VulNyx Gen靶机复盘
难度-Hard
网段扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.26.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.26.2 00:50:56:e8:d4:e1 (Unknown)
192.168.26.1 00:50:56:c0:00:08 (Unknown)
192.168.26.172 00:0c:29:a7:dd:d0 (Unknown)
192.168.26.254 00:50:56:fa:a6:d1 (Unknown)
192.168.26.1 00:50:56:c0:00:08 (Unknown) (DUP: 2)
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.925 seconds (132.99 hosts/sec). 4 responded
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
└─# nmap -p- -sC -sV 192.168.26.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-18 06:17 EST
Nmap scan report for 192.168.26.172 (192.168.26.172)
Host is up (0.0025s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
MAC Address: 00:0C:29:A7:DD:D0 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.01 seconds
└─# nmap -sU --top-ports 20 192.168.26.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-18 06:18 EST
Nmap scan report for 192.168.26.172 (192.168.26.172)
Host is up (0.0017s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:A7:DD:D0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 19.24 seconds
获取webshell
这里看到扫描的结果有点懵,猜测在ipv6
猜测正确但是需要思考网站访问web 80服务应该如何形式访问
windows 访问不到需要找到Windows对应的ipv6地址
陷入沉默
但是我Windows不知道ipv6地址是啥,无法进行80端口操作,这里启动b方案去kali整了
算了又卡,又访问不来,老老实实用curl
又卡住了
无想法,也没找到有用的点,查查ssh版本漏洞吧
找了一伙版本还是没有,尝试爆破user
出现用户名看看怎么操作,没密码继续爆破
大概500这样子,等的时候无聊,hydra最近用起来老慢了,如果可以给他提速的方法留言给我
新任务,但是貌似没看懂
翻译一头雾水,
没用尝试缩小界面看看能否进去
还是不行,查一下资料吧
沉默了,这里打算看一下wp提供一下思路,去查看站长的wp
可是我访问不了80端口,很麻烦,这里酌情考虑视频复盘了
太强了,我直接复盘不了,先搁置了。
重启出现80端口
把他想错了,说明一下这个是什么意思,之前理解的是他直接利用这个9999进入内部登录,但是理解之后发现他并不是怎么设计,他的设计原理是这个mark登录进去,可以利用这个mark把里面的某一个端口通过隧道的形式转发到我们指定的ip服务,这里我直接转发到我的localhost:9999服务端口上,用ss -lnput 可以查看到我们这边的9999端口开放了
这里已经访问出来的9999服务,进行一下目录扫描
这个格式有点麻烦
提权
apache并没有解析php,很好奇
尝试在这里出现结果
我就知道尝试怎么多不对就知道肯定不是怎么干的
我想到一个想法就是把peter的私钥传递到/root/.ssh/
没成功,继续憋
好像知道了,靶机应该被我搞坏了,重新开启一下这个靶机。
明白了,真服了
到这里靶场完成了,这个提权卡了一个点
userflag:d045787a2743570b0dc1aea01fc952ce
rootflag:f003a3bc3ff27072d6ac2c7a1ab63254