靶机下载地址：https://hackmyvm.eu/machines/machine.php?vm=Dentacare。

扫描端口，开放了22、80和8000。

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.136
PORT     STATE SERVICE VERSION                                                                                                                                                
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)                                                                                                          
| ssh-hostkey:                                                                                                                                                                
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)                                                                                                               
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)                                                                                                             
80/tcp   open  http    Werkzeug/3.0.2 Python/3.11.2                                                                                                                           
|_http-server-header: Werkzeug/3.0.2 Python/3.11.2                                                                                                                            
|_http-title: DentaCare Corporation                                                                                                                                           
| fingerprint-strings:                                                                                                                                                        
...
8000/tcp open  http    Apache httpd 2.4.57
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.57 (Debian)

继续阅读 →

这是我第一次玩VulNyx的靶机，这个靶机还是很有意思的，涉及到了GET/POST的变化、SSRF、SSTI，解题思路很有意思，所以记录下来。靶机的下载地址为https://vulnyx.com/file/Express.php。

扫描端口，显示22和80。

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.134
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:88:F1:F0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

继续阅读 →

靶机地址：https://hackmyvm.eu/machines/machine.php?vm=Smol。

直接使用IP地址访问出错，地址栏显示www.smol.hmv，把这个地址加入/etc/hosts。扫描端口：

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 16:03 CST
Nmap scan report for www.smol.hmv (192.168.56.130)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 6.3
|_http-title: AnotherCTF
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:BF:B5:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

继续阅读 →

靶机下载地址：https://hackmyvm.eu/machines/machine.php?vm=Icecream
Tips: smb、nginx unit

继续阅读 →