推箱子2-向右推!_保持冷静，砍箱子-me脚

推箱子2-向右推!

Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.

Hack The Box(HTB)是一个在线平台，可让您测试渗透测试技能。 它包含一些不断更新的挑战。 其中一些模拟现实世界的场景，而另一些则更倾向于CTF的挑战风格。

Note. Only write-ups of retired HTB machines are allowed.

注意 。 只允许注销HTB机器。

Lame is the first machine published on Hack The Box and is for beginners, requiring only one exploit to obtain root access.

Lame是在Hack The Box上发布的第一台机器，是针对初学者的，只需要一个漏洞就可以获取root访问权限。

We will use the following tools to pawn the box on a Kali Linux box

我们将使用以下工具将盒子当成Kali Linux盒子

• nmap

  纳帕

• zenmap

  禅地图

• searchsploit

  searchsploit

• metasploit

  元胞

第1步-扫描网络 (Step 1 - Scanning the network)

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

开发机器之前的第一步是进行一些扫描和侦察。

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you could.

这是最重要的部分之一，因为它将决定您以后可以尝试利用的内容。 最好在该阶段花费更多的时间以获取尽可能多的信息。

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

我将使用Nmap(网络映射器)。 Nmap是一个免费的开源实用程序，用于网络发现和安全审核。 它使用原始IP数据包来确定网络上可用的主机，这些主机提供的服务，它们正在运行的操作系统，使用的数据包过滤器/防火墙的类型以及许多其他特征。

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here

此工具可以使用许多命令来扫描网络。 如果您想了解更多信息，可以在这里查看文档

I use the following command to get a basic idea of what we are scanning

我使用以下命令来了解我们正在扫描的内容

nmap -sV -O -F --version-light 10.10.10.3

-sV: Probe open ports to determine service/version info

-sV：探测打开的端口以确定服务/版本信息

-O: Enable OS detection

-O：启用操作系统检测

-F: Fast mode - Scan fewer ports than the default scan

-F：快速模式-扫描的端口少于默认扫描

--version-light: Limit to most likely probes (intensity 2)

--version-light：限制为最可能的探测(强度2)

10.10.10.3: IP address of the Lame box

10.10.10.3：Lame Box的IP地址

You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

您也可以使用Zenmap，这是官方的Nmap Security Scanner GUI。 它是一个多平台，免费和开源的应用程序，旨在使Nmap易于初学者使用，同时为经验丰富的Nmap用户提供高级功能。

I use a different set of commands to perform an intensive scan

我使用一组不同的命令来执行密集扫描

nmap -A -v 10.10.10.3

-A: Enable OS detection, version detection, script scanning, and traceroute

-A：启用操作系统检测，版本检测，脚本扫描和跟踪路由

-v: Increase verbosity level

-v：提高详细程度

10.10.10.3: IP address of the Lame box

10.10.10.3：Lame Box的IP地址

If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports

如果发现结果有点不堪重负，则可以移至“ 端口/主机”选项卡以仅获取打开的端口

We can see that there are 4 open ports:

我们可以看到有4个开放端口：

Port 21. File Transfer Protocol (FTP) control (command)

端口21 。 文件传输协议(FTP)控制(命令)

Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

端口22 。 安全Shell(SSH)，安全登录，文件传输(scp，sftp)和端口转发

Port 139. NetBIOS Session Service

端口139 。 NetBIOS会话服务

Port 445. Microsoft-DS (Directory Services) SMB file sharing

端口445 。 Microsoft-DS(目录服务)SMB文件共享

Let see what we can get with the first port

让我们看看第一个端口可以得到什么

第2步-脆弱的FTP (Step 2 - The Vulnerable FTP)

We will use Searchsploit to check if there's any known vulnerability on vsftpd 2.3.4. Searchsploit is a command line search tool for Exploit Database

我们将使用Searchsploit来检查vsftpd 2.3.4上是否存在任何已知漏洞。 Searchsploit是用于漏洞利用数据库的命令行搜索工具

I use the following command

我使用以下命令

searchsploit vsftpd 2.3.4

Now that we know that there is a vulnerability - Backdoor Command Execution - let's try to exploit it

