目录
1.Which TCP port is open on the remote host?
2.Which web server is running on the remote host? Looking for two words.
3.Which relative path on the webserver leads to the Web Application Manager?
在弹出的验证界面中,随便输入一个账户密码,使用Yakit进行抓包
6.Submit the flag located on the user's desktop.
USER_FLAG:7004dbcef0f854e0fb401875f26ebd00
7.Submit the flag located on the administrator's desktop.
ROOT_FLAG:04a8b36e1545a455393d067e772fe90e
连接至HTB服务器并启动靶机
靶机IP:10.10.10.95
分配IP:10.10.16.7
1.Which TCP port is open on the remote host?
使用nmap对靶机开放端口进行扫描:
nmap -p- -T4 --min-rate=1000 -sS -Pn {TARGET_IP}
由扫描结果可见,靶机仅开放8080端口
2.Which web server is running on the remote host? Looking for two words.
使用nmap对靶机8080端口进行脚本、服务信息扫描:
由扫描结果可见,http-favicon:Apache Tomcat
3.Which relative path on the webserver leads to the Web Application Manager?
使用浏览器访问靶机URL:http://{TARGET_IP}:8080
在主页面右侧可以看到Manager App,点击进入管理页面:/manager/html
4.What is the valid username and password combination for authenticating into the Tomcat Web Application Manager? Give the answer in the format of username:password
在弹出的验证界面中,随便输入一个账户密码,使用Yakit进行抓包
通过Authorization一栏,解码后可以看出凭证格式是:Base64_Encode(账号:密码)
使用WebFuzzer模块对凭证请求构造一下,使用字典进行爆破:
获取凭证:tomcat:s3cret
5.Which file type can be uploaded and deployed on the server using the Tomcat Web Application Manager?
使用凭证对管理页面进行登录,往下拉可以找到文件部署处:
在文件部署的下方可以看到文件上传处,支持上传war类型的文件
6.Submit the flag located on the user's desktop.
先用哥斯拉生成一个Webshell:
将shell.jsp文件打包成war文件:
jar -cvf webshell.war *
将webshell.war文件上传至靶机tomcat服务器中:
点击webshell,自动跳转至shell.jsp路径下:http://{TARGET_IP}:8080/webshell/
使用哥斯拉连接至shell.jsp:
这里直接可以图形化查看内容:C:/Users/Administrator/Desktop/flags/2 for the price of 1.txt
USER_FLAG:7004dbcef0f854e0fb401875f26ebd00
7.Submit the flag located on the administrator's desktop.
直接用命令行直接查看文件内容也可以,在文件名左右加上双引号即可: