VulnVM Interceptor 2靶机复盘

网段扫描

root@LingMj:~# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.41	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.203	a0:78:17:62:e5:0a	Apple, Inc.
192.168.137.172	62:2f:e8:e4:77:5d	(Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.028 seconds (126.23 hosts/sec). 4 responded

端口扫描

root@LingMj:~# nmap -p- -sV -sC 192.168.137.41
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-28 20:42 EDT
Nmap scan report for debian.mshome.net (192.168.137.41)
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
80/tcp  open  http        Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OS: Unix

Host script results:
| smb2-time: 
|   date: 2025-03-29T00:42:44
|_  start_date: N/A
|_nbstat: NetBIOS name: DEBIAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.52 seconds

获取webshell

没有东西，扫目录了，不过里面有smb，ftp应该要爆破但是不知道用户

新线索

和1是一样的？ 我试试1的方式能不能提权

应该不一样因为1有ping的php文件这个好像没有

看看能不能匿名登录，不然爆破一手

第一个用户smb没有，可以考虑ftp了

小拿一手命令，不然我感觉我的hydra跑得很慢奥，等着了

跑半天了，会不会是cra的问题之前就有案例得用msf跑

验证了一下确实只有中间要跑密码，先跑半个小时不对就换了，总不能这个靶机跑密码硬控1个小时，好了得到提示，跑密码跑到明年都跑不出直接转站wordpress

搁置了，没有思路

提权

userflag:

rootflag: