Dockerlabs-Ciberguard

Machine Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/ciberguard ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 01:f6:3a:98:23:dc:8b:00:f0:5c:d5:50:07:f9:ec:e7 (ECDSA) |_ 256 b0:4e:cb:2a:e0:ac:cf:4c:14:7b:23:57:00:6d:12:1d (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: CyberGuard - Seguridad Digital Feroxbuster [root@kali] /home/kali/ciberguard ❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://172.17.0.2/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 9l 31w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 9l 28w 309c http://172.17.0.2/images => http://172.17.0.2/images/ 200 GET 77l 154w 2111c http://172.17.0.2/archiv/script.js 200 GET 311l 560w 5015c http://172.17.0.2/archiv/styles.css 200 GET 231l 1204w 142716c http://172.17.0.2/images/Imagen(1).jpg 200 GET 59l 323w 28431c http://172.17.0.2/images/Image.jpg 200 GET 103l 363w 5100c http://172.17.0.2/ 200 GET 279l 1484w 159900c http://172.17.0.2/images/Imagen%282%29.jpg 200 GET 12l 114w 7473c http://172.17.0.2/images/Iconn.png 200 GET 190l 1007w 91180c http://172.17.0.2/images/Imagen%285%29.png.jpg 200 GET 195l 1148w 120954c http://172.17.0.2/images/Imagen%283%29.jpg 200 GET 243l 1220w 121023c http://172.17.0.2/images/Imagen%284%29.jpg 200 GET 231l 1204w 142716c http://172.17.0.2/images/Imagen%281%29.jpg 301 GET 9l 28w 309c http://172.17.0.2/archiv => http://172.17.0.2/archiv/ 403 GET 9l 28w 275c http://172.17.0.2/server-status [####################] - 29s 661689/661689 0s found:14 errors:1341 [####################] - 28s 661638/661638 23558/s http://172.17.0.2/ [####################] - 0s 661638/661638 3576422/s http://172.17.0.2/images/ => Directory listing (add --scan-dir-listings to scan) [####################] - 0s 661638/661638 330819000/s http://172.17.0.2/archiv/ => Directory listing (add --scan-dir-listings to scan) Own chloe The directory listing shows a file, **/archiv/script.js** ...

2025-05-13 · 4 min · 1528 words · HYH

HTB-Planning

Box Info OS Linux Difficulty Easy As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r Nmap [root@kali] /home/kali/Planning ❯ nmap planning.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA) |_ 256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519) 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-server-header: nginx/1.24.0 (Ubuntu) |_http-title: Edukate - Online Education Website Nothing exploitable on port 80, so try brute-forcing subdomains ...

2025-05-12 · 2 min · 772 words · HYH

HackMyVM-Pycrt

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/pycrt ❯ nmap 192.168.55.36 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA) | 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA) |_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.62 (Debian) 6667/tcp open irc | irc-info: | users: 1 | servers: 1 | chans: 0 | lusers: 1 | lservers: 0 | server: irc.local | version: InspIRCd-3. irc.local | source ident: nmap | source host: 192.168.55.4 |_ error: Closing link: (nmap@192.168.55.4) [Client exited] Port 80 has no useful information; it is just a static page ...

2025-05-11 · 5 min · 2091 words · HYH

HTB-Environment

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Environment ❯ nmap Environment.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA) |_ 256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519) 80/tcp open http nginx 1.22.1 |_http-title: Save the Environment | environment.htb |_http-server-header: nginx/1.22.1 Dirsearch [root@kali] /home/kali/Environment ❯ dirsearch -u http://environment.htb _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://environment.htb/ [07:23:08] Scanning: [07:23:23] 403 - 555B - /admin/.config [07:23:23] 403 - 555B - /admin/.htaccess [07:23:39] 403 - 555B - /administrator/.htaccess [07:23:43] 403 - 555B - /admpar/.ftppass [07:23:43] 403 - 555B - /admrev/.ftppass [07:23:46] 403 - 555B - /app/.htaccess [07:23:52] 403 - 555B - /bitrix/.settings.bak [07:23:52] 403 - 555B - /bitrix/.settings [07:23:52] 403 - 555B - /bitrix/.settings.php.bak [07:23:54] 301 - 169B - /build -> http://environment.htb/build/ [07:23:54] 403 - 555B - /build/ [07:24:15] 403 - 555B - /ext/.deps [07:24:15] 200 - 0B - /favicon.ico [07:24:26] 200 - 4KB - /index.php [07:24:26] 200 - 2KB - /index.php/login/ [07:24:31] 403 - 555B - /lib/flex/varien/.project [07:24:31] 403 - 555B - /lib/flex/uploader/.actionScriptProperties [07:24:31] 403 - 555B - /lib/flex/varien/.flexLibProperties [07:24:31] 403 - 555B - /lib/flex/varien/.actionScriptProperties [07:24:31] 403 - 555B - /lib/flex/uploader/.flexProperties [07:24:31] 403 - 555B - /lib/flex/uploader/.project [07:24:31] 403 - 555B - /lib/flex/uploader/.settings [07:24:31] 403 - 555B - /lib/flex/varien/.settings [07:24:34] 200 - 2KB - /login [07:24:34] 200 - 2KB - /login/ [07:24:35] 302 - 358B - /logout/ -> http://environment.htb/login [07:24:35] 302 - 358B - /logout -> 
http://environment.htb/login [07:24:36] 403 - 555B - /mailer/.env [07:25:01] 403 - 555B - /resources/sass/.sass-cache/ [07:25:01] 403 - 555B - /resources/.arch-internal-preview.css [07:25:02] 200 - 24B - /robots.txt [07:25:12] 301 - 169B - /storage -> http://environment.htb/storage/ [07:25:12] 403 - 555B - /storage/ [07:25:19] 403 - 555B - /twitter/.env [07:25:21] 405 - 244KB - /upload/ [07:25:22] 405 - 244KB - /upload [07:25:24] 403 - 555B - /vendor/ Task Completed Env Bypass Go to the login page and capture the request; the response directly exposes error information ...

