又是个win系统的,靶机下载地址https://hackmyvm.eu/machines/machine.php?vm=Zero。
主要是ms17-010漏洞的利用。
HackMyVm DC03 Walkthrough
HackMyVm DC02 Walkthrough
这是个win系统靶机,下载地址为https://hackmyvm.eu/machines/machine.php?vm=DC02。
借助这篇文章,记录win靶机一些常见操作,厘清一些基本概念。
Windows系统靶机导入VirtutalBox出错的一种解决方法
HackMyVm部分Windows系统的靶机,如DC02、DC03导入 VirtualBox时会报错,报错信息如下:
Failed to load the NVRAM store from the file (VERR_PATH_NOT_FOUND).
Can't attach Nvram Storage driver (VERR_PATH_NOT_FOUND).
返回 代码:
E_FAIL (0x80004005)
组件:
ConsoleWrap
界面:
IConsole {6ac83d89-6ee7-4e33-8ae6-b257b2e81be8}
解决方法:
VulNyx Controler Walkthrough
靶机下载地址https://vulnyx.com/file/Controler.php。
这篇walkthrough是跟着靶机作者的wp写的,算是学习加记录,linux靶机玩多了换换win靶机,感觉挺有意思。
HackMyVm Dentacare Walkthrough
靶机下载地址:https://hackmyvm.eu/machines/machine.php?vm=Dentacare。
扫描端口,开放了22、80和8000。
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.136
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open http Werkzeug/3.0.2 Python/3.11.2
|_http-server-header: Werkzeug/3.0.2 Python/3.11.2
|_http-title: DentaCare Corporation
| fingerprint-strings:
...
8000/tcp open http Apache httpd 2.4.57
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.57 (Debian)
VulNyx Express Walkthrough
这是我第一次玩VulNyx的靶机,这个靶机还是很有意思的,涉及到了GET/POST的变化、SSRF、SSTI,解题思路很有意思,所以记录下来。靶机的下载地址为https://vulnyx.com/file/Express.php。
扫描端口,显示22和80。
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.134
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:88:F1:F0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HackMyVm Smol Walkthrough
靶机地址:https://hackmyvm.eu/machines/machine.php?vm=Smol。
直接使用IP地址访问出错,地址栏显示www.smol.hmv
,把这个地址加入/etc/hosts。扫描端口:
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 16:03 CST
Nmap scan report for www.smol.hmv (192.168.56.130)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 6.3
|_http-title: AnotherCTF
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:BF:B5:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HackMyVM Icecream Walkthrough
HackMyVm Lookup Walkthrough
靶机地址https://hackmyvm.eu/machines/machine.php?vm=Lookup
直接访问报错,需要在/etc/hosts里设置域名lookup.hmv,再次访问主页显示一个登录页面。
扫描目录没有发现什么敏感文件,也没有什么漏洞,sql注入也不行。只能尝试爆破,先尝试爆出用户名。这里要注意wfuzz的语法,特别是要用多个-H加入必要的头信息。
└─$ wfuzz -c -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=123456" --hh 74 http://lookup.hmv/login.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://lookup.hmv/login.php
Total requests: 10177
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000086: 200 0 L 8 W 62 Ch "admin"
000004897: 200 0 L 8 W 62 Ch "jose"
Total time: 0
Processed Requests: 10177
Filtered Requests: 10175
Requests/sec.: 0