Linux

Nmap [/home/kali/Facts]$ nmap facts.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA) |_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519) 80/tcp open http nginx 1.26.3 (Ubuntu) |_http-title: facts |_http-server-header: nginx/1.26.3 (Ubuntu) Camaleon CMS 进行目录扫描得到/admin [/home/kali/Facts]$ feroxbuster -u 'http://facts.htb/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://facts.htb/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 200 GET 124l 552w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 121l 443w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 69l 448w 30396c http://facts.htb/randomfacts/logopage2.png 200 GET 129l 132w 3508c http://facts.htb/sitemap 200 GET 8l 11w 183c http://facts.htb/rss 200 GET 66l 519w 44082c http://facts.htb/randomfacts/primary-question-mark.png 404 GET 2l 9w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 403 GET 7l 10w 162c http://facts.htb/randomfacts/ 404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/css 200 GET 271l 1166w 19187c http://facts.htb/search 200 GET 160l 773w 15365c http://facts.htb/finland-happiest 200 GET 172l 920w 19730c http://facts.htb/animal-ejected 200 GET 172l 913w 19727c http://facts.htb/first-impressions 200 GET 178l 965w 21754c http://facts.htb/dolphin-fact 404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/ 200 GET 166l 833w 17324c http://facts.htb/anne-frank 200 GET 160l 721w 15004c http://facts.htb/animal-sweat 200 GET 160l 733w 14975c http://facts.htb/cute-animals 200 GET 172l 925w 19677c http://facts.htb/dark-chocolate 200 GET 64l 988w 206540c http://facts.htb/assets/camaleon_cms/image-not-found-fc3c0e66dc61abf74010e63ef65a2e23c4cb40a3320408f2711f82fdc22b503f.png 200 GET 172l 889w 19556c http://facts.htb/cats-attachment 200 GET 8l 2294w 169312c http://facts.htb/assets/themes/camaleon_first/assets/css/main-41052d2acf5add707cadf8d1c12a89a9daca83fb8178fdd5c9105dc6c566d25d.css 200 GET 9958l 40904w 330571c http://facts.htb/assets/themes/camaleon_first/assets/js/main-2d9adb006939c9873a62dff797c5fc28dff961487a2bb550824c5bc6b8dbb881.js 200 GET 281l 1177w 19593c http://facts.htb/page 302 GET 0l 0w 0c http://facts.htb/admin => http://facts.htb/admin/login 然后随意注册一个账号 登录到后台发现具体的CMS版本 进入到信息修改界面，进行修改密码 然后抓包添加图中的部分 ...

Nmap [root@Hacking] /home/kali/expressway ❯ nmap expressway.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.19 Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 看起来tcp端口只开放了22的ssh服务，接下来扫描一下udp端口 ...

Nmap [root@Hacking] /home/kali/hacknet ❯ nmap hacknet.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0) | ssh-hostkey: | 256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA) |_ 256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519) 80/tcp open http nginx 1.22.1 |_http-server-header: nginx/1.22.1 |_http-title: HackNet - social network for hackers 查看技术栈里使用了Django Django 随便注册一个用户进去，可以执行的操作有： ...

Nmap [root@Hacking] /home/kali/soulmate ❯ nmap soulmate.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: Soulmate - Find Your Perfect Match |_http-server-header: nginx/1.18.0 (Ubuntu) 8000/tcp open http-alt? Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.19 Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Dirsearch [root@Hacking] /home/kali/soulmate ❯ dirsearch -u 'http://soulmate.htb' _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://soulmate.htb/ [21:15:09] Scanning: [21:15:24] 301 - 178B - /assets -> http://soulmate.htb/assets/ [21:15:24] 403 - 564B - /assets/ [21:15:28] 302 - 0B - /dashboard.php -> /login [21:15:33] 200 - 16KB - /index.php [21:15:35] 200 - 8KB - /login.php [21:15:35] 302 - 0B - /logout.php -> login.php [21:15:40] 302 - 0B - /profile.php -> /login [21:15:41] 200 - 11KB - /register.php [21:15:42] 301 - 178B - /shell -> http://soulmate.htb/shell/ [21:15:42] 403 - 564B - /shell/ Task Completed Subdomain Fuzz [root@Hacking] /home/kali/soulmate ❯ ffuf -u 'http://soulmate.htb/' -H 'Host: FUZZ.soulmate.htb' -w /usr/share/fuzzDicts/subdomainDicts/main.txt -fw 4 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://soulmate.htb/ :: Wordlist : FUZZ: /usr/share/fuzzDicts/subdomainDicts/main.txt :: Header : Host: FUZZ.soulmate.htb :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response words: 4 ________________________________________________ ftp [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 209ms] CrashFTP 找到一个能用的 ...

