HackMyVM-Atom

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali/atom ❯ nmap 192.168.55.12 -sV -A -p-

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
    | ssh-hostkey:
    |   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
    |_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)

Only port 22 is open? Interesting. Let's scan the UDP ports.

    [root@kali] /home/kali/atom ❯ nmap 192.168.55.12 -sU --top-ports 100 ⏎

    PORT    STATE SERVICE
    623/udp open  asf-rmcp

IPMI

IPMI (Intelligent Platform Management Interface) works across different operating systems, firmware and hardware platforms. It can intelligently monitor, control and automatically report the operating status of large numbers of servers, in order to reduce server system costs. ...

April 22, 2025 · 3 min · 1075 words · HYH

HackMyVM-HackingToys

Box Info

OS: Linux
Difficulty: Medium

Nmap

    [root@kali] /home/kali/hackingtoys ❯ nmap 192.168.55.10 -sV -A -p-

    PORT     STATE SERVICE  VERSION
    22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
    | ssh-hostkey:
    |   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
    |_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
    3000/tcp open  ssl/ppp?
    |_ssl-date: TLS randomness does not represent time
    | ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=FR
    | Not valid before: 2024-05-20T15:36:20
    |_Not valid after: 2038-01-27T15:36:20
    | fingerprint-strings:
    |   GenericLines:
    |     HTTP/1.0 400 Bad Request
    |     Content-Length: 930
    |     Puma caught this error: Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma? (Puma::HttpParserError)
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/client.rb:268:in `execute'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/client.rb:268:in `try_to_finish'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/server.rb:298:in `reactor_wakeup'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/server.rb:248:in `block in run'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:119:in `wakeup!'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `block in select_loop'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `select'
    |     /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `select_loop'
    |     /usr/loc
    |   GetRequest:
    |     HTTP/1.0 403 Forbidden
    |     content-type: text/html; charset=UTF-8
    |     Content-Length: 5702
    |     <!DOCTYPE html>
    |     <html lang="en">
    |     <head>
    |     <meta charset="utf-8" />
    |     <meta name="viewport" content="width=device-width, initial-scale=1">
    |     <meta name="turbo-visit-control" content="reload">
    |     <title>Action Controller: Exception caught</title>
    |     <style>
    |     body {
    |     background-color: #FAFAFA;
    |     color: #333;
    |     color-scheme: light dark;
    |     supported-color-schemes: light dark;
    |     margin: 0px;
    |     body, p, ol, ul, td {
    |     font-family: helvetica, verdana, arial, sans-serif;
    |     font-size: 13px;
    |     line-height: 18px;
    |     font-size: 11px;
    |     white-space: pre-wrap;
    |     pre.box {
    |     border: 1px solid #EEE;
    |     padding: 10px;
    |     margin: 0px;
    |     width: 958px;
    |     header {
    |     color: #F0F0F0;
    |     background: #C00;
    |_    padding:

Looking at the service on port 3000, it is Ruby on Rails ...

April 21, 2025 · 2 min · 795 words · HYH

HackMyVM-Pwned

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali ❯ nmap 192.168.56.158 -sV -A -p-

    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
    |   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
    |_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Pwned....!!

Feroxbuster

    [root@kali] /home/kali/pwned ❯ feroxbuster -u http://192.168.55.6/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x php,txt

