Thehackerslabs-Phantom Robotics

默认的用户凭证 username: mark password: suP3rPa$sw0rd2026!& Nmap [/home/kali/temp]$ nmap 192.168.56.100 -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-13 12:20:55Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name) |_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=DC01.PHANTOM.THL | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL | Not valid before: 2026-02-21T23:24:38 |_Not valid after: 2027-02-21T23:24:38 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name) |_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=DC01.PHANTOM.THL | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL | Not valid before: 2026-02-21T23:24:38 |_Not valid after: 2027-02-21T23:24:38 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.PHANTOM.THL | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL | Not valid before: 2026-02-21T23:24:38 |_Not valid after: 2027-02-21T23:24:38 |_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name) |_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=DC01.PHANTOM.THL | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL | Not valid before: 2026-02-21T23:24:38 |_Not valid after: 2027-02-21T23:24:38 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 57796/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 57797/tcp open msrpc Microsoft Windows RPC 57808/tcp open msrpc Microsoft Windows RPC 57817/tcp open msrpc Microsoft Windows RPC 57831/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:B2:9C:C3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%) OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016 Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2026-07-13T12:21:47 |_ start_date: N/A |_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b2:9c:c3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) TRACEROUTE HOP RTT ADDRESS 1 0.41 ms 192.168.56.100 修改 /etc/hosts 如下 ...

2026年07月13日 · 8 分钟 · 3888 字 · HYH

Thehackerslabs-Shadows

Nmap [/home/kali/temp]$ cat nmap.result # Nmap 7.95 scan initiated Sun Jul 12 10:00:50 2026 as: /usr/lib/nmap/nmap -A -p- -oN nmap.result 192.168.237.138 Nmap scan report for 192.168.237.138 Host is up (0.00049s latency). Not shown: 65514 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-12 02:02:41Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: SHADOW) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49686/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49704/tcp open msrpc Microsoft Windows RPC 57914/tcp open msrpc Microsoft Windows RPC 58794/tcp open msrpc Microsoft Windows RPC MAC Address: 00:0C:29:16:42:DB (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 2016|10|2012|2022|Phone|7 (97%) OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows Server 2016 (97%), Microsoft Windows 10 1607 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (91%), Microsoft Windows Phone 7.5 or 8.0 (88%), Microsoft Windows Embedded Standard 7 (87%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: SEERVER; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-os-discovery: | OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) | Computer name: Seerver | NetBIOS computer name: SEERVER\x00 | Domain name: shadow.thl | Forest name: shadow.thl | FQDN: Seerver.shadow.thl |_ System time: 2026-07-11T19:03:33-07:00 | smb2-time: | date: 2026-07-12T02:03:33 |_ start_date: 2026-07-12T01:52:20 | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required |_nbstat: NetBIOS name: SEERVER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:16:42:db (VMware) |_clock-skew: mean: 59m59s, deviation: 2h38m44s, median: 0s TRACEROUTE HOP RTT ADDRESS 1 0.49 ms 192.168.237.138 UserEnum [/home/kali/temp]$ kerbrute userenum -d shadow.thl --dc 192.168.237.138 /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 07/12/26 - Ronnie Flathers @ropnop 2026/07/12 10:30:45 > Using KDC(s): 2026/07/12 10:30:45 > 192.168.237.138:88 2026/07/12 10:30:45 > [+] VALID USERNAME: shadow@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: guest@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: Shadow@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: jsmith@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: administrator@shadow.thl 2026/07/12 10:30:46 > [+] VALID USERNAME: SHADOW@shadow.thl 2026/07/12 10:30:46 > [+] VALID USERNAME: Guest@shadow.thl 2026/07/12 10:30:46 > [+] VALID USERNAME: Administrator@shadow.thl 2026/07/12 10:30:47 > [+] VALID USERNAME: helpdesk@shadow.thl 2026/07/12 10:30:49 > [+] VALID USERNAME: GUEST@shadow.thl 2026/07/12 10:30:50 > [+] VALID USERNAME: JSmith@shadow.thl 2026/07/12 10:30:58 > [+] VALID USERNAME: Jsmith@shadow.thl 2026/07/12 10:31:10 > [+] VALID USERNAME: itsupport@shadow.thl 2026/07/12 10:31:21 > [+] VALID USERNAME: JSMITH@shadow.thl 2026/07/12 10:31:27 > Done! Tested 624370 usernames (14 valid) in 42.334 seconds SMB - Get User(shadow) Password 用 smbmap 可以通过 guest 查看到 Incidents 目录 ...

2026年07月12日 · 8 分钟 · 3636 字 · HYH

Thehackerslabs-Folclore

Nmap [root@Hacking] /home/kali/Folclore ❯ nmap 192.168.26.15 -A -p- PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? MAC Address: 08:00:27:EE:0F:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 11|10|2008 (98%) OS CPE: cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 Aggressive OS guesses: Microsoft Windows 11 (98%), Microsoft Windows 10 1903 - 21H1 (91%), Microsoft Windows 10 1803 (89%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (89%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: FOLCLORE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ee:0f:0e (PCS Systemtechnik/Oracle VirtualBox virtual NIC) | smb2-time: | date: 2025-09-02T13:07:21 |_ start_date: N/A TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.26.15 只开了smb服务 ...

2025年09月02日 · 10 分钟 · 4727 字 · HYH

Thehackerslabs-Patata Mágica

Nmap [root@Hacking] /home/kali/Patata ❯ nmap 192.168.26.11 -A PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 |_http-title: Curiosidades CTF | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) |_http-title: Curiosidades CTF |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | tls-alpn: |_ http/1.1 445/tcp open microsoft-ds? MAC Address: 08:00:27:3D:D6:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 10 OS CPE: cpe:/o:microsoft:windows_10 OS details: Microsoft Windows 10 1709 - 21H2 Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-08-30T07:16:27 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: PATATA-MAGICA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3d:d6:cb (PCS Systemtechnik/Oracle VirtualBox virtual NIC) TRACEROUTE HOP RTT ADDRESS 1 0.22 ms 192.168.26.11 File Read 进入到80端口这里有一个Games 到页面底部可以进行交互,可以查看文件内容,并且文件名称通过GET传参 查看一下index.php源码 ...

2025年08月30日 · 5 分钟 · 2291 字 · HYH

Thehackerslabs-Welcome To The Jungle

Nmap [root@Hacking] /home/kali/Jungle ❯ nmap 192.168.55.161 -A -p- PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-title: Welcome to the Jungle - The Hex Guns |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC Dirsearch [root@Hacking] /home/kali/Jungle ❯ feroxbuster -u http://192.168.55.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.161 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 2l 10w 160c http://192.168.55.161/img => http://192.168.55.161/img/ 200 GET 29l 124w 1209c http://192.168.55.161/index.php 200 GET 42l 168w 1915c http://192.168.55.161/albums.php 301 GET 2l 10w 162c http://192.168.55.161/media => http://192.168.55.161/media/ 200 GET 126l 218w 2089c http://192.168.55.161/css/styles.css 200 GET 7l 13w 189c http://192.168.55.161/header.php 200 GET 8487l 45658w 3909539c http://192.168.55.161/img/axl.png 200 GET 29l 124w 1209c http://192.168.55.161/ 200 GET 3l 11w 81c http://192.168.55.161/footer.php 403 GET 29l 91w 1232c http://192.168.55.161/css/ 301 GET 2l 10w 160c http://192.168.55.161/css => http://192.168.55.161/css/ 200 GET 29l 124w 1209c http://192.168.55.161/Index.php 301 GET 2l 10w 162c http://192.168.55.161/Media => http://192.168.55.161/Media/ 200 GET 7731l 46736w 3824296c http://192.168.55.161/img/digital-destruction.png 200 GET 9162l 55315w 4712528c http://192.168.55.161/img/paradise-404.png 200 GET 8321l 48830w 4266377c http://192.168.55.161/img/neon-rebellion.png 301 GET 2l 10w 160c http://192.168.55.161/IMG => http://192.168.55.161/IMG/ 200 GET 7l 13w 189c http://192.168.55.161/Header.php 200 GET 29l 124w 1209c http://192.168.55.161/INDEX.php 301 GET 2l 10w 160c http://192.168.55.161/CSS => http://192.168.55.161/CSS/ 301 GET 2l 10w 160c http://192.168.55.161/Img => http://192.168.55.161/Img/ 200 GET 3l 11w 81c http://192.168.55.161/Footer.php 301 GET 2l 10w 162c http://192.168.55.161/MEDIA => http://192.168.55.161/MEDIA/ 200 GET 7l 13w 189c http://192.168.55.161/HEADER.php 200 GET 3l 11w 81c http://192.168.55.161/FOOTER.php [####################] - 5m 1984940/1984940 0s found:25 errors:0 [####################] - 5m 220546/220546 722/s http://192.168.55.161/ [####################] - 5m 220546/220546 721/s http://192.168.55.161/img/ [####################] - 5m 220546/220546 720/s http://192.168.55.161/media/ [####################] - 5m 220546/220546 721/s http://192.168.55.161/css/ [####################] - 5m 220546/220546 722/s http://192.168.55.161/Media/ [####################] - 5m 220546/220546 723/s http://192.168.55.161/IMG/ [####################] - 5m 220546/220546 728/s http://192.168.55.161/CSS/ [####################] - 5m 220546/220546 729/s http://192.168.55.161/Img/ [####################] - 5m 220546/220546 797/s http://192.168.55.161/MEDIA/ 针对/media目录进行扫描,发现一个压缩包 ...

2025年08月23日 · 3 分钟 · 1407 字 · HYH

Thehackerslabs-Evelator

Information 在pdf文件中,给出了默认的用户名和密码 Nmap [root@Hacking] /home/kali/Evelator ❯ nmap 192.168.55.158 -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-21 13:51:51Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49683/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49706/tcp open msrpc Microsoft Windows RPC 添加bloodhound.thl到/etc/hosts ...

2025年08月22日 · 4 分钟 · 1627 字 · HYH

Thehackerslabs-Pa Que Aiga Lujo

Nmap [root@Hacking] /home/kali/Lujo ❯ nmap 192.168.55.157 -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 17:13 CST Nmap scan report for 192.168.55.157 Host is up (0.00026s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0) | ssh-hostkey: | 256 af:79:a1:39:80:45:fb:b7:cb:86:fd:8b:62:69:4a:64 (ECDSA) |_ 256 6d:d4:9d:ac:0b:f0:a1:88:66:b4:ff:f6:42:bb:f2:e5 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: LuxeCollection - Art\xC3\xADculos de Lujo Exclusivos Dir scan [root@Hacking] /home/kali/Lujo ❯ dirsearch -u http://192.168.55.157 _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://192.168.55.157/ [17:16:08] Scanning: [17:16:09] 403 - 279B - /.php [17:16:15] 200 - 15KB - /index.html [17:16:18] 301 - 318B - /scripts -> http://192.168.55.157/scripts/ [17:16:18] 200 - 937B - /scripts/ [17:16:18] 403 - 279B - /server-status [17:16:18] 403 - 279B - /server-status/ [17:16:19] 301 - 317B - /styles -> http://192.168.55.157/styles/ Task Completed [root@Hacking] /home/kali/Lujo ❯ feroxbuster -u http://192.168.55.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.157 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 221l 524w 5600c http://192.168.55.157/scripts/main.js 200 GET 231l 411w 3799c http://192.168.55.157/styles/responsive.css 200 GET 168l 285w 2899c http://192.168.55.157/styles/components.css 200 GET 230l 445w 4172c http://192.168.55.157/styles/main.css 200 GET 285l 778w 15656c http://192.168.55.157/ 301 GET 9l 28w 318c http://192.168.55.157/scripts => http://192.168.55.157/scripts/ 301 GET 9l 28w 317c http://192.168.55.157/styles => http://192.168.55.157/styles/ [####################] - 2m 661674/661674 0s found:7 errors:0 [####################] - 2m 661638/661638 4945/s http://192.168.55.157/ [####################] - 1s 661638/661638 1070612/s http://192.168.55.157/scripts/ => Directory listing (add --scan-dir-listings to scan) [####################] - 0s 661638/661638 220546000/s http://192.168.55.157/styles/ => Directory listing (add --scan-dir-listings to scan) 什么也没有扫到,那么就从页面里找信息,发现有一些人名 其中Sophia可以进行SSH爆破登录 ...

