HTB-Facts

Nmap
[/home/kali/Facts]$ nmap facts.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp open  http    nginx 1.26.3 (Ubuntu)
|_http-title: facts
|_http-server-header: nginx/1.26.3 (Ubuntu)

Camaleon CMS
A directory scan turns up /admin.
[/home/kali/Facts]$ feroxbuster -u 'http://facts.htb/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
by Ben "epi" Risher 🤓 ver: 2.11.0
🎯 Target Url             │ http://facts.htb/
🚀 Threads                │ 50
📖 Wordlist               │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes           │ All Status Codes!
💥 Timeout (secs)         │ 7
🦡 User-Agent             │ feroxbuster/2.11.0
💉 Config File            │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links          │ true
🏁 HTTP methods           │ [GET]
🔃 Recursion Depth        │ 4
🎉 New Version Available  │ https://github.com/epi052/feroxbuster/releases/latest
🏁 Press [ENTER] to use the Scan Management Menu™
200 GET 124l 552w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 121l 443w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 69l 448w 30396c http://facts.htb/randomfacts/logopage2.png
200 GET 129l 132w 3508c http://facts.htb/sitemap
200 GET 8l 11w 183c http://facts.htb/rss
200 GET 66l 519w 44082c http://facts.htb/randomfacts/primary-question-mark.png
404 GET 2l 9w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c http://facts.htb/randomfacts/
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/css
200 GET 271l 1166w 19187c http://facts.htb/search
200 GET 160l 773w 15365c http://facts.htb/finland-happiest
200 GET 172l 920w 19730c http://facts.htb/animal-ejected
200 GET 172l 913w 19727c http://facts.htb/first-impressions
200 GET 178l 965w 21754c http://facts.htb/dolphin-fact
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/
200 GET 166l 833w 17324c http://facts.htb/anne-frank
200 GET 160l 721w 15004c http://facts.htb/animal-sweat
200 GET 160l 733w 14975c http://facts.htb/cute-animals
200 GET 172l 925w 19677c http://facts.htb/dark-chocolate
200 GET 64l 988w 206540c http://facts.htb/assets/camaleon_cms/image-not-found-fc3c0e66dc61abf74010e63ef65a2e23c4cb40a3320408f2711f82fdc22b503f.png
200 GET 172l 889w 19556c http://facts.htb/cats-attachment
200 GET 8l 2294w 169312c http://facts.htb/assets/themes/camaleon_first/assets/css/main-41052d2acf5add707cadf8d1c12a89a9daca83fb8178fdd5c9105dc6c566d25d.css
200 GET 9958l 40904w 330571c http://facts.htb/assets/themes/camaleon_first/assets/js/main-2d9adb006939c9873a62dff797c5fc28dff961487a2bb550824c5bc6b8dbb881.js
200 GET 281l 1177w 19593c http://facts.htb/page
302 GET 0l 0w 0c http://facts.htb/admin => http://facts.htb/admin/login
Then register an arbitrary account.
After logging into the backend, the exact CMS version is visible.
Open the profile edit page and change the password.
Intercept that request and add the part shown in the figure ...

2026-02-04 · 3 min · 1184 words · HYH

HTB-Expressway

Nmap
[root@Hacking] /home/kali/expressway ❯ nmap expressway.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It looks like the only open TCP port is 22 (SSH), so the next step is to scan the UDP ports ...

2025-09-28 · 2 min · 993 words · HYH

HTB-HackNeT

Nmap
[root@Hacking] /home/kali/hacknet ❯ nmap hacknet.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA)
|_  256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: HackNet - social network for hackers
The technology stack shows the site is built on Django.

Django
Register an arbitrary user and log in; the available actions are: ...

2025-09-16 · 4 min · 1782 words · HYH

HTB-Soulmate

Nmap
[root@Hacking] /home/kali/soulmate ❯ nmap soulmate.htb -A
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http      nginx 1.18.0 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Soulmate - Find Your Perfect Match
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open  http-alt?
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirsearch
[root@Hacking] /home/kali/soulmate ❯ dirsearch -u 'http://soulmate.htb'
dirsearch v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://soulmate.htb/
[21:15:09] Scanning:
[21:15:24] 301 - 178B - /assets -> http://soulmate.htb/assets/
[21:15:24] 403 - 564B - /assets/
[21:15:28] 302 - 0B - /dashboard.php -> /login
[21:15:33] 200 - 16KB - /index.php
[21:15:35] 200 - 8KB - /login.php
[21:15:35] 302 - 0B - /logout.php -> login.php
[21:15:40] 302 - 0B - /profile.php -> /login
[21:15:41] 200 - 11KB - /register.php
[21:15:42] 301 - 178B - /shell -> http://soulmate.htb/shell/
[21:15:42] 403 - 564B - /shell/
Task Completed

Subdomain Fuzz
[root@Hacking] /home/kali/soulmate ❯ ffuf -u 'http://soulmate.htb/' -H 'Host: FUZZ.soulmate.htb' -w /usr/share/fuzzDicts/subdomainDicts/main.txt -fw 4
ffuf v2.1.0-dev
 :: Method           : GET
 :: URL              : http://soulmate.htb/
 :: Wordlist         : FUZZ: /usr/share/fuzzDicts/subdomainDicts/main.txt
 :: Header           : Host: FUZZ.soulmate.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 4
ftp [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 209ms]

CrashFTP
Found one that works ...

