VulNyx-Build

Box Info

OS: Windows
Difficulty: Low

Nmap

```
[root@kali] /home/kali ❯ nmap 192.168.55.68 -sV -A -p-
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
8080/tcp open http Jetty 12.0.19
|_http-server-header: Jetty(12.0.19)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:9C:A2:BB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 21H2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14h59m58s
| smb2-time:
| date: 2025-06-01T03:03:58
|_ start_date: N/A
|_nbstat: NetBIOS name: BUILD, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:9c:a2:bb (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
```

Jenkins RCE

On port 8080, the default user credentials are admin/admin ...

2025-05-31 · 2 min · 576 words · HYH

VulNyx-Matrix

Box Info

OS: Linux
Difficulty: Medium

Nmap

```
[root@kali] /home/kali/Matrix ❯ nmap 192.168.56.141 -sV -A -p-
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 67:78:c9:d2:e3:ff:be:fc:9e:13:9a:af:9d:59:17:66 (ECDSA)
|_ 256 1a:78:b1:e6:f1:f0:d1:b3:ab:c8:3f:95:fd:46:52:67 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Enter The Matrix
```

Gobuster

```
[root@kali] /home/kali/Matrix ❯ gobuster dir -u http://192.168.56.141/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .pcap
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.141/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: pcap
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/trinity.pcap (Status: 200) [Size: 146389]
/server-status (Status: 403) [Size: 279]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
```

Exiftool

Perform traffic analysis ...

2025-04-08 · 2 min · 767 words · HYH

VulNyx-Loweb

Box Info

OS: Linux
Difficulty: Low

Nmap

```
[root@kali] /home/kali/Loweb ❯ nmap 192.168.56.122 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
```

Gobuster

```
[root@kali] /home/kali/Loweb ❯ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.122
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/library (Status: 301) [Size: 318] [--> http://192.168.56.122/library/]
/server-status (Status: 403) [Size: 279]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
```

```
[root@kali] /home/kali/Loweb ❯ gobuster dir -u http://192.168.56.122/library -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.122/library
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1068]
/login (Status: 301) [Size: 324] [--> http://192.168.56.122/library/login/]
/admin (Status: 301) [Size: 324] [--> http://192.168.56.122/library/admin/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
```

SQL Injection

On the login page, the username field is vulnerable to SQL injection ...

2025-03-17 · 2 min · 853 words · HYH

VulNyx-Zerotrace

Box Info

OS: Linux
Difficulty: Medium

Nmap

```
[root@kali] /home/kali ❯ nmap 192.168.56.119 -sV -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Massively by HTML5 UP
8000/tcp open ftp pyftpdlib 1.5.7
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.119:8000
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
```

Dirsearch

```
[root@kali] /home/kali/Zerotrace ❯ dirsearch -u http://192.168.56.119 -t 50
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460
Output File: /home/kali/Zerotrace/reports/http_192.168.56.119/_25-03-15_19-12-30.txt
Target: http://192.168.56.119/
[19:12:30] Starting:
[19:12:30] 301 - 169B - /.admin -> http://192.168.56.119/.admin/
[19:12:30] 403 - 555B - /.admin/
[19:12:31] 403 - 555B - /.ht_wsr.txt
[19:12:31] 403 - 555B - /.htaccess.bak1
[19:12:31] 403 - 555B - /.htaccess.orig
[19:12:31] 403 - 555B - /.htaccess.sample
[19:12:31] 403 - 555B - /.htaccess.save
[19:12:31] 403 - 555B - /.htaccess_extra
[19:12:31] 403 - 555B - /.htaccess_orig
[19:12:31] 403 - 555B - /.htaccess_sc
[19:12:31] 403 - 555B - /.htaccessOLD
[19:12:31] 403 - 555B - /.htaccessBAK
[19:12:31] 403 - 555B - /.htaccessOLD2
[19:12:31] 403 - 555B - /.htm
[19:12:31] 403 - 555B - /.html
[19:12:31] 403 - 555B - /.httr-oauth
[19:12:31] 403 - 555B - /.htpasswds
[19:12:31] 403 - 555B - /.htpasswd_test
[19:12:37] 301 - 169B - /assets -> http://192.168.56.119/assets/
[19:12:37] 403 - 555B - /assets/
[19:12:43] 403 - 555B - /images/
[19:12:43] 301 - 169B - /images -> http://192.168.56.119/images/
[19:12:44] 200 - 17KB - /LICENSE.txt
[19:12:50] 200 - 930B - /README.txt
[19:12:54] 403 - 555B - /uploads/
[19:12:54] 403 - 555B - /uploads/affwp-debug.log
[19:12:54] 403 - 555B - /uploads/dump.sql
Task Completed
```

A **/.admin** directory was found ...

2025-03-16 · 5 min · 2361 words · HYH

VulNyx-Lower4

Box Info

OS: Linux
Difficulty: Low

Nmap

```
[root@kali] /home/kali/Lower4 ❯ nmap 192.168.56.120 -sV -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
|_auth-owners: root
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
113/tcp open ident?
|_auth-owners: lucifer
MAC Address: 08:00:27:DE:A3:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The scan of port 113 revealed a username: lucifer ...

2025-03-15 · 1 min · 466 words · HYH

VulNyx-Change

Box Info

OS: Windows
Difficulty: Medium

Nmap

```
[root@kali] /home/kali ❯ nmap 192.168.56.114 -sV -A -p- ⏎
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-11 02:36:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:DD:48:CA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2019
OS details: Microsoft Windows Server 2019
Network Distance: 1 hop
Service Info: Host: CHANGE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 15h59m57s
|_nbstat: NetBIOS name: CHANGE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:dd:48:ca (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2025-03-11T02:37:41
|_ start_date: N/A
```

Add megachange.nyx to **/etc/hosts** ...

2025-03-11 · 3 min · 1353 words · HYH

VulNyx-Lower3

Box Info

OS: Linux
Difficulty: Low

Nmap

```
[root@kali] /home/kali/Lower3 ❯ nmap 192.168.56.113 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 36141/tcp mountd
| 100005 1,2,3 46793/udp mountd
| 100005 1,2,3 56285/tcp6 mountd
| 100005 1,2,3 57285/udp6 mountd
| 100021 1,3,4 37329/tcp6 nlockmgr
| 100021 1,3,4 39713/tcp nlockmgr
| 100021 1,3,4 41715/udp nlockmgr
| 100021 1,3,4 58173/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
36141/tcp open mountd 1-3 (RPC #100005)
38315/tcp open mountd 1-3 (RPC #100005)
39713/tcp open nlockmgr 1-4 (RPC #100021)
41871/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:C5:C6:B4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

NFS

An NFS (Network File System) share was found, so there may be a mountable remote file system. The RPC ports for mountd, nlockmgr and nfs_acl were also found, indicating that the server may allow remote file access. ...

2025-03-10 · 2 min · 767 words · HYH