HackMyVM-Silentdev

Nmap

[root@Hacking] /home/kali/silentdev ❯ nmap 192.168.26.18 -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 4a:f7:09:40:45:df:25:cc:a4:f5:85:ac:63:c6:13:3e (ECDSA)
|_ 256 58:be:2c:d0:40:af:d5:9c:2a:13:38:82:61:f6:8c:87 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Upload Image
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:3A:A8:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The site opens to an upload page ...

2025-09-05 · 3 min · 1048 words · HYH

HackMyVM-Lazzycorp

Nmap

[root@Hacking] /home/kali/lazycorp ❯ nmap 192.168.55.152 -A -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.55.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 114 119 4096 Jul 16 12:35 pub
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 46:82:43:4b:ef:e0:b0:50:04:c0:d5:2c:3c:5c:7d:4a (RSA)
| 256 52:79:ea:92:35:b4:f2:5d:b9:14:f0:21:1c:eb:2f:66 (ECDSA)
|_ 256 98:fa:95:86:04:75:31:39:c6:60:26:9e:26:86:82:88 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: LazyCorp | Empowering Devs
| http-robots.txt: 2 disallowed entries
|_/cms-admin.php /auth-LazyCorp-dev/
|_http-server-header: Apache/2.4.41 (Ubuntu)

FTP turns out to allow anonymous access ...

2025-08-19 · 3 min · 1245 words · HYH

HackMyVM-Takedown

Nmap

[root@Hacking] /home/kali/Takedown ❯ nmap 192.168.55.138 -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u5 (protocol 2.0)
| ssh-hostkey:
| 3072 51:fb:66:e0:d2:b6:ae:16:a9:d2:74:41:a5:b3:02:2b (RSA)
| 256 93:a0:01:6c:42:cd:26:bf:38:e5:70:fb:b8:c6:b3:fe (ECDSA)
|_ 256 77:c9:ed:41:a5:cb:30:33:08:22:88:f6:a8:28:11:8d (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Cybersecurity Inc - Secure Your Digital World
|_http-server-header: nginx/1.18.0

Add shieldweb.che and ticket.shieldweb.che to /etc/passwd ...

2025-07-31 · 2 min · 645 words · HYH

HackMyVM-Sabulaji

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/sabulaji ❯ nmap 192.168.55.88 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: epages
|_http-server-header: Apache/2.4.62 (Debian)
873/tcp open rsync (protocol version 31)

Dirsearch

[root@kali] /home/kali/sabulaji ❯ dirsearch -u http://192.168.55.88
v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.88/
[03:28:14] Scanning:
[03:28:16] 403 - 278B - /.php
[03:28:23] 200 - 2KB - /index.html
[03:28:27] 403 - 278B - /server-status
[03:28:27] 403 - 278B - /server-status/
Task Completed

Nothing of value here ...

2025-06-13 · 2 min · 821 words · HYH

HackMyVM-Umz

Box Info

OS: Linux
Difficulty: Easy

Nmap

[root@kali] /home/kali/Umz ❯ nmap 192.168.55.73 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: cyber fortress 9000
|_http-server-header: Apache/2.4.62 (Debian)

Dirsearch

[root@kali] /home/kali/Umz ❯ dirsearch -u http://192.168.55.73
v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.73/
[02:39:29] Scanning:
[02:39:30] 403 - 278B - /.php
[02:39:38] 200 - 3KB - /index.html
[02:39:38] 200 - 3KB - /index.php
[02:39:38] 200 - 3KB - /index.php/login/
[02:39:43] 403 - 278B - /server-status/
[02:39:43] 403 - 278B - /server-status
Task Completed

Request Flood

On index.php, you can see that too many requests trigger some kind of mechanism ...

2025-06-04 · 3 min · 1426 words · HYH

HackMyVM-Homelab

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/homelab ❯ nmap 192.168.55.41 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Unix))
|_http-favicon: Apache on Mac OS X
|_http-title: Mac OS X Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.62 (Unix)

Only port 80 is open

Dir Fuzz

[root@kali] /home/kali/homelab ❯ dirsearch -u http://192.168.55.41
v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.41/
[04:47:54] Scanning:
[04:48:00] 200 - 820B - /cgi-bin/printenv
[04:48:00] 200 - 1KB - /cgi-bin/test-cgi
[04:48:01] 200 - 4KB - /error.html
[04:48:01] 200 - 8KB - /favicon.ico
[04:48:02] 200 - 5KB - /index.html
[04:48:05] 301 - 313B - /script -> http://192.168.55.41/script/
[04:48:05] 403 - 276B - /script/
[04:48:06] 301 - 314B - /service -> http://192.168.55.41/service/
[04:48:06] 301 - 319B - /service?Wsdl -> http://192.168.55.41/service/?Wsdl
[04:48:06] 301 - 312B - /style -> http://192.168.55.41/style/
[04:48:10] 403 - 276B - /server-status/
[04:48:11] 403 - 276B - /server-status
Task Completed

