Thehackerslabs-Folclore

Nmap [root@Hacking] /home/kali/Folclore ❯ nmap 192.168.26.15 -A -p- PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? MAC Address: 08:00:27:EE:0F:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 11|10|2008 (98%) OS CPE: cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 Aggressive OS guesses: Microsoft Windows 11 (98%), Microsoft Windows 10 1903 - 21H1 (91%), Microsoft Windows 10 1803 (89%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (89%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: FOLCLORE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ee:0f:0e (PCS Systemtechnik/Oracle VirtualBox virtual NIC) | smb2-time: | date: 2025-09-02T13:07:21 |_ start_date: N/A TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.26.15 Only the SMB service is open ...

2025-09-02 · 10 min · 4727 words · HYH

Thehackerslabs-Patata Mágica

Nmap [root@Hacking] /home/kali/Patata ❯ nmap 192.168.26.11 -A PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 |_http-title: Curiosidades CTF | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) |_http-title: Curiosidades CTF |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | tls-alpn: |_ http/1.1 445/tcp open microsoft-ds? MAC Address: 08:00:27:3D:D6:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 10 OS CPE: cpe:/o:microsoft:windows_10 OS details: Microsoft Windows 10 1709 - 21H2 Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-08-30T07:16:27 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: PATATA-MAGICA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3d:d6:cb (PCS Systemtechnik/Oracle VirtualBox virtual NIC) TRACEROUTE HOP RTT ADDRESS 1 0.22 ms 192.168.26.11 File Read On port 80 there is a Games section. At the bottom of the page there is an interactive feature that displays file contents, with the file name passed as a GET parameter. Take a look at the index.php source ...

2025-08-30 · 5 min · 2291 words · HYH

Thehackerslabs-Welcome To The Jungle

Nmap [root@Hacking] /home/kali/Jungle ❯ nmap 192.168.55.161 -A -p- PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-title: Welcome to the Jungle - The Hex Guns |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC Dirsearch [root@Hacking] /home/kali/Jungle ❯ feroxbuster -u http://192.168.55.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.161 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 2l 10w 160c http://192.168.55.161/img => http://192.168.55.161/img/ 200 GET 29l 124w 1209c http://192.168.55.161/index.php 200 GET 42l 168w 1915c http://192.168.55.161/albums.php 301 GET 2l 10w 162c http://192.168.55.161/media => http://192.168.55.161/media/ 200 GET 126l 218w 2089c http://192.168.55.161/css/styles.css 200 GET 7l 13w 189c http://192.168.55.161/header.php 200 GET 8487l 45658w 3909539c http://192.168.55.161/img/axl.png 200 GET 29l 124w 1209c http://192.168.55.161/ 200 GET 3l 11w 81c http://192.168.55.161/footer.php 403 GET 29l 91w 1232c http://192.168.55.161/css/ 301 GET 2l 10w 160c http://192.168.55.161/css => http://192.168.55.161/css/ 200 GET 29l 124w 1209c http://192.168.55.161/Index.php 301 GET 2l 10w 162c http://192.168.55.161/Media => http://192.168.55.161/Media/ 200 GET 7731l 46736w 3824296c http://192.168.55.161/img/digital-destruction.png 200 GET 9162l 55315w 4712528c http://192.168.55.161/img/paradise-404.png 200 GET 8321l 48830w 4266377c http://192.168.55.161/img/neon-rebellion.png 301 GET 2l 10w 160c http://192.168.55.161/IMG => http://192.168.55.161/IMG/ 200 GET 7l 13w 189c http://192.168.55.161/Header.php 200 GET 29l 124w 1209c http://192.168.55.161/INDEX.php 301 GET 2l 10w 160c http://192.168.55.161/CSS => http://192.168.55.161/CSS/ 301 GET 2l 10w 160c http://192.168.55.161/Img => http://192.168.55.161/Img/ 200 GET 3l 11w 81c http://192.168.55.161/Footer.php 301 GET 2l 10w 162c http://192.168.55.161/MEDIA => http://192.168.55.161/MEDIA/ 200 GET 7l 13w 189c 
http://192.168.55.161/HEADER.php 200 GET 3l 11w 81c http://192.168.55.161/FOOTER.php [####################] - 5m 1984940/1984940 0s found:25 errors:0 [####################] - 5m 220546/220546 722/s http://192.168.55.161/ [####################] - 5m 220546/220546 721/s http://192.168.55.161/img/ [####################] - 5m 220546/220546 720/s http://192.168.55.161/media/ [####################] - 5m 220546/220546 721/s http://192.168.55.161/css/ [####################] - 5m 220546/220546 722/s http://192.168.55.161/Media/ [####################] - 5m 220546/220546 723/s http://192.168.55.161/IMG/ [####################] - 5m 220546/220546 728/s http://192.168.55.161/CSS/ [####################] - 5m 220546/220546 729/s http://192.168.55.161/Img/ [####################] - 5m 220546/220546 797/s http://192.168.55.161/MEDIA/ Scanning the /media directory turns up a compressed archive ...

2025-08-23 · 3 min · 1407 words · HYH

Thehackerslabs-Evelator

Information The PDF file gives the default username and password. Nmap [root@Hacking] /home/kali/Evelator ❯ nmap 192.168.55.158 -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-21 13:51:51Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49683/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49706/tcp open msrpc Microsoft Windows RPC Add bloodhound.thl to /etc/hosts ...

2025-08-22 · 4 min · 1627 words · HYH

Thehackerslabs-Pa Que Aiga Lujo

Nmap [root@Hacking] /home/kali/Lujo ❯ nmap 192.168.55.157 -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 17:13 CST Nmap scan report for 192.168.55.157 Host is up (0.00026s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0) | ssh-hostkey: | 256 af:79:a1:39:80:45:fb:b7:cb:86:fd:8b:62:69:4a:64 (ECDSA) |_ 256 6d:d4:9d:ac:0b:f0:a1:88:66:b4:ff:f6:42:bb:f2:e5 (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-server-header: Apache/2.4.62 (Debian) |_http-title: LuxeCollection - Art\xC3\xADculos de Lujo Exclusivos Dir scan [root@Hacking] /home/kali/Lujo ❯ dirsearch -u http://192.168.55.157 _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://192.168.55.157/ [17:16:08] Scanning: [17:16:09] 403 - 279B - /.php [17:16:15] 200 - 15KB - /index.html [17:16:18] 301 - 318B - /scripts -> http://192.168.55.157/scripts/ [17:16:18] 200 - 937B - /scripts/ [17:16:18] 403 - 279B - /server-status [17:16:18] 403 - 279B - /server-status/ [17:16:19] 301 - 317B - /styles -> http://192.168.55.157/styles/ Task Completed [root@Hacking] /home/kali/Lujo ❯ feroxbuster -u http://192.168.55.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.157 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 221l 524w 5600c http://192.168.55.157/scripts/main.js 200 GET 231l 411w 3799c http://192.168.55.157/styles/responsive.css 200 GET 168l 285w 2899c http://192.168.55.157/styles/components.css 200 GET 230l 445w 4172c http://192.168.55.157/styles/main.css 200 GET 285l 778w 15656c http://192.168.55.157/ 301 GET 9l 28w 318c http://192.168.55.157/scripts => http://192.168.55.157/scripts/ 301 GET 9l 28w 317c http://192.168.55.157/styles => http://192.168.55.157/styles/ [####################] - 2m 661674/661674 0s found:7 errors:0 [####################] - 2m 661638/661638 4945/s http://192.168.55.157/ [####################] - 1s 661638/661638 1070612/s http://192.168.55.157/scripts/ => Directory listing (add --scan-dir-listings to scan) [####################] - 0s 661638/661638 220546000/s http://192.168.55.157/styles/ => Directory listing (add --scan-dir-listings to scan) The scans found nothing, so look for information in the page itself, which contains some people's names. Of these, Sophia can be logged in over SSH by brute force ...

2025-08-21 · 3 min · 1481 words · HYH

Thehackerslabs-Merchan

Nmap [root@kali] /home/kali/merchan ❯ nmap 192.168.55.77 -sV -A -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 23:07 EDT Nmap scan report for 192.168.55.77 Host is up (0.00028s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) | ssh-hostkey: | 256 da:68:54:15:39:b8:44:ed:b9:08:4c:59:e5:89:50:08 (ECDSA) |_ 256 b4:7d:98:a8:01:e8:3b:17:43:24:43:39:3a:b4:b8:50 (ED25519) 80/tcp open http Apache httpd 2.4.62 |_http-title: Did not follow redirect to http://merchan.thl |_http-server-header: Apache/2.4.62 (Debian) Feroxbuster [root@kali] /home/kali/merchan ❯ feroxbuster -u 'http://www.merchan.thl/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js ⏎ ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://www.merchan.thl/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [js] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 9l 31w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 403 GET 9l 28w 280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 9l 28w 319c http://www.merchan.thl/images => http://www.merchan.thl/images/ 200 GET 8l 29w 28898c http://www.merchan.thl/assets/favicon.ico 200 GET 139l 592w 68236c http://www.merchan.thl/images/camiseta.jpg 200 GET 7l 36w 330c http://www.merchan.thl/js/scripts.js 200 GET 186l 943w 74237c http://www.merchan.thl/images/llavero.jpg 200 GET 10826l 22299w 236792c http://www.merchan.thl/css/styles.css 301 GET 9l 28w 319c http://www.merchan.thl/assets => http://www.merchan.thl/assets/ 200 GET 563l 3920w 380306c http://www.merchan.thl/images/sudadera.png 200 GET 130l 399w 7235c http://www.merchan.thl/ 301 GET 9l 28w 316c http://www.merchan.thl/css => http://www.merchan.thl/css/ 301 GET 9l 28w 315c http://www.merchan.thl/js => http://www.merchan.thl/js/ 200 GET 1l 15w 1365c http://www.merchan.thl/secret.js [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 3m 1102751/1102751 0s found:12 errors:0 [####################] - 5m 1102751/1102751 0s found:12 errors:0 [####################] - 5m 220546/220546 740/s http://www.merchan.thl/ [####################] - 5m 220546/220546 726/s http://www.merchan.thl/images/ [####################] - 5m 220546/220546 729/s http://www.merchan.thl/assets/ [####################] - 5m 220546/220546 729/s http://www.merchan.thl/css/ [####################] - 5m 220546/220546 
727/s http://www.merchan.thl/js/ There is a secret.js ...

2025-06-05 · 3 min · 1029 words · HYH

Thehackerslabs-Hexthink-Silent-Shadow

Nmap [root@kali] /home/kali/hexthink-silent-shadow ❯ nmap 192.168.55.67 -sV -A -p- PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4d:6e:39:a4:15:86:88:70:c7:9d:09:91:a3:0b:18:8c (ECDSA) |_ 256 f9:21:5d:25:ee:76:05:db:01:3b:45:c9:68:b0:82:9f (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). |_http-server-header: Apache/2.4.58 (Ubuntu) 3306/tcp open mysql MariaDB 5.5.5-10.11.11 | mysql-info: | Protocol: 10 | Version: 5.5.5-10.11.11-MariaDB-0ubuntu0.24.04.2 | Thread ID: 34 | Capabilities flags: 63486 | Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, ODBCClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults | Status: Autocommit | Salt: wPg7y~-c,O)~bPI]yfu: |_ Auth Plugin Name: mysql_native_password 9090/tcp open zeus-admin? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, WMSRequest, X11Probe, drda, ibm-db2-das, informix: |_ Protocolo incorrecto. Esto no es HTTP. Mysql The index.php on port 80 shows that a ctf_user user exists and can log in with a password; try logging in with an empty password ...

2025-06-04 · 2 min · 841 words · HYH

Thehackerslabs-Black Gold

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap 192.168.56.10 -sV -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Neptune 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-08 07:26:35Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 53459/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 53460/tcp open msrpc Microsoft Windows RPC 53470/tcp open msrpc Microsoft Windows RPC 53479/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:37:4E:C0 (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%) OS CPE: cpe:/o:microsoft:windows_server_2016 Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%) No exact OS matches for host (test conditions non-ideal). 
Network Distance: 1 hop Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-04-08T07:27:27 |_ start_date: N/A |_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:37:4e:c0 (Oracle VirtualBox virtual NIC) | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Modify **/etc/hosts** ...

2025-04-08 · 3 min · 1464 words · HYH

Thehackerslabs-B.I.G

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali ❯ nmap 192.168.212.4 -sV -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Site doesn't have a title (text/html). |_http-server-header: Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-05 23:20:54Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49686/tcp open msrpc Microsoft Windows RPC 57043/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:29:23:16 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 2016 OS CPE: cpe:/o:microsoft:windows_server_2016 OS details: Microsoft Windows Server 2016 build 10586 - 14393 Network Distance: 1 hop Service Info: Host: BIG; OS: Windows; CPE: 
cpe:/o:microsoft:windows Host script results: |_clock-skew: 15h54m38s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_nbstat: NetBIOS name: BIG, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:29:23:16 (Oracle VirtualBox virtual NIC) | smb2-time: | date: 2025-04-05T23:21:49 |_ start_date: 2025-04-05T19:55:29 Add bbr.thl to **/etc/hosts** ...

2025-04-05 · 3 min · 1481 words · HYH