VulNyx JarJar靶机复盘
难度-Medium
VulNyx JarJar靶机复盘
网段扫描
1
2
3
4
5
6
7
8
9
10
root@LingMj:~/xxoo/jarjar# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1 3e:21:9c:12:bd:a3 (Unknown: locally administered)
192.168.137.66 a0:78:17:62:e5:0a Apple, Inc.
192.168.137.181 3e:21:9c:12:bd:a3 (Unknown: locally administered)
192.168.137.92 62:2f:e8:e4:77:5d (Unknown: locally administered)
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.049 seconds (124.94 hosts/sec). 4 responded
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@LingMj:~/xxoo/jarjar# nmap -p- -sV -sC 192.168.137.181
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-01 19:40 EST
Nmap scan report for jarjar.mshome.net (192.168.137.181)
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open http Apache httpd 2.4.61 ((Debian))
|_http-server-header: Apache/2.4.61 (Debian)
|_http-title: The Menace of Jar Jar
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.57 seconds
获取webshell
找找信息
说一下正常如果真是跳转admin.php不应该说有大小的所以我们可以试着伪造一下
ok看来是LFI,不过我要找到成功条件
它得先找的当前的目录才能目录穿越
ok可以直接登录
提权
密码都不对,那看来得用tools找点线索了
它是一个传文件的形式不应该是直接开放80端口应该nc接受跟/dev/tcp差不多
好了结束了
userflag:cd3afd21332e0ea7c8a47ff6a26387e1
rootflag:322f07d15f30d1c4e3009dc5f2decb0f
This post is licensed under CC BY 4.0 by the author.