Cyberstrikelab-Lab1

Fscan

    [root@Hacking] /home/kali/Desktop ❯ ./fscan -h 192.168.10.10 -p 80
    ┌──────────────────────────────────────────────┐
    │ ___ _ │
    │ / _ \ ___ ___ _ __ __ _ ___| | __ │
    │ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
    │ / /_\\_____\__ \ (__| | | (_| | (__| < │
    │ \____/ |___/\___|_| \__,_|\___|_|\_\ │
    └──────────────────────────────────────────────┘
    Fscan Version: 2.0.0
    [2025-07-16 22:41:57] [INFO] 暴力破解线程数: 1
    [2025-07-16 22:41:57] [INFO] 开始信息扫描
    [2025-07-16 22:41:57] [INFO] 最终有效主机数量: 1
    [2025-07-16 22:41:57] [INFO] 开始主机扫描
    [2025-07-16 22:41:57] [INFO] 有效端口数量: 1
    [2025-07-16 22:41:57] [SUCCESS] 端口开放 192.168.10.10:80
    [2025-07-16 22:42:03] [SUCCESS] 服务识别 192.168.10.10:80 => [http]
    [2025-07-16 22:42:03] [INFO] 存活端口数量: 1
    [2025-07-16 22:42:03] [INFO] 开始漏洞扫描
    [2025-07-16 22:42:03] [INFO] 加载的插件: webpoc, webtitle
    [2025-07-16 22:42:04] [SUCCESS] 网站标题 http://192.168.10.10 状态码:200 长度:25157 标题:易优CMS - Powered by Eyoucms.com
    [2025-07-16 22:42:11] [SUCCESS] 目标: http://192.168.10.10:80 漏洞类型: poc-yaml-thinkphp5023-method-rce 漏洞名称: poc1 详细信息: links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
    [2025-07-16 22:42:14] [SUCCESS] 扫描已完成: 2/2

The scan finds a ThinkPHP RCE vulnerability ...

2025-07-17 · 3 min · 1099 words · HYH

Cyberstrikelab-Lab2

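CMS Getshell

fscan found port 808 open on 192.168.10.10, apparently running Qishi CMS (骑士CMS). The login page shows that the version is 4.2.111, and the response messages reveal that the username is admin, so I tried brute-forcing the password and got admin123456. Go to Tools - Style Templates - Available Templates, capture the request, and modify the value of tpl_dir. The webshell then sits at /Application/Home/Conf/config.php. Got the flag in the root directory.

Getting an msf session

Obtaining the NTLM hash

Getting a cs session ...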

2025-07-17 · 2 min · 837 words · HYH

HTB-Outbound

Box Info

OS: Linux
Difficulty: Easy

As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2

Nmap

    [root@Hacking] /home/kali/Outbound ❯ nmap outbound.htb -A
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
    |_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
    80/tcp open http nginx 1.24.0 (Ubuntu)
    |_http-server-header: nginx/1.24.0 (Ubuntu)
    |_http-title: Did not follow redirect to http://mail.outbound.htb/

Add mail.outbound.htb to /etc/hosts ...

2025-07-14 · 3 min · 1271 words · HYH

HTB-Voleur

Box Info

OS: Windows
Difficulty: Medium

As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt

Nmap

    PORT STATE SERVICE VERSION
    53/tcp open domain Simple DNS Plus
    88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-10 17:46:07Z)
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
    445/tcp open microsoft-ds?
    464/tcp open kpasswd5?
    593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
    636/tcp open tcpwrapped
    2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
    |   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
    |_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
    3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
    3269/tcp open tcpwrapped
    5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found

Add dc.voleur.htb to /etc/hosts ...

2025-07-10 · 5 min · 2435 words · HYH

HTB-RustyKey

Box Info

OS: Windows
Difficulty: Hard

As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A

Nmap

    [root@kali] /home/kali/RustyKey ❯ nmap rustykey.htb -A
    PORT STATE SERVICE VERSION
    53/tcp open domain Simple DNS Plus
    88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 13:48:41Z)
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
    445/tcp open microsoft-ds?
    464/tcp open kpasswd5?
    593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
    636/tcp open tcpwrapped
    3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
    3269/tcp open tcpwrapped
    5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found

GetTGT (rr.parker)

The account provided by default cannot be used to authenticate directly ...

2025-07-01 · 7 min · 3364 words · HYH

Dockerlabs-Status

Nmap

    [root@kali] /home/kali/status ❯ nmap 172.17.0.2 -A -p-
    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
    |_http-server-header: Apache/2.4.58 (Ubuntu)
    |_http-title: Web Bunkeriana

Only port 80 is open.

Gobuster

    [root@kali] /home/kali/status ❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
    ===============================================================
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url: http://172.17.0.2
    [+] Method: GET
    [+] Threads: 10
    [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Negative Status codes: 404
    [+] User Agent: gobuster/3.6
    [+] Extensions: php
    [+] Timeout: 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /.php (Status: 403) [Size: 5197]
    /status.php (Status: 403) [Size: 5197]
    /.php (Status: 403) [Size: 5197]
    /server-status (Status: 403) [Size: 5197]
    Progress: 441120 / 441122 (100.00%)
    ===============================================================
    Finished
    ===============================================================

There is a status.php, which returns status code 403. Note that the response headers contain a Statusid of 0; try changing it to 1 ...

2025-06-26 · 2 min · 906 words · HYH

Dockerlabs-Bola

Nmap

    [root@kali] /home/kali/Bola ❯ nmap 172.17.0.2 -sV -A -p-
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
    | ssh-hostkey:
    |   256 4f:3f:8c:fb:88:da:ea:37:d6:9f:c3:bd:f4:8e:18:1b (ECDSA)
    |_  256 2e:a1:36:ff:8b:bb:0d:b3:c8:cb:4a:81:cb:37:77:31 (ED25519)
    12345/tcp open http Werkzeug httpd 2.2.2 (Python 3.11.2)
    |_http-title: Site doesn't have a title (application/json).
    |_http-server-header: Werkzeug/2.2.2 Python/3.11.2

Dirsearch

    [root@kali] /home/kali/Bola ❯ dirsearch -u http://172.17.0.2:12345/
    _|. _ _ _ _ _ _|_ v0.4.3
    (_||| _) (/_(_|| (_| )
    Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
    Target: http://172.17.0.2:12345/
    [10:24:22] Scanning:
    [10:24:29] 400 - 167B - /console
    [10:24:32] 405 - 153B - /login
    [10:24:37] 308 - 245B - /user -> http://172.17.0.2:12345/user/
    [10:24:37] 400 - 54B - /user/
    [10:24:37] 200 - 65B - /user/2
    [10:24:37] 200 - 69B - /user/1
    [10:24:37] 200 - 73B - /user/3
    Task Completed

Many usernames turn up ...

2025-06-24 · 2 min · 645 words · HYH

HTB-Artificial

Nmap

    [root@kali] /home/kali/Artificial ❯ nmap Artificial.htb -sV -A
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
    |   256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
    |_  256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
    80/tcp open http nginx 1.18.0 (Ubuntu)
    |_http-title: Artificial - AI Solutions
    |_http-server-header: nginx/1.18.0 (Ubuntu)

TensorFlow RCE

Register any user, go to the upload page, and obtain requirement.txt and dockerfile ...

2025-06-23 · 3 min · 1297 words · HYH

HackMyVM-Sabulaji

Box Info

OS: Linux
Difficulty: Medium

Nmap

    [root@kali] /home/kali/sabulaji ❯ nmap 192.168.55.88 -sV -A -p-
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
    | ssh-hostkey:
    |   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
    |   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
    |_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
    80/tcp open http Apache httpd 2.4.62 ((Debian))
    |_http-title: epages
    |_http-server-header: Apache/2.4.62 (Debian)
    873/tcp open rsync (protocol version 31)

Dirsearch

    [root@kali] /home/kali/sabulaji ❯ dirsearch -u http://192.168.55.88
    _|. _ _ _ _ _ _|_ v0.4.3
    (_||| _) (/_(_|| (_| )
    Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
    Target: http://192.168.55.88/
    [03:28:14] Scanning:
    [03:28:16] 403 - 278B - /.php
    [03:28:23] 200 - 2KB - /index.html
    [03:28:27] 403 - 278B - /server-status
    [03:28:27] 403 - 278B - /server-status/
    Task Completed

Nothing of value here ...

2025-06-13 · 2 min · 821 words · HYH

HTB-TombWatcher

Box Info

OS: Windows
Difficulty: Medium

As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Nmap

    [root@kali] /home/kali/TombWatcher ❯ nmap TombWatcher.htb -sV -A
    PORT STATE SERVICE VERSION
    53/tcp open domain Simple DNS Plus
    80/tcp open http Microsoft IIS httpd 10.0
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-title: IIS Windows Server
    88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-08 15:48:25Z)
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Not valid before: 2024-11-16T00:47:59
    |_Not valid after: 2025-11-16T00:47:59
    445/tcp open microsoft-ds?
    464/tcp open kpasswd5?
    593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
    636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Not valid before: 2024-11-16T00:47:59
    |_Not valid after: 2025-11-16T00:47:59
    3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Not valid before: 2024-11-16T00:47:59
    |_Not valid after: 2025-11-16T00:47:59
    5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found

Add DC01.tombwatcher.htb to /etc/hosts ...

2025-06-13 · 6 min · 2647 words · HYH