Vulnhub-my-web-server

A target machine I worked through out of boredom.

The DNS needs to be changed to:

nmap scan

$ bash /data/Code/shell/nmap_quick.sh 192.168.56.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-03 00:22 CST
Nmap scan report for 192.168.56.4
Host is up (0.00030s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:dc:8f:24:51:73:54:bc:87:62:a2:e6:ed:f1:c1:b4 (RSA)
| 256 a9:39:a9:bf:b2:f7:01:22:65:07:be:15:48:e8:ef:11 (ECDSA)
|_ 256 77:f5:a9:ff:a6:44:7c:9c:34:41:f1:ec:73:5e:57:bd (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Armour – Just another WordPress site
2222/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: Radius by TEMPLATED
3306/tcp open mysql MySQL (unauthorized)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/8.0.33
8081/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Visualize by TEMPLATED
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


I found that nostromo 1.9.6 has a remote code execution vulnerability and used the exploit directly.

That gave me an initial shell.

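Then I found a username and password in the Tomcat directory, logged in to the management panel and uploaded a shell, moving laterally to the tomcat user.
After running sudo -l, it turned out the tomcat user can sudo java. So I used msf to generate a jar and ran sudo java -jar shell.jar to get root.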

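I remembered that a Tomcat instance is also running on port 8080 on the server, which might be usable. By default, Tomcat user passwords are stored in the configuration file /usr/local/tomcat/conf/tomcat-users.xml

Generate a WAR trojan, deploy it in the management panel, then start a listener and access it.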


The tomcat user can run java with sudo
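
The two misconfigurations this walkthrough depends on, an account with manager deploy roles in tomcat-users.xml and a sudo rule that lets the tomcat user run java, can be checked for with a short audit script. This is an added example, not part of the original write-up; the sample XML, the sudoers fragment and the function names are constructed for illustration, and the sudoers parsing assumes simple single-line rules.

```python
import re
import xml.etree.ElementTree as ET

# Roles that allow deploying applications through the Tomcat manager.
DEPLOY_ROLES = {"manager-gui", "manager-script", "admin-gui", "admin-script"}
# Binaries that run arbitrary code, so a sudo rule for them equals full root.
INTERPRETERS = {"java", "python", "python3", "perl", "ruby", "bash", "sh"}

# Constructed sample inputs (not taken from the target machine).
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="deployer" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="viewer" password="PLACEHOLDER" roles="manager-status"/>
</tomcat-users>"""
SAMPLE_SUDOERS = """# constructed sudoers fragment
Defaults env_reset
tomcat ALL=(ALL) NOPASSWD: /usr/bin/java
backup ALL=(root) /usr/bin/rsync
"""

def audit_tomcat_users(xml_text):
    """Return (username, deploy_roles) for accounts that can deploy WARs."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # ignore the XML namespace
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        risky = sorted(roles & DEPLOY_ROLES)
        if risky:
            findings.append((el.get("username"), risky))
    return findings

def audit_sudoers(text):
    """Return (user, command) for rules that let a user run an interpreter."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        # Drop the "(runas)" part and tags such as NOPASSWD: before the commands.
        cmds = re.sub(r"^\s*(\([^)]*\))?\s*([A-Z_]+:\s*)*", "", spec)
        for cmd in cmds.split(","):
            parts = cmd.split()
            if parts and parts[0].rsplit("/", 1)[-1] in INTERPRETERS:
                findings.append((who.split()[0], parts[0]))
    return findings

if __name__ == "__main__":
    print(audit_tomcat_users(SAMPLE_USERS_XML))
    print(audit_sudoers(SAMPLE_SUDOERS))
```

Any account the first check reports should have a strong, unique password and a manager application restricted by source address; any rule the second check reports should be removed or replaced with a narrowly scoped command.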