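OSCP prep, OSCP series: Wintermute-v1 lab, internal-network penetration across two target machines, LFI vulnerability, screen 4.5 privilege escalation, Struts 2.3 remote code execution vulnerability, CVE-2017-16995 privilege escalation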

WeChat official account: 泷羽Sec-尘宇安全

Preface

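OSCP prep, OSCP series: Wintermute-v1 lab, internal-network penetration across two target machines, LFI vulnerability, screen 4.5 privilege escalation, Struts 2.3 remote code execution vulnerability, CVE-2017-16995 privilege escalation
Difficulty: easy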

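  • Low-privilege shell: ntopng weak password, a directory found through information gathering, LFI vulnerability
  • Privilege escalation: screen 4.5 privilege escalation
  • Internal network: Struts 2.3 remote code execution vulnerability, Ubuntu kernel privilege escalation

Download link:
https://www.vulnhub.com/entry/wintermute-1,239/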

nmap

Host discovery

└─# nmap -sn 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 09:52 EST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers: No such file or directory (2)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00046s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00020s latency).
MAC Address: 08:00:27:77:3F:CC (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00064s latency).
MAC Address: 08:00:27:76:11:D1 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.89 seconds

Port scan

└─# nmap --min-rate 10000 -p- 192.168.56.102 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 22:57 CST
Warning: 192.168.56.102 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.102 (192.168.56.102)
Host is up (0.11s latency).
Not shown: 48936 closed tcp ports (reset), 16596 filtered tcp ports (no-response)
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 64.02 seconds


└─# nmap --min-rate 10000 -p- 192.168.56.102 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 23:03 CST
Nmap scan report for 192.168.56.102 (192.168.56.102)
Host is up (0.00042s latency).
All 65535 scanned ports on 192.168.56.102 (192.168.56.102) are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

Detailed port scan

└─# nmap -sV -sT -sC -O -p25,80,3000 192.168.56.102 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 23:02 CST
Nmap scan report for 192.168.56.102 (192.168.56.102)
Host is up (0.00069s latency).

PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after:  2028-05-09T18:08:02
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open  hadoop-datanode Apache Hadoop
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
| hadoop-datanode-info: 
|_  Logs: submit
| hadoop-tasktracker-info: 
|_  Logs: submit
|_http-trane-info: Problem with XML parsing of /evox/about
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
Service Info: Host:  straylight

OS and Service detection performed. Please report any incorrect results at ht
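
An added example (not part of the original post): a small Python parser for the detailed scan output above that attaches each NSE script result to its port and flags two things worth a second look in this scan, the VRFY command advertised on 25/tcp and the hadoop-datanode label on 3000/tcp, where the page title shows ntopng. The SCAN text is an excerpt copied from the output above; the names parse_nmap and review are hypothetical.

```python
import re

# Excerpt of the scan output shown above (trimmed); not a new scan.
SCAN = """\
PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
3000/tcp open  hadoop-datanode Apache Hadoop
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]\s*([\w-]+):\s*(.*)$")

def parse_nmap(text):
    """Return {port: {...}} from nmap normal-format output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"proto": m[2], "state": m[3], "service": m[4],
                       "version": m[5].strip(), "scripts": {}}
            ports[int(m[1])] = current
            continue
        s = SCRIPT_RE.match(line)
        if s and current is not None:
            current["scripts"][s[1]] = s[2]   # script name -> first line of output
        elif not line.startswith("|"):
            current = None                    # left the port table
    return ports

def review(ports):
    """Return (port, note) pairs for results that need manual confirmation."""
    notes = []
    for port, p in sorted(ports.items()):
        cmds = [c.strip() for c in p["scripts"].get("smtp-commands", "").split(",")]
        if "VRFY" in cmds:
            notes.append((port, "SMTP advertises VRFY (address verification exposed)"))
        title = p["scripts"].get("http-title", "")
        if title and p["service"] != "http":  # fingerprint and page content disagree
            notes.append((port, f"service guessed as {p['service']!r} "
                                f"but serves a web page titled {title!r}"))
    return notes

if __name__ == "__main__":
    print(*review(parse_nmap(SCAN)), sep="\n")
```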