3s0boz/ctf-writeups

# CTF 与实验室报告（Writeups） 来自 TryHackMe、INE（eJPT 备考）和 HackTheBox 的方法论优先报告。每篇报告都记录了完整的攻击链——从侦察到后渗透——重点关注技术推演，而不仅仅是获取 flag。 涵盖 3 个平台的 **43 篇报告**。 ## TryHackMe | 房间 | 关键技术 | |---|---| | [Anonymous](tryhackme/anonymous/) | FTP 匿名写入 cron 脚本，SUID env GTFOBins | | [Blog](tryhackme/blog/) | WordPress 凭据暴力破解，SUID binary 滥用 | | [Brute It](tryhackme/brute-it/) | HTTP 管理面板暴力破解，SSH key 破解，sudo cat shadow | | [Smag Grotto](tryhackme/smag-grotto/) | PCAP 凭据提取，cron job 注入，sudo apt-get GTFOBins | | [Tomghost](tryhackme/tomghost/) | Ghostcat CVE-2020-1938，GPG 密码破解，sudo zip GTFOBins | | [Wgel](tryhackme/wgel/) | HTML 注释用户泄露，暴露的 SSH key，sudo wget 数据外发 | | [Year of the Rabbit](tryhackme/year-of-the-rabbit/) | FTP 隐写术，base64 解码，Hydra SSH，sudo vi GTFOBins | | [GamingServer](tryhackme/gaming-server/) | gobuster 密钥，ssh2john 破解，LXD 容器逃逸 | | [COLDDBOX:EASY](tryhackme/colddbox-easy/) | 非标准 SSH 端口，wpscan 暴力破解，wp-config SSH 重用，sudo vim | | [Chocolate Factory](tryhackme/chocolate-factory/) | FTP 隐写术链，SHA-512 破解，PATH 劫持，sudo vi | | [Lookup](tryhackme/lookup/) | 用户名枚举，elFinder CVE，PATH 劫持，sudo look 文件读取 | ## INE ### 评估方法论 | 实验 | 关键技术 | |---|---| | [Footprinting and Scanning](ine/assessment-methodologies/Footprinting-and-Scanning/) | 主机发现，端口扫描，服务检测 | | [SMB Enumeration with Nmap](ine/assessment-methodologies/SMB-Enumeration-Nmap/) | 10 个 SMB NSE 脚本，guest 会话检测 | | [NetBIOS Hacking](ine/assessment-methodologies/NetBIOS-Hacking/) | 空会话，Hydra SMB，PsExec SYSTEM，autoroute 枢纽 | | [ProFTPd Recon](ine/assessment-methodologies/ProFTPd-Recon/) | Hydra FTP 暴力破解，7 组凭据，7 个 flag | | [SSH Enumeration](ine/assessment-methodologies/SSH-Enumeration/) | Metasploit ssh_version + ssh_login，STOP_ON_SUCCESS | | [Postfix SMTP Recon](ine/assessment-methodologies/Postfix-SMTP-Recon/) | VRFY 用户枚举，EHLO 能力泄露，smtp-user-enum | | [Samba Dictionary Attack](ine/assessment-methodologies/Samba-Dictionary-Attack/) | smb_login + Hydra，smbmap 权限，非浏览共享，RID 循环 | | [Password Cracker Linux](ine/assessment-methodologies/Password-Cracker-Linux/) | ProFTPD 1.3.3c 后门，hashdump，crack_linux auxiliary | | [SNMP Enumeration](ine/assessment-methodologies/SNMP-Enumeration/) | UDP 161，community string 暴力破解，用户列表至 SMB 枢纽，PsExec | ### 系统/主机渗透测试 | 实验 | 关键技术 | |---|---| | [Shellshock](ine/system-host-penetration-testing/Shellshock/) | CVE-2014-6271，Burp Suite User-Agent 注入，bash 环境执行 | | [Exploitation CTF 1](ine/system-host-penetration-testing/Exploitation-CTF-1/) | FlatCore CMS RCE，WordPress Duplicator 文件读取 | | [Exploitation CTF 2](ine/system-host-penetration-testing/Exploitation-CTF-2/) | SMB 暴力破解，pass-the-hash，msfvenom ASPX shell | | [Exploitation CTF 3](ine/system-host-penetration-testing/Exploitation-CTF-3/) | ProFTPD mod_copy，SMB 匿名写入 PHP shell，SUID find | | [System-Host CTF 2 Linux](ine/system-host-penetration-testing/System-Host-CTF-2-Linux/) | Shellshock CGI，libssh 认证绕过，binary PATH 劫持 | | [Linux PrivEsc via Cron Job](ine/system-host-penetration-testing/Linux-PrivEsc-Cron-Job/) | 可写 cron 脚本，printf sudoers 注入 | | [Windows HnNPT](ine/system-host-penetration-testing/Windows-HnNPT/) | WebDAV davtest + cadaver ASP shell，SMB Hydra 暴力破解 | | [MSF CTF 1 Windows](ine/system-host-penetration-testing/MSF-CTF-1-Windows/) | MSSQL RCE，SeImpersonatePrivilege，getsystem | | [Windows PrivEsc PowerUp](ine/system-host-penetration-testing/Windows-PrivEsc-PowerUp/) | Unattend.xml base64 密码，runas，HTA 反向 shell | | [Windows Token Impersonation](ine/system-host-penetration-testing/Windows-Token-Impersonation/) | HFS RCE，Incognito load_tokens，impersonate_token | | [Windows Credential Dumping Kiwi](ine/system-host-penetration-testing/Windows-Credential-Dumping-Kiwi/) | BadBlue RCE，迁移至 lsass，kiwi creds_all + lsa_dump | | [Rootkit Scanner PrivEsc](ine/system-host-penetration-testing/Rootkit-Scanner-PrivEsc/) | chkrootkit 0.49 cron 滥用，MSF 本地漏洞利用 | | [Windows UAC Bypass](ine/system-host-penetration-testing/Windows-UAC-Bypass/) | HFS RCE，UACMe Akagi64 方法 23，hashdump | | [Windows NTLM Hash Cracking](ine/system-host-penetration-testing/Windows-NTLM-Hash-Cracking/) | BadBlue RCE，迁移至 lsass，hashdump，John + Hashcat + MSF crack_windows | ### 基于网络的攻击 | 实验 | 关键技术 | |---|---| | [Network CTF 1 - Wireshark Forensics](ine/network-based-attacks/Network-CTF-1-Wireshark/) | HTTP 过滤器，NBNS 主机名，PowerShell UA 检测，TCP 流提取 | ### 后渗透 | 实验 | 关键技术 | |---|---| | [Meterpreter Basics](ine/post-exploitation/Meterpreter-Basics/) | Xdebug RCE，Meterpreter 文件系统操作，上传/下载，webshell staging | | [Windows Persistence](ine/post-exploitation/Windows-Persistence/) | persistence_service 自启动，getgui RDP 后门用户 | | [Post-Exploitation CTF 2](ine/post-exploitation/Post-Exploitation-CTF-2/) | SSH 暴力破解，NTLM hash 破解 (John)，PrintSpoofer SYSTEM，icacls ACL 绕过 | | [Clearing Tracks Linux](ine/post-exploitation/Clearing-Tracks-Linux/) | Samba is_known_pipename，history -c，/dev/null bash_history | | [Clearing Tracks Windows](ine/post-exploitation/Clearing-Tracks-Windows/) | BadBlue RCE，Meterpreter clearev Windows 事件日志 | ### 枢纽（Pivoting） | 实验 | 关键技术 | |---|---| | [Pivoting](ine/pivoting/Pivoting-INE/) | HFS RCE，autoroute 路由注入，通过枢纽进行 TCP 扫描，portfwd，bind_tcp | | [Pivoting with Metasploit](ine/pivoting/Pivoting-Metasploit/) | HFS RCE，autoroute，portscan/tcp 枢纽，portfwd 指纹识别，BadBlue bind shell | ## HackTheBox | 机器 | 关键技术 | |---|---| | [Support](hackthebox/support/) | LDAP info 属性泄露，机器账户配额，RBCD，Impacket S4U getST，Kerberos PsExec | 所有实验均在受控环境中出于教育目的完成。请参阅每篇报告中的免责声明部分。

标签：CSV导出, CTI, PE 加载器, StruQ, XXE攻击, 协议分析, 威胁模拟, 权限提升, 网络安全, 防御加固, 隐私保护