VulNyx Hit靶机复盘
难度-Easy
VulNyx Hit靶机复盘
网段扫描
1
2
3
4
5
6
7
8
9
10
11
12
root@LingMj:/home/lingmj# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.26.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.26.1 00:50:56:c0:00:08 (Unknown)
192.168.26.2 00:50:56:e8:d4:e1 (Unknown)
192.168.26.204 00:0c:29:df:3e:6d (Unknown)
192.168.26.254 00:50:56:f4:1c:e5 (Unknown)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.850 seconds (138.38 hosts/sec). 4 responded
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@LingMj:/home/lingmj# nmap -p- -sC -sV 192.168.26.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 07:03 EST
Nmap scan report for 192.168.26.204 (192.168.26.204)
Host is up (0.0019s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
| http-git:
| 192.168.26.204:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Commit #5
|_http-server-header: nginx/1.22.1
MAC Address: 00:0C:29:DF:3E:6D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.99 seconds
获取webshell
是git
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
从你提供的 git log 输出来看,这是一个 Git 仓库的提交历史记录,显示了最近的几次提交。以下是对这些信息的解读:
提交记录
最新提交
提交哈希值:2b5a747
分支:HEAD 和 master,表示当前工作目录指向的是 master 分支。
提交信息:Commit #5,这是第 5 次提交。
其他提交
7dff168:第 4 次提交,提交信息为 Commit #4。
a998093:第 3 次提交,提交信息为 Commit #3。
0cf5be4:第 2 次提交,提交信息为 Commit #2。
9ca5eed:第 1 次提交,提交信息为 Commit #1。
目录结构
从路径来看:
当前工作目录是 /home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204。
这个目录可能是一个 Git 仓库的某个子目录,具体用途需要结合项目背景来判断。
可能的操作
如果你需要进一步操作这个 Git 仓库,可以尝试以下命令:
查看详细提交信息
bash复制
git log -1 2b5a747
这会显示最后一次提交的详细信息,包括提交者、提交时间、修改的文件等。
查看文件差异
bash复制
git diff 9ca5eed 2b5a747
这会显示从第一次提交到最近一次提交的文件差异。
切换到其他提交
bash复制
git checkout 9ca5eed
这会将工作目录切换到第一次提交的状态。
如果你有其他具体需求,可以告诉我,我会进一步帮助你!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# cd /home/lingmj/xxoo
root@LingMj:/home/lingmj/xxoo# knock 192.168.26.204 7000 8000 9000
root@LingMj:/home/lingmj/xxoo# nmap -p- 192.168.26.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 08:00 EST
Nmap scan report for hit.nyx (192.168.26.204)
Host is up (0.0022s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:DF:3E:6D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds
root@LingMj:/home/lingmj/xxoo# knock 192.168.26.204 9000 8000 7000
root@LingMj:/home/lingmj/xxoo# nmap -p- 192.168.26.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 08:01 EST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.42% done; ETC: 08:02 (0:00:43 remaining)
root@LingMj:/home/lingmj/xxoo# nmap -p22 -sC -sV 192.168.26.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 08:02 EST
Nmap scan report for hit.nyx (192.168.26.204)
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
MAC Address: 00:0C:29:DF:3E:6D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
root@LingMj:/home/lingmj/xxoo# knock 192.168.26.204 12345 54321 24680 13579
root@LingMj:/home/lingmj/xxoo# nmap -p22 -sC -sV 192.168.26.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 08:02 EST
Nmap scan report for hit.nyx (192.168.26.204)
Host is up (0.0023s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
MAC Address: 00:0C:29:DF:3E:6D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds
root@LingMj:/home/lingmj/xxoo# cd /home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# ls -al
total 20
drwxr-xr-x 3 root root 4096 Feb 4 07:59 .
drwxr-xr-x 7 root root 4096 Feb 4 07:13 ..
