Box Practice Log (143): HTB Travel
Port scan
┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 13:12 CST
Nmap scan report for 10.10.10.189
Host is up (0.067s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 10.52 seconds
┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ sudo nmap -sT -sC -sV -O -p22,80,443 10.10.10.189
Starti ...
Box Practice Log (142): HTB RedCross
Port scan
┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 19:36 CST
Nmap scan report for 10.10.10.113
Host is up (0.073s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
┌──(mikannse㉿kali)-[~/HTB/redcross]
└─$ sudo nmap -sT -sC -sV -O -p22,80,443 10.10.10.113
Starting Nmap ...
HTB Blue Team Path: Forensic Analysis
Event Horizon
Challenge: Our CEO's computer was compromised in a phishing attack. The attacker carefully cleared the PowerShell logs, so we don't know what they executed. Can you help us?
The download contains a logs directory, so this looks like Windows event log analysis. Sort the files by size.
The file Microsoft-Windows-PowerShell%4Operational.evtx stores PowerShell events, so it is the one relevant to the challenge.
Open it with the built-in Windows Event Viewer. The very first entry is a warning about mimikatz, event ID 4100, which indicates execution was blocked by a restriction policy (dumping hashes with mimikatz, for example, requires administrator privileges). Filtering on 4100 and reading through those entries turned up nothing useful.
Filter on event 4104 instead, since those entries hold the remotely executed code; sort descending by time, and the flag is found in the earliest event.
Export
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol2 -f WIN-LQS146OE2S1-20201027-142607.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO ...
Box Practice Log (141): HTB Stratosphere
Port scan
┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:42 CST
Nmap scan report for 10.10.10.64
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds
┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap -sT -sC -sV -O -p22,80,8080 10.10.10.6 ...
Box Practice Log (140): HTB Popcorn
Port scan
┌──(mikannse㉿kali)-[~/HTB/popcorn]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 20:56 CST
Nmap scan report for 10.10.10.6
Host is up (0.072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds
┌──(mikannse㉿kali)-[~/HTB/popcorn]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024 ...
Box Practice Log (139): HTB Cronos
Port scan
┌──(mikannse㉿kali)-[~/HTB/cronos]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 19:08 CST
Warning: 10.10.10.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.13
Host is up (0.087s latency).
Not shown: 62200 closed tcp ports (reset), 3332 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 38.31 seconds
┌─ ...
Box Practice Log (138): HTB Aragog
Port scan
┌──(mikannse㉿kali)-[~/HTB/aragog]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.78
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 09:55 CST
Nmap scan report for 10.10.10.78
Host is up (0.074s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 8.60 seconds
┌──(mikannse㉿kali)-[~/HTB/aragog]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80 10.10.10.78
Starting Nmap 7.94SVN ( https://nmap ...
Box Practice Log (137): HTB Europa
Port scan
┌──(mikannse㉿kali)-[~/HTB/europa]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 22:38 CST
Nmap scan report for 10.10.10.22
Host is up (0.080s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds
┌──(mikannse㉿kali)-[~/HTB/europa]
└─$ sudo nmap -sT -sV -sC -O -p22,80,443 10.10.10.22
Starting Nmap 7.94SV ...
Box Practice Log (136): HTB Querier
Port scan
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.125
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 20:29 CST
Warning: 10.10.10.125 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.125
Host is up (0.070s latency).
Not shown: 64291 closed tcp ports (reset), 1230 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
5985/tcp open  wsman ...
Box Practice Log (135): HTB October
Port scan
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-08 09:59 CST
Nmap scan report for 10.10.10.16
Host is up (0.067s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-0 ...
Box Practice Log (134): HTB Giddy
Port scan
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 21:49 CST
Nmap scan report for 10.10.10.104
Host is up (0.081s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
5985/tcp open  wsman
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80,443,3389,5985 10.10.10.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 2 ...
HTBmisc(2)
Locked Away
main.py
def open_chest():
    with open('flag.txt', 'r') as f:
        print(f.read())

blacklist = [
    'import', 'os', 'sys', 'breakpoint', 'flag', 'txt', 'read', 'eval', 'exec', 'dir',
    'print', 'subprocess', '[', ']', 'echo', 'cat', '>', '<', '"', '\'', 'open'
]

while True:
    command = input('The chest lies waiting... ')
    if any(b in command for b in blacklist):
        print('Invalid command!')
        continue
    try:
        exec(command)
    except Exception:
        pri ...