Precious is an easy-rated Linux machine from HackTheBox created by Nauten. This machine is straightforward and does not have any rabbit hole or hard-to-find information, but still, you need to do good research because the exploit is a little uncommon. In the current post, my IP is 10.10.14.76, and the target’s IP is 10.129.49.93
Gather Information
This step is always the same, you have to ping the machine to see if is alive, and then use Nmap to scan all the ports to avoid surprises.
Local Terminal
ping-c110.129.49.93
Ping’s output, by the TTL around 64, is a Linux Machine
Nmap’s output
At this point, we know that is only a website, but we still need more details before trying anything.
Relevant information {Domain = precious.htb}
Add that domain to your file /etc/hosts
Browser: http://10.129.49.93
Website main page
There is nothing special about this site, one of the best options, before interacting with the “Web Page to PDF” is using wfuzz
Spoiler, no results.
Browser: Submit http://precious.htb
Ok, nothing happens with the own URL, let’s open a simple http.server using python to see how the site react to it, the result does not change if you use the command without an index.html file.
BrowserSubmit: http://10.10.14.76:80/
Website before submit
Content from index.html... as a .pdf file.
The output is a simple pdf file, nothing suspicious and with using only the textbox there is no way to get a response from bash commands, let’s check the metadata.
output from exiftool, nothing suspicious
Weaponization and Exploitation
If you search for “pdfkit v0.8.6 exploit” you will find a critical command injection exploit. We will use that to get access to the machine. (https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795)
Exploit structure from the code, by security.snyk
As we can see, we only have to change the content from params[:name] from the url to execute a command, to test if this definitely works, you have to open a local terminal and write tcpdump -i eth0 icmp (To check your interface, use ifconfig) and submit at the browser http://10.10.14.76:80/?name=#{‘%20`ping -c 1 10.10.14.76 | bash`’}.
After the test, now we know that is working and we can create a reverse shell, for this, we need two local terminals and one index.html file with a bash command inside.
You can close your LocalTerm1 and the LocalTerm2 now is the target command prompt called “Target”. After this, a good practice is to make a bash treatment.
Target folder exploration, searching for user.txt
Looks like only Henry can open the user flag, we need to gain his privileges, and for that we need to find any important file that could contain his credentials, like configs.
So, our best option at this moment, is to return to home and check if our account, user ruby, has something in the personal folder. At first glance it shows that there is nothing there, but if you show hidden files you can see more stuff.
Folder ruby
But there are many folders…
Search for every config file inside folder ruby, usual location of credentials.
Content of .bundle/config file, Henry’s password.
Our best option now, is to open a new LocalTerm and try to login using ssh with these credentials {henry@Q3c1AqGHtoI0aXAYFH}
LocalTerm after login
We are in, now your LocalTerm is Henry, let’s go to his folder and open the file user.txt
First flag acquired
Privileges Scalation
Now we need to get the credentials of root.
commands’s output
Looks like as Henry, we can execute that “rb” file as the user Root without password
Code of “update_dependencies.rb”
At first glance, we can see that read a file called “dependencies.yml”, we can use that for us.
Nothing important in the content, but there is an exploit called Yaml Deserialization (It took me a lot of time to find it), that can be used here, by creating a new dependencies.yml file with this code, remember to create the new dependencies.yml at Henry’s folder because there you have writing permission.
New dependencies.yml’s code
Now we have to make a modification at the dependencies.yml file and then run again the previous command.
Location of the modification
After executing again the command, we change from Henry to Root, now we have the permission to read the /root/ folder
