
hackmyvm Ginger box walkthrough

Difficulty: Hard


Subnet scan

root@LingMj:~/xxoo/jarjar# arp-scan -l       
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.64	a0:78:17:62:e5:0a	Apple, Inc.
192.168.137.142	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.114	62:2f:e8:e4:77:5d	(Unknown: locally administered)

Port scan

root@LingMj:~/xxoo/jarjar# nmap -p- -sV -sC 192.168.137.142
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 02:58 EDT
Nmap scan report for ginger.mshome.net (192.168.137.142)
Host is up (0.069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
|   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.43 seconds

Getting a webshell

(screenshots)

Two options: log in, or go through one of the plugins.

(screenshot)

Looks like it's the login: webmaster / sanitarium

(screenshots)

OK, got a reverse shell.

Privilege escalation

(screenshots)

Looks like that's not the right direction.

(screenshot)

Can't make sense of this.

(screenshots)

No luck, starting to get lost. Checked a writeup, which pointed me to dmesg.

(screenshots)

Will giving it a * help me get through?

(screenshots)

sabrina:dontforgetyourpasswordbitch

(screenshots)

Time for the big move.

(screenshot)

Too much hassle fiddling back and forth, just drop in a public key instead.

(screenshots)

5 seconds, so it comes down to how fast my hands are.

(screenshot)

Getting ready.

(screenshots)

Done. Apart from not knowing about dmesg earlier, none of it was really difficult.

user flag: f65aaadaeeb04adaccba45d7babf5f8c

root flag: ae426c9d237d676044e5cd8e8af9ef7f

This post is licensed under CC BY 4.0 by the author.