2025年08月21日 · 3 分钟 · 1481 字 · HYH

Thehackerslabs-Merchan

Nmap [root@kali] /home/kali/merchan ❯ nmap 192.168.55.77 -sV -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 23:07 EDT Nmap scan report for 192.168.55.77 Host is up (0.00028s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) | ssh-hostkey: | 256 da:68:54:15:39:b8:44:ed:b9:08:4c:59:e5:89:50:08 (ECDSA) |_ 256 b4:7d:98:a8:01:e8:3b:17:43:24:43:39:3a:b4:b8:50 (ED25519) 80/tcp open http Apache httpd 2.4.62 |_http-title: Did not follow redirect to http://merchan.thl |_http-server-header: Apache/2.4.62 (Debian) Feroxbuster [root@kali] /home/kali/merchan ❯ feroxbuster -u 'http://www.merchan.thl/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js ⏎ ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://www.merchan.thl/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [js] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 9l 31w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 403 GET 9l 28w 280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 9l 28w 319c http://www.merchan.thl/images => http://www.merchan.thl/images/ 200 GET 8l 29w 28898c http://www.merchan.thl/assets/favicon.ico 200 GET 139l 592w 68236c http://www.merchan.thl/images/camiseta.jpg 200 GET 7l 36w 330c http://www.merchan.thl/js/scripts.js 200 GET 186l 943w 74237c http://www.merchan.thl/images/llavero.jpg 200 GET 10826l 22299w 236792c http://www.merchan.thl/css/styles.css 301 GET 9l 28w 319c http://www.merchan.thl/assets => http://www.merchan.thl/assets/ 200 GET 563l 3920w 380306c http://www.merchan.thl/images/sudadera.png 200 GET 130l 399w 7235c http://www.merchan.thl/ 301 GET 9l 28w 316c http://www.merchan.thl/css => http://www.merchan.thl/css/ 301 GET 9l 28w 315c http://www.merchan.thl/js => http://www.merchan.thl/js/ 200 GET 1l 15w 1365c http://www.merchan.thl/secret.js [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 5m 1102751/1102751 0s found:12 errors:0 [####################] - 5m 220546/220546 740/s http://www.merchan.thl/ [####################] - 5m 220546/220546 726/s http://www.merchan.thl/images/ [####################] - 5m 220546/220546 729/s http://www.merchan.thl/assets/ [####################] - 5m 220546/220546 729/s http://www.merchan.thl/css/ [####################] - 5m 220546/220546 727/s http://www.merchan.thl/js/ 发现有一个secret.js ...

2025年06月05日 · 3 分钟 · 1029 字 · HYH

Thehackerslabs-Hexthink-Silent-Shadow

Nmap [root@kali] /home/kali/hexthink-silent-shadow ❯ nmap 192.168.55.67 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4d:6e:39:a4:15:86:88:70:c7:9d:09:91:a3:0b:18:8c (ECDSA) |_ 256 f9:21:5d:25:ee:76:05:db:01:3b:45:c9:68:b0:82:9f (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). |_http-server-header: Apache/2.4.58 (Ubuntu) 3306/tcp open mysql MariaDB 5.5.5-10.11.11 | mysql-info: | Protocol: 10 | Version: 5.5.5-10.11.11-MariaDB-0ubuntu0.24.04.2 | Thread ID: 34 | Capabilities flags: 63486 | Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, ODBCClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults | Status: Autocommit | Salt: wPg7y~-c,O)~bPI]yfu: |_ Auth Plugin Name: mysql_native_password 9090/tcp open zeus-admin? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, WMSRequest, X11Probe, drda, ibm-db2-das, informix: |_ Protocolo incorrecto. Esto no es HTTP. Mysql 进入到80端口的index.php,查看到存在ctf_user用户,可以使用密码登录,尝试使用空密码登录呢 ...

2025年06月04日 · 2 分钟 · 841 字 · HYH

Thehackerslabs-Black Gold

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap 192.168.56.10 -sV -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Neptune 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-08 07:26:35Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 53459/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 53460/tcp open msrpc Microsoft Windows RPC 53470/tcp open msrpc Microsoft Windows RPC 53479/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:37:4E:C0 (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%) OS CPE: cpe:/o:microsoft:windows_server_2016 Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-04-08T07:27:27 |_ start_date: N/A |_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:37:4e:c0 (Oracle VirtualBox virtual NIC) | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required 修改**/etc/hosts** ...

2025年04月08日 · 3 分钟 · 1464 字 · HYH