2025-09-10 · 3 min · 1364 words · HYH

HTB-Guardian

Box Info
OS: Linux
Difficulty: Hard

Nmap
[root@Hacking] /home/kali/Guardian ❯ nmap guardian.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 9c:69:53:e1:38:3b:de:cd:42:0a:c8:6b:f8:95:b3:62 (ECDSA)
|_  256 3c:aa:b9:be:17:2d:5e:99:cc:ff:e1:91:90:38:b7:39 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Guardian University - Empowering Future Leaders
|_http-server-header: Apache/2.4.52 (Ubuntu)

Portal
The subdomain portal.guardian.htb was found in the page source ...

2025-09-02 · 8 min · 3898 words · HYH

HTB-Previous

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@Hacking] /home/kali ❯ nmap previous.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: PreviousJS
|_http-server-header: nginx/1.18.0 (Ubuntu)

Dirsearch
[root@Hacking] /home/kali ❯ dirsearch -u http://previous.htb
dirsearch v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://previous.htb/
[10:42:11] Scanning:
[10:42:44] 307 - 40B - /api.json -> /api/auth/signin?callbackUrl=%2Fapi.json
[10:42:44] 307 - 39B - /api.php -> /api/auth/signin?callbackUrl=%2Fapi.php
[10:42:44] 307 - 40B - /api-docs -> /api/auth/signin?callbackUrl=%2Fapi-docs
[10:42:44] 307 - 35B - /api -> /api/auth/signin?callbackUrl=%2Fapi
[10:42:44] 307 - 39B - /api-doc -> /api/auth/signin?callbackUrl=%2Fapi-doc
[10:42:44] 307 - 39B - /api.log -> /api/auth/signin?callbackUrl=%2Fapi.log
[10:42:44] 307 - 60B - /api/2/issue/createmeta -> /api/auth/signin?callbackUrl=%2Fapi%2F2%2Fissue%2Fcreatemeta
[10:42:44] 307 - 38B - /api.py -> /api/auth/signin?callbackUrl=%2Fapi.py
[10:42:44] 307 - 41B - /api/api -> /api/auth/signin?callbackUrl=%2Fapi%2Fapi
[10:42:44] 307 - 46B - /api/api-docs -> /api/auth/signin?callbackUrl=%2Fapi%2Fapi-docs
[10:42:44] 307 - 52B - /api/cask/graphql -> /api/auth/signin?callbackUrl=%2Fapi%2Fcask%2Fgraphql
[10:42:44] 307 - 45B - /api/apidocs -> /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs
[10:42:44] 307 - 49B - /api/config.json -> /api/auth/signin?callbackUrl=%2Fapi%2Fconfig.json
[10:42:44] 307 - 60B - /api/apidocs/swagger.json -> /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs%2Fswagger.json
[10:42:44] 307 - 43B - /api/batch -> /api/auth/signin?callbackUrl=%2Fapi%2Fbatch
[10:42:44] 307 - 54B - /api/application.wadl -> /api/auth/signin?callbackUrl=%2Fapi%2Fapplication.wadl
[10:42:44] 307 - 44B - /api/config -> /api/auth/signin?callbackUrl=%2Fapi%2Fconfig
<skip>
Opening the site shows the PreviousJS landing page; clicking Get Started leads to the login page ...

2025-08-28 · 6 min · 2634 words · HYH

HTB-CodeTwo

Nmap
[root@Hacking] /home/kali/CodeTwo ❯ nmap codetwo.htb -A
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA)
|   256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA)
|_  256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open  http    Gunicorn 20.0.4
|_http-title: Welcome to CodeTwo
|_http-server-header: gunicorn/20.0.4
Device type: general purpose

CVE-2024-28397
A /download route is available that serves the application source code:

    from flask import Flask, render_template, request, redirect, url_for, session, jsonify, send_from_directory
    from flask_sqlalchemy import SQLAlchemy
    import hashlib
    import js2py
    import os
    import json

    js2py.disable_pyimport()
    app = Flask(__name__)
    app.secret_key = 'S3cr3tK3yC0d3Tw0'
    app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
    app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
    db = SQLAlchemy(app)

    class User(db.Model):
        id = db.Column(db.Integer, primary_key=True)
        username = db.Column(db.String(80), unique=True, nullable=False)
        password_hash = db.Column(db.String(128), nullable=False)

    class CodeSnippet(db.Model):
        id = db.Column(db.Integer, primary_key=True)
        user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)
        code = db.Column(db.Text, nullable=False)

