HackMyVM-Mathdop

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.55.13 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 ac:78:16:74:49:a1:68:9d:54:84:8a:59:e9:38:10:bc (RSA) | 256 06:0c:4d:9d:2c:32:43:d2:3d:f7:4f:82:c8:15:85:60 (ECDSA) |_ 256 3b:cd:fc:1f:dd:48:0f:ee:17:78:9a:f1:09:cb:8c:ec (ED25519) 7577/tcp open http Apache Tomcat (language: en) | http-title: Site doesn't have a title (application/hal+json). |_Requested resource was http://192.168.55.13:7577/api | http-methods: |_ Potentially risky methods: PUT PATCH DELETE 9393/tcp open http Apache Tomcat (language: en) | http-methods: |_ Potentially risky methods: PUT PATCH DELETE |_http-title: Site doesn't have a title (application/hal+json). CVE-2024-37084 Go to the dashboard on port 9393 ...

2025-04-24 · 3 min · 1193 words · HYH

HackMyVM-Atom

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/atom ❯ nmap 192.168.55.12 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0) | ssh-hostkey: | 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA) |_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519) Only port 22 is open? Interesting. Let's scan the UDP ports. [root@kali] /home/kali/atom ❯ nmap 192.168.55.12 -sU --top-ports 100 ⏎ PORT STATE SERVICE 623/udp open asf-rmcp IPMI IPMI (Intelligent Platform Management Interface) works across different operating systems, firmware and hardware platforms, and can intelligently monitor, control and automatically report the operating status of large numbers of servers, reducing server system costs. ...

2025-04-22 · 3 min · 1075 words · HYH

VulnVM-Get

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.55.11 -sV -A -p- Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 69:dc:67:49:10:2a:a4:26:a8:9f:c4:5d:a3:b8:a1:3e (ECDSA) |_ 256 6a:2b:e4:44:29:78:62:fb:61:0b:09:2f:9c:bc:18:c6 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.62 (Debian) Feroxbuster [root@kali] /home/kali ❯ feroxbuster -u 'http://192.168.55.11/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.11/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 0l 0w 0c http://192.168.55.11/contact.php 200 GET 25l 127w 10359c http://192.168.55.11/icons/openlogo-75.png 200 GET 368l 933w 10701c http://192.168.55.11/ [####################] - 19s 220551/220551 0s found:3 errors:0 [####################] - 18s 220546/220546 12201/s http://192.168.55.11/ contact.php returns no output at all, so try brute-forcing its parameters ...

2025-04-22 · 2 min · 875 words · HYH

HackMyVM-HackingToys

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/hackingtoys ❯ nmap 192.168.55.10 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0) | ssh-hostkey: | 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA) |_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519) 3000/tcp open ssl/ppp? |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=FR | Not valid before: 2024-05-20T15:36:20 |_Not valid after: 2038-01-27T15:36:20 | fingerprint-strings: | GenericLines: | HTTP/1.0 400 Bad Request | Content-Length: 930 | Puma caught this error: Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma? (Puma::HttpParserError) | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/client.rb:268:in `execute' | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/client.rb:268:in `try_to_finish' | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/server.rb:298:in `reactor_wakeup' | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/server.rb:248:in `block in run' | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:119:in `wakeup!' 
| /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `block in select_loop' | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `select' | /usr/local/rvm/gems/ruby-3.1.0/gems/puma-6.4.2/lib/puma/reactor.rb:76:in `select_loop' | /usr/loc | GetRequest: | HTTP/1.0 403 Forbidden | content-type: text/html; charset=UTF-8 | Content-Length: 5702 | <!DOCTYPE html> | <html lang="en"> | <head> | <meta charset="utf-8" /> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta name="turbo-visit-control" content="reload"> | <title>Action Controller: Exception caught</title> | <style> | body { | background-color: #FAFAFA; | color: #333; | color-scheme: light dark; | supported-color-schemes: light dark; | margin: 0px; | body, p, ol, ul, td { | font-family: helvetica, verdana, arial, sans-serif; | font-size: 13px; | line-height: 18px; | font-size: 11px; | white-space: pre-wrap; | pre.box { | border: 1px solid #EEE; | padding: 10px; | margin: 0px; | width: 958px; | header { | color: #F0F0F0; | background: #C00; |_ padding: Looking at the service on port 3000, it is Ruby on Rails ...

2025-04-21 · 2 min · 795 words · HYH

HackMyVM-Pwned

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.56.158 -sV -A -p- PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA) | 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA) |_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Pwned....!! Feroxbuster [root@kali] /home/kali/pwned ❯ feroxbuster -u http://192.168.55.6/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.6/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 9l 31w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 403 GET 9l 28w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 16l 27w 194c http://192.168.55.6/nothing/nothing.html 200 GET 75l 191w 3065c http://192.168.55.6/ 200 GET 4l 7w 41c http://192.168.55.6/robots.txt 301 GET 9l 28w 314c http://192.168.55.6/nothing => http://192.168.55.6/nothing/ 301 GET 9l 28w 318c http://192.168.55.6/hidden_text => http://192.168.55.6/hidden_text/ 200 GET 22l 21w 211c http://192.168.55.6/hidden_text/secret.dic Download this dic to use as the scanning wordlist ...

2025-04-20 · 3 min · 1368 words · HYH

HackMyVM-Gift

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.56.157 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.3 (protocol 2.0) | ssh-hostkey: | 3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA) | 256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA) |_ 256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519) 80/tcp open http nginx |_http-title: Site doesn't have a title (text/html). Directory scanning failed [root@kali] /home/kali ❯ curl "http://192.168.56.157/" -v * Trying 192.168.56.157:80... * Connected to 192.168.56.157 (192.168.56.157) port 80 * using HTTP/1.x > GET / HTTP/1.1 > Host: 192.168.56.157 > User-Agent: curl/8.12.1 > Accept: */* > * Request completely sent off < HTTP/1.1 200 OK < Server: nginx < Date: Sat, 19 Apr 2025 06:42:57 GMT < Content-Type: text/html < Content-Length: 57 < Last-Modified: Sun, 20 Sep 2020 16:29:39 GMT < Connection: keep-alive < ETag: "5f678373-39" < Accept-Ranges: bytes < Dont Overthink. Really, Its simple. <!-- Trust me --> * Connection #0 to host 192.168.56.157 left intact Hydra to ssh Try brute-forcing the login using simple ...

2025-04-19 · 1 min · 367 words · HYH

VulnVM-easyaspie

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/homelab ❯ nmap 192.168.56.156 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 8c:c5:70:a6:8f:7c:53:6f:98:6d:01:9c:63:b7:3b:60 (RSA) | 256 31:1f:74:73:32:ff:8e:f0:f9:63:fb:51:13:98:32:27 (ECDSA) |_ 256 7e:1f:ea:1b:50:38:d8:88:5a:fc:cb:6f:70:3f:25:0b (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.41 (Ubuntu) Gobuster [root@kali] /home/kali/homelab ❯ gobuster dir -u http://192.168.56.156/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 50 =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.156/ [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,txt [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /note.txt (Status: 200) [Size: 162] /server-status (Status: 403) [Size: 279] Progress: 661680 / 661683 (100.00%) =============================================================== Check **/note.txt** ...

2025-04-19 · 1 min · 402 words · HYH

Dockerlabs-stackinferno

Box Info OS Linux Difficulty Medium The privilege escalation part is an unintended solution Nmap [root@kali] /home/kali/stackinferno ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 88:00:5f:26:eb:50:e4:55:6d:0a:0c:73:58:99:cd:2d (ECDSA) |_ 256 6b:36:5c:a3:c0:8b:22:b7:35:11:86:f1:7e:7f:77:5b (ED25519) 80/tcp open http Werkzeug/2.2.2 Python/3.11.2 |_http-server-header: Werkzeug/2.2.2 Python/3.11.2 | fingerprint-strings: | FourOhFourRequest: | HTTP/1.1 302 FOUND | Server: Werkzeug/2.2.2 Python/3.11.2 | Date: Wed, 16 Apr 2025 03:01:23 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 223 | Location: http://cybersec.dl | Connection: close | <!doctype html> | <html lang=en> | <title>Redirecting...</title> | <h1>Redirecting...</h1> | <p>You should be redirected automatically to the target URL: <a href="http://cybersec.dl">http://cybersec.dl</a>. If not, click the link. | GetRequest, HTTPOptions: | HTTP/1.1 302 FOUND | Server: Werkzeug/2.2.2 Python/3.11.2 | Date: Wed, 16 Apr 2025 03:01:18 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 223 | Location: http://cybersec.dl | Connection: close | <!doctype html> | <html lang=en> | <title>Redirecting...</title> | <h1>Redirecting...</h1> | <p>You should be redirected automatically to the target URL: <a href="http://cybersec.dl">http://cybersec.dl</a>. If not, click the link. | RTSPRequest: | <!DOCTYPE HTML> | <html lang="en"> | <head> | <meta charset="utf-8"> | <title>Error response</title> | </head> | <body> | <h1>Error response</h1> | <p>Error code: 400</p> | <p>Message: Bad request version ('RTSP/1.0').</p> | <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p> | </body> |_ </html> |_http-title: CyberSec Corp - Expertos en Ciberseguridad Add the domain: cybersec.dl ...

2025-04-17 · 10 min · 4980 words · HYH

HackMyVM-buster

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.56.151 -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0) | ssh-hostkey: | 2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA) | 256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA) |_ 256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519) 80/tcp open http nginx 1.14.2 | http-robots.txt: 1 disallowed entry |_/wp-admin/ |_http-server-header: nginx/1.14.2 |_http-generator: WordPress 6.7.1 |_http-title: bammmmuwe The scan found the wordpress directory right away ...

2025-04-17 · 2 min · 755 words · HYH

Dockerlabs-ChocoPing

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Chocoping ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.62 |_http-title: Index of / |_http-server-header: Apache/2.4.62 (Debian) | http-ls: Volume / | SIZE TIME FILENAME | 1.0K 2025-04-05 11:13 ping.php Own www-data Note that an ip parameter can be passed in to run the ping command. Below I will compare two scanning tools ...

2025-04-15 · 2 min · 730 words · HYH