VulnVM-Ghoster

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/ghoster ❯ nmap 192.168.55.65 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 c5:5f:01:14:c9:d4:fe:8e:9c:01:5f:3a:2c:dd:38:64 (ECDSA)
|_ 256 63:25:3e:2b:61:4f:21:86:fa:d9:e5:d5:b6:bd:e8:29 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
8081/tcp open http Werkzeug httpd 3.1.3 (Python 3.11.2)
|_http-title: Document Submission Portal
|_http-server-header: Werkzeug/3.1.3 Python/3.11.2

Gobuster
[root@kali] /home/kali/ghoster ❯ gobuster dir -u 'http://192.168.55.65/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.55.65/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/uploads (Status: 301) [Size: 316] [--> http://192.168.55.65/uploads/]
/.php (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

CVE-2023-36664
There is nothing directly exploitable here, so move on to port 8081 ...

2025-05-31 · 2 min · 842 words · HYH

VulnVM-Manage

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/manage ❯ nmap 192.168.55.66 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
MAC Address: 08:00:27:01:D6:2B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Dirsearch
[root@kali] /home/kali/manage ❯ dirsearch -u 'http://192.168.55.66' ⏎
v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.66/
[23:33:52] Scanning:
[23:33:53] 403 - 278B - /.php
[23:33:55] 200 - 11KB - /admin.php
[23:34:01] 200 - 10KB - /index.html
[23:34:05] 403 - 278B - /server-status/
[23:34:05] 403 - 278B - /server-status
Task Completed

There does not seem to be any SQL injection, and the login cannot be brute-forced, so now let's look at port 445 ...

2025-05-31 · 3 min · 1278 words · HYH

VulnVM-Get

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali ❯ nmap 192.168.55.11 -sV -A -p-
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 69:dc:67:49:10:2a:a4:26:a8:9f:c4:5d:a3:b8:a1:3e (ECDSA)
|_ 256 6a:2b:e4:44:29:78:62:fb:61:0b:09:2f:9c:bc:18:c6 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

Feroxbuster
[root@kali] /home/kali ❯ feroxbuster -u 'http://192.168.55.11/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.11/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 0l 0w 0c http://192.168.55.11/contact.php
200 GET 25l 127w 10359c http://192.168.55.11/icons/openlogo-75.png
200 GET 368l 933w 10701c http://192.168.55.11/
[####################] - 19s 220551/220551 0s found:3 errors:0
[####################] - 18s 220546/220546 12201/s http://192.168.55.11/

contact.php returns no output at all, so try parameter brute-forcing ...

2025-04-22 · 2 min · 875 words · HYH

VulnVM-easyaspie

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/homelab ❯ nmap 192.168.56.156 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8c:c5:70:a6:8f:7c:53:6f:98:6d:01:9c:63:b7:3b:60 (RSA)
| 256 31:1f:74:73:32:ff:8e:f0:f9:63:fb:51:13:98:32:27 (ECDSA)
|_ 256 7e:1f:ea:1b:50:38:d8:88:5a:fc:cb:6f:70:3f:25:0b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

Gobuster
[root@kali] /home/kali/homelab ❯ gobuster dir -u http://192.168.56.156/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.156/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/note.txt (Status: 200) [Size: 162]
/server-status (Status: 403) [Size: 279]
Progress: 661680 / 661683 (100.00%)
===============================================================

View /note.txt ...

2025-04-19 · 1 min · 402 words · HYH

VulnVM-Search

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/Search ❯ nmap 192.168.56.136 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 39:0d:70:e0:55:cb:20:de:ad:f7:10:d8:1f:76:4d:9d (ECDSA)
|_ 256 df:e2:94:52:e9:3d:eb:69:2d:b4:a5:a9:2c:3e:63:46 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works

The username obtained is support ...

2025-04-02 · 2 min · 674 words · HYH

VulnVM-Interceptor

Box Info
OS: Linux
Difficulty: Hard

Nmap
[root@kali] /home/kali/Interceptor ❯ nmap 192.168.56.123 -sV -A -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

Gobuster
[root@kali] /home/kali/Interceptor ❯ gobuster dir -u http://192.168.56.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.123
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10701]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.123/wordpress/]
/backup (Status: 301) [Size: 317] [--> http://192.168.56.123/backup/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/fping.php (Status: 200) [Size: 1958]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Crack ZIP
A ZIP archive was found in /backup; it presumably relates to the /fping route. ...

2025-03-21 · 3 min · 1323 words · HYH

VulnVM-Entropy

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/Entropy ❯ nmap 192.168.56.117 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 cc:05:ab:8c:ea:28:eb:b1:9d:da:8c:ce:65:ee:63:43 (ECDSA)
|_ 256 3f:9f:0a:7d:61:f8:6f:4b:46:01:c4:db:74:b2:b6:a7 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works

The directory scan returned nothing; a path was found in the Apache default page ...

2025-03-13 · 3 min · 1313 words · HYH

VulnVM-Solitude

Box Info
OS: Linux
Difficulty: Easy

Nmap
[root@kali] /home/kali/Solitude ❯ nmap 192.168.56.115 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2b:c7:6c:06:c7:80:41:bc:cb:dc:fe:d6:e8:85:db:b0 (RSA)
| 256 61:d1:67:f9:8f:99:62:9b:d4:9a:70:19:ff:78:bd:77 (ECDSA)
|_ 256 2b:6e:53:ab:ac:68:ca:78:a7:d6:2f:34:65:e8:5d:17 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:22:A4:A8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-03-11T20:26:05
|_ start_date: N/A
|_nbstat: NetBIOS name: SOLITUDE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: 7h59m57s

Enum4linux
[root@kali] /home/kali/Solitude ❯ enum4linux -a 192.168.56.115
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\garret (Local User)

Found a username: garret ...

2025-03-11 · 1 min · 403 words · HYH

VulnVM-Ephermeral2

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/Ephemeral2 ❯ nmap 192.168.56.107 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0a:cc:f1:53:7e:6b:31:2c:10:1e:6d:bc:01:b1:c3:a2 (RSA)
| 256 cd:19:04:a0:d1:8a:8b:3d:3e:17:ee:21:5d:cd:6e:49 (ECDSA)
|_ 256 e5:6a:27:39:ed:a8:c9:03:46:f2:a5:8c:87:85:44:9e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:47:B9:0F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: EPHEMERAL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2025-03-07T16:30:22
|_ start_date: N/A
|_clock-skew: 7h59m57s

Gobuster
[root@kali] /home/kali/Ephemeral2 ❯ gobuster dir -u http://192.168.56.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.107
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.107/javascript/]
/server-status (Status: 403) [Size: 279]
/foodservice (Status: 301) [Size: 322] [--> http://192.168.56.107/foodservice/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

There is a /foodservice page ...

2025-03-07 · 3 min · 1213 words · HYH

VulnVM-Backend

Box Info
OS: Linux
Difficulty: Medium

Nmap
[root@kali] /home/kali/Backend ❯ nmap 192.168.237.148 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ec:8d:c2:a6:1e:52:43:62:44:29:36:58:73:15:6b (RSA)
| 256 0d:39:f5:86:a1:fc:7d:ba:c6:55:14:37:2c:91:fe:37 (ECDSA)
|_ 256 d6:91:b0:62:48:85:9c:51:dd:f9:20:35:d2:53:a6:25 (ED25519)
8080/tcp open http Jetty 10.0.18
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.18)
MAC Address: 00:0C:29:42:20:88 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2024-23897
Opening port 8080 shows a Jenkins login page ...

2025-03-05 · 3 min · 1047 words · HYH