Introduction
During a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target.
This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host ...
What is Privilege Escalation?
What does “privilege escalation” mean?
At its core, privilege escalation usually involves going from a lower-permission account to a higher-permission one. More technically, it is the exploitation of a vulnerability, design flaw, or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from the users.
Why is it important?
It’s rare when performing a real-world penetration test to be able to g ...
What is a shell?
Before we can get into the intricacies of sending and receiving shells, it’s important to understand what a shell actually is. In the simplest possible terms, shells are what we use when interfacing with a command-line interface (CLI). In other words, the common bash or sh programs in Linux are examples of shells, as are cmd.exe and PowerShell on Windows. When targeting remote systems it is sometimes possible to force an application running on the server (such as a webserver, f ...
Related TryHackMe lab room for this post: https://tryhackme.com/room/res
Difficulty: Easy
Port scan
nmap -p- -sC -sV -T4 10.10.253.248

Nmap scan report for 10.10.253.248
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open  redis   Redis key-value store 6.0.7
Visiting port 80 shows:
Looking at the page source, we don't see anything hidden. I ran a directory scan with Dirsearch to see ...
MISC: 你说爱我?尊嘟假嘟
There are three tokens in total, 「你说爱我」, 「尊嘟」 and 「假嘟」, so this is presumably Ook!. As for which token maps to which, there are only a few possibilities and a little trial and error settles it (in fact, whatever the character encoded, the first line of an Ook! program is always Ook., so it is easy to tell that 「你说爱我」 corresponds to Ook.).
你说爱我->Ook.
尊嘟->Ook!
假嘟->Ook?
After the substitution some tokens are not separated properly, so tidy it up with a script:

import re

# The substituted Ook! text (the full string is elided in the original post)
input_string = "Ook. Ook.Ook. Ook. Ook. ......."
# Insert a space before every 'O' that is not already preceded by one,
# so that each Ook token is separated by whitespace
output_string = re.sub(r'(?<! )O', ' O', input_string)
print(output_string)
https://ctf.bugku.com/tool/brainfuck
https://www.splitbrain.org/services/ook
Decoding gives:
ild3l4pXejwPcCwJsPAOq7sJczdRdTsJcCEUsP1Z
ISCTF{9832h-s92hw-23u7w-2j8s ...
Related TryHackMe lab room for this post: https://tryhackme.com/room/dogcat
Difficulty: Medium
┌──(root㉿kali)-[~]
└─# nmap -p- -sC -sV -T4 10.10.93.198
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-09 20:22 EST
Nmap scan report for 10.10.93.198
Host is up (0.32s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 ...
Related TryHackMe lab room for this post: https://tryhackme.com/room/startup
Difficulty: Easy
We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!
Nmap
nmap -p- -sC -sV -T4 10.10.47.1
Related TryHackMe lab room for this post: https://tryhackme.com/room/blog
Difficulty: Medium
Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome!
Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get what you need? Or will you fall down the rabbit hole…
In order to get the blog to work with AWS, you’ll need to add blog.thm to your /etc/hosts file.
Credit to Sq00ky f ...
Related TryHackMe lab room for this post: https://tryhackme.com/room/tomghost
Difficulty: Easy
nmap -p- -sC -sV -T4 10.10.175.81
We can see port 8080.
Searching online turns up a related exploit:
https://www.exploit-db.com/exploits/49039
[*] Running module against 10.10.175.81
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1261-1583902632000"
Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
Content-Type: application/xml
Content-Length: 1261
<?xml version="1.0" encoding=& ...
Related TryHackMe lab room for this post: https://tryhackme.com/room/cyborgt8
Difficulty: Easy
nmap -p- -sC -sV -T4 10.10.167.166
Checking port 80 shows only the default Apache2 page, which means the site has not been fully configured yet.
To dig deeper, we use gobuster:
gobuster dir --url http://10.10.167.166/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
This finds /admin and /etc.
Visiting /etc:

/etc/squid/passwd
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

/etc/squid/squid.conf
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic ch ...