靶机下载地址https://hackmyvm.eu/machines/machine.php?vm=Wave。
Tips: shell加解密、常见php扩展名、端口转发、less命令的使用。
整体玩下来还是挺有趣的。
HackMyVm Wave Walkthrough
发表评论
分类目录归档:linux靶场
HackMyVm Up Walkthrough
HackMyVm Dentacare Walkthrough
靶机下载地址:https://hackmyvm.eu/machines/machine.php?vm=Dentacare。
扫描端口,开放了22、80和8000。
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.136
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open http Werkzeug/3.0.2 Python/3.11.2
|_http-server-header: Werkzeug/3.0.2 Python/3.11.2
|_http-title: DentaCare Corporation
| fingerprint-strings:
...
8000/tcp open http Apache httpd 2.4.57
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.57 (Debian)VulNyx Express Walkthrough
这是我第一次玩VulNyx的靶机,这个靶机还是很有意思的,涉及到了GET/POST的变化、SSRF、SSTI,解题思路很有意思,所以记录下来。靶机的下载地址为https://vulnyx.com/file/Express.php。
扫描端口,显示22和80。
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.134
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:88:F1:F0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelHackMyVm Smol Walkthrough
靶机地址:https://hackmyvm.eu/machines/machine.php?vm=Smol。
直接使用IP地址访问出错,地址栏显示www.smol.hmv,把这个地址加入/etc/hosts。扫描端口:
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 16:03 CST
Nmap scan report for www.smol.hmv (192.168.56.130)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 6.3
|_http-title: AnotherCTF
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:BF:B5:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelHackMyVM Icecream Walkthrough
HackMyVm Lookup Walkthrough
靶机地址https://hackmyvm.eu/machines/machine.php?vm=Lookup
直接访问报错,需要在/etc/hosts里设置域名lookup.hmv,再次访问主页显示一个登录页面。
扫描目录没有发现什么敏感文件,也没有什么漏洞,sql注入也不行。只能尝试爆破,先尝试爆出用户名。这里要注意wfuzz的语法,特别是要用多个-H加入必要的头信息。
└─$ wfuzz -c -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=123456" --hh 74 http://lookup.hmv/login.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://lookup.hmv/login.php
Total requests: 10177
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000086: 200 0 L 8 W 62 Ch "admin"
000004897: 200 0 L 8 W 62 Ch "jose"
Total time: 0
Processed Requests: 10177
Filtered Requests: 10175
Requests/sec.: 0HackmyVm Universe Walkthrough
靶机下载地址为:https://hackmyvm.eu/machines/machine.php?vm=Universe
用nmap扫描常用端口,发现21、22。
└─$ nmap -sV -sC -Pn 192.168.56.125
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 95:d6:5d:68:a3:38:f7:74:87:b3:99:20:f8:be:45:4d (ECDSA)
|_ 256 11:77:31:ae:36:4e:22:45:9c:89:8f:5e:e6:01:83:0d (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelHackmyVm HackingToys Walkthrough
靶机下载地址:https://hackmyvm.eu/machines/machine.php?vm=HackingToys
扫描端口,开了22和3000.
nmap -sV -sC -Pn -oN port.log 192.168.56.123
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
3000/tcp open ssl/ppp?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=FR
| Not valid before: 2024-05-20T15:36:20
|_Not valid after: 2038-01-27T15:36:20
...Atom Walkthrough
HackmyVm的靶机Atom,下载地址是https://hackmyvm.eu/machines/machine.php?vm=Atom
正常nmap扫描,只能找到22端口,非常蹊跷。卡在第一步就非常郁闷了,cromiphi制作的靶机总是有点小坑的!
└─$ nmap -sV -sC -Pn -oN port.log 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 20:20 CST
Nmap scan report for 192.168.56.118
Host is up (0.0026s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel