ISCC 2021 Practical Questions wp

Original link: https://5ime.cn/iscc-2022-measure.html

I only did the Stage 1 intranet server exploit, which is very simple, but that shell VPN left me speechless.

I took a look at the packet capture and found that a SOCKS5 proxy was set up on local port 1080. We configured it directly with Proxifier.

Players can use the VPN client to log in to the intranet server Server1. The intranet server has been pointed out by the security team to have some kind of vulnerability, but the intranet administrator has not taken any security measures.
Server1 communicates regularly with the intranet server Server2 (the communication program is called Heartbeat), and the NSCP protocol is used for communication.
Contestants need to dig out and exploit system loopholes, obtain the process ID of the Heartbeat program, and submit the correct process ID and problem-solving ideas, which will be regarded as a successful problem-solving in Phase 1.

Ping is blocked and the ports cannot be scanned, so I accessed the IP directly: there is a GitLab service.

Login and registration both return 500 or 422. Trying a common path, I found that the version is 13.9 at http://172.18.0.4/public

After a round of Baidu searching, I found CVE-2021-22205. The version number matches, and since login and registration are impossible, this is most likely an unauthenticated RCE.
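The version match above is the whole basis for picking this CVE. As an added example (not part of the original writeup), here is a small triage check a defender can run against a reported GitLab version string to see whether it falls inside the range affected by CVE-2021-22205. The fix boundaries are those in GitLab's April 2021 advisory (patched in 13.8.8, 13.9.6 and 13.10.3; affected from 11.9 onward); treating a two-component version such as "13.9" as "13.9.0" is an assumption of this code.

```python
"""Triage check: does a GitLab version fall in the range affected by
CVE-2021-22205 (ExifTool-based unauthenticated RCE in image upload handling)?

Fix boundaries per the GitLab advisory of April 2021: patched in 13.8.8,
13.9.6 and 13.10.3; affected from 11.9 onward. Release lines below the
newest fix that never received a backport are flagged as affected.
Assumption: a two-component version such as "13.9" is treated as "13.9.0".
"""
import re

FIXED = [(13, 8, 8), (13, 9, 6), (13, 10, 3)]   # patched releases, ascending
FIRST_AFFECTED = (11, 9, 0)


def parse_version(text):
    """Extract the first x.y or x.y.z version from a string such as a
    version banner or a '/help' page body; return a 3-tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable_cve_2021_22205(version):
    """Return True if the given version (string or tuple) is affected."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIRST_AFFECTED:
        return False
    # At or above the newest patched release: fixed.
    if v >= FIXED[-1]:
        return False
    # Inside a backported release line: fixed only at or above that patch.
    for fixed in FIXED:
        if v[:2] == fixed[:2]:
            return v < fixed
    # Any other release line below the newest fix never received a patch.
    return True


if __name__ == "__main__":
    # Constructed banner, as seen in the writeup (version 13.9).
    banner = "GitLab Community Edition 13.9"
    print(banner, "->", is_vulnerable_cve_2021_22205(banner))
```

The check is deliberately conservative: a release line such as 13.7 that never received a backport is reported as affected even though it is below the patched 13.8.8, which is the behaviour you want when deciding what to upgrade.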

Found a script on GitHub: https://github.com/Al1ex/CVE-2021-22205

Since I didn't know the path at the beginning, I spun up a vulnerable environment with vulhub and found that the installation directory is

 /home/git/gitlab

We write directly into the public stylesheet folder assets; in fact, we could also write directly into the public directory.

 python .\CVE-2021-22205.py -a true -t http://172.18.0.4/ -c "ps -aux > /home/git/gitlab/public/assets/12222.txt"

Directly access 172.18.0.4/assets/12222.txt to get the Heartbeat process ID: 2053741

This article is reproduced from: https://5ime.cn/iscc-2022-measure.html
This site is for inclusion only, and the copyright belongs to the original author.
