bash
$ nmap -p- 192.168.31.62 --min-rate 5000
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-28 11:16 -0400
Nmap scan report for solar (192.168.31.62)
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 08:00:27:0F:FF:C8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 6.98 seconds

bash
$ nmap -sVC -O -p 22,80,443 192.168.31.62 -oN nmapscan/nmap_tcp
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-28 11:19 -0400
Nmap scan report for solar (192.168.31.62)
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 00:31:c1:0a:8b:0f:c9:45:e7:2f:7f:06:0c:4f:cb:42 (ECDSA)
|_ 256 6b:04:c5:5d:39:ed:b3:41:d0:23:2b:77:d1:53:d0:48 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
443/tcp open ssl/http Apache httpd 2.4.62 ((Debian))
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: Solar Energy Control Login
| ssl-cert: Subject: commonName=www.solar.nyx/organizationName=Solar/stateOrProvinceName=Madrid/countryName=ES
| Subject Alternative Name: DNS:www.solar.nyx, DNS:www.sunfriends.nyx
| Not valid before: 2024-10-10T00:03:30
|_Not valid after: 2034-10-08T00:03:30
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:0F:FF:C8 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.72 seconds

Add the two domains www.solar.nyx and www.sunfriends.nyx to /etc/hosts,
then run a brute-force scan.
bash
$ dirsearch -u www.solar.nyx -x 403,404 -q
$ dirsearch -u www.sunfriends.nyx -x 403,404 -q
[10:39:42] 200 - 15KB - https://www.sunfriends.nyx/favicon.ico
[10:39:45] 200 - 604B - https://www.sunfriends.nyx/server.php
$ feroxbuster -k -u 'https://www.solar.nyx/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt --random-agent -x php,html,txt,db,zip,rar -b 404,502 -q
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 78l 147w 1318c https://www.solar.nyx/style.css
200 GET 20l 51w 745c https://www.solar.nyx/index.php
200 GET 0l 0w 0c https://www.solar.nyx/login.php
200 GET 20l 51w 745c https://www.solar.nyx/
302 GET 0l 0w 0c https://www.solar.nyx/logout.php => index.php?msg=Log-out.
Scanning: https://www.solar.nyx/
$ feroxbuster -k -u 'https://www.sunfriends.nyx/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt --random-agent -x php,html,txt,db,zip,rar -b 404,502 -q
404 GET 9l 31w 281c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 284c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 69l 144w 1174c https://www.sunfriends.nyx/style.css
200 GET 202l 984w 11089c https://www.sunfriends.nyx/
200 GET 202l 984w 11089c https://www.sunfriends.nyx/index.php
200 GET 108l 255w 2997c https://www.sunfriends.nyx/styleadmin.css
200 GET 46l 124w 1523c https://www.sunfriends.nyx/server.php
Scanning: https://www.sunfriends.nyx/
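
Seen from the server side, the dirsearch and feroxbuster runs above show up in Apache's access log as a burst of requests for distinct paths, most of them answered with 403/404. The following is an added example, not part of the original write-up, that flags such bursts per client; it assumes Apache's default combined log format, and the log lines, client addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Prefix of an Apache common/combined log line: client, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(line):
    """Return (client, time, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(4), int(m.group(5))

def detect_enumeration(lines, window=timedelta(seconds=10), min_hits=20, min_miss_ratio=0.8):
    """Flag clients requesting many distinct paths in one window, mostly 403/404."""
    # User-Agent is ignored on purpose: --random-agent changes it on every request.
    by_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_client[rec[0]].append(rec[1:])
    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            burst = events[start:end + 1]
            misses = sum(1 for _, _, status in burst if status in (403, 404))
            paths = {path for _, path, _ in burst}
            if len(paths) >= min_hits and misses / len(burst) >= min_miss_ratio:
                flagged[client] = {"requests": len(burst), "misses": misses}
                break
    return flagged

def constructed_sample():
    """Constructed log lines: one scanning client and one ordinary visitor."""
    fmt = '{ip} - - [28/Mar/2026:11:30:{s:02d} -0400] "GET {p} HTTP/1.1" {c} 279 "-" "{ua}"'
    scan = [fmt.format(ip="192.0.2.10", s=i // 10, p=f"/dir{i}.php", c=404, ua=f"UA-{i}")
            for i in range(40)]
    scan.append(fmt.format(ip="192.0.2.10", s=4, p="/server.php", c=200, ua="UA-x"))
    user = [fmt.format(ip="192.0.2.20", s=i * 5, p=p, c=200, ua="Mozilla/5.0")
            for i, p in enumerate(["/", "/style.css", "/login.php", "/index.php"])]
    return scan + user

if __name__ == "__main__":
    print(detect_enumeration(constructed_sample()))
```
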