Nmap [root@Hacking] /home/kali/silentdev ❯ nmap 192.168.26.18 -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 4a:f7:09:40:45:df:25:cc:a4:f5:85:ac:63:c6:13:3e (ECDSA) |_ 256 58:be:2c:d0:40:af:d5:9c:2a:13:38:82:61:f6:8c:87 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Upload Image |_http-server-header: Apache/2.4.62 (Debian) MAC Address: 08:00:27:3A:A8:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Device type: general purpose|router Running: Linux 4.X|5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 进入之后是一个上传页面 ...

Box Info OS Difficulty Linux Hard Nmap [root@Hacking] /home/kali/Guardian ❯ nmap guardian.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 9c:69:53:e1:38:3b:de:cd:42:0a:c8:6b:f8:95:b3:62 (ECDSA) |_ 256 3c:aa:b9:be:17:2d:5e:99:cc:ff:e1:91:90:38:b7:39 (ED25519) 80/tcp open http Apache httpd 2.4.52 |_http-title: Guardian University - Empowering Future Leaders |_http-server-header: Apache/2.4.52 (Ubuntu) Portal 在页面源码中发现了子域名portal.guardian.htb ...

Box Info OS Difficulty Linux Medium Nmap [root@Hacking] /home/kali ❯ nmap previous.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: PreviousJS |_http-server-header: nginx/1.18.0 (Ubuntu) Dirsearch [root@Hacking] /home/kali ❯ dirsearch -u http://previous.htb _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://previous.htb/ [10:42:11] Scanning: [10:42:44] 307 - 40B - /api.json -> /api/auth/signin?callbackUrl=%2Fapi.json [10:42:44] 307 - 39B - /api.php -> /api/auth/signin?callbackUrl=%2Fapi.php [10:42:44] 307 - 40B - /api-docs -> /api/auth/signin?callbackUrl=%2Fapi-docs [10:42:44] 307 - 35B - /api -> /api/auth/signin?callbackUrl=%2Fapi [10:42:44] 307 - 39B - /api-doc -> /api/auth/signin?callbackUrl=%2Fapi-doc [10:42:44] 307 - 39B - /api.log -> /api/auth/signin?callbackUrl=%2Fapi.log [10:42:44] 307 - 60B - /api/2/issue/createmeta -> /api/auth/signin?callbackUrl=%2Fapi%2F2%2Fissue%2Fcreatemeta [10:42:44] 307 - 38B - /api.py -> /api/auth/signin?callbackUrl=%2Fapi.py [10:42:44] 307 - 41B - /api/api -> /api/auth/signin?callbackUrl=%2Fapi%2Fapi [10:42:44] 307 - 46B - /api/api-docs -> /api/auth/signin?callbackUrl=%2Fapi%2Fapi-docs [10:42:44] 307 - 52B - /api/cask/graphql -> /api/auth/signin?callbackUrl=%2Fapi%2Fcask%2Fgraphql [10:42:44] 307 - 45B - /api/apidocs -> /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs [10:42:44] 307 - 49B - /api/config.json -> /api/auth/signin?callbackUrl=%2Fapi%2Fconfig.json [10:42:44] 307 - 60B - /api/apidocs/swagger.json -> /api/auth/signin?callbackUrl=%2Fapi%2Fapidocs%2Fswagger.json [10:42:44] 307 - 43B - /api/batch -> /api/auth/signin?callbackUrl=%2Fapi%2Fbatch [10:42:44] 307 - 54B - /api/application.wadl -> /api/auth/signin?callbackUrl=%2Fapi%2Fapplication.wadl [10:42:44] 307 - 44B - /api/config -> /api/auth/signin?callbackUrl=%2Fapi%2Fconfig <skip> 进入网页可以看到首页是PreviousJS 然后点击Get Started进入登录页面 ...

