Game Zone
Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!
This room will cover SQLi (exploiting this vulnerability manually and via SQLMap), cracking a user's hashed password, using SSH tunnels to reveal a hidden service, and using a Metasploit payload to gain root privileges.
Intercept the request with Burp and save it to a text file (request.txt).
sqlmap -r request.txt --dbms=mysql --dump
-r uses the intercepted request you saved earlier
--dbms tells SQLMap what type of database management system it is
--dump attempts to output the entire database
john-the-ripper-hash-formats
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
John comes in three versions:
jumbo, john, pro
The one installed on Kali is the jumbo version, which supports cracking many more hash types.
john hash.txt --wordlist= --format=
agent47
videogamer124
SSH (Reverse port forwarding)
-L is a local tunnel (YOU <-- CLIENT).
If a site was blocked, you can forward the traffic to a server you own and view it.
For example, if imgur was blocked at work, you can do ssh -L 9000:imgur.com:80 user@example.com. Going to localhost:9000 on your machine will load imgur traffic using your other server.
-R is a remote tunnel (YOU --> CLIENT).
You forward your traffic to the other server for others to view. Similar to the example above, but in reverse.
ss: similar to netstat (a Linux networking tool)
We will use a tool called ss to investigate sockets running on a host.
If we run ss -tulpn it will tell us what socket connections are running.
-t: Display TCP sockets
-u: Display UDP sockets
-l: Displays only listening sockets
-p: Shows the process using the socket
-n: Doesn't resolve service names
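The room's point is that a service can be listening but bound only to the loopback address, so it is invisible from outside. As an added example (not from the room or the original notes), the following parses a constructed `ss -tulpn` listing and reports the listeners that only loopback can reach, which is the list a defender wants when auditing a host for services that a firewall rule hides rather than removes. The sample output, process names and PIDs are constructed, not captured from the room's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output (not captured from the room's machine).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:10000   0.0.0.0:*         users:(("perl",pid=1234,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=900,fd=20))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=500,fd=6))
tcp   LISTEN 0      128    [::]:80           [::]:*            users:(("apache2",pid=1000,fd=4))
"""

@dataclass
class Socket:
    proto: str
    state: str
    addr: str
    port: int
    process: str
    pid: int

# Matches the first ("name",pid=N ...) entry in the Process column.
PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Turn `ss -tulpn` text into Socket records, skipping the header line."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = fields[:6]
        proc_field = fields[6] if len(fields) > 6 else ""
        addr, port = local.rsplit(":", 1)       # "[::]:80" -> "[::]", "80"
        m = PROCESS_RE.search(proc_field)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        sockets.append(Socket(netid, state, addr,
                              int(port) if port.isdigit() else 0, name, pid))
    return sockets

def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "localhost")

def loopback_only_listeners(sockets):
    """(port, process) pairs that are listening but bound only to loopback."""
    return sorted((s.port, s.process) for s in sockets
                  if s.state == "LISTEN" and is_loopback(s.addr))

if __name__ == "__main__":
    for port, proc in loopback_only_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"loopback-only listener: port {port} ({proc})")
```

Run it against real output with `ss -tulpn | python3 this_script.py` after swapping the constant for `sys.stdin.read()`; anything it prints is reachable through an `ssh -L` tunnel from any account that can log in, so the firewall rule alone is not the control.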
iptables (firewall): cannot be inspected without privilege escalation; only root can view the rules.
We can see that a service running on port 10000 is blocked via a firewall rule from the outside (we can see this from the iptables list). However, using an SSH tunnel we can expose the port to us (locally)!
$> iptables -L
From our local machine, run ssh -L 10000:localhost:10000 target_user@target_ip
Once complete, in your browser type "localhost:10000" and you can access the newly-exposed webserver.
kali> ssh -L 10000:localhost:10000 agent47@10.10.206.248
(Useful when something is only reachable locally, such as a MySQL admin port or a web admin page, and you want to reach it from outside.)
Connects to the target (10.10.206.248) and forwards my local port 10000 to port 10000 on the target's localhost.