HTB-Certificate

Box Info
OS: Windows
Difficulty: Hard

Nmap
[root@kali] /home/kali/Certificate ❯ nmap Certificate.htb -sV -A
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Certificate | Your portal for certification
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-01 09:04:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0

Add DC01.certificate.htb to /etc/hosts ...

2025-06-08 · 8 min · 3866 words · HYH

Dockerlabs-ApacheByte

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/ApacheByte ❯ nmap 172.17.0.3 -sV -A -p-
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 1b:a6:6b:55:9c:c7:98:b3:ac:01:00:21:2f:67:9a:3e (ECDSA)
|_  256 68:bd:c1:ad:61:e1:5d:e9:2b:f8:d1:f1:7d:16:fe:4c (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Blog
|_http-server-header: Apache/2.4.58 (Ubuntu)

Change Passwd
On the web side, register any account and go to account.php, where you can upload an avatar or change the password. Avatars can only be uploaded in image formats and are visible under the /uploads/ directory. That gives a path, and note that there is another image in the same directory. Try the password change, replacing numero with that image's name, to change the administrator's password. The administrator's username here is: manager ...

2025-06-06 · 3 min · 1184 words · HYH

Thehackerslabs-Merchan

Nmap
[root@kali] /home/kali/merchan ❯ nmap 192.168.55.77 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 23:07 EDT
Nmap scan report for 192.168.55.77
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 da:68:54:15:39:b8:44:ed:b9:08:4c:59:e5:89:50:08 (ECDSA)
|_  256 b4:7d:98:a8:01:e8:3b:17:43:24:43:39:3a:b4:b8:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://merchan.thl
|_http-server-header: Apache/2.4.62 (Debian)

Feroxbuster
[root@kali] /home/kali/merchan ❯ feroxbuster -u 'http://www.merchan.thl/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://www.merchan.thl/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [js]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      319c http://www.merchan.thl/images => http://www.merchan.thl/images/
200      GET        8l       29w    28898c http://www.merchan.thl/assets/favicon.ico
200      GET      139l      592w    68236c http://www.merchan.thl/images/camiseta.jpg
200      GET        7l       36w      330c http://www.merchan.thl/js/scripts.js
200      GET      186l      943w    74237c http://www.merchan.thl/images/llavero.jpg
200      GET    10826l    22299w   236792c http://www.merchan.thl/css/styles.css
301      GET        9l       28w      319c http://www.merchan.thl/assets => http://www.merchan.thl/assets/
200      GET      563l     3920w   380306c http://www.merchan.thl/images/sudadera.png
200      GET      130l      399w     7235c http://www.merchan.thl/
301      GET        9l       28w      316c http://www.merchan.thl/css => http://www.merchan.thl/css/
301      GET        9l       28w      315c http://www.merchan.thl/js => http://www.merchan.thl/js/
200      GET        1l       15w     1365c http://www.merchan.thl/secret.js
[####################] - 5m   1102751/1102751 0s      found:12      errors:0
[####################] - 5m    220546/220546  740/s   http://www.merchan.thl/
[####################] - 5m    220546/220546  726/s   http://www.merchan.thl/images/
[####################] - 5m    220546/220546  729/s   http://www.merchan.thl/assets/
[####################] - 5m    220546/220546  729/s   http://www.merchan.thl/css/
[####################] - 5m    220546/220546  727/s   http://www.merchan.thl/js/

A secret.js was found ...

2025-06-05 · 3 min · 1029 words · HYH

Dockerlabs-Ofuskeit

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/ofuskeit ❯ nmap 172.17.0.2 -sV -A -p-
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
|   256 f4:1e:4f:80:e4:25:19:87:a5:2b:e5:fe:b3:16:5d:70 (ECDSA)
|_  256 7d:5a:d8:80:54:05:d2:2f:6f:7f:59:26:4f:6f:83:a8 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Servicios de Mantenimiento Inform\xC3\xA1tico
3000/tcp open  http    Node.js Express framework
|_http-title: Error

Dirsearch
[root@kali] /home/kali/ofuskeit ❯ dirsearch -u http://172.17.0.2

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2/

[22:47:24] Scanning:
[22:47:24] 200 -  318B  - /.git
[22:47:31] 200 -    2KB - /index.html
[22:47:31] 301 -  313B  - /javascript  ->  http://172.17.0.2/javascript/
[22:47:33] 301 -  315B  - /node_modules  ->  http://172.17.0.2/node_modules/
[22:47:33] 200 -   14KB - /node_modules/
[22:47:33] 200 -   26KB - /package-lock.json
[22:47:33] 200 -  265B  - /package.json
[22:47:34] 403 -  275B  - /server-status
[22:47:34] 403 -  275B  - /server-status/

Task Completed

Looking at the .git directory yields a user's details ...

2025-06-04 · 3 min · 1015 words · HYH

HackMyVM-Umz

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/Umz ❯ nmap 192.168.55.73 -sV -A -p-
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: cyber fortress 9000
|_http-server-header: Apache/2.4.62 (Debian)

Dirsearch
[root@kali] /home/kali/Umz ❯ dirsearch -u http://192.168.55.73

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.73/

[02:39:29] Scanning:
[02:39:30] 403 -  278B  - /.php
[02:39:38] 200 -    3KB - /index.html
[02:39:38] 200 -    3KB - /index.php
[02:39:38] 200 -    3KB - /index.php/login/
[02:39:43] 403 -  278B  - /server-status/
[02:39:43] 403 -  278B  - /server-status

Task Completed

Request Flood
On index.php you can see that sending too many requests triggers some kind of mechanism ...

