Thehackerslabs-Patata Mágica

Nmap

[root@Hacking] /home/kali/Patata ❯ nmap 192.168.26.11 -A
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Curiosidades CTF
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Curiosidades CTF
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
MAC Address: 08:00:27:3D:D6:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 21H2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-30T07:16:27
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: PATATA-MAGICA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3d:d6:cb (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.26.11

File Read

On port 80 there is a Games section. At the bottom of the page there is an interactive feature that displays file contents, and the file name is passed as a GET parameter. Take a look at the index.php source ...

2025-08-30 · 5 min · 2291 words · HYH

HTB-Previous

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@Hacking] /home/kali ❯ nmap previous.htb -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: PreviousJS
|_http-server-header: nginx/1.18.0 (Ubuntu)

Dirsearch

[root@Hacking] /home/kali ❯ dirsearch -u http://previous.htb
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://previous.htb/
[10:42:11] Scanning:
[10:42:44] 307 - 40B - /api.json -> /api/auth/signin?callbackUrl=%2Fapi.json
[10:42:44] 307 - 39B - /api.php -> /api/auth/signin?callbackUrl=%2Fapi.php
[10:42:44] 307 - 40B - /api-docs -> /api/auth/signin?callbackUrl=%2Fapi-docs
[10:42:44] 307 - 35B - /api -> /api/auth/signin?callbackUrl=%2Fapi
[10:42:44] 307 - 39B - /api-doc -> /api/auth/signin?callbackUrl=%2Fapi-doc
[10:42:44] 307 - 39B - /api.log -> /api/auth/signin?callbackUrl=%2Fapi.log
[10:42:44] 307 - 60B - /api/2/issue/createmeta -> /api/auth/signin?callbackUrl=%2Fapi%2F2%2Fissue%2Fcreatemeta
[10:42:44] 307 - 38B - /api.py -> /api/auth/signin?callbackUrl=%2Fapi.py
[10:42:44] 307 - 41B - /api/api -> /api/auth/signin?callbackUrl=%2Fapi%2Fapi
[10:42:44] 307 - 46B - /api/api-docs -> /api/auth/signin?callbackUrl=%2Fapi%2Fapi-docs
[10:42:44] 307 - 52B - /api/cask/graphql -> /api/auth/signin?callbackUrl=%2Fapi%2Fcask%2Fgraphql
[10:42:44] 307 - 45B - /api/apidocs -> /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs
[10:42:44] 307 - 49B - /api/config.json -> /api/auth/signin?callbackUrl=%2Fapi%2Fconfig.json
[10:42:44] 307 - 60B - /api/apidocs/swagger.json -> /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs%2Fswagger.json
[10:42:44] 307 - 43B - /api/batch -> /api/auth/signin?callbackUrl=%2Fapi%2Fbatch
[10:42:44] 307 - 54B - /api/application.wadl -> /api/auth/signin?callbackUrl=%2Fapi%2Fapplication.wadl
[10:42:44] 307 - 44B - /api/config -> /api/auth/signin?callbackUrl=%2Fapi%2Fconfig
<skip>

Opening the site shows the PreviousJS home page. Clicking Get Started then leads to the login page ...

2025-08-28 · 6 min · 2634 words · HYH

Thehackerslabs-Welcome To The Jungle

Nmap

[root@Hacking] /home/kali/Jungle ❯ nmap 192.168.55.161 -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Welcome to the Jungle - The Hex Guns
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC

Dirsearch

[root@Hacking] /home/kali/Jungle ❯ feroxbuster -u http://192.168.55.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.161
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 160c http://192.168.55.161/img => http://192.168.55.161/img/
200 GET 29l 124w 1209c http://192.168.55.161/index.php
200 GET 42l 168w 1915c http://192.168.55.161/albums.php
301 GET 2l 10w 162c http://192.168.55.161/media => http://192.168.55.161/media/
200 GET 126l 218w 2089c http://192.168.55.161/css/styles.css
200 GET 7l 13w 189c http://192.168.55.161/header.php
200 GET 8487l 45658w 3909539c http://192.168.55.161/img/axl.png
200 GET 29l 124w 1209c http://192.168.55.161/
200 GET 3l 11w 81c http://192.168.55.161/footer.php
403 GET 29l 91w 1232c http://192.168.55.161/css/
301 GET 2l 10w 160c http://192.168.55.161/css => http://192.168.55.161/css/
200 GET 29l 124w 1209c http://192.168.55.161/Index.php
301 GET 2l 10w 162c http://192.168.55.161/Media => http://192.168.55.161/Media/
200 GET 7731l 46736w 3824296c http://192.168.55.161/img/digital-destruction.png
200 GET 9162l 55315w 4712528c http://192.168.55.161/img/paradise-404.png
200 GET 8321l 48830w 4266377c http://192.168.55.161/img/neon-rebellion.png
301 GET 2l 10w 160c http://192.168.55.161/IMG => http://192.168.55.161/IMG/
200 GET 7l 13w 189c http://192.168.55.161/Header.php
200 GET 29l 124w 1209c http://192.168.55.161/INDEX.php
301 GET 2l 10w 160c http://192.168.55.161/CSS => http://192.168.55.161/CSS/
301 GET 2l 10w 160c http://192.168.55.161/Img => http://192.168.55.161/Img/
200 GET 3l 11w 81c http://192.168.55.161/Footer.php
301 GET 2l 10w 162c http://192.168.55.161/MEDIA => http://192.168.55.161/MEDIA/
200 GET 7l 13w 189c http://192.168.55.161/HEADER.php
200 GET 3l 11w 81c http://192.168.55.161/FOOTER.php
[####################] - 5m 1984940/1984940 0s found:25 errors:0
[####################] - 5m 220546/220546 722/s http://192.168.55.161/
[####################] - 5m 220546/220546 721/s http://192.168.55.161/img/
[####################] - 5m 220546/220546 720/s http://192.168.55.161/media/
[####################] - 5m 220546/220546 721/s http://192.168.55.161/css/
[####################] - 5m 220546/220546 722/s http://192.168.55.161/Media/
[####################] - 5m 220546/220546 723/s http://192.168.55.161/IMG/
[####################] - 5m 220546/220546 728/s http://192.168.55.161/CSS/
[####################] - 5m 220546/220546 729/s http://192.168.55.161/Img/
[####################] - 5m 220546/220546 797/s http://192.168.55.161/MEDIA/

Scanning the /media directory turns up a compressed archive ...

2025-08-23 · 3 min · 1407 words · HYH

Thehackerslabs-Evelator

Information

The PDF file gives the default username and password.

Nmap

[root@Hacking] /home/kali/Evelator ❯ nmap 192.168.55.158 -A -p-
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-21 13:51:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC

Add bloodhound.thl to /etc/hosts ...

2025-08-22 · 4 min · 1627 words · HYH

HTB-CodeTwo

Nmap

[root@Hacking] /home/kali/CodeTwo ❯ nmap codetwo.htb -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA)
| 256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA)
|_ 256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open http Gunicorn 20.0.4
|_http-title: Welcome to CodeTwo
|_http-server-header: gunicorn/20.0.4
Device type: general purpose

CVE-2024-28397

There is a /download route that lets you download the source code:

from flask import Flask, render_template, request, redirect, url_for, session, jsonify, send_from_directory
from flask_sqlalchemy import SQLAlchemy
import hashlib
import js2py
import os
import json

js2py.disable_pyimport()
app = Flask(__name__)
app.secret_key = 'S3cr3tK3yC0d3Tw0'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    password_hash = db.Column(db.String(128), nullable=False)

class CodeSnippet(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)
    code = db.Column(db.Text, nullable=False)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/dashboard')
def dashboard():
    if 'user_id' in session:
        user_codes = CodeSnippet.query.filter_by(user_id=session['user_id']).all()
        return render_template('dashboard.html', codes=user_codes)
    return redirect(url_for('login'))

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        password_hash = hashlib.md5(password.encode()).hexdigest()
        new_user = User(username=username, password_hash=password_hash)
        db.session.add(new_user)
        db.session.commit()
        return redirect(url_for('login'))
    return render_template('register.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        password_hash = hashlib.md5(password.encode()).hexdigest()
        user = User.query.filter_by(username=username, password_hash=password_hash).first()
        if user:
            session['user_id'] = user.id
            session['username'] = username;
            return redirect(url_for('dashboard'))
        return "Invalid credentials"
    return render_template('login.html')

@app.route('/logout')
def logout():
    session.pop('user_id', None)
    return redirect(url_for('index'))

@app.route('/save_code', methods=['POST'])
def save_code():
    if 'user_id' in session:
        code = request.json.get('code')
        new_code = CodeSnippet(user_id=session['user_id'], code=code)
        db.session.add(new_code)
        db.session.commit()
        return jsonify({"message": "Code saved successfully"})
    return jsonify({"error": "User not logged in"}), 401

@app.route('/download')
def download():
    return send_from_directory(directory='/home/app/app/static/', path='app.zip', as_attachment=True)

@app.route('/delete_code/<int:code_id>', methods=['POST'])
def delete_code(code_id):
    if 'user_id' in session:
        code = CodeSnippet.query.get(code_id)
        if code and code.user_id == session['user_id']:
            db.session.delete(code)
            db.session.commit()
            return jsonify({"message": "Code deleted successfully"})
        return jsonify({"error": "Code not found"}), 404
    return jsonify({"error": "User not logged in"}), 401

@app.route('/run_code', methods=['POST'])
def run_code():
    try:
        code = request.json.get('code')
        result = js2py.eval_js(code)
        return jsonify({'result': result})
    except Exception as e:
        return jsonify({'error': str(e)})

if __name__ == '__main__':
    with app.app_context():
        db.create_all()
    app.run(host='0.0.0.0', debug=True)

Note that /run_code takes a parameter and passes it to js2py.eval_js; a search shows how the sandbox can be escaped ...

2025-08-21 · 3 min · 1440 words · HYH

Thehackerslabs-Pa Que Aiga Lujo

Nmap

[root@Hacking] /home/kali/Lujo ❯ nmap 192.168.55.157 -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 17:13 CST
Nmap scan report for 192.168.55.157
Host is up (0.00026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 af:79:a1:39:80:45:fb:b7:cb:86:fd:8b:62:69:4a:64 (ECDSA)
|_ 256 6d:d4:9d:ac:0b:f0:a1:88:66:b4:ff:f6:42:bb:f2:e5 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: LuxeCollection - Art\xC3\xADculos de Lujo Exclusivos

Dir scan

[root@Hacking] /home/kali/Lujo ❯ dirsearch -u http://192.168.55.157
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.157/
[17:16:08] Scanning:
[17:16:09] 403 - 279B - /.php
[17:16:15] 200 - 15KB - /index.html
[17:16:18] 301 - 318B - /scripts -> http://192.168.55.157/scripts/
[17:16:18] 200 - 937B - /scripts/
[17:16:18] 403 - 279B - /server-status
[17:16:18] 403 - 279B - /server-status/
[17:16:19] 301 - 317B - /styles -> http://192.168.55.157/styles/
Task Completed

