2021/3/24的修行

字数统计: 988字   |   阅读时长≈ 5分

说了要在2022/3/12前拿到OSCP那么就要在2022/3/12前拿到OSCP。

呵。吾等绝不会输,至少不会输给自己。

1. 上班

2. 继续学习《深入理解Java虚拟机》

3. HackTheBox Challenge 【ScriptKiddie】 再次努力了,再次没打掉

爆破了一天,没有爆掉。收手吧阿祖.jpg

4. SDL_GameControllerDB_Util发新版本

5. 康复

6. HackTheBox Challenge 【Netmon】 没看教程拿到user,看教程提权拿root

6.1 nmap

惯例nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
$ nmap -v -A -Pn 10.129.122.147                                                                                                                                                                                                                                                        
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-25 02:10 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:10
Completed NSE at 02:10, 0.00s elapsed
Initiating NSE at 02:10
Completed NSE at 02:10, 0.00s elapsed
Initiating NSE at 02:10
Completed NSE at 02:10, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 02:10
Completed Parallel DNS resolution of 1 host. at 02:10, 0.00s elapsed
Initiating Connect Scan at 02:10
Scanning 10.129.122.147 [1000 ports]
Discovered open port 139/tcp on 10.129.122.147
Discovered open port 21/tcp on 10.129.122.147
Discovered open port 80/tcp on 10.129.122.147
Discovered open port 135/tcp on 10.129.122.147
Discovered open port 445/tcp on 10.129.122.147
Increasing send delay for 10.129.122.147 from 0 to 5 due to 46 out of 152 dropped probes since last increase.
Increasing send delay for 10.129.122.147 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.122.147 from 10 to 20 due to max_successful_tryno increase to 5
Completed Connect Scan at 02:11, 41.81s elapsed (1000 total ports)
Initiating Service scan at 02:11
Scanning 5 services on 10.129.122.147
Completed Service scan at 02:11, 10.52s elapsed (5 services on 1 host)
NSE: Script scanning 10.129.122.147.
Initiating NSE at 02:11
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 02:11, 11.17s elapsed
Initiating NSE at 02:11
Completed NSE at 02:11, 2.45s elapsed
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Nmap scan report for 10.129.122.147
Host is up (0.23s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-03-24T18:11:32
|_  start_date: 2021-03-24T18:02:35

NSE: Script Post-scanning.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.28 seconds

6.2 找洞

google搜索Indy httpd 18.1 cve

搜索到

CVE-2018-9276

打开metasploit仓库

全局搜索CVE-2018-9276

找到攻击插件exploit/windows/http/prtg_authenticated_rce

使用失败

再次google

搜索到CVE-2018-19410

。。。这个更离谱,没人写exp,也没找到复现方法

6.3 重新看看nmap

等等,重新看看nmap结果

ftp tm允许匿名用户登录???

就tm离谱

上上上

直接ftp://10.129.122.147/Users/Public/user.txt

拿✳到✳user✳flag✳

开心

保底挑战完成了!

6.4 看看题解怎么拿到root

淦 这个题不行

这个拿到web的用户名和密码的方式我觉得就是纯粹的脑筋急转弯

没有任何借鉴意义

总之 拿到web端的用户名和密码后,设置然后重新使用metasploit的刚才那个件 就能reverse shell

然后拿root flag

重申一遍 这个题 我觉得真的不行

我会投差评

7. 稍微学了学Burp Suite的插件开发

有点意思

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

自称为XenoAmess的方术师。

为了得到【意义】而进行各种各样的修行。

Hack The Box