Dockerlabs-Ofuskeit

Box Info
OS: Linux
Difficulty: Medium
Nmap
[root@kali] /home/kali/ofuskeit ❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 f4:1e:4f:80:e4:25:19:87:a5:2b:e5:fe:b3:16:5d:70 (ECDSA)
|_ 256 7d:5a:d8:80:54:05:d2:2f:6f:7f:59:26:4f:6f:83:a8 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Servicios de Mantenimiento Inform\xC3\xA1tico
3000/tcp open http Node.js Express framework
|_http-title: Error
Dirsearch
[root@kali] /home/kali/ofuskeit ❯ dirsearch -u http://172.17.0.2
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://172.17.0.2/
[22:47:24] Scanning:
[22:47:24] 200 - 318B - /.git
[22:47:31] 200 - 2KB - /index.html
[22:47:31] 301 - 313B - /javascript -> http://172.17.0.2/javascript/
[22:47:33] 301 - 315B - /node_modules -> http://172.17.0.2/node_modules/
[22:47:33] 200 - 14KB - /node_modules/
[22:47:33] 200 - 26KB - /package-lock.json
[22:47:33] 200 - 265B - /package.json
[22:47:34] 403 - 275B - /server-status
[22:47:34] 403 - 275B - /server-status/
Task Completed
Looking at the .git directory yields a user's information ...

2025-06-04 · 3 min · 1015 words · HYH

HackMyVM-Umz

Box Info
OS: Linux
Difficulty: Easy
Nmap
[root@kali] /home/kali/Umz ❯ nmap 192.168.55.73 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: cyber fortress 9000
|_http-server-header: Apache/2.4.62 (Debian)
Dirsearch
[root@kali] /home/kali/Umz ❯ dirsearch -u http://192.168.55.73
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.73/
[02:39:29] Scanning:
[02:39:30] 403 - 278B - /.php
[02:39:38] 200 - 3KB - /index.html
[02:39:38] 200 - 3KB - /index.php
[02:39:38] 200 - 3KB - /index.php/login/
[02:39:43] 403 - 278B - /server-status/
[02:39:43] 403 - 278B - /server-status
Task Completed
Request Flood
On index.php, we can see that too many requests trigger some kind of mechanism ...

2025-06-04 · 3 min · 1426 words · HYH

Thehackerslabs-Hexthink-Silent-Shadow

Nmap
[root@kali] /home/kali/hexthink-silent-shadow ❯ nmap 192.168.55.67 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4d:6e:39:a4:15:86:88:70:c7:9d:09:91:a3:0b:18:8c (ECDSA)
|_ 256 f9:21:5d:25:ee:76:05:db:01:3b:45:c9:68:b0:82:9f (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.58 (Ubuntu)
3306/tcp open mysql MariaDB 5.5.5-10.11.11
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.11.11-MariaDB-0ubuntu0.24.04.2
| Thread ID: 34
| Capabilities flags: 63486
| Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, ODBCClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: wPg7y~-c,O)~bPI]yfu:
|_ Auth Plugin Name: mysql_native_password
9090/tcp open zeus-admin?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, WMSRequest, X11Probe, drda, ibm-db2-das, informix:
|_ Protocolo incorrecto. Esto no es HTTP.
Mysql
Going to index.php on port 80, we can see that a ctf_user user exists and can log in with a password; what about trying to log in with an empty password ...

2025-06-04 · 2 min · 841 words · HYH

Dockerlabs-Bypassme

Box Info
OS: Linux
Difficulty: Easy
Nmap
[root@kali] /home/kali/bypassme ❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b4:a8:42:e7:2b:2f:7a:f9:50:bd:6d:31:8e:36:54:7b (ECDSA)
|_ 256 c0:ff:28:31:a3:0b:1a:3d:c3:5f:83:1b:3c:44:28:32 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Login Panel
|_Requested resource was login.php
|_http-server-header: Apache/2.4.58 (Ubuntu)
Dirsearch
[root@kali] /home/kali/bypassme ❯ dirsearch -u 172.17.0.2
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://172.17.0.2/
[10:03:10] Scanning:
[10:03:11] 403 - 275B - /.php
[10:03:18] 302 - 0B - /index.php -> login.php
[10:03:18] 302 - 0B - /index.php/login/ -> login.php
[10:03:18] 200 - 2KB - /login.php
[10:03:18] 403 - 275B - /logs
[10:03:18] 403 - 275B - /logs/access_log
[10:03:18] 403 - 275B - /logs/
[10:03:18] 403 - 275B - /logs/access.log
[10:03:18] 403 - 275B - /logs/error.log
[10:03:18] 403 - 275B - /logs/error_log
[10:03:18] 403 - 275B - /logs/liferay.log
[10:03:18] 403 - 275B - /logs/mail.log
[10:03:18] 403 - 275B - /logs/proxy_error_log
[10:03:18] 403 - 275B - /logs/proxy_access_ssl_log
[10:03:18] 403 - 275B - /logs/wsadmin.traceout
[10:03:18] 403 - 275B - /logs/errors.log
[10:03:18] 403 - 275B - /logs/www-error.log
[10:03:21] 403 - 275B - /server-status/
[10:03:21] 403 - 275B - /server-status
Task Completed
There is a /logs directory, but it cannot be viewed directly, so let's go back to the login page and take a look ...

2025-05-31 · 2 min · 951 words · HYH

Dockerlabs-Pkgpoison

Box Info
OS: Linux
Difficulty: Easy
Nmap
[root@kali] /home/kali/pkgpoison ❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 03:57 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f:87:50:66:15:23:d6:c3:90:3f:ea:8c:a4:4b:b3:ff (RSA)
| 256 d1:35:c1:82:09:e8:c2:c7:cd:98:89:61:c2:6b:14:64 (ECDSA)
|_ 256 dd:01:45:ce:bd:a3:05:21:5b:31:4c:2f:df:38:c4:f6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.41 (Ubuntu)
Feroxbuster
[root@kali] /home/kali/pkgpoison ❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://172.17.0.2/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 308c http://172.17.0.2/notes => http://172.17.0.2/notes/
200 GET 5l 24w 177c http://172.17.0.2/notes/note.txt
200 GET 5094l 30782w 2832734c http://172.17.0.2/index.png
200 GET 26l 51w 589c http://172.17.0.2/
[####################] - 17s 661647/661647 0s found:4 errors:3422
[####################] - 16s 661638/661638 40447/s http://172.17.0.2/
[####################] - 0s 661638/661638 330819000/s http://172.17.0.2/notes/ => Directory listing (add --scan-dir-listings to scan)
We find a note.txt ...

2025-05-31 · 2 min · 903 words · HYH

VulnVM-Ghoster

Box Info
OS: Linux
Difficulty: Medium
Nmap
[root@kali] /home/kali/ghoster ❯ nmap 192.168.55.65 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 c5:5f:01:14:c9:d4:fe:8e:9c:01:5f:3a:2c:dd:38:64 (ECDSA)
|_ 256 63:25:3e:2b:61:4f:21:86:fa:d9:e5:d5:b6:bd:e8:29 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
8081/tcp open http Werkzeug httpd 3.1.3 (Python 3.11.2)
|_http-title: Document Submission Portal
|_http-server-header: Werkzeug/3.1.3 Python/3.11.2
Gobuster
[root@kali] /home/kali/ghoster ❯ gobuster dir -u 'http://192.168.55.65/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.55.65/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/uploads (Status: 301) [Size: 316] [--> http://192.168.55.65/uploads/]
/.php (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
CVE-2023-36664
Nothing here is directly exploitable, so we move on to port 8081 ...

2025-05-31 · 2 min · 842 words · HYH

VulnVM-Manage

Box Info
OS: Linux
Difficulty: Easy
Nmap
[root@kali] /home/kali/manage ❯ nmap 192.168.55.66 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
MAC Address: 08:00:27:01:D6:2B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Dirsearch
[root@kali] /home/kali/manage ❯ dirsearch -u 'http://192.168.55.66' ⏎
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.66/
[23:33:52] Scanning:
[23:33:53] 403 - 278B - /.php
[23:33:55] 200 - 11KB - /admin.php
[23:34:01] 200 - 10KB - /index.html
[23:34:05] 403 - 278B - /server-status/
[23:34:05] 403 - 278B - /server-status
Task Completed
There does not seem to be a SQL injection issue, and the login cannot be brute-forced either; now let's look at port 445 ...

2025-05-31 · 3 min · 1278 words · HYH

Dockerlabs-LogisticCloud

Nmap
[root@kali] /home/kali/LogisticCloud ❯ nmap 172.17.0.2 -sV -A -p- ⏎
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 22:07 EDT
Nmap scan report for 172.17.0.2
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e9:59:86:db:ea:af:ff:09:ee:8f:ab:c6:0d:b8:b5:82 (ECDSA)
|_ 256 ff:8d:9f:f8:e7:a5:f4:ce:6a:2d:e4:30:ac:77:18:fc (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Login - HLG Logistics
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
9000/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (application/xml).
|_http-server-header: MinIO
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Accept-Ranges: bytes
| Content-Length: 303
| Content-Type: application/xml
| Server: MinIO
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Vary: Origin
| X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
| X-Amz-Request-Id: 18442BF4BCD11059
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Fri, 30 May 2025 02:08:05 GMT
| <?xml version="1.0" encoding="UTF-8"?>
| <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>18442BF4BCD11059</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
| GenericLines, Help, RTSPRequest, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 400 Bad Request
| Accept-Ranges: bytes
| Content-Length: 276
| Content-Type: application/xml
| Server: MinIO
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Vary: Origin
| X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
| X-Amz-Request-Id: 18442BF13C1B8666
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Fri, 30 May 2025 02:07:50 GMT
| <?xml version="1.0" encoding="UTF-8"?>
| <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>18442BF13C1B8666</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
| HTTPOptions:
| HTTP/1.0 200 OK
| Vary: Origin
| Date: Fri, 30 May 2025 02:07:50 GMT
|_ Content-Length: 0
9001/tcp open http Golang net/http server
|_http-server-header: MinIO Console
|_http-title: MinIO Console
| fingerprint-strings:
| GenericLines, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Content-Length: 1309
| Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' https://unpkg.com; connect-src 'self' https://unpkg.com;
| Content-Type: text/html
| Last-Modified: Fri, 30 May 2025 02:07:50 GMT
| Referrer-Policy: strict-origin-when-cross-origin
| Server: MinIO Console
| X-Content-Type-Options: nosniff
| X-Frame-Options: DENY
| X-Xss-Protection: 1; mode=block
| Date: Fri, 30 May 2025 02:07:50 GMT
|_ <!doctype html><html lang="en"><head><meta charset="utf-8"/><base href="/"/><meta content="width=device-width,initial-scale=1" name="viewport"/><meta content="#081C42" media="(prefers-color-scheme: light)" name="theme-color"/><meta content="#081C42" media="(prefers-color-scheme: dark)" name="theme-color"/><meta content="MinIO Console" name="description"/><meta name="minio-license" content="agpl"/><link href="./s
AWS
On port 80 there is a login form; brute-forcing the login failed. Looking at the page source reveals a special value, huguelogistics-data, whose name is bucket ...

2025-05-30 · 3 min · 1182 words · HYH

Dockerlabs-Thedog

NMAP
[root@kali] /home/kali/thedog ❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.49 ((Unix))
|_http-title: Comando Ping
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Nuclei
[root@kali] /home/kali/thedog ❯ nuclei -u http://172.17.0.2 ⏎
__ _ ____ __ _______/ /__ (_) / __ \/ / / / ___/ / _ \/ / / / / / /_/ / /__/ / __/ / /_/ /_/\__,_/\___/_/\___/_/ v3.4.2
projectdiscovery.io
[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 7991
[INF] Executing 7793 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 198 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1743 (Reduced 1638 Requests)
[INF] Using Interactsh Server: oast.me
[CVE-2021-41773:RCE] [http] [high] http://172.17.0.2/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
[http-trace:trace-request] [http] [info] http://172.17.0.2
[http-trace:options-request] [http] [info] http://172.17.0.2
[missing-sri] [http] [info] http://172.17.0.2 ["https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"]
[waf-detect:apachegeneric] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:content-security-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://172.17.0.2
[http-missing-security-headers:referrer-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:strict-transport-security] [http] [info] http://172.17.0.2
[http-missing-security-headers:permissions-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-frame-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-content-type-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:clear-site-data] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://172.17.0.2
[tech-detect:jsdelivr] [http] [info] http://172.17.0.2
[tech-detect:bootstrap] [http] [info] http://172.17.0.2
[apache-detect] [http] [info] http://172.17.0.2 ["Apache/2.4.49 (Unix)"]
[options-method] [http] [info] http://172.17.0.2 ["GET,POST,OPTIONS,HEAD,TRACE"]
CVE-2021-41773
After information gathering, the following way of executing commands was obtained ...

2025-05-30 · 2 min · 640 words · HYH

HackMyVM-Homelab

Box Info
OS: Linux
Difficulty: Medium
Nmap
[root@kali] /home/kali/homelab ❯ nmap 192.168.55.41 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Unix))
|_http-favicon: Apache on Mac OS X
|_http-title: Mac OS X Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.62 (Unix)
Only port 80 is open.
Dir Fuzz
[root@kali] /home/kali/homelab ❯ dirsearch -u http://192.168.55.41
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.41/
[04:47:54] Scanning:
[04:48:00] 200 - 820B - /cgi-bin/printenv
[04:48:00] 200 - 1KB - /cgi-bin/test-cgi
[04:48:01] 200 - 4KB - /error.html
[04:48:01] 200 - 8KB - /favicon.ico
[04:48:02] 200 - 5KB - /index.html
[04:48:05] 301 - 313B - /script -> http://192.168.55.41/script/
[04:48:05] 403 - 276B - /script/
[04:48:06] 301 - 314B - /service -> http://192.168.55.41/service/
[04:48:06] 301 - 319B - /service?Wsdl -> http://192.168.55.41/service/?Wsdl
[04:48:06] 301 - 312B - /style -> http://192.168.55.41/style/
[04:48:10] 403 - 276B - /server-status/
[04:48:11] 403 - 276B - /server-status
Task Completed
[root@kali] /home/kali/homelab ❯ curl http://192.168.55.41/service/
Whoa! But sorry, this service is only available for myself!#
There is a service path, but it seems to require authentication ...

2025-05-17 · 8 min · 3694 words · HYH