HackNet
1. User
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/HackNet]
└─# nmap 10.129.232.4 -p80,22 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-19 22:42 EST
Nmap scan report for 10.129.232.4
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA)
|_ 256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Did not follow redirect to http://hacknet.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
1.1.2. vhost
┌──(root㉿kali)-[~/Desktop/htb/HackNet]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.129.232.4 -H "Host: FUZZ.hacknet.htb" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.232.4
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.hacknet.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [19966/19966] :: Job [1/1] :: 628 req/sec :: Duration: [0:00:33] :: Errors: 0 ::
1.1.3. UDP Scan
┌──(root㉿kali)-[~/Desktop/htb/HackNet]
└─# nmap 10.129.232.4 -sU --top-ports 50
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-19 22:44 EST
Nmap scan report for hacknet.htb (10.129.232.4)
Host is up (0.063s latency).
Not shown: 49 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
1.1.4. dirsearch
┌──(root㉿kali)-[~/Desktop/htb/HackNet]
└─# dirsearch -u http://hacknet.htb/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/HackNet/reports/http_hacknet.htb/__25-12-19_22-59-04.txt
Target: http://hacknet.htb/
[22:59:04] Starting:
[22:59:21] 302 - 0B - /comment -> /
[22:59:22] 302 - 0B - /contacts -> /
[22:59:25] 302 - 0B - /explore -> /
[22:59:25] 404 - 555B - /favicon.ico
[22:59:29] 200 - 857B - /login
[22:59:30] 302 - 0B - /logout -> /
[22:59:30] 404 - 555B - /media.tar
[22:59:30] 301 - 169B - /media -> http://hacknet.htb/media/
[22:59:30] 404 - 555B - /media.tar.bz2
[22:59:31] 404 - 555B - /media.tar.gz
[22:59:31] 404 - 555B - /media.zip
[22:59:31] 404 - 555B - /media/export-criteo.xml
[22:59:31] 403 - 555B - /media/
[22:59:31] 404 - 555B - /media_admin
[22:59:31] 302 - 0B - /messages -> /
[22:59:36] 302 - 0B - /post -> /
[22:59:36] 302 - 0B - /profile -> /
[22:59:37] 200 - 948B - /register
[22:59:38] 302 - 0B - /search -> /
[22:59:41] 404 - 555B - /static/api/swagger.json
[22:59:41] 404 - 555B - /static/api/swagger.yaml
[22:59:41] 404 - 555B - /static/dump.sql
Task Completed
1.2. Web
Register an account.
The site contains a lot of information about hackers.
This fits the challenge name well: a hacker website.
2. Beyond Root
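2.1. Website SSTI
A plugin identifies the site as running on the Django framework.
I tested the comment section, the profile page, and other places, and did not find an SSTI vulnerability.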