[root@Hacking] /home/kali/Lujo ❯ feroxbuster -u http://192.168.55.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.157
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 221l 524w 5600c http://192.168.55.157/scripts/main.js
200 GET 231l 411w 3799c http://192.168.55.157/styles/responsive.css
200 GET 168l 285w 2899c http://192.168.55.157/styles/components.css
200 GET 230l 445w 4172c http://192.168.55.157/styles/main.css
200 GET 285l 778w 15656c http://192.168.55.157/
301 GET 9l 28w 318c http://192.168.55.157/scripts => http://192.168.55.157/scripts/
301 GET 9l 28w 317c http://192.168.55.157/styles => http://192.168.55.157/styles/
[####################] - 2m 661674/661674 0s found:7 errors:0
[####################] - 2m 661638/661638 4945/s http://192.168.55.157/
[####################] - 1s 661638/661638 1070612/s http://192.168.55.157/scripts/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s 661638/661638 220546000/s http://192.168.55.157/styles/ => Directory listing (add --scan-dir-listings to scan)

The scans found nothing, so look for information in the page itself, which contains some people's names. Of these, Sophia can be logged in via SSH brute force ...

2025-08-21 · 3 min · 1481 words · HYH

HackMyVM-Lazzycorp

Nmap

[root@Hacking] /home/kali/lazycorp ❯ nmap 192.168.55.152 -A -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.55.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 114 119 4096 Jul 16 12:35 pub
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 46:82:43:4b:ef:e0:b0:50:04:c0:d5:2c:3c:5c:7d:4a (RSA)
| 256 52:79:ea:92:35:b4:f2:5d:b9:14:f0:21:1c:eb:2f:66 (ECDSA)
|_ 256 98:fa:95:86:04:75:31:39:c6:60:26:9e:26:86:82:88 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: LazyCorp | Empowering Devs
| http-robots.txt: 2 disallowed entries
|_/cms-admin.php /auth-LazyCorp-dev/
|_http-server-header: Apache/2.4.41 (Ubuntu)

FTP allows anonymous access ...

2025-08-19 · 3 min · 1245 words · HYH

HTB-Editor

Box Info

OS: Linux
Difficulty: Easy

Nmap

[root@Hacking] /home/kali/Editor ❯ nmap editor.htb -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open http Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| WebDAV type: Unknown
|_ Server Type: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/

CVE-2025-24893

On port 8080, the version information is shown at the bottom of the page. A search turned up this script ...

2025-08-09 · 1 min · 457 words · HYH

HTB-Era

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@Hacking] /home/kali/era ❯ nmap era.htb -A
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Era Designs
|_http-server-header: nginx/1.18.0 (Ubuntu)

Dirsearch

[root@Hacking] /home/kali/era ❯ dirsearch -u era.htb
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://era.htb/
[10:07:41] Scanning:
[10:08:17] 301 - 178B - /css -> http://era.htb/css/
[10:08:24] 301 - 178B - /fonts -> http://era.htb/fonts/
[10:08:26] 301 - 178B - /img -> http://era.htb/img/
[10:08:26] 200 - 19KB - /index.html
[10:08:31] 301 - 178B - /js -> http://era.htb/js/
[10:08:31] 403 - 564B - /js/
Task Completed

The directory scan does not seem to turn up anything, and the site has nothing to interact with, so the next step is to try subdomain brute-forcing ...

2025-08-05 · 8 min · 3540 words · HYH

HackMyVM-Takedown

Nmap

[root@Hacking] /home/kali/Takedown ❯ nmap 192.168.55.138 -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u5 (protocol 2.0)
| ssh-hostkey:
| 3072 51:fb:66:e0:d2:b6:ae:16:a9:d2:74:41:a5:b3:02:2b (RSA)
| 256 93:a0:01:6c:42:cd:26:bf:38:e5:70:fb:b8:c6:b3:fe (ECDSA)
|_ 256 77:c9:ed:41:a5:cb:30:33:08:22:88:f6:a8:28:11:8d (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Cybersecurity Inc - Secure Your Digital World
|_http-server-header: nginx/1.18.0

Add shieldweb.che and ticket.shieldweb.che to /etc/passwd ...

2025-07-31 · 2 min · 645 words · HYH