现在我们知道存在一个漏洞-后门命令执行-让我们尝试利用它

We will use Metasploit. It's a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders

我们将使用Metasploit。 这是一个渗透测试框架，可使黑客攻击变得简单。 对于许多攻击者和防御者来说，这是必不可少的工具

I launch Metasploit Framework on Kali and look for command I should use to launch the exploit

我在Kali上启动Metasploit框架，并寻找启动漏洞利用程序所需的命令

I use the command to look for all the payloads available

我使用命令查找所有可用的负载

search vsftpd 2.3.4

We can see there are several different exploits but the one we're interested in is number 4

我们可以看到有几种不同的攻击方式，但我们感兴趣的是第4个

exploit/unix/ftp/vsftpd_234_backdoor

I use the following command for the exploit

我使用以下命令进行攻击

use exploit/unix/ftp/vsftpd_234_backdoor

This will launch the exploit. I use this command to display the available options

这将启动漏洞利用。 我使用此命令显示可用选项

show options

You can see that the remote host (RHOSTS) is not yet set. I will set both the remote host and the target as these two pieces of information are needed to run the exploit

您可以看到尚未设置远程主机(RHOSTS)。 我将同时设置远程主机和目标，因为运行漏洞利用程序需要这两部分信息

I use the following command to set the remote host using the IP address of HTB Lame box

我使用以下命令使用HTB Lame框的IP地址设置远程主机

set RHOSTS 10.10.10.3

Then I set the target to 0 as displayed when I checked the options

然后，当我检查选项时，我将目标设置为0

set TARGET 0

We can now run the exploit

我们现在可以运行漏洞利用程序

Unfortunately we can see that even if the exploit is completed, no session was created. The vulnerability has been patched as mentioned here, in the description of the exploit.

不幸的是，我们可以看到，即使漏洞利用程序完成，也不会创建任何会话。 如漏洞描述中所述，已对该漏洞进行了修补。

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

此模块利用了已添加到VSFTPD下载档案中的恶意后门。 根据最新信息，此后门已在2011年6月30日至2011年7月1日之间引入了vsftpd-2.3.4.tar.gz档案。 该后门程序于2011年7月3日被删除。

The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. The aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away

漏洞利用数据库是公共漏洞和相应的易受攻击软件的符合常见漏洞和暴露(CVE)要求的存档，旨在供渗透测试人员和漏洞研究人员使用。 目的是为通过直接提交，邮件列表以及其他公共资源收集的最全面的漏洞利用服务，并将其呈现在可免费使用且易于导航的数据库中。 漏洞利用数据库是漏洞利用和概念证明而非咨询的存储库，对于那些立即需要可操作数据的人来说，它是宝贵的资源

We need to find another way. Let's have a look at another port!

我们需要找到另一种方式。 让我们看看另一个端口！

第三步-脆弱的桑巴舞 (Step 3 - The Vulnerable Samba)

If you remember from Step 1 - Scan the network, we found out that port 445 - Samba smbd 3.0.20-Debian was opened. Let's see if we can find any vulnerabilities around that specific version

如果您还记得“第一步-扫描网络”，我们发现端口445-Samba smbd 3.0.20-Debian已打开。 让我们看看是否可以找到该特定版本附近的任何漏洞

If you want to learn more about Samba, go here. But a deep knowledge of Samba is not required for that box.

如果您想了解有关Samba的更多信息，请转到此处 。 但是该盒子不需要对Samba有深入的了解。

We go back to Searchsploit to check

我们回到Searchsploit进行检查

I use the following command

我使用以下命令

searchsploit Samba 3.0.20

We can see that there's a 'Username' map script Command Execution that we could launch using Metasploit. Let's try it!

