Enterprise information security triathlon race sample questions (attack phase)

First, download the archive.
Link: https://pan.baidu.com/s/1W4vikZnRkWsFyw0oTMI6TQ
Extraction code: j4gd
The password for extracting the archive is t3sec.

Then set up the virtual machines according to the extracted file "virtual machine configuration .docx".

The sample questions can be worked through together with "attack writeup.docx".

The challenge provides three virtual machines, but only a web portal is exposed; the other two virtual machines cannot be operated directly.

This challenge simulates the real challenge phase of the competition. The objective is to penetrate the environment and obtain the flags hidden in this small topology. The flag format is flagx{32 bit MD5}, where x is the flag number; there are five flags in total, numbered 1-5.

All of the following attacks are carried out from Kali.


1. Brute-forcing the admin backend

Access the web address; in my setup the IP is 192.168.50.134.

Access 192.168.50.134 in the browser.
Use a scanning tool to scan the site.
The admin backend can be found; try to log in.
The backend is found, but we do not have a login for it, so use Burp Suite to brute-force it.

The brute force recovers the password.

After logging in, we can see the first flag.
Using the file manager to go up to the parent directory, the third flag can be found in Thisisyourflag.

SQL Injection

A sql directory was found when scanning for the backend, so you can try injecting it with sqlmap.

It is found to be injectable. View all databases available to the current user.
Try viewing the table names of the first database; two interesting table names are found.
View the contents of the flag table.
The second flag can be found there.

Viewing the contents of the topsec_admin table yields usernames and passwords.
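A defender-side view of the two steps above (the Burp Suite brute force and the sqlmap run), as an added example that is not part of the original post: a Python script that scans web access logs for repeated login POSTs from one client and for sqlmap's default User-Agent. The log lines, client IPs, and the paths /admin/login.php and /sql/ are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def _line(ip, sec, method, path, ua):
    # Build one constructed log line (all values are illustrative, not from the post).
    return (f'{ip} - - [17/Feb/2020:10:00:{sec:02d} +0800] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample: six rapid login POSTs, one ordinary login, one sqlmap request.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, "POST", "/admin/login.php", "Mozilla/5.0") for s in range(0, 12, 2)]
    + [_line("10.0.0.9", 30, "POST", "/admin/login.php", "Mozilla/5.0"),
       _line("10.0.0.5", 40, "GET", "/sql/?id=1", "sqlmap/1.4#stable (http://sqlmap.org)")])

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined log format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(log_text, login_path="/admin/login.php", threshold=5, window=timedelta(seconds=60)):
    """Return {ip: set of reasons} for clients that look like automated tooling."""
    alerts = defaultdict(set)
    posts = defaultdict(list)  # ip -> timestamps of recent login POSTs
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["ua"].lower().startswith("sqlmap/"):
            alerts[rec["ip"]].add("sqlmap-user-agent")
        if rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            times = posts[rec["ip"]]
            times.append(rec["ts"])
            while rec["ts"] - times[0] > window:  # drop attempts outside the window
                times.pop(0)
            if len(times) >= threshold:
                alerts[rec["ip"]].add("login-brute-force")
    return dict(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The User-Agent check only catches sqlmap run with its default settings, so the rate-based rule and server-side lockout or CAPTCHA on the login form remain the primary controls.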

Scan 192.168.50.1-255 with nmap. You can see that 192.168.50.130 has port 3389 open for remote connections and that its operating system is Windows.

Remote login

Next, use the usernames and passwords from the topsec_admin table above to try to log in to this machine remotely. The user administrator with the password topsec.123 can log in. You can then view this machine's information, and the fourth flag can be found on its C drive.

Open Network and find another host.

Using mimikatz to dump passwords, you can get a username and password.

Knowing the domain the machine belongs to, check the IP of the domain controller.

Next, try to log in to this domain controller with the dumped username and password.
This is a bit more awkward, but you can click OK to change the password; after a successful login, the fifth flag can be found on the C drive.

So I have found all five flags.

Origin blog.csdn.net/weixin_40958742/article/details/104345521