    @app.route('/')
    def index():
        return render_template('index.html')

    @app.route('/dashboard')
    def dashboard():
        if 'user_id' in session:
            user_codes = CodeSnippet.query.filter_by(user_id=session['user_id']).all()
            return render_template('dashboard.html', codes=user_codes)
        return redirect(url_for('login'))

    @app.route('/register', methods=['GET', 'POST'])
    def register():
        if request.method == 'POST':
            username = request.form['username']
            password = request.form['password']
            # Passwords are stored as unsalted MD5 digests.
            password_hash = hashlib.md5(password.encode()).hexdigest()
            new_user = User(username=username, password_hash=password_hash)
            db.session.add(new_user)
            db.session.commit()
            return redirect(url_for('login'))
        return render_template('register.html')

    @app.route('/login', methods=['GET', 'POST'])
    def login():
        if request.method == 'POST':
            username = request.form['username']
            password = request.form['password']
            password_hash = hashlib.md5(password.encode()).hexdigest()
            user = User.query.filter_by(username=username, password_hash=password_hash).first()
            if user:
                session['user_id'] = user.id
                session['username'] = username
                return redirect(url_for('dashboard'))
            return "Invalid credentials"
        return render_template('login.html')

    @app.route('/logout')
    def logout():
        session.pop('user_id', None)
        return redirect(url_for('index'))

    @app.route('/save_code', methods=['POST'])
    def save_code():
        if 'user_id' in session:
            code = request.json.get('code')
            new_code = CodeSnippet(user_id=session['user_id'], code=code)
            db.session.add(new_code)
            db.session.commit()
            return jsonify({"message": "Code saved successfully"})
        return jsonify({"error": "User not logged in"}), 401

    @app.route('/download')
    def download():
        return send_from_directory(directory='/home/app/app/static/', path='app.zip', as_attachment=True)

    @app.route('/delete_code/<int:code_id>', methods=['POST'])
    def delete_code(code_id):
        if 'user_id' in session:
            code = CodeSnippet.query.get(code_id)
            if code and code.user_id == session['user_id']:
                db.session.delete(code)
                db.session.commit()
                return jsonify({"message": "Code deleted successfully"})
            return jsonify({"error": "Code not found"}), 404
        return jsonify({"error": "User not logged in"}), 401

    @app.route('/run_code', methods=['POST'])
    def run_code():
        try:
            # User-supplied JavaScript is evaluated directly by js2py.
            code = request.json.get('code')
            result = js2py.eval_js(code)
            return jsonify({'result': result})
        except Exception as e:
            return jsonify({'error': str(e)})

    if __name__ == '__main__':
        with app.app_context():
            db.create_all()
        app.run(host='0.0.0.0', debug=True)

Note that /run_code takes a parameter and passes it straight to js2py.eval_js; a quick search shows how the sandbox can be escaped ...

2025-08-21 · 3 min · 1440 words · HYH

HTB-Editor

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@Hacking] /home/kali/Editor ❯ nmap editor.htb -A
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open  http    Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Type: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/

CVE-2025-24893
Opening port 8080, the version information is shown at the bottom of the page.
Searching for it turns up this script ...

2025-08-09 · 1 min · 457 words · HYH

HTB-Era

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@Hacking] /home/kali/era ❯ nmap era.htb -A
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Era Designs
|_http-server-header: nginx/1.18.0 (Ubuntu)

Dirsearch
[root@Hacking] /home/kali/era ❯ dirsearch -u era.htb
dirsearch v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://era.htb/
[10:07:41] Scanning:
[10:08:17] 301 - 178B - /css -> http://era.htb/css/
[10:08:24] 301 - 178B - /fonts -> http://era.htb/fonts/
[10:08:26] 301 - 178B - /img -> http://era.htb/img/
[10:08:26] 200 - 19KB - /index.html
[10:08:31] 301 - 178B - /js -> http://era.htb/js/
[10:08:31] 403 - 564B - /js/
Task Completed
The directory scan does not seem to turn up anything, and the site has no interactive functionality, so the next step is subdomain brute-forcing ...

2025-08-05 · 8 min · 3540 words · HYH

HTB-Outbound

Box Info
OS: Linux
Difficulty: Easy
As is common in real life pentests, you will start the Outbound box with credentials for the following account: tyler / LhKL1o9Nm3X2

Nmap
[root@Hacking] /home/kali/Outbound ❯ nmap outbound.htb -A
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
Add mail.outbound.htb to /etc/hosts ...

2025-07-14 · 3 min · 1271 words · HYH