我们可以看到可以使用Metasploit启动“用户名”映射脚本命令执行。 试试吧！

Back to Metasploit and checking the command we should use to launch the exploit. I use the following command

返回Metasploit并检查用于启动漏洞利用程序的命令。 我使用以下命令

search Samba 3.0.20

We can see there are several different exploits but the one we're interested in is number 15

我们可以看到有几种不同的攻击方式，但我们感兴趣的是第15个

exploit/multi/samba/usermap_script

You can also find it on the Exploit Database website

您也可以在漏洞利用数据库网站上找到它

The description of the exploit

漏洞描述

This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

使用非默认的“用户名映射脚本”配置选项时，此模块利用Samba 3.0.20至3.0.25rc3版本中的命令执行漏洞。 通过指定包含外壳元字符的用户名，攻击者可以执行任意命令。 无需身份验证即可利用此漏洞，因为此选项用于在身份验证之前映射用户名！

Back on Metasploit where I use the command

回到我使用命令的Metasploit

use exploit/multi/samba/usermap_script

This will launch the exploit. I use the following command to display the available options

这将启动漏洞利用。 我使用以下命令显示可用选项

show options

You can see that the remote host (RHOSTS) is not yet set.

您可以看到尚未设置远程主机(RHOSTS)。

I use the following command to set the remote host using the IP address of HTB Lame box

我使用以下命令使用HTB Lame框的IP地址设置远程主机

set RHOSTS 10.10.10.3

We can now run the exploit

我们现在可以运行漏洞利用程序

Bingo! We have a command shell opened. Let's see what we can find :)

答对了！ 我们打开了一个命令外壳。 让我们看看我们能找到什么:)

第4步-寻找user.txt标志 (Step 4 - Looking for the user.txt flag)

We can now look for the first flag, user.txt

现在，我们可以查找第一个标志user.txt

I use the following command to check who am I on that machine

我使用以下命令检查我在那台计算机上的身份

whoami

We have root access to the machine. We got the power! Let's start navigating the folders

我们具有对该计算机的root访问权限。 我们拥有强大的力量！ 让我们开始浏览文件夹

I use the following command to list all the files/folders

我使用以下命令列出所有文件/文件夹

ls

Let's move to the home folder and see what we can find

让我们转到主文件夹，看看我们能找到什么

I use the following command to change to the home directory, then I list all the files/folders

我使用以下命令更改到主目录，然后列出所有文件/文件夹

cd home

We don't have that much info here, let's be more specific with the command

我们这里没有太多信息，让我们用命令更具体

ls -la

We can see that there's a folder called makis. Let's see what's inside!

我们可以看到有一个名为makis的文件夹。 让我们看看里面有什么！

We found the user.txt file! To read the content of the file I use the command

我们找到了user.txt文件！ 要读取文件的内容，请使用以下命令

cat user.txt

Now that we have the user flag, let's find the root flag!

现在有了用户标志，让我们找到根标志！

第5步-寻找root.txt标志 (Step 5 - Looking for the root.txt flag)

Let's go back to the root directory. I use the command

让我们回到根目录。 我使用命令

cd ~

To check where you are, you can use the following command

要检查您的位置，可以使用以下命令

pwd

Here we see that we're at the /root level and if we list the files/folders we find the root.txt file!

在这里，我们看到我们处于/ root级别，如果我们列出文件/文件夹，我们将找到root.txt文件！

To read the content of the file I use the command

要读取文件的内容，请使用以下命令

cat root.txt

Congrats! You found both flags!

恭喜！ 您找到了两个标志！

Please don’t hesitate to comment, ask questions or share with your friends :)

请不要犹豫，发表评论，提问或与您的朋友分享:)

You can see more of my articles here

您可以在这里看到更多我的文章

You can follow me on Twitter or on LinkedIn

您可以在Twitter或LinkedIn上关注我

And don't forget to #GetSecure, #BeSecure & #StaySecure!

并且不要忘记＃ GetSecure ，＃ BeSecure和＃StaySecure ！

Other articles in this series

本系列的其他文章

• Keep Calm and Hack The Box - Legacy

  保持冷静并打破常规-旧版

• Keep Calm and Hack The Box - Devel

  保持冷静并打破僵局-开发

• Keep Calm and Hack The Box - Beep

  保持冷静并砍箱子-哔

翻译自: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-lame/

推箱子2-向右推!