[root@kali] /home/kali/homelab ❯ curl http://192.168.55.41/service/
Whoa! But sorry, this service is only available for myself!#

There is a service path, but it seems to require authentication ...

2025-05-17 · 8 min · 3694 words · HYH

HackMyVM-Pycrt

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/pycrt ❯ nmap 192.168.55.36 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
6667/tcp open irc
| irc-info:
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| server: irc.local
| version: InspIRCd-3. irc.local
| source ident: nmap
| source host: 192.168.55.4
|_ error: Closing link: (nmap@192.168.55.4) [Client exited]

Port 80 has nothing exploitable; it is just a static page ...

2025-05-11 · 5 min · 2091 words · HYH

HackMyVM-Immortal

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/immportal ❯ nmap 192.168.55.17 -sV -A -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.55.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 504 Feb 27 2024 message.txt
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 e8:79:ad:8b:d1:a8:39:1b:ac:ed:52:ef:d0:22:0e:eb (RSA)
| 256 65:df:6d:1d:49:11:bd:f3:2f:fa:10:0c:3b:48:69:39 (ECDSA)
|_ 256 f6:b7:bf:cf:a5:d5:1b:26:4e:13:08:31:07:d5:79:b1 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Password
|_http-server-header: Apache/2.4.56 (Debian)

Own www-data ...

2025-04-26 · 2 min · 584 words · HYH

HackMyVM-Up

Box Info

OS: Linux
Difficulty: Easy

Nmap

[root@kali] /home/kali/up ❯ nmap 192.168.55.16 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: RodGar - Subir Imagen

The site opens to an upload page; testing found no vulnerabilities

Feroxbuster

[root@kali] /home/kali/up ❯ feroxbuster -u 'http://192.168.55.16/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯 Target Url │ http://192.168.55.16/
 🚀 Threads │ 50
 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌 Status Codes │ All Status Codes!
 💥 Timeout (secs) │ 7
 🦡 User-Agent │ feroxbuster/2.11.0
 💉 Config File │ /etc/feroxbuster/ferox-config.toml
 🔎 Extract Links │ true
 💲 Extensions │ [php, txt]
 🏁 HTTP methods │ [GET]
 🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
 🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 150l 388w 4489c http://192.168.55.16/
301 GET 9l 28w 316c http://192.168.55.16/uploads => http://192.168.55.16/uploads/
301 GET 9l 28w 319c http://192.168.55.16/javascript => http://192.168.55.16/javascript/
200 GET 150l 388w 4489c http://192.168.55.16/index.php
403 GET 31l 94w 964c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 1w 1301c http://192.168.55.16/uploads/robots.txt
301 GET 9l 28w 329c http://192.168.55.16/javascript/clipboard => http://192.168.55.16/javascript/clipboard/
200 GET 858l 3081w 26377c http://192.168.55.16/javascript/clipboard/clipboard

Own www-data

Note that there is also a **robots.txt under /uploads**; decoding it yields the source code ...

2025-04-26 · 2 min · 830 words · HYH

HackMyVM-Mathdop

Box Info

OS: Linux
Difficulty: Easy

Nmap

[root@kali] /home/kali ❯ nmap 192.168.55.13 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:78:16:74:49:a1:68:9d:54:84:8a:59:e9:38:10:bc (RSA)
| 256 06:0c:4d:9d:2c:32:43:d2:3d:f7:4f:82:c8:15:85:60 (ECDSA)
|_ 256 3b:cd:fc:1f:dd:48:0f:ee:17:78:9a:f1:09:cb:8c:ec (ED25519)
7577/tcp open http Apache Tomcat (language: en)
| http-title: Site doesn't have a title (application/hal+json).
|_Requested resource was http://192.168.55.13:7577/api
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
9393/tcp open http Apache Tomcat (language: en)
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
|_http-title: Site doesn't have a title (application/hal+json).

CVE-2024-37084

Go to the dashboard on port 9393 ...

2025-04-24 · 3 min · 1193 words · HYH