
HackMyVM target machine "always": reproduction walkthrough

nmap -sP 192.168.10.0/24
The target machine's IP is identified as 192.168.10.9.

nmap -sT -sV -O -p- 192.168.10.9
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-29 06:37 EST
Nmap scan report for always-pc (192.168.10.9)
Host is up (0.00087s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp  open  http          Apache httpd 2.4.57 ((Win64))
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49156/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:C3:6A:9A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista SP2 or Windows 7 or Windows Server 2008 R2 or Windows 8.1
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

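A directory scan of port 8080 finds a login page. Reading the page source yields the credentials admin/adminpass123.
After logging in, a second set of credentials turns up: ftpuser:KeepGoingBro!!!
These credentials log in directly, so the next step is privilege escalation.
The system is Windows 7 Professional Service Pack 1 (Build 7601), x64. The version is very old, so I went straight to existing public exploits for privilege escalation. After trying a few, CVE-2017-0213 worked outright and gave root privileges: HMV{White_Flag_Raised}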
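
The first foothold came from credentials readable in the login page's own source. As an added example (not part of the original post), here is a heuristic pre-deployment audit that flags credential-like literals in inline scripts and HTML comments. The sample page, its placeholder values and the regex patterns are constructed assumptions, since the post does not show the page's markup.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumptions, tune for your code base): a credential-like
# name compared with, or assigned, a string literal of three or more characters.
NAME = r"[\w.$]*(?:pass(?:word|wd)?|pwd|secret|user(?:name)?|login)[\w.$]*"
IN_SCRIPT = re.compile(
    rf"(?P<name>{NAME})\s*(?:[!=]==?|=|:)\s*(?P<q>[\"'])(?P<value>(?:(?!(?P=q)).){{3,}})(?P=q)", re.I)
IN_COMMENT = re.compile(
    r"(?P<name>pass(?:word|wd)?|pwd|secret|user(?:name)?|login)\s*[:=]\s*(?P<value>\S{3,})", re.I)

class PageAuditor(HTMLParser):
    """Collects (line, where, name, masked value) for credential-like literals."""
    def __init__(self):
        super().__init__()
        self.in_script, self.findings = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # only script bodies; form markup is not scanned
            self._scan(data, IN_SCRIPT, "inline-script")
    def handle_comment(self, data):
        self._scan(data, IN_COMMENT, "html-comment")
    def _scan(self, text, pattern, where):
        first_line = self.getpos()[0]  # line on which this chunk starts
        for m in pattern.finditer(text):
            line = first_line + text.count("\n", 0, m.start())
            value = m.group("value")
            masked = value[:2] + "*" * (len(value) - 2)  # keep secrets out of reports
            self.findings.append((line, where, m.group("name"), masked))

def audit_page(html):
    auditor = PageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; the credential values are placeholders.
SAMPLE_PAGE = """<html><body>
<!-- test account: password=Example-Pass-1 -->
<form><input name="username"><input type="password" name="password"></form>
<script>
if (username === "example-user" && password === "Example-Pass-1") { location.href = "panel.html"; }
</script></body></html>"""

if __name__ == "__main__":
    print(*audit_page(SAMPLE_PAGE), sep="\n")
```

Any hit means authentication data is being shipped to the browser; the fix is to verify credentials server-side and remove the literal, not to obfuscate it.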

posted @ 2026-01-30 00:46  场-room