hackmyvm-zero
┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 192.168.56.0/24
WARNING: Could not obtain IP address for interface eth1. Using 0.0.0.0 for
the source address, which may not be what you want.
Either configure eth1 with an IP address, or manually specify the address
with the --arpspa option.
Interface: eth1, type: EN10MB, MAC: 00:0c:29:96:80:36, IPv4: (none)
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally...
htb-season8.2-fluffy
Information gathering
┌──(root㉿kali)-[/srv/ftp/incoming]
└─# nmap -sCV -p- --min-rate 10000 10.10.11.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-26 08:56 EDT
Nmap scan report for 10.10.11.69
Host is up (0.65s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-26 19:33:46Z)
139/tcp open netbios-ssn Microsoft Windows...
htb-season8.1-puppy
Information gathering
┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# nmap -p- --min-rate 10000 -oN ports.txt 10.10.11.70
Nmap scan report for 10.10.11.70
Host is up (0.19s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
2049/tcp open nfs
3260/tcp open iscsi
3268/tcp ...
hackmyvm_quoted
There is an FTP service that allows anonymous login and permits both get and put operations.
ftp> get iisstart.htm
local: iisstart.htm remote: iisstart.htm
229 Entering Extended Passive Mode (|||49166|)
150 Opening ASCII mode data connection.
100% |**********************************************************************************************************************************************************************| 689 667.51 KiB/s 00:00 ETA
226 Transfer complete.
689 bytes received in 00:00 (501.00 KiB/s)
└─# cat iisstart.htm
<!DOCTYPE html...
hackmyvm_nessus
Information gathering
┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:96:80:36, IPv4: 192.168.56.103
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:81:30:5f PCS Systemtechnik GmbH
192.168.56.156 08:00:27:c0:51:50 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256...
hackmyvm_runas
┌──(root㉿kali)-[/myift/bachang/win/runas]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:96:80:36, IPv4: 192.168.56.103
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:81:30:5f PCS Systemtechnik GmbH
192.168.56.109 08:00:27:56:13:ce PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending...
hackmyvm_Galera
An unusual port, 4567, was found; from the target's name we guessed it is a Galera cluster, whose characteristics are: synchronous replication; an active, multi-master topology; reads and writes on any node; automatic membership control, with failed members evicted automatically; automatic node joining; row-level parallel replication; every node can be connected to directly by clients.
A PHP configuration file is leaked. Many commands are filtered. Brute-forcing the web service on port 80 failed.
We try to join the Galera cluster so that it synchronises to us, giving us its database contents and operating privileges.
The target operating system is Debian 12 "Bookworm". On Debian 12 the MariaDB version in the default repository is 10.11.11. To avoid problems during cluster synchronisation we use the same MariaDB version to pose as a node and join the cluster.
The docker configuration for the node is structured as follows:
docker-compose.yml
version: "3.9" # Docker Compose file format version
services:
  galera-atacante:
    image: mariadb:10.11.11 # official MariaDB image, with Galera support
    container_name: galera-atacante #...
hackmyvm_todd
First locate the target: arp-scan -I eth1 192.168.56.0/24
Then scan its open services: nmap -A -p- 192.168.56.104
Ports 22 and 80, plus an unusual port 7066.
Directory scanning turned up a directory; visiting it shows that it contains some useful scripts.
Connecting to 7066 simply hands over a shell, and the user flag is in that user's home directory.
The next step is obviously privilege escalation, but the shell we have drops very quickly and cannot be used, so we try to log in over SSH instead.
Generate a key: ssh-keygen -t rsa -f todd
Put the public key in the .ssh directory of the user's home:
cd .ssh
echo "ssh-rsa...
hackmyvm_Matrioshka
Scanning. First add the domain name to the hosts file. The site is WordPress. Scan the site:
┌──(root㉿kali)-[/myift/Matr]
└─# wpscan --url http://mamushka.hmv -e u,ap --plugins-detection aggressive --api-token "w37ueOSrhj3dG2sKNoaWQBgoq6tRjQ11as06z288k7U"
...
hackmyvm_dc04
Port scanning. Add the discovered domain to the hosts file.
SMB (445), Kerberos (88), LDAP (389, 3268), RPC (135, 593), DNS (53): none of these could be exploited for now.
Directory scan of the web service on port 80. A new domain was found and added to the hosts file: http://heartbeat.soupedecode.local/login.php
Tested the login page and brute-forced the password: admin/nimda
Use responder for spoofing to try to capture a hash: responder -I eth1 -Pdv
A detailed explanation follows. Web application functionality: the post-login web page (http://heartbeat.soupedecode.local:8080/login.php, the page redirected to after a successful login) offers a "Network Share Connect" feature. This means the server-side code behind this page (most likely PHP) receives the IP address you enter and attempts to initiate a network share connection from the target server (192.168.56.126) to the IP address you provided. Entering the attacker machine's IP: when you enter...