hackmyvm Soul靶机复盘

网段扫描

root@LingMj:~# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.66	a0:78:17:62:e5:0a	Apple, Inc.
192.168.137.92	62:2f:e8:e4:77:5d	(Unknown: locally administered)
192.168.137.213	3e:21:9c:12:bd:a3	(Unknown: locally administered)

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.056 seconds (124.51 hosts/sec). 4 responded

端口扫描

root@LingMj:~# nmap -p- -sC -sV 192.168.137.213
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 02:57 EST
Nmap scan report for soul.mshome.net (192.168.137.213)
Host is up (0.0081s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8a:e9:c1:c2:a3:44:40:26:6f:22:37:c3:fe:a1:19:f2 (RSA)
|   256 4f:4a:d6:47:1a:87:7e:69:86:7f:5e:11:5c:4f:f1:48 (ECDSA)
|_  256 46:f4:2c:28:53:ef:4c:2b:70:f8:99:7e:39:64:ec:07 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.65 seconds

获取webshell

一个图片猜隐写了

到这里信息没有了奇怪爆破用户名？

可以爆破用户名

不是怎么简单？

提权

没有cd，我想想咋目录穿越

奥我说呢原来是shell搞得鬼

不能直接转换奥

我看看web吧，没信息看真难只有ls 和 cat

可以写就简单的查看一下能用php不

不能直接>用wget吧

不解析

有动静了不白费我试

但好像不算解析

不行不是这个方向的解我要使用工具了

目前知道拿到peter用户就结束了，但是没找到其余点，难道是爆破?

目前我没方向了，跑完密码没有看看跟-x有关不，想想还是不对不应该给/var/www/html/ 777不是这个方向的东西

80服务要域名

真果然是这个位置的提权真麻烦找起来

这是hard？，直接suid拿root了

结束了整体如果找nginx算难度的话应该为Medium

userflag:HMViwazhere

rootflag:HMVohmygod