HTB-Facts

Nmap

[/home/kali/Facts]$ nmap facts.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp open  http    nginx 1.26.3 (Ubuntu)
|_http-title: facts
|_http-server-header: nginx/1.26.3 (Ubuntu)

Camaleon CMS

A directory scan turns up /admin:

[/home/kali/Facts]$ feroxbuster -u 'http://facts.htb/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
(feroxbuster banner) by Ben "epi" Risher 🤓 ver: 2.11.0
🎯 Target Url │ http://facts.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
🏁 Press [ENTER] to use the Scan Management Menu™
200 GET 124l 552w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 121l 443w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 69l 448w 30396c http://facts.htb/randomfacts/logopage2.png
200 GET 129l 132w 3508c http://facts.htb/sitemap
200 GET 8l 11w 183c http://facts.htb/rss
200 GET 66l 519w 44082c http://facts.htb/randomfacts/primary-question-mark.png
404 GET 2l 9w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c http://facts.htb/randomfacts/
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/css
200 GET 271l 1166w 19187c http://facts.htb/search
200 GET 160l 773w 15365c http://facts.htb/finland-happiest
200 GET 172l 920w 19730c http://facts.htb/animal-ejected
200 GET 172l 913w 19727c http://facts.htb/first-impressions
200 GET 178l 965w 21754c http://facts.htb/dolphin-fact
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/
200 GET 166l 833w 17324c http://facts.htb/anne-frank
200 GET 160l 721w 15004c http://facts.htb/animal-sweat
200 GET 160l 733w 14975c http://facts.htb/cute-animals
200 GET 172l 925w 19677c http://facts.htb/dark-chocolate
200 GET 64l 988w 206540c http://facts.htb/assets/camaleon_cms/image-not-found-fc3c0e66dc61abf74010e63ef65a2e23c4cb40a3320408f2711f82fdc22b503f.png
200 GET 172l 889w 19556c http://facts.htb/cats-attachment
200 GET 8l 2294w 169312c http://facts.htb/assets/themes/camaleon_first/assets/css/main-41052d2acf5add707cadf8d1c12a89a9daca83fb8178fdd5c9105dc6c566d25d.css
200 GET 9958l 40904w 330571c http://facts.htb/assets/themes/camaleon_first/assets/js/main-2d9adb006939c9873a62dff797c5fc28dff961487a2bb550824c5bc6b8dbb881.js
200 GET 281l 1177w 19593c http://facts.htb/page
302 GET 0l 0w 0c http://facts.htb/admin => http://facts.htb/admin/login

Then register an arbitrary account. After logging into the backend, the exact CMS version is shown. Go to the profile edit page and change the password, then intercept the request and add the part shown in the image ...

2026-02-04 · 3 min · 1184 words · HYH

HTB-Expressway

Nmap

[root@Hacking] /home/kali/expressway ❯ nmap expressway.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It looks like the only open TCP port is 22 (SSH), so the next step is to scan the UDP ports ...

2025-09-28 · 2 min · 993 words · HYH

HTB-HackNeT

Nmap

[root@Hacking] /home/kali/hacknet ❯ nmap hacknet.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA)
|_  256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: HackNet - social network for hackers

The technology stack shows the site uses Django.

Django

Register an arbitrary user and log in; the actions available are: ...

2025-09-16 · 4 min · 1782 words · HYH

HTB-Soulmate

Nmap

[root@Hacking] /home/kali/soulmate ❯ nmap soulmate.htb -A
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http      nginx 1.18.0 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Soulmate - Find Your Perfect Match
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open  http-alt?
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirsearch

[root@Hacking] /home/kali/soulmate ❯ dirsearch -u 'http://soulmate.htb'
(dirsearch v0.4.3 banner)
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://soulmate.htb/
[21:15:09] Scanning:
[21:15:24] 301 - 178B - /assets -> http://soulmate.htb/assets/
[21:15:24] 403 - 564B - /assets/
[21:15:28] 302 - 0B - /dashboard.php -> /login
[21:15:33] 200 - 16KB - /index.php
[21:15:35] 200 - 8KB - /login.php
[21:15:35] 302 - 0B - /logout.php -> login.php
[21:15:40] 302 - 0B - /profile.php -> /login
[21:15:41] 200 - 11KB - /register.php
[21:15:42] 301 - 178B - /shell -> http://soulmate.htb/shell/
[21:15:42] 403 - 564B - /shell/
Task Completed

Subdomain Fuzz

[root@Hacking] /home/kali/soulmate ❯ ffuf -u 'http://soulmate.htb/' -H 'Host: FUZZ.soulmate.htb' -w /usr/share/fuzzDicts/subdomainDicts/main.txt -fw 4
(ffuf v2.1.0-dev banner)
:: Method           : GET
:: URL              : http://soulmate.htb/
:: Wordlist         : FUZZ: /usr/share/fuzzDicts/subdomainDicts/main.txt
:: Header           : Host: FUZZ.soulmate.htb
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
:: Filter           : Response words: 4
ftp [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 209ms]

CrashFTP

Found one that works ...

