Writer:SomeB0dyTime:2023/2/20Nmap扫描结果Nmapscanreportfor10.129.159.83(10.129.159.83)Hostisup(0.39slatency).Notshown:997closedtcpports(reset)PORTSTATESERVICEVERSION22/tcpopensshOpenSSH8.8(protocol2.0)|ssh-hostkey:|2566e4e1341f2fed9e0f7275bededcc68c2(ECDSA)|_25680a7cd10e72fdb958b869b1b20652a98(ED25519)5

信息收集TCP协议：nmap-p--sT--min-rate=1000-Pn10.129.221.221 UDP协议nmap-p--sU--min-rate=1000-Pn10.129.221.221 将开放的端口整理一下，探测一下对应服务nmap-p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49710,49714-Pn-sT-sC-sV10.129.221.221 发现了域名sequel.htb以及子域名dc.sequel.htb，加入hosts文件中 53端口开放尝试区域传输di

WewereabletogainSSHaccesstoaLinuxmachinewhosepasswordwasreusedbyanothermachineduringourpenetrationtest.Onthismachine,wehaveastandarduser"htb-student"whocanleaveamessagetotheadministratorusingaself-writtenprogramcalled"leave_msg."Sincethetargetcompanypaysalotofattentiontodefensefromoutsidetheirnetwor

Inject靶机Nmap结果┌──(root💀kali)-[~]└─#nmap-A10.129.181.158StartingNmap7.93(https://nmap.org)at2023-03-1302:08EDTNmapscanreportfor10.129.181.158Hostisup(0.61slatency).Notshown:998closedtcpports(reset)PORTSTATESERVICEVERSION22/tcpopensshOpenSSH8.2p1Ubuntu4ubuntu0.5(UbuntuLinux;protocol2.0)|ssh-hostkey:|3

HttpsuperpassNmap结果┌──(root💀kali)-[~]└─#nmap-A10.10.11.203StartingNmap7.93(https://nmap.org)at2023-03-1006:10ESTNmapscanreportfor10.10.11.203Hostisup(0.48slatency).Notshown:998closedtcpports(reset)PORTSTATESERVICEVERSION22/tcpopensshOpenSSH8.9p1Ubuntu3ubuntu0.1(UbuntuLinux;protocol2.0)|ssh-hostkey:|

Socketnmap┌──(root💀kali)-[~]└─#nmap-A10.10.11.206StartingNmap7.93(https://nmap.org)at2023-03-2710:53EDTNmapscanreportfor10.10.11.206Hostisup(0.72slatency).Notshown:998closedtcpports(reset)PORTSTATESERVICEVERSION22/tcpopensshOpenSSH8.9p1Ubuntu3ubuntu0.1(UbuntuLinux;protocol2.0)|ssh-hostkey:|2564fe3a6

Codernmap结果┌──(root💀kali)-[~]└─#nmap-A10.10.11.207StartingNmap7.93(https://nmap.org)at2023-04-0222:06EDTNmapscanreportfor10.10.11.207Hostisup(0.085slatency).Notshown:987closedtcpports(reset)PORTSTATESERVICEVERSION53/tcpopendomainSimpleDNSPlus80/tcpopenhttpMicrosoftIIShttpd10.0|_http-server-header:Mi

信息收集：TCP协议：nmap-p--sT--min-rate=1000-Pn10.129.222.107 UDP协议：nmap-p--sU--min-rate=1000-Pn10.129.222.107 直接访问80端口，会自动出现一个域名superpass.htb，将这个域名加入hosts文件中 在web界面有一个登陆框，在登陆框处，存在一个注册界面 在注册后，会出现一个报错页面，在页面中发现了一些文件的绝对路径，猜测可能在其他位置存在LFI漏洞，然后下载这些文件 开始目录扫描gobusterdir-uhttp://superpass.htb-w/usr/share/seclists/Di

信息收集：Tcp协议：nmap-p--sT--min-rate=1000-Pn10.129.228.120Udp协议：nmap-p--sU--min-rate=1000-Pn10.129.228.120nmap-p53,80,88,135,139,389,445,464,636,3268,3269,5985,9389,49667,49674,49693-sC-sV-Pn-O-sT10.129.228.120 发现flight.htb，加入hosts文件中DNS协议：dig10.129.228.120-x10.129.228.120 区域传输：dig10.129.228.120axfrfligh

//靶场看起来简单，实际上打了六七个小时,很多地方有坑。。。信息收集：TCP协议：TARGET=10.129.91.88&&nmap-p$(nmap-p---min-rate=1000-T4$TARGET-Pn|grep^[0-9]|cut-d'/'-f1|tr'\n'','|seds/,$//)-sC-sV-Pn-vvv$TARGET-oNnmap_tcp_all.nmap UDP协议nmap-sU--open-T5--top-ports200-Pn10.129.91.88 发现域名cerberus.local，子域名icinga.cerberus.local，加入hosts文件中，在808