HTB-Nocturnal

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Nocturnal ❯ nmap Nocturnal.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA) | 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA) |_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: Welcome to Nocturnal |_http-server-header: nginx/1.18.0 (Ubuntu) User Register any account, then log in; some files can be uploaded ...

2025-04-14 · 3 min · 1012 words · HYH

HackMyVM-jan

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.56.144 -p- PORT STATE SERVICE 22/tcp open ssh 8080/tcp open http-proxy Gobuster [root@kali] /home/kali ❯ gobuster dir -u http://192.168.56.144:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt --exclude-length 45 =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.144:8080/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] Exclude Length: 45 [+] User Agent: gobuster/3.6 [+] Extensions: php,html,txt [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /redirect (Status: 400) [Size: 24] /robots.txt (Status: 200) [Size: 16] Progress: 97322 / 882244 (11.03%)^C [!] Keyboard interrupt detected, terminating. Progress: 100724 / 882244 (11.42%) =============================================================== Finished =============================================================== Found a **/redirect** route, which requires a **url** parameter ...

2025-04-09 · 1 min · 398 words · HYH

Dockerlabs-WalkingDead

The Walking Dead (known in Chinese as 《行尸走肉》) is an American TV series that ran for more than ten years. I have watched all of it, and since there happens to be a box based on it, I definitely had to give it a go. Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 172.17.0.2 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 0d:09:9d:0f:dc:43:54:cd:39:a9:e2:d6:81:74:40:e8 (RSA) | 256 09:d0:f6:52:00:3f:21:51:19:b1:c6:7a:f4:ff:21:01 (ECDSA) |_ 256 19:e0:b3:72:bd:e9:1e:8d:4c:c4:fd:1f:da:3f:a5:cf (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: The Walking Dead - CTF Visiting the web page reveals a hidden shell.php ...

2025-04-08 · 1 min · 450 words · HYH

VulNyx-Matrix

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Matrix ❯ nmap 192.168.56.141 -sV -A -p- 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) | ssh-hostkey: | 256 67:78:c9:d2:e3:ff:be:fc:9e:13:9a:af:9d:59:17:66 (ECDSA) |_ 256 1a:78:b1:e6:f1:f0:d1:b3:ab:c8:3f:95:fd:46:52:67 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: Enter The Matrix Gobuster [root@kali] /home/kali/Matrix ❯ gobuster dir -u http://192.168.56.141/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .pcap =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.141/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: pcap [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /trinity.pcap (Status: 200) [Size: 146389] /server-status (Status: 403) [Size: 279] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== Exiftool Perform traffic analysis ...

2025-04-08 · 2 min · 767 words · HYH

HackMyVM-Todd

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Todd ❯ nmap 192.168.56.137 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA) | 256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA) |_ 256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519) 80/tcp open http Apache httpd 2.4.59 ((Debian)) |_http-title: Mindful Listening |_http-server-header: Apache/2.4.59 (Debian) The page has no usable information. Running Nmap again then shows several additional ports ...

2025-04-02 · 4 min · 1781 words · HYH

VulnVM-Search

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Search ❯ nmap 192.168.56.136 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 39:0d:70:e0:55:cb:20:de:ad:f7:10:d8:1f:76:4d:9d (ECDSA) |_ 256 df:e2:94:52:e9:3d:eb:69:2d:b4:a5:a9:2c:3e:63:46 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: Apache2 Debian Default Page: It works The username obtained is support ...

2025-04-02 · 2 min · 674 words · HYH

HackMyVM-KrustyKrab

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap 192.168.56.131 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0) | ssh-hostkey: | 256 f6:91:6b:ad:ea:ad:1d:b9:44:09:d8:74:a3:02:38:35 (ECDSA) |_ 256 b6:66:2f:f0:4c:26:7f:7d:14:ea:b3:62:09:64:a7:94 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.62 (Debian) Browsing to port 80 shows an Apache default page ...

2025-03-27 · 4 min · 1973 words · HYH

HTB-Code

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Code ❯ nmap code.htb -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA) | 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA) |_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519) 5000/tcp open http Gunicorn 20.0.4 |_http-title: Python Code Editor |_http-server-header: gunicorn/20.0.4 Own www-data SSTI Injection - Hello CTF Port 5000 serves a Python code execution window ...

2025-03-23 · 2 min · 742 words · HYH

HTB-Strutted

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Strutted ❯ nmap strutted.htb -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) CVE-2024-53677 There is a Download route that allows downloading the site's source code. Checking pom.xml shows that struts2 6.3.0.1 is in use ...

2025-03-22 · 2 min · 603 words · HYH

VulnVM-Interceptor

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Interceptor ❯ nmap 192.168.56.123 -sV -A -p- PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.62 (Debian) Gobuster [root@kali] /home/kali/Interceptor ❯ gobuster dir -u http://192.168.56.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.123 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,html,txt [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] /index.html (Status: 200) [Size: 10701] /wordpress (Status: 301) [Size: 320] [--> http://192.168.56.123/wordpress/] /backup (Status: 301) [Size: 317] [--> http://192.168.56.123/backup/] /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] /server-status (Status: 403) [Size: 279] /fping.php (Status: 200) [Size: 1958] Progress: 882240 / 882244 (100.00%) =============================================================== Finished =============================================================== Crack ZIP An archive was found in **/backup**, which should be related to the **/fping** route. ...

2025-03-21 · 3 min · 1323 words · HYH