HTB--Toolbox
0x01 Information Gathering
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-04-16 09:10:57] [INFO] 暴力破解线程数: 1
[2025-04-16 09:10:57] [INFO] 开始信息扫描
[2025-04-16 09:10:57] [INFO] 最终有效主机数量: 1
[2025-04-16 09:10:57] [INFO] 开始主机扫描
[2025-04-16 09:10:57] [INFO] 有效端口数量: 233
[2025-04-16 09:10:57] [SUCCESS] 端口开放 10.129.96.171:21
[2025-04-16 09:10:57] [SUCCESS] 端口开放 10.129.96.171:22
[2025-04-16 09:10:57] [SUCCESS] 端口开放 10.129.96.171:135
[2025-04-16 09:10:57] [SUCCESS] 端口开放 10.129.96.171:443
[2025-04-16 09:10:57] [SUCCESS] 端口开放 10.129.96.171:139
[2025-04-16 09:10:57] [SUCCESS] 端口开放 10.129.96.171:445
[2025-04-16 09:10:57] [SUCCESS] 服务识别 10.129.96.171:22 => [ssh] 版本:for_Windows_7.7 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_for_Windows_7.7.]
[2025-04-16 09:11:02] [SUCCESS] 服务识别 10.129.96.171:139 => Banner:[.]
[2025-04-16 09:11:02] [SUCCESS] 服务识别 10.129.96.171:445 =>
[2025-04-16 09:11:02] [SUCCESS] 服务识别 10.129.96.171:21 =>
[2025-04-16 09:12:02] [SUCCESS] 服务识别 10.129.96.171:135 =>
[2025-04-16 09:12:22] [SUCCESS] 服务识别 10.129.96.171:443 =>
[2025-04-16 09:12:22] [INFO] 存活端口数量: 6
[2025-04-16 09:12:22] [INFO] 开始漏洞扫描
[2025-04-16 09:12:22] [INFO] 加载的插件: findnet, ftp, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-16 09:12:23] [SUCCESS] NetInfo 扫描结果
目标主机: 10.129.96.171
主机名: Toolbox
发现的网络接口:
IPv4地址:
└─ 192.168.56.1
└─ 192.168.99.1
└─ 10.129.96.171
IPv6地址:
└─ dead:beef::1521:7fe1:df31:bacc
└─ dead:beef::dd
[2025-04-16 09:12:23] [SUCCESS] 网站标题 https://10.129.96.171 状态码:200 长度:22357 标题:MegaLogistics
[2025-04-16 09:12:24] [SUCCESS] 匿名登录成功!
[2025-04-16 09:14:34] [SUCCESS] 扫描已完成: 10/10
_____ ___ _
/__ \ ___ ___ __ _ _ __ / _ \| | _ _ ___
/ /\// __| / __| / _' || '_ \ / /_)/| || | | |/ __|
/ / \__ \| (__ | (_| || | | |/ ___/ | || |_| |\__ \
\/ |___/ \___| \__,_||_| |_|\/ |_| \__,_||___/
https://github.com/TideSec/TscanPlus
TscanClient Version: 2.7.4 NewVersion: 2.7.6 Expired: 2026.01.01
[09:11:03] [INFO] Start IpScan:10.129.96.171
[09:11:03] [INFO] 开始扫描 1 个主机的 65535 个端口,共 65535 个任务
[09:11:04] [+] 10.129.96.171:22 open
[09:11:04] [+] 10.129.96.171:21 open
[09:11:04] [+] 10.129.96.171:135 open
[09:11:04] [+] 10.129.96.171:139 open
[09:11:04] [+] 10.129.96.171:445 open
[09:11:04] [+] 10.129.96.171:443 open
[09:11:04] [+] [TCP/FTP] [FileZilla] 10.129.96.171:21 [220-FileZilla Server 0.9.60 beta.220-written by Ti]
[09:11:04] [INFO] start FTP check 10.129.96.171:21
[09:11:04] [+] 开始 FtpScan 任务: FTP://10.129.96.171:21
[09:11:04] [+] [TCP/SSH] [OpenSSH for_Windows_7.7] 10.129.96.171:22 [SSH-2.0-OpenSSH_for_Windows_7.7]
[09:11:04] [INFO] start SSH check 10.129.96.171:22
[09:11:04] [+] 开始 SshScan 任务: SSH://10.129.96.171:22
[09:11:05] [+] [TCP/RPC] [Microsoft Windows RPC] 10.129.96.171:135 [.@]
[09:11:05] [+] [TCP/NETBIOS] [Microsoft Windows netbios-ssn] 10.129.96.171:139 [.]
[09:11:05] [INFO] start WMI check 10.129.96.171:135
[09:11:05] [+] 开始 WmiExec 任务: WMI://10.129.96.171:135
[09:11:05] [+] 10.129.96.171:5985 open
[09:11:06] [+] [TLS/HTTPS] [200] [Apache-HTTP-Server/2.4.38][Apache-Web-Server][jQuery][Apache/2.4.38 (Debian)] https://10.129.96.171:443 [MegaLogistics]
[09:11:06] [+] Vul Found: ftp://10.129.96.171:21:anonymous
[->]docker-toolbox.exe
[09:11:09] [+] [TCP/MICROSOFT-DS] 10.129.96.171:445
[09:11:09] [INFO] start SMB check 10.129.96.171:445
端口扫描 38% [███████░░░░░░░░░░░░░] (25328/65535) [1s:2s][09:11:09] [+] 开始 SmbScan 任务: SMB://10.129.96.171:445
[09:11:12] [+] [TCP/HTTP] [404] [Microsoft-HTTPAPI/2.0][Microsoft HTTPAPI httpd 2.0] http://10.129.96.171:5985 [Not Found]
[09:11:12] [INFO] start WinRM check 10.129.96.171:5985
[09:11:12] [+] 开始 WinRMScan 任务: WinRM://10.129.96.171:5985
[09:11:12] [+] 10.129.96.171:47001 open
[09:11:13] [+] 10.129.96.171:49665 open
[09:11:13] [+] 10.129.96.171:49667 open
[09:11:13] [+] 10.129.96.171:49666 open
[09:11:13] [+] 10.129.96.171:49664 open
端口扫描 75% [███████████████░░░░░] (49643/65535) [0s:0s][09:11:13] [+] 10.129.96.171:49669 open
[09:11:13] [+] 10.129.96.171:49668 open
[09:11:17] [+] alive ports is: 14
[09:11:17] [+] Ip扫描结束:10.129.96.171
[09:11:17] [INFO] Start UrlScan:https://10.129.96.171:443
http://10.129.96.171:5985
[09:11:17] [+] [TCP/HTTP] [404] [Microsoft-HTTPAPI/2.0] http://10.129.96.171:5985 [Not Found]
[09:11:19] [+] [TLS/HTTPS] [200] [Apache/2.4.38 (Debian)][jQuery-ui][Apache-HTTP-Server/2.4.38][Apache-Web-Server] https://10.129.96.171:443 [MegaLogistics]
[09:11:19] [+] Url扫描结束:https://10.129.96.171:443
http://10.129.96.171:5985
[09:11:19] [+] 项目任务完成:Default, Timeuse:16.093245034
[09:11:19] [+] 扫描结束,耗时: 16.777032545s
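The automated PoC scan found anonymous FTP access, which lets us download an exe file directly. With no other information to go on, we first try running this exe in a virtual machine and find that it is just an ordinary release build.
Next we try accessing HTTPS and look for any domain names it may reveal. By inspecting the details of the site's certificate, we can see the certificate's common name.
After binding this domain name to the target IP and visiting it, we reach a login page. Testing shows that an ordinary single-quote closure is enough to bypass the login logic and log in directly as admin.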
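
The login bypass described above is what happens when user input is concatenated into the SQL text. As an added example (not the target application's code; the `users` table, its columns, the function names and the use of SQLite are all assumptions, since the page does not show the backend), here is the concatenated query beside its parameterized form:

```python
import hashlib
import hmac
import sqlite3


def hash_pw(password):
    # Unsalted SHA-256 keeps the demo short; production code should use a
    # slow, salted KDF such as scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data: one hypothetical account in an in-memory DB.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hash_pw("correct horse")))
    return db


def login_vulnerable(db, username, password):
    # Input becomes part of the SQL text, so a quote in `username` ends the
    # string literal and whatever follows is parsed as SQL, not as data.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + hash_pw(password) + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    # The placeholder sends the value separately from the SQL text, so a
    # quote is only ever a character inside the username being looked up.
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    # The password check is done in code with a constant-time comparison.
    if row and hmac.compare_digest(row[0], hash_pw(password)):
        return username
    return None


if __name__ == "__main__":
    db = make_db()
    crafted = "admin' --"  # constructed input containing a closing quote
    print("vulnerable:", login_vulnerable(db, crafted, "wrong"))
    print("hardened:  ", login_hardened(db, crafted, "wrong"))
```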