HTB-Voleur

Box Info OS Difficulty Windows Medium As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt Nmap PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-10 17:46:07Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA) | 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA) |_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519) 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Add dc.voleur.htb to /etc/hosts ...

2025-07-10 · 5 min · 2435 words · HYH

HTB-RustyKey

Box Info OS Difficulty Windows Hard As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A Nmap [root@kali] /home/kali/RustyKey ❯ nmap rustykey.htb -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 13:48:41Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found GetTGT (rr.parker) The account provided by default cannot be used directly for authentication ...

2025-07-01 · 7 min · 3364 words · HYH

HTB-Artificial

Nmap [root@kali] /home/kali/Artificial ❯ nmap Artificial.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA) | 256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA) |_ 256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Artificial - AI Solutions |_http-server-header: nginx/1.18.0 (Ubuntu) TensorFlow RCE Register an arbitrary user, go to the upload page, and obtain requirement.txt and dockerfile ...

2025-06-23 · 3 min · 1297 words · HYH

HTB-TombWatcher

Box Info OS Difficulty Windows Medium As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV! Nmap [root@kali] /home/kali/TombWatcher ❯ nmap TombWatcher.htb -sV -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-08 15:48:25Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found Add DC01.tombwatcher.htb to /etc/hosts ...

2025-06-13 · 6 min · 2647 words · HYH

HTB-Certificate

Box Info OS Difficulty Windows Hard Nmap [root@kali] /home/kali/Certificate ❯ nmap Certificate.htb -sV -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30) |_http-title: Certificate | Your portal for certification |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-01 09:04:19Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. | ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. 
| ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Add DC01.certificate.htb to /etc/hosts ...

2025-06-08 · 8 min · 3866 words · HYH

HTB-Fluffy

Box Info OS Difficulty Windows Easy As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990! Nmap [root@kali] /home/kali/Fluffy ❯ nmap Fluffy.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) Add dc01.fluffy.htb to /etc/host ...

2025-05-29 · 6 min · 2729 words · HYH

HTB-Puppy

Box Info OS Difficulty Windows Medium As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025! Nmap [root@kali] /home/kali/Puppy ❯ nmap puppy.htb -sV PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 111/tcp open rpcbind 2-4 (RPC #100000) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 2049/tcp open nlockmgr 1-4 (RPC #100021) 3260/tcp open iscsi? 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) RPC [root@kali] /home/kali/Puppy ❯ rpcclient 10.xx.xx.xx -U levi.james ⏎ Password for [WORKGROUP\levi.james]: rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[levi.james] rid:[0x44f] user:[ant.edwards] rid:[0x450] user:[adam.silver] rid:[0x451] user:[jamie.williams] rid:[0x452] user:[steph.cooper] rid:[0x453] user:[steph.cooper_adm] rid:[0x457] rpcclient $> This gives a list of users ...

2025-05-28 · 6 min · 2727 words · HYH

HTB-Planning

Box Info OS Linux Difficulty Easy As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r Nmap [root@kali] /home/kali/Planning ❯ nmap planning.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA) |_ 256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519) 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-server-header: nginx/1.24.0 (Ubuntu) |_http-title: Edukate - Online Education Website There is nothing exploitable on port 80, so try brute-forcing subdomains ...

2025-05-12 · 2 min · 772 words · HYH

HTB-Environment

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Environment ❯ nmap Environment.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA) |_ 256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519) 80/tcp open http nginx 1.22.1 |_http-title: Save the Environment | environment.htb |_http-server-header: nginx/1.22.1 Dirsearch [root@kali] /home/kali/Environment ❯ dirsearch -u http://environment.htb _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://environment.htb/ [07:23:08] Scanning: [07:23:23] 403 - 555B - /admin/.config [07:23:23] 403 - 555B - /admin/.htaccess [07:23:39] 403 - 555B - /administrator/.htaccess [07:23:43] 403 - 555B - /admpar/.ftppass [07:23:43] 403 - 555B - /admrev/.ftppass [07:23:46] 403 - 555B - /app/.htaccess [07:23:52] 403 - 555B - /bitrix/.settings.bak [07:23:52] 403 - 555B - /bitrix/.settings [07:23:52] 403 - 555B - /bitrix/.settings.php.bak [07:23:54] 301 - 169B - /build -> http://environment.htb/build/ [07:23:54] 403 - 555B - /build/ [07:24:15] 403 - 555B - /ext/.deps [07:24:15] 200 - 0B - /favicon.ico [07:24:26] 200 - 4KB - /index.php [07:24:26] 200 - 2KB - /index.php/login/ [07:24:31] 403 - 555B - /lib/flex/varien/.project [07:24:31] 403 - 555B - /lib/flex/uploader/.actionScriptProperties [07:24:31] 403 - 555B - /lib/flex/varien/.flexLibProperties [07:24:31] 403 - 555B - /lib/flex/varien/.actionScriptProperties [07:24:31] 403 - 555B - /lib/flex/uploader/.flexProperties [07:24:31] 403 - 555B - /lib/flex/uploader/.project [07:24:31] 403 - 555B - /lib/flex/uploader/.settings [07:24:31] 403 - 555B - /lib/flex/varien/.settings [07:24:34] 200 - 2KB - /login [07:24:34] 200 - 2KB - /login/ [07:24:35] 302 - 358B - /logout/ -> http://environment.htb/login [07:24:35] 302 - 358B - /logout -> 
http://environment.htb/login [07:24:36] 403 - 555B - /mailer/.env [07:25:01] 403 - 555B - /resources/sass/.sass-cache/ [07:25:01] 403 - 555B - /resources/.arch-internal-preview.css [07:25:02] 200 - 24B - /robots.txt [07:25:12] 301 - 169B - /storage -> http://environment.htb/storage/ [07:25:12] 403 - 555B - /storage/ [07:25:19] 403 - 555B - /twitter/.env [07:25:21] 405 - 244KB - /upload/ [07:25:22] 405 - 244KB - /upload [07:25:24] 403 - 555B - /vendor/ Task Completed Env Bypass Go to the login page and capture the request; the error message is returned directly ...

2025-05-07 · 3 min · 1134 words · HYH

HTB-Eureka

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Eureka ❯ nmap Eureka.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA) | 256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA) |_ 256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://furni.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) Add furni.htb to **/etc/hosts** ...

2025-04-29 · 5 min · 2094 words · HYH