Dockerlabs-WalkingDead

《The Walking Dead》又叫做《行尸走肉》,是一部更了十多年的美剧,我是全部看完了的,刚好有这个靶机,那么肯定得打一下。 Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 0d:09:9d:0f:dc:43:54:cd:39:a9:e2:d6:81:74:40:e8 (RSA) | 256 09:d0:f6:52:00:3f:21:51:19:b1:c6:7a:f4:ff:21:01 (ECDSA) |_ 256 19:e0:b3:72:bd:e9:1e:8d:4c:c4:fd:1f:da:3f:a5:cf (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: The Walking Dead - CTF 访问网页,发现有一个隐藏的shell.php ...

2025年04月08日 · 1 分钟 · 450 字 · HYH

Thehackerslabs-Black Gold

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap 192.168.56.10 -sV -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Neptune 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-08 07:26:35Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 53459/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 53460/tcp open msrpc Microsoft Windows RPC 53470/tcp open msrpc Microsoft Windows RPC 53479/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:37:4E:C0 (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%) OS CPE: cpe:/o:microsoft:windows_server_2016 Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-04-08T07:27:27 |_ start_date: N/A |_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:37:4e:c0 (Oracle VirtualBox virtual NIC) | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required 修改**/etc/hosts** ...

2025年04月08日 · 3 分钟 · 1464 字 · HYH

VulNyx-Matrix

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Matrix ❯ nmap 192.168.56.141 -sV -A -p- 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) | ssh-hostkey: | 256 67:78:c9:d2:e3:ff:be:fc:9e:13:9a:af:9d:59:17:66 (ECDSA) |_ 256 1a:78:b1:e6:f1:f0:d1:b3:ab:c8:3f:95:fd:46:52:67 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: Enter The Matrix Gobuster [root@kali] /home/kali/Matrix ❯ gobuster dir -u http://192.168.56.141/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .pcap =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.141/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: pcap [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /trinity.pcap (Status: 200) [Size: 146389] /server-status (Status: 403) [Size: 279] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== Exiftool 进行流量分析 ...

2025年04月08日 · 2 分钟 · 767 字 · HYH

Thehackerslabs-B.I.G

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap 192.168.212.4 -sV -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Site doesn't have a title (text/html). |_http-server-header: Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-05 23:20:54Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49686/tcp open msrpc Microsoft Windows RPC 57043/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:29:23:16 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 2016 OS CPE: cpe:/o:microsoft:windows_server_2016 OS details: Microsoft Windows Server 2016 build 10586 - 14393 Network Distance: 1 hop Service Info: Host: BIG; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 15h54m38s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_nbstat: NetBIOS name: BIG, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:29:23:16 (Oracle VirtualBox virtual NIC) | smb2-time: | date: 2025-04-05T23:21:49 |_ start_date: 2025-04-05T19:55:29 将bbr.thl添加到**/etc/hosts** ...

2025年04月05日 · 3 分钟 · 1481 字 · HYH

HackMyVM-Todd

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Todd ❯ nmap 192.168.56.137 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA) | 256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA) |_ 256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519) 80/tcp open http Apache httpd 2.4.59 ((Debian)) |_http-title: Mindful Listening |_http-server-header: Apache/2.4.59 (Debian) 页面没有任何可以用的信息 然后再次进行Nmap,发现多了几个端口 ...

2025年04月02日 · 4 分钟 · 1781 字 · HYH

VulnVM-Search

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Search ❯ nmap 192.168.56.136 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 39:0d:70:e0:55:cb:20:de:ad:f7:10:d8:1f:76:4d:9d (ECDSA) |_ 256 df:e2:94:52:e9:3d:eb:69:2d:b4:a5:a9:2c:3e:63:46 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: Apache2 Debian Default Page: It works 得到用户名是support ...

2025年04月02日 · 2 分钟 · 674 字 · HYH

HTB-Haze

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap Haze.htb -sV -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 |_ssl-date: TLS randomness does not represent time 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 |_ssl-date: TLS randomness does not represent time 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 8000/tcp open http Splunkd httpd | http-title: Site doesn't have a title (text/html; charset=UTF-8). |_Requested resource was http://Haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F |_http-server-header: Splunkd | http-robots.txt: 1 disallowed entry |_/ 8088/tcp open ssl/http Splunkd httpd |_http-server-header: Splunkd |_http-title: 404 Not Found | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2025-03-05T07:29:08 |_Not valid after: 2028-03-04T07:29:08 | http-robots.txt: 1 disallowed entry |_/ 8089/tcp open ssl/http Splunkd httpd |_http-title: splunkd | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2025-03-05T07:29:08 |_Not valid after: 2028-03-04T07:29:08 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Splunkd dc01.haze.htb添加到**/etc/hosts** ...

2025年03月31日 · 8 分钟 · 3673 字 · HYH

HackMyVM-KrustyKrab

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.56.131 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0) | ssh-hostkey: | 256 f6:91:6b:ad:ea:ad:1d:b9:44:09:d8:74:a3:02:38:35 (ECDSA) |_ 256 b6:66:2f:f0:4c:26:7f:7d:14:ea:b3:62:09:64:a7:94 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.62 (Debian) 进入80端口查看,是一个apache默认页 ...

2025年03月27日 · 4 分钟 · 1973 字 · HYH

HTB-Code

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Code ❯ nmap code.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA) | 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA) |_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519) 5000/tcp open http Gunicorn 20.0.4 |_http-title: Python Code Editor |_http-server-header: gunicorn/20.0.4 Own www-data SSTI 注入 - Hello CTF 进入到5000端口是一个python代码执行窗口 ...

2025年03月23日 · 2 分钟 · 742 字 · HYH

HTB-Strutted

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Strutted ❯ nmap strutted.htb -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) CVE-2024-53677 存在一个Download路由可以下载到网站源码 查看pom.xml发现使用的是struts2 6.3.0.1 ...

2025年03月22日 · 2 分钟 · 603 字 · HYH