2025-09-10 · 3 min · 1364 words · HYH

HackMyVM-Silentdev

Nmap

[root@Hacking] /home/kali/silentdev ❯ nmap 192.168.26.18 -A -p-
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
|   256 4a:f7:09:40:45:df:25:cc:a4:f5:85:ac:63:c6:13:3e (ECDSA)
|_  256 58:be:2c:d0:40:af:d5:9c:2a:13:38:82:61:f6:8c:87 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Upload Image
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:3A:A8:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Opening the site shows an upload page ...

2025-09-05 · 3 min · 1048 words · HYH

vulntarget-a

Nmap

[root@Hacking] /home/kali/vulntarget-a ❯ nmap 192.168.237.132 -A
PORT    STATE SERVICE      VERSION
80/tcp  open  http         nginx
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-robots.txt: 1 disallowed entry
|_/
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:99:58:97 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|phone
Running: Microsoft Windows 7|Phone
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
Network Distance: 1 hop
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:99:58:97 (VMware)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: win7-PC
|   NetBIOS computer name: WIN7-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-09-04T10:23:53+08:00
| smb2-time:
|   date: 2025-09-04T02:23:53
|_  start_date: 2025-09-04T02:22:36
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.237.132

Dirsearch

[root@Hacking] /home/kali/vulntarget-a ❯ dirsearch -u 'http://192.168.237.132/'
(dirsearch v0.4.3 banner)
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.237.132/
[10:37:07] Scanning:
[10:37:08] 400 - 166B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:37:11] 301 - 178B - /api -> http://192.168.237.132/api/
[10:37:11] 403 - 564B - /api/
[10:37:11] 403 - 564B - /attachment.asp
[10:37:11] 403 - 564B - /attachment.aspx
[10:37:11] 403 - 564B - /attachment.jsp
[10:37:11] 403 - 564B - /attachment.html
[10:37:11] 403 - 564B - /attachment.htm
[10:37:11] 403 - 564B - /attachmentedit.asp
[10:37:11] 403 - 564B - /attachmentedit.aspx
[10:37:11] 403 - 564B - /attachmentedit.html
[10:37:11] 403 - 564B - /attachmentedit.jsp
[10:37:11] 403 - 564B - /attachmentedit.htm
[10:37:11] 403 - 564B - /attachments
[10:37:11] 403 - 564B - /attachments.aspx
[10:37:11] 403 - 564B - /attachments.jsp
[10:37:11] 403 - 564B - /attachments.html
[10:37:11] 403 - 564B - /attachments.htm
[10:37:11] 403 - 564B - /attachments.asp
[10:37:13] 200 - 894B - /favicon.ico
[10:37:13] 301 - 178B - /general -> http://192.168.237.132/general/
[10:37:14] 301 - 178B - /images -> http://192.168.237.132/./images/
[10:37:14] 403 - 564B - /./images/
[10:37:14] 403 - 564B - /./images/Sym.php
[10:37:14] 403 - 564B - /./images/c99.php
[10:37:14] 301 - 178B - /inc -> http://192.168.237.132/inc/
[10:37:14] 403 - 564B - /inc/
[10:37:14] 200 - 10KB - /index.php
[10:37:14] 400 - 166B - /index.php::$DATA
[10:37:14] 200 - 10KB - /index.php.
[10:37:14] 200 - 10KB - /index.pHp
[10:37:15] 301 - 178B - /mobile -> http://192.168.237.132/mobile/
[10:37:16] 301 - 178B - /portal -> http://192.168.237.132/portal/
[10:37:17] 200 - 26B - /robots.txt
[10:37:17] 301 - 178B - /share -> http://192.168.237.132/share/
[10:37:17] 200 - 0B - /share/
[10:37:17] 200 - 2KB - /portal/
[10:37:18] 301 - 178B - /static -> http://192.168.237.132/static/
[10:37:18] 301 - 178B - /static.. -> http://192.168.237.132/static/
[10:37:18] 403 - 564B - /templates/beez/index.php
[10:37:18] 403 - 564B - /templates/ja-helio-farsi/index.php
[10:37:18] 403 - 564B - /templates/rhuk_milkyway/index.php
[10:37:18] 400 - 166B - /Trace.axd::$DATA
[10:37:19] 400 - 166B - /web.config::$DATA
[10:37:19] 301 - 178B - /WebService -> http://192.168.237.132/WebService/
Task Completed

In what follows I changed the IP, because some tools don't work well on Kali ...

