这个房间将介绍SQLi(手动和通过SQLMap利用这个漏洞),破解用户哈希密码,使用SSH隧道来揭示隐藏的服务,以及使用metasploit有效负载来获得root权限。
Task 1 Deploy the vulnerable machine论坛上拿着狙击手的大型卡通头像叫什么名字?
agent 47
Task 2 Obtain access via SQLi在此任务中,您将了解有关 SQL(结构化查询语言)的更多信息,以及如何潜在地操作查询以与数据库进行通信。
SQL 是一种用于在数据库中存储、编辑和检索数据的标准语言。查询可以如下所示:
1SELECT * FROM users WHERE username = :username AND password := password
在我们的GameZone机器中,当您尝试登录时,它将从您的用户名和密码中获取您输入的值,然后将它们直接插入到上面的查询中。如果查询找到数据,则允许你登录,否则将显示错误消息。
这是一个潜在的漏洞位置,因为您可以输入用户名作为另一个 SQL 查询。这将进行查询写入、放置和执行。
如果我们的用户名是 ad ...
使用 Hydra 暴力破解网站登录,识别并使用公共漏洞,然后提升您在这台 Windows 机器上的权限!
1nmap -p- -sC -sV -T4 10.10.173.96
1234567891011121314151617181920212223242526Nmap scan report for 10.10.173.96Host is up (0.18s latency).Not shown: 65533 filtered tcp ports (no-response)PORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 8.5|_http-server-header: Microsoft-IIS/8.5| http-methods: |_ Potentially risky methods: TRACE|_http-title: hackpark | hackpark amusements| http-robots.txt: 6 disal ...
Initial Access1nmap -p- -sC -sV -T4 10.10.206.74
12345678910111213141516171819202122232425262728Nmap scan report for 10.10.206.74Host is up (0.19s latency).Not shown: 65532 filtered tcp ports (no-response)PORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 7.5|_http-title: Site doesn't have a title (text/html).| http-methods: |_ Potentially risky methods: TRACE|_http-server-header: Microsoft-IIS/7.53389/tcp open ssl/ms-wbt-server?| ssl-cert: Sub ...
网络流量分析网络流量分析是指利用分析技术和统计手段对网络数据包进行处理,从而实现对网络的行为分析、性能分析和故障诊断等。它也是网络取证中经常使用的手段。
在几乎所有的CTF 比赛中,都会涉及对网络流量分析能力的考查,尤其是在企业或者行业内部的比赛中,此类题目属于必考题目。这类题目的难度适中,涉及的知识面广泛,能有效结合企业内部的业务,因此建议各位读者重点关注并熟练掌握。
进行网络流量分析需要掌握多方面的知识,不仅涉及杂项知识,还需要结合 Web 渗透等方面的基础知识。
网络协议的基础知识网络协议是为在网络中进行数据交换而建立的规则、标准或约定的集合,通常也简称为协议。互联网的核心是一系列协议,总称为互联网协议(Internet Protocol Suite),它们对计算机如何连接和组网做出了详尽的规定,一个协议通常只为一个目的而设计。那么应该如何设计网络协议呢?
ARPANET(阿帕网)是美国国防高级研究计划局开发的世界上第一个运营的数据包交换网络,是全球互联网的鼻祖。但是,ARPANET 无法和使用不同操作系统的计算机进行网络交流,这引发了研究者的思考。ARPANET的研制经验表明, ...
Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.
Initial Access1nmap -p- -sC -sV -T4 10.10.153.112
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354PORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 8.5|_http-server-header: Microsoft-IIS/8.5|_http-tit ...
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172┌──(root㉿kali)-[~]└─# nmap -p- -sC -sV -T4 10.10.189.80 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-07 03:51 ESTNmap scan report for 10.10.189.80Host is up (0.23s latency).Not shown: 65524 closed tcp ports (reset)PORT STATE SERVICE VERSION21/tcp open ftp ProFTPD 1.3.522/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubunt ...
ReconScan the machine
1nmap -sV -vv -script=vuln -T4 10.10.84.104
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657NSE: Script scanning 10.10.84.104.NSE: Starting runlevel 1 (of 2) scan.Initiating NSE at 02:00NSE Timing: About 99.82% done; ETC: 02:00 (0:00:00 remaining)NSE Timing: About 99.91% done; ETC: 02:01 (0:00:00 remaining)Completed NSE at 02:01, 60.68s elapsedNSE: Starting runlevel 2 (of 2) scan.Initiating NSE at 02:01NSE: [ssl-ccs- ...
IntroductionDuring a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target.
This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host ...
What is Privilege Escalation?What does “privilege escalation” mean?At it’s core, Privilege Escalation usually involves going from a lower permission account to a higher permission one. More technically, it’s the exploitation of a vulnerability, design flaw, or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from the users.
Why is it important?It’s rare when performing a real-world penetration test to be able to g ...
What is a shell?Before we can get into the intricacies of sending and receiving shells, it’s important to understand what a shell actually is. In the simplest possible terms, shells are what we use when interfacing with a Command Line environment (CLI). In other words, the common bash or sh programs in Linux are examples of shells, as are cmd.exe and Powershell on Windows. When targeting remote systems it is sometimes possible to force an application running on the server (such as a webserver, f ...
