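Using the HTB Range: Walkthrough of the Starter Machines

Introduction

  Video introduction: https://www.bilibili.com/video/BV17T4y1i7Uh
  Official documentation: https://help.hackthebox.com/en/articles/5185158-introduction-to-hack-the-box

  In short, you attack target machines, but they are cloud-hosted, so you do not need to build them yourself. Some free machines are opened each season.

Registration

  Visit the official site and choose to join now:

  https://www.hackthebox.com/

  Select HTB Labs, then fill in the registration details.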

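Connecting from Linux

  Click CONNECT TO HTB in the upper right corner; there are 3 kinds of connection, corresponding to the connection methods for the different labs.

  The following demonstrates how to connect to Machines; Starting Point uses the same method.

  Click Machines. There are 2 options; select OpenVPN, because it is free.

  Here you can choose the VPN region and the protocol, TCP or UDP.

  For reasons the blogger could not work out, only TCP would connect, so TCP is what is demonstrated here.

  Download the VPN file.

  On Linux, run the file:

openvpn lab_AgonyIt.ovpn

  Once the connection succeeds, the indicator here turns green.

  Click in and you can see the IP assigned to you.

  The Linux virtual machine can also see this IP with ifconfig.

Note

  If you are going to attack the Machines levels, connect to Machines; if you are going to attack Starting Point, connect to Starting Point. Do not connect to both; use only the one you need.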

Starting Point

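  Below we continue with the starter machines.

  Check that the IP shown matches.

  Only these 4 can be played; the ones further down require VIP...

Meow

  Start the first machine, Meow.

  The fill-in questions for this level: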

  What does the acronym VM stand for?

  • Virtual Machine

  What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.

  • Terminal

  What service do we use to form our VPN connection into HTB labs?

  • OpenVPN

  What tool do we use to test our connection to the target with an ICMP echo request?

  • Ping

  What is the name of the most common tool for finding open ports on a target?

  • nmap

  What service do we identify on port 23/tcp during our scans?

  • Telnet

  What username is able to log into the target over telnet with a blank password?

  • root

  Submit root flag:

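  Scan the ports of the target IP.

  The telnet service is open, so try connecting.

  The login username and password are the weak credentials root/root; you get root privileges directly and can take the flag straight away.

  The session was very laggy, but the flag was obtained all the same.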

Fawn

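  After starting the machine, the target IP is 10.129.198.188

  Run an nmap scan.

  The FTP port is open. Connect to FTP with the account anonymous and a password identical to the account name.

  Download flag.txt.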

  TASK 1

  What does the 3-letter acronym FTP stand for?

  • File Transfer Protocol

  TASK 2

  Which port does the FTP service listen on usually?

  • 21

  TASK 3

  FTP sends data in the clear, without any encryption. What acronym is used for a later protocol designed to provide similar functionality to FTP but securely, as an extension of the SSH protocol?

  • SFTP

  TASK 4

  What is the command we can use to send an ICMP echo request to test our connection to the target?

  • ping

  TASK 5

  From your scans, what version is FTP running on the target? (answer according to your own scan results)

  • vsftpd 3.0.3

  TASK 6

  From your scans, what OS type is running on the target? (answer according to your own scan results)

  • Unix

  TASK 7

  What is the command we need to run in order to display the 'ftp' client help menu?

  • ftp -h

  TASK 8

  What is username that is used over FTP when you want to log in without having an account?

  • anonymous

  TASK 9

  What is the response code we get for the FTP message 'Login successful'?

  • 230

  TASK 10

  There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

  • ls

  TASK 11

  What is the command used to download the file we found on the FTP server?

  • get

Dancing

  The fill-in questions for this level:

  TASK 1

  What does the 3-letter acronym SMB stand for?

  • Server Message Block

  TASK 2

  What port does SMB use to operate at?

  • 445

  TASK 3

  What is the service name for port 445 that came up in our Nmap scan?

  • microsoft-ds

  TASK 4

  What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing?

  • -L

  TASK 5

  How many shares are there on Dancing?

  • 4

  TASK 6

  What is the name of the share we are able to access in the end with a blank password?

  • WorkShares

  TASK 7

  What is the command we can use within the SMB shell to download the files we find?

  • get

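  Scan the ports:

nmap -sV 10.129.154.197

  Next, use the smbclient tool to try to access the target (evidently a Windows operating system). From the earlier listing, the shared directories above can be accessed directly, but note that multiple \ characters are needed for escaping. The password is blank. Once inside, run ls in each directory; the flag turns out to be in the James directory, and the get command downloads it to the local machine.

  After downloading, view it locally.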
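
  Seen from the defending side, each machine on this page (Redeemer, below, included) is entered through one exposed service that needs no real credentials. As an added example, not part of the original post, this Python function reads nmap -sV output from your own hosts and reports those services with a matching fix; the sample scan is constructed and the RISKS table is the example's own summary.

```python
import re

# Constructed sample of `nmap -sV` output covering this page's four machines.
SAMPLE_SCAN = """\
PORT     STATE  SERVICE      VERSION
21/tcp   open   ftp          vsftpd 3.0.3
23/tcp   open   telnet       Linux telnetd
445/tcp  open   microsoft-ds?
6379/tcp open   redis        Redis key-value store 5.0.7
8080/tcp closed http-proxy
"""

# service name -> (weakness the walkthrough relied on, suggested fix).
# This table is the example's own summary, not nmap output.
RISKS = {
    "telnet": ("cleartext remote login", "disable telnetd and use SSH"),
    "ftp": ("anonymous login allowed", "disable anonymous access or move to SFTP"),
    "microsoft-ds": ("share opens with a blank password", "require authentication on every share"),
    "redis": ("no authentication", "set requirepass and do not expose 6379"),
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def triage(scan_text):
    """Return one finding per open port whose service is in RISKS."""
    findings = []
    for line in scan_text.splitlines():
        match = PORT_LINE.match(line.strip())
        if not match:
            continue  # header, blank line or host banner
        port, proto, state, service, version = match.groups()
        service = service.rstrip("?")  # nmap marks uncertain guesses with "?"
        if state != "open" or service not in RISKS:
            continue
        weakness, fix = RISKS[service]
        findings.append({
            "port": int(port), "proto": proto, "service": service,
            "version": version.strip() or None,
            "weakness": weakness, "fix": fix,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f['port']}/{f['proto']} {f['service']}: {f['weakness']} -> {f['fix']}")
```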

Redeemer

  Start the machine.

  TASK 1

  Which TCP port is open on the machine?

6379

  Scan the ports with nmap (if the command below does not work well, you can add -Pn):

nmap -sS -T4 -p0-65535 -Pn 10.129.217.19

  This shows that the open port is 6379/tcp.

  TASK 2

  Which service is running on the port that is open on the machine?

redis

  The service is redis; you can confirm it with the command: nmap -A -p6379 10.129.26.40

  TASK 3

  What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

In-memory Database

  TASK 4

  Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

  On Linux, the redis-cli command-line tool is used to interact with the Redis server.

redis-cli

  TASK 5

  Which flag is used with the Redis command-line utility to specify the hostname?

-h

  TASK 6

  Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

info

  TASK 7

  What is the version of the Redis server being used on the target machine?

5.0.7

  TASK 8

  Which command is used to select the desired database in Redis?

select

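  After connecting to the Redis database and retrieving its information with the info command, the Keyspace section shows that there is one database named db0 (its database index is 0) with keys=4. Use the command:

select 0
// select + index (the index number; index 0 is chosen here) selects the database with index 0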

  TASK 9

  How many keys are present inside the database with index 0?

4

  TASK 10

  Which command is used to obtain all the keys in a database?

keys *
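
  The fields read by eye from the info output in TASK 6 through TASK 9 can also be extracted programmatically. The following Python code is an added example, not part of the original post: it splits info output into its sections and returns the server version and the key count per database. The sample text is constructed, and the function names are the example's own.

```python
# Constructed, abridged sample of `info` output. Redis uses CRLF line endings.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:5.0.7\r\n"
    "tcp_port:6379\r\n"
    "\r\n"
    "# Keyspace\r\n"
    "db0:keys=4,expires=0,avg_ttl=0\r\n"
)


def parse_info(text):
    """Split info output into {section: {field: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "# Keyspace" -> section name "Keyspace"
            current = sections.setdefault(line.lstrip("# ").strip(), {})
            continue
        if current is None or ":" not in line:
            continue  # skip anything outside a section or malformed
        field, value = line.split(":", 1)
        current[field] = value
    return sections


def keyspace_summary(sections):
    """Return {db_index: key_count} from the Keyspace section."""
    summary = {}
    for name, stats in sections.get("Keyspace", {}).items():
        if not (name.startswith("db") and name[2:].isdigit()):
            continue
        fields = dict(kv.split("=", 1) for kv in stats.split(",") if "=" in kv)
        summary[int(name[2:])] = int(fields.get("keys", 0))
    return summary


def describe(text):
    """Return (redis_version, {db_index: key_count})."""
    sections = parse_info(text)
    return sections.get("Server", {}).get("redis_version"), keyspace_summary(sections)


if __name__ == "__main__":
    version, dbs = describe(SAMPLE_INFO)
    print("redis_version:", version)
    for index, count in sorted(dbs.items()):
        print(f"select {index} -> {count} keys")
```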

  Finally, run get flag to view the flag!

posted @ 2024-09-19 12:41  itchen-2002