SolarLab - hackthebox

最新推荐文章于 2025-05-01 23:47:29 发布

古明地核

最新推荐文章于 2025-05-01 23:47:29 发布

阅读量1.2k

点赞数 9

分类专栏： hackthebox靶场合集文章标签：安全服务器网络安全网络 windows

本文链接：https://blog.youkuaiyun.com/tanbinn/article/details/139709033

版权

简介

靶机名称：SolarLab

难度：中等

靶场地址：https://app.hackthebox.com/machines/SolarLab

本地环境

靶机IP ：10.10.11.16

ubuntu渗透机IP(ubuntu 22.04)：10.10.16.17

windows渗透机IP（windows11）：10.10.14.20

扫描

nmap起手

nmap -sT -p0- 10.10.11.16 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
nmap -sT -sV -sC -O -p$ports 10.10.11.16 -oA nmapscan/detail

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-10 22:30 CST
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.091s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: SolarLab Instant Messenger
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: -6m20s
| smb2-time:
|   date: 2024-06-10T14:24:35
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.99 seconds

80和6791端口。值得一提的是nmap不要扫太快，加–min-rate或者-T什么的参数，不然6791会漏掉。

HTTP

访问靶机ip时会被重定向到solarlab.htb和report子域名加上。在hosts里加上即可继续访问。

80端口

一个倒计时页面。信息收集一波，没有明显的利用点。

路径扫描

 gobuster dir -u  http://solarlab.htb -w $HVV_PATH/8_dict/SecLists-master/Discovery/Web-Content/directory-list-2.3-small.txt -b 400-404 -t 10 -x php,zip,bak,jpg,png,mp4,mkv,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://solarlab.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /root/Tool/HVV//8_dict/SecLists-master/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   400,401,402,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,png,mp4,txt,html,php,zip,jpg,mkv
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 169] [--> http://solarlab.htb/images/]
/index.html           (Status: 200) [Size: 16210]
/Images               (Status: 301) [Size: 169] [--> http://solarlab.htb/Images/]
/assets               (Status: 301) [Size: 169] [--> http://solarlab.htb/assets/]
/Index.html           (Status: 200) [Size: 16210]
/IMAGES               (Status: 301) [Size: 169] [--> http://solarlab.htb/IMAGES/]
/%20                  (Status: 200) [Size: 1621

最低0.47元/天解锁文章