Thehackerslabs-Folclore

Nmap [root@Hacking] /home/kali/Folclore ❯ nmap 192.168.26.15 -A -p- PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? MAC Address: 08:00:27:EE:0F:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 11|10|2008 (98%) OS CPE: cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 Aggressive OS guesses: Microsoft Windows 11 (98%), Microsoft Windows 10 1903 - 21H1 (91%), Microsoft Windows 10 1803 (89%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (89%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: FOLCLORE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ee:0f:0e (PCS Systemtechnik/Oracle VirtualBox virtual NIC) | smb2-time: | date: 2025-09-02T13:07:21 |_ start_date: N/A TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.26.15 Only the SMB service is open ...

September 2, 2025 · 10 min · 4727 words · HYH

Thehackerslabs-Patata Mágica

Nmap [root@Hacking] /home/kali/Patata ❯ nmap 192.168.26.11 -A PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 |_http-title: Curiosidades CTF | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) |_http-title: Curiosidades CTF |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | tls-alpn: |_ http/1.1 445/tcp open microsoft-ds? MAC Address: 08:00:27:3D:D6:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Device type: general purpose Running: Microsoft Windows 10 OS CPE: cpe:/o:microsoft:windows_10 OS details: Microsoft Windows 10 1709 - 21H2 Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-08-30T07:16:27 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: PATATA-MAGICA, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3d:d6:cb (PCS Systemtechnik/Oracle VirtualBox virtual NIC) TRACEROUTE HOP RTT ADDRESS 1 0.22 ms 192.168.26.11 File Read On port 80 there is a Games section. At the bottom of the page there is an interactive feature that shows file contents, with the file name passed as a GET parameter. Take a look at the index.php source ...

August 30, 2025 · 5 min · 2291 words · HYH

Thehackerslabs-Welcome To The Jungle

Nmap [root@Hacking] /home/kali/Jungle ❯ nmap 192.168.55.161 -A -p- PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-title: Welcome to the Jungle - The Hex Guns |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC Dirsearch [root@Hacking] /home/kali/Jungle ❯ feroxbuster -u http://192.168.55.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.11.0 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://192.168.55.161 🚀 Threads │ 50 📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌 Status Codes │ All Status Codes! 
💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.11.0 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [php] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 301 GET 2l 10w 160c http://192.168.55.161/img => http://192.168.55.161/img/ 200 GET 29l 124w 1209c http://192.168.55.161/index.php 200 GET 42l 168w 1915c http://192.168.55.161/albums.php 301 GET 2l 10w 162c http://192.168.55.161/media => http://192.168.55.161/media/ 200 GET 126l 218w 2089c http://192.168.55.161/css/styles.css 200 GET 7l 13w 189c http://192.168.55.161/header.php 200 GET 8487l 45658w 3909539c http://192.168.55.161/img/axl.png 200 GET 29l 124w 1209c http://192.168.55.161/ 200 GET 3l 11w 81c http://192.168.55.161/footer.php 403 GET 29l 91w 1232c http://192.168.55.161/css/ 301 GET 2l 10w 160c http://192.168.55.161/css => http://192.168.55.161/css/ 200 GET 29l 124w 1209c http://192.168.55.161/Index.php 301 GET 2l 10w 162c http://192.168.55.161/Media => http://192.168.55.161/Media/ 200 GET 7731l 46736w 3824296c http://192.168.55.161/img/digital-destruction.png 200 GET 9162l 55315w 4712528c http://192.168.55.161/img/paradise-404.png 200 GET 8321l 48830w 4266377c http://192.168.55.161/img/neon-rebellion.png 301 GET 2l 10w 160c http://192.168.55.161/IMG => http://192.168.55.161/IMG/ 200 GET 7l 13w 189c http://192.168.55.161/Header.php 200 GET 29l 124w 1209c http://192.168.55.161/INDEX.php 301 GET 2l 10w 160c http://192.168.55.161/CSS => http://192.168.55.161/CSS/ 301 GET 2l 10w 160c http://192.168.55.161/Img => http://192.168.55.161/Img/ 200 GET 3l 11w 81c http://192.168.55.161/Footer.php 301 GET 2l 10w 162c http://192.168.55.161/MEDIA => http://192.168.55.161/MEDIA/ 200 GET 7l 13w 189c 
http://192.168.55.161/HEADER.php 200 GET 3l 11w 81c http://192.168.55.161/FOOTER.php [####################] - 5m 1984940/1984940 0s found:25 errors:0 [####################] - 5m 220546/220546 722/s http://192.168.55.161/ [####################] - 5m 220546/220546 721/s http://192.168.55.161/img/ [####################] - 5m 220546/220546 720/s http://192.168.55.161/media/ [####################] - 5m 220546/220546 721/s http://192.168.55.161/css/ [####################] - 5m 220546/220546 722/s http://192.168.55.161/Media/ [####################] - 5m 220546/220546 723/s http://192.168.55.161/IMG/ [####################] - 5m 220546/220546 728/s http://192.168.55.161/CSS/ [####################] - 5m 220546/220546 729/s http://192.168.55.161/Img/ [####################] - 5m 220546/220546 797/s http://192.168.55.161/MEDIA/ Scanning the /media directory turns up a compressed archive ...

August 23, 2025 · 3 min · 1407 words · HYH

Thehackerslabs-Evelator

Information The PDF file gives the default username and password Nmap [root@Hacking] /home/kali/Evelator ❯ nmap 192.168.55.158 -A -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-21 13:51:51Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49683/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49706/tcp open msrpc Microsoft Windows RPC Add bloodhound.thl to /etc/hosts ...

August 22, 2025 · 4 min · 1627 words · HYH

Cyberstrikelab-Lab1

Fscan [root@Hacking] /home/kali/Desktop ❯ ./fscan -h 192.168.10.10 -p 80 ⏎ ┌──────────────────────────────────────────────┐ │ ___ _ │ │ / _ \ ___ ___ _ __ __ _ ___| | __ │ │ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │ │ / /_\\_____\__ \ (__| | | (_| | (__| < │ │ \____/ |___/\___|_| \__,_|\___|_|\_\ │ └──────────────────────────────────────────────┘ Fscan Version: 2.0.0 [2025-07-16 22:41:57] [INFO] 暴力破解线程数: 1 [2025-07-16 22:41:57] [INFO] 开始信息扫描 [2025-07-16 22:41:57] [INFO] 最终有效主机数量: 1 [2025-07-16 22:41:57] [INFO] 开始主机扫描 [2025-07-16 22:41:57] [INFO] 有效端口数量: 1 [2025-07-16 22:41:57] [SUCCESS] 端口开放 192.168.10.10:80 [2025-07-16 22:42:03] [SUCCESS] 服务识别 192.168.10.10:80 => [http] [2025-07-16 22:42:03] [INFO] 存活端口数量: 1 [2025-07-16 22:42:03] [INFO] 开始漏洞扫描 [2025-07-16 22:42:03] [INFO] 加载的插件: webpoc, webtitle [2025-07-16 22:42:04] [SUCCESS] 网站标题 http://192.168.10.10 状态码:200 长度:25157 标题:易优CMS - Powered by Eyoucms.com [2025-07-16 22:42:11] [SUCCESS] 目标: http://192.168.10.10:80 漏洞类型: poc-yaml-thinkphp5023-method-rce 漏洞名称: poc1 详细信息: links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce [2025-07-16 22:42:14] [SUCCESS] 扫描已完成: 2/2 A ThinkPHP RCE vulnerability is found ...

July 17, 2025 · 3 min · 1099 words · HYH

Cyberstrikelab-Lab2

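CMS Getshell The fscan scan shows that 192.168.10.10 has port 808 open, apparently running Qishi CMS (骑士CMS). The login page reveals the version, 4.2.111. The response messages also show that the username is admin, so try brute-forcing the password. The password turns out to be admin123456. Go to Tools - Style Templates - Available Templates, capture the request, and modify the value of tpl_dir. The webshell is then located at /Application/Home/Conf/config.php. Get the flag from the root directory and get a session in msf. Obtain the NTLM hash. Get a session in cs ...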

July 17, 2025 · 2 min · 837 words · HYH

HTB-Voleur

Box Info OS Difficulty Windows Medium As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt Nmap PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-10 17:46:07Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA) | 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA) |_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519) 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Add dc.voleur.htb to /etc/hosts ...

July 10, 2025 · 5 min · 2435 words · HYH

HTB-RustyKey

Box Info OS Difficulty Windows Hard As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A Nmap [root@kali] /home/kali/RustyKey ❯ nmap rustykey.htb -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 13:48:41Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found GetTGT (rr.parker) The account given by default cannot be used directly for authentication ...

July 1, 2025 · 7 min · 3364 words · HYH

HTB-TombWatcher

Box Info OS Difficulty Windows Medium As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV! Nmap [root@kali] /home/kali/TombWatcher ❯ nmap TombWatcher.htb -sV -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-08 15:48:25Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found Add DC01.tombwatcher.htb to /etc/hosts ...

June 13, 2025 · 6 min · 2647 words · HYH

HTB-Certificate

Box Info OS Difficulty Windows Hard Nmap [root@kali] /home/kali/Certificate ❯ nmap Certificate.htb -sV -A PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30) |_http-title: Certificate | Your portal for certification |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-01 09:04:19Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. | ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. 
| ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certificate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb | Not valid before: 2024-11-04T03:14:54 |_Not valid after: 2025-11-04T03:14:54 |_ssl-date: 2025-06-01T09:05:51+00:00; +7h38m40s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Add DC01.certificate.htb to /etc/hosts ...

June 8, 2025 · 8 min · 3866 words · HYH