HTB Machine Precious
Port scanning with nmap
Port 80 is open: it redirects to http://precious.htb/
Add this to /etc/hosts
On this page there is a Convert Web Page to PDF feature.
After submitting a URL, a PDF file is downloaded.
Running exiftool on the PDF shows it was generated by pdfkit v0.8.6.
This version is vulnerable to RCE
Payload:
We can use this to get a reverse shell.
References: https://www.revshells.com/
We get a shell as user ruby.
We can see two users in the /home directory.
The user flag is in the home directory of user henry, but it is not accessible.
Inside the home directory of user ruby there is a config file in .bundle; in this file we can see the password of user henry.
We can use this to SSH in as henry.
This user can run /opt/update_dependencies.rb as root with sudo.
The file is not writable. Looking at the code, we see it uses YAML.load, which is vulnerable to a deserialization attack.
We can write to dependencies.yml.
payload:
Reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
Now we can run this with sudo and get the root flag: sudo /usr/bin/ruby /opt/update_dependencies.rb
This gives the root flag.
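As an added defensive illustration (not part of this writeup or the machine's own update script): the root cause is that YAML.load on Psych before 4.0 (Ruby < 3.1) instantiates any tagged Ruby object found in dependencies.yml, so a script that reads a user-writable file should parse it with YAML.safe_load and validate the result. The function name load_dependencies and both heredoc documents are constructed for this example.

```ruby
require 'yaml'

# Constructed sample: the plain list of gem names a dependency file is expected to hold.
BENIGN_DEPS = <<~YAML
  - rails
  - nokogiri
YAML

# Constructed sample: a document carrying a Ruby object tag. YAML.load on Psych < 4
# would build an instance of the tagged class; safe_load refuses it outright.
TAGGED_DEPS = <<~YAML
  - !ruby/object:Object {}
YAML

# Parse a dependency list without allowing object construction: no classes are
# permitted beyond the YAML core types and aliases are disabled. The shape of the
# data is then checked so only plausible gem names come back.
def load_dependencies(yaml_text)
  deps = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, 'dependency file must be a list' unless deps.is_a?(Array)
  deps.each do |name|
    unless name.is_a?(String) && name.match?(/\A[A-Za-z0-9_.-]+\z/)
      raise ArgumentError, "invalid gem name: #{name.inspect}"
    end
  end
  deps
end

# True when the loader rejects a document that tries to build Ruby objects.
def rejects_tagged_objects?(yaml_text)
  load_dependencies(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  p load_dependencies(BENIGN_DEPS)        # => ["rails", "nokogiri"]
  p rejects_tagged_objects?(TAGGED_DEPS)  # => true
end
```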
:octocat: Happy Hacking :octocat: