Pilgrimage(git info leak)

10.10.11.219

scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
./masscan.sh 
which ip? 10.10.11.219
which network, for example eth0tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-07-07 13:57:13 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
[-] Passed the wait window but still running, forcing exit...        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-07 22:00 CST
Nmap scan report for 10.10.11.219
Host is up (0.34s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo "10.10.11.219 pilgrimage.htb" >> /etc/hosts

web

http://pilgrimage.htb/
http://pilgrimage.htb/assets 403
http://pilgrimage.htb/vendor 403
http://pilgrimage.htb/tmp/ 403

  1. 扫web目录
  2. 查看源代码
  3. xray scan
    ./xray webscan –plugin phantasm -u http://pilgrimage.htb/ –poc “pocs/*”

    git info leak

    git clone https://github.com/lijiejie/GitHack
    python GitHack.py http://pilgrimage.htb/.git

info leak

ssh emily@10.10.11.219
abigchonkyboi123

CVE-2022-44268:ImageMagick 7.1.0-49 存在信息泄露漏洞。当它解析 PNG 图像(例如,用于调整大小)时,生成的图像中可能会嵌入任意本地文件的内容(如果 ImageMagick 二进制文件有读取权限)。
CVE-2022-4510:Binwalk 远程代码执行漏洞
普通用户使用binwalk可以反弹shell

https://www.exploit-db.com/exploits/51249

使用这个exp,因此可以反弹一个root权限的shell

总结

  1. RCE漏洞可以用来提权吗?
    可以. 普通用户使用binwalk RCE可以反弹shell, 反弹一个root权限的shell

    conference