achnouri/Machines
GitHub: achnouri/Machines
A collection of hands-on penetration-testing writeups for practice machines covering Linux, Windows AD and OT/ICS environments, recording the complete attack path and key techniques for each.
Stars: 2 | Forks: 0
## Machines

| Machine | Avatar | Focus | Key Techniques | Writeup | Status |
|-|-|-|-|-|-|
| **Support** | | Windows AD | SMB Access, Binary Analysis, XOR Decryption, LDAP Enumeration, RBCD, DCSync | [Read](https://github.com/achnouri/support_machine_writeup) | Rooted |
| **Eighteen** | | Windows AD | MSSQL Impersonation, Password Spraying, BadSuccessor Attack, dMSA Creation | [TBD](#) | Rooted |
| **Editor** | | Linux | XWiki RCE (CVE-2025-24893), Password Grep, SSH Access, ndsudo Privilege Escalation, PATH Hijacking via CVE-2024-32019 | [Read](https://github.com/achnouri/Editor-CTF-writre-up) | Rooted |
| **SeaPanda** | | ICS / OT | USB Infection, Process Hollowing, SSH Lateral Movement, Splunk, Modbus Manipulation, PLC Logic Deployment | [Read](https://github.com/achnouri/Reconstruction-Maritime-ICS-Attack) | Reconstructed |
| **Expressway** | | Linux | IKE/IPsec Discovery, PSK Cracking, Sudo Chroot Bypass (CVE-2025-32463) | [TBD](#) | Rooted |
| **Lame** | | Linux | SMB Enumeration, Samba CVE-2007-2447 (Username Map Script), Metasploit Exploitation, Root Shell via usermap_script | [TBD](#) | Rooted |
| **Devvortex** | | Linux | Virtual Host Discovery, Joomla CVE-2023-23752 (Information Disclosure), MySQL Database Access, Password Cracking, CVE-2023-1326 (apport-cli Privilege Escalation) | [TBD](#) | Rooted |
| **Cap** | | Linux | IDOR, PCAP Traffic Analysis, Credential Reuse, Linux Capabilities, Python setuid Exploit | [Read](https://github.com/achnouri/cap_machine_writeup) | Rooted |
| **Facts** | | Linux | Camaleon CMS (v2.9.0), CVE-2025-2304 (Privilege Escalation to Admin), CVE-2024-46987 (Arbitrary File Read), SSH Private Key Extraction, Facter Custom Directory RCE (sudo) | [TBD](#) | Rooted |
| **TwoMillion** | | Linux | JS Deobfuscation, API Enumeration, PrivEsc, OS Command Injection, Reverse Shell, .env, Lateral Movement, CVE-2023-0386 OverlayFS/FUSE Kernel Exploit | [Read](https://github.com/achnouri/TwoMillion-Machine) | Rooted |
| **Snapped** | | Linux | Snapd LPE (CVE-2026-3888), Race Condition Exploitation, systemd-tmpfiles Timer Abuse, Dynamic Loader Overwrite, SUID Bash Persistence | [TBD](#) | Rooted |
| **CCTV** | | Linux | ZoneMinder Default Credentials, Time-based Blind SQLi (CVE-2024-51482), Bcrypt Hash Cracking, SSH Access, Internal Service Discovery, motionEye Admin Credential Extraction, Command Injection via motionEye (CVE-2025-60787) | [TBD](#) | Rooted |
| **Reactor** | | Linux | Next.js RCE (CVE-2025-55182 / React2Shell), SQLite DB Credential Extraction, MD5 Hash Cracking, SSH Access, Node.js Inspector Debugger Exploitation (Root) | [TBD](#) | Rooted |
| **WingData** | | Linux | Wing FTP Server, Anonymous FTP Access, Directory Traversal, SSH Private Key Theft, Sudo CVE-2021-3156 (Baron Samedit), Root Privilege Escalation | [TBD](#) | Rooted |
## Skills and Expertise

### Operating Systems

| Category | Technologies |
|----------|--------------|
| **Windows** | Active Directory, LDAP, SMB, Kerberos, Group Policy, PowerShell, Windows Internals |
| **Linux** | Unix Privilege Escalation, Kernel Exploits, Systemd, SUID/SGID, Capabilities, Cron Jobs |
| **ICS/OT** | Modbus, SCADA, PLC Programming, Industrial Protocols, Process Control Security |

### Reconnaissance and Enumeration

| Category | Tools and Techniques |
|----------|-------------------|
| **Network** | Nmap, Rustscan, Masscan, Wireshark, tcpdump, Netcat, Ncat |
| **Web** | Burp Suite, OWASP ZAP, Gobuster, Dirb, FFUF, Wfuzz, Nikto |
| **Active Directory** | BloodHound, SharpHound, LDAPSearch, ADRecon, PowerView, CrackMapExec |
| **Cloud** | AWS CLI, Azure CLI, Cloud Enumeration, Misconfiguration Discovery |

### Exploitation

| Category | Techniques |
|----------|------------|
| **Web** | SQL Injection, XSS, CSRF, RCE, LFI/RFI, SSRF, Deserialization, SSTI, XXE |
| **Network** | MITM, Sniffing, Spoofing, ARP Poisoning, DNS Spoofing |
| **AD Attacks** | Kerberoasting, AS-REP Roasting, RBCD, DCSync, Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket |
| **Privilege Escalation** | Sudo Abuse, SUID/SGID, Capabilities, Cron Jobs, Docker Escape, Kernel Exploits, Path Hijacking |
| **Password Attacks** | Hashcat, John the Ripper, Hydra, Medusa, Crunch, Wordlist Generation |

### Post-Exploitation

| Category | Capabilities |
|----------|--------------|
| **Lateral Movement** | WMI, PsExec, SMBExec, WinRM, RDP, SSH Tunneling, Proxychains |
| **Persistence** | Scheduled Tasks, Systemd Services, Registry Run Keys, .bashrc, .profile, SSH Keys |
| **Data Exfiltration** | FTP, SCP, HTTP(S), DNS Tunneling, ICMP Tunneling |
| **Pivoting** | SSH Tunneling, Port Forwarding, Socks Proxy, Chisel, Ligolo-ng |
#### Disclaimer

*All machines were compromised in explicitly authorized lab environments; the writeups are for educational purposes only.*
"There is no absolutely secure system; the only secure system is the one that is powered off and unplugged."