2025-05-07 · 3 min · 1134 words · HYH

Dockerlabs-BaluFood

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/balufood ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 69:15:7d:34:74:1c:21:8a:cb:2c:a2:8c:42:a4:21:7f (ECDSA) |_ 256 a7:3a:c9:b2:ac:cf:44:77:a7:9c:ab:89:98:c7:88:3f (ED25519) 5000/tcp open http Werkzeug httpd 2.2.2 (Python 3.11.2) |_http-server-header: Werkzeug/2.2.2 Python/3.11.2 |_http-title: Restaurante Balulero - Inicio Weak Pass Go to 172.17.0.2:5000/login ...

2025-05-01 · 1 min · 449 words · HYH

HTB-Eureka

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Eureka ❯ nmap Eureka.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA) | 256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA) |_ 256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://furni.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) Add furni.htb to **/etc/hosts** ...

2025-04-29 · 5 min · 2094 words · HYH

Dockerlabs-Gallery

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Gallery ❯ nmap 172.17.0.3 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 19:95:1a:f2:f6:7a:a1:f1:ba:16:4b:58:a0:59:f2:02 (ECDSA) |_ 256 e7:e9:8f:b8:db:94:c2:68:11:4c:25:81:f1:ac:cd:ac (ED25519) 80/tcp open http PHP cli server 5.5 or later (PHP 8.3.6) |_http-title: Galer\xC3\xADa de Arte Digital Feroxbuster [root@kali] /home/kali/Gallery ❯ feroxbuster -u 'http://172.17.0.3/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://172.17.0.3/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 200 GET 29l 83w 1478c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 7l 57w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 266l 543w 5288c http://172.17.0.3/style.css 200 GET 28l 63w 1104c http://172.17.0.3/login.php 200 GET 0l 0w 0c http://172.17.0.3/config.php 302 GET 0l 0w 0c http://172.17.0.3/dashboard.php => login.php SQL Injection There is an injection point in the username field ...

2025-04-26 · 4 min · 1551 words · HYH

HackMyVM-Immortal

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/immportal ❯ nmap 192.168.55.17 -sV -A -p- PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.55.4 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 3 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rw-r--r-- 1 0 0 504 Feb 27 2024 message.txt 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 e8:79:ad:8b:d1:a8:39:1b:ac:ed:52:ef:d0:22:0e:eb (RSA) | 256 65:df:6d:1d:49:11:bd:f3:2f:fa:10:0c:3b:48:69:39 (ECDSA) |_ 256 f6:b7:bf:cf:a5:d5:1b:26:4e:13:08:31:07:d5:79:b1 (ED25519) 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-title: Password |_http-server-header: Apache/2.4.56 (Debian) Own www-data ...

2025-04-26 · 2 min · 584 words · HYH

HackMyVM-Up

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/up ❯ nmap 192.168.55.16 -sV -A -p- PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: RodGar - Subir Imagen The page is an upload form; testing found no vulnerability in it Feroxbuster [root@kali] /home/kali/up ❯ feroxbuster -u 'http://192.168.55.16/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.16/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 150l 388w 4489c http://192.168.55.16/ 301 GET 9l 28w 316c http://192.168.55.16/uploads => http://192.168.55.16/uploads/ 301 GET 9l 28w 319c http://192.168.55.16/javascript => http://192.168.55.16/javascript/ 200 GET 150l 388w 4489c http://192.168.55.16/index.php 403 GET 31l 94w 964c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 1l 1w 1301c http://192.168.55.16/uploads/robots.txt 301 GET 9l 28w 329c http://192.168.55.16/javascript/clipboard => http://192.168.55.16/javascript/clipboard/ 200 GET 858l 3081w 26377c http://192.168.55.16/javascript/clipboard/clipboard Own www-data Note that **/uploads** also contains a **robots.txt**; decoding it yields the source code ...

2025-04-26 · 2 min · 830 words · HYH

Dockerlabs-Bicho

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/bicho ❯ nmap 172.17.0.2 -sV -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 09:26 EDT Nmap scan report for 172.17.0.2 Host is up (0.000089s latency). Not shown: 65534 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-title: Did not follow redirect to http://bicho.dl |_http-server-header: Apache/2.4.58 (Ubuntu) Add bicho.dl to **/etc/hosts** ...

2025-04-25 · 4 min · 1577 words · HYH