     ___  ___  __   __     __      __         __   ___
    |__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
    |    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
    by Ben "epi" Risher 🤓                 ver: 2.11.0
    ───────────────────────────┬──────────────────────
     🎯  Target Url            │ http://192.168.55.6/
     🚀  Threads               │ 50
     📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
     👌  Status Codes          │ All Status Codes!
     💥  Timeout (secs)        │ 7
     🦡  User-Agent            │ feroxbuster/2.11.0
     💉  Config File           │ /etc/feroxbuster/ferox-config.toml
     🔎  Extract Links         │ true
     💲  Extensions            │ [php, txt]
     🏁  HTTP methods          │ [GET]
     🔃  Recursion Depth       │ 4
    ───────────────────────────┴──────────────────────
     🏁  Press [ENTER] to use the Scan Management Menu™
    ──────────────────────────────────────────────────
    404      GET        9l       31w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
    403      GET        9l       28w      277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
    200      GET       16l       27w      194c http://192.168.55.6/nothing/nothing.html
    200      GET       75l      191w     3065c http://192.168.55.6/
    200      GET        4l        7w       41c http://192.168.55.6/robots.txt
    301      GET        9l       28w      314c http://192.168.55.6/nothing => http://192.168.55.6/nothing/
    301      GET        9l       28w      318c http://192.168.55.6/hidden_text => http://192.168.55.6/hidden_text/
    200      GET       22l       21w      211c http://192.168.55.6/hidden_text/secret.dic

Download this dic to use as the scan wordlist ...

April 20, 2025 · 3 min · 1368 words · HYH

HackMyVM-Gift

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali ❯ nmap 192.168.56.157 -sV -A -p-

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
    | ssh-hostkey:
    |   3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
    |   256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
    |_  256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
    80/tcp open  http    nginx
    |_http-title: Site doesn't have a title (text/html).

Directory scanning failed.

    [root@kali] /home/kali ❯ curl "http://192.168.56.157/" -v
    *   Trying 192.168.56.157:80...
    * Connected to 192.168.56.157 (192.168.56.157) port 80
    * using HTTP/1.x
    > GET / HTTP/1.1
    > Host: 192.168.56.157
    > User-Agent: curl/8.12.1
    > Accept: */*
    >
    * Request completely sent off
    < HTTP/1.1 200 OK
    < Server: nginx
    < Date: Sat, 19 Apr 2025 06:42:57 GMT
    < Content-Type: text/html
    < Content-Length: 57
    < Last-Modified: Sun, 20 Sep 2020 16:29:39 GMT
    < Connection: keep-alive
    < ETag: "5f678373-39"
    < Accept-Ranges: bytes
    <
    Dont Overthink. Really, Its simple.
    <!-- Trust me -->
    * Connection #0 to host 192.168.56.157 left intact

Hydra to ssh

Try a brute-force login using simple ...

April 19, 2025 · 1 min · 367 words · HYH

HackMyVM-buster

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali ❯ nmap 192.168.56.151 -sV -A

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
    |   256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
    |_  256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
    80/tcp open  http    nginx 1.14.2
    | http-robots.txt: 1 disallowed entry
    |_/wp-admin/
    |_http-server-header: nginx/1.14.2
    |_http-generator: WordPress 6.7.1
    |_http-title: bammmmuwe

The scan found the WordPress directory right away ...

April 17, 2025 · 2 min · 755 words · HYH

HackMyVM-jan

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali ❯ nmap 192.168.56.144 -p-

    PORT     STATE SERVICE
    22/tcp   open  ssh
    8080/tcp open  http-proxy

Gobuster

    [root@kali] /home/kali ❯ gobuster dir -u http://192.168.56.144:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt --exclude-length 45
    ===============================================================
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.56.144:8080/
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] Exclude Length:          45
    [+] User Agent:              gobuster/3.6
    [+] Extensions:              php,html,txt
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /redirect             (Status: 400) [Size: 24]
    /robots.txt           (Status: 200) [Size: 16]
    Progress: 97322 / 882244 (11.03%)^C
    [!] Keyboard interrupt detected, terminating.
    Progress: 100724 / 882244 (11.42%)
    ===============================================================
    Finished
    ===============================================================

Found a **/redirect** route, and it requires a **url** parameter ...

April 9, 2025 · 1 min · 398 words · HYH

HackMyVM-Todd

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali/Todd ❯ nmap 192.168.56.137 -sV -A -p-

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
    |   256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
    |_  256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
    80/tcp open  http    Apache httpd 2.4.59 ((Debian))
    |_http-title: Mindful Listening
    |_http-server-header: Apache/2.4.59 (Debian)

The page has no usable information.

