HackMyVm-easypwn

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali ❯ nmap 192.168.56.105 -sV -A -Pn -T4 -p- Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 14:36 CST Nmap scan report for 192.168.56.105 Host is up (0.00024s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA) | 256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA) |_ 256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519) 80/tcp open http Apache httpd 2.4.59 ((Debian)) |_http-title: Don't Hack Me |_http-server-header: Apache/2.4.59 (Debian) 6666/tcp open irc? | fingerprint-strings: | Help, Socks4, Socks5: | Hackers, get out of my machine | beast2: |_ start: 11 |_irc-info: Unable to open connection Port 6666 can only be connected to with nc; on port 80, it turns out a directory scan is needed ...

March 7, 2025 · 4 min · 1690 words · HYH

VulnVM-Ephermeral2

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Ephemeral2 ❯ nmap 192.168.56.107 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 0a:cc:f1:53:7e:6b:31:2c:10:1e:6d:bc:01:b1:c3:a2 (RSA) | 256 cd:19:04:a0:d1:8a:8b:3d:3e:17:ee:21:5d:cd:6e:49 (ECDSA) |_ 256 e5:6a:27:39:ed:a8:c9:03:46:f2:a5:8c:87:85:44:9e (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.41 (Ubuntu) 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 MAC Address: 08:00:27:47:B9:0F (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: EPHEMERAL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb2-time: | date: 2025-03-07T16:30:22 |_ start_date: N/A |_clock-skew: 7h59m57s Gobuster [root@kali] /home/kali/Ephemeral2 ❯ gobuster dir -u http://192.168.56.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 ⏎ =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.56.107 [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /javascript (Status: 301) [Size: 321] [--> 
http://192.168.56.107/javascript/] /server-status (Status: 403) [Size: 279] /foodservice (Status: 301) [Size: 322] [--> http://192.168.56.107/foodservice/] Progress: 220560 / 220561 (100.00%) =============================================================== Finished =============================================================== There is a **/foodservice** page ...

March 7, 2025 · 3 min · 1213 words · HYH

VulnVM-Backend

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Backend ❯ nmap 192.168.237.148 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 48:ec:8d:c2:a6:1e:52:43:62:44:29:36:58:73:15:6b (RSA) | 256 0d:39:f5:86:a1:fc:7d:ba:c6:55:14:37:2c:91:fe:37 (ECDSA) |_ 256 d6:91:b0:62:48:85:9c:51:dd:f9:20:35:d2:53:a6:25 (ED25519) 8080/tcp open http Jetty 10.0.18 |_http-title: Site doesn't have a title (text/html;charset=utf-8). | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(10.0.18) MAC Address: 00:0C:29:42:20:88 (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel CVE-2024-23897 Port 8080 turns out to be a Jenkins login page ...

March 5, 2025 · 3 min · 1047 words · HYH

Dockerlabs-predictable

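Box Info OS Linux Difficulty Hard Nmap I don't know why the scan is so slow, so I'll keep it brief here [root@kali] /home/kali/predictable ❯ nmap 172.17.0.2 -p- PORT STATE SERVICE 22/tcp open ssh 1111/tcp open lmsocialserver Crack Number Visiting port 1111, the page source gives some information. It seems to be the generation logic for this list of random numbers ...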

March 4, 2025 · 5 min · 2488 words · HYH

HTB-Cypher

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Cypher ❯ nmap cypher.htb -sV -A -T4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA) |_ 256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519) 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-title: GRAPH ASM |_http-server-header: nginx/1.24.0 (Ubuntu) Dirsearch [root@kali] /home/kali/Desktop ❯ dirsearch -u cypher.htb -t 50 -x 404 Target: http://cypher.htb/ Starting: 200 - 5KB - /about 200 - 5KB - /about.html 307 - 0B - /api -> /api/docs 307 - 0B - /api/ -> http://cypher.htb/api/api 307 - 0B - /demo/ -> http://cypher.htb/api/demo 307 - 0B - /demo -> /login 200 - 4KB - /login.html 200 - 4KB - /login 301 - 178B - /testing -> http://cypher.htb/testing/ Task Completed ...

March 2, 2025 · 4 min · 1641 words · HYH

Dockerlabs-Crackoff

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/crackoff ❯ nmap 172.17.0.2 -sV -A -p- Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 21:28 CST Nmap scan report for sitio.dl (172.17.0.2) Host is up (0.00010s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3d:fc:bd:41:cb:81:e8:cd:a2:58:5a:78:68:2b:a3:04 (ECDSA) |_ 256 d8:5a:63:27:60:35:20:30:a9:ec:25:36:9e:50:06:8d (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: CrackOff - Bienvenido MAC Address: 02:42:AC:11:00:02 (Unknown) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.10 ms sitio.dl (172.17.0.2) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds Gobuster [root@kali] /home/kali/crackoff ❯ gobuster dir -u http://172.17.0.2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.17.0.2/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 275] /index.php (Status: 200) [Size: 2974] /login.php (Status: 200) [Size: 3968] /welcome.php (Status: 200) [Size: 2800] /db.php (Status: 302) [Size: 75] [--> error.php] /error.php (Status: 200) [Size: 2705] /.php (Status: 403) [Size: 275] /server-status (Status: 403) [Size: 275] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== SQL Injection On login.php, the username field turns out to have an SQL injection vulnerability, closed with a single quote ...

March 1, 2025 · 2 min · 939 words · HYH

Dockerlabs-r00tless

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/r00tless ❯ nmap 172.18.0.2 -sV -A -p- Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-01 11:27 CST Nmap scan report for 172.18.0.2 Host is up (0.000092s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 fa:7b:d3:96:f6:83:bb:bd:24:86:b4:a8:f6:59:c3:62 (ECDSA) |_ 256 29:49:38:ae:44:75:d8:88:2a:b6:98:55:00:bd:24:76 (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: Subir Archivo 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 MAC Address: 02:42:AC:12:00:02 (Unknown) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2025-03-01T03:27:48 |_ start_date: N/A TRACEROUTE HOP RTT ADDRESS 1 0.09 ms 172.18.0.2 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 20.77 seconds Gobuster [root@kali] /home/kali/r00tless ❯ gobuster dir -u http://172.18.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.18.0.2 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,txt,html [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 275] /index.html (Status: 200) [Size: 2410] /.php (Status: 403) [Size: 275] /upload.php (Status: 200) [Size: 56] /readme.txt (Status: 200) [Size: 78] /.php (Status: 403) [Size: 275] /.html (Status: 403) [Size: 275] /server-status (Status: 403) [Size: 275] Progress: 882240 / 882244 (100.00%) =============================================================== Finished =============================================================== Own passsamba ...

March 1, 2025 · 2 min · 987 words · HYH

Dockerlabs-Inclusion

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Inclusion ❯ nmap 172.17.0.2 -sV -A -p- Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 20:33 CST Nmap scan report for sitio.dl (172.17.0.2) Host is up (0.000081s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0) | ssh-hostkey: | 256 03:cf:72:54:de:54:ae:cd:2a:16:58:6b:8a:f5:52:dc (ECDSA) |_ 256 13:bb:c2:12:f5:97:30:a1:49:c7:f9:d0:ba:d0:5e:f7 (ED25519) 80/tcp open http Apache httpd 2.4.57 ((Debian)) |_http-server-header: Apache/2.4.57 (Debian) |_http-title: Apache2 Debian Default Page: It works MAC Address: 02:42:AC:11:00:02 (Unknown) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.08 ms sitio.dl (172.17.0.2) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds Gobuster [root@kali] /home/kali/Inclusion ❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.17.0.2 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 275] /shop (Status: 301) [Size: 307] [--> http://172.17.0.2/shop/] /.php (Status: 403) [Size: 275] /server-status (Status: 403) [Size: 275] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== Scan **/shop** next ...

February 28, 2025 · 2 min · 782 words · HYH

Dockerlabs-Sites

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/sites ❯ nmap 172.17.0.2 -sV -A -p- Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 20:05 CST Nmap scan report for 172.17.0.2 Host is up (0.000077s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 cb:8f:50:db:6d:d8:d4:ac:bf:54:b0:62:12:7c:f0:01 (ECDSA) |_ 256 ca:6b:c7:0c:2a:d6:0e:3e:ff:c4:6e:61:ac:35:db:01 (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: Configuraci\xC3\xB3n de Apache y Seguridad en Sitios Web MAC Address: 02:42:AC:11:00:02 (Unknown) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.08 ms 172.17.0.2 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 10.63 seconds Gobuster [root@kali] /home/kali/sites ❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ⏎ =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.17.0.2 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 275] /.php (Status: 403) [Size: 275] /vulnerable.php (Status: 200) [Size: 37] /server-status (Status: 403) [Size: 275] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== ReadAnyFiles ...

February 28, 2025 · 2 min · 589 words · HYH

HTB-Checker

Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/Checker ❯ nmap checker.htb -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 8080/tcp open http Apache httpd Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel On the checker.htb:8080 page, a subdomain was found: vault ...

February 27, 2025 · 7 min · 3285 words · HYH