vulntarget-a

Nmap

    [root@Hacking] /home/kali/vulntarget-a ❯ nmap 192.168.237.132 -A

    PORT    STATE SERVICE      VERSION
    80/tcp  open  http         nginx
    | http-cookie-flags:
    |   /:
    |     PHPSESSID:
    |_      httponly flag not set
    |_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
    | http-robots.txt: 1 disallowed entry
    |_/
    135/tcp open  msrpc        Microsoft Windows RPC
    139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
    445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    MAC Address: 00:0C:29:99:58:97 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: specialized|phone
    Running: Microsoft Windows 7|Phone
    OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
    OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
    Network Distance: 1 hop
    Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:99:58:97 (VMware)
    |_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
    | smb2-security-mode:
    |   2:1:0:
    |_    Message signing enabled but not required
    | smb-os-discovery:
    |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    |   Computer name: win7-PC
    |   NetBIOS computer name: WIN7-PC\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2025-09-04T10:23:53+08:00
    | smb2-time:
    |   date: 2025-09-04T02:23:53
    |_  start_date: 2025-09-04T02:22:36
    | smb-security-mode:
    |   account_used: <blank>
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.32 ms 192.168.237.132

Dirsearch

    [root@Hacking] /home/kali/vulntarget-a ❯ dirsearch -u 'http://192.168.237.132/'

      _|. _ _  _  _  _ _|_    v0.4.3
     (_||| _) (/_(_|| (_| )

    Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

    Target: http://192.168.237.132/

    [10:37:07] Scanning:
    [10:37:08] 400 - 166B - /\..\..\..\..\..\..\..\..\..\etc\passwd
    [10:37:11] 301 - 178B - /api -> http://192.168.237.132/api/
    [10:37:11] 403 - 564B - /api/
    [10:37:11] 403 - 564B - /attachment.asp
    [10:37:11] 403 - 564B - /attachment.aspx
    [10:37:11] 403 - 564B - /attachment.jsp
    [10:37:11] 403 - 564B - /attachment.html
    [10:37:11] 403 - 564B - /attachment.htm
    [10:37:11] 403 - 564B - /attachmentedit.asp
    [10:37:11] 403 - 564B - /attachmentedit.aspx
    [10:37:11] 403 - 564B - /attachmentedit.html
    [10:37:11] 403 - 564B - /attachmentedit.jsp
    [10:37:11] 403 - 564B - /attachmentedit.htm
    [10:37:11] 403 - 564B - /attachments
    [10:37:11] 403 - 564B - /attachments.aspx
    [10:37:11] 403 - 564B - /attachments.jsp
    [10:37:11] 403 - 564B - /attachments.html
    [10:37:11] 403 - 564B - /attachments.htm
    [10:37:11] 403 - 564B - /attachments.asp
    [10:37:13] 200 - 894B - /favicon.ico
    [10:37:13] 301 - 178B - /general -> http://192.168.237.132/general/
    [10:37:14] 301 - 178B - /images -> http://192.168.237.132/./images/
    [10:37:14] 403 - 564B - /./images/
    [10:37:14] 403 - 564B - /./images/Sym.php
    [10:37:14] 403 - 564B - /./images/c99.php
    [10:37:14] 301 - 178B - /inc -> http://192.168.237.132/inc/
    [10:37:14] 403 - 564B - /inc/
    [10:37:14] 200 - 10KB - /index.php
    [10:37:14] 400 - 166B - /index.php::$DATA
    [10:37:14] 200 - 10KB - /index.php.
    [10:37:14] 200 - 10KB - /index.pHp
    [10:37:15] 301 - 178B - /mobile -> http://192.168.237.132/mobile/
    [10:37:16] 301 - 178B - /portal -> http://192.168.237.132/portal/
    [10:37:17] 200 - 26B - /robots.txt
    [10:37:17] 301 - 178B - /share -> http://192.168.237.132/share/
    [10:37:17] 200 - 0B - /share/
    [10:37:17] 200 - 2KB - /portal/
    [10:37:18] 301 - 178B - /static -> http://192.168.237.132/static/
    [10:37:18] 301 - 178B - /static.. -> http://192.168.237.132/static/
    [10:37:18] 403 - 564B - /templates/beez/index.php
    [10:37:18] 403 - 564B - /templates/ja-helio-farsi/index.php
    [10:37:18] 403 - 564B - /templates/rhuk_milkyway/index.php
    [10:37:18] 400 - 166B - /Trace.axd::$DATA
    [10:37:19] 400 - 166B - /web.config::$DATA
    [10:37:19] 301 - 178B - /WebService -> http://192.168.237.132/WebService/

    Task Completed

I changed the IP in what follows, because some tools don't work well on Kali ...

September 4, 2025 · 3 min · 1258 words · HYH

vulntarget-c

Lab topology diagram

Nmap

    [root@Hacking] /home/kali/Desktop ❯ nmap 192.242.168.203 -A -p-

    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 27:bb:30:76:e1:47:ab:24:f0:89:5a:05:10:66:e4:7e (RSA)
    |   256 ab:df:49:e1:14:43:b1:75:ad:2f:6f:61:37:eb:24:ac (ECDSA)
    |_  256 58:ed:00:9a:e5:37:1b:e6:f5:6c:d5:a3:c7:f0:32:67 (ED25519)
    80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-title: Laravel
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    65534/tcp open  unknown
    | fingerprint-strings:
    |   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
    |_    Auth decrypt failed

Laravel

Port 80 is running a Laravel service, and the version information is shown at the bottom of the page.

A scan with nuclei turned up CVE-2021-3129, which allows direct RCE ...

September 3, 2025 · 6 min · 2517 words · HYH