hackmyvm Controller box writeup
Difficulty: Hard
Subnet scan
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1 3e:21:9c:12:bd:a3 (Unknown: locally administered)
192.168.137.64 a0:78:17:62:e5:0a Apple, Inc.
192.168.137.84 3e:21:9c:12:bd:a3 (Unknown: locally administered)
192.168.137.91 62:2f:e8:e4:77:5d (Unknown: locally administered)
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.064 seconds (124.03 hosts/sec). 4 responded
Port scan
root@LingMj:~# nmap -p- -sV -sC 192.168.137.84
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 00:45 EDT
Nmap scan report for controller.mshome.net (192.168.137.84)
Host is up (0.010s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 73:a1:2c:d9:47:5c:18:0b:68:60:02:58:f9:a2:c4:18 (RSA)
| 256 2d:51:0e:a5:af:b2:b1:36:5b:93:6c:d2:17:a3:39:4c (ECDSA)
|_ 256 d0:bb:81:c4:16:aa:28:af:68:f5:38:7d:af:9f:4a:5b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.7.2
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: CONTROLLER – Otro sitio realizado con WordPress
88/tcp open kerberos-sec Heimdal Kerberos (server time: 2025-05-21 04:45:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Samba smbd 4
389/tcp open ldap (Anonymous bind OK)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CONTROLLER.controller.local/organizationName=Samba Administration
| Not valid before: 2021-06-27T17:19:10
|_Not valid after: 2023-05-28T17:19:10
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 Bad Request
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: organizationName=CONTROLLER/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-06-27T17:44:27
|_Not valid after: 2022-06-27T17:44:27
445/tcp open netbios-ssn Samba smbd 4
464/tcp open kpasswd5?
636/tcp open ssl/ldap (Anonymous bind OK)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CONTROLLER.controller.local/organizationName=Samba Administration
| Not valid before: 2021-06-27T17:19:10
|_Not valid after: 2023-05-28T17:19:10
3268/tcp open ldap (Anonymous bind OK)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CONTROLLER.controller.local/organizationName=Samba Administration
| Not valid before: 2021-06-27T17:19:10
|_Not valid after: 2023-05-28T17:19:10
3269/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=CONTROLLER.controller.local/organizationName=Samba Administration
| Not valid before: 2021-06-27T17:19:10
|_Not valid after: 2023-05-28T17:19:10
|_ssl-date: TLS randomness does not represent time
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: CONTROLLER, NetBIOS user: <unknown>, NetBIOS MAC: b0:ca:c0:8d:72:7f (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-21T04:46:18
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.29 seconds
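As an added defender's check (not part of the original writeup), the following Python triages nmap -sV -sC text output like the scan above and flags the two weaknesses visible in it: LDAP services that accept anonymous bind, and TLS certificates that had already expired on the scan date. The SCAN string is a constructed excerpt of this page's scan; the function and regex names are my own.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -sV -sC output shown on this page
SCAN = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 00:45 EDT
389/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=CONTROLLER.controller.local/organizationName=Samba Administration
| Not valid before: 2021-06-27T17:19:10
|_Not valid after: 2023-05-28T17:19:10
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
| ssl-cert: Subject: organizationName=CONTROLLER/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-06-27T17:44:27
|_Not valid after: 2022-06-27T17:44:27
445/tcp open netbios-ssn Samba smbd 4
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")      # "389/tcp open ldap (...)"
EXPIRY_RE = re.compile(r"Not valid after:\s*(\S+)")              # ssl-cert script line
SCAN_DATE_RE = re.compile(r"Starting Nmap .* at (\d{4}-\d{2}-\d{2})")


def triage(text):
    """Return (port, finding) tuples for anonymous LDAP bind and expired certs."""
    findings = []
    scan_day = None
    port = None  # port whose script output we are currently inside
    for line in text.splitlines():
        m = SCAN_DATE_RE.search(line)
        if m:
            scan_day = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            if "Anonymous bind OK" in m.group(3):
                findings.append((port, "ldap anonymous bind allowed"))
            continue
        m = EXPIRY_RE.search(line)
        if m and port is not None:
            expiry = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            if scan_day and expiry < scan_day:
                findings.append((port, f"tls certificate expired {expiry.date()}"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(SCAN):
        print(f"{port}/tcp: {finding}")
```

Run against the full scan on this page it also reports ports 636, 3268 and 3269, which carry the same anonymous-bind setting and the same expired Samba certificate.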
Getting a webshell
Isn't this its domain name? It keeps redirecting here.
<!doctype html>
<html lang="es" >
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Página no encontrada – CONTROLLER</title>
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//192.168.0.25' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="CONTROLLER » Feed" href="http://192.168.0.25/index.php/feed/" />
<link rel="alternate" type="application/rss+xml" title="CONTROLLER » Feed de los comentarios" href="http://192.168.0.25/index.php/comments/feed/" />
<script>
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/192.168.0.25\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.2"}};
!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([55357,56424,8205,55356,57212],[55357,56424,8203,55356,57212])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);
</script>
<style>
img.wp-smiley,
img.emoji {
display: inline !important;
border: none !important;
box-shadow: none !important;
height: 1em !important;
width: 1em !important;
margin: 0 .07em !important;
vertical-align: -0.1em !important;
background: none !important;
padding: 0 !important;
}
</style>
<link rel='stylesheet' id='wp-block-library-css' href='http://192.168.0.25/wp-includes/css/dist/block-library/style.min.css?ver=5.7.2' media='all' />
<link rel='stylesheet' id='wp-block-library-theme-css' href='http://192.168.0.25/wp-includes/css/dist/block-library/theme.min.css?ver=5.7.2' media='all' />
<link rel='stylesheet' id='twenty-twenty-one-style-css' href='http://192.168.0.25/wp-content/themes/twentytwentyone/style.css?ver=1.3' media='all' />
<link rel='stylesheet' id='twenty-twenty-one-print-style-css' href='http://192.168.0.25/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.3' media='print' />
<link rel="https://api.w.org/" href="http://192.168.0.25/index.php/wp-json/" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://192.168.0.25/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://192.168.0.25/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 5.7.2" />
<style>.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style></head>
<body class="error404 wp-embed-responsive is-light-theme no-js hfeed">
<div id="page" class="site">
<a class="skip-link screen-reader-text" href="#content">Saltar al contenido</a>
<header id="masthead" class="site-header has-title-and-tagline" role="banner">
<div class="site-branding">
<p class="site-title"><a href="http://192.168.0.25/">CONTROLLER</a></p>
<p class="site-description">
Otro sitio realizado con WordPress </p>
</div><!-- .site-branding -->
</header><!-- #masthead -->
<div id="content" class="site-content">
<div id="primary" class="content-area">
<main id="main" class="site-main" role="main">
<header class="page-header alignwide">
<h1 class="page-title">No hay nada aquí</h1>
</header><!-- .page-header -->
<div class="error-404 not-found default-max-width">
<div class="page-content">
<p>Parece que no se ha encontrado nada en esta ubicación. ¿Quieres probar una búsqueda?</p>
<form role="search" method="get" class="search-form" action="http://192.168.0.25/">
<label for="search-form-1">Buscar...</label>
<input type="search" id="search-form-1" class="search-field" value="" name="s" />
<input type="submit" class="search-submit" value="Buscar" />
</form>
</div><!-- .page-content -->
</div><!-- .error-404 -->
</main><!-- #main -->
</div><!-- #primary -->
</div><!-- #content -->
<aside class="widget-area">
<section id="search-2" class="widget widget_search"><form role="search" method="get" class="search-form" action="http://192.168.0.25/">
<label for="search-form-2">Buscar...</label>
<input type="search" id="search-form-2" class="search-field" value="" name="s" />
<input type="submit" class="search-submit" value="Buscar" />
</form>
</section>
<section id="recent-posts-2" class="widget widget_recent_entries">
<h2 class="widget-title">Entradas recientes</h2><nav role="navigation" aria-label="Entradas recientes">
<ul>
<li>
<a href="http://192.168.0.25/index.php/2021/06/27/hola-mundo/">CONTROLLER</a>
</li>
</ul>
</nav></section><section id="recent-comments-2" class="widget widget_recent_comments"><h2 class="widget-title">Comentarios recientes</h2><nav role="navigation" aria-label="Comentarios recientes"><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link"><a href='https://wordpress.org/' rel='external nofollow ugc' class='url'>Un comentarista de WordPress</a></span> en <a href="http://192.168.0.25/index.php/2021/06/27/hola-mundo/#comment-1">CONTROLLER</a></li></ul></nav></section> </aside><!-- .widget-area -->
<footer id="colophon" class="site-footer" role="contentinfo">
<div class="site-info">
<div class="site-name">
<a href="http://192.168.0.25/">CONTROLLER</a>
</div><!-- .site-name -->
<div class="powered-by">
Funciona gracias a <a href="https://es.wordpress.org/">WordPress</a>. </div><!-- .powered-by -->
</div><!-- .site-info -->
</footer><!-- #colophon -->
</div><!-- #page -->
<script>document.body.classList.remove("no-js");</script> <script>
if ( -1 !== navigator.userAgent.indexOf( 'MSIE' ) || -1 !== navigator.appVersion.indexOf( 'Trident/' ) ) {
document.body.classList.add( 'is-IE' );
}
</script>
<script id='twenty-twenty-one-ie11-polyfills-js-after'>
( Element.prototype.matches && Element.prototype.closest && window.NodeList && NodeList.prototype.forEach ) || document.write( '<script src="http://192.168.0.25/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.3"></scr' + 'ipt>' );
</script>
<script src='http://192.168.0.25/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.3' id='twenty-twenty-one-responsive-embeds-script-js'></script>
<script src='http://192.168.0.25/wp-includes/js/wp-embed.min.js?ver=5.7.2' id='wp-embed-js'></script>
<script>
/(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",(function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())}),!1);
</script>
</body>
</html>
This WordPress is unusable: it is hard-coded to a different IP (192.168.0.25) and can't be interacted with, so on to SMB.
Then try uploading something to see whether a scheduled task acts on it.
Nothing.
So far: os and subprocess.
root@LingMj:~/xxoo/jarjar# curl -s http://192.168.137.84|html2text|uniq
Saltar al contenido
****** CONTROLLER ******
Otro sitio realizado con WordPress
***** CONTROLLER *****
A domain controller (DC) is a server computer that responds to security
authentication requests within a computer network domain. It is
a network server that is responsible for allowing host access to domain
resources. It authenticates users, stores user account information and
enforces security policy for a domain. It is most commonly implemented
in Microsoft Windows environments (see Domain controller (Windows)), where it
is the centerpiece of the Windows Active Directory service.… Seguir leyendo
CONTROLLER
Publicada el 27 de junio de 2021
Categorizado como Sin categoría
Buscar...[Unknown INPUT type][Buscar]
***** Entradas recientes *****
* CONTROLLER
***** Comentarios recientes *****
* Un comentarista de WordPress en CONTROLLER
CONTROLLER
Funciona gracias a WordPress.
root@LingMj:~/xxoo/jarjar# curl -s http://192.168.137.84/index.php/2021/06/27/hola-mundo/|html2text|uniq
Saltar al contenido
CONTROLLER
Otro sitio realizado con WordPress
****** CONTROLLER ******
A domain controller (DC) is a server computer that responds to security
authentication requests within a computer network domain. It is
a network server that is responsible for allowing host access to domain
resources. It authenticates users, stores user account information and
enforces security policy for a domain. It is most commonly implemented
in Microsoft Windows environments (see Domain controller (Windows)), where it
is the centerpiece of the Windows Active Directory service. However, non-
Windows domain controllers can be established via identity management software
such as Samba and Red HatFreeIPA.
From controller we want to announce that our services are going to change to
the python 3 programming language which stands out mainly for its portability.
Due to the termination of python 2, there are still tools that use this
language but we still offer support for it. If you want to support our projects
or help to improve them you can upload them and our experts will test your
utilities for you.
Publicada el 27 de junio de 2021Por control
Categorizado como Sin categoría
***** 1 comentario *****
1. Un comentarista de WordPress dice:
27 de junio de 2021 a las 18:36
Hola, esto es un comentario.
Para empezar a moderar, editar y borrar comentarios, por favor, visita la
pantalla de comentarios en el escritorio.
Los avatares de los comentaristas provienen de Gravatar.
Responder
***** Dejar un comentario Cancelar la respuesta *****
Tu dirección de correo electrónico no será publicada. Los campos obligatorios
están marcados con *
Nombre *[author ]
Correo electrónico *[Unknown INPUT type]
Web[Unknown INPUT type]
[ ]Guarda mi nombre, correo electrónico y web en este navegador para la próxima
vez que comente.
[Publicar el comentario]
Buscar...[Unknown INPUT type][Buscar]
***** Entradas recientes *****
* CONTROLLER
***** Comentarios recientes *****
* Un comentarista de WordPress en CONTROLLER
CONTROLLER
Funciona gracias a WordPress.
This is the only way to get information back; the Python code has to be placed on the SMB share.
No shell came back.
This approach still works best.
Privilege escalation
There is also a scheduled task
Still can't view it
Use @eval instead
The question is where it is
Look for the address directly on the target
If a function bypass is needed
Like this
Now that there is no scheduled task, how to continue escalating privileges?
Then modifying it directly is the winning move
The original deb was broken, so I replaced it with a new one
userflag:K1ng0F3V4S10n
rootflag:DpKg1sB3tt3rTh4nPyth0n?
This post is licensed under CC BY 4.0 by the author.