nmap
```
└─$ sudo nmap -sS 10.129.32.130 -p- --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-25 00:43 EDT
Warning: 10.129.32.130 giving up on port because retransmission cap hit (10).
Nmap scan report for monitorsthree.htb (10.129.32.130)
Host is up (0.56s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
8084/tcp filtered websnp
Nmap done: 1 IP address (1 host up) scanned in 43.77 se...
```
The middle of this week was messy: I had to hand in vulnerabilities to make a living and also prepare for some competitions that may or may not matter, so this box was done over several days in spare moments. I'll just briefly note the key parts that are easy to slip up on.
nmap found 22, 80 and 3000.
80
There is an upload feature; I played with it and found nothing.
It does say what tech stack they are hiring for, though, so I'll note that briefly.
Apart from a few staff names there is nothing else here.
For 3000 I went in with Burp running; letting the requests through showed it was Blazor.
My first thought was naturally to look for its Blazor map, get the DLLs and see whether anything leaked.
I then tried to access _framework/blazor.boot.json and it did not exist, which was strange.
At the same time its HTML did contain _framework/blazor.server.js, so there were two possibilities:
1. it is hidden; 2. my reasoning is off.
I kept poking around here with no real gains, then took everything visible to the eye and searched for known vulnerabilities.
Apart from the upload on 80, where I really couldn't tell what it does, the payoff was that the web service on 80 has an SSRF.
Then I went back to the Blazor map on 3000 and still found nothing.
Then I ran ffuf against the ports.
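The two markers above point at different Blazor hosting models, which resolves the "hidden vs. wrong idea" question: `_framework/blazor.boot.json` is only produced by Blazor WebAssembly, where it lists the assemblies (and, on debug builds, the PDBs) the browser downloads; `_framework/blazor.server.js` means Blazor Server, where the application code never leaves the server and the browser talks to a SignalR circuit (by default at `/_blazor`). On a Blazor Server app there are no client DLLs to pull, so the hub endpoint is the surface to look at instead. The following is an added example, not code from the write-up: it classifies a page from those script references and parses a constructed `blazor.boot.json` in the .NET 6/7 layout (`resources.assembly`, `resources.pdb`); `probe()` is the network version for a real target and is an assumption about how a practitioner would wire it up.

```python
"""Tell a Blazor Server front end apart from a Blazor WebAssembly one, and list
what blazor.boot.json exposes when it does exist.  Added example, not code from
the original write-up; the HTML and JSON samples below are constructed."""
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed index pages: what the two hosting models embed in their HTML.
SERVER_HTML = '<html><body><app></app><script src="_framework/blazor.server.js"></script></body></html>'
WASM_HTML = '<html><body><div id="app"></div><script src="_framework/blazor.webassembly.js"></script></body></html>'

# Constructed blazor.boot.json in the .NET 6/7 layout (resources.assembly / resources.pdb).
SAMPLE_BOOT_JSON = json.dumps({
    "entryAssembly": "MyApp",
    "resources": {
        "assembly": {"MyApp.dll": "sha256-AAA", "System.Private.CoreLib.dll": "sha256-BBB"},
        "pdb": {"MyApp.pdb": "sha256-CCC"},
        "runtime": {"dotnet.wasm": "sha256-DDD"},
    },
})


def classify_blazor(index_html, boot_json_found):
    """Return 'webassembly', 'server', 'web' (.NET 8 blazor.web.js) or 'unknown'."""
    if boot_json_found or "_framework/blazor.webassembly.js" in index_html:
        return "webassembly"   # app assemblies are downloaded by the browser
    if "_framework/blazor.server.js" in index_html:
        return "server"        # app code stays on the server; UI events go over SignalR at /_blazor
    if "_framework/blazor.web.js" in index_html:
        return "web"           # .NET 8 unified model; render mode is decided per component
    return "unknown"


def list_boot_resources(boot_json_text):
    """Names of the assemblies and PDBs a WebAssembly app ships to every visitor."""
    data = json.loads(boot_json_text)
    resources = data.get("resources", {})
    return {
        "entry": data.get("entryAssembly"),
        "assemblies": sorted(resources.get("assembly", {})),
        "pdbs": sorted(resources.get("pdb", {})),   # PDBs present = debug build shipped
    }


def probe(base_url, timeout=10):
    """Live check (network): fetch the index page and blazor.boot.json from base_url."""
    def get(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except HTTPError as e:
            return e.code, ""
        except URLError:
            return None, ""

    _, html = get("/")
    status, boot = get("/_framework/blazor.boot.json")
    found = status == 200 and boot.lstrip().startswith("{")
    result = {"model": classify_blazor(html, found)}
    if found:
        result.update(list_boot_resources(boot))
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_blazor(SERVER_HTML, False))
```

Run it as `python3 blazor_probe.py http://target:3000` against a live host; a result of `server` means the DLL-extraction route is a dead end and the next step is the SignalR negotiate/hub traffic, while a `webassembly` result with entries under `pdbs` means the app shipped debug symbols that decompile cleanly.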
Nmap
```
└─$ sudo nmap -sS 10.129.114.121 -p22,80 -sV --min-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 00:35 EDT
Nmap scan report for 10.129.114.121 (10.129.114.121)
Host is up (0.45s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
vhost
When brute-forcing, every name came back as existing, so it is probably a wildcard configuration; I visited a few, saw no difference, and stopped running it.
dir
USER
The example on his Gitea exposes his Git version number.
I don't know why the temporary Python HTTP server I set up locally kept throwing errors; in the end I had no choice but to use his own Git.
Reference: https://github.com/Basyaact/CVE-2024-32002-PoC_Chinese
```
#!/bin/bash
# Set Git configuration options
git config --global protocol.file.allow always
git config --global core.symlinks true
# optional, but I added it to avoid the warning message
git config --global init.defaultBranch main

# Define the tell-tale path
#tell_ta...
```
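Before spending time on the PoC it is worth checking the exposed version against the releases that carried the fix. CVE-2024-32002 was fixed in Git 2.45.1 and backported to 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4; maintenance branches older than 2.39 did not receive the patch. Exploitation additionally needs a case-insensitive filesystem with symlink support on the cloning side, which is why the PoC above forces `core.symlinks true` for local testing. The following is an added example, not part of the write-up or the referenced PoC: it parses a version string of the kind a Gitea page or `git --version` prints and reports whether it predates the fix on its branch.

```python
"""Check a Git version string against the CVE-2024-32002 fix releases.
Added example, not from the original write-up."""
import re

# Patch level on each maintenance branch that first shipped the fix.
FIX_RELEASES = {45: 1, 44: 1, 43: 4, 42: 2, 41: 1, 40: 2, 39: 4}


def parse_version(text):
    """Pull (major, minor, patch) out of 'git version 2.38.1', '2.45.0.windows.1', etc."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def vulnerable_to_cve_2024_32002(text):
    """True when the version is older than the fix on its own branch (or on an unpatched branch)."""
    major, minor, patch = parse_version(text)
    if major != 2:
        return major < 2           # 1.x never got the fix; anything past 2.x is after it
    if minor > 45:
        return False               # 2.46 and later were cut after the fix landed
    if minor < 39:
        return True                # 2.38.x and earlier: branch was not patched
    return patch < FIX_RELEASES[minor]


def describe(text):
    """Human-readable verdict for a scan note."""
    major, minor, patch = parse_version(text)
    verdict = "vulnerable" if vulnerable_to_cve_2024_32002(text) else "fixed"
    needed = FIX_RELEASES.get(minor)
    hint = f" (fixed in 2.{minor}.{needed})" if needed else ""
    return f"git {major}.{minor}.{patch}: {verdict}{hint}"


if __name__ == "__main__":
    import sys
    print(describe(sys.argv[1] if len(sys.argv) > 1 else "git version 2.38.1"))
```

A "vulnerable" verdict only says the clone-time hook execution is possible; whether it fires still depends on the target cloning with `--recursive` onto a case-insensitive filesystem.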
User
Nmap
```
└─$ sudo nmap -sS 10.129.118.118 -p22,80,3000 -sV --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-21 02:48 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 02:48 (0:00:05 remaining)
Nmap scan report for 10.129.118.118 (10.129.118.118)
Host is up (0.43s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tc...
```
Nmap
```
PORT    STATE SERVICE      VERSION
53/tcp  open  domain       Simple DNS Plus
80/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-15 07:09:48Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain...
```
User
nmap
```
└─$ sudo nmap -sU 10.129.29.242 --top-ports=200 --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-22 22:08 EDT
Nmap scan report for 10.129.29.242 (10.129.29.242)
Host is up (0.50s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap
####
PORT   STATE SERVICE VERSION
25/tcp open  smtp    ...
```
nmap
```
└─$ sudo nmap -sS 10.129.xxx.xxx -p22,80 -sV --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-16 00:24 EDT
Nmap scan report for 10.129.xx.xx (10.129.xx.xx)
Host is up (0.43s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at h...
```
https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/
There is no public exploitation method for CVE-2024-24592.
With the original upload method from the article I could only put the pkl into my own directory; I saw that others seemed to have something that runs every five minutes, so I captured a request to have a look.
```
GET /auth.login HTTP/1.1
Host: api.blurry.htb
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-ClearML-Worker: flower
X-Trains-Worker: flower
X-ClearML-Client: clearml-1.16.1
X-Trains-Client: clearml-1.16.1
Authorization: ...
```