Post

hackmyvm Minimal靶机复盘

难度-Medium

Posted Updated
By
2 min read
hackmyvm Minimal靶机复盘

网段扫描

1
2
3
4
5
6
7
8
9
10
11

root@LingMj:/home/lingmj# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.56.110
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:12       (Unknown: locally administered)
192.168.56.100  08:00:27:28:57:32       (Unknown)
192.168.56.148  08:00:27:64:92:99       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.947 seconds (131.48 hosts/sec). 3 responded

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

root@LingMj:/home/lingmj# nmap -p- -sC -sV 192.168.56.148        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 23:55 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.148
Host is up (0.00085s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 d2:73:06:e2:e4:84:54:8c:42:0f:4e:81:7c:78:b9:c2 (ECDSA)
|_  256 75:a0:cf:35:61:a1:c8:77:cf:1a:cb:bc:6d:5b:49:75 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Minimal Shop
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: 08:00:27:64:92:99 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.76 seconds

获取webshell

图 0
图 1
图 2
图 3
图 4

可以测试sql

图 5
图 6

爆破把,没有mysql

图 7

无,看看目录

图 8
图 9
图 10

注册

图 11
图 12
图 13

还没跑出来

图 14

我怀疑是fuzz的问题

图 15

单纯没有,看看phpfilter

图 16 图 18

图 17
图 19

确实有奥

图 21

图 20

图 22

还是busybox

提权

图 23
图 24

图 25
图 26
图 27
图 28

程序的话进行反编译把

图 29

纯翻译的话就知道第一个是linux

图 30
图 31

培根啥的?

图 32

合理,因为就他是英文

图 33

第三个不好找

图 34
图 35

这里说名一下他是跟目录,所以可以进行软连接

图 36

没成功,为啥呢

图 37
图 38
图 39
图 40
图 41

感觉做溢出操作,但是我好像不会

图 42

果然又是权限问题,虽然提示很明显但是tmp为啥不行呢有点懵逼

图 43

唯一的区别是所属目录权限组问题了

图 44

没有无法获取shell了就这样把,id_rsa也没有

userflag:HMV{can_you_find_the_teddy_bear?}

rootflag:HMV{never_gonna_ROP_you_down}

hackmyvm
pwn phpfilter
This post is licensed under CC BY 4.0 by the author.