drwxr-xr-x 8 root root 4096 Feb 4 07:59 .git
-rw-r--r-- 1 root root 2590 Feb 4 07:59 id_rsa
-rw-r--r-- 1 root root 489 Feb 4 07:59 knockd.conf
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# git checkout 9ca5eed
Previous HEAD position was 7dff168 Commit #4
HEAD is now at 9ca5eed Commit #1
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# ls -al
total 20
drwxr-xr-x 3 root root 4096 Feb 4 07:59 .
drwxr-xr-x 7 root root 4096 Feb 4 07:13 ..
drwxr-xr-x 8 root root 4096 Feb 4 08:07 .git
-rw-r--r-- 1 root root 2590 Feb 4 07:59 id_rsa
-rw-r--r-- 1 root root 489 Feb 4 07:59 knockd.conf
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# cat knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# git checkout 0cf5be4
Previous HEAD position was 9ca5eed Commit #1
HEAD is now at 0cf5be4 Commit #2
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# ls -al
total 20
drwxr-xr-x 3 root root 4096 Feb 4 08:08 .
drwxr-xr-x 7 root root 4096 Feb 4 07:13 ..
drwxr-xr-x 8 root root 4096 Feb 4 08:08 .git
-rw-r--r-- 1 root root 2592 Feb 4 08:08 id_rsa
-rw-r--r-- 1 root root 491 Feb 4 08:08 knockd.conf
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# cat knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# git checkout a998093
Previous HEAD position was 0cf5be4 Commit #2
HEAD is now at a998093 Commit #3
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# ls -al
total 20
drwxr-xr-x 3 root root 4096 Feb 4 08:08 .
drwxr-xr-x 7 root root 4096 Feb 4 07:13 ..
drwxr-xr-x 8 root root 4096 Feb 4 08:08 .git
-rw-r--r-- 1 root root 1743 Feb 4 08:08 id_rsa
-rw-r--r-- 1 root root 163 Feb 4 08:08 knockd.conf
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# git checkout 7dff168
Previous HEAD position was a998093 Commit #3
HEAD is now at 7dff168 Commit #4
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# ls -al
total 20
drwxr-xr-x 3 root root 4096 Feb 4 08:09 .
drwxr-xr-x 7 root root 4096 Feb 4 07:13 ..
drwxr-xr-x 8 root root 4096 Feb 4 08:09 .git
-rw-r--r-- 1 root root 2590 Feb 4 08:09 id_rsa
-rw-r--r-- 1 root root 489 Feb 4 08:09 knockd.conf
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# cat knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# knock 192.168.26.204 7000 8000 9000
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# knock 192.168.26.204 7000 8000 9000
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# knock 192.168.26.204 7000 8000 9000
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# nmap -p22 -sC -sV 192.168.26.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 08:09 EST
Nmap scan report for hit.nyx (192.168.26.204)
Host is up (0.0021s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