2025-09-04 · 3 min · 1258 words · HYH

vulntarget-c

(Lab topology diagram)

Nmap

[root@Hacking] /home/kali/Desktop ❯ nmap 192.242.168.203 -A -p-
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 27:bb:30:76:e1:47:ab:24:f0:89:5a:05:10:66:e4:7e (RSA)
|   256 ab:df:49:e1:14:43:b1:75:ad:2f:6f:61:37:eb:24:ac (ECDSA)
|_  256 58:ed:00:9a:e5:37:1b:e6:f5:6c:d5:a3:c7:f0:32:67 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Laravel
|_http-server-header: Apache/2.4.41 (Ubuntu)
65534/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_    Auth decrypt failed

Laravel

Port 80 serves a Laravel application, and the page footer shows the version. A nuclei scan reports CVE-2021-3129, which gives direct RCE ...

2025-09-03 · 6 min · 2517 words · HYH

HTB-Guardian

Box Info

OS: Linux
Difficulty: Hard

Nmap

[root@Hacking] /home/kali/Guardian ❯ nmap guardian.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 9c:69:53:e1:38:3b:de:cd:42:0a:c8:6b:f8:95:b3:62 (ECDSA)
|_  256 3c:aa:b9:be:17:2d:5e:99:cc:ff:e1:91:90:38:b7:39 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Guardian University - Empowering Future Leaders
|_http-server-header: Apache/2.4.52 (Ubuntu)

Portal

The subdomain portal.guardian.htb is found in the page source ...

2025-09-02 · 8 min · 3898 words · HYH

Thehackerslabs-Folclore

Nmap

[root@Hacking] /home/kali/Folclore ❯ nmap 192.168.26.15 -A -p-
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
MAC Address: 08:00:27:EE:0F:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 11|10|2008 (98%)
OS CPE: cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2
Aggressive OS guesses: Microsoft Windows 11 (98%), Microsoft Windows 10 1903 - 21H1 (91%), Microsoft Windows 10 1803 (89%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: FOLCLORE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ee:0f:0e (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-time:
|   date: 2025-09-02T13:07:21
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.26.15

Only SMB is open ...

2025-09-02 · 10 min · 4727 words · HYH

Matrix-Breakout-2-Morpheus (New)

Preface

An earlier post already covered this machine, but not via the intended route, so here it is done again.

Nmap

[root@Hacking] /home/kali/Matrix ❯ nmap 192.168.237.173 -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-30 09:07 CST
Nmap scan report for 192.168.237.173
Host is up (0.00032s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|_  256 aa:83:c3:51:78:61:70:e5:b7:46:9f:07:c4:ba:31:e4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Morpheus:1
81/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Meeting Place
|_http-title: 401 Authorization Required

Feroxbuster

[root@Hacking] /home/kali/Matrix ❯ feroxbuster -u 'http://192.168.237.173/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php
(feroxbuster banner) by Ben "epi" Risher 🤓 ver: 2.11.0
🎯 Target Url │ http://192.168.237.173/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🏁 Press [ENTER] to use the Scan Management Menu™
404 GET 9l 31w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 175l 1014w 78508c http://192.168.237.173/trinity.jpeg
200 GET 15l 45w 348c http://192.168.237.173/
301 GET 9l 28w 323c http://192.168.237.173/javascript => http://192.168.237.173/javascript/
200 GET 1l 7w 47c http://192.168.237.173/robots.txt
200 GET 4l 27w 139c http://192.168.237.173/graffiti.txt
200 GET 24l 56w 451c http://192.168.237.173/graffiti.php
301 GET 9l 28w 330c http://192.168.237.173/javascript/jquery => http://192.168.237.173/javascript/jquery/
200 GET 10870l 44283w 287600c http://192.168.237.173/javascript/jquery/jquery
[####################] - 3m 1984956/1984956 0s found:8 errors:0
[####################] - 3m 661638/661638 4125/s http://192.168.237.173/
[####################] - 3m 661638/661638 3743/s http://192.168.237.173/javascript/
[####################] - 3m 661638/661638 4219/s http://192.168.237.173/javascript/jquery/

Two unusual files stand out: graffiti.txt and graffiti.php ...

2025-08-30 · 4 min · 1698 words · HYH