Linux

VulNyx-Loweb

Box Info OS Linux Difficulty Low Nmap [root@kali] /home/kali/Loweb ❯ nmap 192.168.56.122 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA) |_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.62 (Debian) Gobuster [root@kali] /home/kali/Loweb ❯ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.122 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /library (Status: 301) [Size: 318] [--> http://192.168.56.122/library/] /server-status (Status: 403) [Size: 279] Progress: 220560 / 220561 (100.00%) =============================================================== Finished =============================================================== [root@kali] /home/kali/Loweb ❯ gobuster dir -u http://192.168.56.122/library -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.122/library [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,html,txt [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] /index.html (Status: 200) [Size: 1068] /login (Status: 301) [Size: 324] [--> http://192.168.56.122/library/login/] /admin (Status: 301) [Size: 324] [--> http://192.168.56.122/library/admin/] /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] Progress: 882240 / 882244 (100.00%) =============================================================== Finished =============================================================== SQL Injection 进入登录页面，用户名处存在SQL注入 ...

VulNyx-Zerotrace

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali ❯ nmap 192.168.56.119 -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA) |_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519) 80/tcp open http nginx 1.22.1 |_http-server-header: nginx/1.22.1 |_http-title: Massively by HTML5 UP 8000/tcp open ftp pyftpdlib 1.5.7 | ftp-syst: | STAT: | FTP server status: | Connected to: 192.168.56.119:8000 | Waiting for username. | TYPE: ASCII; STRUcture: File; MODE: Stream | Data connection closed. |_End of status. Dirsearch [root@kali] /home/kali/Zerotrace ❯ dirsearch -u http://192.168.56.119 -t 50 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460 Output File: /home/kali/Zerotrace/reports/http_192.168.56.119/_25-03-15_19-12-30.txt Target: http://192.168.56.119/ [19:12:30] Starting: [19:12:30] 301 - 169B - /.admin -> http://192.168.56.119/.admin/ [19:12:30] 403 - 555B - /.admin/ [19:12:31] 403 - 555B - /.ht_wsr.txt [19:12:31] 403 - 555B - /.htaccess.bak1 [19:12:31] 403 - 555B - /.htaccess.orig [19:12:31] 403 - 555B - /.htaccess.sample [19:12:31] 403 - 555B - /.htaccess.save [19:12:31] 403 - 555B - /.htaccess_extra [19:12:31] 403 - 555B - /.htaccess_orig [19:12:31] 403 - 555B - /.htaccess_sc [19:12:31] 403 - 555B - /.htaccessOLD [19:12:31] 403 - 555B - /.htaccessBAK [19:12:31] 403 - 555B - /.htaccessOLD2 [19:12:31] 403 - 555B - /.htm [19:12:31] 403 - 555B - /.html [19:12:31] 403 - 555B - /.httr-oauth [19:12:31] 403 - 555B - /.htpasswds [19:12:31] 403 - 555B - /.htpasswd_test [19:12:37] 301 - 169B - /assets -> http://192.168.56.119/assets/ [19:12:37] 403 - 555B - /assets/ [19:12:43] 403 - 555B - /images/ [19:12:43] 301 - 169B - /images -> http://192.168.56.119/images/ [19:12:44] 200 - 17KB - /LICENSE.txt [19:12:50] 200 - 930B - /README.txt [19:12:54] 403 - 555B - /uploads/ [19:12:54] 403 - 555B - /uploads/affwp-debug.log [19:12:54] 403 - 555B - /uploads/dump.sql Task Completed 发现存在一个**/.admin**目录 ...

VulNyx-Lower4

Box Info OS Linux Difficulty Low Nmap [root@kali] /home/kali/Lower4 ❯ nmap 192.168.56.120 -sV -A PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA) | 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA) |_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519) |_auth-owners: root 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-server-header: Apache/2.4.56 (Debian) |_http-title: Apache2 Debian Default Page: It works 113/tcp open ident? |_auth-owners: lucifer MAC Address: 08:00:27:DE:A3:91 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 从113端口上扫描到一个用户名：lucifer ...

VulnVM-Entropy

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Entropy ❯ nmap 192.168.56.117 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 cc:05:ab:8c:ea:28:eb:b1:9d:da:8c:ce:65:ee:63:43 (ECDSA) |_ 256 3f:9f:0a:7d:61:f8:6f:4b:46:01:c4:db:74:b2:b6:a7 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: Apache2 Debian Default Page: It works 目录扫描没有任何结果，在apache默认页中发现路径 ...

HackMyVM-SingDanceRap

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap 192.168.56.116 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0) | ssh-hostkey: | 2048 5d:41:2a:c1:2d:3b:6c:78:b3:af:ae:9d:42:fe:88:b8 (RSA) | 256 3c:e9:64:eb:84:fe:5c:83:94:07:27:6c:12:14:c8:4c (ECDSA) |_ 256 09:9b:2b:18:de:6c:6d:f8:8b:15:df:6c:0f:c0:7c:b2 (ED25519) 80/tcp open http Apache httpd 2.4.59 ((Debian)) |_http-server-header: Apache/2.4.59 (Debian) |_http-title: News Website 65000/tcp filtered unknown Gobuster [root@kali] /home/kali ❯ gobuster dir -u http://192.168.56.116/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.116/ [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,html,txt [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 279] /index.html (Status: 200) [Size: 3118] /news.php (Status: 200) [Size: 1301] /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] /littlesecrets (Status: 301) [Size: 324] [--> http://192.168.56.116/littlesecrets/] /server-status (Status: 403) [Size: 279] Progress: 882240 / 882244 (100.00%) =============================================================== Finished =============================================================== 针对这个**/littlesecrets**再次进行扫描 ...

VulnVM-Solitude

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Solitude ❯ nmap 192.168.56.115 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 2b:c7:6c:06:c7:80:41:bc:cb:dc:fe:d6:e8:85:db:b0 (RSA) | 256 61:d1:67:f9:8f:99:62:9b:d4:9a:70:19:ff:78:bd:77 (ECDSA) |_ 256 2b:6e:53:ab:ac:68:ca:78:a7:d6:2f:34:65:e8:5d:17 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 MAC Address: 08:00:27:22:A4:A8 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2025-03-11T20:26:05 |_ start_date: N/A |_nbstat: NetBIOS name: SOLITUDE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) |_clock-skew: 7h59m57s Enum4linux [root@kali] /home/kali/Solitude ❯ enum4linux -a 192.168.56.115 [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\garret (Local User) 找到一个用户名：garret ...

HackMyVM-Matrioshka

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Matrioshka ❯ nmap 192.168.56.108 -sV -A -p- -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0) | ssh-hostkey: | 256 b5:a4:7c:65:5c:1f:d7:89:42:bd:76:df:2c:8e:93:4e (ECDSA) |_ 256 5d:3d:2b:43:fc:89:fa:24:a3:f4:73:5f:7b:89:6c:e3 (ED25519) 80/tcp open http Apache httpd 2.4.61 ((Debian)) |_http-server-header: Apache/2.4.61 (Debian) |_http-title: mamushka MAC Address: 08:00:27:D5:7C:4C (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 5.X OS CPE: cpe:/o:linux:linux_kernel:5 OS details: Linux 5.0 - 5.5 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 将mamushka.hmv添加到**/etc/hosts** ...

VulNyx-Lower3

Box Info OS Linux Difficulty Low Nmap [root@kali] /home/kali/Lower3 ❯ nmap 192.168.56.113 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA) | 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA) |_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519) 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.56 (Debian) 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100003 3 2049/udp nfs | 100003 3 2049/udp6 nfs | 100003 3,4 2049/tcp nfs | 100003 3,4 2049/tcp6 nfs | 100005 1,2,3 36141/tcp mountd | 100005 1,2,3 46793/udp mountd | 100005 1,2,3 56285/tcp6 mountd | 100005 1,2,3 57285/udp6 mountd | 100021 1,3,4 37329/tcp6 nlockmgr | 100021 1,3,4 39713/tcp nlockmgr | 100021 1,3,4 41715/udp nlockmgr | 100021 1,3,4 58173/udp6 nlockmgr | 100227 3 2049/tcp nfs_acl | 100227 3 2049/tcp6 nfs_acl | 100227 3 2049/udp nfs_acl |_ 100227 3 2049/udp6 nfs_acl 2049/tcp open nfs 3-4 (RPC #100003) 36141/tcp open mountd 1-3 (RPC #100005) 38315/tcp open mountd 1-3 (RPC #100005) 39713/tcp open nlockmgr 1-4 (RPC #100021) 41871/tcp open mountd 1-3 (RPC #100005) MAC Address: 08:00:27:C5:C6:B4 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel NFS 发现了 NFS（Network File System）共享，可能存在可挂载的远程文件系统。 mountd、nlockmgr、nfs_acl 这些 RPC 端口也被发现，表明服务器可能允许远程文件访问。 ...

HackMyVM-Newbee

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/debian ❯ nmap 192.168.237.155 -sV -A -p- -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0) | ssh-hostkey: | 256 92:6e:6d:b0:bd:08:1e:db:9d:56:0e:f8:15:25:ca:21 (ECDSA) |_ 256 88:d7:08:bd:a2:95:75:cc:71:06:47:ae:fd:d3:8b:b9 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: PHPJabbers.com | Free Food Store Website Template MAC Address: 00:0C:29:0A:FF:81 (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ParamScan 访问80端口，在网页注释中发现存在GET参数 ...

HTB-Dog

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/Dog ❯ nmap dog.htb -sV -A -Pn -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA) | 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA) |_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) | http-git: | 10.10.11.58:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... |_ Last commit message: todo: customize url aliases. reference:https://docs.backdro... |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-generator: Backdrop CMS 1 (https://backdropcms.org) | http-robots.txt: 22 disallowed entries (15 shown) | /core/ /profiles/ /README.md /web.config /admin | /comment/reply /filter/tips /node/add /search /user/register |_/user/password /user/login /user/logout /?q=admin /?q=comment/reply |_http-title: Home | Dog 可以发现nmap直接扫描到了**/.git**目录 ...