HTB-Editor

Box Info OS Difficulty Linux Easy Nmap [root@Hacking] /home/kali/Editor ❯ nmap editor.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Editor - SimplistCode Pro 8080/tcp open http Jetty 10.0.20 | http-title: XWiki - Main - Intro |_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/ |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Jetty(10.0.20) | http-cookie-flags: | /: | JSESSIONID: |_ httponly flag not set | http-methods: |_ Potentially risky methods: PROPFIND LOCK UNLOCK | http-webdav-scan: | Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK | WebDAV type: Unknown |_ Server Type: Jetty(10.0.20) | http-robots.txt: 50 disallowed entries (15 shown) | /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ | /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ | /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ | /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ | /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ |_/xwiki/bin/undelete/ CVE-2025-24893 Browsing to port 8080, the version information is shown at the bottom of the page. Searching for it turns up this script ...

2025-08-09 · 1 min · 457 words · HYH

HTB-Era

Box Info OS Difficulty Linux Medium Nmap [root@Hacking] /home/kali/era ❯ nmap era.htb -A PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Era Designs |_http-server-header: nginx/1.18.0 (Ubuntu) Dirsearch [root@Hacking] /home/kali/era ❯ dirsearch -u era.htb _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://era.htb/ [10:07:41] Scanning: [10:08:17] 301 - 178B - /css -> http://era.htb/css/ [10:08:24] 301 - 178B - /fonts -> http://era.htb/fonts/ [10:08:26] 301 - 178B - /img -> http://era.htb/img/ [10:08:26] 200 - 19KB - /index.html [10:08:31] 301 - 178B - /js -> http://era.htb/js/ [10:08:31] 403 - 564B - /js/ Task Completed The directory scan does not appear to turn up anything, and the site has nothing to interact with, so the next step is subdomain brute-forcing ...

2025-08-05 · 8 min · 3540 words · HYH

HackMyVM-Takedown

Nmap [root@Hacking] /home/kali/Takedown ❯ nmap 192.168.55.138 -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u5 (protocol 2.0) | ssh-hostkey: | 3072 51:fb:66:e0:d2:b6:ae:16:a9:d2:74:41:a5:b3:02:2b (RSA) | 256 93:a0:01:6c:42:cd:26:bf:38:e5:70:fb:b8:c6:b3:fe (ECDSA) |_ 256 77:c9:ed:41:a5:cb:30:33:08:22:88:f6:a8:28:11:8d (ED25519) 80/tcp open http nginx 1.18.0 |_http-title: Cybersecurity Inc - Secure Your Digital World |_http-server-header: nginx/1.18.0 Add shieldweb.che and ticket.shieldweb.che to /etc/passwd ...

2025-07-31 · 2 min · 645 words · HYH

HTB-Outbound

Box Info OS Difficulty Linux Easy As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2 Nmap [root@Hacking] /home/kali/Outbound ❯ nmap outbound.htb -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA) |_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519) 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-server-header: nginx/1.24.0 (Ubuntu) |_http-title: Did not follow redirect to http://mail.outbound.htb/ Add mail.outbound.htb to /etc/hosts ...

2025-07-14 · 3 min · 1271 words · HYH

Dockerlabs-Status

Nmap [root@kali] /home/kali/status ❯ nmap 172.17.0.2 -A -p- PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: Web Bunkeriana Only port 80 is open. Gobuster [root@kali] /home/kali/status ❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ⏎ =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.17.0.2 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 5197] /status.php (Status: 403) [Size: 5197] /.php (Status: 403) [Size: 5197] /server-status (Status: 403) [Size: 5197] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== There is a status.php that returns status code 403. The response headers include a Statusid set to 0; try changing it to 1 ...

2025-06-26 · 2 min · 906 words · HYH

Dockerlabs-Bola

Nmap [root@kali] /home/kali/Bola ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0) | ssh-hostkey: | 256 4f:3f:8c:fb:88:da:ea:37:d6:9f:c3:bd:f4:8e:18:1b (ECDSA) |_ 256 2e:a1:36:ff:8b:bb:0d:b3:c8:cb:4a:81:cb:37:77:31 (ED25519) 12345/tcp open http Werkzeug httpd 2.2.2 (Python 3.11.2) |_http-title: Site doesn't have a title (application/json). |_http-server-header: Werkzeug/2.2.2 Python/3.11.2 Dirsearch [root@kali] /home/kali/Bola ❯ dirsearch -u http://172.17.0.2:12345/ _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://172.17.0.2:12345/ [10:24:22] Scanning: [10:24:29] 400 - 167B - /console [10:24:32] 405 - 153B - /login [10:24:37] 308 - 245B - /user -> http://172.17.0.2:12345/user/ [10:24:37] 400 - 54B - /user/ [10:24:37] 200 - 65B - /user/2 [10:24:37] 200 - 69B - /user/1 [10:24:37] 200 - 73B - /user/3 Task Completed This reveals a number of usernames ...