Nmap [root@Hacking] /home/kali/CodeTwo ❯ nmap codetwo.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA) | 256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA) |_ 256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519) 8000/tcp open http Gunicorn 20.0.4 |_http-title: Welcome to CodeTwo |_http-server-header: gunicorn/20.0.4 Device type: general purpose CVE-2024-28397 发现存在/download路由可以下载源码 from flask import Flask, render_template, request, redirect, url_for, session, jsonify, send_from_directory from flask_sqlalchemy import SQLAlchemy import hashlib import js2py import os import json js2py.disable_pyimport() app = Flask(__name__) app.secret_key = 'S3cr3tK3yC0d3Tw0' app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db' app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False db = SQLAlchemy(app) class User(db.Model): id = db.Column(db.Integer, primary_key=True) username = db.Column(db.String(80), unique=True, nullable=False) password_hash = db.Column(db.String(128), nullable=False) class CodeSnippet(db.Model): id = db.Column(db.Integer, primary_key=True) user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False) code = db.Column(db.Text, nullable=False) @app.route('/') def index(): return render_template('index.html') @app.route('/dashboard') def dashboard(): if 'user_id' in session: user_codes = CodeSnippet.query.filter_by(user_id=session['user_id']).all() return render_template('dashboard.html', codes=user_codes) return redirect(url_for('login')) @app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] password_hash = hashlib.md5(password.encode()).hexdigest() new_user = User(username=username, password_hash=password_hash) db.session.add(new_user) db.session.commit() return redirect(url_for('login')) return render_template('register.html') @app.route('/login', methods=['GET', 'POST']) def login(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] password_hash = hashlib.md5(password.encode()).hexdigest() user = User.query.filter_by(username=username, password_hash=password_hash).first() if user: session['user_id'] = user.id session['username'] = username; return redirect(url_for('dashboard')) return "Invalid credentials" return render_template('login.html') @app.route('/logout') def logout(): session.pop('user_id', None) return redirect(url_for('index')) @app.route('/save_code', methods=['POST']) def save_code(): if 'user_id' in session: code = request.json.get('code') new_code = CodeSnippet(user_id=session['user_id'], code=code) db.session.add(new_code) db.session.commit() return jsonify({"message": "Code saved successfully"}) return jsonify({"error": "User not logged in"}), 401 @app.route('/download') def download(): return send_from_directory(directory='/home/app/app/static/', path='app.zip', as_attachment=True) @app.route('/delete_code/<int:code_id>', methods=['POST']) def delete_code(code_id): if 'user_id' in session: code = CodeSnippet.query.get(code_id) if code and code.user_id == session['user_id']: db.session.delete(code) db.session.commit() return jsonify({"message": "Code deleted successfully"}) return jsonify({"error": "Code not found"}), 404 return jsonify({"error": "User not logged in"}), 401 @app.route('/run_code', methods=['POST']) def run_code(): try: code = request.json.get('code') result = js2py.eval_js(code) return jsonify({'result': result}) except Exception as e: return jsonify({'error': str(e)}) if __name__ == '__main__': with app.app_context(): db.create_all() app.run(host='0.0.0.0', debug=True) 注意到/run_code接收参数，然后传递到js2py.eval_js，搜索可以得知如何逃逸 ...

Nmap [root@Hacking] /home/kali/Lujo ❯ nmap 192.168.55.157 -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 17:13 CST Nmap scan report for 192.168.55.157 Host is up (0.00026s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0) | ssh-hostkey: | 256 af:79:a1:39:80:45:fb:b7:cb:86:fd:8b:62:69:4a:64 (ECDSA) |_ 256 6d:d4:9d:ac:0b:f0:a1:88:66:b4:ff:f6:42:bb:f2:e5 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: LuxeCollection - Art\xC3\xADculos de Lujo Exclusivos Dir scan [root@Hacking] /home/kali/Lujo ❯ dirsearch -u http://192.168.55.157 _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://192.168.55.157/ [17:16:08] Scanning: [17:16:09] 403 - 279B - /.php [17:16:15] 200 - 15KB - /index.html [17:16:18] 301 - 318B - /scripts -> http://192.168.55.157/scripts/ [17:16:18] 200 - 937B - /scripts/ [17:16:18] 403 - 279B - /server-status [17:16:18] 403 - 279B - /server-status/ [17:16:19] 301 - 317B - /styles -> http://192.168.55.157/styles/ Task Completed [root@Hacking] /home/kali/Lujo ❯ feroxbuster -u http://192.168.55.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.157 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 221l 524w 5600c http://192.168.55.157/scripts/main.js 200 GET 231l 411w 3799c http://192.168.55.157/styles/responsive.css 200 GET 168l 285w 2899c http://192.168.55.157/styles/components.css 200 GET 230l 445w 4172c http://192.168.55.157/styles/main.css 200 GET 285l 778w 15656c http://192.168.55.157/ 301 GET 9l 28w 318c http://192.168.55.157/scripts => http://192.168.55.157/scripts/ 301 GET 9l 28w 317c http://192.168.55.157/styles => http://192.168.55.157/styles/ [####################] - 2m 661674/661674 0s found:7 errors:0 [####################] - 2m 661638/661638 4945/s http://192.168.55.157/ [####################] - 1s 661638/661638 1070612/s http://192.168.55.157/scripts/ => Directory listing (add --scan-dir-listings to scan) [####################] - 0s 661638/661638 220546000/s http://192.168.55.157/styles/ => Directory listing (add --scan-dir-listings to scan) 什么也没有扫到，那么就从页面里找信息，发现有一些人名 其中Sophia可以进行SSH爆破登录 ...

Nmap [root@Hacking] /home/kali/lazycorp ❯ nmap 192.168.55.152 -A -p- PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.55.4 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.5 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 114 119 4096 Jul 16 12:35 pub 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 46:82:43:4b:ef:e0:b0:50:04:c0:d5:2c:3c:5c:7d:4a (RSA) | 256 52:79:ea:92:35:b4:f2:5d:b9:14:f0:21:1c:eb:2f:66 (ECDSA) |_ 256 98:fa:95:86:04:75:31:39:c6:60:26:9e:26:86:82:88 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: LazyCorp | Empowering Devs | http-robots.txt: 2 disallowed entries |_/cms-admin.php /auth-LazyCorp-dev/ |_http-server-header: Apache/2.4.41 (Ubuntu) 发现FTP可以匿名访问 ...