HMV JO2024

Zsm published on 2025-03-07 included in 靶场

JO2024

靶场链接

https://hackmyvm.eu/machines/machine.php?vm=JO2024

日常扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33


┌──(parallels㉿kali-linux-2024-2)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:1c:42:fd:ba:b5, IPv4: 192.168.31.187
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
192.168.31.106  08:00:27:91:df:4a       (Unknown)
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.841 seconds (139.05 hosts/sec). 4 responded
                                                                             
┌──(parallels㉿kali-linux-2024-2)-[~]
└─$ nmap -sC -sV 192.168.31.106 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 16:22 CST
Nmap scan report for 192.168.31.106 
Host is up (0.0039s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-title: Paris 2024 Olympic Games
|_http-server-header: Apache/2.4.61 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds
                                                                

网页没有什么危险信息，轻微爆破一下目录

HMV Smol

Zsm published on 2025-03-07 included in 靶场

Smol

靶场链接

https://hackmyvm.eu/machines/machine.php?vm=Smol

日常扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19


┌──(parallels㉿kali-linux-2024-2)-[~]
└─$ nmap -sC -sV 192.168.31.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-06 20:18 CST
Nmap scan report for 192.168.31.25
Host is up (0.0023s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://www.smol.hmv
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.60 seconds

设置一下重定向，最下面有Proudly powered by WordPress | PopularFX Theme wpscan启动！

HMV publisher

Zsm published on 2025-03-05 included in 靶场

publisher

靶场链接

https://hackmyvm.eu/machines/machine.php?vm=Publisher

日常扫描

ip给了是 . . . 8

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC -T4 -Pn -p- 192.168.31.8  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 20:46 HKT
Nmap scan report for 192.168.31.8
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Publisher's Pulse: SPIP Insights & Tips
MAC Address: 08:00:27:E4:F1:F5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.56 seconds

dirb和dirsearch都扫不出来什么东西，换gobuster试试

HMV HackingToys

Zsm published on 2025-03-03 included in 靶场

HackingToys

靶场链接

https://hackmyvm.eu/machines/machine.php?vm=HackingToys

日常扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26


┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l        
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.31.183
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
192.168.31.178  08:00:27:23:bb:bb       (Unknown)
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.873 seconds (136.68 hosts/sec). 4 responded
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.31.178                                         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-02 20:19 HKT
Nmap scan report for 192.168.31.178
Host is up (0.0013s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: 08:00:27:23:BB:BB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

有ssl证书，https访问3000端口

HMV Metamorphose

Zsm published on 2025-03-02 included in 靶场

Metamorphose

靶场链接

https://hackmyvm.eu/machines/machine.php?vm=Metamorphose

日常扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30


┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth0
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.31.183
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
192.168.31.25   08:00:27:78:88:2c       (Unknown)
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 4 responded

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sSV -p- -T5 192.168.31.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 12:25 HKT
Nmap scan report for 192.168.31.25
Host is up (0.0017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
4369/tcp  open  epmd    Erlang Port Mapper Daemon
39441/tcp open  unknown
MAC Address: 08:00:27:78:88:2C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.14 seconds

反弹shell

epmd的信息在https://book.hacktricks.wiki/en/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html 有

Linux笔记

Zsm published on 2025-03-01 included in 靶场

linux提权

信息收集

hostname

hostname命令将返回目标计算机的主机名。尽管该值可以很容易地更改或具有相对无意义的字符串（例如 Ubuntu-3487340239），但在某些情况下，它可以提供有关目标系统在企业网络中的角色的信息