HTB-Nocturnal

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Nocturnal ❯ nmap Nocturnal.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA) | 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA) |_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: Welcome to Nocturnal |_http-server-header: nginx/1.18.0 (Ubuntu) User Register any account, then log in; you can upload some files ...

2025-04-14 · 3 min · 1012 words · HYH

HTB-Haze

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap Haze.htb -sV -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 |_ssl-date: TLS randomness does not represent time 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 |_ssl-date: TLS randomness does not represent time 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name) |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.haze.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb | Not valid before: 2025-03-05T07:12:20 |_Not valid after: 2026-03-05T07:12:20 8000/tcp open http Splunkd httpd | http-title: Site doesn't have a 
title (text/html; charset=UTF-8). |_Requested resource was http://Haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F |_http-server-header: Splunkd | http-robots.txt: 1 disallowed entry |_/ 8088/tcp open ssl/http Splunkd httpd |_http-server-header: Splunkd |_http-title: 404 Not Found | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2025-03-05T07:29:08 |_Not valid after: 2028-03-04T07:29:08 | http-robots.txt: 1 disallowed entry |_/ 8089/tcp open ssl/http Splunkd httpd |_http-title: splunkd | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2025-03-05T07:29:08 |_Not valid after: 2028-03-04T07:29:08 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Splunkd Add dc01.haze.htb to **/etc/hosts** ...

2025-03-31 · 8 min · 3673 words · HYH

HTB-Code

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Code ❯ nmap code.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA) | 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA) |_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519) 5000/tcp open http Gunicorn 20.0.4 |_http-title: Python Code Editor |_http-server-header: gunicorn/20.0.4 Own www-data SSTI Injection - Hello CTF Port 5000 serves a Python code execution window ...

2025-03-23 · 2 min · 742 words · HYH

HTB-Strutted

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Strutted ❯ nmap strutted.htb -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) CVE-2024-53677 There is a Download route from which the site's source code can be downloaded. Checking pom.xml shows it uses struts2 6.3.0.1 ...

2025-03-22 · 2 min · 603 words · HYH

HTB-TheFrizz

Box Info OS Windows Difficulty Medium Nmap [root@kali] /home/kali/TheFrizz ❯ nmap thefrizz.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0) 53/tcp open domain Simple DNS Plus 80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12) |_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/ |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Add frizz.htb to **/etc/hosts** ...

2025-03-17 · 5 min · 2322 words · HYH

HTB-Dog

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Dog ❯ nmap dog.htb -sV -A -Pn -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA) | 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA) |_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) | http-git: | 10.10.11.58:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... |_ Last commit message: todo: customize url aliases. reference:https://docs.backdro... |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-generator: Backdrop CMS 1 (https://backdropcms.org) | http-robots.txt: 22 disallowed entries (15 shown) | /core/ /profiles/ /README.md /web.config /admin | /comment/reply /filter/tips /node/add /search /user/register |_/user/password /user/login /user/logout /?q=admin /?q=comment/reply |_http-title: Home | Dog Note that nmap directly found the **/.git** directory ...

2025-03-09 · 3 min · 1134 words · HYH

HTB-Cypher

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Cypher ❯ nmap cypher.htb -sV -A -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA) |_ 256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519) 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-title: GRAPH ASM |_http-server-header: nginx/1.24.0 (Ubuntu) Dirsearch [root@kali] /home/kali/Desktop ❯ dirsearch -u cypher.htb -t 50 -x 404 Target: http://cypher.htb/ Starting: 200 - 5KB - /about 200 - 5KB - /about.html 307 - 0B - /api -> /api/docs 307 - 0B - /api/ -> http://cypher.htb/api/api 307 - 0B - /demo/ -> http://cypher.htb/api/demo 307 - 0B - /demo -> /login 200 - 4KB - /login.html 200 - 4KB - /login 301 - 178B - /testing -> http://cypher.htb/testing/ Task Completed ...

2025-03-02 · 4 min · 1641 words · HYH

HTB-Checker

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Checker ❯ nmap checker.htb -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 8080/tcp open http Apache httpd Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel On the checker.htb:8080 page, a subdomain was found: vault ...

2025-02-27 · 7 min · 3285 words · HYH

HTB-Titanic

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Titanic ❯ nmap titanic.htb -sV -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.52 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ReadAnyFiles Go to titanic.htb, click Book Now, and capture the traffic with burpsuite to find a download route ...

2025-02-16 · 2 min · 875 words · HYH

HTB-Cat

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali ❯ nmap cat.htb PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Dirsearch A git leak exists. Use git-dumper to retrieve the source code [root@kali] /home/kali/Cat ❯ git-dumper http://cat.htb/.git/ ./catgit XSS view_cat.php shows a possible XSS ...

2025-02-13 · 3 min · 1142 words · HYH