Running Nmap again then showed several additional ports ...

April 2, 2025 · 4 min · 1781 words · HYH

HackMyVM-KrustyKrab

Box Info

OS: Linux
Difficulty: Easy

Nmap

    [root@kali] /home/kali ❯ nmap 192.168.56.131 -sV -A -p-

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
    | ssh-hostkey:
    |   256 f6:91:6b:ad:ea:ad:1d:b9:44:09:d8:74:a3:02:38:35 (ECDSA)
    |_  256 b6:66:2f:f0:4c:26:7f:7d:14:ea:b3:62:09:64:a7:94 (ED25519)
    80/tcp open  http    Apache httpd 2.4.62 ((Debian))
    |_http-title: Apache2 Ubuntu Default Page: It works
    |_http-server-header: Apache/2.4.62 (Debian)

Visiting port 80 shows an Apache default page ...

March 27, 2025 · 4 min · 1973 words · HYH

HackMyVM-SingDanceRap

Box Info

OS: Linux
Difficulty: Hard

Nmap

    [root@kali] /home/kali ❯ nmap 192.168.56.116 -sV -A -p-

    PORT      STATE    SERVICE VERSION
    22/tcp    open     ssh     OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 5d:41:2a:c1:2d:3b:6c:78:b3:af:ae:9d:42:fe:88:b8 (RSA)
    |   256 3c:e9:64:eb:84:fe:5c:83:94:07:27:6c:12:14:c8:4c (ECDSA)
    |_  256 09:9b:2b:18:de:6c:6d:f8:8b:15:df:6c:0f:c0:7c:b2 (ED25519)
    80/tcp    open     http    Apache httpd 2.4.59 ((Debian))
    |_http-server-header: Apache/2.4.59 (Debian)
    |_http-title: News Website
    65000/tcp filtered unknown

Gobuster

    [root@kali] /home/kali ❯ gobuster dir -u http://192.168.56.116/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt
    ===============================================================
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.56.116/
    [+] Method:                  GET
    [+] Threads:                 50
    [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.6
    [+] Extensions:              php,html,txt
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /.php                 (Status: 403) [Size: 279]
    /index.html           (Status: 200) [Size: 3118]
    /news.php             (Status: 200) [Size: 1301]
    /.html                (Status: 403) [Size: 279]
    /.php                 (Status: 403) [Size: 279]
    /.html                (Status: 403) [Size: 279]
    /littlesecrets        (Status: 301) [Size: 324] [--> http://192.168.56.116/littlesecrets/]
    /server-status        (Status: 403) [Size: 279]
    Progress: 882240 / 882244 (100.00%)
    ===============================================================
    Finished
    ===============================================================

Scan again, this time against **/littlesecrets** ...

March 12, 2025 · 5 min · 2360 words · HYH

HackMyVM-Matrioshka

Box Info

OS: Linux
Difficulty: Medium

Nmap

    [root@kali] /home/kali/Matrioshka ❯ nmap 192.168.56.108 -sV -A -p- -T4

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
    | ssh-hostkey:
    |   256 b5:a4:7c:65:5c:1f:d7:89:42:bd:76:df:2c:8e:93:4e (ECDSA)
    |_  256 5d:3d:2b:43:fc:89:fa:24:a3:f4:73:5f:7b:89:6c:e3 (ED25519)
    80/tcp open  http    Apache httpd 2.4.61 ((Debian))
    |_http-server-header: Apache/2.4.61 (Debian)
    |_http-title: mamushka
    MAC Address: 08:00:27:D5:7C:4C (Oracle VirtualBox virtual NIC)
    Device type: general purpose
    Running: Linux 5.X
    OS CPE: cpe:/o:linux:linux_kernel:5
    OS details: Linux 5.0 - 5.5
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add mamushka.hmv to **/etc/hosts** ...

March 10, 2025 · 6 min · 2595 words · HYH