MAC Address: 00:0C:29:DF:3E:6D (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# git checkout a998093
Previous HEAD position was 7dff168 Commit #4
HEAD is now at a998093 Commit #3
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# cat knockd.conf
[options]
LogFile = /var/log/knockd.log
[openSSH]
sequence = 65535,8888,54111
seq_timeout = 1
command = /usr/sbin/service ssh start
tcpflags = syn
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
6ba1VKUz/cNss0/xw7FkmsfiG15ExhqArUxI7WCfiFKNaeuSdUNETexm38BmeC/b
kmKErTAVzIpCtzCxXYEO8wOOyJRJEZGHNqtoq6bgrxcZaJfzONc1EM6aEIfQS+Ks
zloh5Ye8FygCkU2bCSYnaLwyHuGUcJ72Oa+8jYJtsvr1Gd+z0CWJapRodsYnlvep
5EGx+jaYDkOG3VEtvjfPvA+pezHPifDsLr03JNuGb4awvpTGoRqXjXSYSfKOKimy
Jpip4JVxit3T9aaOu1wF5UIExRtTG9lj38Mb1H2zXENcONIX5nAPoacvvZtCp9iz
20qafBdLgnvZF0sy9GEvjouXPNeAk/c19qTvAu6lSsQq0NliIcozN8tLyvNHUjPv
s/BptewE2NK0YvkNNCNhTilVMPaaojhf8zIVqNeH3L99GBUjigNdd2kqYzX4CjG/
7W8WLhl8gPDeM7eI+Tc94dRRopDfQxMkl/ZhpecXTQQj8Ay8kdSJ+788geA2ySUe
eeeBZ2XZk1X73yoqE1n7mQfvoJwtQWsCATQvMZrVlAJv5XYzIQrtKsGmfv18FehN
TosfUBrvqprm2093NHqgKsgZy12reQt8ZnQiusWiY4ozOQxLJnn6SnE2pSkNhOTj
3Zi8x1WCH6qSOKREBnOZjWZJm4J8UgfqU3CpXKLaYDwPSSVjdHHX2D8m0yypxZGb
7yP27mDSEgm2NxKbbesfEehqA+U3HvJClq9dgXYK14Phj6DRO8xDLBsP3GdlzZSB
g2gIObMasB7lJl1zpre0FgP/Ee98xYwFSvu6nuHvfaEC++XXjJBI9xnAe23Bmlam
7MIuk2eD+3R39skT5Sh5B8O/N2geMXL2G08QOLw5Yr5zvi8nNw1CkCO9saRf5x0x
cfQfTQjGzwC/V0JvNtCZg8FDUlXeqoAd/skbZAmLNiFaNwQ2irOQmZvdmH/Zp23X
HDKecWcpLhaa9xbbua84QMoP2lDm4NFLbPPxkG35kCW0qKGymWmqlZhkDiVoBdUJ
psubanx2bCiCDHSoPGJq/4WW9agBuHd9POP3f1OJtDsgesJrZTUewomSDv5Vc039
1PZI8qYCJIgojtlB0A7HFf/fJGSUjm5OmomDLi18HnTg6SiiEnmKtBtI7RkVkGSc
6l+8RgddRFRY7/SmLUqEtLcgjjqFqT1yeKZAFxpGVxJh3c9eY0KNDbbnksPxV6B/
Ogop0/2UWyQSudzhuDmPuXTHA8ZCohhl3S1RKzp0vnvZGyd83wbk427YrImnUqBh
jMvFoMe664v6NwCvGk0H4oT5pz8guPH7EhnNGAYHQ65JtiAmn60fqqjF11mPN2mG
z08EKhIsUZcYzl6zXelvKtI8oCPay7DAVh2YUVTCuXO0+ulaCrbhC4imvFTZflqP
V1DUAhrK0WhvT97rnh7yI3cAO24Kp3dI0on7wB7OxV0NhbzypT3V9IJmOBbgXWW9
TCG+r1FGBHQ6ywjmAeIGF3iui1MnU/TRbY7Zs0sqMZ3iT2jF8qNmfl0YhRtgXM9+
o82sn1CEU4rITslU3qUHA5/yiFVRPuL48mbjTNbkLvzFfMQ/3ePdhg==
-----END RSA PRIVATE KEY-----
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# knock 192.168.26.204 65535,8888 54111
Failed to resolve hostname '192.168.26.204' on port 65535,8888
getaddrinfo: Servname not supported for ai_socktype
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204# knock 192.168.26.204 65535 8888 54111
root@LingMj:/home/lingmj/xxoo1/GitHack-master/dist/192.168.26.204#
提权
这里说明一下需要进行更改的应用程序最好用virtualbox,不是vmware
userflag:21744d4a65af82ac691cb3381c033d37
rootflag:f4b9848754562bfeffbeb8cc8257048c
This post is licensed under CC BY 4.0 by the author.