Tags: SQLi、Hashcat、Ghauri、Cacti、CVE-2024-25641、Mysql、SSH_Proxy、Duplicati
Recon & Enum
nmap -p- --min-rate 1000 -T4 -sC -sV -O -v yummy.htb
---
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a2:ed:65:77:e9:c4:2f:13:49:19:b0:b8:09:eb:56:36 (ECDSA)
|_ 256 bc:df:25:35:5c:97:24:f2:69:b4:ce:60:17:50:3c:f0 (ED25519)
80/tcp open http Caddy httpd
|_http-favicon: Unknown favicon MD5: 0C6ECE85EA540E6ABEBA19B1436C17E2
| http-methods:
|_ Supported Methods: POST HEAD GET OPTIONS
|_http-title: Yummy
|_http-server-header: Caddy
ffuf -u http://yummy.htb/ -H 'Host: FUZZ.yummy.htb' -w subdomains.txt -fs 39296
---
gobuster dns -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt -d [domain_name] -r [dns_ip]
---
gobuster dir -k --random-agent -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u 'http://[domain]'
---
gobuster dir -k --random-agent -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u 'http://[subdomain]'
---
ldapsearch -H "ldap://$IP" -x -s base namingcontexts
Shell as User1
Local Enum
...
[suid]
...
[server port]
...
Shell as User2
Local Enum
...
user2 (nopasswd)
...
Shell as Root
More and More
这个靶机的主要难点,在于发现 XSS 漏洞后,如何进一步利用 …
Dump Hash
Exploit
Other
https://app.hackthebox.com/home https://app.hackthebox.com/machines https://app.hackthebox.com/challenges