2025-06-24 · 2 min · 645 words · HYH

HTB-Artificial

Nmap [root@kali] /home/kali/Artificial ❯ nmap Artificial.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA) | 256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA) |_ 256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Artificial - AI Solutions |_http-server-header: nginx/1.18.0 (Ubuntu) TensorFlow RCE Register any user and go to the upload page to obtain requirement.txt and dockerfile ...

2025-06-23 · 3 min · 1297 words · HYH

HackMyVM-Sabulaji

Box Info OS Difficulty Linux Medium Nmap [root@kali] /home/kali/sabulaji ❯ nmap 192.168.55.88 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA) | 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA) |_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: epages |_http-server-header: Apache/2.4.62 (Debian) 873/tcp open rsync (protocol version 31) Dirsearch [root@kali] /home/kali/sabulaji ❯ dirsearch -u http://192.168.55.88 _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://192.168.55.88/ [03:28:14] Scanning: [03:28:16] 403 - 278B - /.php [03:28:23] 200 - 2KB - /index.html [03:28:27] 403 - 278B - /server-status [03:28:27] 403 - 278B - /server-status/ Task Completed Nothing of value here ...

2025-06-13 · 2 min · 821 words · HYH

Dockerlabs-ApacheByte

Box Info OS Difficulty Linux Medium Nmap [root@kali] /home/kali/ApacheByte ❯ nmap 172.17.0.3 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 1b:a6:6b:55:9c:c7:98:b3:ac:01:00:21:2f:67:9a:3e (ECDSA) |_ 256 68:bd:c1:ad:61:e1:5d:e9:2b:f8:d1:f1:7d:16:fe:4c (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: Blog |_http-server-header: Apache/2.4.58 (Ubuntu) Change Passwd On the web front end, after registering any account, account.php allows uploading an avatar or changing the password. The avatar upload only accepts image formats, and uploads are visible under the /uploads/ directory. This gives a path, and note that the directory contains one other image. Try changing the password, setting numero to the image name, to change the administrator's password. The administrator's username here is: manager ...

2025-06-06 · 3 min · 1184 words · HYH

Thehackerslabs-Merchan

Nmap [root@kali] /home/kali/merchan ❯ nmap 192.168.55.77 -sV -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 23:07 EDT Nmap scan report for 192.168.55.77 Host is up (0.00028s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) | ssh-hostkey: | 256 da:68:54:15:39:b8:44:ed:b9:08:4c:59:e5:89:50:08 (ECDSA) |_ 256 b4:7d:98:a8:01:e8:3b:17:43:24:43:39:3a:b4:b8:50 (ED25519) 80/tcp open http Apache httpd 2.4.62 |_http-title: Did not follow redirect to http://merchan.thl |_http-server-header: Apache/2.4.62 (Debian) Feroxbuster [root@kali] /home/kali/merchan ❯ feroxbuster -u 'http://www.merchan.thl/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js ⏎ ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://www.merchan.thl/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [js] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 9l 31w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 403 GET 9l 28w 280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 9l 28w 319c http://www.merchan.thl/images => http://www.merchan.thl/images/ 200 GET 8l 29w 28898c http://www.merchan.thl/assets/favicon.ico 200 GET 139l 592w 68236c http://www.merchan.thl/images/camiseta.jpg 200 GET 7l 36w 330c http://www.merchan.thl/js/scripts.js 200 GET 186l 943w 74237c http://www.merchan.thl/images/llavero.jpg 200 GET 10826l 22299w 236792c http://www.merchan.thl/css/styles.css 301 GET 9l 28w 319c http://www.merchan.thl/assets => http://www.merchan.thl/assets/ 200 GET 563l 3920w 380306c http://www.merchan.thl/images/sudadera.png 200 GET 130l 399w 7235c http://www.merchan.thl/ 301 GET 9l 28w 316c http://www.merchan.thl/css => http://www.merchan.thl/css/ 301 GET 9l 28w 315c http://www.merchan.thl/js => http://www.merchan.thl/js/ 200 GET 1l 15w 1365c http://www.merchan.thl/secret.js [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 5m 1102751/1102751 0s found:12 errors:0 [####################] - 5m 220546/220546 740/s http://www.merchan.thl/ [####################] - 5m 220546/220546 726/s http://www.merchan.thl/images/ [####################] - 5m 220546/220546 729/s http://www.merchan.thl/assets/ [####################] - 5m 220546/220546 729/s http://www.merchan.thl/css/ [####################] - 5m 220546/220546 
727/s http://www.merchan.thl/js/ There is a secret.js ...

2025-06-05 · 3 min · 1029 words · HYH