{"id":355,"date":"2025-12-10T21:23:30","date_gmt":"2025-12-10T13:23:30","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=355"},"modified":"2026-01-29T16:18:59","modified_gmt":"2026-01-29T08:18:59","slug":"355","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/12\/10\/355\/","title":{"rendered":"HTB\u9776\u673a MonitorsFour \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.129.45.174<\/strong><\/code>\uff08\u975e\u56fa\u5b9aIP\u5730\u5740\uff09<\/strong><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.129.45.174 (10.129.45.174) 56(84) bytes of data.\n64 bytes from 10.129.45.174: icmp_seq=1 ttl=127 time=264 ms\n64 bytes from 10.129.45.174: icmp_seq=2 ttl=127 time=282 ms\n64 bytes from 10.129.45.174: icmp_seq=3 ttl=127 time=281 ms\n64 bytes from 10.129.45.174: icmp_seq=4 ttl=127 time=279 ms\n\n--- 10.129.45.174 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3005ms\nrtt min\/avg\/max\/mdev = 264.334\/276.563\/282.135\/7.185 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7f51\u7edc\u901a\u4fe1\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.95 scan initiated Sun Dec  7 07:27:28 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.45.174\nNmap scan report for 10.129.45.174\nHost is up (0.28s latency).\nAll 65535 scanned ports on 10.129.45.174 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Dec  7 07:28:22 2025 -- 1 IP address (1 host up) scanned in 53.87 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u63a2\u6d4b\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Dec  7 07:31:17 2025 as: \/usr\/lib\/nmap\/nmap -sS -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.45.174\nNmap scan report for 10.129.45.174\nHost is up (0.27s latency).\nNot shown: 65533 filtered tcp ports (no-response)\nPORT     STATE SERVICE VERSION\n80\/tcp   open  http    nginx\n|_http-title: Did not follow redirect to http:\/\/monitorsfour.htb\/\n5985\/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2022|2012|2016 (88%)\nOS CPE: cpe:\/o:microsoft:windows_server_2022 cpe:\/o:microsoft:windows_server_2012:r2 cpe:\/o:microsoft:windows_server_2016\nAggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT       ADDRESS\n1   275.22 ms 10.10.14.1\n2   276.02 ms 10.129.45.174\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Dec  7 07:32:38 2025 -- 1 IP address (1 host up) scanned in 81.48 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Dec  7 07:33:33 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.45.174\nNmap scan report for 10.129.45.174\nHost is up (0.28s latency).\nAll 65535 scanned ports on 10.129.45.174 are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Sun Dec  7 07:34:26 2025 -- 1 IP address (1 host up) scanned in 52.69 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u8fd0\u884cWindows Server<\/code>\u64cd\u4f5c\u7cfb\u7edf\uff0c\u5f00\u653e\u4e8680\/http<\/code>\u548c5985\/winrm<\/code>\u4e24\u4e2a\u670d\u52a1\uff0c\u6839\u636eHackTheBox<\/code>\u89c4\u5219\uff0c\u9776\u673aWeb<\/code>\u670d\u52a1\u548cActive Directory<\/code>\u4e3b\u57df\u540d\u4e3amonitorsfour.htb<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u5b50\u57df\u540d\u7206\u7834<\/h3>\n
\u5728\u5f00\u59cb\u8fdb\u884cWeb<\/code>\u670d\u52a1\u63a2\u6d4b\u524d\uff0c\u9996\u5148\u7206\u7834\u5b50\u57df\u540d\uff0c\u5b57\u5178\u4f7f\u7528bitquark-subdomains-top100000.txt<\/code>\uff1a<\/p>\n
wfuzz -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bitquark-subdomains-top100000.txt -u 10.129.45.174 -t 70 -H \"Host: FUZZ.monitorsfour.htb\" --hh 138 --hc 400<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u5b50\u57df\u540d\u4e3acacti<\/code>\u65f6\uff0cWeb<\/code>\u670d\u52a1\u8fd4\u56de\u4e86302<\/code>\u91cd\u5b9a\u5411\u5305\uff0c\u4f46\u6b63\u6587\u4e3a\u7a7a\u3002\u5c1d\u8bd5\u4f7f\u7528curl<\/code>\u89c2\u5bdfHTTP<\/code>\u54cd\u5e94\u7ec6\u8282\uff1a<\/p>\n
curl -v http:\/\/10.129.45.174 -H \"Host: cacti.monitorsfour.htb\"<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0Nginx<\/code>\u8fd4\u56de\u7684\u91cd\u5b9a\u5411\u5305URI<\/code>\u4e3a\/cacti<\/code>\uff0c\u5224\u5b9a\u5b50\u57df\u540dcacti<\/code>\u5b58\u5728\uff01<\/p>\n
\u4e3b\u7ad9\u70b9\u679a\u4e3e<\/h3>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/monitorsfour.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u7ad9\u70b9\u4e3a\u4e00\u5bb6\u7f51\u7edc\u8fd0\u7ef4\u670d\u52a1\u516c\u53f8\u7684\u4e1a\u52a1\u7f51\u7ad9\u3002\u901a\u8bfb\u7f51\u9875\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u9875\u9762\u5e95\u90e8\u5b58\u5728\u4e00\u4e2a\u7535\u5b50\u90ae\u7bb1sales@monitorsfour.htb<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u70b9\u51fbLogin<\/code>\u6309\u94ae\uff0c\u8df3\u8f6c\u5230\u767b\u5f55\u9875\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u767b\u5f55\u6846\u5e95\u90e8\u5b58\u5728\u53ef\u8df3\u8f6c\u81f3\u5fd8\u8bb0\u5bc6\u7801\u754c\u9762\u7684\u94fe\u63a5\u3002\u70b9\u51fb\u94fe\u63a5\u8df3\u8f6c\u5230\u8be5\u754c\u9762\uff0c\u53d1\u73b0\u65e0\u6cd5\u4f7f\u7528\u8be5\u529f\u80fd\u5224\u65ad\u7528\u6237\u540d\u662f\u5426\u5b58\u5728\uff0c\u56e0\u4e3a\u65e0\u8bba\u8f93\u5165\u4ec0\u4e48\u5185\u5bb9\uff0c\u8be5\u529f\u80fd\u90fd\u4f1a\u8fd4\u56de\u201c\u5982\u679c\u90ae\u7bb1\u5730\u5740\u5df2\u6ce8\u518c\u5c31\u4f1a\u53d1\u9001\u90ae\u4ef6\u201d\u7684\u63d0\u793a\uff1a<\/p>\n
\"\"<\/p>\n
\u67e5\u770b\u7f51\u9875\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u5f53\u524d\u9875\u9762\u5b9e\u9645\u8c03\u7528\u4e86\/api\/v1\/reset<\/code>\u63a5\u53e3\u6267\u884c\u4e86\u67e5\u8be2\u7528\u6237\u548c\u53d1\u9001\u5bc6\u7801\u6062\u590d\u90ae\u4ef6\u7684\u529f\u80fd\uff1a<\/p>\n
<form action=\"\/api\/v1\/reset\" method=\"POST\">\n  <div class=\"panel panel-body login-form\">\n    <div class=\"text-center\">\n      <div ><img src=\"static\/admin\/assets\/images\/logo.ico\" style=\"width:100px;height:100px;\"><\/img><\/div>\n      <h5 class=\"content-group\">Password recovery <small class=\"display-block\">We'll send you instructions in email<\/small><\/h5>\n    <\/div>\n\n    <div class=\"form-group has-feedback\">\n      <input type=\"text\" name=\"email\" class=\"form-control\" placeholder=\"Your email\">\n      <div class=\"form-control-feedback\">\n        <i class=\"icon-user text-muted\"><\/i>\n      <\/div>\n    <\/div>\n    <button type=\"submit\" class=\"btn bg-blue btn-block\">Reset password <i class=\"icon-arrow-right14 position-right\"><\/i><\/button>\n  <\/div>\n<\/form><\/code><\/pre>\n
\u76f4\u63a5\u626b\u63cf\/api\/v1<\/code>\u540e\u7aef\u63a5\u53e3\uff1a<\/p>\n
dirsearch -u http:\/\/monitorsfour.htb\/api\/v1 -x 400,403,404 -t 70 -e php,js,html,txt,zip,tar.gz,xml,json<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u9664\u4e86auth<\/code>\u3001logout<\/code>\u3001reset<\/code>\u63a5\u53e3\u5916\uff0c\u8fd8\u5b58\u5728user<\/code>\u548cusers<\/code>\u63a5\u53e3\u3002<\/p>\n
\u5c1d\u8bd5\u8bbf\u95ee\/api\/v1\/users<\/code>\u63a5\u53e3\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9700\u8981\u6211\u4eec\u63d0\u4f9bAPI Token<\/code>\u8bbf\u95ee\u5bc6\u94a5\u3002<\/p>\n
\u5c1d\u8bd5\u626b\u63cf\u7ad9\u70b9\u6839\u76ee\u5f55\uff1a<\/p>\n
dirsearch -u http:\/\/monitorsfour.htb -x 400,403,404 -t 70 -e php,js,html,txt,zip,tar.gz,xml,json<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u6839\u76ee\u5f55\u4e0b\u5b58\u5728.env<\/code>\u6587\u4ef6\uff0c\u9664\u524d\u7aef\u9759\u6001\u6587\u4ef6\u548cHTML<\/code>\u6a21\u677f\u76ee\u5f55\u5916\uff0c\u8fd8\u5b58\u5728\/contact<\/code>\u63a5\u53e3\u3002\u9996\u5148\u8bbf\u95ee.env<\/code>\u6587\u4ef6\uff1a<\/p>\n
DB_HOST=mariadb\nDB_PORT=3306\nDB_NAME=monitorsfour_db\nDB_USER=monitorsdbuser\nDB_PASS=f37p2j8f4t0r<\/code><\/pre>\n
\u53d1\u73b0\u4e3a\u7f51\u7ad9\u6570\u636e\u5e93\u51ed\u636e\uff1a<\/p>\n