hackmyvm Eighty Machine Walkthrough

Difficulty: Hard

Network segment scan

root@LingMj:~/xxoo/jarjar# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.18	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.64	a0:78:17:62:e5:0a	Apple, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.066 seconds (123.91 hosts/sec). 3 responded

Port scan

root@LingMj:~/xxoo/jarjar# nmap -p- -sV -sC 192.168.137.18 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-16 04:46 EDT
Nmap scan report for eighty.mshome.net (192.168.137.18)
Host is up (0.037s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 c9:ce:d7:2a:f9:48:25:65:a9:33:4b:d5:01:e1:2c:52 (RSA)
|   256 7e:3d:4d:b4:82:0b:13:eb:db:50:e3:60:70:f0:4a:ad (ECDSA)
|_  256 7f:9d:13:c8:7b:d9:37:1d:cb:ff:e9:ce:f5:90:c3:32 (ED25519)
70/tcp open     http    pygopherd web-gopher gateway
| gopher-ls: 
|_[txt] /howtoconnect.txt "Connection"
|_http-title: Gopher
80/tcp filtered http
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds

Getting a webshell

There is a domain name.

Looks like source code; keep looking.

XXE, maybe? Look for an injection point.

Nothing useful.

OK, there it is.

Why can't the browser access it?

Nothing useful so far.

Didn't find a password.

I don't understand it, but it should be some kind of authentication password.

I looked at the writeup: it turns out that one is the password, and the one below is the authentication value.

Privilege escalation

Just try the authentication keys one by one.

No leads, no idea where to go.

A password has to be entered; the password is in the earlier location.

userflag:hmv8use0red

rootflag:rooted80shmv

This post is licensed under CC BY 4.0 by the author.