Post

hackmyvm Orasi靶机复盘

难度-Hard

Posted Updated
By
3 min read
hackmyvm Orasi靶机复盘

网段扫描

1
2
3
4
5
6
7
8
9
10

root@LingMj:~# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.53	62:2f:e8:e4:77:5d	(Unknown: locally administered)
192.168.137.97	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.203	a0:78:17:62:e5:0a	Apple, Inc.

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.137 seconds (119.79 hosts/sec). 4 responded

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

root@LingMj:~# nmap -p- -sV -sC 192.168.137.97         
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-12 22:53 EDT
Nmap scan report for orasi.mshome.net (192.168.137.97)
Host is up (0.021s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.137.190
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Feb 11  2021 pub
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8a:07:93:8e:8a:d6:67:fe:d0:10:88:14:61:49:5a:66 (RSA)
|   256 5a:cd:25:31:ec:f2:02:a8:a8:ec:32:c9:63:89:b2:e3 (ECDSA)
|_  256 39:70:57:cc:bb:9b:65:50:36:8d:71:00:a2:ac:24:36 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
5000/tcp open  http    Werkzeug httpd 1.0.1 (Python 3.7.3)
|_http-server-header: Werkzeug/1.0.1 Python/3.7.3
|_http-title: 404 Not Found
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.84 seconds

获取webshell

picture 0
picture 1
picture 2

这是什么呢

picture 3
picture 4
picture 5
picture 6

像一个目录

picture 7

没有成功

picture 8

重新检查一下没有*而是/sh4dow$s

picture 9
picture 10
picture 11

奇怪什么地方出问题了,打错了应该是0不是o

picture 12

现在利用这个方式过滤出需要的部分直接复制就好了

picture 13

看一下wp,我之前是不知道crunch这个工具所以6 6 1337leet的提示对我很难想,而且查不到

picture 14

这样看就清晰了

picture 15
picture 16
picture 17
picture 18
picture 19
picture 20

试了很多唯有ssti出现需要响应,而且不能使用+测试

picture 21
picture 22
picture 23

提权

picture 24
picture 25

单纯一个命令执行,但是需要走点过滤

picture 26
picture 27

想想有啥可以直接命令执行,除bash其实可以使用echo或者wget

picture 28

不能使用 /这样的话就无法直接扔进去

picture 29

为啥呢

picture 30

王炸吧,哈哈哈

picture 31

可以但是这个终端不能用了

picture 32

picture 33
picture 34

没权限是什么东西

picture 35

不会apk逆向哈哈哈,完了看看还有没有其他方法提权

userflag:

rootflag:

hackmyvm
upload
This post is licensed under CC BY 4.0 by the author.