0x00 前言
最近玩了一下hackthebox,多亏了我高中好好学了英语,里面的80%英文我都能看懂,剩下的就交给谷歌翻译。
简单记录下我在HTB上学到的基础知识
0x01 tenet (23/tcp)
telnet is an old service used for remote management of other hosts on the network. Since the target is running this service, it canreceive telnet connection requests from other hosts in the network (such as ourselves). Usually, connectionrequests through telnet are configured with username/password combinations for increased security.
Sometimes, due to configuration mistakes, some important accounts can be left with blank passwords for the sake of accessibility. This is a significant issue with some network devices or hosts, leaving them open to simple brute-forcing attacks, where the attacker can try logging in sequentially, using a list of usernames with no password input. Some typical important accounts have self-explanatory names, such as:
- admin
- administrator
- root
$ nmap -sV
-sV: Probe open ports to determine service/version info
0x02 FTP(21/tcp)
definition on Wikipedia:
The File Transfer Protocol (FTP) is a standard communication protocol used to transfer computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a clear-text sign-in protocol, generally in the form of a username and password. However, they can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).
However, if the network administrators choose to wrap the connection with the SSL/TLS protocol or tunnel the FTP connection through SSH (as shown below) to add a layer of encryption that only the source anddestination hosts can decrypt, this would successfully foil most Man-in the-Middle attacks. Notice how port 21 has disappeared, as the FTP protocol gets moved under the SSH protocol on port 22, thus being tunneled through it and secured against any interception.
A typical misconfiguration for running FTP services allows an anonymous account to access the service like any other authenticated user. The anonymous username can be input when the prompt appears, followed by any password whatsoever since the service will disregard the password for this specific account.
0x03 SMB(445/tcp)
Using the SMB protocol, an application (or the user of an application) can access files at a remote server, along with other resources such as printers. Thus, a client application can read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.
Despite having the ability to secure access to the share, a network administrator can sometimes make mistakes and accidentaly allow logins without any valid credentials or using either guest accounts or anonymous log-ons
As previously mentioned, we observe that port 445 TCP for SMB is up and running, which means that we have an active share that we could potentially explore. Think of this share as a folder that can be accessed over the internet. In order to do so, we will need the appropriate services and scripts installed. In order to successfully enumerate share content on the remote system, we can use a script called smbclient .
$ sudo apt-get install smbclient
Smbclient will attempt to connect to the remote host and check if there is any authentication required. If there is, it will ask you for a password for your local username. We should take note of this. If we do not specify a specific username to smbclient when attempting to connect to the remote host, it will just use your local machine's username. That is the one you are currently logged into your Virtual Machine with. This is because SMB authentication always requires a username, so by not giving it one explicitly to try to login with, it will just have to pass your current local username to avoid throwing an error with the protocol.
Nevertheless, let us use our local username since we do not know about any remote usernames present on the target host that we could potentially log in with. Next up, after that, we will be prompted for a password. This password is related to the username you input before. Hypothetically, if we were a legitimate remote user trying to log in to their resource, we would know our username and password and log in normally to access our share. In this case, we do not have such credentials, so what we will be trying to perform is any of the following:
- Guest authentication
- Anonymous authentication
Any of these will result in us logging in without knowing a proper username/password combination and seeing the files stored on the share. Let us proceed to try that. We leave the password field blank, simply hitting Enter to tell the script to move along.
Running the command above, we see that four separate shares are displayed. Let us go through each of them and see what they mean.
- ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network connected system. These shares may not be permanently deleted but may be disabled.
- C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.
- IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
- WorkShares - Custom share.