
Hack The Box( Starting Point ) - Web_Kio

 2 years ago
source link: https://www.cnblogs.com/Webkio/p/16643924.html

Hack The Box [Starting Point]

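Starting Point: learn the basics of penetration testing.
This chapter lets a penetration-testing beginner grow quickly. Detailed solution reasoning and hands-on steps are given below.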

TIER 0

Instance: Meow

Difficulty: Very Easy

Connect to the VPN and spawn the instance machine.

Target machine IP address

1. What does the acronym VM stand for?

virtual machine

Think of the virtual machine software "VMware Workstation"; the answer box shows the hint ***** *e.
Translating the Chinese term for "virtual machine" into English gives the answer: "virtual machine".

This question earns its flag.

2. What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It is also known as a console or shell.

terminal

Commands are normally typed at a command line inside a terminal, which is also called a console or shell.

This question earns its flag.

3. What service do we use to form our VPN connection into the HTB labs?

openvpn (a giveaway question)

A VPN is a virtual private channel: a tunnel that provides secure data transmission between companies, or between an individual and a company.
Here, openvpn is what establishes the VPN connection to the HTB labs.
This question earns its flag.

4. What is the abbreviated name for a "tunnel interface" in the output of the VPN boot-up sequence?

tun

Translate the term directly into English as "tunnel interface" and the abbreviation, which is the answer, is easy to spot.

5. What tool do we use to test our connection to the target with an ICMP echo request?

ping

How it works: ICMP is a control message protocol used to **check network connectivity**. The ping command is based on ICMP, and that is what this question tests.

6. What is the name of the most common tool for finding open ports on a target?

**nmap**

Nmap is a port-scanning tool designed for large networks.

7. What service do we identify on port 23/tcp during our scans?

telnet

Here nmap is run directly against the target machine to scan its ports.
-Pn: treat all hosts as online, skipping host discovery

8. What username is able to log into the target over telnet with a blank password?

root

Connect directly with the telnet tool and enter the administrator username root; if the target has no password set, an empty password gets you in.
(The Linux subsystem is used here so that the output is clearer.)


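Telnet protocol: the standard protocol and main method for Internet remote login services. Port: TCP 23
Role and mechanism:
It gives users the ability to do work on a remote host from their local computer.
The end user runs a telnet program on their own computer and uses it to connect to the server.
The end user types commands into the telnet program, and these commands run on the server just as if they had been typed at the server's console, so the server can be controlled from the local machine.
To start a telnet session, you must log in to the server with a username and password. Telnet is a commonly used way to remotely control web servers.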
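The blank root password found in question 8 is something a defender can check for on their own hosts. The following is an added example, not part of the original write-up: it scans passwd/shadow-format text for login-capable accounts with an empty password field. The function names and all sample records are constructed for illustration.

```python
# Added example: find accounts that can log in with an empty password.
# Input is text in passwd(5) and shadow(5) format; sample data is constructed.

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample records (hash value is a placeholder, not a real hash).
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup::34:34:backup:/var/backups:/bin/sh
svc:x:1001:1001::/home/svc:/bin/bash
"""
SAMPLE_SHADOW = """
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""


def parse_shadow(shadow_text):
    """Map username -> password field from shadow-format lines."""
    fields = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0]:
            fields[parts[0]] = parts[1]
    return fields


def audit_empty_passwords(passwd_text, shadow_text):
    """Return sorted (severity, user, reason) tuples for passwordless logins."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue  # blank line or not a passwd record
        user, pw, uid, _gid, _gecos, _home, shell = parts
        if shell in NOLOGIN_SHELLS:
            continue  # account cannot obtain an interactive shell
        if pw == "":
            reason = "empty password field in passwd"
        elif pw == "x" and shadow.get(user) == "":
            reason = "empty password field in shadow"
        else:
            continue  # hashed, locked ("!" or "*"), or absent from shadow
        severity = "CRITICAL" if uid == "0" else "HIGH"
        findings.append((severity, user, reason))
    return sorted(findings)


if __name__ == "__main__":
    for severity, user, reason in audit_empty_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity}: {user}: {reason}")
```

Whether a given service actually accepts the empty password also depends on its PAM configuration (for example the `nullok` option of `pam_unix`), so treat a finding as a reason to set or lock the password, not as proof of exposure.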

9. Submit the flag

Connect to the target with the telnet tool to control the web server remotely.
ls: list the files in the current directory; "flag.txt" is visible.
cat: display the file's contents, which is the flag.

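This level is very easy, but it is packed with things to learn.
Every one of them can be looked up on Baidu, but without searching, what is really tested is your ability to infer and to work hands-on.
From understanding what a VPN is to establishing the connection;
from getting to know the Nmap port scanner to using it to probe for open ports;
from the principle of the ICMP control message protocol to understanding and using telnet, the standard protocol for remote login services;
and finally using knowledge of Linux to obtain the target's flag. For a beginner, that is no small thing. That is how penetration testing is: it comes down to information gaps.
Easy things are easy; if something feels hard, it is only because you do not know enough about it yet.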


Instance: Fawn

Difficulty: Very Easy

Connect to the VPN and spawn the instance machine.

Target machine IP address

1. What does the 3-letter acronym FTP stand for?

File Transfer Protocol

A direct translation reveals the answer.


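FTP, the File Transfer Protocol, runs on top of TCP.
Ports: TCP ports 20 and 21
Role and mechanism: port 20 carries the data, and port 21 carries the control information.
FTP consists of two components: the FTP server and the FTP client.
The FTP server stores the files, and users access resources on the FTP server with an FTP client over the FTP protocol. When developing a website, FTP is commonly used to upload pages or programs to the web server.
In addition, because FTP transfers are very efficient, it is also commonly used to transfer large files over the network.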

2. Which port does the FTP service usually listen on?

21

3. What acronym is used for the secure version of FTP?

SFTP (S for Secure)
Think of HTTPS (Hypertext Transfer Protocol Secure) and HTTP (Hypertext Transfer Protocol): FTP + S = the secure version of FTP.

4. What command can we use to send an ICMP echo request to test our connection to the target?

**ping** (covered in the previous machine: the ping command is based on the ICMP control message protocol)

5. From your scans, what version is FTP running on the target?

vsftpd 3.0.3

Run nmap with the -sV option to detect the version of the running FTP service.
-sV: probe open ports to determine service/version information

6. From your scans, what OS type is running on the target?

unix

The answer comes from the scan result.

7. What command do we need to run in order to display the "ftp" client help menu?

ftp -h

8. What username is used over FTP when you want to log in without having an account?

anonymous


How it works:
When transferring files over FTP, the user must supply credentials to the FTP server to be granted permission to transfer. Some public FTP servers may allow access to their files without credentials, but the security of the transfer cannot be guaranteed: sending any data unencrypted over a public network is very dangerous. To protect data in transit, two protocols were derived from FTP: FTPS and SFTP.
To learn the differences between FTP, FTPS and SFTP, see the article "一文详解 FTP、FTPS 与 SFTP 的原理" (a detailed explanation of how FTP, FTPS and SFTP work).
Key point: FTP has two login methods, anonymous login and authenticated login. With anonymous login, the username is anonymous and the password is any valid email address; with authenticated login, the username and password are those of the user's account on the remote system.
Reference: https://blog.csdn.net/Gao068465/article/details/120846856

Use the ftp tool to connect to the target web server as the anonymous user and transfer files.


Disabling anonymous FTP login:
Main configuration file: vi /etc/vsftpd/vsftpd.conf
# disable anonymous login
anonymous_enable=NO
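The hardening step above can be verified automatically. The following is an added example, not part of the original write-up: it audits vsftpd.conf text for anonymous access and cleartext transfer, applying vsftpd's documented defaults when an option is absent (anonymous_enable defaults to YES). The finding codes and sample configurations are constructed; the audit's choice to report, rather than trust, any value that is not a bare boolean is an assumption of this example.

```python
# Added example: audit vsftpd.conf text. Sample configurations are constructed.

# Defaults per vsftpd.conf(5) for the options checked here.
DEFAULTS = {
    "anonymous_enable": True,
    "anon_upload_enable": False,
    "write_enable": False,
    "ssl_enable": False,
}
TRUE_WORDS = {"YES", "TRUE", "1"}
FALSE_WORDS = {"NO", "FALSE", "0"}

# Constructed: the directive is only commented out, so the default (YES) applies.
WEAK_CONF = """
# constructed sample
listen=YES
#anonymous_enable=NO
write_enable=YES
anon_upload_enable=YES
"""
# Constructed: trailing text after the value, so the setting cannot be trusted.
INLINE_COMMENT_CONF = "anonymous_enable=NO #disable anonymous login\nssl_enable=YES\n"
HARDENED_CONF = "anonymous_enable=NO\nssl_enable=YES\n"


def audit_vsftpd(conf_text):
    """Return a list of (code, detail) findings for vsftpd.conf text."""
    settings = dict(DEFAULTS)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition("=")
        name = key.strip()
        if name not in DEFAULTS:
            continue
        word = value.upper()
        # The format is option=value with no spaces; anything else is reported
        # and the previous (or default) value is kept.
        if key == name and word in TRUE_WORDS | FALSE_WORDS:
            settings[name] = word in TRUE_WORDS  # later lines override earlier
        else:
            findings.append(("MALFORMED", f"line {lineno}: {raw.strip()!r}"))
    if settings["anonymous_enable"]:
        findings.append(("ANON_LOGIN", "anonymous login is enabled"))
        if settings["anon_upload_enable"] and settings["write_enable"]:
            findings.append(("ANON_UPLOAD", "anonymous users can upload files"))
    if not settings["ssl_enable"]:
        findings.append(("CLEARTEXT", "ssl_enable is off; logins are unencrypted"))
    return findings


def finding_codes(conf_text):
    """Convenience wrapper returning only the finding codes."""
    return [code for code, _ in audit_vsftpd(conf_text)]


if __name__ == "__main__":
    for code, detail in audit_vsftpd(WEAK_CONF):
        print(code, detail)
```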

9. Submit the flag

After establishing the connection, listing the directory from the command line shows that flag.txt exists.

An FTP session cannot display a file's contents directly; use the get command to fetch the file and download it to the local machine.

dir: list the files on the local attacking machine

type: print the file to see the flag value

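This level is also very easy and packed with things to learn. With the experience from the previous level, we can move faster.
This level mainly covered how the FTP file transfer protocol works and how it can be exploited, and it also built more familiarity with Nmap.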


Instance: Dancing

Difficulty: Very Easy

Connect to the VPN and spawn the instance machine.

Target machine IP address

1. What does the 3-letter acronym SMB stand for?

Server Message Block

2. What port does SMB use to operate?

445

Port 445 has a mixed reputation. With it we can easily access shared folders and shared printers on a LAN, but it is also what gives attackers their opening: through this port they can quietly access shares of your hard disk, or even format your disk without you noticing.

3. What is the service name for port 445 that came up in our Nmap scan?

microsoft-ds

nmap is used here to identify the service name reported for port 445 on the target.

4. What is the "flag" or "switch" we can use with the SMB tool to "list" the contents of the share?

The smbclient tool is used here to list the target's shares.

5. What is the name of the share we are able to access in the end with a blank password?

WorkShares

Continuing with smbclient, connect to the shares; "WorkShares" can be entered with an empty password.

6. What command can we use within the SMB shell to download the files we find?

get
It appears in the help output shown above.

7. Submit the flag

Look through the files in turn and download them to obtain the flag.

This level mainly tests your understanding of SMB and the simple exploitation of a historical vulnerability.


Instance: Redeemer

Difficulty: Very Easy

Connect to the VPN and spawn the instance machine.

Target machine IP address

1. Which TCP port is open on the machine?

6379

Probed with nmap.

2. Which service is running on the port that is open on the machine?

redis

Probed with nmap.

3. What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

In-memory Database


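How it works:
Redis is an in-memory database, and it runs in memory as the super-administrator user. We can get in through the Redis unauthorized-access vulnerability and obtain the highest privileges. Redis can also be used to write scheduled tasks, execute system commands, write public/private key pairs, and so on.
Redis has no password by default; one must be configured manually.

How to configure a password:

  • Connect to the Redis database
  • Open the configuration file redis.conf
  • Uncomment requirepass [followed by the password]
  • Exit and reconnect to Redis; the password is now set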
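To confirm that the requirepass step above actually closes the unauthenticated access, the configuration can be audited. The following is an added example, not part of the original write-up: it checks redis.conf text for a missing password and for settings that leave a passwordless server reachable from the network, using the protected-mode behaviour of Redis 5.x (the target here reports 5.0.7). The finding codes, the 16-character minimum and the sample configurations are assumptions constructed for illustration.

```python
# Added example: audit redis.conf text. Sample configurations are constructed.
import ipaddress
import shlex

# Constructed: requirepass is still commented out and the bind is not loopback.
EXPOSED_CONF = """
# constructed sample
bind 0.0.0.0
protected-mode yes
port 6379
# requirepass foobared
"""
# Constructed placeholder password, not a real secret.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass "constructed-long-random-value-0001"
"""
SHORT_PASSWORD_CONF = "bind 127.0.0.1\nprotected-mode no\nrequirepass hunter2\n"


def parse_redis_conf(text):
    """Map directive -> argument list; the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted arguments
        conf[parts[0].lower()] = parts[1:]
    return conf


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; hostnames and wildcards count as remote."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False


def audit_redis(text, min_len=16):
    """Return finding codes for redis.conf text (min_len is this audit's choice)."""
    conf = parse_redis_conf(text)
    password = (conf.get("requirepass") or [""])[0]
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    bind = conf.get("bind")  # None means no bind directive: all interfaces
    remote_bind = bind is not None and any(not is_loopback(a) for a in bind)
    findings = []
    if not password:
        findings.append("NO_PASSWORD")
        # In Redis 5.x protected mode only restricts a passwordless server
        # that has no explicit bind directive.
        if remote_bind or (bind is None and not protected):
            findings.append("UNAUTHENTICATED_REMOTE_ACCESS")
    elif len(password) < min_len:
        findings.append("SHORT_PASSWORD")
    if not protected:
        findings.append("PROTECTED_MODE_OFF")
    return findings


if __name__ == "__main__":
    print(audit_redis(EXPOSED_CONF))
```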

4. Which command-line utility is used to interact with the Redis server? Enter the program name you would type into the terminal, without any arguments.

redis-cli (this tool is commonly used to interact with Redis servers)

If it is not installed, it can be installed in a Linux environment with: apt install redis-tools

5. Which flag is used with the Redis command-line utility to specify the hostname?

-h (host)

6. Once connected to a Redis server, which command is used to obtain information and statistics about the Redis server?

info

7. 目标机器上使用的 Redis 服务器的版本是什么?

5.0.7

The version can be seen in the nmap scan results.

8. Which command is used to select the desired database in Redis?

select

Select the database with index 0.

9. How many keys are present in the database with index 0?

4

db0 keys=4

10. Which command is used to obtain all the keys in a database?

keys * returns all keys in the currently selected database

11. Submit the flag

The key listing above shows that a key named “flag” exists; use get to retrieve its value.

This level mainly tests your knowledge of Redis and redis-cli, and the exploitation of the Redis unauthorized-access vulnerability.
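The unauthorized access used in this level depends on a Redis listener that is reachable over the network and has no password. The following is an added example, not part of the original write-up: it audits a redis.conf for that exposure. The sample configurations are constructed, the function names are hypothetical, and Redis 6+ ACL users are not considered.

```python
import shlex

# Constructed sample configurations, not taken from the target machine.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass "constructed-long-random-secret"
"""

def parse_conf(text):
    """Map each directive to its argument list (the last occurrence is kept)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # copes with quoted values
            conf[parts[0].lower()] = parts[1:]
    return conf

def is_loopback(addr):
    addr = addr.lstrip("-")  # Redis 6.2+ allows a "-" prefix on bind addresses
    return addr.startswith("127.") or addr == "::1"

def audit_redis_conf(text):
    """Return findings that leave Redis usable by unauthenticated remote clients."""
    conf = parse_conf(text)
    password = "".join(conf.get("requirepass", []))
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() != "no"
    binds = conf.get("bind", [])
    non_loopback = any(not is_loopback(a) for a in binds)
    findings = []
    if not password:
        findings.append("no requirepass: clients are not asked to authenticate")
    if not protected:
        findings.append("protected-mode no: loopback-only safeguard disabled")
    if non_loopback:
        findings.append("bind includes a non-loopback address")
    # Redis 5.x applies protected mode only when no bind directive is given,
    # so an explicit non-loopback bind is treated as reachable either way.
    reachable = non_loopback or (not binds and not protected)
    if not password and reachable:
        findings.append("CRITICAL: unauthenticated remote access is possible")
    return findings
```
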

