Dockerlabs-Gallery

Box Info
OS: Linux
Difficulty: Hard
Nmap
[root@kali] /home/kali/Gallery ❯ nmap 172.17.0.3 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 19:95:1a:f2:f6:7a:a1:f1:ba:16:4b:58:a0:59:f2:02 (ECDSA)
|_ 256 e7:e9:8f:b8:db:94:c2:68:11:4c:25:81:f1:ac:cd:ac (ED25519)
80/tcp open http PHP cli server 5.5 or later (PHP 8.3.6)
|_http-title: Galer\xC3\xADa de Arte Digital
Feroxbuster
[root@kali] /home/kali/Gallery ❯ feroxbuster -u 'http://172.17.0.3/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯 Target Url │ http://172.17.0.3/
 🚀 Threads │ 50
 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌 Status Codes │ All Status Codes!
 💥 Timeout (secs) │ 7
 🦡 User-Agent │ feroxbuster/2.11.0
 💉 Config File │ /etc/feroxbuster/ferox-config.toml
 🔎 Extract Links │ true
 💲 Extensions │ [php, txt]
 🏁 HTTP methods │ [GET]
 🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
 🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 29l 83w 1478c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 7l 57w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 266l 543w 5288c http://172.17.0.3/style.css
200 GET 28l 63w 1104c http://172.17.0.3/login.php
200 GET 0l 0w 0c http://172.17.0.3/config.php
302 GET 0l 0w 0c http://172.17.0.3/dashboard.php => login.php
SQL Injection
There is an injection point in the username field ...

2025-04-26 · 4 min · 1551 words · HYH

Dockerlabs-Bicho

Box Info
OS: Linux
Difficulty: Easy
Nmap
[root@kali] /home/kali/bicho ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 09:26 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000089s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Did not follow redirect to http://bicho.dl
|_http-server-header: Apache/2.4.58 (Ubuntu)
Add bicho.dl to **/etc/hosts** ...

2025-04-25 · 4 min · 1577 words · HYH

Dockerlabs-stackinferno

Box Info
OS: Linux
Difficulty: Medium
The privilege escalation part is an unintended solution
Nmap
[root@kali] /home/kali/stackinferno ❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 88:00:5f:26:eb:50:e4:55:6d:0a:0c:73:58:99:cd:2d (ECDSA)
|_ 256 6b:36:5c:a3:c0:8b:22:b7:35:11:86:f1:7e:7f:77:5b (ED25519)
80/tcp open http Werkzeug/2.2.2 Python/3.11.2
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.11.2
| Date: Wed, 16 Apr 2025 03:01:23 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 223
| Location: http://cybersec.dl
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://cybersec.dl">http://cybersec.dl</a>. If not, click the link.
| GetRequest, HTTPOptions:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.11.2
| Date: Wed, 16 Apr 2025 03:01:18 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 223
| Location: http://cybersec.dl
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://cybersec.dl">http://cybersec.dl</a>. If not, click the link.
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
|_http-title: CyberSec Corp - Expertos en Ciberseguridad
Add the domain: cybersec.dl ...

2025-04-17 · 10 min · 4980 words · HYH

Dockerlabs-ChocoPing

Box Info
OS: Linux
Difficulty: Medium
Nmap
[root@kali] /home/kali/Chocoping ❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62
|_http-title: Index of /
|_http-server-header: Apache/2.4.62 (Debian)
| http-ls: Volume /
| SIZE TIME FILENAME
| 1.0K 2025-04-05 11:13 ping.php
Own www-data
Note that an ip parameter can be passed in to run the ping command.
Below I will use two scanning tools for comparison ...

2025-04-15 · 2 min · 730 words · HYH

Dockerlabs-WalkingDead

The Walking Dead (known in Chinese as 《行尸走肉》) is an American TV series that ran for more than ten years. I have watched all of it, and since there happens to be a box with this name, I definitely have to give it a go.
Box Info
OS: Linux
Difficulty: Easy
Nmap
[root@kali] /home/kali ❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0d:09:9d:0f:dc:43:54:cd:39:a9:e2:d6:81:74:40:e8 (RSA)
| 256 09:d0:f6:52:00:3f:21:51:19:b1:c6:7a:f4:ff:21:01 (ECDSA)
|_ 256 19:e0:b3:72:bd:e9:1e:8d:4c:c4:fd:1f:da:3f:a5:cf (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Walking Dead - CTF
Visiting the web page reveals a hidden shell.php ...

2025-04-08 · 1 min · 450 words · HYH

Dockerlabs-predictable

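Box Info
OS: Linux
Difficulty: Hard
Nmap
For some reason the scan was very slow, so I kept it brief here
[root@kali] /home/kali/predictable ❯ nmap 172.17.0.2 -p-
PORT STATE SERVICE
22/tcp open ssh
1111/tcp open lmsocialserver
Crack Number
Visiting port 1111, the page source gives some information.
It appears to be the generation logic for this list of random numbers ...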

2025-03-04 · 5 min · 2488 words · HYH

Dockerlabs-Crackoff

Box Info
OS: Linux
Difficulty: Hard
Nmap
[root@kali] /home/kali/crackoff ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 21:28 CST
Nmap scan report for sitio.dl (172.17.0.2)
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3d:fc:bd:41:cb:81:e8:cd:a2:58:5a:78:68:2b:a3:04 (ECDSA)
|_ 256 d8:5a:63:27:60:35:20:30:a9:ec:25:36:9e:50:06:8d (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: CrackOff - Bienvenido
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.10 ms sitio.dl (172.17.0.2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds
Gobuster
[root@kali] /home/kali/crackoff ❯ gobuster dir -u http://172.17.0.2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 275]
/index.php (Status: 200) [Size: 2974]
/login.php (Status: 200) [Size: 3968]
/welcome.php (Status: 200) [Size: 2800]
/db.php (Status: 302) [Size: 75] [--> error.php]
/error.php (Status: 200) [Size: 2705]
/.php (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
SQL Injection
Going to login.php, the username field turns out to have a SQL injection vulnerability, closed with a single quote ...

2025-03-01 · 2 min · 939 words · HYH

Dockerlabs-r00tless

Box Info
OS: Linux
Difficulty: Hard
Nmap
[root@kali] /home/kali/r00tless ❯ nmap 172.18.0.2 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-01 11:27 CST
Nmap scan report for 172.18.0.2
Host is up (0.000092s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 fa:7b:d3:96:f6:83:bb:bd:24:86:b4:a8:f6:59:c3:62 (ECDSA)
|_ 256 29:49:38:ae:44:75:d8:88:2a:b6:98:55:00:bd:24:76 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Subir Archivo
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 02:42:AC:12:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-03-01T03:27:48
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.09 ms 172.18.0.2
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.77 seconds
Gobuster
[root@kali] /home/kali/r00tless ❯ gobuster dir -u http://172.18.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.18.0.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 275]
/index.html (Status: 200) [Size: 2410]
/.php (Status: 403) [Size: 275]
/upload.php (Status: 200) [Size: 56]
/readme.txt (Status: 200) [Size: 78]
/.php (Status: 403) [Size: 275]
/.html (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
Own
passsamba ...

2025-03-01 · 2 min · 987 words · HYH

Dockerlabs-Inclusion

Box Info
OS: Linux
Difficulty: Medium
Nmap
[root@kali] /home/kali/Inclusion ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 20:33 CST
Nmap scan report for sitio.dl (172.17.0.2)
Host is up (0.000081s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 03:cf:72:54:de:54:ae:cd:2a:16:58:6b:8a:f5:52:dc (ECDSA)
|_ 256 13:bb:c2:12:f5:97:30:a1:49:c7:f9:d0:ba:d0:5e:f7 (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.08 ms sitio.dl (172.17.0.2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds
Gobuster
[root@kali] /home/kali/Inclusion ❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 275]
/shop (Status: 301) [Size: 307] [--> http://172.17.0.2/shop/]
/.php (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
Scan **/shop** next ...

2025-02-28 · 2 min · 782 words · HYH

Dockerlabs-Sites

Box Info
OS: Linux
Difficulty: Medium
Nmap
[root@kali] /home/kali/sites ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 20:05 CST
Nmap scan report for 172.17.0.2
Host is up (0.000077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 cb:8f:50:db:6d:d8:d4:ac:bf:54:b0:62:12:7c:f0:01 (ECDSA)
|_ 256 ca:6b:c7:0c:2a:d6:0e:3e:ff:c4:6e:61:ac:35:db:01 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Configuraci\xC3\xB3n de Apache y Seguridad en Sitios Web
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.08 ms 172.17.0.2
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.63 seconds
Gobuster
[root@kali] /home/kali/sites ❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/vulnerable.php (Status: 200) [Size: 37]
/server-status (Status: 403) [Size: 275]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
ReadAnyFiles ...

2025-02-28 · 2 min · 589 words · HYH