HTB-Backfire

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Backfire ❯ nmap backfire.htb -sV -Pn -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) 443/tcp open ssl/http nginx 1.22.1 5000/tcp filtered upnp 8000/tcp open http nginx 1.22.1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Visiting backfire.htb:8000 yields two files ...

January 20, 2025 · 6 min · 2846 words · HYH

HTB-Active

Box Info OS Windows Difficulty Easy Nmap [root@kali] /home/kali/Active ❯ nmap active.htb -sV -Pn -T4 PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC 49167/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows SMB File Leak Logging in to SMB anonymously reveals a readable Replication ...

January 18, 2025 · 3 min · 1321 words · HYH

HTB-Blackfield

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali/Blackfield ❯ nmap Blackfield.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Add BLACKFIELD.local to **/etc/hosts** ...

January 18, 2025 · 5 min · 2084 words · HYH

HTB-Cascade

Box Info OS Windows Difficulty Medium Nmap [root@kali] /home/kali/Cascade ❯ nmap Cascade.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows Add cascade.local to **/etc/hosts** ...

January 18, 2025 · 3 min · 1188 words · HYH

HTB-Forest

Box Info OS Windows Difficulty Easy Nmap [root@kali] /home/kali/Forest ❯ nmap forest.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.68 seconds Add htb.local to **/etc/hosts** ...

January 18, 2025 · 3 min · 1401 words · HYH

HTB-Headless

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Headless ❯ nmap headless.htb Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 5000/tcp open upnp Browsing to port 5000 automatically redirects to a support route Dirsearch [root@kali] /home/kali/Headless ❯ dirsearch -u headless.htb:5000 Target: http://headless.htb:5000/ Starting: 401 - 317B - /dashboard 200 - 2KB - /support Task Completed Opening dashboard shows that authentication is required ...

January 18, 2025 · 2 min · 755 words · HYH

HTB-Resolute

Box Info OS Windows Difficulty Medium Nmap [root@kali] /home/kali/Resolute ❯ nmap Resolute.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows Add megabank.local to **/etc/hosts** ...

January 18, 2025 · 3 min · 1290 words · HYH

HTB-Sauna

Box Info OS Windows Difficulty Easy Nmap [root@kali] /home/kali/Sauna ❯ nmap Sauna.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Add EGOTISTICAL-BANK.LOCAL to **/etc/hosts** ...

January 18, 2025 · 3 min · 1004 words · HYH

HTB-EscapeTwo

Box Info OS Windows Difficulty Easy As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su Nmap root@kali: /home/kali/EscapeTwo ➜ nmap EscapeTwo.htb -sV -Pn -T4 Nmap scan report for EscapeTwo.htb PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows SMB User Crack root@kali: /home/kali/EscapeTwo ➜ crackmapexec smb escapetwo.htb -u "rose" -p "KxEPkKe6R8su" --rid-brute | grep SidTypeUser SMB EscapeTwo.htb 445 DC01 500: SEQUEL\Administrator (SidTypeUser) SMB EscapeTwo.htb 445 DC01 501: SEQUEL\Guest (SidTypeUser) SMB EscapeTwo.htb 445 DC01 502: SEQUEL\krbtgt (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1000: SEQUEL\DC01$ (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1103: SEQUEL\michael (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1114: SEQUEL\ryan (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1116: SEQUEL\oscar (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1122: SEQUEL\sql_svc (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1601: SEQUEL\rose (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1607: SEQUEL\ca_svc (SidTypeUser) SMB File Leak [root@kali] /home/kali/EscapeTwo ❯ smbclient -L //10.10.xx.xx -U rose Password for [WORKGROUP\rose]: Sharename Type Comment --------- ---- ------- Accounting Department Disk ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share Users Disk This Accounting Department share contains spreadsheet files ...

January 12, 2025 · 4 min · 1785 words · HYH

HTB-Yummy

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Yummy ❯ nmap yummy.htb -sSCV -Pn -T4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 16:55 CST Nmap scan report for yummy.htb (10.10.11.36) Host is up (0.095s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 a2:ed:65:77:e9:c4:2f:13:49:19:b0:b8:09:eb:56:36 (ECDSA) |_ 256 bc:df:25:35:5c:97:24:f2:69:b4:ce:60:17:50:3c:f0 (ED25519) 80/tcp open http Caddy httpd |_http-title: Yummy |_http-server-header: Caddy Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds Open ports: 22, 80 ...

December 24, 2024 · 6 min · 2938 words · HYH