Nmap
```
PORT    STATE SERVICE      VERSION
53/tcp  open  domain       Simple DNS Plus
80/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-15 07:09:48Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain...
```
User

nmap
```
└─$ sudo nmap -sU 10.129.29.242 --top-ports=200 --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-22 22:08 EDT
Nmap scan report for 10.129.29.242 (10.129.29.242)
Host is up (0.50s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap
####
PORT   STATE SERVICE VERSION
25/tcp open  smtp ...
```
nmap
```
└─$ sudo nmap -sS 10.129.xxx.xxx -p22,80 -sV --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-16 00:24 EDT
Nmap scan report for 10.129.xx.xx (10.129.xx.xx)
Host is up (0.43s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at h...
```
https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/
There is no public exploit for CVE-2024-24592.
Using the upload method from the article as-is, I could only put the pkl into my own directory. Looking at the others, there also seem to be tasks that run every five minutes, so I captured the traffic to take a look.
```
GET /auth.login HTTP/1.1
Host: api.blurry.htb
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-ClearML-Worker: flower
X-Trains-Worker: flower
X-ClearML-Client: clearml-1.16.1
X-Trains-Client: clearml-1.16.1
Authorization: ...
```
What greets you is the same as in CM1: eat 20 of them and you get the flag.
Again, open CE (Cheat Engine) and trace the value.
By the time the fourth one is eaten, the scan has actually narrowed it down enough.
Then I tried changing the value, and found that the change had no effect, or it took effect and reverted a moment later.
I guessed there was some kind of restore logic, so I set a breakpoint on the instruction that writes to the value's memory.
Of the three addresses, this one is the main judgment, because it seems to run the logic every second.
Looking at the assembly, this spot appears to keep assigning the value.
Walking further up to see where the value in edx comes from.
Setting breakpoints on each instruction and having a quick look, it is:
1. The value in memory at [rax+000000B8] is assigned to rdx.
1.1 Here, the address rdx was given points at the bytes 8f 24 (little-endian, i.e. the dword 0x248f).
2. Then eax = 6208CECB.
3. Then imul [rdx] multiplies the value rdx points to by eax; the low 32 bits of the product go to eax (i.e. rax) and the high 32 bits to edx (i.e. rdx), see below.
```
>>> print(bin((0x248f*0x6208CECB)))
0b11100000000000000000000000000000111101100101
>>> print(hex(0b11...
```
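The REPL snippet above only shows the raw product. The following is an added example (not code from the original post) that emulates the one-operand IMUL instruction the trace is stepping through, so the edx/eax split can be checked without a debugger. The operand bytes `8f 24` and eax = 0x6208CECB are the page's values; the memory buffer is constructed here for the demonstration.

```python
# Added example: emulate `imul dword [rdx]` (one-operand, signed form).
# The CPU computes eax * dword[rdx] as a signed 64-bit product and writes the
# low 32 bits to eax (hence rax) and the high 32 bits to edx (hence rdx).
import struct

MASK32 = 0xFFFFFFFF


def to_signed32(v: int) -> int:
    """Interpret a 32-bit pattern as a signed two's-complement integer."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def imul32(eax: int, operand: int) -> tuple[int, int]:
    """One-operand IMUL r/m32: return (edx, eax) after the multiply.

    Both inputs are treated as signed, which is what IMUL does; the unsigned
    MUL would differ only when the top bit of an operand is set.
    """
    product = to_signed32(eax) * to_signed32(operand)
    product &= (1 << 64) - 1           # edx:eax holds the 64-bit two's-complement result
    return (product >> 32) & MASK32, product & MASK32


def read_operand_le(mem: bytes) -> int:
    """Read the dword at [rdx] from little-endian memory bytes, as a debugger shows them."""
    return struct.unpack("<I", mem[:4])[0]


if __name__ == "__main__":
    mem_at_rdx = bytes.fromhex("8f240000")    # constructed: the "8f 24" seen at [rdx]
    operand = read_operand_le(mem_at_rdx)    # 0x248f
    edx, eax = imul32(0x6208CECB, operand)
    print(f"[rdx] = {operand:#x}, edx:eax = {edx:#010x}:{eax:#010x}")
```

With the page's values the product is 0xE00_0000_0F65, so edx ends up as 0xE00 and eax as 0xF65; edx is the register the trace was following, and it is the dword at [rdx] that feeds it. Note that a multiply by a constant like 0x6208CECB followed by keeping only the high half is how compilers commonly implement division by a constant, which is worth keeping in mind when deciding which operand to patch.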
The first thing to understand is XOR, which is very simple; a few examples:
```
0 ^ 1 = 1
1 ^ 0 = 1
0 ^ 0 = 0
1 ^ 1 = 0
one value ^ another value = XOR intermediate
one value ^ XOR intermediate = the other value
the other value ^ XOR intermediate = the one value
any value ^ 0 = that same value
```
Next is an exploitation idea: suppose we have the string 10086 and we simply XOR it with an iv.
```
10086 turns into the following bytes
0x31 0x30 0x30 0x38 0x36
iv = 0x6b 0x72 0x62 0x76 0x67
XOR them position by position and you get
0x5a 0x42 0x52 0x4e 0x51
```
Now, to turn it back into "10086", you just XOR it with the iv once more.
But if I want "10086" to come out as some other value after the XOR, I only need to tamper with the iv.
For example, say I want "10086" XORed with the iv to become 20086.
I can take 0x5a (the result of "1" XOR iv) and XOR it with "2"'s he...
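The IV-tampering idea above, worked through in code as an added example (not from the original post). It uses the page's values ("10086" and iv 6b 72 62 76 67) and shows the two equivalent ways of deriving the forged iv: from the ciphertext, iv' = c ^ p', or from the original iv, iv' = iv ^ p ^ p'. Only the bytes where the known and target plaintexts differ change in the iv, so the rest of the message is untouched; this is the same property that makes the first block of CBC malleable through its IV.

```python
# Added example: forging an XOR iv so a known plaintext decrypts to a chosen one.
# Given c = p ^ iv, anyone who knows p can compute iv' = c ^ p' and the
# receiver will recover p' instead of p, without knowing any key.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings position by position."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def forge_iv(ciphertext: bytes, target_plain: bytes) -> bytes:
    """iv' = c ^ p': the iv that makes ciphertext decrypt to target_plain."""
    return xor_bytes(ciphertext, target_plain)


def flip_iv(iv: bytes, known_plain: bytes, target_plain: bytes) -> bytes:
    """iv' = iv ^ p ^ p': the same iv derived from the original iv instead of c.

    Bytes where known_plain == target_plain are left exactly as they were.
    """
    return xor_bytes(iv, xor_bytes(known_plain, target_plain))


if __name__ == "__main__":
    plain = b"10086"
    iv = bytes([0x6B, 0x72, 0x62, 0x76, 0x67])
    ct = xor_bytes(plain, iv)                 # 5a 42 52 4e 51, as on the page
    new_iv = forge_iv(ct, b"20086")           # 68 72 62 76 67: only the first byte moves
    assert new_iv == flip_iv(iv, plain, b"20086")
    print("ct      :", ct.hex(" "))
    print("iv'     :", new_iv.hex(" "))
    print("decrypt :", xor_bytes(ct, new_iv))  # b'20086'
```

The defence is the usual one: an attacker can do this whenever the iv (or any XOR mask) is under their control and nothing authenticates it, so the iv must be covered by a MAC or an AEAD tag along with the ciphertext.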
User

nmap
```
└─$ sudo nmap -sS 10.129.224.232 -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49670,49671,49672,57884,57889 -sV -T4 --min-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 00:15 EDT
Nmap scan report for 10.129.224.232 (10.129.224.232)
Host is up (0.61s latency).
PORT   STATE SERVICE VERSION
53/tcp open  domain  Simple DNS Plus
80/tcp open  http    nginx 1.25.5
88/tcp open  kerberos-...
```
USER

nmap
```
└─$ sudo nmap -sS 10.129.104.149 -p22,25,80,1337,5000, -sV --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-22 05:42 EDT
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 05:44 (0:00:40 remaining)
Nmap scan report for 10.129.104.149 (10.129.104.149)
Host is up (0.47s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9...
```
Nmap
```
└─$ sudo nmap -sS 10.10.11.11 -p- --min-rate=3000 -O
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 02:00 EDT
Warning: 10.10.11.11 giving up on port because retransmission cap hit (10).
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 53.82% done; ETC: 02:01 (0:00:29 remaining)
Nmap scan report for 10.10.11.11 (10.10.11.11)
Host is up (1.0s latency).
Not shown: 64252 closed tcp ports (res...
```