2025-06-04 · 3 min · 1426 words · HYH

Thehackerslabs-Hexthink-Silent-Shadow

Nmap
[root@kali] /home/kali/hexthink-silent-shadow ❯ nmap 192.168.55.67 -sV -A -p-
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4d:6e:39:a4:15:86:88:70:c7:9d:09:91:a3:0b:18:8c (ECDSA)
|_  256 f9:21:5d:25:ee:76:05:db:01:3b:45:c9:68:b0:82:9f (ED25519)
80/tcp   open  http        Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.58 (Ubuntu)
3306/tcp open  mysql       MariaDB 5.5.5-10.11.11
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.11.11-MariaDB-0ubuntu0.24.04.2
|   Thread ID: 34
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, ODBCClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: wPg7y~-c,O)~bPI]yfu:
|_  Auth Plugin Name: mysql_native_password
9090/tcp open  zeus-admin?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, WMSRequest, X11Probe, drda, ibm-db2-das, informix:
|_    Protocolo incorrecto. Esto no es HTTP.

Mysql
Opening index.php on port 80 shows that a user ctf_user exists and can log in with a password; try logging in with an empty password ...

2025-06-04 · 2 min · 841 words · HYH

Dockerlabs-Bypassme

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/bypassme ❯ nmap 172.17.0.2 -sV -A -p-
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 b4:a8:42:e7:2b:2f:7a:f9:50:bd:6d:31:8e:36:54:7b (ECDSA)
|_  256 c0:ff:28:31:a3:0b:1a:3d:c3:5f:83:1b:3c:44:28:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Login Panel
|_Requested resource was login.php
|_http-server-header: Apache/2.4.58 (Ubuntu)

Dirsearch
[root@kali] /home/kali/bypassme ❯ dirsearch -u 172.17.0.2

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2/

[10:03:10] Scanning:
[10:03:11] 403 -  275B  - /.php
[10:03:18] 302 -    0B  - /index.php  ->  login.php
[10:03:18] 302 -    0B  - /index.php/login/  ->  login.php
[10:03:18] 200 -    2KB - /login.php
[10:03:18] 403 -  275B  - /logs
[10:03:18] 403 -  275B  - /logs/access_log
[10:03:18] 403 -  275B  - /logs/
[10:03:18] 403 -  275B  - /logs/access.log
[10:03:18] 403 -  275B  - /logs/error.log
[10:03:18] 403 -  275B  - /logs/error_log
[10:03:18] 403 -  275B  - /logs/liferay.log
[10:03:18] 403 -  275B  - /logs/mail.log
[10:03:18] 403 -  275B  - /logs/proxy_error_log
[10:03:18] 403 -  275B  - /logs/proxy_access_ssl_log
[10:03:18] 403 -  275B  - /logs/wsadmin.traceout
[10:03:18] 403 -  275B  - /logs/errors.log
[10:03:18] 403 -  275B  - /logs/www-error.log
[10:03:21] 403 -  275B  - /server-status/
[10:03:21] 403 -  275B  - /server-status

Task Completed

A /logs directory exists but cannot be viewed directly, so back to the login page ...

2025-05-31 · 2 min · 951 words · HYH

Dockerlabs-Pkgpoison

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/pkgpoison ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 03:57 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 2f:87:50:66:15:23:d6:c3:90:3f:ea:8c:a4:4b:b3:ff (RSA)
|   256 d1:35:c1:82:09:e8:c2:c7:cd:98:89:61:c2:6b:14:64 (ECDSA)
|_  256 dd:01:45:ce:bd:a3:05:21:5b:31:4c:2f:df:38:c4:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.41 (Ubuntu)

Feroxbuster
[root@kali] /home/kali/pkgpoison ❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://172.17.0.2/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      308c http://172.17.0.2/notes => http://172.17.0.2/notes/
200      GET        5l       24w      177c http://172.17.0.2/notes/note.txt
200      GET     5094l    30782w  2832734c http://172.17.0.2/index.png
200      GET       26l       51w      589c http://172.17.0.2/
[####################] - 17s   661647/661647  0s          found:4       errors:3422
[####################] - 16s   661638/661638  40447/s     http://172.17.0.2/
[####################] - 0s    661638/661638  330819000/s http://172.17.0.2/notes/ => Directory listing (add --scan-dir-listings to scan)

A note.txt was found ...

2025-05-31 · 2 min · 903 words · HYH

VulnVM-Ghoster

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/ghoster ❯ nmap 192.168.55.65 -sV -A -p-
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
|   256 c5:5f:01:14:c9:d4:fe:8e:9c:01:5f:3a:2c:dd:38:64 (ECDSA)
|_  256 63:25:3e:2b:61:4f:21:86:fa:d9:e5:d5:b6:bd:e8:29 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
8081/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.11.2)
|_http-title: Document Submission Portal
|_http-server-header: Werkzeug/3.1.3 Python/3.11.2

Gobuster
[root@kali] /home/kali/ghoster ❯ gobuster dir -u 'http://192.168.55.65/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.55.65/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 316] [--> http://192.168.55.65/uploads/]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

CVE-2023-36664
Nothing directly exploitable here, so on to port 8081 ...

2025-05-31 · 2 min · 842 words · HYH

VulnVM-Manage

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/manage ❯ nmap 192.168.55.66 -sV -A -p-
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 08:00:27:01:D6:2B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Dirsearch
[root@kali] /home/kali/manage ❯ dirsearch -u 'http://192.168.55.66'

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.66/

[23:33:52] Scanning:
[23:33:53] 403 -  278B  - /.php
[23:33:55] 200 -   11KB - /admin.php
[23:34:01] 200 -   10KB - /index.html
[23:34:05] 403 -  278B  - /server-status/
[23:34:05] 403 -  278B  - /server-status

Task Completed

There seems to be no SQL injection and the login cannot be brute-forced, so now let's look at port 445 ...

2025-05-31 · 3 min · 1278 words · HYH